From acd3dc788b52c92def6096bcab67c564c8aca49f Mon Sep 17 00:00:00 2001 From: jeremylongshore Date: Wed, 17 Jun 2026 21:05:59 -0600 Subject: [PATCH 1/2] ci: wire Gemini code review + CodeQL security scanning Gemini Code Assist is the workhorse code reviewer; CodeQL runs the security-extended query suite only (no quality queries) so the two are non-overlapping. Both run on PRs and pushes to main so review is a standing pre-merge gate on the umbrella's generator scripts (aggregate-changelog.mjs, ecosystem-drift.py). - .gemini/config.yaml + .gemini/styleguide.md workhorse code-review gate - .github/workflows/codeql.yml CodeQL security-extended, build-mode none --- .gemini/config.yaml | 22 ++++++++++++++++++ .gemini/styleguide.md | 20 ++++++++++++++++ .github/workflows/codeql.yml | 45 ++++++++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 .gemini/config.yaml create mode 100644 .gemini/styleguide.md create mode 100644 .github/workflows/codeql.yml diff --git a/.gemini/config.yaml b/.gemini/config.yaml new file mode 100644 index 0000000..4cc743c --- /dev/null +++ b/.gemini/config.yaml @@ -0,0 +1,22 @@ +# Gemini Code Assist — Intent Eval Platform. +# Gemini is the WORKHORSE code reviewer (design/logic/correctness/cross-artifact +# consistency). CodeQL owns security scanning (security-extended, non-overlapping). +# Review priorities: .gemini/styleguide.md +have_fun: false +code_review: + disable: false + comment_severity_threshold: MEDIUM + max_review_comments: -1 + pull_request_opened: + help: false + summary: true + code_review: true +# NOTE: _generated/ is intentionally NOT ignored — three-way schema/validator/Pydantic +# drift hides there (a real class of one-way-door bug). Gemini must review it. +ignore_patterns: + - "**/dist/**" + - "**/node_modules/**" + - "**/coverage/**" + - "**/*.snap" + - "pnpm-lock.yaml" + - "**/*.lock" diff --git a/.gemini/styleguide.md b/.gemini/styleguide.md new file mode 100644 index 0000000..ca2b640 --- /dev/null +++ b/.gemini/styleguide.md @@ -0,0 +1,20 @@ +# Intent Eval Platform — Gemini Code Review style guide + +Gemini is the **workhorse code reviewer** for this repo (design · logic · correctness · cross-artifact consistency). CodeQL handles security scanning separately — do **not** duplicate security-vuln findings here. Prioritize the failure classes below; they are the ones deterministic CI gates (lint/typecheck/test/schema-valid) structurally cannot catch. + +## Highest-priority checks (one-way-door / signed-artifact repos) + +1. **Cross-artifact semantic consistency.** When an entity and a predicate (or any two schemas) reference each other, flag same-named fields whose **type _or_ meaning diverges across files** — e.g. one side `sha256:`-prefixed and the other bare 64-hex; one side "pre-edit input" and the other "post-edit output". ajv/Zod validate each file in isolation and never see the mismatch. +2. **Three-way schema drift.** A change to a JSON Schema must keep its hand-written Zod validator **and** its Python Pydantic model in agreement — especially `required` vs optional, `nullable`, and `enum` boundaries. Flag any validator looser or stricter than its schema, and any hand-authored `_generated/` file that no longer matches its source schema. +3. **Lineage / append-only integrity.** If a doc or `$comment` calls something an "append-only" or "tamper-evident" lineage, the parent link must be a **content hash chain**, not an opaque reassignable UUID. Flag lineage fields that claim integrity but carry only IDs (no self `content_hash`, no `parent_content_hash`). +4. **Closed signed enums (values-vs-types trap).** A closed enum that ships in a signed entry is a `/v2` trigger if it ever widens. Flag closed enums on signed artifacts that lack an explicit open/closed-world posture, and flag a discriminator that double-encodes a fact another field already carries. +5. **Cross-field invariants actually enforced.** If prose/`$comment` states an invariant (e.g. "X iff Y", "revert requires a non-null parent"), flag it if the schema/validator does **not** enforce it. An unenforced invariant on a signed row is a permanent lie waiting to be signed. +6. **Determinism / probabilistic boundary.** An LLM must never author a signed artifact or close a deterministic signal; flag any LLM output path that reaches a signed surface without a deterministic wall (substring pre-check + corpus post-check). +7. **Additive-only discipline.** Kernel schemas/predicates/entities ship in signed `@intentsolutions/core` entries; flag any non-additive change (field removed, type/semantics/enum-value changed, constraint loosened) — those require a Class-1 ISEDC + often a `/v2`. +8. **Governance traceability.** A change citing a Decision Record must not silently resolve a conflict between two ratified clauses; flag unilateral resolutions of contradictory bindings. + +## Also flag (normal review) +Correctness bugs, missing edge-case tests (root/empty/null cases), error-handling gaps, security-relevant logic Gemini sees that CodeQL might miss, and comments that claim behavior the code doesn't implement. + +## Do NOT +No style nitpicks already covered by ESLint/Prettier/Ruff. No praise-only comments. No security-CVE findings (CodeQL owns those). diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..215476f --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,45 @@ +name: CodeQL + +# Security scanning ONLY (security-extended query suite — no quality/maintainability +# queries). Code-quality, design, and correctness review is Gemini's job (see +# .gemini/styleguide.md); the two are intentionally non-overlapping. Free on public repos. + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "27 3 * * 1" + +permissions: + contents: read + security-events: write + actions: read + +concurrency: + group: codeql-${{ github.ref }} + cancel-in-progress: true + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 30 + strategy: + fail-fast: false + matrix: + language: [ javascript-typescript, python ] + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: none + queries: security-extended + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" From 97fd41d8cc9efc35fe4b26439df4e60059dbb1b3 Mon Sep 17 00:00:00 2001 From: jeremylongshore Date: Wed, 17 Jun 2026 21:08:42 -0600 Subject: [PATCH 2/2] ci: codeql.yml bracket spacing (yamllint max-spaces-inside:0) --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 215476f..cc6e964 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,7 +29,7 @@ jobs: strategy: fail-fast: false matrix: - language: [ javascript-typescript, python ] + language: [javascript-typescript, python] steps: - name: Checkout uses: actions/checkout@v4