feat: Weaver-based generator + IUpstreamConventions Nuke wiring

[ANcpLua]

Summary

Replaces the pure-JS Node generator with a Weaver-based pipeline lifted from qyl/eng/semconv, and bolts a Nuke build host implementing IUpstreamConventions from Nuke.OpenTelemetry.Conventions@0.1.0.

Why

The previous scripts/generate.mjs produced a 228-file shape that didn't match what the downstream consumer (@o-ancpplua/otel-conventions-api) actually needs (single otel-keys.gen.tsp). The Weaver pipeline at qyl/eng/semconv already produced the correct shape — this PR lifts it out so the producer/consumer contract is decoupled from qyl's release cadence.

What's in this PR

Generator (templates/, scripts/, lib/, test/)

• templates/registry/typespec/{weaver.yaml,otel-keys.gen.tsp.j2} — lifted from qyl, rebranded root_namespace to ANcpLua.OtelConventions.OTel.Keys, added trailing newline
• scripts/{bootstrap-weaver.sh,bootstrap-weaver.ps1,run-weaver.sh} — Bash↔PowerShell parity preserved, REPO_ROOT rebased, qyl-specific csharp_*/qyl passes dropped (only the upstream→typespec path remains)
• test/staging-dir-guard.test.sh — safety guard regression test for the rm -rf path
• lib/otel-keys.gen.tsp — generator output, checked in for verify-clean diff
• package.json flipped to public, version 1.41.0-1, no private: true, scripts: generate, verify-clean, lint:smoke, test, check

Nuke build host (build/)

• build/_build.csproj — net10.0, Nuke.Common 10.1.0 + Nuke.OpenTelemetry.Conventions 0.1.0
• build/Build.cs — implements IUpstreamConventions via explicit-interface; each target shells out to the matching scripts/*.sh; pins WeaverVersion to v0.23.0
• build/NuGet.config — points at https://nuget.pkg.github.com/O-ANcppLua/index.json for the shared Nuke component; nuget.org for everything else
• build.sh / build.cmd / .nuke/ / global.json — standard Nuke bootstrap

CI / publish

• .github/workflows/ci.yml — runs Weaver bootstrap → generate → verify-clean → lint:smoke → vitest → staging-guard regression → Nuke dotnet build + VerifyOtelKeysReproducible. Grants packages: read, passes GITHUB_ACTOR + GITHUB_TOKEN for the NuGet feed.
• .github/workflows/publish.yml — release-triggered npm publish to GitHub Packages with provenance; same hardening as the API repo (validated inputs.tag, prerelease → next auto-routing, no always-auth/no npm install fallback)

Byte-identity proof

The generated lib/otel-keys.gen.tsp is byte-identical to the consumer repo's current hand-copied artifact:

$ diff lib/otel-keys.gen.tsp ~/RiderProjects/ANcpLua.OtelConventions.Api/generated/otel-keys.gen.tsp
(no output — 113556 bytes match exactly)

This is the lockstep signal: once @ancplua/typespec-otel-semconv@1.41.0-1 publishes, the consumer can drop its hand-copied artifact and consume this package as a real npm dep.

Verification (all 9 gates green locally)

1. bash scripts/bootstrap-weaver.sh — Weaver v0.23.0 binary installed
2. bash scripts/run-weaver.sh — 1,648 lines / 707 consts emitted
3. byte-identity diff vs API repo ✅
4. npm run lint:smoke ✅ (tsp 1.12.0-dev.12)
5. npm run verify-clean ✅ (zero drift, zero untracked)
6. npm run test ✅ (vitest 4.1.6, 2/2: byte-identity + git-clean)
7. dotnet build build/_build.csproj -c Release ✅ (0 warn / 0 err)
8. ./build.sh GenerateOtelKeys ✅
9. ./build.sh (default VerifyOtelKeysReproducible) + bash test/staging-dir-guard.test.sh ✅ (3/3 guard tests PASS)

Test plan

• CI workflow goes green on this PR
• Cut a release v1.41.0-1 after merge to publish @ancplua/typespec-otel-semconv@1.41.0-1 to GitHub Packages
• Consumer (ANcpLua.OtelConventions.Api) then adds the npm dep and drops its hand-copied generated/otel-keys.gen.tsp (separate PR)
• qyl follows with namespace alignment + barrel swap (separate PR, already staged locally)

Versioning

{semconv-version}-{n} per the architecture sketch: this is 1.41.0-1 (semconv v1.41.0, first generator revision). Bumping semconv pin = bump 1.41.0 → 1.42.0, reset n to 1. Bumping generator code without semconv changes = increment n.

🤖 Generated with Claude Code

[coderabbitai]

Summary by CodeRabbit

Chores

• Implementiert automatisierte Continuous Integration zur Validierung von Änderungen bei Push und Pull Requests
• Konfiguriert automatisiertes Publishing von npm-Paketen zu GitHub Packages bei Release-Erstellung

Walkthrough

Zwei neue GitHub Actions Workflows wurden hinzugefügt: Der ci-Workflow validiert Code bei jedem Push auf main und bei Pull Requests, führt Linting, Tests und .NET-Builds aus. Der publish-Workflow veröffentlicht das npm-Paket in GitHub Packages bei Release-Events oder manuellem Trigger, einschliesslich Tag-Auflösung und Provenance-Attestation.

Changes

CI-Validierungs-Workflow

Layer / File(s)	Summary
Workflow-Trigger und Job-Setup .github/workflows/ci.yml (Zeilen 1–36)	Definiert den Trigger für push zu main und pull_request, setzt Read-Only-Permissions, Concurrency mit Abbruch und richtet Node.js v22 sowie .NET ein.
Abhängigkeits- und Bootstrapping-Schritte .github/workflows/ci.yml (Zeilen 37–48)	Installiert npm-Abhängigkeiten, bootstrapt Weaver, generiert Schlüssel und validiert einen sauberen Arbeitszustand via npm run verify-clean.
Validierungs- und Test-Ausführung .github/workflows/ci.yml (Zeilen 49–62)	Führt Lint-Smoke-Tests, Vitest-Suite, Regressionstests und .NET-Release-Build aus; überprüft abschliessend die Reproduzierbarkeit von OpenTelemetry-Schlüsseln.

Paket-Publishing-Workflow

Layer / File(s)	Summary
Workflow-Trigger und Publishing-Setup .github/workflows/publish.yml (Zeilen 1–30)	Definiert Trigger für release published und workflow_dispatch, setzt Package-Push-Permissions und Concurrency ohne Abbruch, richtet Node.js und .NET ein sowie GitHub Packages Registry für den @ancplua-Scope.
Validierungsschritte und Abhängigkeiten .github/workflows/publish.yml (Zeilen 31–60)	Prüft dass package.json nicht privat ist, installiert Abhängigkeiten, bootstrapt Weaver, regeneriert Schlüssel, führt Verifikation, Linting und Tests durch.
Dist-Tag-Auflösung und Publishing .github/workflows/publish.yml (Zeilen 61–92)	Berechnet validiert den npm Dist-Tag basierend auf Dispatch-Input oder Release-Status (prerelease vs. stable), veröffentlicht das Paket mit Provenance und GITHUB_TOKEN.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

area:infra

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Title check	❌ Error	Der Titel folgt der Conventional-Commits-Konvention mit dem Präfix 'feat' und liegt unter 72 Zeichen, beschreibt aber nicht den Scope korrekt laut Anforderung.	Nutze einen der erforderlichen Scopes: feat(dashboard|ingestion|mcp|loom|infra). Beispiel: 'feat(infra): Weaver-based generator and IUpstreamConventions Nuke wiring'.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description check	✅ Passed	Die Beschreibung ist detailliert und direkt auf die Änderungen im Changeset bezogen, behandelt den Übergang vom JS-Generator zum Weaver-Pipeline und die Nuke-Integration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Otel Instrumentation Required	✅ Passed	No DI-registered services added. Build.cs is Nuke build infrastructure, not application service. Custom check criterion not met—does not apply.
No Unbounded Mcp Responses	✅ Passed	PR contains no MCP tool definitions under src/qyl.mcp/. Check requires verification only when MCP tools are added or modified. No action required.
Duckdb Backpressure On Write Paths	✅ Passed	Die PR fügt keine DuckDB-Schreibpfade hinzu. Es ist ein Weaver-basierter Code-Generator für OTel-Semantik-Konventionen mit CI/CD und Nuke-Build. Keine Datenbankoperationen vorhanden.
Cancellationtoken Threading	✅ Passed	PR adds only one C# file (build/Build.cs) which contains no public async methods. All public methods are sync, and interface implementations are Target properties, not async methods.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 19-24: The job currently exposes GITHUB_PACKAGES_TOKEN at job
level (env: GITHUB_PACKAGES_TOKEN) making it available during npm ci and tests;
remove GITHUB_PACKAGES_TOKEN from the top-level env and instead inject it only
into the specific .NET/Nuke steps that need the NuGet feed by adding env:
GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }} to those steps (the steps
that run NuGet restore, dotnet restore, or Nuke tasks), ensuring npm ci/test
steps do not have access to that env var.

In @.github/workflows/publish.yml:
- Around line 6-12: Add a hard ref-guard that aborts manual publishes if the
workflow was triggered from a non-tag ref: check the event context
(workflow_dispatch) and verify GITHUB_REF or github.ref_name matches refs/tags/*
before performing any tag resolution or defaulting the tag input; if the ref
does not match refs/tags/*, exit early with a clear failure message to prevent
unintended "latest" publishes when the tag input is empty. Ensure this guard
runs prior to any logic that inspects or defaults the workflow_dispatch input
named "tag" and is applied consistently for the other publish sections
referenced (lines around the publish job logic).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c7f3f7d4-d0fc-4669-90c5-1c93a9e8f58e

📥 Commits

Reviewing files that changed from the base of the PR and between 1beeb7e and 7a706a4.

⛔ Files ignored due to path filters (280)

• .gitignore is excluded by none and included by none
• .gitmodules is excluded by none and included by none
• .nuke/parameters.json is excluded by none and included by none
• .tools/semconv-upstream is excluded by none and included by none
• .tools/semconv-upstream is excluded by none and included by none
• AGENTS.md is excluded by none and included by none
• README.md is excluded by none and included by none
• build.cmd is excluded by none and included by none
• build.sh is excluded by none and included by none
• build/Build.cs is excluded by none and included by none
• build/NuGet.config is excluded by none and included by none
• build/_build.csproj is excluded by none and included by none
• global.json is excluded by none and included by none
• lib/_decorators.tsp is excluded by none and included by none
• lib/_schema.tsp is excluded by none and included by none
• lib/android.entities.tsp is excluded by none and included by none
• lib/android.enums.tsp is excluded by none and included by none
• lib/android.tsp is excluded by none and included by none
• lib/anthropic.spans.tsp is excluded by none and included by none
• lib/app.entities.tsp is excluded by none and included by none
• lib/app.events.tsp is excluded by none and included by none
• lib/app.tsp is excluded by none and included by none
• lib/artifact.tsp is excluded by none and included by none
• lib/aspnetcore.enums.tsp is excluded by none and included by none
• lib/aspnetcore.metrics.tsp is excluded by none and included by none
• lib/aspnetcore.tsp is excluded by none and included by none
• lib/aws.entities.tsp is excluded by none and included by none
• lib/aws.enums.tsp is excluded by none and included by none
• lib/aws.spans.tsp is excluded by none and included by none
• lib/aws.tsp is excluded by none and included by none
• lib/az.events.tsp is excluded by none and included by none
• lib/az.tsp is excluded by none and included by none
• lib/azure.enums.tsp is excluded by none and included by none
• lib/azure.events.tsp is excluded by none and included by none
• lib/azure.metrics.tsp is excluded by none and included by none
• lib/azure.spans.tsp is excluded by none and included by none
• lib/azure.tsp is excluded by none and included by none
• lib/browser.entities.tsp is excluded by none and included by none
• lib/browser.events.tsp is excluded by none and included by none
• lib/browser.tsp is excluded by none and included by none
• lib/cassandra.enums.tsp is excluded by none and included by none
• lib/cassandra.tsp is excluded by none and included by none
• lib/cicd.entities.tsp is excluded by none and included by none
• lib/cicd.enums.tsp is excluded by none and included by none
• lib/cicd.metrics.tsp is excluded by none and included by none
• lib/cicd.spans.tsp is excluded by none and included by none
• lib/cicd.tsp is excluded by none and included by none
• lib/cli.spans.tsp is excluded by none and included by none
• lib/client.tsp is excluded by none and included by none
• lib/cloud.entities.tsp is excluded by none and included by none
• lib/cloud.enums.tsp is excluded by none and included by none
• lib/cloud.tsp is excluded by none and included by none
• lib/cloudevents.tsp is excluded by none and included by none
• lib/cloudfoundry.entities.tsp is excluded by none and included by none
• lib/cloudfoundry.tsp is excluded by none and included by none
• lib/code.tsp is excluded by none and included by none
• lib/container.entities.tsp is excluded by none and included by none
• lib/container.enums.tsp is excluded by none and included by none
• lib/container.metrics.tsp is excluded by none and included by none
• lib/container.tsp is excluded by none and included by none
• lib/cpu.enums.tsp is excluded by none and included by none
• lib/cpu.metrics.tsp is excluded by none and included by none
• lib/cpu.tsp is excluded by none and included by none
• lib/cpython.enums.tsp is excluded by none and included by none
• lib/cpython.metrics.tsp is excluded by none and included by none
• lib/cpython.tsp is excluded by none and included by none
• lib/db.enums.tsp is excluded by none and included by none
• lib/db.events.tsp is excluded by none and included by none
• lib/db.metrics.tsp is excluded by none and included by none
• lib/db.spans.tsp is excluded by none and included by none
• lib/db.tsp is excluded by none and included by none
• lib/deployment.entities.tsp is excluded by none and included by none
• lib/deployment.enums.tsp is excluded by none and included by none
• lib/deployment.tsp is excluded by none and included by none
• lib/destination.tsp is excluded by none and included by none
• lib/device.entities.tsp is excluded by none and included by none
• lib/device.events.tsp is excluded by none and included by none
• lib/device.tsp is excluded by none and included by none
• lib/disk.enums.tsp is excluded by none and included by none
• lib/disk.tsp is excluded by none and included by none
• lib/dns.metrics.tsp is excluded by none and included by none
• lib/dns.tsp is excluded by none and included by none
• lib/dotnet.enums.tsp is excluded by none and included by none
• lib/dotnet.metrics.tsp is excluded by none and included by none
• lib/dotnet.spans.tsp is excluded by none and included by none
• lib/dotnet.tsp is excluded by none and included by none
• lib/dynamodb.spans.tsp is excluded by none and included by none
• lib/elasticsearch.tsp is excluded by none and included by none
• lib/enduser.tsp is excluded by none and included by none
• lib/error.enums.tsp is excluded by none and included by none
• lib/error.tsp is excluded by none and included by none
• lib/event.tsp is excluded by none and included by none
• lib/exception.events.tsp is excluded by none and included by none
• lib/exception.tsp is excluded by none and included by none
• lib/faas.entities.tsp is excluded by none and included by none
• lib/faas.enums.tsp is excluded by none and included by none
• lib/faas.events.tsp is excluded by none and included by none
• lib/faas.metrics.tsp is excluded by none and included by none
• lib/faas.spans.tsp is excluded by none and included by none
• lib/faas.tsp is excluded by none and included by none
• lib/feature_flag.enums.tsp is excluded by none and included by none
• lib/feature_flag.events.tsp is excluded by none and included by none
• lib/feature_flag.tsp is excluded by none and included by none
• lib/file.tsp is excluded by none and included by none
• lib/gcp.entities.tsp is excluded by none and included by none
• lib/gcp.enums.tsp is excluded by none and included by none
• lib/gcp.tsp is excluded by none and included by none
• lib/gen_ai.enums.tsp is excluded by none and included by none
• lib/gen_ai.events.tsp is excluded by none and included by none
• lib/gen_ai.metrics.tsp is excluded by none and included by none
• lib/gen_ai.spans.tsp is excluded by none and included by none
• lib/gen_ai.tsp is excluded by none and included by none
• lib/geo.enums.tsp is excluded by none and included by none
• lib/geo.tsp is excluded by none and included by none
• lib/go.enums.tsp is excluded by none and included by none
• lib/go.metrics.tsp is excluded by none and included by none
• lib/go.tsp is excluded by none and included by none
• lib/graphql.enums.tsp is excluded by none and included by none
• lib/graphql.spans.tsp is excluded by none and included by none
• lib/graphql.tsp is excluded by none and included by none
• lib/heroku.entities.tsp is excluded by none and included by none
• lib/heroku.tsp is excluded by none and included by none
• lib/host.entities.tsp is excluded by none and included by none
• lib/host.enums.tsp is excluded by none and included by none
• lib/host.tsp is excluded by none and included by none
• lib/http.enums.tsp is excluded by none and included by none
• lib/http.events.tsp is excluded by none and included by none
• lib/http.metrics.tsp is excluded by none and included by none
• lib/http.spans.tsp is excluded by none and included by none
• lib/http.tsp is excluded by none and included by none
• lib/hw.enums.tsp is excluded by none and included by none
• lib/hw.metrics.tsp is excluded by none and included by none
• lib/hw.tsp is excluded by none and included by none
• lib/ios.enums.tsp is excluded by none and included by none
• lib/ios.tsp is excluded by none and included by none
• lib/jsonrpc.tsp is excluded by none and included by none
• lib/jvm.enums.tsp is excluded by none and included by none
• lib/jvm.metrics.tsp is excluded by none and included by none
• lib/jvm.tsp is excluded by none and included by none
• lib/k8s.entities.tsp is excluded by none and included by none
• lib/k8s.enums.tsp is excluded by none and included by none
• lib/k8s.metrics.tsp is excluded by none and included by none
• lib/k8s.tsp is excluded by none and included by none
• lib/kestrel.metrics.tsp is excluded by none and included by none
• lib/linux.enums.tsp is excluded by none and included by none
• lib/linux.tsp is excluded by none and included by none
• lib/log.enums.tsp is excluded by none and included by none
• lib/log.tsp is excluded by none and included by none
• lib/main.tsp is excluded by none and included by none
• lib/mainframe.tsp is excluded by none and included by none
• lib/mcp.enums.tsp is excluded by none and included by none
• lib/mcp.metrics.tsp is excluded by none and included by none
• lib/mcp.spans.tsp is excluded by none and included by none
• lib/mcp.tsp is excluded by none and included by none
• lib/message.enums.tsp is excluded by none and included by none
• lib/message.tsp is excluded by none and included by none
• lib/messaging.enums.tsp is excluded by none and included by none
• lib/messaging.events.tsp is excluded by none and included by none
• lib/messaging.metrics.tsp is excluded by none and included by none
• lib/messaging.tsp is excluded by none and included by none
• lib/net.enums.tsp is excluded by none and included by none
• lib/net.tsp is excluded by none and included by none
• lib/network.enums.tsp is excluded by none and included by none
• lib/network.tsp is excluded by none and included by none
• lib/nfs.metrics.tsp is excluded by none and included by none
• lib/nfs.tsp is excluded by none and included by none
• lib/nodejs.enums.tsp is excluded by none and included by none
• lib/nodejs.metrics.tsp is excluded by none and included by none
• lib/nodejs.tsp is excluded by none and included by none
• lib/oci.tsp is excluded by none and included by none
• lib/onc_rpc.tsp is excluded by none and included by none
• lib/openai.enums.tsp is excluded by none and included by none
• lib/openai.spans.tsp is excluded by none and included by none
• lib/openai.tsp is excluded by none and included by none
• lib/openshift.entities.tsp is excluded by none and included by none
• lib/openshift.metrics.tsp is excluded by none and included by none
• lib/openshift.tsp is excluded by none and included by none
• lib/opentracing.enums.tsp is excluded by none and included by none
• lib/opentracing.tsp is excluded by none and included by none
• lib/oracle.tsp is excluded by none and included by none
• lib/oracle_cloud.tsp is excluded by none and included by none
• lib/os.entities.tsp is excluded by none and included by none
• lib/os.enums.tsp is excluded by none and included by none
• lib/os.tsp is excluded by none and included by none
• lib/otel-keys.gen.tsp is excluded by none and included by none
• lib/otel.entities.tsp is excluded by none and included by none
• lib/otel.enums.tsp is excluded by none and included by none
• lib/otel.metrics.tsp is excluded by none and included by none
• lib/otel.tsp is excluded by none and included by none
• lib/peer.tsp is excluded by none and included by none
• lib/pool.tsp is excluded by none and included by none
• lib/pprof.tsp is excluded by none and included by none
• lib/process.entities.tsp is excluded by none and included by none
• lib/process.enums.tsp is excluded by none and included by none
• lib/process.metrics.tsp is excluded by none and included by none
• lib/process.tsp is excluded by none and included by none
• lib/profile.enums.tsp is excluded by none and included by none
• lib/profile.tsp is excluded by none and included by none
• lib/rpc.enums.tsp is excluded by none and included by none
• lib/rpc.events.tsp is excluded by none and included by none
• lib/rpc.metrics.tsp is excluded by none and included by none
• lib/rpc.spans.tsp is excluded by none and included by none
• lib/rpc.tsp is excluded by none and included by none
• lib/security_rule.tsp is excluded by none and included by none
• lib/server.tsp is excluded by none and included by none
• lib/service.entities.tsp is excluded by none and included by none
• lib/service.enums.tsp is excluded by none and included by none
• lib/service.tsp is excluded by none and included by none
• lib/session.events.tsp is excluded by none and included by none
• lib/session.tsp is excluded by none and included by none
• lib/signalr.enums.tsp is excluded by none and included by none
• lib/signalr.metrics.tsp is excluded by none and included by none
• lib/signalr.tsp is excluded by none and included by none
• lib/source.tsp is excluded by none and included by none
• lib/state.enums.tsp is excluded by none and included by none
• lib/state.tsp is excluded by none and included by none
• lib/system.enums.tsp is excluded by none and included by none
• lib/system.metrics.tsp is excluded by none and included by none
• lib/system.tsp is excluded by none and included by none
• lib/telemetry.entities.tsp is excluded by none and included by none
• lib/telemetry.enums.tsp is excluded by none and included by none
• lib/telemetry.tsp is excluded by none and included by none
• lib/test.enums.tsp is excluded by none and included by none
• lib/test.tsp is excluded by none and included by none
• lib/thread.tsp is excluded by none and included by none
• lib/tls.enums.tsp is excluded by none and included by none
• lib/tls.tsp is excluded by none and included by none
• lib/url.tsp is excluded by none and included by none
• lib/user.tsp is excluded by none and included by none
• lib/user_agent.enums.tsp is excluded by none and included by none
• lib/user_agent.tsp is excluded by none and included by none
• lib/v8js.enums.tsp is excluded by none and included by none
• lib/v8js.metrics.tsp is excluded by none and included by none
• lib/v8js.tsp is excluded by none and included by none
• lib/vcs.entities.tsp is excluded by none and included by none
• lib/vcs.enums.tsp is excluded by none and included by none
• lib/vcs.metrics.tsp is excluded by none and included by none
• lib/vcs.tsp is excluded by none and included by none
• lib/webengine.entities.tsp is excluded by none and included by none
• lib/webengine.tsp is excluded by none and included by none
• lib/zos.entities.tsp is excluded by none and included by none
• lib/zos.tsp is excluded by none and included by none
• package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json and included by none
• package.json is excluded by none and included by none
• scripts/bootstrap-weaver.ps1 is excluded by none and included by none
• scripts/bootstrap-weaver.sh is excluded by none and included by none
• scripts/generate.mjs is excluded by none and included by none
• scripts/run-weaver.sh is excluded by none and included by none
• src/generated/deprecated-keys.ts is excluded by !**/generated/** and included by src/**
• src/generated/entity-identifying.ts is excluded by !**/generated/** and included by src/**
• src/generated/enum-keyed-attrs.ts is excluded by !**/generated/** and included by src/**
• src/generated/known-domains.ts is excluded by !**/generated/** and included by src/**
• src/generated/metric-triplets.ts is excluded by !**/generated/** and included by src/**
• templates/registry/typespec/otel-keys.gen.tsp.j2 is excluded by none and included by none
• templates/registry/typespec/weaver.yaml is excluded by none and included by none
• test/__snapshots__/library-structure.json is excluded by none and included by none
• test/__snapshots__/openapi3-smoke.yaml is excluded by none and included by none
• test/deprecation.tsp is excluded by none and included by none
• test/global-setup.ts is excluded by none and included by none
• test/lint.bad.tsp is excluded by none and included by none
• test/lint.deprecated.tsp is excluded by none and included by none
• test/lint.enum.tsp is excluded by none and included by none
• test/lint.metric.tsp is excluded by none and included by none
• test/lint.test.ts is excluded by none and included by none
• test/openapi3.tsp is excluded by none and included by none
• test/regen.test.ts is excluded by none and included by none
• test/rules/no-deprecated-otel-key.rule.test.ts is excluded by none and included by none
• test/rules/prefer-otel-key.rule.test.ts is excluded by none and included by none
• test/setup.ts is excluded by none and included by none
• test/smoke.tsp is excluded by none and included by none
• test/snapshot.test.ts is excluded by none and included by none
• test/staging-dir-guard.test.sh is excluded by none and included by none
• test/tester.ts is excluded by none and included by none
• test/validate.entity.tsp is excluded by none and included by none
• test/validate.entity.valid.tsp is excluded by none and included by none
• test/validate.schema-url.tsp is excluded by none and included by none
• test/validate.schema-url.valid.tsp is excluded by none and included by none
• tsconfig.json is excluded by none and included by none
• tspconfig.yaml is excluded by none and included by none
• vitest.config.ts is excluded by none and included by none

📒 Files selected for processing (11)

• .github/workflows/ci.yml
• .github/workflows/publish.yml
• src/decorators.ts
• src/index.ts
• src/lib.ts
• src/rules/_shared.ts
• src/rules/enum-typed-value.rule.ts
• src/rules/metric-triplet-bound.rule.ts
• src/rules/no-deprecated-otel-key.rule.ts
• src/rules/prefer-otel-key.rule.ts
• src/validate.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

.github/**

⚙️ CodeRabbit configuration file

GitHub Actions workflows. Review for: action version pinning (use SHA not tags for third-party actions), proper secret handling (no secrets in logs, use GITHUB_TOKEN where possible), unnecessary workflow triggers, and job dependency correctness. Flag missing concurrency groups on push-triggered workflows. Ensure matrix strategies cover the supported .NET TFMs.

Files:

• .github/workflows/publish.yml
• .github/workflows/ci.yml

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: Pin upstream semantic conventions version (`v1.41.0`), Weaver version (`v0.23.0`), and submodule commit (`e018fe6f`) together in `package.json#metadata`, `templates/registry/typespec/weaver.yaml`, and `bootstrap-weaver.{sh,ps1}`. All four must move together when bumping the upstream pin.

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: This repo emits only `lib/otel-keys.gen.tsp` as its single artifact. All code must serve byte-reproducibility of this one file. The 228-file shape from the old pure-JS implementation is removed deliberately.

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: Use Bash and PowerShell scripts (`scripts/*.sh`) as the canonical pipeline. Shell scripts are the authoritative source for runtime behavior, including Weaver version, platform mapping, staging directory configuration, and install permissions.

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: Template files (`templates/registry/typespec/`) are authoritative for the TypeSpec output shape, namespace, include set, and identifier rules. The Jinja template (`otel-keys.gen.tsp.j2`) and Weaver configuration (`weaver.yaml`) define the projection schema.

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: Upstream YAML files at `.tools/semconv-upstream/model/**/*.{yaml,yml}` are authoritative for attribute names, briefs, stability status, and deprecation information. Do not override or redefine these in generated code.

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: Ensure `npm run verify-clean` and the regen vitest pass on every commit. If a template or script change produces a different byte sequence, bump `package.json#version` as `{semconv}-{n+1}` and commit the updated `lib/otel-keys.gen.tsp`.

Learnt from: CR
Repo: ANcpLua/typespec-otel-semconv

Timestamp: 2026-05-12T13:53:05.946Z
Learning: Do not add qyl-specific code, models, C# SDK constants, Markdown documentation, or SQL column templates to this repo. Only registry-agnostic templates and generation logic belong here.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Secrets auf Step-Ebene begrenzen, nicht jobweit setzen.

GITHUB_PACKAGES_TOKEN ist aktuell auch während npm ci und Tests verfügbar; bitte nur in den .NET/Nuke-Schritten injizieren, die den NuGet-Feed wirklich benötigen.

Vorschlag (Least-Privilege)

   check:
     runs-on: ubuntu-latest
-    env:
-      # build/NuGet.config has the org GitHub Packages NuGet feed as a packageSource
-      # and reads these env vars in its <packageSourceCredentials> section.
-      GITHUB_ACTOR: ${{ github.actor }}
-      GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
@@
       - name: Nuke build (compile)
         run: dotnet build build/_build.csproj -c Release
+        env:
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@
       - name: Nuke VerifyOtelKeysReproducible
         run: ./build.sh VerifyOtelKeysReproducible
+        env:
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}

As per coding guidelines "proper secret handling (no secrets in logs, use GITHUB_TOKEN where possible)".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 19 - 24, The job currently exposes
GITHUB_PACKAGES_TOKEN at job level (env: GITHUB_PACKAGES_TOKEN) making it
available during npm ci and tests; remove GITHUB_PACKAGES_TOKEN from the
top-level env and instead inject it only into the specific .NET/Nuke steps that
need the NuGet feed by adding env: GITHUB_PACKAGES_TOKEN: ${{
secrets.GITHUB_TOKEN }} to those steps (the steps that run NuGet restore, dotnet
restore, or Nuke tasks), ensuring npm ci/test steps do not have access to that
env var.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Manueller Publish braucht einen Ref-Guard auf Git-Tags.

workflow_dispatch kann aktuell von Branches laufen; in Kombination mit leerem Input endet das schnell in einem unbeabsichtigten latest-Publish. Bitte vor dem Tag-Resolve auf refs/tags/* hart abbrechen.

Vorschlag (fail-fast bei nicht-Tag-Refs)

       - name: Resolve npm dist-tag
         shell: bash
         env:
           DISPATCH_TAG: ${{ inputs.tag }}
           IS_PRERELEASE: ${{ github.event.release.prerelease }}
           EVENT_NAME: ${{ github.event_name }}
         run: |
           set -euo pipefail
+          if [ "$EVENT_NAME" = "workflow_dispatch" ] && [[ "${GITHUB_REF:-}" != refs/tags/* ]]; then
+            echo "::error::workflow_dispatch publish is only allowed from tag refs (refs/tags/*)."
+            exit 1
+          fi
           if [ "$EVENT_NAME" = "workflow_dispatch" ] && [ -n "$DISPATCH_TAG" ]; then
             dist_tag="$DISPATCH_TAG"
           elif [ "$IS_PRERELEASE" = "true" ]; then
             dist_tag="next"
           else
             dist_tag="latest"
           fi

As per coding guidelines "unnecessary workflow triggers".

Also applies to: 66-87

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 6 - 12, Add a hard ref-guard that
aborts manual publishes if the workflow was triggered from a non-tag ref: check
the event context (workflow_dispatch) and verify GITHUB_REF or github.ref_name
matches refs/tags/* before performing any tag resolution or defaulting the tag
input; if the ref does not match refs/tags/*, exit early with a clear failure
message to prevent unintended "latest" publishes when the tag input is empty.
Ensure this guard runs prior to any logic that inspects or defaults the
workflow_dispatch input named "tag" and is applied consistently for the other
publish sections referenced (lines around the publish job logic).