ci(deps): bump github/codeql-action from 3 to 4#4
Closed
dependabot[bot] wants to merge 20 commits into
Closed
Conversation
…ontracts, three-layer validation framework, quality criteria, failure modes
…r manual, configurable triggers, failure-isolated, bounded latency (72 tests pass)
…-preserved misses (77 tests pass)
…all p95 under 50ms architecture target
… context keywords match (81 tests pass)
…y, completes action-time injection coverage (87 tests pass)
…corruption warnings (90 tests pass)
…dd CMA_FM_CLASSIFIER plugin hook, document loose-coupling pattern (98 tests pass)
Whetstone is committed to commercial; it does not belong with the open Clarethium reference artifacts in the 'Clarethium body' section. 'Three reference artifacts' becomes 'two open reference artifacts'; Whetstone bullet removed; Touchstone and Lodestone remain. cma's role as Lodestone companion is unchanged. Signed-off-by: Lovro Lucic <11740211+lluvr@users.noreply.github.com>
- ARCHITECTURE.md sections were 8, 10, 11; renumber to 8, 9, 10 contiguous - Update cross-references in README.md, CHANGELOG.md, cma script - Add corruption warning to recurrence and behavior query paths so all four Python heredocs print "cma: skipped N corrupted line(s)..." consistently - README test count: 77 to 98 cases (current actual)
Two stale claims in the Roadmap section. The shell wrapper integration was described as "in development" but ships in hooks/cma-pre and the README earlier sections document its zsh and bash usage in detail. The "Beyond 1.0" list also incorrectly included the shell wrapper. Roadmap now reflects shipped state: action-time injection ships for Claude Code (PreToolUse and SessionStart hooks) and for shell environments (zsh native preexec, bash via bash-preexec). The Beyond 1.0 list is trimmed to genuinely-pending items: counterfactual capture analysis, per-project data scoping, recency-weighted surface ranking.
Adds the Model Context Protocol distribution layer for cma's
compound practice loop. cma-mcp lives under cma-mcp/ as a sibling
component to the bash CLI; both ship from this repository under
one Apache-2.0 license, one governance model, one issue tracker,
with independent release cadence (cma-1.x and cma-mcp-0.x).
Component (cma-mcp/):
- mcp_server.py + mcp_protocol.py: MCP over stdio, manual
JSON-RPC 2.0 (no SDK dependency, DECISIONS AD-001)
- mcp_schema.py + mcp_resources.py + mcp_compose.py: 7 tools
mirroring bash cma's primitives, 4 resources, three-section
payload (analysis + agent_guidance + provenance)
- cma_subprocess.py + cma_jsonl.py: subprocess wrapper around
bash cma (DECISIONS AD-004 argv-array, AD-003 5s timeout) and
JSONL reader matching cma's DATA.md schema (AD-002)
- mcp_log.py: stderr-only logging
- tests/: 34 cases covering protocol conformance, three-section
payload determinism, JSONL parsing tolerance, and subprocess
isolation including an argv-injection-resistance probe
- docs/: MCP_SERVER reference, ANTICIPATED_CRITIQUES (10
enumerated adversarial readings), VALIDATION_PROGRAM (three
pre-registered validation layers)
- pyproject.toml: zero runtime deps; PyPI package 'cma-mcp'
- README.md: PyPI-facing quickstart
- CHANGELOG.md: independent release history
Project-level (repository root):
- STRATEGY.md: durable decisions DD-1..DD-7 (subprocess wrapper,
no SDK dep, bash+WSL stance, methodology-agnostic substrate,
three-section payload, schema parity, Apache-2.0+CC-BY-4.0)
- DECISIONS.md: architectural log AD-001..AD-007 for the MCP
component
- GOVERNANCE.md: BDFL governance, named curator, covers entire
repo
- CONTRIBUTING.md: DCO sign-off, file layout for both bash and
Python paths
- SECURITY.md: threat model covering both components
- CITATION.cff: cite cma 1.0 (primary citable artifact)
- NOTICE: per-component licensing summary
- .gitignore: covers Python build artifacts
CI (.github/workflows/):
- tests-mcp.yml: pytest matrix on Python 3.10/3.11/3.12, scoped
to cma-mcp/** changes
- dco-check.yml: Signed-off-by enforcement (entire repo)
- codeql.yml: security-and-quality scan (Python in cma-mcp/)
- PULL_REQUEST_TEMPLATE.md and ISSUE_TEMPLATE/ for both
components
cma's existing surface (cma binary, hooks, test.sh, bench.sh,
DESIGN.md, ARCHITECTURE.md, DATA.md, CHANGELOG.md, README.md)
unchanged in scope; README.md gains a cma-mcp pointer section.
Signed-off-by: Lovro Lucic <11740211+lluvr@users.noreply.github.com>
… CI coverage
Six gap-fixes from a fresh-eyes pass on the consolidated repo:
1. Fix stale Clarethium/cma-mcp URLs in two places:
- CONTRIBUTING.md issue link → Clarethium/cma/issues with [cma]/
[cma-mcp] prefix guidance
- mcp_compose.py citation string → monorepo subdirectory URL
(the citation appears in every payload's provenance block)
2. cma_version() is now robust to forks/versions that lack the
--version flag. Tries --version first (canonical cma's
documented surface); falls back to scanning 'cma help' output
for a 'Version X.Y.Z' line. Empirical verification: the
operator's locally-diverged cma 1.1.0 (subcommand-only) now
surfaces correctly in the install fingerprint as 'cma 1.1.0'
instead of null.
3. Apache-2.0 §4(d) wheel compliance: bundle LICENSE and NOTICE
in cma-mcp/. Declared via pyproject.toml [tool.setuptools]
license-files so setuptools writes them to the wheel's
dist-info/licenses/ directory. Verified: built wheel carries
both files.
4. Convert cma-mcp/README.md cross-component links from relative
../*.md to absolute github.com URLs. Relative parent paths
render as broken links on PyPI; absolute URLs work both on
PyPI and on GitHub.
5. tests-mcp.yml now installs the in-repo cma binary to PATH
before running pytest. Without this, the argv-injection-
resistance probe and every other subprocess-bound test
silently skipped via the cma_binary_available fixture --- a
coverage gap masquerading as green CI. Adds a smoke step
('cma --version') to fail-fast if the binary is broken.
6. CONTRIBUTING.md no longer references a nonexistent
tests/test_mcp_adversarial.py file. The actual coverage
layout (test_mcp_server / test_resources / test_subprocess /
test_payload_determinism) is named accurately so contributors
know where adversarial cases land.
Signed-off-by: Lovro Lucic <11740211+lluvr@users.noreply.github.com>
The prior commit consolidated cma-mcp into Clarethium/cma as a
subdirectory after explicit reasoning with the operator. The
decision deserves to land in the durable record:
- DECISIONS.md AD-008 records the monorepo choice, the wrapper-of
vs substrate-uses distinction that drives it, the trade-offs
accepted, and the reversibility path via git filter-repo.
- cma-mcp/docs/ANTICIPATED_CRITIQUES.md C-11 enumerates the
adversarial reading ('monorepos rot') and answers it with the
structural argument plus a concrete worked example of drift
the consolidation prevents (revisit_after_date hypothetical).
Pinned by the project's construct-honesty discipline: a decision
this load-bearing should be visible to a reader who has never
been part of the conversation that produced it.
Signed-off-by: Lovro Lucic <11740211+lluvr@users.noreply.github.com>
test.sh:266 SC1003: replace 'with \backslashes\' with concatenation
'with \backslashes'\\ — same argv ('with \backslashes\') without the
\' inside-single-quotes pattern shellcheck (rightly) warns about.
bench.sh:63 SC2207: replace IFS-and-array-splat with mapfile -t to
read sorted lines without word-splitting. Drops the now-unneeded
unset IFS.
hooks/cma-pre:89 SC2221/SC2222: drop the redundant *oauth* alternative
from the auth surface case — *auth* already matches it (oauth contains
auth), making the explicit pattern dead code. Behavior preserved.
All 98 bash tests pass; shellcheck runs clean across cma, test.sh,
bench.sh, and the three hooks under set -e.
Signed-off-by: Lovro Lucic <11740211+lluvr@users.noreply.github.com>
Closes the install-fingerprint trust gap on the PyPI install path
and adds the missing release plumbing.
git_sha bake (closes the PyPI fingerprint degradation):
cma-mcp's install fingerprint advertises forensic traceability
('lets an operator confirm the cma-mcp install configured in
their MCP client is the expected one'), but the existing runtime
probe only worked in development clones — after pip install from
a wheel, .git was gone and git_sha silently dropped to null.
setup.py now writes _build_info.py with the SHA at build time.
Resolution order: CMA_MCP_BUILD_SHA env var (CI sets it to
GITHUB_SHA so PEP 517 build isolation does not strip the
context), git rev-parse on the source tree (editable install),
empty string. The runtime _git_sha() in mcp_server.py prefers
the live probe and falls back to BUILD_GIT_SHA. Two new tests
pin both code paths.
Publish workflow (.github/workflows/publish-mcp.yml):
Mirrors frame-check-mcp's pattern with cma-mcp adaptations:
cma-mcp-X.Y.Z tag trigger, version-sync gate (tag = pyproject =
SERVER_VERSION), build with env-var SHA injection, twine
validation, wheel-content audit (modules + license-files), clean
venv smoke install verifying the baked SHA. PyPI / TestPyPI
upload jobs are present but commented out — the lift checklist
in the workflow header gates publication on Zenodo DOI
allocation and a final pre-flight pass.
CI smoke step in tests-mcp.yml:
Build the wheel + sdist on every push (with CMA_MCP_BUILD_SHA),
install into a clean venv, exercise --help and --version, and
fail loudly if the baked SHA is missing or the entry point is
broken. Catches packaging regressions the editable-install
pytest path cannot see.
CI badges:
README and cma-mcp/README surface the live workflow status
(tests, tests-mcp, codeql) so operators see project health at
a glance instead of trusting prose claims.
CHANGELOG:
cma-mcp/CHANGELOG.md documents the bake mechanism, the publish
workflow, the CI smoke step, and updates the test count from
~30 to 36 cases.
Signed-off-by: Lovro Lucic <11740211+lluvr@users.noreply.github.com>
…oubleshooting, latency bench, validation framing Second pass of the publication-readiness lift, covering the remaining real gaps from the fresh-eyes audit. Test coverage: tests/test_mcp_wire.py spawns cma-mcp as a real subprocess and exchanges JSON-RPC over stdin/stdout pipes. 12 cases pin the initialize handshake, catalog discovery, error-envelope discipline, framing robustness, and end-to-end tool dispatch. Total pytest count: 48. Documentation: docs/ARCHITECTURE.md is the missing module map; docs/FAQ.md addresses conceptual questions and per-client install configs; docs/TROUBLESHOOTING.md leads with a four-command diagnostic loop. Latency benchmark (bench.py): mirrors bash cma's bench.sh shape; confirms empirically that the wrapper itself adds essentially zero overhead over the bash CLI it wraps. Validation framing (VALIDATION_PROGRAM.md): new 'Interim evidence' section publishes the single-operator pilot data honestly. N=1 operator, ~150 days continuous capture; names what compounds verifiably and what does not.
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v3...v4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
lluvr
force-pushed
the
main
branch
2 times, most recently
from
ac00f04 to
4b4ee97
Compare
lluvr
force-pushed
the
dependabot/github_actions/github/codeql-action-4
branch
from
2969ee6 to
0099a33
Compare
lluvr
force-pushed
the
main
branch
2 times, most recently
from
1cbba64 to
535ead0
Compare
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps github/codeql-action from 3 to 4.
Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
5145c11Bump ruby/setup-ruby7108503Bump@ava/typescriptfrom 6.0.0 to 7.0.04fe9b1eMerge pull request #3856 from github/henrymercer/overlay-add-log-group56733fbAdd log group for downloading overlay-base DB0a63608Add GHES 3.21 to supported versions table97be3afDeprecate CodeQL versions 2.19.3 and earlierDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)