* fix: limit claude code review to PR creation and @claude comments
Reduces unnecessary action runs and token usage by only triggering the
review on initial PR open, and re-running when @claude is mentioned.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: restrict @claude trigger to trusted contributors
Only repo owners, org members, and collaborators can invoke the review
via @claude comments, preventing external users from consuming token quota.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: consolidate claude workflows and auto-run on PR creation
Remove separate claude-code-review.yml and add pull_request trigger
to claude.yml so it runs automatically on PR open without needing
@claude in the body.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: restore author_association guard on issue_comment trigger
The consolidation commit dropped the author_association check from the
issue_comment condition. Without it, any external commenter could invoke
Claude and consume token quota. Restores the guard to limit triggers to
OWNER, MEMBER, and COLLABORATOR.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: apply author_association guard to review comment triggers
Extends the OWNER/MEMBER/COLLABORATOR check to pull_request_review_comment
and pull_request_review events, preventing external users from triggering
Claude via review comments.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: new onboarding flow
* feat: co-ordinate the sign in and import hints
* fix: ux on step one
* fix: make custom option friendlier
* feat: added required fields
* feat: setup step two redirection
* fix: remove copy url button
* feat: store profile info from onboarding
* feat: sync onboarding profile to api
* feat: show confetti when the onboarding completes
* fix: change the options in onboarding demo
* feat: setup missing analytics events
* fix: lint issues
* ci: fix typescript error
* fix: sign in hint
This workflow runs a daily security audit on the codebase, checking for vulnerabilities and sending the results to Slack. It includes steps for checking out the code, setting up Bun, installing dependencies, running the audit, parsing results, and notifying via Slack.
* ci: update dependabot to focus on security
Added open-pull-requests-limit, enabled beta ecosystems (for bun support) and only allow security updates
* chore: fix whitespaces
* ci: update dependency groups to only apply to security-updates
* monorepo: core
* monorepo: tools and server
* mono: repo refactor
* moved tests, removed old files
* update server tests
* agent server location and TBD
* fix formatting
* add new workflows
* rename core to common, mcp-server to mcp, agent-server to agent
* remove nodejs tests
* test: add simple GitHub Actions workflow for running tests on PR
* test workflow
* feat: add test coverage reporting to GitHub Actions workflow
- Run tests with --coverage flag to generate coverage reports
- Display coverage summary in PR comments
- Upload coverage artifacts for analysis
- Show coverage in GitHub Actions summary
* simple test workflow