chore: add agentic coding quality gates #15
Open
deferredreward wants to merge 4 commits into unfoldingWord:main from
Conversation
- Replace bypassPermissions with explicit tool allowlists in .claude/settings.json so Claude can only run approved commands
- Expand CLAUDE.md from minimal 12-line file to full guardrail coverage (push rules, deploy rules, merge rules, commit rules, verification workflow, post-push workflow, PR review handling)
- Add gitleaks secret scanning and npm dependency audit to pre-commit hook
- Add gitleaks secret-scan job to CI workflow

Brings web-client to parity with worker and admin-portal.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gitleaks-action@v2 requires a paid GITLEAKS_LICENSE for org repos. Local pre-commit hook handles secret scanning without a license.
- Add || exit 1 after gitleaks commands so secret detection actually prevents the commit from proceeding
- Remove npm audit from pre-commit — transitive deps with no available fix can lock out all devs. CI already runs this check.
- Remove .claude/settings.json from version control (already in .gitignore)
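To illustrate the first point of that commit, here is an added example (not a hook from this PR or the unfoldingWord repositories): a minimal sh hook showing why the scanner's exit status has to be propagated with || exit 1. The fake_gitleaks function and the FAKE_SECRET= marker are constructed stand-ins for the real gitleaks call so it runs offline.

```shell
#!/bin/sh
# Added example: a pre-commit hook only blocks the commit if it exits non-zero.
# The hook's exit status is that of its LAST command, so a failing scanner that
# is followed by another step (lint, tests) is silently ignored unless the
# failure is propagated with `|| exit 1`.

# Constructed stand-in for a real call such as `gitleaks protect --staged`.
# It "scans" the string it is given instead of the git index and fails when a
# constructed secret marker is present.
fake_gitleaks() {
  if printf '%s' "$1" | grep -q 'FAKE_SECRET='; then
    echo "gitleaks: leak detected" >&2
    return 1
  fi
  return 0
}

# Broken hook shape: the scanner's failure is swallowed because the lint step
# runs afterwards and succeeds, so the hook as a whole exits 0.
hook_without_guard() {
  fake_gitleaks "$1"
  echo "lint: ok"          # last command -> hook status 0 -> commit proceeds
}

# Fixed hook shape from the commit: abort immediately when the scanner fails.
hook_with_guard() {
  fake_gitleaks "$1" || exit 1
  echo "lint: ok"
}

# Run a hook body in a subshell, exactly as git would run the hook script, and
# return its exit status (0 = commit allowed, non-zero = commit blocked).
commit_allowed() { ( "$1" "$2" ); }
```

Running commit_allowed hook_without_guard on staged content containing the marker returns 0 (commit goes through), while hook_with_guard returns 1 and blocks it; clean content passes both.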
Summary
- Replace bypassPermissions with explicit tool allowlists in .claude/settings.json — Claude can now only run approved commands instead of having unrestricted access
- Expand CLAUDE.md from a minimal 12-line file to full guardrail coverage — adds push rules, deploy rules, merge rules, commit rules, verification workflow, post-push workflow, and PR review handling
- Add gitleaks secret scanning and npm dependency audit to the .husky/pre-commit hook so secrets and vulnerable dependencies are caught before code leaves the developer's machine
- Add a gitleaks secret-scan job to .github/workflows/ci.yml as a CI safety net

Why
We audited current best practices for agentic coding (March 2026) and found significant gaps in web-client specifically:
- bypassPermissions enabled, meaning Claude could run any command without restriction
- CLAUDE.md contained almost no guardrails (just 12 lines about streaming animation)

These changes bring web-client to parity with the guardrails already in place for worker and admin-portal.
Test plan
- .claude/settings.json
- CLAUDE.md rules for completeness

🤖 Generated with Claude Code