chore(ci): bump docker/metadata-action from 5 to 6#4
Open
dependabot[bot] wants to merge 388 commits into
Open
Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix 2 failing E2E tests:
- T38: regex now accommodates import("@mnm/shared").RequiredFileDef[] syntax
- T44c: match enforcer.enforceTransition() call instead of import to verify RBAC-before-enforcement ordering
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Human-In-The-Loop validation system that intercepts stage completion for stages configured with hitlRequired, routing them through a validating state where authorized users can approve or reject before the workflow advances. Backend: - New HitlDecision, HitlValidationRequest, PendingValidation shared types - hitl_decision and hitl_history jsonb columns on stage_instances - hitlRequired and hitlRoles fields on WorkflowStageTemplateDef - hitl-validation.ts service with shouldRequestValidation, approveStage, rejectStage, listPendingValidations, getValidationHistory - Orchestrator integration: intercept "complete" -> "request_validation" when hitlRequired=true, auto-complete after approve (no infinite loop via Strategy A), persist rejection decisions with feedback - HITL WebSocket events: hitl.validation_requested, hitl.approved, hitl.rejected - Migration 0038 for new columns Frontend: - ValidationBanner with approve/reject dialogs and readonly mode - PendingValidationsPanel with badge count - ValidationHistory chronological decision display - All data-testid attributes per spec Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove stale machineState === "validating" checks in approveStage() and rejectStage(). The orchestrator transitions the state machine BEFORE calling these methods, so the stage is already in "in_progress" by the time HITL metadata is persisted. The checks would have caused a runtime conflict error on every approve/reject operation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
14 REST routes exposing orchestrator, HITL, and enforcement services: - Stage lifecycle: transition, get, context, artifacts, history - Workflow state: get, list (filterable), stages (filterable) - HITL: pending validations, approve, reject, validation-history - Enforcement: dry-run check, persisted results Includes 6 Zod validators in packages/shared and barrel exports. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add missing emitAudit for access.invite_accepted in access.ts invite accept flow - Add missing emitAudit for agent.woken in agents.ts wakeup route - Fix 4 severity E2E tests using lastIndexOf to target emitAudit block instead of logActivity Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…st-id Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add scope sync, bulk operations, pagination, and member counts: - syncUserProjectScope(): syncs scope.projectIds in principal_permission_grants - getUserProjectIds(): returns user's project IDs - bulkAddMembers(): bulk add with individual status tracking - bulkRemoveMembers(): bulk remove with individual status tracking - countMembersByProject(): GROUP BY count across projects - listMembersPaginated(): cursor-based pagination - Enrich addMember/removeMember with automatic scope sync - 4 new API routes with permission enforcement and audit - 3 new Zod validators with 100-user bulk limit - Backward-compatible GET members pagination support Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
47 file-content based E2E tests covering: - Scope synchronization (T01-T06) - New service functions (T07-T17) - New routes (T18-T25) - Pagination enrichment (T26-T28) - New validators (T29-T33) - Activity log events (T34-T36) - Audit events (T37-T39) - Response shapes (T40-T43) - Integration patterns (T44-T47) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix PROJ-S01 regression: T42 test was matching the first router.post() which is now the PROJ-S02 bulk add route instead of the single-add route. Updated test to search for validate(addProjectMemberSchema) directly instead of using positional indexOf on router.post(). 47/47 PROJ-S02 E2E pass, 67/67 PROJ-S01 E2E pass (0 regressions). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migrate drift service from in-memory Maps to PostgreSQL persistence: - Create drift_reports and drift_items Drizzle schemas with indexes and FK cascade - Generate Drizzle migration (0035) for both new tables - Create drift-persistence.ts service with CRUD: createReport (atomic transaction), getReportById, listReports (paginated), countReports, getItemById, resolveItem, listItems (filtered), getScanStatus (DB-derived), deleteReportsForProject (soft delete) - Refactor drift.ts: replace reportCache/scanStatusMap Maps with persistence service calls, add db/companyId params to checkDrift, getDriftResults, resolveDrift, getDriftScanStatus, runDriftScan - Update drift routes: pass companyId to all queries, add pagination (limit/offset), add GET /items endpoint with severity/decision/driftType filters, emit audit event (drift.item_resolved) on resolution with decidedBy - Enrich shared types: DriftReport/DriftItem with companyId, reportId, decidedBy, timestamps; add DriftReportFilters, DriftItemFilters, DriftReportStatus types - Update barrel exports (schema/index.ts, services/index.ts, shared types) - Update workspace-context.ts call site for new checkDrift signature - Update frontend API and hooks for paginated response format Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
48 file-content-based E2E tests covering all acceptance criteria: - Schema drift_reports (T01-T05): columns, FKs, indexes - Schema drift_items (T06-T10): columns, cascade FK, indexes - Barrel exports (T11-T13): schema + service exports - Service drift-persistence (T14-T22): 9 CRUD functions - Refactoring drift.ts (T23-T28): Map removal, DB service usage - Routes drift.ts (T29-T34): companyId, pagination, filters - Types partages (T35-T40): enriched types + new filter types - Audit + Transaction (T41-T45): atomic tx, emitAudit, soft delete - Migration (T46-T48): SQL table creation verified Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Active drift monitor that observes orchestrator stage transitions via LiveEvents to detect execution deviations in real-time. Detects 5 drift types (time_exceeded, stagnation, retry_excessive, stage_skipped, sequence_violation), persists alerts via drift-persistence, emits WebSocket notifications, and integrates with the audit system. Includes: - DriftMonitorService with start/stop/status per company - Event-driven detection for stage_skipped, sequence_violation, retry_excessive - Periodic check (60s) for time_exceeded and stagnation - In-memory deduplication (stageId + alertType) - 4 new LiveEventTypes (drift.alert_created/resolved/monitoring_started/stopped) - 4 shared types (DriftAlertType, DriftAlert, DriftMonitorConfig, DriftMonitorStatus) - 5 API routes for alerts and monitoring management - Audit event emission for alert creation and resolution Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
50 file-content-based tests covering: - Service structure and 9 functions (T01-T10) - Config thresholds: 15min, 30min, 2 retries, 60s (T11-T15) - Shared types: DriftAlertType, DriftAlert, DriftMonitorConfig, DriftMonitorStatus (T16-T20) - LiveEventTypes: 4 drift.* events (T21-T24) - Integration: LiveEvents, persistence, setInterval, dedup (T25-T30) - 5 deviation types detected (T31-T35) - 5 API routes for alerts and monitoring (T36-T40) - Barrel exports and audit emission (T41-T45) - Edge cases: event filtering, logging, guards, cleanup (T46-T50) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fixed stream-json result format: usage/cost at top level, not nested - Switched completeCapture to raw SQL (Drizzle ORM column name issues) - Verified: 2196+ observations from real agent runs in DB - Traces transition from running → completed with duration calculated Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Groups bronze observations into semantic phases (COMPREHENSION, IMPLEMENTATION, VERIFICATION, COMMUNICATION, INITIALIZATION, RESULT) based on observation name patterns and 30s time-gap rule. Generates deterministic summaries per phase. Stores in traces.phases JSONB. Wired into heartbeat.ts (fire-and-forget after bronze completeCapture) and startup backfill (129 existing traces enriched on first deploy). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add `gold` JSONB column to traces table for LLM analysis results - Add TraceGold/TraceGoldPhase interfaces (verdict, phases, highlights, AC status) - Create gold_prompts table with RLS, scope index, company FK - Seed default French global prompt for all existing companies - Add CRUD API: POST/GET/PUT/DELETE /companies/:companyId/gold-prompts - Add Zod validators: createGoldPromptSchema, updateGoldPromptSchema, goldPromptFiltersSchema - Export GoldPrompt type + GOLD_PROMPT_SCOPES from @mnm/shared - Migration 0047 is idempotent (IF NOT EXISTS guards) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…lback Gold trace enrichment produces structured analysis (TraceGold) for each completed trace. Layered prompt composition (global → workflow → agent → issue context) feeds silver phases + bronze observations to LLM (Haiku). When MNM_LLM_SUMMARY_ENDPOINT is not configured, a deterministic fallback generates neutral gold with phase scores of 50 and verdict based on trace status. Backfill on startup enriched all 134 existing traces. Pipeline: Bronze → Silver → Gold (chained fire-and-forget in heartbeat). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add TracePhase, TraceGold, TraceGoldPhase types to shared + UI API - Create GoldVerdictBanner: verdict (success/partial/failure), model badge, highlights, AC status - Create GoldPhaseCard: collapsible card with phase type badge, annotation, relevance bar, verdict - Expand phase -> silver summary + observation list; expand obs -> bronze raw JSON - TraceDetail defaults to gold view when available, falls back to silver-only, then raw - All interactive elements have data-testid attributes (trace-gold-*, trace-silver-*, trace-bronze-*) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add GET /api/companies/:companyId/traces/by-run/:heartbeatRunId endpoint to fetch trace data linked to a heartbeat run. In the RunDetail component, query this endpoint and display GoldVerdictBanner + GoldPhaseCards above the transcript when gold analysis data exists for the run. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When MNM_LLM_SUMMARY_ENDPOINT is not configured, gold enrichment falls back to `claude -p --model haiku` using existing Claude Code auth. PIPE-06 also committed: gold traces in RunDetail panel. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pipeline PIPE-01 to PIPE-06 done. Remaining: Langfuse-style UI refactor, real agent run with tool calls, Haiku gold enrichment, prompts UI, workflow-level gold, QC final. Full context for next session in CLAUDE.md + memory files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New TraceTimeline component replacing accordion-based phase cards: - Horizontal bars proportional to duration per phase - Color-coded by phase type (blue=comprehension, green=impl, amber=verify...) - Gold annotations inline in timeline bars - Relevance scores + verdict badges per phase - Drill-down: click phase → silver observations → click obs → bronze JSON - Key observations highlighted with sparkle icon - Time ruler with 6 tick marks - Legend with all phase types TraceTimelineDemo page at /traces/demo with rich mock data: - "Fix authentication bug in login flow" scenario - 10 observations across 6 phases (init→comprehend→communicate→implement→verify→result) - Gold analysis with scores, annotations, verdicts - 3 acceptance criteria evaluated (all Met) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deep analysis of Langfuse codebase (cloned to IdeaProjects/langfuse): - Timeline: CSS divs (not SVG), TanStack Virtual, proportional bars - Tree: iterative building with topological sort, cost aggregation - Graph: vis-network (canvas + physics) for agent workflows - Detail panel: CodeMirror JSON, Formatted/Raw toggle - Architecture: multi-provider (TraceData, Selection, ViewPrefs) - Key math: startOffset = (timeFromStart / totalScaleSpan) * scaleWidth Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split layout (tree/gantt/graph + detail panel), Bronze content block fix, Gold Haiku E2E, live streaming, agent graph view. Based on Langfuse codebase analysis + user vision. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Claude Code stream-json puts tool calls INSIDE assistant/user message.content[] arrays, not as top-level events. Added: - ContentBlock type + contentBlockToEvent() converter - Extracts tool_use, tool_result, thinking, text from content blocks - tool_result handles both string and array content formats - Top-level events (system:init, result) still processed directly This is critical for capturing real tool calls (Read, Edit, Bash) instead of just raw:assistant/raw:user conversation events. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- OBS-02: TraceDataProvider with iterative tree building from silver phases, observation parent/child nesting, gold annotation attachment, and bottom-up metric aggregation. Exposes roots, nodeMap, flatList. - OBS-03: TraceSelectionProvider (selected node, collapse/expand) and TraceViewPrefsProvider (tree/timeline/graph view, duration/cost toggles). - OBS-04: TraceLayout resizable split panel using react-resizable-panels v4 (Group/Panel/Separator API). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…grouping - TraceTreeView: Langfuse-style indented tree with phase group headers, observation nodes, gold annotations (relevance bar + verdict badge), expand/collapse, keyboard nav, and @tanstack/react-virtual for 200+ nodes - TraceDetailPanel: right-panel placeholder showing selected node gold/IO info - TraceDetail page wired with split layout (TraceDataProvider → SelectionProvider → ViewPrefsProvider → TraceLayout with tree + detail panels) - Mock trace detail for demo mode toggle - All 13 packages pass typecheck Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
OBS-06: TraceTimeline now uses providers (useTraceData, useTraceSelection, useTraceViewPrefs) instead of direct props. Clicking a bar selects the node and updates the detail panel. Tree/Timeline toggle in left panel. OBS-07: Detail panel IO tab with Formatted/JSON/Raw toggle. Tool-specific renderers: Read (file path + lines), Edit (diff-style old/new), Bash (command + output + exit code), Grep (pattern + matches), Generation (rendered text). Collapsible JSON tree viewer. Copy button. OBS-08: Gold tab for phase nodes with verdict banner, annotation text, relevance score bar, clickable key observations, and AC status cards. Scores tab with duration/cost/token grid. Metadata tab with timestamps, model, IDs. Default tab depends on node type (phase->Gold, obs->IO). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ming OBS-09: Verified gold Haiku E2E in Docker — claude CLI available at /usr/local/bin/claude, claude -p executes but JSON parsing fails on short traces (deterministic fallback used). Documented findings. OBS-10: TraceGraphView — CSS flexbox-based agent workflow graph showing phases as sequential flow nodes with arrows. Each node displays phase icon, observation count, gold score/verdict. Wired as third view tab (Tree/Timeline/Graph) in Execution Explorer. OBS-11: Live streaming — TraceDetail subscribes to WebSocket events when viewing a running trace. trace.observation_created/completed events trigger query invalidation for real-time updates. Shows "Live" indicator with event counter in header. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- extractJsonFromText() with 4 strategies: direct parse, markdown block, first/last brace, line-by-line accumulation - Added "IMPORTANT: Respond with ONLY valid JSON" to claude -p prompt - Verified: Haiku now produces real gold (not deterministic-fallback) - Verdicts: success/partial with contextual French reasons Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pipeline PIPE-01 to PIPE-06 done. Remaining: Langfuse-style UI refactor, real agent run with tool calls, Haiku gold enrichment, prompts UI, workflow-level gold, QC final. Full context for next session in CLAUDE.md + memory files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…facts from dev-gab Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…mation Feature/b2b enterprise transformation
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](docker/metadata-action@v5...v6) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Seeyko
added a commit
that referenced
this pull request
Mar 22, 2026
Review finding #3: updateMemberstring typo → updateMemberRole + body sends roleId Review finding #4: getMyPermissions local_implicit returns {roleId, effectivePermissions} Review finding #7: createdByUserId populated on agent create + hire routes All 13 packages compile clean (0 errors). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Seeyko
added a commit
that referenced
this pull request
Apr 28, 2026
Review finding #3: updateMemberstring typo → updateMemberRole + body sends roleId Review finding #4: getMyPermissions local_implicit returns {roleId, effectivePermissions} Review finding #7: createdByUserId populated on agent create + hire routes All 13 packages compile clean (0 errors). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Seeyko
force-pushed
the
dependabot/github_actions/docker/metadata-action-6
branch
2 times, most recently
from
April 29, 2026 15:46
c3d78af to
f23919d
Compare
Seeyko
force-pushed
the
dependabot/github_actions/docker/metadata-action-6
branch
from
April 29, 2026 16:25
f23919d to
7e68937
Compare
Seeyko
added a commit
that referenced
this pull request
May 3, 2026
…ansactional fanout cap + companyId in artifact recursion Three SEC P4 review findings on T5 (composite meta-workflows): CRITICAL #1 — detectCycle was exported but never imported in governed-workflows.ts, so launchWorkflow would happily create sub-runs for a workflow.json with cycles (A->A or A->B->A). Now imported and called BEFORE db.transaction with a resolver that loads sub-workflows via getWorkflowParsed at the same companyId. Throws WORKFLOW_COMPOSITE_CYCLE on detection. HIGH #4 — TOCTOU race in enforceFanoutCap: COUNT ran outside the tx and INSERTs ran inside, so concurrent launchCompositeStep calls could both read N < cap and both insert K rows for a final size > cap. Fix moves the COUNT inside the tx and adds pg_advisory_xact_lock keyed on 'mnm:composite-fanout:<rootRunId>' to serialise expansions per root run (mirrors the launchWorkflow pattern at hashtext('mnm:launch:<defId>')). HIGH #5 — fetchSucceededArtifactsRecursive's BFS query had no companyId filter; in BYPASSRLS mode a stale compositeRunId could walk into another tenant's run. Added a required companyId param + scoped the inner WHERE, plus a defense-in-depth child-run tenant probe before enqueueing each descendant. No live callers (function not yet wired into the orchestrator), so signature change is safe. Tests: - Updated governed-workflows-composite.test.ts mocks to provide tx.execute for the moved fanout call, and added a new "different tenant" case for the BFS guard. - New governed-workflows-p4-fixes.test.ts covers cycle detection on the resolver shape used by launchWorkflow + the inside-tx fanout flow. Typecheck 19/19. New tests: 5 pass on isolated run.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps docker/metadata-action from 5 to 6.
Release notes
Sourced from docker/metadata-action's releases.
... (truncated)
Commits
030e881Merge pull request #607 from crazy-max/allow-comments4b529acchore: update generated contentb0082b3preserve comments in list input values with commentNoInfix7b19fecMerge pull request #604 from docker/dependabot/npm_and_yarn/docker/actions-to...281c9b0chore: update generated content5f43b3btest: stabilize github mock setup since ESM9d53276github class moved since actions-toolkit v0.77.0eaa3d39chore(deps): Bump@docker/actions-toolkitfrom 0.68.0 to 0.77.06b695f7Merge pull request #605 from crazy-max/node24a1afadcnode 24 as default runtimeDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)