Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Automatically synced template files after updating .rhiza/template.yml Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
📝 Walkthrough
This pull request consolidates GitHub Actions workflows, migrates documentation from a pdoc+minibook system to MkDocs, removes numerous deprecated documentation files, refactors the Makefile build system, updates tool versions, and reorganizes CI/CD logic into a centralized workflow structure with a new weekly schedule.
Sequence Diagram(s)
sequenceDiagram
participant trigger as CI Trigger
participant rhiza_ci as rhiza_ci.yml
participant rhiza_weekly as rhiza_weekly.yml
trigger ->> rhiza_ci: push/pull_request (all branches)
rect rgba(100, 150, 200, 0.5)
Note over rhiza_ci: Matrix Jobs (per OS)
rhiza_ci ->> rhiza_ci: test (ubuntu, macos, windows)
end
rect rgba(150, 100, 200, 0.5)
Note over rhiza_ci: Serial Quality Checks
rhiza_ci ->> rhiza_ci: typecheck
rhiza_ci ->> rhiza_ci: deptry
rhiza_ci ->> rhiza_ci: pre-commit
rhiza_ci ->> rhiza_ci: validation
rhiza_ci ->> rhiza_ci: security
rhiza_ci ->> rhiza_ci: license
end
trigger ->> rhiza_weekly: schedule (Monday 08:00 UTC)
trigger ->> rhiza_weekly: manual dispatch
rect rgba(200, 150, 100, 0.5)
Note over rhiza_weekly: Scheduled Jobs
rhiza_weekly ->> rhiza_weekly: dep-compat-test
rhiza_weekly ->> rhiza_weekly: semgrep
rhiza_weekly ->> rhiza_weekly: pip-audit
rhiza_weekly ->> rhiza_weekly: link-check
end
sequenceDiagram
participant user as User
participant make as make book
participant mkdocs as MkDocs
participant reports as reports.md
participant notebooks as notebooks.md
participant output as _book/
user ->> make: make book
alt mkdocs.yml exists
make ->> reports: Generate if HTML artifacts exist
make ->> notebooks: Generate if HTML artifacts exist
make ->> mkdocs: mkdocs build
mkdocs ->> output: Create static site
make ->> output: Write .nojekyll
else No mkdocs.yml found
make ->> output: Warn and skip
end
make ->> user: Display output tree
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks: ✅ Passed checks (3 passed)
Pull request overview
Syncs this repository with the upstream Rhiza template v0.9.5, updating CI/workflow structure and adopting the new MkDocs-based documentation/book layout.
Changes:
- Bumped Rhiza template ref/lock to `v0.9.5` and applied synced template updates.
- Consolidated/reshaped GitHub Actions workflows (new weekly workflow, CI expanded, several deprecated workflows removed).
- Introduced new `docs/` structure and updated Make targets to build a MkDocs-based book (plus new quality targets like `license`/`suppression-audit`).
Reviewed changes
Copilot reviewed 58 out of 65 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| ruff.toml | Updates Ruff per-file ignores to match the new notebook location pattern. |
| docs/mkdocs-base.yml | Adds base MkDocs config used by make book as a fallback. |
| docs/index.md | Adds MkDocs homepage content via snippet include. |
| docs/development/TESTS.md | Adds template testing documentation (property/benchmark/stress guidance). |
| docs/development/MARIMO.md | Updates Marimo docs paths to the new notebooks location. |
| docs/assets/rhiza-logo.svg | Adds Rhiza logo asset for docs theme branding. |
| docs/adr/0000-adr-template.md | Adds ADR template under the new docs structure. |
| docs/SECURITY.md | Removes docs-scoped security policy (root policy intended to be canonical). |
| docs/QUICK_REFERENCE.md | Removes legacy quick reference doc from old structure. |
| docs/GLOSSARY.md | Removes legacy glossary doc from old structure. |
| docs/DEMO.md | Removes legacy demo doc from old structure. |
| docs/CUSTOMIZATION.md | Removes legacy customization doc from old structure. |
| docs/BOOK.md | Removes legacy book doc from old structure. |
| docs/ARCHITECTURE.md | Removes legacy architecture doc from old structure. |
| book/marimo/notebooks/rhiza.py | Removes legacy marimo notebook from the old book layout. |
| SECURITY.md | Updates security policy supported versions (but currently contains a placeholder line that needs removal). |
| Makefile | Removes custom semgrep/license targets (quality targets moved into .rhiza/make.d/*). |
| .rhiza/tests/sync/conftest.py | Updates sync test fixture list to reflect removed docs.mk. |
| .rhiza/tests/security/test_security_patterns.py | Tightens policy check to require root SECURITY.md. |
| .rhiza/tests/integration/test_marimushka.py | Removes marimushka integration tests (target removed). |
| .rhiza/tests/integration/test_docs_targets.py | Adds tests validating MKDOCS_EXTRA_PACKAGES integration in book build. |
| .rhiza/tests/integration/test_book_targets.py | Updates expected targets to align with MkDocs-based book targets. |
| .rhiza/tests/api/test_makefile_targets.py | Adds tests for new suppression-audit and license make targets. |
| .rhiza/tests/api/conftest.py | Removes docs.mk from expected included makefiles. |
| .rhiza/tests/README.md | Updates integration test documentation after marimushka test removal. |
| .rhiza/templates/minibook/custom.html.jinja2 | Removes minibook template (book generation moved away from minibook). |
| .rhiza/template.yml | Bumps template ref from v0.8.16 to v0.9.5. |
| .rhiza/template.lock | Updates locked template SHA/ref and synced file manifest. |
| .rhiza/rhiza.mk | Updates file header to reflect removal of docs/marimushka targets. |
| .rhiza/requirements/docs.txt | Switches docs requirements to MkDocs stack (adds mkdocs/material/mkdocstrings, removes pdoc). |
| .rhiza/requirements/README.md | Updates requirements documentation (currently inconsistent with docs.txt contents). |
| .rhiza/make.d/quality.mk | Adds license and suppression-audit targets and wires license into all. |
| .rhiza/make.d/marimo.mk | Removes marimushka target; keeps Marimo validate/serve targets. |
| .rhiza/make.d/docs.mk | Removes legacy pdoc + mkdocs targets file (now handled by book.mk). |
| .rhiza/make.d/book.mk | Reworks book to build via MkDocs and export notebooks/reports into docs structure. |
| .rhiza/make.d/agentic.mk | Changes analyse-repo to use Claude-based agent configuration. |
| .rhiza/make.d/README.md | Removes docs.mk reference and drops references to removed docs paths. |
| .rhiza/docs/WORKFLOWS.md | Updates internal docs links (currently points to a non-existent docs path). |
| .rhiza/docs/CONFIG.md | Updates workflow list to match consolidated workflows. |
| .rhiza/CONTRIBUTING.md | Adds template-managed contributing guide under .rhiza/. |
| .rhiza/CODE_OF_CONDUCT.md | Adds template-managed code of conduct under .rhiza/. |
| .rhiza/.env | Updates MARIMO_FOLDER to docs/notebooks and removes minibook config vars. |
| .pre-commit-config.yaml | Bumps hook versions and adds YAML exclude for recipe/meta.yaml. |
| .gitignore | Ignores generated docs artifacts (reports/notebook exports) and LaTeX build outputs. |
| .github/workflows/rhiza_weekly.yml | Adds weekly workflow for dep-compat, semgrep, pip-audit, and link checking. |
| .github/workflows/rhiza_validate.yml | Removes standalone validate workflow (folded into CI). |
| .github/workflows/rhiza_typecheck.yml | Removes standalone typecheck workflow (folded into CI). |
| .github/workflows/rhiza_sync.yml | Refactors sync workflow (direct commit on renovate branches + PR creation for scheduled/manual). |
| .github/workflows/rhiza_semgrep.yml | Removes standalone semgrep workflow (weekly job intended to cover it). |
| .github/workflows/rhiza_security.yml | Removes standalone security workflow (folded into CI/weekly). |
| .github/workflows/rhiza_release.yml | Updates uv version and release steps (adds git-cliff release notes generation). |
| .github/workflows/rhiza_pre-commit.yml | Removes standalone pre-commit workflow (folded into CI). |
| .github/workflows/rhiza_pip_audit.yml | Removes standalone weekly pip-audit workflow (folded into weekly). |
| .github/workflows/rhiza_marimo.yml | Updates uv version and artifact action versions. |
| .github/workflows/rhiza_license.yml | Removes standalone license workflow (folded into CI). |
| .github/workflows/rhiza_deptry.yml | Removes standalone deptry workflow (folded into CI). |
| .github/workflows/rhiza_dep_compat_test.yml | Removes standalone dep compat workflow (folded into weekly). |
| .github/workflows/rhiza_codeql.yml | Updates documentation link reference in comments. |
| .github/workflows/rhiza_ci.yml | Consolidates CI checks into one workflow and expands test matrix + adds validation/security/license jobs. |
| .github/workflows/rhiza_book.yml | Updates uv version and artifact action versions for the docs build workflow. |
| .github/workflows/renovate_rhiza_sync.yml | Removes old renovate sync workflow (logic moved into rhiza_sync.yml). |
| .github/workflows/copilot-setup-steps.yml | Updates uv version used in Copilot agent setup workflow. |
| .github/semgrep.yml | Adds Semgrep rules file under .github/. |
| .github/copilot-instructions.md | Updates Copilot instructions (removes references to removed docs/dirs). |
| .github/agents/analyser.md | Updates analyser agent output format to a per-category scoring table. |
| @@ -1,14 +1,16 @@ | |||
| # Security Policy | |||
|
|
|||
| Overwrite this file using Claude and adjust for the Rhiza dependant. | |||
Line 3 looks like a leftover placeholder/instruction rather than a published security policy. It should be removed (and the typo “dependant” → “dependent” fixed) so the repository’s SECURITY.md is actionable for reporters.
| nav: | ||
| - Home: index.md | ||
| - Notebooks: notebooks.md | ||
| - Reports: reports.md | ||
| - Paper: paper/rhiza.pdf |
The default nav references files that don’t exist in this repo (notebooks.md, reports.md, and paper/rhiza.pdf). MkDocs treats missing nav targets as build errors, so make book/mkdocs build will fail unless these are created/generated first. Either ship placeholder pages/assets, update the nav to match the actual layout (e.g., papers/...), or ensure the mkdocs build target always generates the referenced pages before building.
| Rhiza uses [uv](https://docs.astral.sh/uv/) for fast, reliable Python dependency management. | ||
|
|
||
| > 📚 **For detailed information about dependency version constraints and rationale**, see [docs/DEPENDENCIES.md](../../docs/DEPENDENCIES.md) | ||
| > 📚 **For detailed information about dependency version constraints and rationale**, see [docs/DEPENDENCIES.md](../../docs/reference/DEPENDENCIES.md) |
This link now points to ../../docs/reference/DEPENDENCIES.md, but there is no docs/reference/ directory in the repository, so the documentation link is broken. Update the path to the actual location (or add the referenced doc) to avoid dead links in the template docs.
| > 📚 **For detailed information about dependency version constraints and rationale**, see [docs/DEPENDENCIES.md](../../docs/reference/DEPENDENCIES.md) | |
| > 📚 **For detailed information about dependency version constraints and rationale**, see [docs/DEPENDENCIES.md](../../docs/DEPENDENCIES.md) |
| - **docs.txt** - Documentation generation dependencies (pdoc, interrogate, mkdocs, mkdocs-material, mkdocstrings) | ||
| - **tools.txt** - Development tools (pre-commit, python-dotenv, typer, ty) |
This README claims docs.txt includes pdoc, but .rhiza/requirements/docs.txt no longer lists pdoc. Please update this line to reflect the actual contents (or re-add pdoc if it’s still required) so contributors don’t install the wrong tooling.
| @@ -68,7 +69,7 @@ jobs: | |||
| - name: Install uv | |||
| uses: astral-sh/setup-uv@v8.0.0 | |||
| with: | |||
| version: "0.11.2" | |||
| version: "0.11.6" | |||
| python-version: ${{ matrix.python-version }} | |||
|
|
|||
| - name: Configure git auth for private packages | |||
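Review bot: the bump on the `version:` line leaves `uses: astral-sh/setup-uv@v8.0.0` pinned by a mutable tag while the uv release itself is now pinned exactly to "0.11.6". Pin the action to its full commit SHA as well (keeping `# v8.0.0` as a trailing comment) so that a re-tagged release cannot change what the CI job executes.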
| @@ -83,14 +84,82 @@ jobs: | |||
| make test | |||
|
|
|||
The test matrix now includes windows-latest and macos-latest, but the job runs make test without any OS-specific setup. If make (and required Unix tooling) isn’t available on those runners, CI will fail. Either add steps to install/enable make on Windows (and use an appropriate shell), or restrict the OS matrix to platforms the Makefile supports.
| @@ -0,0 +1,2 @@ | |||
| --8<-- "README.md" | |||
MkDocs snippets here include README.md, but this repository’s README is at the repo root (no docs/README.md). With the current mkdocs-base config (docs_dir: . and snippets base_path: ["."]), this will fail to resolve. Update the include path (e.g., reference ../README.md and/or widen base_path) or add/copy a README into docs/.
| _book-notebooks: | ||
| @if [ -d "$(MARIMO_FOLDER)" ]; then \ | ||
| for nb in $(MARIMO_FOLDER)/*.py; do \ | ||
| name=$$(basename "$$nb" .py); \ | ||
| printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \ | ||
| abs_output="$$(pwd)/docs/notebooks/$$name.html"; \ | ||
| mkdir -p docs/notebooks; \ | ||
| (cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \ | ||
| done; \ | ||
| printf "# Marimo Notebooks\n\n" > docs/notebooks.md; \ | ||
| for html in docs/notebooks/*.html; do \ | ||
| name=$$(basename "$$html" .html); \ | ||
| echo "- [$$name]($$name.html)" >> docs/notebooks.md; \ | ||
| done; \ | ||
| fi |
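Review bot: `printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"` places the notebook path inside the printf format string, so any `%` in a path is read as a conversion directive and the message is mangled; pass the path as an argument instead, `printf "${BLUE}[INFO] Exporting %s${RESET}\n" "$$nb"`. The `echo "- [$$name]($$name.html)"` line has the same shape and is better written as `printf '%s\n' "- [$$name]($$name.html)"`; it is also where a literal `*` entry lands in `docs/notebooks.md` when `docs/notebooks/*.html` matches nothing, so a glob guard needs to cover both loops, not only the `.py` one.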
_book-notebooks iterates over $(MARIMO_FOLDER)/*.py without checking whether any files match. If there are no notebooks, many shells will keep the literal glob and the export command will run on a non-existent path, causing make book to fail. Add an explicit check (e.g., ls $(MARIMO_FOLDER)/*.py >/dev/null 2>&1) and/or ensure docs/notebooks.md is still created with a placeholder when no notebooks exist (since mkdocs nav expects it).
| book:: _book-reports _book-notebooks ## compile the companion book via MkDocs | ||
| @if [ -n "$(_MKDOCS_CFG)" ]; then \ | ||
| rm -rf "$(BOOK_OUTPUT)"; \ | ||
| ${UVX_BIN} --with "mkdocs-material<10.0" --with "pymdown-extensions>=10.0" --with "mkdocs<2.0" $(MKDOCS_EXTRA_PACKAGES) mkdocs build \ | ||
| -f "$(_MKDOCS_CFG)" \ | ||
| -d "$$(pwd)/$(BOOK_OUTPUT)"; \ | ||
| else \ | ||
| CF_REPO=$$(git remote get-url origin 2>/dev/null | sed 's|.*github\.com[:/]||' | sed 's|\.git$$||'); \ | ||
| fi; \ | ||
| if [ -n "$$CF_REPO" ]; then \ | ||
| CF_URL="https://www.codefactor.io/repository/github/$$CF_REPO"; \ | ||
| HTTP_CODE=$$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$$CF_URL" 2>/dev/null || echo "000"); \ | ||
| if [ "$$HTTP_CODE" = "200" ]; then \ | ||
| if [ $$first -eq 0 ]; then printf ",\n" >> _book/links.json; fi; \ | ||
| printf " \"CodeFactor\": \"$$CF_URL\"" >> _book/links.json; \ | ||
| printf "${BLUE}[INFO] Adding CodeFactor...${RESET}\n"; \ | ||
| else \ | ||
| printf "${YELLOW}[WARN] CodeFactor page not accessible (HTTP $$HTTP_CODE), skipping${RESET}\n"; \ | ||
| fi; \ | ||
| fi; \ | ||
| printf "\n}\n" >> _book/links.json | ||
| printf "${YELLOW}[WARN] No mkdocs config found, skipping MkDocs build${RESET}\n"; \ | ||
| fi | ||
| @mkdir -p "$(BOOK_OUTPUT)" | ||
| @touch "$(BOOK_OUTPUT)/.nojekyll" | ||
| @printf "${GREEN}[SUCCESS] Book built at $(BOOK_OUTPUT)/${RESET}\n" | ||
| @tree $(BOOK_OUTPUT) | ||
|
|
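Review bot: in the CodeFactor block, `$$CF_URL` is derived from `git remote get-url origin` and then written straight into both a printf format string and the JSON body of `_book/links.json`; a remote URL containing `%`, `"` or `\` would mangle the output or produce invalid JSON. Emit it as an argument (`printf " \"CodeFactor\": \"%s\"" "$$CF_URL"`) and check `CF_REPO` against an `owner/repo` shape (for example `grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$'`) before building the URL and contacting codefactor.io. As rendered, these lines sit in the `else` branch of `book` ahead of the "No mkdocs config found" warning, so confirm that the `else` body is the intended one rather than context left over from the removed minibook link collection.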
The book target invokes $(UVX_BIN) and then runs tree $(BOOK_OUTPUT) but it doesn’t depend on install-uv, and tree isn’t guaranteed to exist on all environments (including CI runners/minimal installs). Consider adding install-uv as a prerequisite for book, and guarding the tree call (or replacing it with a POSIX-friendly find/ls) so the build doesn’t fail due to missing tooling.
| - name: Run Semgrep | ||
| env: | ||
| UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }} | ||
| run: make semgrep |
make semgrep is invoked here, but the Semgrep make target was removed from the root Makefile and there is no semgrep target anywhere in the current repo. This job will fail with “No rule to make target 'semgrep'”. Either restore a semgrep target (using .github/semgrep.yml as the config) or update the workflow to run Semgrep directly via uvx semgrep --config .github/semgrep.yml ....
| run: make semgrep | |
| run: uvx semgrep --config .github/semgrep.yml . |
| # - Leave unset for automatic behavior (recommended) | ||
| # | ||
| # For more information, see docs/CUSTOMIZATION.md | ||
| # For more information, see docs/guides/CUSTOMIZATION.md |
This comment points readers to docs/guides/CUSTOMIZATION.md, but docs/guides/ doesn’t exist and docs/CUSTOMIZATION.md was removed, so the reference is broken. Update the path to an existing customization guide (or add the referenced doc) so users can find the configuration guidance.
| # For more information, see docs/guides/CUSTOMIZATION.md | |
| # For more information about repository customization hooks, see .rhiza/make.d/README.md |
Actionable comments posted: 8
🧹 Nitpick comments (7)
.github/workflows/rhiza_weekly.yml (2)
66-67: Job name contains unclear "(numpy)" label.
The job name "Semgrep (numpy)" appears to be a leftover placeholder. If this runs general Semgrep rules via `make semgrep`, consider removing "(numpy)" or clarifying what it means.
Suggested fix:
semgrep: - name: Semgrep (numpy) + name: Semgrep static analysis runs-on: ubuntu-latest
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/rhiza_weekly.yml around lines 66 - 67, The job name "Semgrep (numpy)" in the workflow should be clarified or simplified: open the workflow definition and update the job's name value currently set to "Semgrep (numpy)" to a clearer label such as "Semgrep" or a more specific descriptor (e.g., "Semgrep - security" or "Semgrep - lint") so it accurately reflects what make semgrep runs; modify the name field under the semgrep job declaration to remove or replace "(numpy)" accordingly.
17-21: Remove commented-out trigger configuration.
These commented-out triggers for `push` and `pull_request` events are dead code. If they're not intended for future use, removing them would improve readability.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/rhiza_weekly.yml around lines 17 - 21, Remove the dead commented-out GitHub Actions triggers by deleting the commented "push:" and "pull_request:" blocks (the lines starting with "#push:", "# branches:", "# paths:", "#pull_request:", "# paths:") so the workflow file contains only active configuration and no stale commented trigger definitions.
.gitignore (1)
100-101: Duplicate `.bandit-baseline.json` entry.
This pattern appears twice in the file (lines 100 and 122). Consider removing the duplicate.
Remove duplicate:
# Security scanning baselines (regenerate as needed) .bandit-baseline.json - -... - -.bandit-baseline.json
Also applies to: 122-123
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.gitignore around lines 100 - 101, The .gitignore contains a duplicated pattern ".bandit-baseline.json"; remove the redundant entry so the pattern appears only once (search for the literal ".bandit-baseline.json" and delete the duplicate occurrence), ensuring no other intended duplicates remain.
.rhiza/requirements/docs.txt (1)
3-5: Version constraints differ from book.mk.
The requirements file specifies `mkdocs>=1.6.0` and `mkdocs-material>=9.5.0` without upper bounds, but `.rhiza/make.d/book.mk` (context snippet) uses stricter constraints: `--with "mkdocs-material<10.0"` and `--with "mkdocs<2.0"`.
If this file is used for installing documentation dependencies in other contexts, versions may diverge from what `make book` uses. Consider aligning the constraints or documenting the intended usage.
Suggested alignment with book.mk constraints:
# Documentation dependencies for rhiza interrogate>=1.7.0 -mkdocs>=1.6.0 -mkdocs-material>=9.5.0 +mkdocs>=1.6.0,<2.0 +mkdocs-material>=9.5.0,<10.0 mkdocstrings[python]>=0.25.0
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.rhiza/requirements/docs.txt around lines 3 - 5, The requirements file lists loose constraints (mkdocs>=1.6.0, mkdocs-material>=9.5.0, mkdocstrings[python]>=0.25.0) that conflict with the stricter bounds used by the make target in .rhiza/make.d/book.mk (--with "mkdocs<2.0" and --with "mkdocs-material<10.0"); update .rhiza/requirements/docs.txt to match those upper bounds (e.g., add <2.0 to mkdocs and <10.0 to mkdocs-material) or add a clear comment explaining this file is for a different use-case than make book, so installations remain consistent with book.mk’s --with constraints.
docs/development/MARIMO.md (1)
42-44: Prefer `uv run` for the single-notebook edit examples.
These snippets assume `marimo` is already on `PATH`. Using `uv run` here keeps the docs aligned with the repo's normal bootstrap flow and avoids a dead-end for contributors who only ran `make install`.
Based on learnings, use `make` targets when available and `uv run <command>` for Python tooling without a corresponding `make` target.
Also applies to: 101-104
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/development/MARIMO.md` around lines 42 - 44, Replace direct use of the marimo CLI in single-notebook edit examples with the uv runner so docs follow the repo bootstrap flow: change occurrences of the command string "marimo edit docs/notebooks/rhiza.py" to be invoked via the project virtualenv runner ("uv run marimo edit docs/notebooks/rhiza.py") and apply the same replacement for the other instances referenced (around lines 101-104) to ensure contributors who used make install still follow the documented workflow.
.github/workflows/rhiza_release.yml (1)
231-233: Pin `uv` in the new draft-release job too.
`build` and `finalise-release` both pin `0.11.6`, but this new `setup-uv` step omits `with.version`. That reintroduces toolchain drift into the release-notes path.
🔧 Minimal fix:
- name: Install uv uses: astral-sh/setup-uv@v8.0.0 + with: + version: "0.11.6"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/rhiza_release.yml around lines 231 - 233, The "Install uv" step using the astral-sh/setup-uv@v8.0.0 action in the new draft-release job omits a pinned version; add a with.version: '0.11.6' (matching build and finalise-release) to that step so the setup-uv action is pinned and toolchain drift is prevented—locate the "Install uv" step (uses: astral-sh/setup-uv@v8.0.0) and add the with.version property set to '0.11.6'.
.rhiza/make.d/book.mk (1)
62-88: Extract the shared MkDocs build path before these targets drift.
`book` and `mkdocs-build` both inline the same `uvx ... mkdocs build` sequence. A private helper target or variable would keep the package list, flags, and output handling in sync the next time the template updates them.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.rhiza/make.d/book.mk around lines 62 - 88, Both book and mkdocs-build duplicate the same uvx ... mkdocs build invocation; extract that into a single private helper (e.g. a variable MKDOCS_BUILD_CMD or a phony target _mkdocs-build-run) and call it from both targets so package list, flags and -d handling stay in sync. Ensure the helper uses the same inputs (UVX_BIN, _MKDOCS_CFG, MKDOCS_EXTRA_PACKAGES, BOOK_OUTPUT) and preserves the current differing behaviors: book should warn and continue when _MKDOCS_CFG is empty while mkdocs-build should error/exit 1. Replace the inline uvx ... mkdocs build lines in the book and mkdocs-build targets with a call to the new helper/variable.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/rhiza_book.yml:
- Around line 80-82: The workflow now uses actions/upload-pages-artifact@v5.0.0
which requires Node.js 24+; update the workflow so the runner provides Node 24
before calling actions/upload-pages-artifact (or pin the action back to v4).
Specifically, either insert actions/setup-node (e.g. actions/setup-node@v4) with
node-version: "24" prior to the step that uses
actions/upload-pages-artifact@v5.0.0, or change the step to
actions/upload-pages-artifact@v4.x while keeping path: _book/ unchanged.
In @.github/workflows/rhiza_sync.yml:
- Around line 91-98: The heredoc used in the git commit command (git commit -m
"$(cat <<'EOF' ... EOF )") is indented so the commit message will contain
leading whitespace; fix by removing indentation from the heredoc body or use a
stripping heredoc marker—move the cat <<'EOF' opener to column 0 and left-align
the message, or change to cat <<-'EOF' and ensure indents are tabs (not spaces)
so leading tabs are stripped, keeping the message text exactly as intended.
In @.github/workflows/rhiza_weekly.yml:
- Around line 88-101: The pip-audit job may fail resolving private packages
because it doesn't configure git auth or UV_EXTRA_INDEX_URL like other jobs;
update the pip-audit job (job name: pip-audit, step that runs: "Run pip-audit"
which executes uvx pip-audit) to export the same UV_EXTRA_INDEX_URL and set up
the same git authentication/credential steps used in dep-compat-test and semgrep
before running uvx pip-audit so private indexes and repos can be accessed.
In @.rhiza/.env:
- Line 1: The MARIMO_FOLDER env var was pointed at the generated docs directory
which breaks targets that expect source notebooks; change MARIMO_FOLDER back to
the source notebook directory (the path where notebooks actually live, e.g.,
book/marimo/notebooks or the original source location) so
.rhiza/make.d/marimo.mk and .rhiza/make.d/book.mk continue to find and process
notebooks; update the value of MARIMO_FOLDER in .rhiza/.env to the
source-notebooks path and verify make marimo, marimo-validate, and the notebook
export workflows run as before.
In @.rhiza/make.d/agentic.mk:
- Around line 19-23: The analyse-repo make target currently calls
"$(CLAUDE_BIN)" with --allowedTools "Write", which blocks the analyser from
reading files; update the invocation used by the analyse-repo rule (the command
that includes --allowedTools) to include "Read" (and optionally "Grep" and/or
"Glob") in the --allowedTools list so the analyser agent can inspect repository
files for concrete references and perform efficient searches; ensure you only
modify the string passed to --allowedTools in that command (the same line that
currently reads --allowedTools "Write").
In @.rhiza/make.d/book.mk:
- Around line 46-60: The _book-notebooks Make target assumes there is at least
one file in $(MARIMO_FOLDER) and in docs/notebooks/*.html; update it to guard
the export and link-generation loops by testing for actual matches before
iterating: first mkdir -p docs/notebooks, then check (e.g. use a shell test like
"set -- $(MARIMO_FOLDER)/*.py; [ -e "$1" ]" or similar) and only run the export
loop (the for nb in ... and the marimo export call) if there are .py files, and
similarly check whether docs/notebooks/*.html expands to real files before
populating docs/notebooks.md (create an empty docs/notebooks.md or a placeholder
if no notebooks exist) so make book never emits literal "*.py" or "*.html"
entries when none are present.
In `@docs/index.md`:
- Line 1: The snippet include in docs/index.md uses --8<-- "README.md" which
resolves under the docs root (due to docs/mkdocs-base.yml settings docs_dir: .
and base_path: ["."]) and thus points to a non-existent docs/README.md; fix by
either changing the include to reference the repo-root README (e.g. update the
snippet path in docs/index.md to the correct relative path to the repository
README) or update the MkDocs snippet config in docs/mkdocs-base.yml by adding
the repository root to pymdownx.snippets.base_path so --8<-- "README.md" can
resolve to the repo root.
In `@SECURITY.md`:
- Around line 3-4: Remove the internal generation note present in SECURITY.md
(the template-authoring instruction on line 3) so the published policy contains
only end-user facing content; open SECURITY.md, delete the sentence "Overwrite
this file using Claude and adjust for the Rhiza dependant." (or any similar
template note), and commit the cleaned file so the policy contains only the
actual security guidance intended for users.
⛔ Files ignored due to path filters (2)
- .rhiza/template.lock is excluded by !**/*.lock
- docs/assets/rhiza-logo.svg is excluded by !**/*.svg
📒 Files selected for processing (63)
- .github/agents/analyser.md
- .github/copilot-instructions.md
- .github/semgrep.yml
- .github/workflows/copilot-setup-steps.yml
- .github/workflows/renovate_rhiza_sync.yml
- .github/workflows/rhiza_book.yml
- .github/workflows/rhiza_ci.yml
- .github/workflows/rhiza_codeql.yml
- .github/workflows/rhiza_dep_compat_test.yml
- .github/workflows/rhiza_deptry.yml
- .github/workflows/rhiza_license.yml
- .github/workflows/rhiza_marimo.yml
- .github/workflows/rhiza_pip_audit.yml
- .github/workflows/rhiza_pre-commit.yml
- .github/workflows/rhiza_release.yml
- .github/workflows/rhiza_security.yml
- .github/workflows/rhiza_semgrep.yml
- .github/workflows/rhiza_sync.yml
- .github/workflows/rhiza_typecheck.yml
- .github/workflows/rhiza_validate.yml
- .github/workflows/rhiza_weekly.yml
- .gitignore
- .pre-commit-config.yaml
- .rhiza/.env
- .rhiza/CODE_OF_CONDUCT.md
- .rhiza/CONTRIBUTING.md
- .rhiza/docs/CONFIG.md
- .rhiza/docs/WORKFLOWS.md
- .rhiza/make.d/README.md
- .rhiza/make.d/agentic.mk
- .rhiza/make.d/book.mk
- .rhiza/make.d/docs.mk
- .rhiza/make.d/marimo.mk
- .rhiza/make.d/quality.mk
- .rhiza/requirements/README.md
- .rhiza/requirements/docs.txt
- .rhiza/rhiza.mk
- .rhiza/template.yml
- .rhiza/templates/minibook/custom.html.jinja2
- .rhiza/tests/README.md
- .rhiza/tests/api/conftest.py
- .rhiza/tests/api/test_makefile_targets.py
- .rhiza/tests/integration/test_book_targets.py
- .rhiza/tests/integration/test_docs_targets.py
- .rhiza/tests/integration/test_marimushka.py
- .rhiza/tests/security/test_security_patterns.py
- .rhiza/tests/sync/conftest.py
- Makefile
- SECURITY.md
- book/marimo/notebooks/rhiza.py
- docs/ARCHITECTURE.md
- docs/BOOK.md
- docs/CUSTOMIZATION.md
- docs/DEMO.md
- docs/GLOSSARY.md
- docs/QUICK_REFERENCE.md
- docs/SECURITY.md
- docs/adr/0000-adr-template.md
- docs/development/MARIMO.md
- docs/development/TESTS.md
- docs/index.md
- docs/mkdocs-base.yml
- ruff.toml
💤 Files with no reviewable changes (27)
- .rhiza/tests/sync/conftest.py
- .rhiza/docs/CONFIG.md
- docs/ARCHITECTURE.md
- .github/workflows/rhiza_validate.yml
- .github/workflows/rhiza_pip_audit.yml
- .github/workflows/rhiza_deptry.yml
- docs/SECURITY.md
- docs/CUSTOMIZATION.md
- .github/workflows/rhiza_security.yml
- .github/workflows/rhiza_semgrep.yml
- .github/workflows/rhiza_typecheck.yml
- Makefile
- docs/DEMO.md
- .rhiza/make.d/README.md
- .github/workflows/rhiza_dep_compat_test.yml
- .github/workflows/renovate_rhiza_sync.yml
- docs/BOOK.md
- .rhiza/templates/minibook/custom.html.jinja2
- .rhiza/tests/integration/test_marimushka.py
- docs/GLOSSARY.md
- .github/workflows/rhiza_license.yml
- .rhiza/make.d/docs.mk
- docs/QUICK_REFERENCE.md
- .rhiza/tests/README.md
- .github/workflows/rhiza_pre-commit.yml
- book/marimo/notebooks/rhiza.py
- .rhiza/tests/api/conftest.py
| uses: actions/upload-pages-artifact@v5.0.0 # Official GitHub Pages artifact upload action | ||
| with: | ||
| path: _book/ # Path to the directory containing all artifacts to deploy |
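Review bot: `actions/upload-pages-artifact@v5.0.0` is pinned to a mutable tag rather than an immutable commit SHA; a tag can be moved after the fact, so for the step that publishes the site pin the full commit SHA and keep the version in the trailing comment, e.g. `uses: actions/upload-pages-artifact@<full-sha> # v5.0.0`. Separately, the Node runtime a JavaScript action executes under is supplied by the runner from the action's own `runs.using` declaration, so what needs checking for the v5 bump is runner support for that runtime, not an extra `setup-node` step (which only affects `run:` steps). The `path: _book/` input itself is fine.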
🧩 Analysis chain
🌐 Web query:
What are the breaking changes in actions/upload-pages-artifact v5?
💡 Result:
The breaking changes in actions/upload-pages-artifact v5 (tagged v5.0.0) primarily stem from updating its internal dependency on actions/upload-artifact from v4 to v7. This update ensures compatibility with Node.js 24 runners following the Node 20 deprecation. Key changes in v5:
- Updates actions/upload-artifact to version 7 (via PR #139).
- Adds a new input: include-hidden-files (default: false), allowing explicit inclusion of hidden files/directories (excludes .git and .github regardless). This builds on v4's change where hidden files were excluded by default.
No explicit breaking changes are listed in the v5 release notes, but inheriting from upload-artifact v7 may introduce upstream breaking changes such as:
- Node.js 24 runtime requirement (actions/upload-artifact v6+).
- Potential ESM support and other artifact handling updates from intermediate versions (v5-v7 of upload-artifact).
Users should ensure their runners support Node 24 and test workflows, especially if relying on hidden files or specific artifact behaviors. For hidden files, use the new input if needed. v4 had a potentially breaking change: hidden files (dotfiles) excluded by default.
Citations:
- 1: Update upload-artifact action to version 7 actions/upload-pages-artifact#139
- 2: https://github.com/actions/upload-pages-artifact/tags
- 3: https://github.com/actions/upload-pages-artifact/releases/tag/v4.0.0
- 4: https://github.com/actions/upload-pages-artifact/releases
- 5: Pin actions/upload-artifact to SHA actions/upload-pages-artifact#127
Major version bump for upload-pages-artifact requires Node.js 24+ runtime.
The upgrade from v4.0.0 to v5.0.0 introduces a breaking change: Node.js 24 runtime requirement (inherited from actions/upload-artifact v7). The current workflow usage (path: _book/) is compatible with v5, but ensure your runners are configured for Node.js 24.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/rhiza_book.yml around lines 80 - 82, The workflow now uses
actions/upload-pages-artifact@v5.0.0 which requires Node.js 24+; update the
workflow so the runner provides Node 24 before calling
actions/upload-pages-artifact (or pin the action back to v4). Specifically,
either insert actions/setup-node (e.g. actions/setup-node@v4) with node-version:
"24" prior to the step that uses actions/upload-pages-artifact@v5.0.0, or change
the step to actions/upload-pages-artifact@v4.x while keeping path: _book/
unchanged.
| git commit -m "$(cat <<'EOF' | ||
| chore: sync rhiza template files | ||
|
|
||
| Automatically synced template files after updating .rhiza/template.yml | ||
|
|
||
| Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | ||
| EOF | ||
| )" |
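Review bot: the quoted heredoc (`<<'EOF'`) keeps the message literal, which is the right choice here, but the blank lines between the subject, the body and the `Co-Authored-By:` line are what let git recognise that last line as a trailer; any de-indentation of this block must preserve them. If `<<-'EOF'` is used to strip the indentation, the indent has to be tabs, because `<<-` strips leading tabs only and leaves spaces in place.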
Heredoc indentation will appear in commit message.
The heredoc content is indented, which means the commit message will have leading whitespace. This may not be intentional.
Suggested fix to remove indentation
git add -A
git commit -m "$(cat <<'EOF'
- chore: sync rhiza template files
+chore: sync rhiza template files
- Automatically synced template files after updating .rhiza/template.yml
+Automatically synced template files after updating .rhiza/template.yml
- Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- EOF
+Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
+EOF
)"
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| git commit -m "$(cat <<'EOF' | |
| chore: sync rhiza template files | |
| Automatically synced template files after updating .rhiza/template.yml | |
| Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | |
| EOF | |
| )" | |
| git commit -m "$(cat <<'EOF' | |
| chore: sync rhiza template files | |
| Automatically synced template files after updating .rhiza/template.yml | |
| Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | |
| EOF | |
| )" |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/rhiza_sync.yml around lines 91 - 98, The heredoc used in
the git commit command (git commit -m "$(cat <<'EOF' ... EOF )") is indented so
the commit message will contain leading whitespace; fix by removing indentation
from the heredoc body or use a stripping heredoc marker—move the cat <<'EOF'
opener to column 0 and left-align the message, or change to cat <<-'EOF' and
ensure indents are tabs (not spaces) so leading tabs are stripped, keeping the
message text exactly as intended.
| pip-audit: | ||
| name: Dependency vulnerability scan | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
|
|
||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v8.0.0 | ||
| with: | ||
| version: "0.11.6" | ||
|
|
||
| - name: Run pip-audit | ||
| run: uvx pip-audit |
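Review bot: `uvx pip-audit` with no arguments audits the Python environment pip-audit itself runs in, and under `uvx` that is an isolated tool environment holding only pip-audit and its own dependencies, so this step either audits nothing from the project or fails outright; it never sees the project's dependency tree. Point it at the lockfile instead, e.g. `uv export --format requirements-txt --no-emit-project -o requirements.txt` followed by `uvx pip-audit -r requirements.txt` (`--no-deps` is appropriate since the export is fully pinned). Also, for a scheduled job that runs with nobody watching, pin `actions/checkout@v6.0.2` and `astral-sh/setup-uv@v8.0.0` to commit SHAs rather than tags.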
pip-audit job may fail on private dependencies.
Other jobs (dep-compat-test, semgrep) configure git auth for private packages and set UV_EXTRA_INDEX_URL, but the pip-audit job does neither. If the project has private dependencies, uvx pip-audit may fail to resolve them.
Suggested fix to add auth/index configuration
pip-audit:
name: Dependency vulnerability scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6.0.2
- name: Install uv
uses: astral-sh/setup-uv@v8.0.0
with:
version: "0.11.6"
+ - name: Configure git auth for private packages
+ uses: ./.github/actions/configure-git-auth
+ with:
+ token: ${{ secrets.GH_PAT }}
+
- name: Run pip-audit
+ env:
+ UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
run: uvx pip-audit
📝 Committable suggestion
| pip-audit: | |
| name: Dependency vulnerability scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v8.0.0 | |
| with: | |
| version: "0.11.6" | |
| - name: Run pip-audit | |
| run: uvx pip-audit | |
| pip-audit: | |
| name: Dependency vulnerability scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v8.0.0 | |
| with: | |
| version: "0.11.6" | |
| - name: Configure git auth for private packages | |
| uses: ./.github/actions/configure-git-auth | |
| with: | |
| token: ${{ secrets.GH_PAT }} | |
| - name: Run pip-audit | |
| env: | |
| UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }} | |
| run: uvx pip-audit |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/rhiza_weekly.yml around lines 88 - 101, The pip-audit job
may fail resolving private packages because it doesn't configure git auth or
UV_EXTRA_INDEX_URL like other jobs; update the pip-audit job (job name:
pip-audit, step that runs: "Run pip-audit" which executes uvx pip-audit) to
export the same UV_EXTRA_INDEX_URL and set up the same git
authentication/credential steps used in dep-compat-test and semgrep before
running uvx pip-audit so private indexes and repos can be accessed.
| @@ -1,8 +1,2 @@ | |||
| MARIMO_FOLDER=book/marimo/notebooks | |||
| MARIMO_FOLDER=docs/notebooks | |||
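Review bot: the `@@ -1,8 +1,2 @@` header shows six more lines being dropped from `.rhiza/.env` that this view does not display; confirm that none of the removed variables is still read by the make fragments that already consume `MARIMO_FOLDER` (`.rhiza/make.d/marimo.mk`, `.rhiza/make.d/book.mk`), otherwise those targets silently run with empty values rather than failing.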
Don't point MARIMO_FOLDER at the generated docs directory yet.
.rhiza/make.d/marimo.mk and .rhiza/make.d/book.mk still treat MARIMO_FOLDER as the source notebook directory. With the notebooks still living under book/marimo/notebooks, this change makes make marimo, marimo-validate, notebook export, and the marimo workflow skip them entirely.
📁 Minimal fix
-MARIMO_FOLDER=docs/notebooks
+MARIMO_FOLDER=book/marimo/notebooks
📝 Committable suggestion
| MARIMO_FOLDER=docs/notebooks | |
| MARIMO_FOLDER=book/marimo/notebooks |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.rhiza/.env at line 1, The MARIMO_FOLDER env var was pointed at the
generated docs directory which breaks targets that expect source notebooks;
change MARIMO_FOLDER back to the source notebook directory (the path where
notebooks actually live, e.g., book/marimo/notebooks or the original source
location) so .rhiza/make.d/marimo.mk and .rhiza/make.d/book.mk continue to find
and process notebooks; update the value of MARIMO_FOLDER in .rhiza/.env to the
source-notebooks path and verify make marimo, marimo-validate, and the notebook
export workflows run as before.
| analyse-repo: install-claude ## run the analyser agent to update REPOSITORY_ANALYSIS.md | ||
| @"$(CLAUDE_BIN)" --print \ | ||
| --allowedTools "Write" \ | ||
| --agent .github/agents/analyser.md \ | ||
| "Analyze the repository and update REPOSITORY_ANALYSIS.md" |
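Review bot: `--allowedTools "Write"` grants the agent unrestricted file creation anywhere in the checkout, although the recipe's stated purpose is to update a single file, `REPOSITORY_ANALYSIS.md`. Because this runs non-interactively (`--print`), nobody is there to refuse an unexpected write, so scope the permission to that path if the CLI's permission-rule syntax supports path patterns, and add the read-side tools the analysis needs (`Read`, and `Grep`/`Glob` for search) rather than widening write access further. The quoted `"$(CLAUDE_BIN)"` invocation is fine as written.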
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Inspecting analyse-repo target:"
rg -n -A5 -B2 '^\s*analyse-repo:' .rhiza/make.d/agentic.mk
echo
echo "Checking Claude CLI help for --allowedTools semantics and valid tool names:"
if command -v claude >/dev/null 2>&1; then
claude --help | sed -n '/allowedTools/,+20p'
else
echo "claude CLI not found in PATH; verify against your installed-version docs."
fi
Repository: tschm/jsharpe
Length of output: 526
🏁 Script executed:
find . -name "analyser.md" -type f
Repository: tschm/jsharpe
Length of output: 85
🌐 Web query:
Claude CLI allowedTools documentation what tools are available
💡 Result:
Claude Code CLI (the terminal-based agentic coding tool from Anthropic, installed via curl -fsSL https://claude.ai/install.sh | bash) provides a set of built-in tools that Claude can use to interact with your codebase and environment. The "allowedTools" refers to the CLI flags --allowedTools and --tools, and the corresponding permissions.allow and permissions.deny settings in .claude/settings.json files, which control which tools Claude can use without prompting or at all. Official documentation is at code.claude.com/docs, with key pages:
- Tools reference: http://code.claude.com/docs/en/tools-reference (complete list with permission requirements)
- CLI reference: http://code.claude.com/docs/en/cli-reference (flags like --allowedTools)
- Permissions: https://code.claude.com/docs/en/permissions (rule syntax)
Available built-in tools (exact names for rules/flags):
- Agent: Spawns subagents (no permission needed)
- AskUserQuestion: Asks user questions (no)
- Bash: Shell commands (yes)
- CronCreate/CronDelete/CronList: Scheduling (no/yes/no)
- Edit: Targeted file edits (yes)
- EnterWorktree: Git worktrees (permission varies)
- Glob: File pattern matching (no)
- Grep: Content search (no)
- ListMcpResourcesTool / ReadMcpResourceTool: MCP resources (no)
- LSP: Language server intelligence (varies)
- Monitor: Background command monitoring (yes, like Bash)
- Read: File reads (no)
- SendMessage: Agent messaging (no)
- Skill: Executes skills (yes)
- TaskCreate/TaskGet/TaskList/TodoWrite: Task management (no)
- ToolSearch: Deferred tool loading (no)
- Write: File creation (yes)
Additional tools via MCP servers, plugins, skills. Use /permissions in-session or --allowedTools "Read" "Bash(git *)" on CLI to pre-approve. Deny with --disallowedTools or permissions.deny. Rules support patterns like Bash(ls *). To list tools in a session: Ask Claude "What tools do you have access to?" or /mcp for MCP.
Note: Distinct from Anthropic Claude API tools (e.g., web_search) or anthropic-cli (ant tool).
Citations:
- 1: http://code.claude.com/docs/en/tools-reference
- 2: https://code.claude.com/docs/en/tools-reference.md
- 3: http://code.claude.com/docs/en/cli-reference
- 4: https://code.claude.com/docs/en/permissions
- 5: https://github.com/Cranot/claude-code-guide
- 6: https://docs.anthropic.com/en/docs/claude-code/cli-usage
🏁 Script executed:
# Check if there are any docs in the repo about Claude CLI usage or requirements
find . -name "*.md" -type f | xargs grep -l "allowedTools\|--agent\|claude.*--" | head -20
Repository: tschm/jsharpe
Length of output: 39
🏁 Script executed:
# Check the analyser.md agent content to understand what it does
if [ -f ".github/agents/analyser.md" ]; then
cat -n ".github/agents/analyser.md"
else
echo "analyser.md not found at .github/agents/analyser.md"
fi
Repository: tschm/jsharpe
Length of output: 2191
Allow read-capable tools for analyse-repo—agent cannot analyze files with write-only access.
On line 21, --allowedTools "Write" prevents the analyser agent from reading repository files. The agent's task explicitly requires file inspection to "identify concrete strengths, weaknesses, risks, and notable design decisions" with "specific file and module references," which is impossible without the Read tool (and optionally Grep/Glob for efficient search).
Suggested adjustment
analyse-repo: install-claude ## run the analyser agent to update REPOSITORY_ANALYSIS.md
@"$(CLAUDE_BIN)" --print \
- --allowedTools "Write" \
+ --allowedTools "Read" "Grep" "Glob" "Write" \
--agent .github/agents/analyser.md \
"Analyze the repository and update REPOSITORY_ANALYSIS.md"
📝 Committable suggestion
| analyse-repo: install-claude ## run the analyser agent to update REPOSITORY_ANALYSIS.md | |
| @"$(CLAUDE_BIN)" --print \ | |
| --allowedTools "Write" \ | |
| --agent .github/agents/analyser.md \ | |
| "Analyze the repository and update REPOSITORY_ANALYSIS.md" | |
| analyse-repo: install-claude ## run the analyser agent to update REPOSITORY_ANALYSIS.md | |
| @"$(CLAUDE_BIN)" --print \ | |
| --allowedTools "Read" "Grep" "Glob" "Write" \ | |
| --agent .github/agents/analyser.md \ | |
| "Analyze the repository and update REPOSITORY_ANALYSIS.md" |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.rhiza/make.d/agentic.mk around lines 19 - 23, The analyse-repo make target
currently calls "$(CLAUDE_BIN)" with --allowedTools "Write", which blocks the
analyser from reading files; update the invocation used by the analyse-repo rule
(the command that includes --allowedTools) to include "Read" (and optionally
"Grep" and/or "Glob") in the --allowedTools list so the analyser agent can
inspect repository files for concrete references and perform efficient searches;
ensure you only modify the string passed to --allowedTools in that command (the
same line that currently reads --allowedTools "Write").
| _book-notebooks: | ||
| @if [ -d "$(MARIMO_FOLDER)" ]; then \ | ||
| for nb in $(MARIMO_FOLDER)/*.py; do \ | ||
| name=$$(basename "$$nb" .py); \ | ||
| printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \ | ||
| abs_output="$$(pwd)/docs/notebooks/$$name.html"; \ | ||
| mkdir -p docs/notebooks; \ | ||
| (cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \ | ||
| done; \ | ||
| printf "# Marimo Notebooks\n\n" > docs/notebooks.md; \ | ||
| for html in docs/notebooks/*.html; do \ | ||
| name=$$(basename "$$html" .html); \ | ||
| echo "- [$$name]($$name.html)" >> docs/notebooks.md; \ | ||
| done; \ | ||
| fi |
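Review bot: a failing export does not fail the recipe. The `(cd ... && ${UV_BIN} run marimo export ...)` subshell sits inside a `for` loop inside the `@if ... fi` compound, and make only checks the exit status of that whole compound, which is the status of its last command; a notebook that fails to export therefore still lets `make book` succeed with a missing or stale HTML file. Append `|| exit 1` to the subshell line. The second loop also links every `docs/notebooks/*.html` it finds, including files left behind by notebooks that have since been deleted, so either clear the output directory before exporting or build `docs/notebooks.md` from the list of files just exported rather than from a glob.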
Handle empty or missing notebook sets without breaking make book.
Line 47 only emits docs/notebooks.md when $(MARIMO_FOLDER) exists, and both for .../*.py / for .../*.html loops assume at least one match. On a repo with no marimo notebooks, that means make book can either skip the page that the default MkDocs nav expects or try to export a literal *.py / append a bogus *.html link. This is on the CI path because the book workflow runs make book.
💡 Minimal hardening
_book-notebooks:
- `@if` [ -d "$(MARIMO_FOLDER)" ]; then \
+ `@mkdir` -p docs/notebooks
+ `@printf` "# Marimo Notebooks\n\n" > docs/notebooks.md
+ `@if` [ -d "$(MARIMO_FOLDER)" ]; then \
for nb in $(MARIMO_FOLDER)/*.py; do \
+ [ -e "$$nb" ] || continue; \
name=$$(basename "$$nb" .py); \
printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \
abs_output="$$(pwd)/docs/notebooks/$$name.html"; \
- mkdir -p docs/notebooks; \
(cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \
done; \
- printf "# Marimo Notebooks\n\n" > docs/notebooks.md; \
for html in docs/notebooks/*.html; do \
+ [ -e "$$html" ] || continue; \
name=$$(basename "$$html" .html); \
echo "- [$$name]($$name.html)" >> docs/notebooks.md; \
done; \
fi
+ `@grep` -q '^- ' docs/notebooks.md || echo "_No notebooks found._" >> docs/notebooks.md
📝 Committable suggestion
| _book-notebooks: | |
| @if [ -d "$(MARIMO_FOLDER)" ]; then \ | |
| for nb in $(MARIMO_FOLDER)/*.py; do \ | |
| name=$$(basename "$$nb" .py); \ | |
| printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \ | |
| abs_output="$$(pwd)/docs/notebooks/$$name.html"; \ | |
| mkdir -p docs/notebooks; \ | |
| (cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \ | |
| done; \ | |
| printf "# Marimo Notebooks\n\n" > docs/notebooks.md; \ | |
| for html in docs/notebooks/*.html; do \ | |
| name=$$(basename "$$html" .html); \ | |
| echo "- [$$name]($$name.html)" >> docs/notebooks.md; \ | |
| done; \ | |
| fi | |
| _book-notebooks: | |
| `@mkdir` -p docs/notebooks | |
| `@printf` "# Marimo Notebooks\n\n" > docs/notebooks.md | |
| `@if` [ -d "$(MARIMO_FOLDER)" ]; then \ | |
| for nb in $(MARIMO_FOLDER)/*.py; do \ | |
| [ -e "$$nb" ] || continue; \ | |
| name=$$(basename "$$nb" .py); \ | |
| printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \ | |
| abs_output="$$(pwd)/docs/notebooks/$$name.html"; \ | |
| (cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \ | |
| done; \ | |
| for html in docs/notebooks/*.html; do \ | |
| [ -e "$$html" ] || continue; \ | |
| name=$$(basename "$$html" .html); \ | |
| echo "- [$$name]($$name.html)" >> docs/notebooks.md; \ | |
| done; \ | |
| fi | |
| `@grep` -q '^- ' docs/notebooks.md || echo "_No notebooks found._" >> docs/notebooks.md |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.rhiza/make.d/book.mk around lines 46 - 60, The _book-notebooks Make target
assumes there is at least one file in $(MARIMO_FOLDER) and in
docs/notebooks/*.html; update it to guard the export and link-generation loops
by testing for actual matches before iterating: first mkdir -p docs/notebooks,
then check (e.g. use a shell test like "set -- $(MARIMO_FOLDER)/*.py; [ -e "$1"
]" or similar) and only run the export loop (the for nb in ... and the marimo
export call) if there are .py files, and similarly check whether
docs/notebooks/*.html expands to real files before populating docs/notebooks.md
(create an empty docs/notebooks.md or a placeholder if no notebooks exist) so
make book never emits literal "*.py" or "*.html" entries when none are present.
| @@ -0,0 +1,2 @@ | |||
| --8<-- "README.md" | |||
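Review bot: rewriting the include as `../README.md` may not resolve either. Recent pymdownx.snippets releases reject snippet paths that escape `base_path` (the `restrict_base_path` option defaults to true) precisely so that a docs page cannot pull in arbitrary files from outside the documentation tree. The robust fix is to add the repository root as a second `base_path` entry in `docs/mkdocs-base.yml` and keep `--8<-- "README.md"`, rather than to disable that restriction.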
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Checking include directive and mkdocs snippet base path..."
rg -n --fixed-strings '--8<-- "README.md"' docs/index.md
rg -n 'docs_dir:' docs/mkdocs-base.yml
rg -n 'base_path:' docs/mkdocs-base.yml -A3
echo "Checking whether docs/README.md exists..."
if [ -f docs/README.md ]; then
echo "docs/README.md exists (include may still be valid)."
else
echo "docs/README.md is missing; current include likely points to a non-existent file."
fi
Repository: tschm/jsharpe
Length of output: 553
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Checking for snippet include directive ==="
if grep -n --fixed-strings '--8<-- "README.md"' docs/index.md 2>/dev/null; then
echo "Found include directive"
else
echo "No matching include directive found"
fi
echo -e "\n=== Checking mkdocs configuration ==="
if [ -f docs/mkdocs-base.yml ]; then
echo "docs/mkdocs-base.yml contents:"
cat docs/mkdocs-base.yml
else
echo "docs/mkdocs-base.yml not found"
fi
echo -e "\n=== Checking file existence ==="
echo "Checking docs/README.md..."
[ -f docs/README.md ] && echo "✓ docs/README.md exists" || echo "✗ docs/README.md missing"
echo "Checking README.md at repo root..."
[ -f README.md ] && echo "✓ README.md exists at repo root" || echo "✗ README.md missing at repo root"
echo -e "\n=== Listing docs/ directory ==="
ls -la docs/ 2>/dev/null | head -20 || echo "docs/ directory not found"
Repository: tschm/jsharpe
Length of output: 2901
🏁 Script executed:
cat -n docs/index.md
Repository: tschm/jsharpe
Length of output: 90
Snippet include path resolves to non-existent file under current MkDocs config.
--8<-- "README.md" in docs/index.md will resolve from the docs root because docs_dir: . and base_path: ["."] in docs/mkdocs-base.yml are relative to that config file's location. This means it looks for docs/README.md, which doesn't exist. The repo-root README.md exists but won't be found, causing the docs build to fail.
💡 Proposed fix
---8<-- "README.md"
+--8<-- "../README.md"
Alternatively, add the repo root to pymdownx.snippets.base_path in docs/mkdocs-base.yml if snippet path restrictions allow it.
📝 Committable suggestion
| --8<-- "README.md" | |
| --8<-- "../README.md" |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/index.md` at line 1, The snippet include in docs/index.md uses --8<--
"README.md" which resolves under the docs root (due to docs/mkdocs-base.yml
settings docs_dir: . and base_path: ["."]) and thus points to a non-existent
docs/README.md; fix by either changing the include to reference the repo-root
README (e.g. update the snippet path in docs/index.md to the correct relative
path to the repository README) or update the MkDocs snippet config in
docs/mkdocs-base.yml by adding the repository root to
pymdownx.snippets.base_path so --8<-- "README.md" can resolve to the repo root.
| Overwrite this file using Claude and adjust for the Rhiza dependant. | ||
|
|
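Review bot: beyond deleting the `Overwrite this file using Claude ...` line, check what is left in `SECURITY.md` once it is gone; the visible context shows only the placeholder sentence and blank lines. A published policy that names no private reporting channel and no supported-version statement gives a reporter no safe way to disclose, which defeats the purpose of shipping the file at all.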
Remove template-authoring instruction from the published policy.
Line 3 is an internal generation note, not end-user policy content. It should be removed from the committed SECURITY.md.
Suggested patch
-Overwrite this file using Claude and adjust for the Rhiza dependant.
-
📝 Committable suggestion
| Overwrite this file using Claude and adjust for the Rhiza dependant. |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@SECURITY.md` around lines 3 - 4, Remove the internal generation note present
in SECURITY.md (the template-authoring instruction on line 3) so the published
policy contains only end-user facing content; open SECURITY.md, delete the
sentence "Overwrite this file using Claude and adjust for the Rhiza dependant."
(or any similar template note), and commit the cleaned file so the policy
contains only the actual security guidance intended for users.
Summary
- v0.8.16 to v0.9.5 in .rhiza/template.yml
- make sync to apply upstream template changes
- astral-sh/setup-uv past the patch baseline
Changes
- uv version: "0.11.2" → "0.11.6" across 7 workflow files
- TOKEN_SETUP.md reference path (.github/ → .rhiza/docs/) in rhiza_sync.yml
- rhiza_ci.yml)
- CODE_OF_CONDUCT.md / CONTRIBUTING.md into .rhiza/docs/
- structure from template (ADR template, assets, index, mkdocs-base)
Test plan
- make validate passes locally
🤖 Generated with Claude Code
Summary by CodeRabbit
Documentation
Chores