chore: update rhiza template ref to v0.10.1 #197

Merged
tschm merged 2 commits into main from rhiza/update-template-v0.10.1
Apr 20, 2026

Conversation

tschm (Owner) commented Apr 20, 2026

Summary

  • Bumps .rhiza/template.yml ref from v0.9.5 to v0.10.1

Test plan

  • CI passes on this branch

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added Semgrep static analysis integration for enhanced code quality checks.
    • Added local documentation server via make serve.
  • Updates

    • Updated toolchain and dependencies (uv: 0.11.6 → 0.11.7; template: v0.9.5 → v0.10.1).
    • Switched documentation build from MkDocs to Zensical.
    • Updated default AI model version.
  • Removals

    • Removed GitHub Agentic Workflows integration and associated hooks.
    • Removed ADR (Architecture Decision Records) template and setup.
    • Removed repository analysis documentation.

tschm and others added 2 commits April 20, 2026 15:43
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Automatically synced template files after updating .rhiza/template.yml

Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 20, 2026 11:44

coderabbitai Bot (Contributor) commented Apr 20, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR applies a comprehensive template sync that removes agentic workflow tooling (agents, hooks, GitHub Actions agentic setup), updates CI tooling (uv 0.11.6→0.11.7, mkdocs→zensical for documentation builds), consolidates Bandit configuration into a .bandit file, and removes extensive documentation and ADR templates while upgrading the Rhiza template to v0.10.1.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Bandit Configuration | .bandit, .pre-commit-config.yaml | Added .bandit file with [bandit] section disabling B101; updated pre-commit hook to use --ini .bandit instead of inline --skip B101 argument. |
| Removed Agentic Workflows | .github/agents/..., .github/hooks/..., .github/workflows/copilot-setup-steps.yml, .rhiza/make.d/agentic.mk, .rhiza/make.d/gh-aw.mk | Deleted agent definitions (analyser, summarise), Copilot instructions, session hooks, agentic Make targets, and GitHub Agentic Workflows integration; reflects shift away from agentic tooling. |
| Removed GitHub Helper Targets | .rhiza/make.d/github.mk, .rhiza/tests/api/test_github_targets.py, Makefile | Removed GitHub CLI wrapper targets and related tests; deleted adr Make target (previously invoked gh workflow run adr-create.md). |
| uv Toolchain Version Bump | .github/workflows/rhiza_book.yml, .github/workflows/rhiza_ci.yml, .github/workflows/rhiza_release.yml, .github/workflows/rhiza_weekly.yml, .pre-commit-config.yaml | Updated uv from 0.11.6 to 0.11.7 across all workflows and pre-commit hooks. |
| CodeQL Action Updates | .github/workflows/rhiza_codeql.yml | Updated github/codeql-action/init and github/codeql-action/analyze from v4.35.1 to v4.35.2; updated workflow header comment guidance. |
| Marimo Notebook Execution | .github/workflows/rhiza_marimo.yml | Changed notebook execution from uvx uv run "$notebook" to uv run --script "$notebook", altering environment provisioning approach. |
| CI Job Removals | .github/workflows/rhiza_ci.yml | Removed coverage-badge job that previously pushed coverage badges to gh-pages branch. |
| Documentation Generation Tooling | .rhiza/make.d/book.mk, .rhiza/requirements/docs.txt, .rhiza/requirements/README.md, docs/mkdocs-base.yml | Replaced mkdocs with zensical (zensical>=0.0.33, mike>=2.2.0); reworked book build, report/notebook handling, and MkDocs configuration; added server target and coverage badge generation. |
| Removed Documentation Files | .rhiza/docs/..., docs/adr/0000-adr-template.md | Deleted configuration guides (ASSETS, CONFIG, LFS, PRIVATE_PACKAGES, RELEASING, TOKEN_SETUP, WORKFLOWS) and ADR template. |
| Removed Make Documentation & Targets | .rhiza/make.d/README.md | Deleted Makefile recipe and hook documentation. |
| Quality & Test Targets | .rhiza/make.d/quality.mk, .rhiza/make.d/test.mk | Added semgrep Make target; updated security target to use --ini .bandit and accept PIP_AUDIT_ARGS override; reworked coverage-badge to use coverage.xml input and generate local SVG (removed gh-pages push). |
| Test Updates for Removed Files | .rhiza/tests/api/test_gh_aw_targets.py, .rhiza/tests/api/test_github_targets.py | Added module-level skips when corresponding .rhiza/make.d/*.mk files do not exist. |
| Makefile Coverage Badge Test | .rhiza/tests/api/test_makefile_targets.py | Updated test_coverage_badge_target_dry_run to expect coverage.xml input instead of coverage.json, and removed gh-pages assertions. |
| New Weekly Workflow Tests | .rhiza/tests/api/test_weekly_workflow.py | Added comprehensive test suite validating .github/workflows/rhiza_weekly.yml structure and job configuration (dep-compat-test, semgrep, pip-audit, link-check), plus Makefile target behaviors. |
| Book Targets Test | .rhiza/tests/integration/test_book_targets.py | Removed mkdocs-build from expected phony targets; updated for new build tooling. |
| Docs Targets Tests | .rhiza/tests/integration/test_docs_targets.py | Removed tests asserting mkdocs invocation behavior with MKDOCS_EXTRA_PACKAGES; retained variable declaration and override tests. |
| Security & Linting Annotations | .rhiza/tests/.../*.py (multiple files) | Added # nosec B404 and # nosec B603 annotations to subprocess imports and calls across integration, stress, sync, and utility tests; no logic changes. |
| Root Makefile | Makefile | Updated DEFAULT_AI_MODEL from claude-sonnet-4.5 to claude-sonnet-4.6; added MKDOCS_EXTRA_PACKAGES variable; removed post-validate hook and adr target. |
| Bandit Security Test | .rhiza/tests/security/test_security_patterns.py | Added test_bandit_ini_file_exists() verifying presence and contents of .bandit configuration file. |
| Development Documentation | docs/development/MARIMO.md, docs/development/TESTS.md | Updated notebook example paths and workflow references; changed test commands from pytest to uv run pytest; removed .github/workflows/rhiza_benchmarks.yml reference. |
| Template Version | .rhiza/template.yml | Bumped Rhiza template from v0.9.5 to v0.10.1. |
| .gitignore | .gitignore | Removed docs/notebooks.md ignore rule (file no longer generated). |
| Pre-commit Hook Additions | .pre-commit-config.yaml | Added econchick/interrogate hook for docstring coverage checks; bumped rhiza-hooks from v0.3.2 to v0.3.3. |

Sequence Diagram(s)

The changes do not meet the criteria for sequence diagram generation. While this is a substantial template sync, the modifications are primarily: configuration updates, file removals, build tooling replacements, and test additions—none of which introduce new feature flows or multi-component interactions that would benefit from sequence visualization. The marimo workflow change and book build refactoring are implementation-level adjustments rather than architectural flow changes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 The agentic workflows bid adieu,
As zensical builds replace the old brew,
Bandit config consolidated with care,
Template synced—v0.10.1 in the air! ✨
Workflows refined, the tests march ahead,
With coverage badges and notebooks well-fed.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'chore: update rhiza template ref to v0.10.1' accurately and specifically describes the main change—updating the Rhiza template reference version from v0.9.5 to v0.10.1, which is the primary functional change in the PR. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@tschm tschm merged commit a24b638 into main Apr 20, 2026
48 of 49 checks passed

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the repository’s Rhiza template reference to v0.10.1 and applies the corresponding template sync changes across docs, Make targets, CI workflows, and Rhiza’s internal test suite.

Changes:

  • Bump .rhiza/template.yml / .rhiza/template.lock to Rhiza template v0.10.1.
  • Update build/CI tooling (weekly workflow additions, CodeQL and uv version bumps, Semgrep target, coverage badge behavior).
  • Adjust docs and security configuration (MkDocs base config changes, Bandit config moved to .bandit, docs dev instructions refreshed).

Reviewed changes

Copilot reviewed 50 out of 52 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| docs/mkdocs-base.yml | Updates base MkDocs configuration (theme/features/extensions/plugins) and output dirs. |
| docs/development/TESTS.md | Switches “direct pytest” examples to uv run pytest; clarifies benchmarks section. |
| docs/development/MARIMO.md | Updates Marimo documentation wording and workflow name reference. |
| docs/adr/0000-adr-template.md | Removes ADR template file. |
| Makefile | Updates default AI model and adds MKDOCS_EXTRA_PACKAGES override. |
| .rhiza/tests/utils/test_git_repo_fixture.py | Adds Bandit suppression comments for subprocess usage in tests. |
| .rhiza/tests/sync/test_rhiza_version.py | Adds Bandit suppression comments for subprocess usage in tests. |
| .rhiza/tests/sync/test_readme_validation.py | Adds Bandit suppression comments for subprocess import. |
| .rhiza/tests/stress/test_makefile_stress.py | Adds Bandit suppression comments for subprocess import. |
| .rhiza/tests/stress/test_git_stress.py | Adds Bandit suppression comments for subprocess import. |
| .rhiza/tests/security/test_security_patterns.py | Adds test asserting .bandit exists and is used as Bandit config source. |
| .rhiza/tests/integration/test_sbom.py | Expands Bandit suppressions for uvx subprocess calls. |
| .rhiza/tests/integration/test_docs_targets.py | Removes tests tied to old mkdocs build/serve command splicing. |
| .rhiza/tests/integration/test_book_targets.py | Updates expected phony targets set (drops mkdocs-build). |
| .rhiza/tests/api/test_weekly_workflow.py | Adds structure and Makefile dry-run tests for rhiza_weekly.yml. |
| .rhiza/tests/api/test_makefile_targets.py | Updates coverage badge expectations (XML-based, local output). |
| .rhiza/tests/api/test_github_targets.py | Skips GitHub targets tests if github.mk is absent. |
| .rhiza/tests/api/test_gh_aw_targets.py | Skips gh-aw targets tests if gh-aw.mk is absent. |
| .rhiza/template.yml | Bumps template ref to v0.10.1. |
| .rhiza/template.lock | Updates locked template SHA/ref and synced file list/timestamp. |
| .rhiza/requirements/docs.txt | Updates docs requirement set (now includes mike, zensical). |
| .rhiza/requirements/README.md | Updates docs requirements description (but now diverges from docs.txt). |
| .rhiza/make.d/test.mk | Updates security (bandit config), adds PIP_AUDIT_ARGS, changes coverage-badge to local generation. |
| .rhiza/make.d/quality.mk | Adds semgrep target and updates phony list. |
| .rhiza/make.d/github.mk | Removes GitHub helper Make targets file. |
| .rhiza/make.d/gh-aw.mk | Removes gh-aw helper Make targets file. |
| .rhiza/make.d/book.mk | Reworks book build (zensical), report/notebook handling, adds serve target. |
| .rhiza/make.d/agentic.mk | Removes agentic helper Make targets file. |
| .rhiza/make.d/README.md | Removes template “cookbook” documentation. |
| .rhiza/docs/WORKFLOWS.md | Removes Rhiza workflow guidance doc. |
| .rhiza/docs/TOKEN_SETUP.md | Removes PAT token setup doc. |
| .rhiza/docs/RELEASING.md | Removes releasing guide doc. |
| .rhiza/docs/PRIVATE_PACKAGES.md | Removes private packages guide doc. |
| .rhiza/docs/LFS.md | Removes Git LFS guide doc. |
| .rhiza/docs/CONFIG.md | Removes Rhiza config index doc. |
| .rhiza/docs/ASSETS.md | Removes Rhiza assets doc. |
| .pre-commit-config.yaml | Updates Bandit args to .bandit, bumps uv-pre-commit, adds interrogate hook, bumps rhiza-hooks. |
| .gitignore | Stops ignoring docs/notebooks.md. |
| .github/workflows/rhiza_weekly.yml | Bumps uv version used in the workflow to 0.11.7. |
| .github/workflows/rhiza_release.yml | Bumps uv version used in the workflow to 0.11.7. |
| .github/workflows/rhiza_marimo.yml | Bumps uv version; switches notebook execution to uv run --script. |
| .github/workflows/rhiza_codeql.yml | Updates CodeQL action versions and clarifies comment. |
| .github/workflows/rhiza_ci.yml | Bumps uv versions and removes coverage-badge job. |
| .github/workflows/rhiza_book.yml | Bumps uv version used in the workflow to 0.11.7. |
| .github/workflows/copilot-setup-steps.yml | Removes Copilot agent setup workflow file. |
| .github/hooks/session-start.sh | Removes Copilot session start hook script. |
| .github/hooks/session-end.sh | Removes Copilot session end hook script. |
| .github/hooks/hooks.json | Removes Copilot hook configuration. |
| .github/copilot-instructions.md | Removes Copilot instruction file. |
| .github/agents/summarise.md | Removes summarise agent definition. |
| .github/agents/analyser.md | Removes analyser agent definition. |
| .bandit | Adds Bandit INI config file (skipping B101). |

Comment thread .rhiza/make.d/book.mk
# refuses to serve gitignored directories like _book) is not needed.
serve: book ## build and serve the book at http://localhost:8000
@printf "${BLUE}[INFO] Serving book at http://localhost:8000 (Ctrl-C to stop)${RESET}\n"
@cd $(BOOK_OUTPUT) && python3 -m http.server 8000
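
Review bot: In the `serve` recipe, `python3 -m http.server 8000` is started without a bind address, so it listens on all interfaces, while both the `##` help text and the printf line announce http://localhost:8000. Anyone on the same network can fetch the built book for as long as the server runs. Pass `--bind 127.0.0.1` so the behaviour matches the message, and consider `--directory "$(BOOK_OUTPUT)"` in place of the `cd`.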

Copilot AI Apr 20, 2026

The serve target runs python3 -m http.server, which assumes a system Python is available. Elsewhere the repo relies on uv-managed Python (so Python isn't a prerequisite). Consider invoking the server via the uv-managed interpreter (e.g., ${UV_BIN} run python -m http.server 8000) to keep behavior consistent and avoid failures on minimal environments.

Suggested change
@cd $(BOOK_OUTPUT) && python3 -m http.server 8000
@cd $(BOOK_OUTPUT) && ${UV_BIN} run python -m http.server 8000

Copilot uses AI. Check for mistakes.
Comment thread .rhiza/make.d/book.mk
Comment on lines 33 to 36
name=$$(basename "$$nb" .py); \
printf "${BLUE}[INFO] Exporting $$nb${RESET}\n"; \
abs_output="$$(pwd)/docs/notebooks/$$name.html"; \
mkdir -p docs/notebooks; \
printf "${BLUE}[INFO] Exporting $$nb -> ${ROOT}/docs/notebooks/$$name.html${RESET}\n"; \
abs_output="${ROOT}/docs/notebooks/$$name.html"; \
(cd "$$(dirname "$$nb")" && ${UV_BIN} run marimo export html --sandbox "$$(basename "$$nb")" -o "$$abs_output"); \
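
Review bot: The printf on the `[INFO] Exporting $$nb -> ${ROOT}/docs/notebooks/$$name.html` line expands `$$nb` and `$$name` inside the format string, so a notebook filename containing `%` or a backslash is treated as a format directive and garbles the log line. Use a fixed format and pass the values as arguments, for example `printf "${BLUE}[INFO] Exporting %s -> %s${RESET}\n" "$$nb" "$$abs_output"`, placed after `abs_output` is assigned. The export line already quotes `$$nb` for `dirname` and `basename`, so this keeps the recipe consistent.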

Copilot AI Apr 20, 2026

_book-notebooks always writes exports to ${ROOT}/docs/notebooks/... but doesn't ensure that output directory exists. This works only if MARIMO_FOLDER is also docs/notebooks; if a project overrides MARIMO_FOLDER to another location, the export can fail due to a missing ${ROOT}/docs/notebooks directory. Add a mkdir -p ${ROOT}/docs/notebooks before exporting.

Comment on lines 8 to 10
- **marimo.txt** - Marimo notebook dependencies
- **docs.txt** - Documentation generation dependencies (pdoc, interrogate, mkdocs, mkdocs-material, mkdocstrings)
- **docs.txt** - Documentation generation dependencies (interrogate, mkdocs, mkdocs-material, mkdocstrings)
- **tools.txt** - Development tools (pre-commit, python-dotenv, typer, ty)
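
Review bot: The parenthesised package list on the `docs.txt` line is maintained by hand, and this edit only drops `pdoc` from it, keeping `mkdocs`, `mkdocs-material` and `mkdocstrings` even though the per-file summary for this PR says docs.txt now includes `mike` and `zensical`. Rather than re-enumerating packages, describe the file's purpose only, as the `marimo.txt` line does, so the README cannot drift from the requirements file on the next sync.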

Copilot AI Apr 20, 2026

The description of docs.txt here doesn't match the actual contents of .rhiza/requirements/docs.txt after this sync (it now lists mike and zensical, and no longer lists mkdocs/material/mkdocstrings). Update this line to reflect the real docs toolchain, or adjust docs.txt so the README stays accurate.

Comment thread .rhiza/make.d/book.mk
Comment on lines 49 to +51
book:: _book-reports _book-notebooks ## compile the companion book via MkDocs
@if [ -n "$(_MKDOCS_CFG)" ]; then \
rm -rf "$(BOOK_OUTPUT)"; \
${UVX_BIN} --with "mkdocs-material<10.0" --with "pymdown-extensions>=10.0" --with "mkdocs<2.0" $(MKDOCS_EXTRA_PACKAGES) mkdocs build \
-f "$(_MKDOCS_CFG)" \
-d "$$(pwd)/$(BOOK_OUTPUT)"; \
else \
printf "${YELLOW}[WARN] No mkdocs config found, skipping MkDocs build${RESET}\n"; \
fi
@mkdir -p "$(BOOK_OUTPUT)"
@rm -rf "$(BOOK_OUTPUT)"
@${UVX_BIN} $(MKDOCS_EXTRA_PACKAGES) zensical build -f "$(ROOT)/mkdocs.yml"
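
Review bot: The `${UVX_BIN} $(MKDOCS_EXTRA_PACKAGES) zensical build` line carries no version constraint, whereas the mkdocs invocation in this hunk bounded what it pulled in (`mkdocs-material<10.0`, `mkdocs<2.0`, `pymdown-extensions>=10.0`). Run through uvx, the docs build executes whichever zensical release is newest at run time, so a breaking or compromised release reaches CI without any change in this repository. Pin an exact version in the recipe (uvx accepts `zensical@<version>`) so that upgrades arrive as reviewed diffs.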

Copilot AI Apr 20, 2026

make book now runs zensical build -f "$(ROOT)/mkdocs.yml", but this repository has no root-level mkdocs.yml (only docs/mkdocs-base.yml). This will make the book target fail. Either add a root mkdocs.yml (likely inheriting from docs/mkdocs-base.yml) or update the target to fall back to docs/mkdocs-base.yml when mkdocs.yml is absent.

Comment thread docs/mkdocs-base.yml
Comment on lines +30 to +31
docs_dir: docs
site_dir: _book
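
Review bot: `site_dir: _book` is a relative path, and MkDocs resolves relative paths in the config against the directory that contains the config file, so with this file under docs/ the site would be written to docs/_book. The `serve` recipe in book.mk does `cd $(BOOK_OUTPUT)` and the zensical build line passes no `-d`, so the output location is defined in two places that can disagree. Keep one source of truth: either pass the output directory from the Makefile or have the recipe read it from the config.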

Copilot AI Apr 20, 2026

docs/mkdocs-base.yml lives under docs/, so setting docs_dir: docs will resolve to docs/docs when this base config is used directly (as the header comments describe), and docs/docs does not exist in this repo. This will break mkdocs/zensical builds that point at docs/mkdocs-base.yml. Consider using docs_dir: . in the base config (and overriding to docs only from a root-level mkdocs.yml if needed).
