11 changes: 0 additions & 11 deletions .Jules/palette.md
@@ -9,23 +9,12 @@
## 2026-06-13 - Added screen reader text for tooltip divs
**Learning:** When using `title` attributes on non-interactive elements like icon-only `div`s for tooltips, screen readers might not announce them properly because they aren't focusable. The visual tooltip is not enough for accessibility.
**Action:** Always add a visually hidden `<span className="sr-only">[Tooltip Text]</span>` inside non-interactive elements that rely on a `title` attribute so that screen readers have text content to announce.

## 2026-06-18 - Added keyboard accessibility to scrollable regions
**Learning:** Horizontally scrollable regions (like the `SectionRoadmap` component) are not accessible to keyboard-only users unless they can receive focus. Keyboard users must be able to focus the container to scroll its content using arrow keys.
**Action:** For proper keyboard accessibility in custom scrollable regions, always include `tabIndex={0}`, an appropriate `aria-label`, `role="region"`, and explicit focus visible styling (e.g., `focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-cyan-300`).

## 2026-06-19 - Internationalization
**Learning:** The desktop app uses i18n via json files located in `apps/desktop/src/locales/`
**Action:** When adding new text strings, make sure to add it to all locale files.

## 2026-06-25 - Native tooltips on disabled elements
**Learning:** Standard HTML `title` attributes used as tooltips do not render on elements that use Tailwind's `pointer-events-none` class, which is often applied to `disabled:` variants in Base UI and styled components.
**Action:** Do not rely on native `title` attributes for explaining disabled states on buttons with `pointer-events-none`. Instead, either use a custom tooltip component or ensure focus/interactive styles are preserved if an explanation is strictly required.

## 2024-06-29 - Tooltips blocked on disabled native buttons
**Learning:** Setting the `disabled` attribute on a native `<button>` element blocks all pointer events, including mouse hover, so a standard HTML `title` attribute is never shown as a tooltip, and the button is also removed from the keyboard tab order.
**Action:** For disabled action buttons that need an explanatory tooltip such as "Coming soon", do not put `title` on the button itself; instead wrap the button in a focusable `span` (`<span tabIndex={0} title={...} role="button" aria-disabled="true">`) so that both visual and screen reader accessibility are preserved.

## 2024-07-01 - Testing components with focusable disabled button wrappers
**Learning:** When native disabled buttons are wrapped in a focusable `span` to provide accessible tooltips, tests that previously found and clicked the `button` (by temporarily removing the `disabled` attribute) may fail or become overly complex. It is cleaner and more accurate to query the wrapper element (e.g. via its `title`) and fire events on it, reflecting the actual accessible DOM structure.
**Action:** When testing UI components that wrap disabled buttons in a focusable span for accessibility (e.g., using a tooltip/title), use `screen.getByTitle(...)` to query the wrapper element for interactions like `fireEvent.click` rather than `screen.getByRole('button')`.
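Review bot: this file lives under `.Jules/` while the other learnings file touched by this PR is `.jules/sentinel.md`; the two paths differ only in directory case, and on a case-insensitive checkout (the default on macOS and Windows) git can materialise only one of them, so contributors on those platforms will see spurious modifications or a failed checkout. Pick one casing, move the file with `git mv`, and update whatever tooling reads the palette. The hunk header (`-9,23 +9,12`) and the 11-deletion count show that the last three entries (2026-06-25 and the two 2024-dated ones) are being dropped; if the intent is to prune out-of-order or duplicated entries, say so in the PR description rather than leaving a silent deletion of recorded learnings.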
2,577 changes: 2,577 additions & 0 deletions .github/workflows/opencode-review.yml

Large diffs are not rendered by default.

105 changes: 105 additions & 0 deletions .github/workflows/pr-review-merge-scheduler.yml
@@ -0,0 +1,105 @@
name: PR Review Merge Scheduler

on:
schedule:
- cron: "17 */2 * * *"
workflow_dispatch:
inputs:
dry_run:
description: Print planned actions without mutating PRs
required: false
default: false
type: boolean
max_prs:
description: Maximum open PRs to inspect
required: false
default: "100"
trigger_reviews:
description: Dispatch OpenCode Review for PR heads without current approval
required: false
default: false
type: boolean
enable_auto_merge:
description: Enable auto-merge for current-head approved PRs
required: false
default: true
type: boolean
update_branches:
description: Update outdated PR branches after OpenCode approval
required: false
default: true
type: boolean
stale_opencode_minutes:
description: Redispatch OpenCode Review when an in-progress OpenCode check is older than this many minutes
required: false
default: "45"

permissions: read-all

concurrency:
group: pr-review-merge-scheduler
cancel-in-progress: false

env:
GIT_CONFIG_COUNT: "1"
GIT_CONFIG_KEY_0: init.defaultBranch
GIT_CONFIG_VALUE_0: develop

jobs:
scan-pr-queue:
runs-on: ubuntu-latest
permissions:
checks: read
contents: write
issues: write
pull-requests: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run == true }}
MAX_PRS: ${{ inputs.max_prs || '100' }}
PROJECT_FLOW: ${{ vars.PROJECT_FLOW || 'git-flow' }}
TRIGGER_REVIEWS: ${{ github.event_name == 'workflow_dispatch' && inputs.trigger_reviews == true }}
ENABLE_AUTO_MERGE: ${{ github.event_name != 'workflow_dispatch' || inputs.enable_auto_merge == true }}
UPDATE_BRANCHES: ${{ github.event_name != 'workflow_dispatch' || inputs.update_branches == true }}
STALE_OPENCODE_MINUTES: ${{ inputs.stale_opencode_minutes || vars.STALE_OPENCODE_MINUTES || '45' }}
steps:
- name: Checkout trusted scheduler
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 1

- name: Self-test scheduler
run: python3 scripts/ci/pr_review_merge_scheduler.py --self-test

- name: Inspect PR review and merge queue
run: |
set -euo pipefail
args=(
--repo "$GITHUB_REPOSITORY"
--base-branch "$DEFAULT_BRANCH"
--max-prs "$MAX_PRS"
--project-flow "$PROJECT_FLOW"
--review-workflow "OpenCode Review"
--stale-opencode-minutes "$STALE_OPENCODE_MINUTES"
)
if [ "$DRY_RUN" = "true" ]; then
args+=(--dry-run)
fi
if [ "$TRIGGER_REVIEWS" = "true" ]; then
args+=(--trigger-reviews)
else
args+=(--no-trigger-reviews)
fi
if [ "$ENABLE_AUTO_MERGE" = "true" ]; then
args+=(--enable-auto-merge)
else
args+=(--no-enable-auto-merge)
fi
if [ "$UPDATE_BRANCHES" = "true" ]; then
args+=(--update-branches)
else
args+=(--no-update-branches)
fi
python3 scripts/ci/pr_review_merge_scheduler.py "${args[@]}"
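Review bot: the job's permissions block grants `contents: write`, `issues: write` and `pull-requests: write` but not `actions: write`, so if `--trigger-reviews` dispatches the "OpenCode Review" workflow through the workflow-dispatch API (`gh workflow run`), that call will be rejected for the `GITHUB_TOKEN` this job exports as `GH_TOKEN`; either add `actions: write` to the job or document that review dispatch needs a different token. A related caveat for `--update-branches` and `--enable-auto-merge`: pushes and branch updates performed with `GITHUB_TOKEN` do not trigger other workflows, so an updated PR head will not get a fresh "OpenCode Review" or CI run on its own, and auto-merge will wait on required checks that never start unless the script re-dispatches them itself. Finally, on the `schedule` path every switch is on by default (`ENABLE_AUTO_MERGE` and `UPDATE_BRANCHES` evaluate to true whenever the event is not `workflow_dispatch`, and `DRY_RUN` is false), so every two hours this job will merge any PR whose current head carries an OpenCode approval; that makes the approval check inside `scripts/ci/pr_review_merge_scheduler.py` the only gate on merging, and that script is not part of this diff, so it deserves review alongside this file. Pinning `actions/checkout` to a full commit SHA and the `--self-test` step before the live run are both good.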
5 changes: 5 additions & 0 deletions .jules/sentinel.md
@@ -2,3 +2,8 @@
**Vulnerability:** CSV formula injection mitigation was naive, missing leading whitespace, tabs, and newlines.
**Learning:** Checking `/^[=+\-@]/` is not sufficient, as OWASP states that spaces and tabs before the formula triggers will also execute the formula in applications like Excel.
**Prevention:** Use a regex that allows leading whitespace (e.g. `/^[\s\uFEFF\xA0]*[=+\-@\t\r\n]/`) and include standalone tabs or new lines which are also injection vectors.

## 2024-10-24 - [Information Leakage in Error Handling]
**Vulnerability:** A catch-all exception handler in `services/analysis-engine/src/bandscope_analysis/api.py` passed raw `str(error)` exception strings through the `result_queue`, which were then raised as `RuntimeError(str(payload))` and leaked in orchestrator logs and status updates.
**Learning:** Returning or logging raw exception objects can leak sensitive internal details, file paths, or architecture information, violating the principle of failing securely.
**Prevention:** Always log the raw exception object internally using `logger.error` for debugging, but return a generic, safe error message to the client or outer orchestrator layer (e.g., "Stem separation failed due to an internal error.").
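Review bot: the Prevention line of the 2024-10-24 entry recommends `logger.error` for the internal record, which logs the message but drops the traceback; inside the `except` block use `logger.exception(...)` (or `logger.error(..., exc_info=True)`) so the detailed record keeps the stack, and pair the generic message that goes through `result_queue` with a short correlation id so the orchestrator's log line can be matched back to the detailed one. Worth also stating in the entry that the generic string must be a fixed literal: building it from any field of the original exception (its class name, its `args`) reintroduces the leak the entry is meant to prevent.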
9 changes: 4 additions & 5 deletions apps/desktop/src-tauri/Cargo.lock
