docs: add CLAUDE.md with migrated agent notes#52
Conversation
There was a problem hiding this comment.
This new CLAUDE.md is well-written and specific, but it has three factual-drift issues to fix before it becomes the durable knowledge home. The doc is authored as an append to a pre-existing file, but no CLAUDE.md exists on main — this PR creates it. Two claims also describe repo state that is not actually present.
- Framing/structure: opens with an orphaned
---and no H1, as if appending. release-plz.ymlis described as an existing two-job workflow, but the.github/workflows/dir has onlyci.ymlandpr-title.yml(release-plz.tomldoes exist). Confirmed againstmainand this branch.bits()line reference has drifted (it is atsrc/util.rs:56onmain).
Rule check (docs-only, human-authored PR): PR title is conventional-commit compliant; prose is clean against writing-rules apart from the leading ---. No additional rule findings.
|
/dobby fix all comments you made |
- Add H1 title and drop the orphaned leading '---'; this PR creates CLAUDE.md (no such file on main), so it is not an append. - Drop the drift-prone src/util.rs:43-49 range for bits(); the function now moves on every edit, so reference the function by name instead. - Reword the release process: release-plz.toml has landed but release-plz.yml is not yet present, so the automation still needs manual human application and the release flow is still manual. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
One blocking issue in the added CLAUDE.md.
Embargo leak (blocking). The "Security: already fixed on main" section names several security-advisory identifiers in plain prose, each with its vulnerability class and fix location. Those advisories are still in draft (unpublished/embargoed) and this repo is public — merging this file would publish the advisory ids and vulnerability detail and defeat the embargo. This is the recurring draft-advisory-leak pattern.
Fix before merge: genericize that section — drop the advisory ids and the per-item vulnerability mechanism, keeping only non-sensitive facts (e.g. "several audit findings from 2026-07-04 are fixed and shipped on main; see the private advisories for detail"). Restore full detail once the advisories are published. Holding the PR in draft until then.
The three prior factual-drift findings (leading ---/framing, release-plz.yml presence, bits() line reference) are all resolved and re-verified against the repo — thanks for those.
…rgoed The "already fixed on main" section named per-finding identifiers and their root cause plus fix location. Those findings are still under embargo and this repo is public, so summarize them generically and point to the private advisories instead. Restore the detail once they are published. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Creates
CLAUDE.mdwith agent notes migrated from the private dobby memory repo (encryption4all/dobby, formerlyrepos/<this-repo>/), verified against the current state of the code before migration. NoCLAUDE.mdexisted onmain, so this PR adds the file.Going forward this file is the single home for durable repo knowledge: dobby updates it in the same PR whenever it learns something worth keeping.
Refs #52