
E. Process, CI & Release

Parent: Code Review Index
Priority: every item here is small-effort and compounds
Surface affected: .github/workflows/, Dockerfile, repo root hygiene


E1 — Only one CI job; most backend tests are not gated

  • Status: Open
  • Impact: H | Complexity: L | Time: 1 D
  • Files: .github/workflows/dfm-vision-fusion-gate.yml, new .github/workflows/ci.yml

Finding. The only workflow is the DFM Vision Fusion Gate. It runs a subset of backend tests and a web build. The backend has 56 test files; the majority never run in CI.

Action for Codex.
  1. Create ci.yml with three jobs:
     • backend-fast — runs the full pytest suite with lightweight deps (no FreeCAD/OCC where possible; skip the tests that need them with markers).
     • backend-full — runs the DFM/Vision/Fusion gate on the heavy image (what today's workflow does).
     • web — Vitest unit tests + Playwright + npm run build.
  2. Use pytest -m "not requires_freecad" for fast; pytest -m requires_freecad for full.
  3. Add path filters so backend-full runs only on server changes and web only on web changes.
  4. Fail CI on pytest failures, linter failures (after C6/D6), and build errors.

Acceptance criteria.
  • Every push runs at least one job. PRs that change both surfaces run both.
  • backend-fast completes in < 3 min; backend-full is allowed up to 15 min.

Depends on: B5 (pinned deps) makes CI reproducible.
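An added example of what the ci.yml described above could look like; this is not the project's own workflow. Assumptions not stated on the page: backend tests live under server/ and the web app under web/, Python 3.11 and Node 20, the dorny/paths-filter action for change detection, and a placeholder image name for the heavy FreeCAD/OCC runtime. backend-fast has no `needs`, so it runs on every push; backend-full and web are gated on the path filter, which is what gives "PRs that change both surfaces run both".

```yaml
# .github/workflows/ci.yml (added example; paths, versions and image name are assumptions)
name: CI
on:
  push:
    branches: [main]
  pull_request:

jobs:
  changes:
    # Detects which surface a push/PR touched; outputs feed the job-level `if` below.
    runs-on: ubuntu-latest
    outputs:
      server: ${{ steps.filter.outputs.server }}
      web: ${{ steps.filter.outputs.web }}
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3   # assumed: third-party action, pin to a SHA in practice
        with:
          filters: |
            server:
              - 'server/**'
              - 'Dockerfile'
            web:
              - 'web/**'

  backend-fast:
    # Always runs: the lightweight pytest subset, FreeCAD/OCC tests skipped by marker.
    runs-on: ubuntu-latest
    timeout-minutes: 5          # acceptance target is < 3 min; budget a little headroom
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: pip
          cache-dependency-path: server/requirements.txt
      - run: pip install -r server/requirements.txt   # from the B5 lock file once it exists
      - run: pytest server -m "not requires_freecad"

  backend-full:
    # Heavy image only when server code changed; mirrors today's DFM/Vision/Fusion gate.
    needs: changes
    if: needs.changes.outputs.server == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 15         # acceptance ceiling
    container: ghcr.io/ORG/dfm-runtime:latest   # placeholder for the FreeCAD/OCC image
    steps:
      - uses: actions/checkout@v4
      - run: pytest server -m requires_freecad

  web:
    needs: changes
    if: needs.changes.outputs.web == 'true'
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: web
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: web/package-lock.json
      - run: npm ci
      - run: npx vitest run
      - run: npx playwright install --with-deps
      - run: npx playwright test
      - run: npm run build
```

The `requires_freecad` marker has to be registered in the pytest configuration (the `markers` list in pyproject.toml or pytest.ini), otherwise every `-m` selection warns about an unknown marker; with `--strict-markers` that warning becomes an error, which is the behaviour you want in CI so a typo in a marker name cannot silently deselect tests.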


E2 — CI installs unpinned deps

  • Status: Open
  • Impact: H | Complexity: L | Time: part of B5
  • Files: .github/workflows/dfm-vision-fusion-gate.yml:20-23

Finding. CI runs pip install -r server/requirements.txt against a floating set of versions. Green today, red tomorrow.

Action for Codex. Covered by B5: lock file, CI installs from the lock.

Acceptance criteria. See B5.

Depends on: B5 (same PR).


E3 — No linter / formatter gate in CI

  • Status: Open
  • Impact: M | Complexity: L | Time: 0.5 D
  • Files: .github/workflows/*.yml, new pyproject.toml or ruff.toml

Finding. Python has no ruff/black check; TS has no ESLint/Prettier check.

Action for Codex.
  1. Add ruff for Python: pyproject.toml with a conservative starting config (select = ["E", "F", "UP", "I"]).
  2. Add ruff check and ruff format --check to CI.
  3. Add npm run lint to the web CI job (requires D6 first).

Acceptance criteria.
  • CI fails on ruff errors and ESLint errors.
  • Project passes on main.

Depends on: C6 (pyupgrade), D6 (ESLint setup).


E4 — No SBOM, Dependabot, or vulnerability scanning

  • Status: Open
  • Impact: M | Complexity: L | Time: 1 D
  • Files: .github/dependabot.yml (new), .github/workflows/security.yml (new)

Finding. For an enterprise-targeted tool this is table stakes. Nothing today tells the team when a dependency has a known CVE or a new version.

Action for Codex.
  1. Add .github/dependabot.yml with weekly updates for pip, npm, github-actions, docker.
  2. Add a security.yml workflow that runs:
     • pip-audit -r server/requirements.txt (after B5)
     • npm audit --audit-level=high in web/
     • Optionally trivy against the built Docker image
  3. Fail on high/critical findings.
  4. Emit an SBOM (cyclonedx-bom for Python, npm sbom for Node) as a build artifact.

Acceptance criteria.
  • Dependabot PRs arrive weekly.
  • Security workflow runs on every push and produces SBOM artifacts.

Depends on: B5.
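An added example of the security.yml workflow sketched in steps 2–4 above; it is not the project's own file. Assumptions: Python 3.11 and Node 20, the web app under web/, a constructed local image tag dfm-app:ci for the trivy scan, and the cyclonedx-py 4.x command form (`cyclonedx-py requirements <file> -o <out>`; check it against the installed version). pip-audit has no severity threshold, so it fails on any known vulnerability in the pinned set, which is stricter than the "high/critical" bar but the right default for a lock file; npm audit and trivy are thresholded as the finding asks.

```yaml
# .github/workflows/security.yml (added example; versions, paths and image tag are assumptions)
name: Security
on:
  push:
  schedule:
    - cron: '0 6 * * 1'    # also re-run weekly so new advisories surface without a push

jobs:
  python-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install pip-audit cyclonedx-bom
      - name: Audit pinned Python deps (non-zero exit on any known vuln)
        run: pip-audit -r server/requirements.txt --strict
      - name: Emit CycloneDX SBOM for Python
        run: cyclonedx-py requirements server/requirements.txt -o sbom-python.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom-python
          path: sbom-python.cdx.json

  node-audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: web
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: web/package-lock.json
      - run: npm ci
      - name: Fail on high/critical advisories
        run: npm audit --audit-level=high
      - name: Emit CycloneDX SBOM for Node
        run: npm sbom --sbom-format cyclonedx > sbom-node.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom-node
          path: web/sbom-node.cdx.json

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t dfm-app:ci .          # constructed local tag, never pushed
      - uses: aquasecurity/trivy-action@master     # pin to a release tag or SHA before merging
        with:
          image-ref: dfm-app:ci
          severity: CRITICAL,HIGH
          exit-code: '1'                            # fail the job on findings at those levels
          ignore-unfixed: true                      # no fix available yet: report, don't block
```

For step 1, the matching .github/dependabot.yml is four `updates:` entries (`package-ecosystem` pip, npm, github-actions and docker, each with its `directory` and `schedule: interval: weekly`); once it is in place the github-actions entry will also propose bumps for the `uses:` lines above, which is the easiest way to keep third-party actions pinned and current.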


E5 — AGENTS.md references absolute Windows paths

  • Status: Open
  • Impact: M | Complexity: L | Time: 0.5 D
  • Files: AGENTS.md (top of repo)

Finding. AGENTS.md points to C:\Users\adeel\.codex\AGENTS.md and to personal OneDrive planning paths. Not reproducible for any collaborator; not reproducible for future-you on another machine. Per the existing AGENTS policy itself, planning docs should live in the wiki, not in absolute-path references.

Action for Codex.
  1. Remove the absolute-path references.
  2. Link to the wiki sections instead (the wiki is the canonical source — this review lives there too).
  3. Keep the "repo scope" and "technical workflow" sections; remove the "central planning source" section that points at local paths.

Acceptance criteria.
  • No absolute Windows paths in AGENTS.md.
  • Links work when opening the file from any clone.

Depends on: none.


E6 — Repo root carries loose planning docs

  • Status: Open
  • Impact: L | Complexity: L | Time: 0.5 D
  • Files: claude_notes.md, gui-refresh.md, ISOMETRIC_IMPLEMENTATION.md, adddesignreview.pdf, library.md, projection_occ.md, projections.md, workflow.md, project.md

Finding. The repo's own AGENTS.md says implementation-local docs belong in docs/design-review/, docs/contracts/, or docs/validation/. Several root-level MD files and a PDF contradict that policy. They also clutter the GitHub landing page.

Action for Codex.
  1. Review each file: keep, move into docs/, or delete.
  2. project.md (deploy instructions) belongs in docs/ or a proper README.md.
  3. Delete adddesignreview.pdf unless there is a reason to version a binary.

Acceptance criteria.
  • Repo root contains only: README.md, AGENTS.md, Dockerfile, docker-entrypoint.sh, LICENSE (if added), start scripts, config files, and directories.

Depends on: E5 (AGENTS.md cleanup same pass).


E7 — server/requirements_pythonocc.txt is corrupt

  • Status: Open
  • Impact: L | Complexity: L | Time: 0.1 D
  • Files: server/requirements_pythonocc.txt

Finding. The file is stored as UTF-16 (or otherwise byte-mangled): cat outputs ��p y t h o n o c c - c o r e. Not currently consumed by the Dockerfile. Confuses anyone reading it.

Action for Codex.
  1. Inspect git history for the intended content.
  2. Either rewrite as plain UTF-8 with pythonocc-core pinned, or delete the file.
  3. Document the FreeCAD/OCC install path in docs/contracts/runtime.md.

Acceptance criteria.
  • file server/requirements_pythonocc.txt reports ASCII or UTF-8 (or file is gone).

Depends on: none.
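The acceptance criterion above is a one-off `file` check; as an added example (not the project's own workflow), the same check turned into a small CI gate so the next mis-encoded requirements or config file is caught at PR time rather than by whoever runs `cat` next. Assumptions: bash on ubuntu-latest, and that the listed extensions cover the repo's text files; empty files are skipped because `file` reports them as binary.

```yaml
# .github/workflows/repo-hygiene.yml (added example; extension list is an assumption)
name: Repo hygiene
on: [push, pull_request]

jobs:
  text-encoding:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fail on UTF-16/UTF-32 or BOM-prefixed text files
        shell: bash
        run: |
          set -euo pipefail
          bad=0
          while IFS= read -r f; do
            [ -s "$f" ] || continue                 # empty files: nothing to check
            enc=$(file --mime-encoding -b "$f")     # e.g. us-ascii, utf-8, utf-16le, binary
            case "$enc" in
              utf-16*|utf-32*|binary)
                echo "::error file=$f::unexpected encoding: $enc"   # GitHub annotation on the file
                bad=1 ;;
            esac
            # A UTF-8 BOM (EF BB BF) still trips pip and most parsers; flag it separately.
            if head -c 3 "$f" | cmp -s - <(printf '\357\273\277'); then
              echo "::error file=$f::UTF-8 BOM present"
              bad=1
            fi
          done < <(git ls-files -- '*.txt' '*.md' '*.py' '*.ts' '*.tsx' '*.yml' '*.yaml' '*.toml' '*.json')
          exit "$bad"
```

Run against the current tree this step fails on server/requirements_pythonocc.txt exactly as the finding describes, and it stays green once that file is rewritten as UTF-8 or deleted; the annotation names the offending path in the PR checks view so nobody has to reproduce the `cat` output locally.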