chore: lane greenup — README work-state, vite CVE, build, CI workflow fixes#59

Open
KooshaPari wants to merge 7 commits into main from chore/lane-greenup

Conversation

@KooshaPari

Owner

chore: lane greenup — README work-state, vite CVE, build, CI workflow fixes

Summary

Stewarding pass for the BLOCK A (Traceability/PM/Data) repo. Pins an active CVE, fixes the uv sync build blocker, corrects a misconfigured CodeQL job, and adds an honest alpha progress marker to the README.

Work-state

alpha — [######----] 60% (ten-block bar, six filled). Honest split:

  • Green: core policy resolve / sync / host-rules flow, pytest (491 passed, 23 skipped, 0 failed), VitePress docs build, all 18 CI workflows already ubuntu-latest only.
  • Open debt: ruff check reports 2382 errors and ruff format --check flags 1261 files across wrappers/, tools/, tests/, scripts/. Out of scope for a greenup; would require a multi-commit refactor sweep.
  • Transitive CVEs: esbuild 0.25.x line (GHSA-gv7w-rqvm-qjhr) is gated by vitepress 1.6.4 — fixing requires a vitepress breaking change. Tracked as remaining work below.

Green at start of this pass

  • pytest tests/: 491 passed, 23 skipped, 0 failed
  • npm run docs:build: build complete (8s)
  • All 18 workflows under .github/workflows/ already pinned to ubuntu-latest — no billable / macOS-large / self-hosted runners to remove

Red at start of this pass

  • uv sync: fails with "Multiple top-level packages discovered in a flat-layout: ['cli', 'specs', 'schemas', 'policies', 'wrappers', 'contracts', 'extensions']". setuptools auto-discovery walks root dirs with no __init__.py.
  • npm audit: high severity on vite 6.4.2 (override pinned to vulnerable boundary).
  • .github/workflows/codeql.yml: job named "Analyze Rust" with languages: rust, but this is a Python / TypeScript repo. The pinned actions/checkout ref was also inconsistent (40-char SHA without # v4 annotation) and the github/codeql-action/init|autobuild|analyze steps floated on @v4.
  • .github/workflows/trufflehog.yml: actions/checkout ref inconsistent (40-char SHA only, no # v4).

Fixes applied (5 commits, ~26 / 14 lines, 7 files)

  • docs(readme): add work-state line and ascii progress bar — Single HTML-comment line at the top of README.md reflecting honest alpha state.
  • fix(deps): bump vite override to ^6.4.3 for CVE-2025-30208 — Bumps the package.json override from ^6.4.2 to ^6.4.3 (highest-patched 6.x for GHSA-fx2h-pf6j-xcff, CWE-22 server.fs.deny bypass on Windows alternate paths). Lockfile regenerated. Docs build re-verified.
  • fix(build): declare setuptools packages.find to fix uv sync — Adds [tool.setuptools.packages.find] with include = [] to disable auto-discovery of the data dirs at the repo root. Shortest root-cause fix; uv sync now succeeds. uv run pytest re-verified: 491 passed, 23 skipped.
  • ci(workflows): align codeql + trufflehog checkout refs; fix codeql languages — codeql.yml: align checkout ref (@<sha> # v4), pin github/codeql-action/* to the same SHA used by the other workflows (@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3), change languages: rust to languages: python, typescript (the actual repo languages), drop the meaningless category: /language:rust filter, rename job to "Analyze". trufflehog.yml: align checkout ref to @<sha> # v4.
  • chore(deps): add uv.lock for reproducible installs — Newly generated by uv sync after the pyproject fix; makes CI installs deterministic.

What remains (top blockers, in order)

  1. esbuild transitive CVE (GHSA-gv7w-rqvm-qjhr) — vitepress 1.6.4 → @vitejs/plugin-vue 5.2.4 → vite 6.4.3 → esbuild 0.25.x (vulnerable). npm audit fix --force would downgrade vitepress to 0.22.4, which is a breaking change. Needs a vetted plan to either bump vitepress (preferred) or pin esbuild override once vitepress 1.6.x lands a fix.
  2. Lint / format mass — 2382 ruff errors, 1261 files needing reformat. Already excluded for scripts/** (ALL ignore) and partially for tests/** (D, PLR2004, ANN, E402). Needs a phased sweep, not a greenup.
  3. .vitepress-dist/ is tracked at the repo root — pre-existing; the .gitignore only covers docs/.vitepress/dist. VitePress emits to .vitepress-dist/ by default. The pages-deploy.yml workflow explicitly points at .vitepress-dist, so the gitignore is wrong, not the workflow. A future PR should either ignore the directory or move the build output back under docs/.vitepress/dist.
  4. PyO3 / Rust wrapper — the wrappers/rust/ subtree has a Cargo.toml. No CI job builds it; quality-gate.yml and ci.yml cover only Python. The security-deep-scan.yml and sast.yml include rust in their CodeQL matrix, so any rust source added later will be scanned. Not exercised today.

How to verify locally

git fetch origin chore/lane-greenup
git checkout chore/lane-greenup

# Build
uv sync
uv run pytest tests/ -q --tb=line          # 491 passed, 23 skipped
npm ci
npm run docs:build                          # build complete

# CVE
npm audit                                    # vite 6.4.2 entry should be gone

Links
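As an added check (not code from this PR or from the repo), a small Python script that flags the two workflow pinning problems the "Red at start of this pass" list describes: a `uses:` ref floating on a mutable tag such as `@v4`, and a 40-char SHA with no `# vN` annotation saying which release it pins. The workflow fragments below are constructed samples; the actions/checkout SHA is a placeholder, while the codeql-action SHA is the one this PR pins.

```python
"""Flag GitHub Actions `uses:` references that are not an annotated commit SHA."""
import re

# Matches "- uses: owner/repo@ref # optional comment" and captures action, ref, comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"]+)['\"]?\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_NOTE_RE = re.compile(r"^v\d")

# Constructed sample: the shape of the pre-fix codeql.yml (checkout SHA is a placeholder).
CODEQL_BEFORE = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: github/codeql-action/init@v4
      - uses: github/codeql-action/analyze@v4
"""

# Constructed sample: the post-fix shape, every step pinned to a SHA with a "# vN" note.
CODEQL_AFTER = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
      - uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
"""


def check_pins(workflow_text):
    """Return (line_no, action, problem) for each `uses:` line that is not a SHA plus `# vN`."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:  # local "./" actions and docker:// refs carry no "@" and are skipped
            continue
        action, ref, comment = m.groups()
        if not SHA_RE.match(ref):
            findings.append((line_no, action, f"floating ref '{ref}' (mutable tag/branch)"))
        elif not (comment and VERSION_NOTE_RE.match(comment)):
            findings.append((line_no, action, "SHA without '# vN' version annotation"))
    return findings


if __name__ == "__main__":
    for name, text in (("before", CODEQL_BEFORE), ("after", CODEQL_AFTER)):
        print(f"{name}: {len(check_pins(text))} finding(s)")
        for line_no, action, problem in check_pins(text):
            print(f"  line {line_no}: {action}: {problem}")
```

Run it against `.github/workflows/*.yml` by reading each file into `check_pins`; an empty list means every action is pinned the way this PR pins codeql.yml and trufflehog.yml.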


@sonarqubecloud


Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@coderabbitai

coderabbitai Bot commented Jun 17, 2026


Warning

Review limit reached

@KooshaPari, we couldn't start this review because you've reached your PR review rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between b6057cc and 2fe8516.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/workflows/codeql.yml
  • .github/workflows/trufflehog.yml
  • README.md
  • package.json
  • pyproject.toml

@KooshaPari KooshaPari marked this pull request as ready for review June 23, 2026 15:59
@kilo-code-bot

kilo-code-bot Bot commented Jun 25, 2026

Contributor

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (19 files)
  • README.md — work-state HTML comment
  • package.json / package-lock.json — vite override bump for CVE-2025-30208
  • pyproject.toml — setuptools packages.find config
  • .github/workflows/codeql.yml — language correction, SHA pinning
  • .github/workflows/trufflehog.yml — checkout SHA annotation
  • scripts/output_contract.py — _as_path_text cross-platform normalization
  • scripts/policy_common.py — format_policy_path cross-platform normalization
  • scripts/sync_host_rules.py — _had_managed_segment_before graceful error handling
  • scripts/validate_policy_contract.py — consistent _display_path usage across all emit paths
  • Deleted scripts/federation/f203–f216_* placeholders and gate stubs (no active consumers)
  • tests/README.md — new test documentation
  • tests/test_integration.py, test_performance.py, test_platform_wrappers.py, test_policy_contract.py, test_policy_contract_validation_governance.py, test_smoke_dispatch_host_hook.py, tests/unit/support.py, tests/unit/test_interceptor.py — Windows skip guards and cross-platform argv helper

Reviewed by step-3.7-flash-20260528 · Input: 150K · Output: 9.6K · Cached: 566.4K
