chore: open-source readiness cleanup #104

Merged: tessak22 merged 6 commits into main from chore/open-source-cleanup on May 30, 2026
Conversation

@tessak22

Owner

Summary

  • Security: Gitignore .claude/settings.local.json — this file can contain credentials baked into Bash permission strings and must never be committed
  • Config: Replace rivals.config.json with a generic placeholder template; add rivals.config.tabstack.json as the real-world example the Tabstack team uses
  • Docs cleanup: Remove docs/superpowers/ (13 internal dev planning docs — not relevant to contributors, everyone has their own skills setup); gitignore going forward
  • Gitignore: Add demo scripts, working notes, and local debug scripts
  • Tracking: Add prisma/migrations/migration_lock.toml (Prisma best practice) and .claude/settings.json (project-level permissions, useful for contributors)
  • README: Fix cp .env.example .env → cp .env.example .env.local to match CONTRIBUTING.md; add note pointing to rivals.config.tabstack.json as the full example

Action required after merge

Rotate credentials — the production DB password and TABSTACK_API_KEY that appeared in .claude/settings.local.json were exposed in shell output during this session. They are not in git history, but should be rotated as a precaution.

Test plan

  • npm run typecheck passes
  • Fresh clone: cp .env.example .env.local → fill in keys → npm run dev works
  • rivals.config.json generic template seeds correctly after replacing placeholder URLs

tessak22 added 6 commits May 29, 2026 19:26
The Tabstack API returns sources as metadata.citedPages[]{url, title}
on the complete event, not as a top-level citations array. extractCitations
was only checking data.citations so always returned [].

Also removes the duplicate extractResult/extractCitations functions from
the deep-dive route and imports the canonical versions from research.ts.
- Extract isSafeHttpUrl helper to deduplicate URL validation logic
- Make metadata.citedPages the primary citation source (what the API
  actually returns) and data.citations the forward-compat fallback
- Drop explicit source_text: undefined in citedPages path (field is optional)
- Remove dead local ResearchCitation type from route.ts
- Add 4 tests covering citedPages extraction, claim/title fallback,
  priority over data.citations, and URL safety filtering
…e invalid

If every citedPages entry fails URL validation, the previous code returned []
immediately without checking the data.citations fallback. Now only returns
from the citedPages branch when at least one valid citation is extracted.
Security:
- Gitignore .claude/settings.local.json — may contain credentials in
  Bash allow-lists and must never be committed

Config:
- Replace rivals.config.json with a generic placeholder template so
  forks start from a clean slate
- Add rivals.config.tabstack.json as the real-world example config
- Fix README cp command to use .env.local (consistent with CONTRIBUTING.md)
- README now points to rivals.config.tabstack.json as the full example

Tracking:
- Remove docs/superpowers/ (internal dev planning docs — not relevant
  to contributors and people have their own skills setup)
- Gitignore docs/superpowers/, docs/demo-script-*.md,
  docs/tabstack-usage-by-page.md, scripts/debug-health.ts
- Add prisma/migrations/migration_lock.toml (should be tracked per
  Prisma best practices)
- Add .claude/settings.json (project-level Claude Code permissions,
  useful for contributors, no sensitive data)
- Replace hardcoded tessak22/rival footer URL with your-org/rival placeholder
- Use *.example.com domains in rivals.config.json template so placeholders
  can never resolve to real sites or waste Tabstack API credits
- Fix README wording: tabstack.json is reference documentation only,
  the app always loads rivals.config.json
- Document matrix: false competitor field in README config section
- Broaden .gitignore to cover .claude/*.local.json (not just settings.local.json)
- Tighten .claude/settings.json: remove broad git add/commit/push/checkout
  permissions; keep only read-only git ops as project-level defaults
@tessak22 tessak22 merged commit 98121b5 into main May 30, 2026
1 of 2 checks passed
@tessak22 tessak22 deleted the chore/open-source-cleanup branch May 30, 2026 23:50
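
Added example, not code from this pull request or the project's research.ts: one way to implement the citation extraction the commit messages above describe, with http(s)-only URL filtering and the fall-through to data.citations when no citedPages entry validates. The Citation shape, the toCitations helper, the title-to-claim mapping and the sample event are assumptions.

```typescript
interface Citation { url: string; claim: string } // hypothetical shape

// Only absolute http(s) URLs may be rendered as links: rejects javascript:,
// data:, file:, relative paths and malformed strings.
function isSafeHttpUrl(value: unknown): value is string {
  if (typeof value !== "string") return false;
  try {
    const { protocol } = new URL(value);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false;
  }
}

// Validate each entry of an untrusted array; textKey names the field used
// as the claim (assumed: "title" for citedPages, "claim" for data.citations).
function toCitations(entries: unknown, textKey: string): Citation[] {
  if (!Array.isArray(entries)) return [];
  const out: Citation[] = [];
  for (const entry of entries) {
    if (typeof entry !== "object" || entry === null) continue;
    const rec = entry as Record<string, unknown>;
    const url = rec["url"];
    if (!isSafeHttpUrl(url)) continue; // drop unsafe or malformed URLs
    const text = rec[textKey];
    out.push({ url, claim: typeof text === "string" && text ? text : url });
  }
  return out;
}

function extractCitations(event: unknown): Citation[] {
  if (typeof event !== "object" || event === null) return [];
  const ev = event as { metadata?: { citedPages?: unknown } | null; data?: { citations?: unknown } | null };
  // Primary source: metadata.citedPages. Return from this branch only when at
  // least one entry survived validation, else fall through to data.citations.
  const cited = toCitations(ev.metadata?.citedPages, "title");
  if (cited.length > 0) return cited;
  return toCitations(ev.data?.citations, "claim");
}

// Constructed sample event, not real Tabstack API output.
const sampleEvent = {
  metadata: { citedPages: [
    { url: "https://a.example.com/pricing", title: "Pricing" },
    { url: "javascript:void(0)", title: "unsafe scheme" },
    { url: "/relative/path", title: "not absolute" },
  ] },
  data: { citations: [{ url: "https://b.example.com/", claim: "fallback" }] },
};
```
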