chore: open-source readiness cleanup #104
Merged
The Tabstack API returns sources as metadata.citedPages[]{url, title}
on the complete event, not as a top-level citations array. extractCitations
was only checking data.citations so always returned [].
Also removes the duplicate extractResult/extractCitations functions from
the deep-dive route and imports the canonical versions from research.ts.
- Extract isSafeHttpUrl helper to deduplicate URL validation logic
- Make metadata.citedPages the primary citation source (what the API actually returns) and data.citations the forward-compat fallback
- Drop explicit source_text: undefined in citedPages path (field is optional)
- Remove dead local ResearchCitation type from route.ts
- Add 4 tests covering citedPages extraction, claim/title fallback, priority over data.citations, and URL safety filtering
…e invalid
If every citedPages entry fails URL validation, the previous code returned [] immediately without checking the data.citations fallback. Now only returns from the citedPages branch when at least one valid citation is extracted.
Security:
- Gitignore .claude/settings.local.json — may contain credentials in Bash allow-lists and must never be committed
Config:
- Replace rivals.config.json with a generic placeholder template so forks start from a clean slate
- Add rivals.config.tabstack.json as the real-world example config
- Fix README cp command to use .env.local (consistent with CONTRIBUTING.md)
- README now points to rivals.config.tabstack.json as the full example
Tracking:
- Remove docs/superpowers/ (internal dev planning docs — not relevant to contributors and people have their own skills setup)
- Gitignore docs/superpowers/, docs/demo-script-*.md, docs/tabstack-usage-by-page.md, scripts/debug-health.ts
- Add prisma/migrations/migration_lock.toml (should be tracked per Prisma best practices)
- Add .claude/settings.json (project-level Claude Code permissions, useful for contributors, no sensitive data)
- Replace hardcoded tessak22/rival footer URL with your-org/rival placeholder
- Use *.example.com domains in rivals.config.json template so placeholders can never resolve to real sites or waste Tabstack API credits
- Fix README wording: tabstack.json is reference documentation only, the app always loads rivals.config.json
- Document matrix: false competitor field in README config section
- Broaden .gitignore to cover .claude/*.local.json (not just settings.local.json)
- Tighten .claude/settings.json: remove broad git add/commit/push/checkout permissions; keep only read-only git ops as project-level defaults
Summary
- .claude/settings.local.json — this file can contain credentials baked into Bash permission strings and must never be committed
- rivals.config.json with a generic placeholder template; add rivals.config.tabstack.json as the real-world example the Tabstack team uses
- docs/superpowers/ (13 internal dev planning docs — not relevant to contributors, everyone has their own skills setup); gitignore going forward
- prisma/migrations/migration_lock.toml (Prisma best practice) and .claude/settings.json (project-level permissions, useful for contributors)
- cp .env.example .env → cp .env.example .env.local to match CONTRIBUTING.md; add note pointing to rivals.config.tabstack.json as the full example

Action required after merge
Rotate credentials — the production DB password and TABSTACK_API_KEY that appeared in .claude/settings.local.json were exposed in shell output during this session. They are not in git history, but should be rotated as a precaution.

Test plan
- npm run typecheck passes
- cp .env.example .env.local → fill in keys → npm run dev works
- rivals.config.json generic template seeds correctly after replacing placeholder URLs
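
The Summary's first item and the "Action required after merge" note both concern credentials ending up inside Claude Code permission strings. As an added example (not code from this pull request or the project), the TypeScript below scans a parsed settings object for such strings and reports them redacted; the function name scanSettings, the three heuristic rules, and the assumed file shape (permissions lists of strings) are assumptions, and all sample values are constructed.

```typescript
// Added example (not project code). Assumed file shape:
//   { "permissions": { "allow": ["Bash(...)"], "deny": [...] } }
type Finding = { list: string; index: number; rule: string; redacted: string };

// Heuristic rules constructed for this example; capture group 1 is the secret.
const RULES: { name: string; re: RegExp }[] = [
  // scheme://user:password@host, e.g. a database connection string
  { name: "url-userinfo", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:\/@]+:([^\s@\/]+)@/i },
  // NAME=value where NAME looks like a secret-bearing environment variable
  { name: "env-assignment",
    re: /\b[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*=["']?([^\s"')]+)/ },
  // Authorization header passed on a command line
  { name: "auth-header", re: /Authorization:\s*(?:Bearer|Basic)\s+([A-Za-z0-9._~+\/=-]{8,})/i },
];

function scanSettings(settings: unknown): Finding[] {
  const perms = (settings as { permissions?: Record<string, unknown> } | null)?.permissions ?? {};
  const findings: Finding[] = [];
  for (const [list, entries] of Object.entries(perms)) {
    if (!Array.isArray(entries)) continue;
    entries.forEach((entry: unknown, index: number) => {
      if (typeof entry !== "string") return;
      for (const { name, re } of RULES) {
        const secret = re.exec(entry)?.[1];
        // "$VAR" / "${VAR}" is a reference resolved at run time, not a stored secret
        if (!secret || secret.startsWith("$")) continue;
        findings.push({ list, index, rule: name, redacted: entry.replace(secret, "[REDACTED]") });
      }
    });
  }
  return findings;
}

// Constructed sample; every value below is fake.
const SAMPLE = {
  permissions: {
    allow: [
      "Bash(git status:*)",
      "Bash(PGPASSWORD=constructed-pw psql -h db.example.com:*)",
      "Bash(psql postgres://app:constructed-pw@db.example.com/rival:*)",
      "Bash(TABSTACK_API_KEY=$TABSTACK_API_KEY npm run dev)",
    ],
  },
};

for (const f of scanSettings(SAMPLE)) console.log(`${f.list}[${f.index}] ${f.rule}: ${f.redacted}`);
```

A hit means the value is stored in plain text in that file; as the note above says for this PR, treat it as exposed and rotate it even when the file never reached git history.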