[codex] expose repository discovery metadata

[moose-lab]

Summary

• Add llms.txt as the crawler/LLM-facing project map for DevLog.
• Add package metadata for public repository discovery: repository, homepage, issues URL, and indexing keywords.
• Add a repository-discovery guard test without introducing Markdown documentation file changes.

Audit Result

• Rewrote the PR branch history so AGENTS.md, README.md, and docs/repository-discovery.md are no longer in the PR diff or commit history.
• Addressed the review should-fix by removing hardcoded optional .devin/wiki.json page-title assertions; when that optional file exists, the test now validates structure only.
• Anchored test file resolution to import.meta.url instead of process.cwd() so focused tests also work from subdirectories.
• Tightened the optional DeepWiki steering assertion so it is tied to .devin/wiki.json, not any unrelated occurrence of “optional”.

Validation

• node --test --import tsx --test-reporter spec src/core/__tests__/repository-discovery.test.ts (3/3 pass)
• bun run typecheck
• TZ=Asia/Shanghai bun run test (274/274 pass)
• Pre-commit hook reran git diff --cached --check && bun run typecheck && TZ=Asia/Shanghai bun run test successfully.

[claude]

Claude finished @moose-lab's task in 1m 16s —— View job

---

PR Review

• Gather context
• Read changed files
• Review for correctness, cross-platform safety, security, type safety, and test coverage
• Post findings

---

Findings

• [should-fix] src/core/__tests__/repository-discovery.test.ts:68-71 — The wiki.json content assertions (wiki.pages?.some(page => page.title === "Architecture Overview") etc.) are hardcoded title checks that only run when .devin/wiki.json happens to exist. If that optional file is ever added with different titles, the test fails with no warning. Since the file is explicitly optional, either remove the content assertions entirely (just validate JSON parses and has repo_notes/pages keys), or add a comment explaining the expected schema. As written, anyone adding .devin/wiki.json with different page titles will hit a surprise test failure. Fix this →

• [should-fix] src/core/__tests__/repository-discovery.test.ts:10 — const root = process.cwd() makes all file resolution dependent on the working directory at test execution time. The AGENTS.md convention (TZ=Asia/Shanghai bun run test) implies running from the repo root, so this works in practice, but a CWD change (e.g., running bun test src/... from a subdirectory) produces silent wrong-path errors. Consider anchoring to new URL('../../../..', import.meta.url).pathname for robustness.

• [nit] src/core/__tests__/repository-discovery.test.ts:80 — assert.match(readme, /optional/i) is too loose; the word "optional" could appear in any sentence. A tighter pattern like /\.devin\/wiki\.json.*optional|optional.*\.devin\/wiki\.json/is ties the assertion to the actual claim. Currently passes, but won't catch regressions if the phrasing changes.

• [nit] AGENTS.md:7 — "Superpowers v5.1.0" will rot fast. Since this is a guide file agents are supposed to keep current, pinning a version here may cause confusion if the plugin updates without the file being updated. Consider dropping the version number or noting it should be kept in sync.

---

Summary: This is a clean documentation/metadata PR. The guard-test pattern is well-chosen for ensuring discovery files stay in place. No correctness bugs, no security issues, no unsafe casts worth blocking on. The two should-fix items are about test fragility, not runtime behavior.

Verdict: APPROVE (with the wiki.json assertion cleanup recommended before the file is ever committed to this repo)

[claude]

Claude finished @moose-lab's task in 1m 32s —— View job

---

PR Review

• Gather context
• Read changed files
• Review updates since last review (commit 3b0ff72 — "test: avoid URL regex in discovery guard")
• Post findings

---

What changed since last review

Commit 3b0ff72 replaced regex-based URL assertions with String.includes():

-  assert.match(llms, /https:\/\/github\.com\/moose-lab\/DevLog/);
-  assert.match(llms, /https:\/\/deepwiki\.com\/moose-lab\/DevLog/);
+  assert.ok(llms.includes("https://github.com/moose-lab/DevLog"));
+  assert.ok(llms.includes("https://deepwiki.com/moose-lab/DevLog"));

This correctly addresses both CodeQL "Missing regular expression anchor" alerts. Unanchored regexes on URL strings can match unexpected substrings; String.includes() is the right tool for a literal substring check here.

---

Findings

• [should-fix] src/core/__tests__/repository-discovery.test.ts:72-73 — The wiki.json content assertions still check for specific hardcoded titles "Architecture Overview" and "Agent Session Discovery". Currently harmless (.devin/wiki.json doesn't exist), but if the file is ever committed with different page titles, these tests will fail with no hint of why. Replace with structural checks (Array.isArray(wiki.pages)) or remove the content assertions entirely. Fix this →

• [nit] src/core/__tests__/repository-discovery.test.ts:6 — process.cwd() makes path resolution dependent on invocation directory. Running bun test src/core/... from a subdirectory silently resolves to wrong paths. new URL('../../../..', import.meta.url).pathname is CWD-independent.

• [nit] AGENTS.md:7 — "Superpowers v5.1.0" will quietly rot when the plugin updates. Either drop the version or add a note that it should be kept in sync.

---

CodeQL alerts resolved: Both "Missing regular expression anchor" alerts are closed by 3b0ff72. No new security issues introduced.

Summary: This is a clean metadata/discovery PR — AGENTS.md, llms.txt, docs/repository-discovery.md, package.json enrichment, and a guard test to keep them in place. The CodeQL fix is correct and appropriate. The two should-fix items from the prior review are carry-overs; neither affects runtime behavior or current test correctness. The wiki.json assertions are the only ones worth addressing before that file is ever committed.

Verdict: APPROVE

[claude]

Claude finished @moose-lab's task in 1m 5s —— View job

---

PR Review — commit 1aa1d70

• Gather context
• Read updated test file
• Check CodeQL alert resolution
• Post findings

---

What changed in 1aa1d70

Replaced String.includes() URL checks with a readBulletValue() helper that parses structured bullet lines (- Label: value) and compares with assert.equal() for exact equality:

-  assert.ok(llms.includes("https://github.com/moose-lab/DevLog"));
-  assert.ok(llms.includes("https://deepwiki.com/moose-lab/DevLog"));
+  assert.equal(readBulletValue(llms, "GitHub repository"), "https://github.com/moose-lab/DevLog");
+  assert.equal(readBulletValue(llms, "DeepWiki project wiki"), "https://deepwiki.com/moose-lab/DevLog");

---

Findings

• [should-fix] src/core/__tests__/repository-discovery.test.ts:80-81 — Hardcoded wiki page title assertions ("Architecture Overview", "Agent Session Discovery") are carry-overs from prior reviews. Harmless now since .devin/wiki.json doesn't exist, but will cause a surprise failure if the file is ever committed with different titles. Replace with structural checks (assert.ok(Array.isArray(wiki.pages))) or remove the content assertions. Fix this →

• [nit] src/core/__tests__/repository-discovery.test.ts:6 — process.cwd() makes path resolution dependent on invocation directory. new URL('../../../..', import.meta.url).pathname is CWD-independent.

• [nit] AGENTS.md:7 — "Superpowers v5.1.0" will quietly rot when the plugin updates. Either drop the version or add a note to keep it in sync.

---

CodeQL alerts #28 and #29 resolved. The readBulletValue() approach is the right fix — it extracts the URL from a structured - Label: value bullet, then uses assert.equal() for exact string comparison rather than substring matching. CodeQL's "Incomplete URL substring sanitization" no longer applies.

Verdict: APPROVE

[claude]

Claude finished @moose-lab's task in 1m 40s —— View job

---

PR Review — commit eb56dcc

• Gather context
• Read updated test file
• Review changes since last review (1aa1d70)
• Post findings

---

What changed in eb56dcc

Two files touched:

1. AGENTS.md — version pin removed: "Superpowers v5.1.0" → "current Superpowers plugin"
2. src/core/__tests__/repository-discovery.test.ts — three changes:
   • process.cwd() → fileURLToPath(new URL("../../..", import.meta.url)) (CWD-independent path anchoring)
   • Wiki type narrowed to unknown; hardcoded title assertions replaced with Array.isArray() structural checks
   • Readme assertion tightened: /optional/i → /\.devin\/wiki\.json.*optional|optional.*\.devin\/wiki\.json/is

---

All prior carry-overs resolved

Prior finding	Status
[should-fix] wiki.json hardcoded title assertions	✅ replaced with Array.isArray(wiki.repo_notes) / Array.isArray(wiki.pages)
[nit] process.cwd() CWD-dependent path resolution	✅ now fileURLToPath(new URL("../../..", import.meta.url))
[nit] "Superpowers v5.1.0" version rotting	✅ version string removed
[nit] /optional/i too-loose readme assertion	✅ tightened to require .devin/wiki.json in proximity to "optional"

Path resolution check: new URL("../../..", import.meta.url) from src/core/__tests__/repository-discovery.test.ts — URL resolution strips the filename first, then applies three .. segments removing __tests__, core, and src. Resolves correctly to repo root. ✓

Findings

No new issues.

Verdict: APPROVE

[claude]

Claude finished @moose-lab's task in 2m 16s —— View job

---

PR Review — squashed commit c904531

• Gather context
• Read changed files
• Review all changes (commits were squashed into c904531 — reviewed as a full fresh diff vs origin/main)
• Post findings

---

What this PR changes

Three files:

• llms.txt — new crawler/LLM discovery entry point (53 lines)
• package.json — adds repository, homepage, bugs fields; extends keywords; sets author
• src/core/__tests__/repository-discovery.test.ts — new guard test (72 lines)

---

Findings

No issues. All prior carry-overs are resolved in the squashed commit:

Prior finding	Status
[should-fix] wiki.json hardcoded title assertions	✅ structural Array.isArray() checks only
[nit] process.cwd() CWD-dependent resolution	✅ fileURLToPath(new URL("../../..", import.meta.url))
[nit] "Superpowers v5.1.0" version pin	✅ AGENTS.md not in scope of this PR
[nit] /optional/i too-loose	✅ tightened to require .devin/wiki.json in proximity
CodeQL alerts #28 / #29	✅ readBulletValue() + assert.equal() — no substring/regex URL matching

Path resolution check: new URL("../../..", import.meta.url) from src/core/__tests__/repository-discovery.test.ts resolves src/core/__tests__/ → src/core/ → src/ → repo root. ✓

readBulletValue correctness: parses - Label: value lines, returns the value substring, used with assert.equal() for exact match — CodeQL "Incomplete URL substring sanitization" does not apply. ✓

Wiki.json guard: early-returns when .devin/wiki.json is absent; uses only structural Array.isArray() assertions if present — no hardcoded title strings. ✓

---

Verdict: APPROVE