docs: audit registry label vocabulary#1912
Conversation
|
Scope checkThis PR changes 508 lines across 1 files. Large PRs are harder to review and more likely to be closed without review. If this scope is intentional, no action needed. A maintainer will review it. If not, please consider splitting this into smaller PRs. See CONTRIBUTING.md for contribution guidelines. |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
emdash-demo-do | 2da6d78 | Jul 10 2026, 12:24 PM |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
emdash-playground | 2da6d78 | Jul 10 2026, 12:24 PM |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
emdash-demo-cache | 2da6d78 | Jul 10 2026, 12:24 PM |
There was a problem hiding this comment.
Reviewed the full diff: a single new planning/audit document at .opencode/plans/plugin-registry-labelling-service/gate-0/vocabulary-audit.md. This PR completes the Gate 0 audit for the registry label-vocabulary cutover (security:yanked → security-yanked).
Approach: This is the right artifact at the right time. A vocabulary cutover that touches signed history, multiple published packages, aggregator endpoints, the core install/update path, admin UI, and CLI requires an explicit inventory and preflight policy before any code changes land. The document fits cleanly into the existing .opencode/plans/plugin-registry-labelling-service/ tree alongside spec.md and implementation-plan.md, and it correctly represents the work as read-only documentation and a production-readiness gate, not an implementation PR.
What I checked:
- Sampled the audit's line-anchored code references against the working tree:
apps/aggregator/migrations/0001_init.sql,searchPackages.ts,views.ts,router.ts,listReleases.ts,getLatestRelease.ts,packages/core/src/api/handlers/registry.ts,packages/admin/src/components/RegistryPluginDetail.tsx,RegistryBrowse.tsx,packages/plugin-cli/src/commands/search.ts/info.ts,packages/registry-client/src/discovery/index.ts,packages/registry-lexicons, docs, and core tests. - All sampled references match the claimed lines/behavior (legacy
security:yankedin SQL filter and core/admin checks, emptylabels: []views, CORS exposingatproto-accept-labelersinstead ofatproto-content-labelers, rawverifiedchecks, missingacceptLabelersin React Query keys, etc.). - Verified the claim that canonical
security-yankeddoes not appear outside the planning/spec files by searching the tree. - Walked the read-only preflight SQL mentally against the documented fixture cases. The conservative structural screen behaves as described; the text repeatedly requires strict application parsing before any migration action, which is the correct separation of concerns.
- The file is in a tracked plans directory (
.gitignorere-includes.opencode/plans/plugin-registry-labelling-service/**), consistent with the rest of the planning package.
Conclusion: No code is changed, no AGENTS.md conventions are violated by a documentation-only planning file, and the audit's claims about current code are accurate. No findings.
035889b
into
feat/plugin-registry-labelling-service
What does this PR do?
Completes the Gate 0 audit for the registry label-vocabulary cutover.
security:yanked,!takedown, rawverified, hydration, install/update, admin, and CLI behavior.Implements W0.3 from #1909. Branch A remains conditional on an authorized production preflight returning zero legacy rows.
Related to #1909 and #694.
Type of change
Checklist
pnpm typecheckpassespnpm lintpassespnpm testpasses (or targeted tests for my change)pnpm formathas been runmessages.pochanges except in translation PRs — a workflow extracts catalogs on merge tomain.Typecheck, repository tests, test changes, admin i18n, a changeset, and an approved Discussion are not applicable to this read-only audit PR.
AI-generated code disclosure
Screenshots / test output
pnpm buildpasses with existing warningspnpm lint: 0 warnings and 0 errors.opencodeignore overridegit diff --checkpassesTry this PR
Open a fresh playground →
A full working EmDash site, deployed from this branch. Each visit gets its own session-scoped sandbox: no login needed and no shared state. Try the admin, edit content, hit the public site.
Tracks
feat/labeller-02-vocabulary-audit. Updated automatically when the playground redeploys.