ci: add ci.yml workflow for TypeScript + Electron stack

[don-petry]

Summary

• Adds .github/workflows/ci.yml following the Tier 2 per-repo pattern for TypeScript + Electron (npm) documented in the org CI standards
• SHA-pins all actions per the Action Pinning Policy
• Includes all required quality gates with a matrix across ubuntu/macOS/Windows

Quality gates

Gate	Command	Threshold	Blocking
Type check	tsc --noEmit	Zero errors	Yes
Lint	eslint --max-warnings 0	Zero warnings	Yes
Format	prettier --check .	All files formatted	Yes
Test + Coverage	vitest run --coverage	≥90%	Yes
Mutation	stryker run	≥80%	No (continue-on-error)
E2E	playwright test	macOS + Windows	No (continue-on-error)

Closes #40

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 28 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 28 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ce264eb5-176c-4dc6-a169-ec03db7643fd

📥 Commits

Reviewing files that changed from the base of the PR and between 051f051 and 28fe2e7.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-40-20260414-1308

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

Self-review complete — no issues found.

• Triggers, permissions, and concurrency match the org CI standard exactly
• All actions SHA-pinned per Action Pinning Policy (checkout v4, setup-node v4)
• Matrix covers ubuntu/macOS/Windows for the main CI job
• Mutation and E2E jobs use continue-on-error: true as specified in the Tier 2 pattern
• Format check uses npx prettier --check . consistent with the AGENTS.md CI gates table

@don-petry — this is ready for your review and merge.

[sonarqubecloud]

Quality Gate failed

Failed conditions
3 Security Hotspots

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Adds the required ci.yml GitHub Actions workflow to bring the repo in line with the org’s Tier 2 CI standard for a TypeScript + Electron (npm) stack, running key quality gates on pushes/PRs to main.

Changes:

• Introduces a new CI workflow with an OS matrix (Ubuntu/macOS/Windows) for typecheck/lint/format/tests.
• Adds separate informational jobs for mutation testing (Ubuntu) and E2E (macOS/Windows), both continue-on-error.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Automated review — NEEDS HUMAN REVIEW

Risk: HIGH
Reviewed commit: 57243af4a743aff5ea59520a23d33438612f83d9
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

The workflow file itself has a sound security posture (deny-all top-level permissions, per-job contents:read, SHA-pinned third-party actions, no secrets, pull_request not pull_request_target). However, the PR must not merge: every CI job fails because cache: npm + npm ci require a package-lock.json that does not exist — and in fact no package.json exists either, so the entire JS toolchain the workflow invokes is absent from the repo. SonarCloud Quality Gate has also FAILED with 3 Security Hotspots, and the workflow invokes npx prettier and npx playwright without pinned versions, creating a supply-chain risk if the matching devDependencies are not present at run time.

Findings

Critical

• [critical] .github/workflows/ci.yml:53 — All six CI jobs (ci ubuntu/macos/windows, mutation, e2e macos/windows) have concluded FAILURE on the head SHA. actions/setup-node with cache: npm requires a committed package-lock.json; the repo has neither a lockfile nor a package.json at ref 57243af. Every subsequent step (npm ci, npm run typecheck, npm run lint, npm test, npm run test:mutate, npx playwright install) is therefore unreachable. This is a hard merge blocker per AGENTS.md §7 (all gates must pass).

Major

• [major] (SonarCloud) — SonarCloud Quality Gate failed with 3 Security Hotspots (OPEN/CONFIRMED, on the new-code leak period). The SonarCloud Code Analysis check is FAILURE. Hotspots must be triaged on SonarCloud and either resolved or marked safe with rationale before merge.
• [major] .github/workflows/ci.yml — The workflow references an npm/TypeScript/Electron toolchain that the repository does not yet contain — no package.json, no src/, no tsconfig.json at ref 57243af. Merging a CI workflow whose every step is guaranteed to fail will (a) keep main permanently red, (b) block any subsequent PR that relies on required checks, and (c) train reviewers to ignore failed CI. The workflow should land in the same PR as — or after — the initial scaffolding.

Minor

• [minor] .github/workflows/ci.yml:65 — npx prettier --check . (line 65) and npx playwright install --with-deps (line 114) run without a pinned version. If prettier / @playwright/test are not listed in the eventual package.json / package-lock.json, npx will silently resolve the latest published version at job time — an unpinned, mutable dependency executed in CI. Require these as devDependencies and invoke via npm exec/npm run, or pin the version explicitly (e.g. npx prettier@3.3.3).
• [minor] (Process) — The PR author (don-petry) posted a self-review comment. CODEOWNERS lists * @don-petry as the only owner; a workflow of this blast radius warrants a second human reviewer or acknowledgement that the four-eyes principle is not met. No approving human review exists (reviewDecision is empty).

Info

• [info] .github/workflows/ci.yml — Positive security controls observed: top-level permissions: {} (deny-all) with each job narrowed to contents: read; actions/checkout and actions/setup-node pinned to immutable commit SHAs with version comments; trigger is pull_request (not pull_request_target); no expression-injection surface; concurrency with cancel-in-progress scoped by ref; no secrets referenced.

CI status

BLOCKED — All CI jobs are failing at the head SHA (57243af). mergeStateStatus: BLOCKED.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.