chore: CodeRabbit triage for v0.2.10 #1625

Open

github-actions[bot] wants to merge 17 commits into main from chore/coderabbit-triage-v0.2.10

Conversation

@github-actions github-actions Bot commented Jun 1, 2026

CodeRabbit Triage: v0.2.10

| Metric | Value | Δ vs Previous |
| --- | --- | --- |
| PRs analyzed | 4 | -26 ↓ |
| Critical issues | 2 | -21 ↓ |
| Major issues | 14 | -106 ↓ |
| Issues per PR | 4.0 | -0.8 ↓ |
| Coverage gaps | 16 | -109 ↓ |

Trend

| Release | Date | PRs | Critical | Major | Per PR | Gaps |
| --- | --- | --- | --- | --- | --- | --- |
| v0.2.0 | 2026-04-10 | 30 | 23 | 120 | 4.8 | 125 |
| v0.2.10 | 2026-06-01 | 4 | 2 | 14 | 4.0 | 16 |

Top Uncovered Patterns

  1. Add explicit trusted-proxy boundary for forwarded identity headers. (1 occurrence, impact: 4) — other
  2. Fix sed replacement escaping for dynamic values (&, \, and delimiter |) (1 occurrence, impact: 4) — other
  3. Do not document TLS verification disablement for production. (1 occurrence, impact: 3) — other
  4. Fix NODE_EXTRA_CA_CERTS to trust the OpenShift service-ca signer (not the serviceaccount CA). (1 occurrence, impact: 3) — manifests
  5. Distroless-incompatible verification command will fail. (1 occurrence, impact: 3) — other
  6. Scope postMessage replies to the requester's origin. (1 occurrence, impact: 3) — other
  7. User access token forwarded to every allowlisted preview host. (1 occurrence, impact: 3) — other
  8. 10MB limit is bypassable; HTML path buffers unbounded before checking. (1 occurrence, impact: 3) — other
  9. Gate feedback.markAsSent() on successful feedback delivery (1 occurrence, impact: 3) — other
  10. Fix iframe sandbox to prevent app-origin script execution for preview-proxy. (1 occurrence, impact: 3) — other

Recommended Guardrails

CLAUDE.md Conventions

  • Add explicit trusted-proxy boundary for forwarded identity headers: Enforce via convention (needs specific rule)
  • Fix sed replacement escaping for dynamic values (&, \, and delimiter |): Enforce via convention (needs specific rule)
  • Do not document TLS verification disablement for production: Enforce via convention (needs specific rule)
  • Fix NODE_EXTRA_CA_CERTS to trust the OpenShift service-ca signer (not the serviceaccount CA): Enforce via convention (needs specific rule)
  • Distroless-incompatible verification command will fail: Enforce via convention (needs specific rule)
  • Scope postMessage replies to the requester's origin: Enforce via convention (needs specific rule)
  • User access token forwarded to every allowlisted preview host: Enforce via convention (needs specific rule)
  • 10MB limit is bypassable; HTML path buffers unbounded before checking: Enforce via convention (needs specific rule)
  • Gate feedback.markAsSent() on successful feedback delivery: Enforce via convention (needs specific rule)
  • Fix iframe sandbox to prevent app-origin script execution for preview-proxy: Enforce via convention (needs specific rule)

Hookify Rules

  • PreToolUse hook for "add explicit trusted-proxy boundary for forwarded identity headers" enforcement in TypeScript code
  • PreToolUse hook for "fix sed replacement escaping for dynamic values (&, \, and delimiter |)" enforcement in TypeScript code
  • PreToolUse hook for "do not document TLS verification disablement for production" enforcement in TypeScript code
  • PreToolUse hook for "fix NODE_EXTRA_CA_CERTS to trust the OpenShift service-ca signer (not the serviceaccount CA)" enforcement in TypeScript code
  • PreToolUse hook for "distroless-incompatible verification command will fail" enforcement in TypeScript code
  • PreToolUse hook for "scope postMessage replies to the requester's origin" enforcement in TypeScript code
  • PreToolUse hook for "user access token forwarded to every allowlisted preview host" enforcement in TypeScript code
  • PreToolUse hook for "10MB limit is bypassable; HTML path buffers unbounded before checking" enforcement in TypeScript code
  • PreToolUse hook for "gate feedback.markAsSent() on successful feedback delivery" enforcement in TypeScript code
  • PreToolUse hook for "fix iframe sandbox to prevent app-origin script execution for preview-proxy" enforcement in TypeScript code

netlify Bot commented Jun 1, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 783c341 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a21c70e0e789500088ec4e1 |
