chore: align docpull with Raintree standard#64

Draft
admin-raintree wants to merge 1 commit into main from chore/raintree-standard

Conversation

@admin-raintree

Contributor

docpull Raintree Standardization Report

PR

  • Repository: raintree-technology/docpull
  • Branch: chore/raintree-standard
  • Base: main
  • Head: a7053f9
  • PR: pending
  • Central standard SHA: 3256afba6d5c060f8b00f1bbf96887d253b0e9e1

Classification

  • Public Python package and CLI, published as docpull.
  • Mature existing CI: Python test matrix, Ruff, mypy, security workflow, CodeQL, release/publish, benchmark, metrics.
  • JS subpackages:
    • mcp/: Bun/TypeScript internal MCP lab.
    • web/: npm/Next.js marketing site.

Changes

  • Added Raintree status and branding badges to README.md.
  • Added .npmrc with save-exact=true and .nvmrc with Node 22.
  • Exact-pinned mcp/package.json and web/package.json, added package-manager and Node engine metadata, and refreshed mcp/bun.lock plus web/package-lock.json.
  • Added root uv.lock and stopped ignoring it so Python dependency resolution is reproducible without changing the library's published dependency ranges.
  • Added 7-day Dependabot cooldowns for GitHub Actions, pip, npm, and bun ecosystems.
  • Added central Raintree standard CI for the JS subpackages, pinned to 3256afba6d5c060f8b00f1bbf96887d253b0e9e1, without secrets: inherit because this repo is public and the Socket GitHub App already gates PRs.
  • Added scheduled/config-triggered central drift check pinned to the same SHA.
  • Preserved existing Python package CI/security/release workflows.

Local Checks

  • uv lock: PASS.
  • bun install --frozen-lockfile && bun run typecheck in mcp/: PASS.
  • npm ci && npm run typecheck in web/: PASS.
  • npm run build in web/: PASS.
  • uv run --extra dev ruff check .: PASS.
  • uv run --extra dev ruff format --check .: PASS.
  • uv run --extra all --extra dev mypy src: PASS.
  • node /tmp/raintree-standardization/.github/scripts/check-pinned-deps.mjs: PASS at root, mcp/, and web/.
  • STANDARD_DIR=/tmp/raintree-standardization/.github bash /tmp/raintree-standardization/.github/scripts/drift-check.sh: PASS.
  • gitleaks detect --source . --redact --exit-code 1: PASS, 163 commits scanned, no leaks.
  • git diff --check: PASS.
  • uv run --extra all --extra dev pytest -q: WARN. Full local suite had 492 pass / 2 fail, both in benchmark throughput thresholds. The same two benchmark tests pass when run in isolation on this branch, and also pass in isolation on a clean origin/main worktree. Treat as local load-sensitive performance threshold pending remote CI.

Blockers / NEEDS-HUMAN

  • NEEDS-HUMAN: confirm whether Python runtime dependency ranges should remain broad for PyPI compatibility. This PR adds uv.lock instead of exact-pinning published library requirements.
  • NEEDS-HUMAN: watch remote CI for the full pytest matrix; local full-suite failure was limited to benchmark throughput thresholds under local load.

Changed Paths

  • .github/dependabot.yml
  • .github/workflows/drift-check.yml
  • .github/workflows/raintree-ci.yml
  • .gitignore
  • .npmrc
  • .nvmrc
  • README.md
  • mcp/bun.lock
  • mcp/package.json
  • uv.lock
  • web/package-lock.json
  • web/package.json
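
The report above relies on two kinds of pinning: exact versions in the JS subpackages' package.json files (backed by save-exact=true in .npmrc) and workflow calls pinned to a full commit SHA rather than a tag. The following is an added example, not docpull's own check-pinned-deps.mjs or the Raintree standard's script, showing the checks a pin policy like this needs. Everything in it is constructed for illustration: the package.json object, the workflow snippet, the example-org/standard repository name, and the 40-hex placeholder SHA are not the repository's real files or values.

```javascript
// Added example (not docpull's own check-pinned-deps.mjs): a minimal pin checker
// for package.json dependency specs and GitHub Actions `uses:` references.
// Sample inputs below are constructed, not taken from the repository.

// An exact version is MAJOR.MINOR.PATCH with an optional prerelease/build suffix.
// Ranges (^, ~, >=, x, *), dist-tags (latest) and protocol specs (file:, git+)
// all fail this test, because any of them lets the resolved content drift.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// A full commit SHA is 40 lowercase hex characters. Tags and branches are
// mutable, so `uses: owner/repo@v4` can change content with no diff to review.
const FULL_SHA = /^[0-9a-f]{40}$/;

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function isExactVersion(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Returns every dependency in a parsed package.json whose spec is not exact.
function findUnpinnedDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!isExactVersion(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Scans workflow YAML text line by line for `uses:` and returns references that
// are not pinned to a full SHA. Local actions (./path) and docker:// images are
// skipped because a git SHA does not apply to them. A trailing `# vX` comment
// after the SHA is allowed; it is the usual way to keep the pin readable.
function findUnpinnedUses(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, idx) => {
    const m = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/.exec(line);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) findings.push({ line: idx + 1, ref });
  });
  return findings;
}

// Constructed sample package.json (hypothetical project, not web/package.json).
const SAMPLE_PACKAGE_JSON = {
  name: "sample-web",
  dependencies: { next: "16.2.6", react: "^19.0.0", "react-dom": "19.0.0" },
  devDependencies: { typescript: "~5.4.0", eslint: "latest" },
};

// Constructed sample workflow; example-org/standard and the SHA are placeholders.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  ci:",
  "    uses: example-org/standard/.github/workflows/ci.yml@0123456789abcdef0123456789abcdef01234567 # placeholder SHA",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4",
  "      - uses: actions/setup-node@v4",
  "      - uses: ./.github/actions/local-step",
  "      - uses: docker://alpine:3.20",
].join("\n");

// Runs both checks over the constructed samples and returns the findings.
function runSample() {
  return {
    deps: findUnpinnedDeps(SAMPLE_PACKAGE_JSON),
    uses: findUnpinnedUses(SAMPLE_WORKFLOW),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the samples, the dependency check reports react (^19.0.0), typescript (~5.4.0) and eslint (latest), and the workflow check reports only actions/setup-node@v4; the SHA-pinned reusable workflow and checkout step pass. A lockfile alone does not make the `uses:` side reproducible, which is why the report pins the central CI and drift-check workflows to a SHA rather than a branch.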

@vercel

vercel Bot commented Jun 12, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
docpull | Ready | Preview, Comment | Jun 12, 2026 8:01am


@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
Obfuscated code: npm next is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: web/package-lock.json → npm/next@16.2.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm scheduler is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: web/package-lock.json → npm/react-dom@19.0.0 → npm/scheduler@0.25.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/scheduler@0.25.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
