2f119fbd95
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 16s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Generic: Project CI / Lint & Validate (pull_request) Successful in 44s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 1m29s
Universal: PR Check / Secret Scan (pull_request) Successful in 3m49s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
The "deserialize-yaml-py" rule in services/security/code_scanner.go used a negative lookahead `(?!\s*#)` in regexp.MustCompile. Go's regexp engine is RE2, which has no lookahead/lookbehind, so MustCompile panics during the package init() — crash-looping the entire server at startup. `go build` and `go vet` do not execute init(), and CI never boots the binary, so this shipped to main via #552 undetected; the running instances survived only because they predate that image. Replace the pattern with an RE2-safe equivalent `(?i)yaml\.load\s*\(`, which matches the rule's stated intent (flag yaml.load() without SafeLoader, CWE-502). Add a regression test that forces the package init and asserts every DefaultCodeRules pattern compiled, so a future RE2-incompatible pattern fails in CI here instead of on a live deploy. Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT