neon_sakura 0.1.4

data/.github/workflows/ai-pr-review.yml

@@ -0,0 +1,328 @@
+name: AI PR Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+  models: read
+
+jobs:
+  ai-review:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Get previous AI reviews and comments
+        id: previous-reviews
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            // Fetch both PR comments and review comments
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            });
+
+            const aiComments = comments.data
+              .filter(c => c.body.includes('🤖 AI Code Review'))
+              .map(c => ({
+                type: 'comment',
+                created_at: c.created_at,
+                body: c.body
+              }));
+
+            const reviews = await github.rest.pulls.listReviews({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number
+            });
+
+            const aiReviews = reviews.data
+              .filter(r => r.body && r.body.includes('🤖 AI Code Review'))
+              .map(r => ({
+                type: 'review',
+                created_at: r.submitted_at,
+                state: r.state,
+                body: r.body
+              }));
+
+            // Combine and sort by date (newest last)
+            const allReviews = [...aiComments, ...aiReviews]
+              .sort((a, b) => new Date(a.created_at) - new Date(b.created_at))
+              .slice(-3) // Last 3 reviews/comments
+              .map(r => r.body)
+              .join('\n---\n');
+
+            const truncated = allReviews.substring(0, 3000);
+
+            core.setOutput('reviews', truncated);
+            core.setOutput('has_reviews', truncated.length > 0 ? 'true' : 'false');
+
+      - name: Get PR diff
+        id: pr-diff
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          git fetch origin "$BASE_REF"
+          DIFF=$(git diff "origin/$BASE_REF...HEAD")
+
+          # Filter out ignored sections
+          # Remove lines between ai-review-ignore-start and ai-review-ignore-end
+          echo "$DIFF" | awk '
+            /ai-review-ignore-start/ { ignore=1; next }
+            /ai-review-ignore-end/ { ignore=0; next }
+            !ignore { print }
+          ' > pr_diff_filtered.txt
+
+          DIFF=$(cat pr_diff_filtered.txt)
+
+          DIFF_LENGTH=${#DIFF}
+          if [ $DIFF_LENGTH -gt 15000 ]; then
+            DIFF="${DIFF:0:15000}"
+            DIFF="$DIFF\n\n... (diff truncated due to size)"
+          fi
+
+          echo "$DIFF" > pr_diff.txt
+
+      - name: Get changed files list
+        id: changed-files
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          git fetch origin "$BASE_REF"
+          FILES=$(git diff --name-only "origin/$BASE_REF...HEAD" | head -50)
+          echo "files<<EOF" >> $GITHUB_OUTPUT
+          echo "$FILES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Read project guidelines
+        id: guidelines
+        run: |
+          CLAUDE_MD=""
+
+          # Extract comprehensive sections from CLAUDE.md using shared helper
+          # Only include on first review to save tokens
+          if [ -f "CLAUDE.md" ] && [ -f ".ai-reviewer/extract-claude-sections.sh" ]; then
+            CLAUDE_MD=$(.ai-reviewer/extract-claude-sections.sh CLAUDE.md)
+          fi
+
+          echo "claude_md<<EOF" >> $GITHUB_OUTPUT
+          echo "$CLAUDE_MD" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Build prompts
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          CHANGED_FILES: ${{ steps.changed-files.outputs.files }}
+          CLAUDE_MD: ${{ steps.guidelines.outputs.claude_md }}
+          PREVIOUS_REVIEWS: ${{ steps.previous-reviews.outputs.reviews }}
+          HAS_PREVIOUS_REVIEWS: ${{ steps.previous-reviews.outputs.has_reviews }}
+        run: |
+          DIFF=$(cat pr_diff.txt)
+
+          # Use shared system prompt (source of truth)
+          if [ -f ".ai-reviewer/build-system-prompt.sh" ]; then
+            .ai-reviewer/build-system-prompt.sh > system.txt
+          else
+            echo "Error: Shared system prompt script not found" >&2
+            exit 1
+          fi
+
+          # Build user prompt - more concise to save tokens
+          echo "**PR:** $PR_TITLE" > user.txt
+          echo "" >> user.txt
+
+          # Add previous reviews if they exist (incremental review mode)
+          if [ "$HAS_PREVIOUS_REVIEWS" = "true" ]; then
+            echo "**Previous Reviews:**" >> user.txt
+            echo "$PREVIOUS_REVIEWS" >> user.txt
+            echo "" >> user.txt
+            echo "**Focus:** Review new changes only. Were previous issues fixed?" >> user.txt
+            echo "" >> user.txt
+          fi
+
+          # Add changed files count (not full list to save tokens)
+          FILE_COUNT=$(echo "$CHANGED_FILES" | wc -l)
+          echo "**Changed Files ($FILE_COUNT):**" >> user.txt
+          echo "$CHANGED_FILES" | head -20 >> user.txt
+          if [ $FILE_COUNT -gt 20 ]; then
+            echo "... and $((FILE_COUNT - 20)) more" >> user.txt
+          fi
+          echo "" >> user.txt
+
+          echo "**Diff:**" >> user.txt
+          echo '```diff' >> user.txt
+          echo "$DIFF" >> user.txt
+          echo '```' >> user.txt
+
+          # Only add guidelines on first review (token savings)
+          if [ "$HAS_PREVIOUS_REVIEWS" != "true" ] && [ -n "$CLAUDE_MD" ]; then
+            echo "" >> user.txt
+            echo "**Guidelines:**" >> user.txt
+            echo "$CLAUDE_MD" >> user.txt
+          fi
+
+      - name: AI Code Review with Codestral
+        id: ai-review
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Use jq to build properly escaped JSON from files
+          SYSTEM_PROMPT=$(cat system.txt)
+          USER_PROMPT=$(cat user.txt)
+
+          # Reduce max_tokens to save costs (was 1500, now 1000)
+          # Increased temperature slightly for more concise responses
+          jq -n \
+            --arg system "$SYSTEM_PROMPT" \
+            --arg user "$USER_PROMPT" \
+            '{
+              messages: [
+                {role: "system", content: $system},
+                {role: "user", content: $user}
+              ],
+              model: "Codestral-2501",
+              temperature: 0.6,
+              max_tokens: 1000,
+              top_p: 0.9
+            }' > prompt.json
+
+          # Call GitHub Models API
+          RESPONSE=$(curl -s -X POST \
+            "https://models.inference.ai.azure.com/chat/completions" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer $GITHUB_TOKEN" \
+            -d @prompt.json)
+
+          # Extract review content
+          REVIEW=$(echo "$RESPONSE" | jq -r '.choices[0].message.content // "Error: Unable to generate review"')
+
+          echo "$REVIEW" > review_raw.md
+
+          if echo "$REVIEW" | grep -q "Error:"; then
+            echo "ERROR: Failed to generate review"
+            echo "Response: $RESPONSE"
+            exit 1
+          fi
+
+          # Smart deduplication - removes both exact duplicates AND similar issues from same file:line
+          # This catches cases where AI generates variations like:
+          # - "file.rb:10 - Issue A"
+          # - "file.rb:10 - Issue B"  <- should be deduplicated (same file:line)
+          # This allows reviewing config/docs files while preventing repetition
+          awk '
+            # Extract file:line pattern (e.g., "file.rb:10")
+            match($0, /^[[:space:]]*-[[:space:]]*`[^`]+:[0-9]+/) {
+              prefix = substr($0, RSTART, RLENGTH)
+              # If we have seen this file:line before, skip
+              if (seen[prefix]++) next
+            }
+            # Also skip exact duplicate lines
+            !seen_exact[$0]++
+          ' review_raw.md > review.md
+
+          # If review is still too long after deduplication, truncate it
+          if [ $(wc -l < review.md) -gt 100 ]; then
+            head -100 review.md > review_truncated.md
+            echo "" >> review_truncated.md
+            echo "... (review truncated - too many issues)" >> review_truncated.md
+            mv review_truncated.md review.md
+          fi
+
+      - name: Dismiss previous AI reviews
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            // Get all existing reviews for this PR
+            const reviews = await github.rest.pulls.listReviews({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number
+            });
+
+            // Find AI reviews that should be dismissed (REQUEST_CHANGES state)
+            const aiReviews = reviews.data.filter(r =>
+              r.body &&
+              r.body.includes('🤖 AI Code Review') &&
+              r.state === 'CHANGES_REQUESTED'
+            );
+
+            // Dismiss each AI review
+            for (const review of aiReviews) {
+              console.log(`Dismissing previous AI review #${review.id}`);
+              await github.rest.pulls.dismissReview({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+                review_id: review.id,
+                message: 'New changes have been pushed - dismissing previous AI review'
+              });
+            }
+
+      - name: Post review as PR review (not comment)
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const review = fs.readFileSync('review.md', 'utf8');
+
+            // Determine review event type based on the Verdict section only
+            // GitHub does not allow bots to APPROVE, so we use COMMENT or REQUEST_CHANGES
+            let event = 'COMMENT';
+            let verdict = '💬 COMMENT';
+
+            // Extract only the Verdict section to avoid false positives from policy text
+            // Look for the first line after "## Verdict" that contains the status
+            const verdictMatch = review.match(/## Verdict\s*\n\*\*Status:\*\*\s*([^\n]*)/i);
+            if (verdictMatch) {
+              const verdictLine = verdictMatch[1].trim();
+              if (verdictLine.includes('REQUEST_CHANGES') || verdictLine.includes('REQUEST CHANGES')) {
+                event = 'REQUEST_CHANGES';
+                verdict = '⚠️ REQUEST CHANGES';
+              }
+            }
+
+            const body = `## 🤖 AI Code Review - ${verdict}\n\n${review}\n\n---\n*Powered by GitHub Models (Codestral-2501) • AI recommendations only, human approval required • [Ignore sections](https://github.com/${context.repo.owner}/${context.repo.repo}/blob/main/docs/AI_PR_REVIEWER.md#ignoring-code-sections) with \`ai-review-ignore-start/end\`*`;
+
+            // Post as a proper PR review (not an issue comment)
+            // This prevents duplication and integrates better with GitHub's review system
+            await github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              body: body,
+              event: event
+            });
+
+      - name: Check for critical issues
+        run: |
+          if grep -qi "REQUEST CHANGES\|CRITICAL\|SECURITY.*CONCERN" review.md; then
+            echo "::warning::AI reviewer found critical issues that need attention"
+          fi
+
+# Alternative models (commented out - uncomment to switch):
+#
+# For Mistral Large:
+# Replace "Codestral-2501" with "Mistral-large-2411"
+# Model: https://github.com/marketplace/models/azureml-mistral/Mistral-large-2411
+#
+# For Mistral Small:
+# Replace "Codestral-2501" with "Mistral-small"
+# Model: https://github.com/marketplace/models/azureml-mistral/Mistral-small
+#
+# For Mistral Nemo:
+# Replace "Codestral-2501" with "Mistral-Nemo"
+# Model: https://github.com/marketplace/models/azureml-mistral/Mistral-Nemo

data/.github/workflows/license-check.yml

@@ -0,0 +1,78 @@
+name: License Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 8 * * 1'  # Weekly on Monday at 8am UTC (after dependency updates)
+  workflow_dispatch: # Allow manual triggering
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  license-check:
+    name: Gem License Compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4.7
+          bundler-cache: true
+
+      - name: Make license check script executable
+        run: chmod +x scripts/license-check.rb
+
+      - name: Run License Check
+        run: ruby scripts/license-check.rb
+
+      - name: Upload license report as artifact
+        uses: actions/upload-artifact@v6
+        if: failure()
+        with:
+          name: license-check-report
+          path: |
+            Gemfile.lock
+            config/license_overrides.yml
+          retention-days: 30
+          if-no-files-found: ignore
+
+  license-audit:
+    name: License Audit (Monthly)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4.7
+          bundler-cache: true
+
+      - name: Install license_finder
+        run: gem install license_finder
+
+      - name: Generate detailed license report
+        run: |
+          echo "# License Audit Report" > license-audit-report.md
+          echo "Generated on: $(date)" >> license-audit-report.md
+          echo "" >> license-audit-report.md
+          echo "## All Gem Licenses" >> license-audit-report.md
+          echo "" >> license-audit-report.md
+          license_finder --format markdown >> license-audit-report.md
+
+      - name: Upload detailed license audit
+        uses: actions/upload-artifact@v6
+        with:
+          name: license-audit-report
+          path: license-audit-report.md
+          retention-days: 90

data/.github/workflows/lint.yml

@@ -0,0 +1,79 @@
+name: Lint
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+
+jobs:
+  rubocop:
+    name: RuboCop (Ruby Linting)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Run RuboCop
+        run: bundle exec rubocop --parallel
+
+  stylelint:
+    name: Stylelint (CSS Linting)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Run Stylelint
+        run: yarn lint:css
+
+  brakeman:
+    name: Brakeman (Security Scan)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Run Brakeman
+        run: bundle exec brakeman --quiet --no-pager
+
+  bundle-audit:
+    name: Bundle Audit (Dependency Security)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Run Bundle Audit
+        run: bundle exec bundle-audit check --update

data/.github/workflows/security.yml

@@ -0,0 +1,131 @@
+name: Security Scanning
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday at 6am UTC
+  workflow_dispatch: # Allow manual triggering
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  trufflehog:
+    name: TruffleHog Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || 'HEAD~1' }}
+          head: HEAD
+          extra_args: --debug --only-verified
+        continue-on-error: false
+
+  semgrep:
+    name: Semgrep Security Analysis
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'pull_request'
+    container:
+      image: semgrep/semgrep
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run Semgrep
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+        run: |
+          if [ -n "$SEMGREP_APP_TOKEN" ]; then
+            echo "Running semgrep ci with token"
+            semgrep ci --json --output=semgrep-results.json || true
+          else
+            echo "Running semgrep with auto config (no token)"
+            semgrep --config=auto \
+              --exclude="*.min.js" \
+              --exclude="node_modules" \
+              --exclude="vendor" \
+              --exclude="tmp" \
+              --exclude="log" \
+              --exclude="public/assets" \
+              --json --output=semgrep-results.json . || true
+          fi
+        continue-on-error: false
+
+      - name: Upload Semgrep Results
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: semgrep-results
+          path: semgrep-results.json
+          retention-days: 30
+
+  semgrep-manual:
+    name: Manual Semgrep Trigger
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    container:
+      image: semgrep/semgrep
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run Semgrep (Manual)
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+        run: semgrep ci
+        continue-on-error: false
+
+  dependency-check:
+    name: Dependency Vulnerability Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4.7
+          bundler-cache: true
+
+      - name: Bundle Audit
+        run: |
+          gem install bundler-audit > /dev/null 2>&1
+          bundle-audit check --update
+
+  docker-security:
+    name: Docker Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run Trivy config scanner on Dockerfile
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          scan-ref: './Dockerfile'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        continue-on-error: true
+
+      - name: Upload Trivy scan results as artifacts
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: trivy-security-results
+          path: trivy-results.sarif
+          retention-days: 30
+          if-no-files-found: ignore

data/.github/workflows/semgrep.yml

@@ -0,0 +1,26 @@
+on:
+  workflow_dispatch: {}
+  pull_request: {}
+  push:
+    branches:
+    - main
+    - master
+    paths:
+    - .github/workflows/semgrep.yml
+  schedule:
+  # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+  - cron: 1 14 * * *
+name: Semgrep
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    container:
+      image: semgrep/semgrep
+    steps:
+    - uses: actions/checkout@v6
+    - run: semgrep ci

data/.github/workflows/test.yml

@@ -0,0 +1,44 @@
+name: Test with Coverage
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: [3.4.7]
+
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+
+    - name: Install dependencies
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+
+    - name: Run tests
+      run: |
+        bundle exec rake test
+
+    - name: Check test coverage
+      run: |
+        bundle exec rake coverage
+        # Verify coverage is at least 80%
+        if [ ! -f coverage/.last_run.json ]; then
+          echo "Coverage report not found"
+          exit 1
+        fi
+        coverage=$(grep -o '"covered_percent":[0-9.]*' coverage/.last_run.json | cut -d':' -f2)
+        if (( $(echo "$coverage < 80.0" | bc -l) )); then
+          echo "Coverage is below 80%: $coverage%"
+          exit 1
+        else
+          echo "Coverage is at least 80%: $coverage%"
+        fi