@aaronshaf/ger 1.2.10 → 2.0.0

package/.github/workflows/security-scan.yml

@@ -0,0 +1,113 @@
+name: Security Scan
+
+on:
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+  workflow_dispatch: # Allow manual triggering
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  dependency-scan:
+    name: Dependency Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: "1.2.17"
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.bun/install/cache
+            node_modules
+          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
+          restore-keys: |
+            ${{ runner.os }}-bun-
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run security audit
+        run: bun audit --audit-level moderate
+
+      # Dependency review only works on PRs, so we skip it in scheduled runs
+
+  codeql-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['typescript']
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: "1.2.17"
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.bun/install/cache
+            node_modules
+          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
+          restore-keys: |
+            ${{ runner.os }}-bun-
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build for analysis
+        run: bun run build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+
+  secret-scan:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Trivy secret scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-secrets.sarif'
+          scanners: 'secret'
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-secrets.sarif'

package/.github/workflows/security.yml

@@ -0,0 +1,96 @@
+name: Weekly Security Audit
+
+on:
+  schedule:
+    # Run every Monday at 8:00 AM UTC
+    - cron: '0 8 * * 1'
+  workflow_dispatch: # Allow manual triggering
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: "1.2.17"
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.bun/install/cache
+            node_modules
+          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
+          restore-keys: |
+            ${{ runner.os }}-bun-
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run security audit
+        run: |
+          echo "Running security audit..."
+          bun audit --audit-level moderate > audit-report.txt 2>&1 || true
+          
+          # Display the audit results
+          echo "📊 Security Audit Results:"
+          cat audit-report.txt
+          
+          # Check if there are any vulnerabilities
+          if grep -q "vulnerabilities" audit-report.txt; then
+            echo "⚠️ Security vulnerabilities found. Please review the audit report."
+            # Don't fail the workflow, just report the findings
+            exit 0
+          else
+            echo "✅ No security vulnerabilities found."
+          fi
+
+      - name: Upload audit report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: security-audit-report
+          path: audit-report.txt
+          retention-days: 30
+
+  dependency-updates:
+    name: Check for Dependency Updates
+    runs-on: ubuntu-latest
+    needs: security-audit
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: "1.2.17"
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Check for outdated packages
+        run: |
+          echo "Checking for outdated packages..."
+          bun outdated > outdated-report.txt 2>&1 || true
+          
+          # Display the results
+          echo "📦 Outdated Dependencies:"
+          cat outdated-report.txt
+
+      - name: Upload outdated report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: outdated-dependencies-report
+          path: outdated-report.txt
+          retention-days: 30

package/.husky/pre-commit

@@ -0,0 +1,16 @@
+# Husky pre-commit hook
+
+# Run lint-staged
+bun lint-staged
+
+# Check file sizes
+bun scripts/check-file-size.ts
+
+# Run ast-grep to check for banned 'as' typecasting
+echo "Checking for banned patterns..."
+# Temporarily disabled - need to fix rule for 'as unknown as T' pattern
+# ast-grep scan --rule .ast-grep/rules/no-as-casting.yml src/
+
+# Check test coverage
+echo "Checking test coverage..."
+bun run test:coverage:check

package/.husky/pre-push

@@ -0,0 +1,25 @@
+# Husky pre-push hook
+
+# Type checking
+echo "Running type check..."
+bun tsc --noEmit
+
+# Run all tests with coverage and check thresholds
+echo "Running tests with coverage check..."
+bun run test:coverage:check
+
+# Run linters and formatter
+echo "Running linters..."
+bun oxlint src/ tests/
+bun biome format --write src/ tests/
+
+# Check file sizes
+echo "Checking file sizes..."
+bun scripts/check-file-size.ts
+
+# Run ast-grep to check for banned 'as' typecasting
+echo "Checking for banned patterns..."
+# Temporarily disabled - need to fix rule for 'as unknown as T' pattern
+# ast-grep scan --rule .ast-grep/rules/no-as-casting.yml src/
+
+# Security audit runs weekly in CI, not on every push

package/.lintstagedrc.json

@@ -0,0 +1,6 @@
+{
+  "*.ts": [
+    "bun oxlint",
+    "bun biome format --write"
+  ]
+}

package/.tool-versions

@@ -0,0 +1 @@
+bun 1.2.17

package/CLAUDE.md

@@ -0,0 +1,105 @@
+# Gerrit CLI Tool - Project Rules
+
+## Technology Stack
+- **Runtime**: Bun
+- **Language**: TypeScript with isolatedDeclarations: true
+- **CLI Framework**: Ink with ink-spinner and ink-text-input
+- **State Management**: Effect and Effect Schema
+- **Testing**: Bun test with MSW
+- **Database**: SQLite for local-first caching
+- **Linting**: oxlint
+- **Formatting**: Biome
+- **i18n**: i18next
+
+## Strict Requirements
+
+### Code Quality
+- **NO** implicit any or noExplicitAny in TypeScript
+- **MUST** use isolatedDeclarations: true in tsconfig.json
+- **ONLY** use .ts files (no .js/.jsx/.tsx files - this is a CLI tool)
+- **NEVER** use `as` typecasting except for `as const` or `as unknown`
+- **NEVER** use --no-verify flag with git commands
+- **NO** files over 700 lines (block in pre-commit/pre-push)
+- **WARN** for files over 500 lines (but don't block)
+
+### Testing & Coverage
+- **ENFORCE** minimum 80% code coverage
+- **RUN** all tests in pre-commit and pre-push hooks
+- **USE** MSW (Mock Service Worker) for all HTTP request mocking
+- **REQUIRE** meaningful integration tests for all commands that simulate full workflows
+- **IMPLEMENT** both unit tests and integration tests for every command modification/addition
+- **ENSURE** integration tests use realistic MSW handlers that match Gerrit API responses
+- **EXCLUDE** generated code and tmp/ from coverage
+
+### Security
+- **NEVER** commit sensitive data, API keys, or secrets
+- **NEVER** expose sensitive information in error messages
+- **USE** Effect Schema for all input validation
+- **IMPLEMENT** SQL injection prevention
+
+### Development Workflow
+- **RUN** type-checking in pre-commit and pre-push hooks
+- **RUN** oxlint in pre-commit and pre-push hooks
+- **RUN** biome formatter before commits
+- **RUN** `bun run build` after making changes to ensure compilation succeeds
+- **USE** ast-grep to enforce no `as` typecasting rule
+- **CHECK** file sizes in pre-commit and pre-push hooks
+- **EXCLUDE** generated code and tmp/ from all checks
+
+### Architecture Patterns
+- **USE** Effect for all service implementations
+- **USE** Effect Schema for all data models
+- **IMPLEMENT** cache-first strategy with SQLite
+- **USE** regional error boundaries for error handling
+- **FOLLOW** functional programming patterns with Effect
+
+### Testing Requirements for Commands
+- **UNIT TESTS**: Test individual functions, schemas, and utilities
+- **INTEGRATION TESTS**: Test complete command flows with mocked HTTP requests
+- **HTTP MOCKING**: Use MSW handlers with http.get/http.post patterns for mocking
+- **SCHEMA VALIDATION**: Ensure mocks return data that validates against Effect Schemas
+- **COMMAND COVERAGE**: Every command must have integration tests covering:
+  - Happy path execution
+  - Error handling (network errors, API errors, validation errors)
+  - Interactive UI behavior (where applicable)
+  - Cache behavior verification
+
+### Git Workflow
+- **USE** conventional commit messages
+- **CREATE** feature branches from main
+- **NEVER** commit directly to main
+- **INCLUDE** test coverage report in README.md
+
+### CLI Specific
+- **USE** Ink components for all UI
+- **IMPLEMENT** proper loading states with ink-spinner
+- **USE** ink-text-input for user input
+- **SUPPORT** internationalization with i18next
+- **PROVIDE** helpful error messages without sensitive data
+
+### File Organization
+- src/cli/ - Ink components and commands
+- src/services/ - Effect services
+- src/api/ - Gerrit API client
+- src/db/ - SQLite layer
+- src/schemas/ - Effect Schema definitions
+- src/i18n/ - Internationalization
+- tests/ - All test files
+- scripts/ - Build and hook scripts
+- docs/adr/ - Architecture Decision Records
+- docs/prd/ - Product Requirements Documents
+
+### Performance
+- **IMPLEMENT** efficient caching strategies
+- **USE** SQLite for offline-first functionality
+- **MINIMIZE** API calls through smart caching
+- **OPTIMIZE** bundle size for fast CLI startup
+
+## Commands
+- **show** - Comprehensive change information including metadata, diff, and all comments
+- **comment** - Post comments with piped input support for AI integration
+- **diff** - Get diffs with various formatting options
+- **comments** - View all comments on a change with context
+- **incoming/mine/abandon/open** - Change management commands
+
+Remember: This is a CLI tool, not a web app. No React components, no .tsx files, no Playwright tests.