@chappibunny/repolens 0.4.3 → 0.6.0

package/CHANGELOG.md

@@ -2,6 +2,137 @@
 
 All notable changes to RepoLens will be documented in this file.
 
+## 0.6.0 (Phase 4: Team Features & Observability Dashboard)
+
+### ✨ New Features
+
+**Discord Integration** (`src/integrations/discord.js` - 268 lines):
+- Rich embed notifications with coverage, health score, and change metrics
+- Threshold-based notifications (default: >10% change)
+- Branch filtering with glob pattern support
+- Secure webhook configuration via `DISCORD_WEBHOOK_URL` environment variable
+- Functions: `sendDiscordNotification()`, `buildDocUpdateNotification()`, `buildErrorNotification()`, `shouldNotify()`
+- Color-coded embeds: success (green), warning (yellow), error (red), info (blue)
+
+**Metrics Collection System** (`src/utils/metrics.js` - 412 lines):
+- **Coverage Calculation**: Weighted average (modules 50%, APIs 30%, pages 20%)
+- **Health Score Algorithm**: 0-100 rating (40% coverage + 30% freshness + 30% quality)
+- **Staleness Detection**: Flags documentation >90 days old
+- **Quality Analysis**: Identifies undocumented modules/APIs/pages with severity levels
+- **Historical Tracking**: Persists metrics to `.repolens/metrics-history.json`
+- **Trend Indicators**: Up/down/stable trend detection (>1% threshold)
+- Functions: `calculateCoverage()`, `calculateHealthScore()`, `detectStaleness()`, `analyzeQuality()`, `trackMetrics()`, `calculateTrends()`, `collectMetrics()`
+
+**Interactive Dashboard** (`src/renderers/renderDashboard.js` - 1,020 lines):
+- Beautiful HTML dashboard with inline CSS (zero dependencies)
+- **Health Score Card**: Color-coded 0-100 score (excellent/good/fair/poor)
+- **Coverage Breakdown**: Module/API/page coverage with progress bars
+- **Freshness Tracking**: Stale file detection with last updated timestamps
+- **Quality Issues List**: Severity badges (high/medium/low) with actionable items
+- **Trend Charts**: SVG visualization of coverage and health score over time
+- **Quick Links**: Direct links to Notion, GitHub, and Markdown documentation
+- Responsive design with animations and smooth transitions
+- Generated at `.repolens/dashboard/index.html`
+
+**GitHub Pages Deployment** (`.github/workflows/deploy-dashboard.yml` - 73 lines):
+- Automated deployment to `https://OWNER.github.io/REPO/`
+- Deploys on every push to main branch
+- Uses local code during development (`npm link`)
+- Graceful fallback for missing dashboard files
+- Security-conscious environment variable handling
+
+**Configuration Extensions** (`src/core/config-schema.js`):
+- **Discord Configuration**:
+  * `discord.notifyOn`: "always", "significant", or "never"
+  * `discord.significantThreshold`: 0-100 (default: 10%)
+  * `discord.branches`: Array with glob pattern support
+  * `discord.enabled`: Boolean
+- **Dashboard Configuration**:
+  * `dashboard.enabled`: Boolean (default: true)
+  * `dashboard.githubPages`: Boolean
+  * `dashboard.staleThreshold`: Number (default: 90 days)
+
+**Publishing Integration** (`src/publishers/index.js`):
+- Automatic metrics collection after publishing
+- Dashboard generation integrated into publish flow
+- Discord notifications sent after successful publish (if configured)
+- Branch-aware notification filtering
+- Graceful error handling (doesn't fail publish if dashboard/notifications fail)
+
+### 🔧 Configuration
+
+**Environment Variables** (`.env.example`):
+- Added `DISCORD_WEBHOOK_URL` for team notifications
+- Security warnings and setup instructions
+- GitHub Actions secret configuration guidance
+
+**GitHub Actions** (`.github/workflows/publish-docs.yml`):
+- Added `DISCORD_WEBHOOK_URL` to workflow environment
+
+### 📊 Testing
+- All 90 tests passing (47 main + 43 security)
+- No regressions from Phase 4 integration
+- Metrics algorithms validated
+- Dashboard generation tested
+
+### 🐛 Bug Fixes
+- **GitHub Pages Workflow**: Fixed deployment to use local code during development
+  * Changed from `npx @chappibunny/repolens@latest` to `npm link && npx repolens`
+  * Added file existence checks before copying dashboard
+  * Created graceful fallback with "Coming Soon" placeholder for missing files
+
+## 0.5.0 (Phase 3: Security Audit)
+
+### 🔒 Security Hardening
+
+**Security Utilities** (1,296 lines of new code):
+- **Secrets Detection** (`src/utils/secrets.js`):
+  * Detects 15+ secret patterns (OpenAI, GitHub, AWS, Notion, etc.)
+  * Entropy-based heuristic detection for unknown patterns
+  * Automatic sanitization in all logger and telemetry output
+  * Functions: `detectSecrets()`, `sanitizeSecrets()`, `isLikelySecret()`
+  
+- **Config Validation** (`src/utils/validate.js`):
+  * Validates configuration against injection attacks
+  * Detects: directory traversal, shell injection, command substitution
+  * Scans config tree for accidentally included secrets
+  * Circular reference handling with depth limit
+  * Path validation preventing `..` and absolute paths
+  
+- **Rate Limiting** (`src/utils/rate-limit.js`):
+  * Token bucket algorithm (3 req/sec for Notion and AI APIs)
+  * Exponential backoff with jitter (3 retries)
+  * Wrapper functions: `executeNotionRequest()`, `executeAIRequest()`
+  * Batch request processing
+
+**Runtime Integration**:
+- Config loader validates all inputs before loading
+- Logger sanitizes all console output automatically
+- Telemetry sanitizes error messages before sending to Sentry
+- All Notion API calls rate-limited to 3 req/sec
+- All AI API calls rate-limited to 3 req/sec
+
+**GitHub Actions Hardening**:
+- Actions pinned to commit SHAs (supply chain protection)
+- Minimal permissions (`contents: read` or `contents: write` only)
+- Security job with npm audit and secrets scanning
+- Fail-early strategy on security issues
+
+**Comprehensive Testing**:
+- 43 new security tests (fuzzing, injection, boundary conditions)
+- Total: 90 tests passing (47 main + 43 security)
+- Attack vectors tested: SQL injection, command injection, path traversal, YAML bomb, NoSQL, LDAP, XML injection
+
+**Documentation**:
+- New `SECURITY.md` with threat model and security features
+- Updated `README.md` with security section
+- Updated `PRODUCTION_CHECKLIST.md` with security validation
+- Security badge in README
+
+### 📊 Testing
+- All 90 tests passing
+- 0 vulnerabilities in dependencies (519 packages audited)
+
 ## 0.4.3
 
 ### 🐛 Bug Fixes

package/README.md

@@ -8,9 +8,15 @@
                         🔍 Repository Intelligence CLI 📊
 ```
 
+[![Tests](https://img.shields.io/badge/tests-90%20passing-brightgreen)](https://github.com/CHAPIBUNNY/repolens/actions)
+[![Security](https://img.shields.io/badge/security-hardened-blue)](SECURITY.md)
+[![Vulnerabilities](https://img.shields.io/badge/vulnerabilities-0-brightgreen)](SECURITY.md)
+[![License](https://img.shields.io/badge/license-MIT-blue)](LICENSE)
+[![Security Audit](https://img.shields.io/badge/security%20audit-passed-brightgreen)](SECURITY.md)
+
 AI-assisted documentation intelligence system that generates architecture docs for engineers AND readable system docs for stakeholders
 
-**Current Status**: v0.4.0 — Production Ready
+**Current Status**: v0.6.0 — Team Features & Observability Dashboard
 
 RepoLens automatically generates and maintains living architecture documentation by analyzing your repository structure, extracting meaningful insights from your package.json, and creating visual dependency graphs. Run it once, or let it auto-update on every push.
 
@@ -22,7 +28,7 @@ RepoLens automatically generates and maintains living architecture documentation
 
 **Step 1: Install**
 ```bash
-npm install github:CHAPIBUNNY/repolens
+npm install @chappibunny/repolens
 ```
 
 **Step 2: Initialize** (creates config + GitHub Actions workflow)
@@ -30,19 +36,30 @@ npm install github:CHAPIBUNNY/repolens
 npx @chappibunny/repolens init
 ```
 
-**Step 3: Configure Notion** (optional, skip if using Markdown only)
+**Step 3: Configure Publishing** (optional, skip if using Markdown only)
+
+For Notion:
 ```bash
 # Edit .env and add:
 NOTION_TOKEN=secret_xxx
 NOTION_PARENT_PAGE_ID=xxx
 ```
 
+For Confluence:
+```bash
+# Edit .env and add:
+CONFLUENCE_URL=https://your-company.atlassian.net/wiki
+CONFLUENCE_EMAIL=your@email.com
+CONFLUENCE_API_TOKEN=your-token
+CONFLUENCE_SPACE_KEY=DOCS
+```
+
 **Step 4: Publish**
 ```bash
 npx @chappibunny/repolens publish
 ```
 
-**Done!** Your docs are now live in Notion and/or `.repolens/` directory.
+**Done!** Your docs are now live in Notion, Confluence, and/or `.repolens/` directory.
 
 **🔄 Upgrading from v0.3.0 or earlier?**
 Run `npx @chappibunny/repolens migrate` to automatically update your workflow files. See [MIGRATION.md](MIGRATION.md) for details.
@@ -107,53 +124,148 @@ RepoLens automatically detects:
 ✅ **Deterministic Fallback** - Always generates docs even if AI unavailable  
 ✅ **Business Domain Inference** - Automatically maps code to business functions  
 ✅ **Data Flow Analysis** - Understands how information moves through your system  
-✅ **Multiple Publishers** - Output to Notion, Markdown, or both  
+✅ **Multiple Publishers** - Output to Notion, Confluence, Markdown, or all three  
 ✅ **Branch-Aware** - Prevent doc conflicts across branches  
 ✅ **GitHub Actions** - Autonomous operation on every push  
+✅ **Team Notifications** - Discord integration with rich embeds (NEW in v0.6.0)  
+✅ **Observability Dashboard** - Interactive HTML metrics dashboard (NEW in v0.6.0)  
+✅ **Health Score Tracking** - Monitor documentation quality over time (NEW in v0.6.0)  
+✅ **GitHub Pages Deployment** - Automated public dashboard hosting (NEW in v0.6.0)  
+
+---
+
+## 👥 Team Features & Observability (New in v0.6.0)
+
+### 📊 Interactive Dashboard
+
+RepoLens now generates a beautiful HTML dashboard with real-time metrics and trends:
+
+**Features:**
+- **Health Score** — 0-100 rating based on coverage, freshness, and quality
+- **Coverage Metrics** — Module, API, and page documentation coverage with progress bars
+- **Freshness Tracking** — Identifies stale documentation (>90 days old)
+- **Quality Issues** — Lists undocumented modules, APIs, and pages with severity badges
+- **Trend Charts** — SVG visualization of coverage and health score over time
+- **Quick Links** — Direct links to Notion, GitHub, and Markdown documentation
+
+**Access your dashboard:**
+- **Local**: `.repolens/dashboard/index.html` after running `repolens publish`
+- **Public**: `https://OWNER.github.io/REPO/` (with GitHub Pages enabled)
+
+**Setup GitHub Pages (Optional):**
+
+1. **Add workflow** (created by `repolens init` in v0.6.0+):
+   - File: `.github/workflows/deploy-dashboard.yml`
+   - Triggers: Runs on every push to main
+
+2. **Enable GitHub Pages**:
+   - Go to repo Settings → Pages
+   - Source: **GitHub Actions**
+   - Save
+
+3. **Add secrets** (if using publishers or notifications):
+   ```
+   NOTION_TOKEN
+   NOTION_PARENT_PAGE_ID
+   CONFLUENCE_URL
+   CONFLUENCE_EMAIL
+   CONFLUENCE_API_TOKEN
+   CONFLUENCE_SPACE_KEY
+   CONFLUENCE_PARENT_PAGE_ID  # Optional
+   DISCORD_WEBHOOK_URL  # Optional
+   ```
+   DISCORD_WEBHOOK_URL
+   ```
+
+Your dashboard will be live at `https://OWNER.github.io/REPO/` within minutes!
+
+### 💬 Discord Notifications
+
+Get notified when documentation changes significantly:
+
+**Features:**
+- Rich embeds with coverage, health score, and change percentage
+- Threshold-based notifications (only for significant changes)
+- Branch filtering with glob pattern support
+- Secure webhook configuration via environment variable
+
+**Setup Discord Notifications:**
+
+1. **Create a webhook** in your Discord server:
+   - Server Settings → Integrations → Webhooks → New Webhook
+   - Copy the webhook URL
+
+2. **Add to environment**:
+   ```bash
+   # .env (never commit!)
+   DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/xxx/xxx
+   ```
+
+3. **Configure in `.repolens.yml`** (optional):
+   ```yaml
+   discord:
+     enabled: true                  # Default: true (if webhook configured)
+     notifyOn: significant          # Options: always, significant, never
+     significantThreshold: 10       # Notify if change >10% (default)
+     branches:                      # Which branches to notify (default: all)
+       - main
+       - develop
+   ```
+
+4. **Add GitHub Actions secret** (for CI/CD):
+   - Repo Settings → Secrets and variables → Actions
+   - New repository secret: `DISCORD_WEBHOOK_URL`
+
+**Notification includes:**
+- Branch and commit information
+- Files scanned and modules analyzed
+- Coverage percentage and health score
+- Change percentage from previous run
+- Direct links to dashboard, Notion, and GitHub
 
 ---
 
 ## 📦 Installation
 
-### Recommended: GitHub Install
+### Recommended: npm Registry
 
 ```bash
-npm install github:CHAPIBUNNY/repolens
+npm install @chappibunny/repolens
 ```
 
-This installs directly from the latest GitHub commit. Perfect for early access.
+Installs from npm registry. ✨ **Now available in beta!**
 
 ### Alternative Methods
 
 <details>
-<summary><b>Option B: Local Development</b></summary>
+<summary><b>Option B: GitHub Direct Install</b></summary>
 
-Clone and link for development:
+Install from the latest GitHub commit:
 
 ```bash
-git clone https://github.com/CHAPIBUNNY/repolens.git
-cd repolens
-npm link
+npm install github:CHAPIBUNNY/repolens
 ```
 </details>
 
 <details>
-<summary><b>Option C: GitHub Release Tarball</b></summary>
+<summary><b>Option C: Local Development</b></summary>
 
-Install from a specific version:
+Clone and link for development:
 
 ```bash
-npm install https://github.com/CHAPIBUNNY/repolens/releases/download/v0.2.0/repolens-0.2.0.tgz
+git clone https://github.com/CHAPIBUNNY/repolens.git
+cd repolens
+npm link
 ```
 </details>
 
 <details>
-<summary><b>Option D: npm Registry (Coming v1.0)</b></summary>
+<summary><b>Option D: GitHub Release Tarball</b></summary>
 
-Once published to npm:
+Install from a specific version:
 
 ```bash
-npm install -g repolens
+npm install https://github.com/CHAPIBUNNY/repolens/releases/download/v0.2.0/repolens-0.2.0.tgz
 ```
 </details>
 
@@ -187,8 +299,9 @@ Open `.repolens.yml` and verify the `publishers` section:
 
 ```yaml
 publishers:
-  - markdown  # Always works, no setup needed
-  - notion    # Requires NOTION_TOKEN and NOTION_PARENT_PAGE_ID
+  - markdown    # Always works, no setup needed
+  - notion      # Requires NOTION_TOKEN and NOTION_PARENT_PAGE_ID
+  - confluence  # Requires CONFLUENCE_URL, CONFLUENCE_EMAIL, CONFLUENCE_API_TOKEN, CONFLUENCE_SPACE_KEY
 ```
 
 **Markdown Only** (simplest):
@@ -196,6 +309,18 @@ publishers:
 publishers:
   - markdown
 ```
+
+**Notion Only**:
+```yaml
+publishers:
+  - notion
+```
+
+**Confluence Only**:
+```yaml
+publishers:
+  - confluence
+```
 Documentation lands in `.repolens/` directory. Commit these files or ignore them.
 
 **Notion + Markdown** (recommended):
@@ -206,6 +331,23 @@ publishers:
 ```
 Docs published to Notion for team visibility, plus local Markdown backups.
 
+**Confluence + Markdown**:
+```yaml
+publishers:
+  - confluence
+  - markdown
+```
+Docs published to Confluence for enterprise teams, plus local Markdown backups.
+
+**All Three**:
+```yaml
+publishers:
+  - notion
+  - confluence
+  - markdown
+```
+Maximum visibility: Notion for async collaboration, Confluence for enterprise docs, Markdown for local backups.
+
 ### Step 3: Enable AI Features (Optional)
 
 **AI-enhanced documentation adds natural language explanations for non-technical audiences.**
@@ -296,15 +438,82 @@ Add as repository secrets:
    - Name: `NOTION_TOKEN`, Value: `secret_xxxxx`
    - Name: `NOTION_PARENT_PAGE_ID`, Value: `xxxxxx`
 
+### Step 4a: Set Up Confluence Integration (Optional)
+
+If using the Confluence publisher:
+
+**4a.1: Generate Confluence API Token**
+1. Go to [id.atlassian.com/manage-profile/security/api-tokens](https://id.atlassian.com/manage-profile/security/api-tokens)
+2. Click **"Create API token"**
+3. Name it **"RepoLens"**
+4. Copy the generated token (save it securely - you won't see it again!)
+
+**4a.2: Find Your Space Key**
+1. Navigate to your Confluence space
+2. Go to **Space Settings** → **Space details**
+3. Note the **Space Key** (e.g., `DOCS`, `ENG`, `TECH`)
+
+**4a.3: Get Parent Page ID (Optional)**
+1. Navigate to the page where you want RepoLens docs nested
+2. Click **"..."** menu → **"Page information"**
+3. Copy the page ID from the URL: `pageId=123456789`
+4. If skipped, docs will be created at space root level
+
+**4a.4: Add Environment Variables**
+
+**For Local Development:**
+Create `.env` in your project root:
+```bash
+CONFLUENCE_URL=https://your-company.atlassian.net/wiki
+CONFLUENCE_EMAIL=your@email.com
+CONFLUENCE_API_TOKEN=your-api-token-here
+CONFLUENCE_SPACE_KEY=DOCS
+CONFLUENCE_PARENT_PAGE_ID=123456789  # Optional
+```
+
+**For Confluence Server/Data Center** (self-hosted):
+```bash
+CONFLUENCE_URL=https://confluence.yourcompany.com
+CONFLUENCE_EMAIL=your-username  # Use username instead of email
+CONFLUENCE_API_TOKEN=your-personal-access-token
+CONFLUENCE_SPACE_KEY=DOCS
+CONFLUENCE_PARENT_PAGE_ID=123456789  # Optional
+```
+
+**For GitHub Actions:**
+Add as repository secrets:
+1. Go to your repo → **Settings** → **Secrets and variables** → **Actions**
+2. Click **"New repository secret"**
+3. Add:
+   - Name: `CONFLUENCE_URL`, Value: `https://your-company.atlassian.net/wiki`
+   - Name: `CONFLUENCE_EMAIL`, Value: `your@email.com`
+   - Name: `CONFLUENCE_API_TOKEN`, Value: `your-token`
+   - Name: `CONFLUENCE_SPACE_KEY`, Value: `DOCS`
+   - Name: `CONFLUENCE_PARENT_PAGE_ID`, Value: `123456789` (optional)
+
+**Confluence + Notion + Markdown** (all three!):
+```yaml
+publishers:
+  - markdown
+  - notion
+  - confluence
+```
+
+Docs published to both Notion and Confluence for maximum visibility!
+
 ### Step 5: Configure Branch Publishing (Recommended)
 
-Prevent documentation conflicts by limiting which branches publish to Notion:
+Prevent documentation conflicts by limiting which branches publish to Notion/Confluence:
 
 ```yaml
 notion:
   branches:
     - main              # Only main branch publishes
   includeBranchInTitle: false  # Clean titles (no [branch-name] suffix)
+
+confluence:
+  branches:
+    - main              # Only main branch publishes to Confluence
 ```
 
 **Options:**
@@ -348,8 +557,8 @@ npx @chappibunny/repolens publish
 
 **Expected output:**
 ```
-RepoLens v0.2.0
-────────────────────────────────────────
+RABITAI 🐰
+────────────────────────────────────────────────────
 [RepoLens] Using config: /path/to/.repolens.yml
 [RepoLens] Loading configuration...
 [RepoLens] Scanning repository...
@@ -547,6 +756,131 @@ When you open a pull request, RepoLens posts:
 
 ---
 
+## 🔒 Privacy & Telemetry
+
+RepoLens includes **opt-in** error tracking and usage telemetry to help improve reliability, understand adoption patterns, and prioritize features.
+
+**Privacy First:**
+- ✅ **Disabled by default** - telemetry is opt-in
+- ✅ **No code collection** - your source code never leaves your machine
+- ✅ **No secrets** - API keys and tokens are never sent
+- ✅ **Anonymous** - no personal information or repository names
+- ✅ **Transparent** - see exactly what data is collected
+
+**To enable telemetry**, add to `.env`:
+```bash
+REPOLENS_TELEMETRY_ENABLED=true
+```
+
+**What's collected (when enabled):**
+
+*Error Tracking (Phase 1):*
+- Error messages and stack traces (for debugging)
+- Command that failed (e.g., `publish`, `migrate`)
+- Basic system info (Node version, platform)
+
+*Usage Metrics (Phase 2):*
+- Command execution times (scan, render, publish)
+- Repository size (file count, module count)
+- Feature usage (AI enabled, publishers used)
+- Success/failure rates
+
+**Why enable it?**
+- 🐛 **Faster bug fixes** - issues you encounter are fixed proactively
+- 📊 **Better features** - development focused on real-world usage
+- ⚡ **Performance** - optimizations based on actual bottlenecks
+- 🎯 **Prioritization** - roadmap guided by community needs
+
+For full details and example data, see [TELEMETRY.md](TELEMETRY.md).
+
+---
+
+## 🛡️ Security
+
+RepoLens implements **defense-in-depth** security to protect your credentials, code, and infrastructure.
+
+### Security Architecture (Phase 3)
+
+**Layer 1: Input Validation** (`src/utils/validate.js`)
+- ✅ Schema validation with required field enforcement
+- ✅ Injection attack detection (shell, command substitution)
+- ✅ Directory traversal prevention (`..`, absolute paths, null bytes)
+- ✅ Secret scanning in configuration files
+- ✅ Circular reference protection (depth limit: 20 levels)
+
+**Layer 2: Secret Detection** (`src/utils/secrets.js`)
+- ✅ **15+ credential patterns**: OpenAI, GitHub, AWS, Notion, Generic API keys
+- ✅ **Entropy-based detection**: High-entropy strings (Shannon entropy > 4.5)
+- ✅ **Automatic sanitization**: All logger output, telemetry, error messages
+- ✅ **Format**: `sk-abc123xyz` → `sk-ab***yz` (first 2 + last 2 chars visible)
+
+**Layer 3: Rate Limiting** (`src/utils/rate-limit.js`)
+- ✅ **Token bucket algorithm**: 3 requests/second for Notion & AI APIs
+- ✅ **Exponential backoff**: Automatic retry with jitter (500ms → 1s → 2s)
+- ✅ **Cost protection**: Prevents runaway API usage
+- ✅ **Retryable errors**: 429, 500, 502, 503, 504, network timeouts
+
+**Layer 4: Supply Chain Security**
+- ✅ **Action pinning**: GitHub Actions pinned to commit SHAs (not tags)
+- ✅ **Minimal permissions**: `contents: read` or `contents: write` only
+- ✅ **Dependency audits**: CI/CD fails on critical/high vulnerabilities
+- ✅ **npm audit**: 0 vulnerabilities in 519 dependencies
+
+**Layer 5: Comprehensive Testing**
+- ✅ **43 security tests**: Fuzzing, injection, boundary conditions
+- ✅ **Attack vectors tested**: SQL, command, path, YAML, NoSQL, LDAP, XML
+- ✅ **90 total tests**: 47 functional + 43 security (100% passing)
+
+### Security Validation (Automatic)
+
+```bash
+# Every configuration load:
+✅ No injection patterns detected (;|&`$())
+✅ No secrets in configuration files
+✅ Safe path patterns only (no .. or absolute paths)
+✅ Valid schema (configVersion: 1)
+
+# Every runtime operation:
+✅ All logs sanitized (secrets redacted)
+✅ Telemetry sanitized (no credentials sent)
+✅ Rate limiting active (3 req/sec)
+✅ Type validation active (prevents type confusion)
+
+# Every CI/CD run:
+✅ npm audit passing (0 vulnerabilities)
+✅ Security tests passing (43/43)
+✅ Secrets scanner passing (no hardcoded credentials)
+```
+
+### Vulnerability Reporting
+
+- 📧 **Email**: [your-email@example.com] (replace with actual contact)
+- 🚨 **DO NOT** open public issues for security bugs
+- ⏱️ **Response**: Within 48 hours
+- 🔒 **Fix Timeline**: Critical issues within 7 days, others within 30 days
+- 📢 **Disclosure**: Coordinated disclosure after fix is released
+
+### Security Best Practices
+
+**✅ DO:**
+- Store secrets in GitHub Secrets (not `.repolens.yml`)
+- Use environment variables for sensitive data
+- Review generated documentation before publishing
+- Enable telemetry to catch security issues early
+- Run `npm audit` regularly
+- Pin workflows to specific versions
+
+**❌ DON'T:**
+- Commit API keys to version control
+- Share `.env` files publicly
+- Disable security validation
+- Use overly broad scan patterns (`**/*`)
+- Ignore security warnings
+
+For complete security documentation and threat model, see [SECURITY.md](SECURITY.md).
+
+---
+
 ## ⚙️ Configuration Reference
 
 ### Complete Example
@@ -571,6 +905,21 @@ notion:
     - release/*         # Glob patterns supported
   includeBranchInTitle: false  # Clean titles without [branch-name]
 
+# Discord notifications (optional, new in v0.6.0)
+discord:
+  enabled: true                  # Default: true (if DISCORD_WEBHOOK_URL set)
+  notifyOn: significant          # Options: always, significant, never
+  significantThreshold: 10       # Notify if change >10% (default)
+  branches:                      # Which branches to notify (default: all)
+    - main
+    - develop
+
+# Observability dashboard (optional, new in v0.6.0)
+dashboard:
+  enabled: true                  # Default: true
+  githubPages: true             # Deploy to GitHub Pages
+  staleThreshold: 90            # Flag docs older than 90 days
+
 # GitHub integration (optional)
 github:
   owner: "your-username"
@@ -633,6 +982,13 @@ features:
 | `publishers` | array | Yes | Output targets: `notion`, `markdown` |
 | `notion.branches` | array | No | Branch whitelist for Notion publishing. Supports globs. |
 | `notion.includeBranchInTitle` | boolean | No | Add `[branch-name]` to titles (default: `true`) |
+| `discord.enabled` | boolean | No | Enable Discord notifications (default: `true` if webhook set) |
+| `discord.notifyOn` | string | No | Notification policy: `always`, `significant`, `never` (default: `significant`) |
+| `discord.significantThreshold` | number | No | Change % threshold for notifications (default: `10`) |
+| `discord.branches` | array | No | Branch filter for notifications. Supports globs. (default: all) |
+| `dashboard.enabled` | boolean | No | Generate HTML dashboard (default: `true`) |
+| `dashboard.githubPages` | boolean | No | Deploy to GitHub Pages (default: `false`) |
+| `dashboard.staleThreshold` | number | No | Days before docs flagged as stale (default: `90`) |
 | `github.owner` | string | No | GitHub org/username for SVG hosting |
 | `github.repo` | string | No | Repository name for SVG hosting |
 | `scan.include` | array | Yes | Glob patterns for files to scan |
@@ -653,6 +1009,12 @@ Required for Notion publisher:
 | `NOTION_PARENT_PAGE_ID` | Yes | Page ID where docs will be created |
 | `NOTION_VERSION` | No | API version (default: `2022-06-28`) |
 
+Optional for Discord notifications (new in v0.6.0):
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `DISCORD_WEBHOOK_URL` | No | Discord webhook URL for team notifications |
+
 **Local Development:** Create `.env` file in project root  
 **GitHub Actions:** Add as repository secrets in Settings → Secrets and variables → Actions
 
@@ -894,6 +1256,6 @@ MIT
 
 <div align="center">
 
-**Made with 🔍 for developers who care about architecture**
+**Made with RABITAI for developers who care about architecture**
 
 </div>