@esoteric-logic/praxis-harness 2.6.0 → 2.7.0

package/base/configs/ci/lint-stack.yml

@@ -0,0 +1,126 @@
+# Polyglot Lint Stack — 3-Layer CI Template
+# Copy to: .github/workflows/lint-stack.yml
+# Conditional: each tool runs only if its language files exist in the repo.
+# Pin actions to SHA — update hashes when upgrading versions.
+
+name: Lint Stack
+on:
+  pull_request:
+    branches: [main, develop]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  # ─────────────────────────────────────────────
+  # LAYER 1: Fast Feedback (~10s per tool)
+  # ─────────────────────────────────────────────
+  lint:
+    name: L1 — Lint + Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # Python — Ruff
+      - name: Ruff check
+        if: hashFiles('**/*.py') != ''
+        uses: astral-sh/ruff-action@9700c1666704e06e2cf8f9046755e3dfc6297e40 # v3.2.1
+        with:
+          args: "check"
+      - name: Ruff format check
+        if: hashFiles('**/*.py') != ''
+        uses: astral-sh/ruff-action@9700c1666704e06e2cf8f9046755e3dfc6297e40 # v3.2.1
+        with:
+          args: "format --check"
+
+      # JS/TS — Biome
+      - name: Setup Biome
+        if: hashFiles('**/*.js', '**/*.ts', '**/*.jsx', '**/*.tsx') != ''
+        uses: biomejs/setup-biome@1cbe33ead22c7a2fded3b52fa2893611c815c3d2 # v2.5.0
+      - name: Biome CI
+        if: hashFiles('**/*.js', '**/*.ts', '**/*.jsx', '**/*.tsx') != ''
+        run: biome ci .
+
+      # Go — golangci-lint
+      - name: golangci-lint
+        if: hashFiles('go.mod') != ''
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+        with:
+          version: v2.1
+
+      # Rust — Clippy
+      - name: Setup Rust toolchain
+        if: hashFiles('Cargo.toml') != ''
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
+        with:
+          toolchain: stable
+          components: clippy, rustfmt
+      - name: Clippy
+        if: hashFiles('Cargo.toml') != ''
+        run: cargo clippy --all-targets --all-features -- -D warnings
+      - name: rustfmt check
+        if: hashFiles('Cargo.toml') != ''
+        run: cargo fmt --all -- --check
+
+      # Shell — ShellCheck
+      - name: ShellCheck
+        if: hashFiles('**/*.sh') != ''
+        run: |
+          sudo apt-get install -y shellcheck
+          find . -name '*.sh' -not -path './node_modules/*' -not -path './vendor/*' | xargs shellcheck -s bash
+
+  # ─────────────────────────────────────────────
+  # LAYER 2: Quality Gates (~2min)
+  # ─────────────────────────────────────────────
+  security-scan:
+    name: L2 — Semgrep
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: semgrep/semgrep-action@713efdd345ae26c72e79b5b32927be8e0e6bab83 # v1
+        with:
+          config: >-
+            p/default
+            p/secrets
+            p/owasp-top-ten
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+  # Uncomment to add SonarQube quality gate (requires self-hosted server)
+  # sonarqube:
+  #   name: L2 — SonarQube
+  #   runs-on: ubuntu-latest
+  #   needs: lint
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #       with:
+  #         fetch-depth: 0
+  #     - uses: SonarSource/sonarqube-scan-action@0e1a25e90571a34e2ec5c72ee40ba45cc73a1e6e # v4
+  #       env:
+  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  #         SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+  #     - uses: SonarSource/sonarqube-quality-gate-action@dc2f7b0dd95544cd550de3066f25f47e3fc20894 # v1.1.0
+  #       timeout-minutes: 5
+  #       env:
+  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  # ─────────────────────────────────────────────
+  # LAYER 3: AI Review (~2min, optional)
+  # ─────────────────────────────────────────────
+  # Uncomment to enable AI-powered PR review.
+  # Requires OPENAI_API_KEY secret or self-hosted Ollama.
+  #
+  # ai-review:
+  #   name: L3 — AI Review
+  #   runs-on: ubuntu-latest
+  #   needs: [security-scan]
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #     - uses: Codium-ai/pr-agent@main
+  #       env:
+  #         OPENAI_KEY: ${{ secrets.OPENAI_API_KEY }}
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       with:
+  #         command: review

package/base/configs/linters/.markdownlint.json

@@ -0,0 +1,7 @@
+{
+  "default": true,
+  "MD013": false,
+  "MD024": { "siblings_only": true },
+  "MD033": false,
+  "MD041": true
+}

package/base/configs/linters/.pre-commit-config.yaml

@@ -0,0 +1,63 @@
+repos:
+  # General file hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+      - id: check-added-large-files
+        args: ['--maxkb=500']
+      - id: detect-private-key
+      - id: check-merge-conflict
+
+  # Layer 1: Python — Ruff
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.11.6
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format
+
+  # Layer 1: JS/TS — Biome
+  - repo: https://github.com/biomejs/pre-commit
+    rev: v2.0.0
+    hooks:
+      - id: biome-check
+        additional_dependencies: ["@biomejs/biome@2.0.0"]
+
+  # Layer 1: Shell — ShellCheck
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: [-s, bash]
+
+  # Layer 1: Go — golangci-lint
+  - repo: https://github.com/golangci/golangci-lint
+    rev: v2.1.0
+    hooks:
+      - id: golangci-lint
+
+  # Layer 1: Rust — rustfmt + clippy
+  - repo: local
+    hooks:
+      - id: rustfmt
+        name: rustfmt
+        entry: rustfmt
+        language: system
+        types: [rust]
+      - id: clippy
+        name: clippy
+        entry: cargo clippy -- -D warnings
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+  # Layer 2: Semgrep security scan
+  - repo: https://github.com/semgrep/semgrep
+    rev: v1.120.0
+    hooks:
+      - id: semgrep
+        args: ['--config', 'auto', '--error']

package/base/configs/linters/biome.json

@@ -0,0 +1,41 @@
+{
+  "$schema": "https://biomejs.dev/schemas/2.0.0/schema.json",
+  "organizeImports": { "enabled": true },
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true,
+      "complexity": {
+        "noExcessiveCognitiveComplexity": {
+          "level": "warn",
+          "options": { "maxAllowedComplexity": 15 }
+        }
+      },
+      "suspicious": {
+        "noExplicitAny": "warn",
+        "noConsoleLog": "warn"
+      },
+      "correctness": {
+        "noUnusedVariables": "error",
+        "noUnusedImports": "error"
+      }
+    }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 100
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "single",
+      "semicolons": "always"
+    }
+  },
+  "json": {
+    "formatter": {
+      "indentWidth": 2
+    }
+  }
+}

package/base/configs/linters/clippy.toml

@@ -0,0 +1,4 @@
+cognitive-complexity-threshold = 20
+too-many-arguments-threshold = 7
+type-complexity-threshold = 250
+single-char-binding-names-threshold = 4

package/base/configs/linters/ruff.toml

@@ -0,0 +1,26 @@
+target-version = "py312"
+line-length = 100
+fix = true
+
+[lint]
+select = [
+  "E", "W",    # pycodestyle
+  "F",         # pyflakes
+  "I",         # isort
+  "N",         # pep8-naming
+  "UP",        # pyupgrade
+  "S",         # bandit (security)
+  "B",         # flake8-bugbear
+  "A",         # flake8-builtins
+  "C4",        # flake8-comprehensions
+  "SIM",       # flake8-simplify
+  "RUF",       # ruff-specific
+]
+ignore = ["E501"]  # line length handled by formatter
+
+[lint.per-file-ignores]
+"tests/**" = ["S101"]  # allow assert in tests
+
+[format]
+quote-style = "double"
+indent-style = "space"

package/base/configs/linters/rustfmt.toml

@@ -0,0 +1,7 @@
+edition = "2024"
+max_width = 100
+tab_spaces = 4
+use_field_init_shorthand = true
+use_try_shorthand = true
+imports_granularity = "Crate"
+group_imports = "StdExternalCrate"

package/base/configs/linters/semgrep.yml

@@ -0,0 +1,65 @@
+rules:
+  # Usage:
+  #   semgrep --config auto                   (recommended community rules)
+  #   semgrep --config p/owasp-top-ten        (OWASP Top 10)
+  #   semgrep --config p/secrets              (secret detection)
+  #   semgrep --config .semgrep.yml           (this file — custom rules)
+
+  # Custom: ban f-string SQL queries
+  - id: no-fstring-sql-execute
+    patterns:
+      - pattern: cursor.execute($QUERY, ...)
+      - pattern-not: cursor.execute("...", ...)
+      - metavariable-pattern:
+          metavariable: $QUERY
+          pattern: |
+            f"..."
+    message: "Use parameterized queries instead of f-strings in SQL"
+    severity: ERROR
+    languages: [python]
+
+  # Custom: no hardcoded secrets in source
+  - id: hardcoded-secret-assignment
+    pattern-either:
+      - pattern: $KEY = "..."
+    metavariable-regex:
+      metavariable: $KEY
+      regex: ".*(secret|password|token|api_key|apikey|auth_token).*"
+    message: "Possible hardcoded secret — use environment variables"
+    severity: WARNING
+    languages: [python, javascript, typescript, java, go, rust]
+
+  # Custom: no unsafe unwrap in Rust production code
+  - id: rust-no-unwrap
+    pattern: $X.unwrap()
+    message: "Avoid .unwrap() — use .expect() with context or propagate with ?"
+    severity: WARNING
+    languages: [rust]
+    paths:
+      exclude:
+        - "*_test.rs"
+        - "tests/**"
+        - "benches/**"
+
+  # Custom: no fmt.Println in Go production code
+  - id: go-no-fmt-println
+    pattern: fmt.Println(...)
+    message: "Use structured logging instead of fmt.Println"
+    severity: WARNING
+    languages: [go]
+    paths:
+      exclude:
+        - "*_test.go"
+        - "cmd/**"
+
+# Paths to exclude from scanning
+paths:
+  exclude:
+    - node_modules
+    - vendor
+    - .terraform
+    - target
+    - dist
+    - build
+    - "*.min.js"
+    - "*.generated.*"

package/base/configs/registry.json

@@ -30,7 +30,15 @@
       {"name": "gitleaks", "feature": "secret-scanning", "install": "brew install gitleaks"},
       {"name": "osv-scanner", "feature": "dep-audit", "install": "go install github.com/google/osv-scanner/cmd/osv-scanner@latest"},
       {"name": "pip-audit", "feature": "dep-audit-python", "install": "pip install pip-audit"},
-      {"name": "docker", "feature": "docker-sandbox", "install": "brew install --cask docker"}
+      {"name": "docker", "feature": "docker-sandbox", "install": "brew install --cask docker"},
+      {"name": "biome", "feature": "lint-js", "install": "npm install -g @biomejs/biome"},
+      {"name": "ruff", "feature": "lint-python", "install": "pip install ruff"},
+      {"name": "semgrep", "feature": "security-scan", "install": "pip install semgrep"},
+      {"name": "markdownlint", "feature": "lint-markdown", "install": "npm install -g markdownlint-cli"},
+      {"name": "pre-commit", "feature": "pre-commit-hooks", "install": "pip install pre-commit"},
+      {"name": "golangci-lint", "feature": "lint-go", "install": "brew install golangci-lint"},
+      {"name": "rustfmt", "feature": "format-rust", "install": "rustup component add rustfmt"},
+      {"name": "clippy", "feature": "lint-rust", "install": "rustup component add clippy"}
     ]
   },
   "env_vars": {

package/base/hooks/quality-check.sh

@@ -61,6 +61,18 @@ case "$EXT" in
       taplo format "$FILE_PATH" 2>/dev/null
     fi
     ;;
+  js|jsx|ts|tsx)
+    if command -v biome &>/dev/null; then
+      biome format --write "$FILE_PATH" 2>/dev/null
+    elif command -v prettier &>/dev/null; then
+      prettier --write "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
+  rs)
+    if command -v rustfmt &>/dev/null; then
+      rustfmt "$FILE_PATH" 2>/dev/null
+    fi
+    ;;
   md)
     if command -v prettier &>/dev/null; then
       prettier --write --prose-wrap always "$FILE_PATH" 2>/dev/null
@@ -111,6 +123,30 @@ case "$EXT" in
       fi
     fi
     ;;
+  js|jsx|ts|tsx)
+    if command -v biome &>/dev/null; then
+      LINT_OUT=$(biome lint "$FILE_PATH" 2>&1) || true
+      if [ -n "$LINT_OUT" ] && ! echo "$LINT_OUT" | grep -q "No diagnostics"; then
+        ISSUES+=("biome: $LINT_OUT")
+      fi
+    fi
+    ;;
+  rs)
+    if command -v cargo &>/dev/null; then
+      DIR=$(dirname "$FILE_PATH")
+      # Walk up to find Cargo.toml for crate context
+      CRATE_DIR="$DIR"
+      while [ "$CRATE_DIR" != "/" ] && [ ! -f "$CRATE_DIR/Cargo.toml" ]; do
+        CRATE_DIR=$(dirname "$CRATE_DIR")
+      done
+      if [ -f "$CRATE_DIR/Cargo.toml" ]; then
+        LINT_OUT=$(cd "$CRATE_DIR" && cargo clippy --quiet -- -D warnings 2>&1) || true
+        if [ -n "$LINT_OUT" ]; then
+          ISSUES+=("clippy: $LINT_OUT")
+        fi
+      fi
+    fi
+    ;;
   yml|yaml)
     if command -v yamllint &>/dev/null; then
       LINT_OUT=$(yamllint -f parsable "$FILE_PATH" 2>&1) || true

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@esoteric-logic/praxis-harness",
-  "version": "2.6.0",
+  "version": "2.7.0",
   "description": "Layered Claude Code harness — workflow discipline, AI-Kits, persistent vault integration",
   "bin": {
     "praxis-harness": "./bin/praxis.js"