codetrust 1.5.0__tar.gz

codetrust-1.5.0/.cursorrules

@@ -0,0 +1,49 @@
+# .cursorrules — CodeTrust Enforcement for Cursor AI
+
+#
+
+# These rules apply to ALL AI agents working in this project
+
+# They mirror CLAUDE.md enforcement but in Cursor's format
+
+## MANDATORY: CodeTrust Enforcement Protocol
+
+Before writing ANY code:
+
+1. Call codetrust_pre_action with a description of what you plan to do
+2. If verdict is BLOCK → stop and fix the plan
+3. If verdict is WARN → acknowledge each warning
+
+After writing or modifying ANY file:
+
+1. Call codetrust_static_scan on every file you changed
+2. Call codetrust_deep_scan if you created new files or modified imports
+3. If any finding has severity BLOCK → fix immediately
+4. If any finding has severity WARN → fix or explain
+
+Before committing:
+
+1. Call codetrust_post_action with repo root and list of changed files
+2. All BLOCK findings must be resolved — zero tolerance
+3. Run ruff check src/ tests/ — zero warnings
+
+## Absolute Prohibitions (enforced by CodeTrust pre-commit hook)
+
+- No eval() or exec()
+- No hardcoded secrets (use environment variables)
+- No heredocs (use template files)
+- No pickle.load with untrusted data
+- No SQL string formatting (use parameterized queries)
+- No print() — use structlog
+- No wildcard imports
+- No bare except:
+- No Any types
+- No mutable default arguments
+
+## Quality Standards
+
+- Every function has type annotations
+- Every public function has a docstring
+- Max 40 lines per function
+- All external HTTP calls wrapped in try/except
+- All Pydantic models use strict=True

codetrust-1.5.0/.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: CI
+
+on:
+    push:
+        branches: [main]
+    pull_request:
+        branches: [main]
+
+permissions:
+    contents: read
+    security-events: write
+
+jobs:
+    lint-and-test:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Set up Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: "3.12"
+
+            - name: Install dependencies
+              run: |
+                  python -m pip install --upgrade pip
+                  pip install -e ".[dev]"
+
+            - name: Lint with ruff
+              run: ruff check src/ tests/
+
+            - name: Run tests
+              run: pytest tests/ -v --tb=short
+
+    codetrust-scan:
+        runs-on: ubuntu-latest
+        needs: lint-and-test
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Set up Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: "3.12"
+
+            - name: Install dependencies
+              run: |
+                  python -m pip install --upgrade pip
+                  pip install -e ".[dev]"
+
+            - name: Run CodeTrust Scan
+              uses: ./
+              with:
+                  scan-type: "static"
+                  language: "python"
+                  path: "src/"
+                  fail-on: "block"
+                  sarif-file: "codetrust-results.sarif"
+
+            - name: Upload SARIF
+              if: always()
+              uses: github/codeql-action/upload-sarif@v3
+              with:
+                  sarif_file: codetrust-results.sarif
+              continue-on-error: true

codetrust-1.5.0/.github/workflows/codetrust-scan.yml

@@ -0,0 +1,87 @@
+name: CodeTrust Scan
+
+on:
+    pull_request:
+        branches: [main, master]
+    push:
+        branches: [main, master]
+
+permissions:
+    contents: read
+    pull-requests: write
+
+jobs:
+    codetrust-scan:
+        name: CodeTrust Quality Gate
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0 # Full history for diff
+
+            - name: Set up Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: "3.12"
+
+            - name: Install CodeTrust
+              run: pip install httpx
+
+            - name: Get changed files
+              id: changed
+              run: |
+                  if [ "${{ github.event_name }}" = "pull_request" ]; then
+                    FILES=$(git diff --name-only --diff-filter=ACM ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -E '\.(py|js|ts|go|rs|java|sh)$' || true)
+                  else
+                    FILES=$(git diff --name-only --diff-filter=ACM HEAD~1 HEAD | grep -E '\.(py|js|ts|go|rs|java|sh)$' || true)
+                  fi
+                  echo "files<<EOF" >> $GITHUB_OUTPUT
+                  echo "$FILES" >> $GITHUB_OUTPUT
+                  echo "EOF" >> $GITHUB_OUTPUT
+
+            - name: Run CodeTrust Scan
+              id: scan
+              env:
+                  CODETRUST_API_URL: ${{ secrets.CODETRUST_API_URL || 'https://codetrust-api-production.up.railway.app' }}
+                  CODETRUST_API_KEY: ${{ secrets.CODETRUST_API_KEY }}
+                  CHANGED_FILES: ${{ steps.changed.outputs.files }}
+              run: python action/scan.py
+
+            - name: Post PR Comment
+              if: github.event_name == 'pull_request' && always()
+              uses: actions/github-script@v7
+              with:
+                  script: |
+                      const fs = require('fs');
+                      if (!fs.existsSync('codetrust-report.md')) return;
+                      const body = fs.readFileSync('codetrust-report.md', 'utf8');
+
+                      // Find existing CodeTrust comment
+                      const { data: comments } = await github.rest.issues.listComments({
+                        owner: context.repo.owner,
+                        repo: context.repo.repo,
+                        issue_number: context.issue.number,
+                      });
+                      const existing = comments.find(c =>
+                        c.body.includes('<!-- codetrust-scan -->')
+                      );
+
+                      const commentBody = `<!-- codetrust-scan -->\n${body}`;
+
+                      if (existing) {
+                        await github.rest.issues.updateComment({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          comment_id: existing.id,
+                          body: commentBody,
+                        });
+                      } else {
+                        await github.rest.issues.createComment({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          issue_number: context.issue.number,
+                          body: commentBody,
+                        });
+                      }

codetrust-1.5.0/.gitignore

@@ -0,0 +1,48 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+*.egg-info/
+dist/
+build/
+.eggs/
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Environment
+.env
+.env.*
+*.secret
+*.pem
+*.key
+
+# Testing
+.pytest_cache/
+htmlcov/
+.coverage
+coverage.xml
+
+# Docker
+docker-compose.override.yml
+
+# Session log (private, never committed)
+SESSION_LOG.md
+
+# Node (in case of front-end components)
+node_modules/
+codetrust.db
+codetrust-report.md

codetrust-1.5.0/CHANGELOG.md

@@ -0,0 +1,156 @@
+# Changelog
+
+All notable changes to CodeTrust will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.5.0] - 2026-02-11
+
+### Added
+
+- **VS Code / Cursor Extension** (Phase 10) — editor extension for inline code verification
+  - `extension/` TypeScript project with full VS Code extension scaffolding
+  - Scan on save — automatic static analysis when saving supported files
+  - Command palette: Scan File, Deep Scan, Verify Imports, Verify Dockerfile, Clear Diagnostics
+  - Inline diagnostics — findings shown as squiggly lines (error/warning/info severity)
+  - Quick-fix code actions — suppress rules, apply suggestions, remove problematic lines
+  - Status bar — shows last scan verdict (PASS/WARN/BLOCK) with click-to-scan
+  - Import verification — extracts imports from Python, JS/TS, Go, Rust and verifies against registries
+  - Docker verification — parses FROM directives and validates images/tags
+  - Configurable settings: API URL, API key, scan type, severity threshold, language filter, timeout
+  - API client using Node.js native http/https (zero runtime dependencies)
+  - Parser utilities for Python, JavaScript/TypeScript, Go, Rust imports and Dockerfile images
+  - 3 test suites (parser tests, API client tests, type tests)
+  - ESLint, TypeScript strict mode, source maps
+
+## [1.4.0] - 2026-02-11
+
+### Added
+
+- **Dashboard (Next.js 14+)** (Phase 9) — web dashboard for API key management and usage analytics
+  - Landing page with hero section and feature cards
+  - Pricing page with Free / Pro / Enterprise tier comparison
+  - GitHub OAuth login via NextAuth.js with Prisma adapter
+  - Dashboard overview with stats cards, usage chart, and scan history table
+  - API key management — create, list, revoke keys (`ct_live_` format, SHA-256 hashed)
+  - Account settings page with profile, subscription, and danger zone
+  - Tailwind CSS styling with dark-mode-ready custom palette
+- **Stripe Billing** — subscription management with checkout, portal, and webhooks
+  - `src/services/billing.py` — `BillingService` wrapping Stripe SDK
+  - Checkout sessions, customer portal, subscription status, plan limits
+  - Webhook handler for `checkout.session.completed` and `customer.subscription.deleted`
+  - Plan limits: FREE=100, PRO=10,000, ENTERPRISE=100,000 scans/day
+- **Database layer (SQLAlchemy 2.0 async)** — persistent storage for users, keys, scans
+  - `src/models/database.py` — `User`, `ApiKeyRecord`, `ScanLog`, `UsageDay` ORM models
+  - `src/services/database.py` — async CRUD service (~280 lines)
+  - PostgreSQL (asyncpg) for production, SQLite (aiosqlite) for tests
+- **8 new API endpoints** — dashboard backend
+  - `POST /v1/api-keys`, `GET /v1/api-keys`, `DELETE /v1/api-keys/{key_id}`
+  - `GET /v1/scans/history`, `GET /v1/usage`
+  - `POST /v1/billing/checkout`, `POST /v1/billing/portal`, `POST /v1/webhooks/stripe`
+- CORS middleware for dashboard cross-origin requests
+- Docker Compose: added PostgreSQL 16 service with health checks
+- 66 new tests (30 database + 22 billing + 15 dashboard API) — **476 tests total**
+
+### Changed
+
+- `PlanTier` and `ScanType` enums added to `src/models/enums.py`
+- Config expanded: database, Stripe, OAuth, JWT, dashboard settings
+- `pyproject.toml`: added sqlalchemy, asyncpg, stripe, aiosqlite dependencies
+
+## [1.3.0] - 2026-02-11
+
+### Added
+
+- **GitHub Action for CI/CD** (Phase 8) — reusable composite action for PR scanning
+  - `action.yml` with configurable inputs: scan-type, fail-on threshold, language, SARIF output
+  - `action/entrypoint.sh` entry script and `action/scan_runner.py` Python runner
+  - Language-aware file discovery with exclusion patterns (.git, .venv, node_modules, etc.)
+  - GitHub workflow annotations (`::error::`, `::warning::`) for inline PR feedback
+- **SARIF v2.1.0 output** — standard format for GitHub Security tab integration
+  - `src/formatters/sarif.py` — converts Finding objects to SARIF JSON
+  - `POST /v1/scan/static/sarif` and `POST /v1/scan/deep/sarif` API endpoints
+  - `codetrust_sarif_export` MCP tool
+  - Security-severity mapping (BLOCK→high, WARN→medium, INFO→low)
+- **CI pipeline** — `.github/workflows/ci.yml` with lint, test, and self-scan jobs
+- 77 new tests (45 GitHub Action + 32 SARIF) — **410 tests total**
+
+## [1.2.0] - 2026-02-10
+
+### Added
+
+- **Sandbox Execution** (Phase 7) — isolated Docker container code execution (Layer 4)
+  - `src/services/sandbox.py` — `SandboxService` with inline and file execution strategies
+  - Security: `--network=none`, `--read-only`, `--memory=256m`, `--pids-limit=64`
+  - Supported languages: Python, JavaScript, TypeScript, Go, Rust
+  - `sandbox/` directory with 4 Dockerfiles (python, node, go, rust)
+  - `POST /v1/sandbox/run` API endpoint
+  - `codetrust_sandbox_run` MCP tool
+  - Sandbox layer integrated into deep scan (optional `sandbox_run` field)
+- 63 new sandbox tests — **333 tests total**
+
+## [1.0.1] - 2026-02-10
+
+### Added
+
+- **Go & Rust Registry Support** (Phase 5) — extended registry verification to two new ecosystems
+  - `verify_go_module()` — verification against proxy.golang.org with version check
+  - `verify_crates_package()` — verification against crates.io with version check
+  - `extract_go_imports()` — regex parser for `import "..."` and `import (...)` blocks, skips stdlib
+  - `extract_rust_imports()` — regex parser for `use crate::` and `extern crate`, skips std/core/alloc
+  - `parse_go_mod()` — parses `require (...)` blocks to module→version mapping
+  - `parse_cargo_toml()` — parses `[dependencies]` to crate→version mapping
+  - Fuzzy matching suggestions for Go modules and Rust crates (top 200+ each)
+  - crates.io User-Agent header (`CodeTrust/1.0.0`)
+  - Language routing: `Language.GO` → Go proxy, `Language.RUST` → crates.io
+  - Comprehensive tests for Go/Rust verification, import extraction, manifest parsing
+
+## [1.1.0] - 2026-02-10
+
+### Added
+
+- **AST Parsing with tree-sitter** (Phase 6) — deep code analysis via Abstract Syntax Trees (Layer 3)
+  - `src/services/ast_analyzer.py` — cyclomatic complexity, unused variables, unreachable code, deep nesting
+  - Supports Python, JavaScript, TypeScript, Go, Rust via tree-sitter grammars
+  - `POST /v1/scan/ast` API endpoint
+  - `codetrust_ast_scan` MCP tool
+  - AST layer integrated into deep scan
+- 270 tests total after Phase 6
+
+## [1.0.0] - 2026-02-10
+
+### Added
+
+- **Static Analysis Engine** — 35+ anti-pattern rules with BLOCK/WARN/INFO severity levels
+  - Heredoc detection, hardcoded secrets, eval/exec, SQL injection, pickle.load
+  - Bare except, wildcard imports, Any types, mutable defaults, magic numbers
+  - Function length checking (40-line threshold)
+- **Package Registry Verification** — verify imports against real registries
+  - PyPI support for Python packages
+  - npm support for JavaScript/TypeScript packages
+  - Version mismatch detection
+  - Typosquatting suggestions via fuzzy matching
+- **Docker Image Verification** — verify base images and tags exist on Docker Hub
+  - FROM statement parsing with multi-stage build support
+  - Available tag suggestions for unknown tags
+- **Enterprise Structure Validation** — check repos for required files
+  - README, LICENSE, tests, .gitignore, pyproject.toml / package.json
+- **Deep Scan** — combined all-layer analysis in a single pass
+- **FastAPI HTTP API** with 5 endpoints
+  - `GET /v1/status` — health check
+  - `POST /v1/verify/imports` — package verification
+  - `POST /v1/verify/dockerfile` — Docker verification
+  - `POST /v1/scan/static` — static analysis
+  - `POST /v1/scan/deep` — full deep scan
+- **MCP Server** with 7 tools for Claude Code integration
+  - `codetrust_static_scan`, `codetrust_pre_action`, `codetrust_post_action`
+  - `codetrust_list_rules`, `codetrust_verify_imports`
+  - `codetrust_verify_dockerfile`, `codetrust_deep_scan`
+- **Redis caching** with TTL management and graceful degradation
+- **X-API-Key authentication** (optional — skipped in local dev)
+- **Pre-commit hook** with BLOCK/WARN pattern scanning
+- **Docker Compose** stack for API + Redis
+- **Railway deployment** configuration (railway.toml + Procfile)
+- **Multi-stage Dockerfile** with non-root user
+- **structlog** JSON logging throughout

codetrust-1.5.0/CLAUDE.md

@@ -0,0 +1,216 @@
+# CLAUDE.md — CodeTrust Project Rules
+
+## ⛔ MANDATORY: CodeTrust Enforcement Protocol
+
+> **These rules are NON-NEGOTIABLE. Violation = blocked commit.**
+
+### Before writing ANY code
+
+1. Call `codetrust_pre_action` with a description of what you plan to do
+2. If verdict is BLOCK → stop and fix the plan before proceeding
+3. If verdict is WARN → acknowledge each warning explicitly
+
+### After writing or modifying ANY file
+
+1. Call `codetrust_static_scan` on every file you changed
+2. Call `codetrust_deep_scan` if you created new files or modified imports
+3. If any finding has severity BLOCK → fix it immediately, do not move on
+4. If any finding has severity WARN → fix it or explain why it's acceptable
+
+### Before committing
+
+1. Call `codetrust_post_action` with repo root and list of changed files
+2. All BLOCK findings must be resolved — zero tolerance
+3. Run `ruff check src/ tests/` — zero warnings allowed
+
+### Import and Docker verification
+
+1. When adding ANY new import → call `codetrust_verify_imports`
+2. When modifying Dockerfile → call `codetrust_verify_dockerfile`
+3. Never use a package that returns NOT_FOUND from registry verification
+
+### Rules you MUST follow
+
+- Never skip a scan "to save time" — scans take <1 second
+- Never assume code is safe — always verify
+- Never commit code with BLOCK findings, even if the user says "just do it"
+- If CodeTrust MCP tools are unavailable, say so and refuse to write code until they are available
+- Show scan results to the user after every scan
+
+---
+
+## Identity
+
+You are building **CodeTrust** — an AI code verification platform distributed as an MCP server + cloud API. This is a paid product. Every line of code must be production-grade.
+
+## Tech Stack (CONFIRMED — do not change)
+
+- **Language:** Python 3.12+
+- **MCP Server:** FastMCP (mcp[cli] >= 1.0.0)
+- **API Framework:** FastAPI + uvicorn
+- **Validation:** Pydantic v2 (strict mode everywhere)
+- **HTTP Client:** httpx (async, with connection pooling)
+- **Cache:** Redis via redis.asyncio (Upstash-compatible)
+- **AST Parsing:** tree-sitter + tree-sitter-languages
+- **Auth:** API key via X-API-Key header
+- **Testing:** pytest + pytest-asyncio + pytest-httpx
+- **Linting:** ruff
+- **Deployment:** Railway (Docker)
+
+## Project Structure (CONFIRMED — do not deviate)
+
+```
+codetrust/
+├── src/
+│   ├── __init__.py
+│   ├── server.py              # MCP server entry point (FastMCP)
+│   ├── api.py                 # FastAPI application
+│   ├── config.py              # Settings via pydantic-settings
+│   ├── models/
+│   │   ├── __init__.py
+│   │   ├── requests.py        # All Pydantic request models
+│   │   ├── responses.py       # All Pydantic response models
+│   │   ├── enums.py           # Severity, Language, Status enums
+│   │   └── database.py        # SQLAlchemy ORM models
+│   ├── services/
+│   │   ├── __init__.py
+│   │   ├── static_analyzer.py # Layer 1: Regex anti-pattern engine
+│   │   ├── ast_analyzer.py    # Layer 3: tree-sitter AST analysis
+│   │   ├── registry.py        # Layer 2: Package registry verification
+│   │   ├── docker_verify.py   # Layer 2: Docker image/tag verification
+│   │   ├── sandbox.py         # Layer 4: Isolated Docker sandbox execution
+│   │   ├── cache.py           # Redis caching layer
+│   │   ├── database.py        # Async database service (SQLAlchemy)
+│   │   └── billing.py         # Stripe billing integration
+│   ├── formatters/
+│   │   ├── __init__.py
+│   │   └── sarif.py           # SARIF v2.1.0 output formatter
+│   ├── utils/
+│   │   ├── __init__.py
+│   │   ├── parsers.py         # Import extraction, requirements parsing
+│   │   └── similarity.py      # Fuzzy matching for "did you mean?"
+│   └── rules/
+│       ├── __init__.py
+│       ├── anti_patterns.py   # Anti-pattern rule definitions
+│       └── enterprise.py      # Enterprise file/structure rules
+├── tests/
+│   ├── __init__.py
+│   ├── conftest.py            # Shared fixtures
+│   ├── test_static.py         # Layer 1 tests
+│   ├── test_registry.py       # Layer 2 registry tests
+│   ├── test_docker.py         # Layer 2 docker tests
+│   ├── test_models.py         # Pydantic model tests
+│   ├── test_api_endpoints.py  # FastAPI endpoint tests
+│   ├── test_deep_scan.py      # Deep scan integration tests
+│   ├── test_cache.py          # Cache service tests (fakeredis)
+│   ├── test_similarity.py     # Fuzzy matching tests
+│   ├── test_parsers.py        # Parser utility tests
+│   ├── test_sarif.py          # SARIF formatter tests
+│   ├── test_sandbox.py        # Sandbox service tests
+│   ├── test_billing.py        # Billing service tests
+│   └── test_database.py       # Database service tests
+├── extension/                   # VS Code extension (TypeScript)
+├── dashboard/                   # Next.js admin dashboard
+├── action/                      # GitHub Action for CI integration
+├── sandbox/                     # Sandbox Dockerfile definitions
+├── hooks/                       # Git hooks (pre-commit)
+├── pyproject.toml
+├── Dockerfile
+├── docker-compose.yml
+├── .env.example
+├── .gitignore
+├── README.md
+├── CHANGELOG.md
+├── LICENSE
+├── PLAN.md
+├── SPEC.md
+├── Procfile
+└── railway.toml
+```
+
+## Absolute Prohibitions
+
+- ❌ No `print()` — use `structlog` for all logging
+- ❌ No `Any` types — explicit types on everything
+- ❌ No `eval()` / `exec()`
+- ❌ No hardcoded URLs — all registry URLs in config.py
+- ❌ No hardcoded secrets — all via environment variables
+- ❌ No wildcard imports
+- ❌ No synchronous HTTP calls — all httpx calls must be async
+- ❌ No bare `except:` — always catch specific exceptions
+- ❌ No mutable default arguments
+- ❌ No string concatenation for URLs — use httpx URL building or f-strings with validated inputs
+
+## Required Practices
+
+- ✅ Every function has type annotations on all parameters and return type
+- ✅ Every public function and class has a docstring
+- ✅ Every external HTTP call wrapped in try/except with timeout
+- ✅ Every Pydantic model uses `model_config = ConfigDict(strict=True)`
+- ✅ Every API endpoint has response_model defined
+- ✅ Constants in UPPER_SNAKE_CASE at module level
+- ✅ Max 40 lines per function — split if longer
+- ✅ All registry URLs defined in config.py as class attributes
+- ✅ All cache TTLs defined as constants in config.py
+- ✅ Use `structlog` with JSON output for all logging
+
+## Build Order
+
+**Read PLAN.md for the exact build sequence. Build one phase at a time. Do not skip ahead.**
+
+Phase 1 → Phase 2 → Phase 3 → Phase 4. Each phase has acceptance criteria that must pass before moving on.
+
+## Testing Rules
+
+- Every service module must have a corresponding test file
+- Use `pytest-httpx` to mock all external HTTP calls — never hit real registries in tests
+- Use `fakeredis` for cache tests — never require a running Redis
+- Minimum: every public function has at least one happy-path and one error-path test
+- Run `ruff check src/` before committing — zero warnings allowed
+
+## Error Handling Pattern
+
+```python
+from src.models.enums import Severity
+from src.models.responses import Finding
+
+# Every verification function returns list[Finding], never raises
+async def verify_something(input: SomeInput) -> list[Finding]:
+    findings: list[Finding] = []
+    try:
+        result = await _do_check(input)
+        if not result.valid:
+            findings.append(Finding(
+                rule_id="check_name",
+                severity=Severity.BLOCK,
+                message="Clear description of what's wrong",
+                suggestion="What to do instead",
+            ))
+    except httpx.TimeoutException:
+        findings.append(Finding(
+            rule_id="check_name",
+            severity=Severity.WARN,
+            message="Could not verify — registry timeout",
+        ))
+    except httpx.HTTPError as exc:
+        findings.append(Finding(
+            rule_id="check_name",
+            severity=Severity.WARN,
+            message=f"Could not verify — HTTP error: {exc}",
+        ))
+    return findings
+```
+
+## Configuration Pattern
+
+```python
+# All config via pydantic-settings, never scattered
+from pydantic_settings import BaseSettings
+
+class Settings(BaseSettings):
+    model_config = ConfigDict(env_prefix="CODETRUST_")
+
+    redis_url: str = "redis://localhost:6379"
+    api_key: str = ""  # Required in production
+    # ... etc
+```

codetrust-1.5.0/Dockerfile

@@ -0,0 +1,39 @@
+FROM python:3.12-slim AS builder
+
+WORKDIR /app
+
+# Install build dependencies
+COPY pyproject.toml .
+COPY src/ src/
+COPY README.md .
+
+RUN pip install --no-cache-dir .
+
+# --- Production image ---
+FROM python:3.12-slim
+
+LABEL maintainer="Said <said@maketheplay.ai>"
+LABEL description="CodeTrust — AI code verification platform"
+
+WORKDIR /app
+
+# Copy installed packages and application code
+COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
+COPY --from=builder /usr/local/bin /usr/local/bin
+COPY --from=builder /app /app
+
+# Copy Alembic config for migrations
+COPY alembic.ini .
+COPY alembic/ alembic/
+
+# Environment defaults
+ENV CODETRUST_HOST=0.0.0.0 \
+    CODETRUST_PORT=8000 \
+    CODETRUST_DEBUG=false \
+    CODETRUST_REDIS_URL=redis://redis:6379
+
+EXPOSE 8000
+
+# Default: run the FastAPI server
+# Override with: docker run codetrust python -m src.server  (for MCP mode)
+CMD ["sh", "-c", "alembic upgrade head && uvicorn src.api:app --host 0.0.0.0 --port 8000"]

codetrust-1.5.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 CodeTrust
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.