codetrust 2.2.2__tar.gz → 2.3.0__tar.gz

codetrust-2.3.0/.env.example

@@ -0,0 +1,74 @@
+# ============================================================
+#  CodeTrust — Environment Variables
+#  Copy to .env and fill in your values:  cp .env.example .env
+#  All variables are prefixed with CODETRUST_.
+# ============================================================
+
+# --- Server ---
+CODETRUST_HOST=0.0.0.0
+CODETRUST_PORT=8000
+CODETRUST_DEBUG=false
+
+# --- Auth ---
+# API key for authenticating requests (≥32 chars, leave empty for local dev)
+# Generate with: openssl rand -hex 32
+CODETRUST_API_KEY=
+
+# --- Redis ---
+CODETRUST_REDIS_URL=redis://localhost:6379
+CODETRUST_REDIS_ENABLED=true
+
+# --- Cache TTLs (seconds) ---
+CODETRUST_CACHE_TTL_PACKAGE_EXISTS=86400
+CODETRUST_CACHE_TTL_PACKAGE_VERSION=3600
+CODETRUST_CACHE_TTL_DOCKER_TAG=86400
+CODETRUST_CACHE_TTL_API_ENDPOINT=1800
+CODETRUST_CACHE_TTL_NOT_FOUND=3600
+
+# --- HTTP ---
+CODETRUST_HTTP_TIMEOUT=10.0
+CODETRUST_HTTP_MAX_CONNECTIONS=50
+CODETRUST_HTTP_MAX_KEEPALIVE=20
+
+# --- Sandbox ---
+CODETRUST_SANDBOX_ENABLED=false
+CODETRUST_SANDBOX_MEMORY_LIMIT=256m
+CODETRUST_SANDBOX_DEFAULT_TIMEOUT=10
+CODETRUST_SANDBOX_MAX_TIMEOUT=30
+
+# --- Rate Limits ---
+CODETRUST_FREE_TIER_DAILY_LIMIT=100
+CODETRUST_PRO_TIER_DAILY_LIMIT=10000
+
+# --- Database ---
+# Local dev: sqlite. Production: PostgreSQL (Railway provides this)
+CODETRUST_DATABASE_URL=sqlite+aiosqlite:///codetrust.db
+# Production example:
+# CODETRUST_DATABASE_URL=postgresql+asyncpg://user:pass@host:5432/codetrust
+CODETRUST_DATABASE_ECHO=false
+CODETRUST_DATABASE_POOL_SIZE=10
+CODETRUST_DATABASE_MAX_OVERFLOW=20
+
+# --- Stripe (required for billing) ---
+# Dashboard: https://dashboard.stripe.com/apikeys
+CODETRUST_STRIPE_SECRET_KEY=
+CODETRUST_STRIPE_WEBHOOK_SECRET=
+CODETRUST_STRIPE_PRICE_PRO=price_xxx
+CODETRUST_STRIPE_PRICE_ENTERPRISE=price_xxx
+
+# --- OAuth / GitHub (required for /v1/auth/github) ---
+# Create app: https://github.com/settings/applications/new
+# Callback URL: https://your-domain/auth/callback
+CODETRUST_GITHUB_CLIENT_ID=
+CODETRUST_GITHUB_CLIENT_SECRET=
+# JWT secret (≥32 chars, generate with: openssl rand -hex 32)
+CODETRUST_JWT_SECRET=
+CODETRUST_JWT_ALGORITHM=HS256
+CODETRUST_JWT_EXPIRE_MINUTES=1440
+
+# --- Dashboard ---
+CODETRUST_DASHBOARD_URL=http://localhost:3000
+
+# --- SARIF ---
+CODETRUST_SARIF_SCHEMA_URL=https://json.schemastore.org/sarif-2.1.0.json
+CODETRUST_TOOL_INFO_URI=https://github.com/codetrust-ai/codetrust

{codetrust-2.2.2 → codetrust-2.3.0}/.gitignore

@@ -14,7 +14,9 @@ venv/
 env/
 
 # IDE
-.vscode/
+.vscode/*
+!.vscode/extensions.json
+!.vscode/settings.json
 .idea/
 *.swp
 *.swo
@@ -26,6 +28,7 @@ Thumbs.db
 # Environment
 .env
 .env.*
+!.env.example
 *.secret
 *.pem
 *.key
@@ -41,19 +44,16 @@ docker-compose.override.yml
 
 # Local-only files (plans, notes, secrets)
 .local/
-
-# Internal docs — blueprints, specs, build plans (private, never committed)
 SESSION_LOG.md
-SPEC.md
-PLAN.md
-PRODUCT.md
-PITCH.md
-COMPARISON.md
-CLAUDE.md
-TEST_EVIDENCE.md
+
+# CodeTrust runtime artifacts
+.codetrust/
+!.codetrust.toml
 
 # Node (in case of front-end components)
 node_modules/
+.next/
+next-env.d.ts
 codetrust.db
 codetrust-report.md
 codetrust-results.sarif
@@ -61,4 +61,3 @@ codetrust-results.sarif
 # VS Code Extension builds
 *.vsix
 CTfavicon.png
-.gitignore

{codetrust-2.2.2 → codetrust-2.3.0}/CHANGELOG.md

@@ -5,6 +5,116 @@ All notable changes to CodeTrust will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+### Fixed
+
+---
+
+## [2.3.0] - 2026-02-16
+
+### Added
+
+- New `database_url_credentials` rule — catches database URLs with embedded passwords
+  (e.g. `postgresql+asyncpg://user:pass@host/db`). Handles `+asyncpg`, `+pymysql`, etc.
+- Path alias test (`test_path_alias_skipped`) for `@/`, `~/`, `#/` aliases
+
+- VS Code extension:
+  - Profile support commands: Create/Apply CodeTrust Profile
+  - Scan-on-type (opt-in, debounced, offline)
+  - Expanded Quick Fix coverage (deterministic transforms)
+  - Guided onboarding: configure API URL/key + run first scan
+  - API key now stored in VS Code Secret Storage (migrated from settings)
+  - Onboarding success confirmation message
+- GitHub Action:
+  - PR-mode default (auto on pull_request): scans changed files and gates on new findings only
+  - New input `pr-mode: auto|always|never` to override behavior
+  - Markdown report + GitHub Actions step summary output (for PR review workflows)
+  - PR comment posted/updated automatically (requires `pull-requests: write`)
+  - Hard gate: new-findings-only baseline vs HEAD (fails PR if baseline cannot be computed)
+  - PR comment is idempotent (start/end markers), machine-readable, and includes actionable CLI commands
+  - Added a real-runner selftest workflow to verify action behavior on PRs (PASS/BLOCK + idempotent comment)
+- CLI:
+  - `codetrust add` stack presets for `.vscode/settings.json` (`--stack auto|nextjs|node|python|go|generic`)
+  - Noise-control flags: `--dedupe`, `--changed-only`, `--suppress-lint-noise` (opt-in)
+  - Repo-aware commands: `codetrust pr-risk`, `codetrust trust-diff`, `codetrust trend record/show`
+  - Baseline-aware gating: `codetrust scan --baseline <ref> --fail-on-new BLOCK` (new findings only)
+  - Doctor onboarding: `codetrust doctor --fix` installs missing enforcement layers
+  - Safe autofix: `codetrust fix` (preview by default, `--apply` to write)
+  - Policy Wizard: `codetrust policy wizard` generates governance presets + installs `.taplo.toml` + `.codetrust.schema.json` for autocomplete
+
+### Fixed
+
+- `hardcoded_secret` rule now handles Python type annotations (`secret_key: str = "change-me"`)
+  and compound names (`secret_key`, `secret_token`, etc.)
+- `api_key_in_config` rule scoped to config file types (`.yml/.yaml/.toml/.ini/.cfg/.conf`) to avoid false BLOCK findings in Python runtime code
+- CI self-scan (`fail-on: block`) stabilized by removing false-positive BLOCK on `settings.stripe_secret_key` assignment in Python service code
+- JS/TS import verification no longer flags `@/components`, `@/lib`, `~/config`, `#/db`
+  as hallucinated packages — these are Next.js/Vite/TypeScript path aliases
+- Rule count updated: 76 scan + 57 gateway = 133 total
+- Test count: 1358
+
+- Pre-commit and CLI interoperability:
+  - Deterministic `codetrust scan --json` output (pure JSON on stdout)
+  - Hook/template JSON parsing made robust (accurate warn/info counts)
+- Extension tests now compile before running to ensure TS tests are executed
+
+- Pre-commit hook reliability:
+  - Hook/template no longer crashes when `.venv/bin/python` is missing (new repo onboarding)
+  - Subprocess failures/timeouts now gracefully fall back instead of blocking commits
+
+- API optional-auth semantics:
+  - When auth is not configured, `X-API-Key` / Bearer headers are ignored (no surprising 401)
+  - When auth is configured, invalid keys still return 401 with actionable guidance
+
+- VS Code extension verification hardening:
+  - Added VS Code test-harness integration coverage for activation + `codetrust.scanFile` → diagnostics
+  - Added regression coverage for settings → SecretStorage API key migration
+
+---
+
+## [2.2.4] - 2026-02-13
+
+### Fixed
+
+- Removed public release-process text from root README to keep product-facing docs clean
+- Strengthened release sync guard to validate version parity across extension/package, pyproject,
+  changelog, and website (without depending on public README strings)
+- Synced release-prep versioning across backend/API docs/site to `2.2.4`
+
+### Changed
+
+- Prepared manual release candidate `2.2.4` locally (no deploy, no push)
+
+### Released
+
+- Published `codetrust==2.2.4` to PyPI
+- Published `SaidBorna.codetrust v2.2.4` to VS Code Marketplace
+
+---
+
+## [2.2.3] - 2026-02-13
+
+### Fixed
+
+- VS Code extension lint blockers resolved:
+  - removed unnecessary regex escape in embedded scanner rules
+  - added explicit return types for registered command handlers
+  - removed unused status bar variable
+- Dashboard build blockers resolved:
+  - added missing dependency `@next-auth/prisma-adapter`
+  - updated Stripe API version typing in webhook route
+  - deferred Stripe client initialization to request-time with env validation to avoid build-time failure
+
+### Released
+
+- Published to VS Code Marketplace: `SaidBorna.codetrust` **v2.2.3**
+- PyPI release remains pending (Python package version unchanged)
+
+---
+
 ## [2.2.2] - 2026-02-13
 
 ### Security
@@ -242,7 +352,7 @@ Not just a snapshot — a real metric that tracks how your codebase is evolving.
 - **Procfile** — removed `alembic upgrade head &&` that blocked server start; migration now handled by `preDeployCommand`
 - **railway.toml** — removed `preDeployCommand` (alembic migration was hanging on DB lock)
 - **blocking_prestart self-scan** — split regex string with concatenation to prevent rule definitions from self-matching in `cli.py`, `anti_patterns.py`, `pre-commit`, `templates/pre-commit`
-- **GitHub Action heredoc** — replaced `<<EOF` with dynamic delimiter in `.github/workflows/codetrust-scan.yml`
+- **GitHub Action heredoc** — replaced a fixed heredoc delimiter with a dynamic delimiter in `.github/workflows/codetrust-scan.yml`
 - **4 except_swallow BLOCK violations** in production code:
   - `src/cli.py:522` — `except: pass` → `hooks_path_set = False`
   - `src/services/registry.py:539` — `except: pass` → `logger.debug()`

{codetrust-2.2.2 → codetrust-2.3.0}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: codetrust
-Version: 2.2.2
-Summary: AI code safety platform — 132 rules, 10 enforcement layers, 3 moats no other tool has. AI Governance Gateway blocks destructive AI agent actions before execution (57 real-time rules). Hallucination Detection verifies every import against PyPI/npm/crates.io/Go proxy. Trust Score tracks code safety drift over time. 27 API endpoints, 17 MCP tools, 1314 tests. CLI, VS Code extension, GitHub Action, and MCP server.
+Version: 2.3.0
+Summary: AI code safety platform — 133 rules, 10 enforcement layers, 3 moats no other tool has. AI Governance Gateway blocks destructive AI agent actions before execution (57 real-time rules). Hallucination Detection verifies every import against PyPI/npm/crates.io/Go proxy. Trust Score tracks code safety drift over time. 27 API endpoints, 17 MCP tools, 1358 tests. CLI, VS Code extension, GitHub Action, and MCP server.
 Project-URL: Homepage, https://codetrust.saidborna.com
 Project-URL: Repository, https://github.com/S-Borna/codetrust
 Project-URL: Documentation, https://codetrust.saidborna.com
@@ -48,13 +48,17 @@ Requires-Dist: ruff>=0.5.0; extra == 'dev'
 Description-Content-Type: text/markdown
 
 <p align="center">
-  <img src="https://raw.githubusercontent.com/S-Borna/codetrust/main/docs/logo.png" alt="CodeTrust" width="420">
+  <img src="https://codetrust.saidborna.com/logo.png" alt="CodeTrust" width="420">
 </p>
 
 <p align="center">
   <strong>Trust the code. Ship with proof.</strong>
 </p>
 
+<p align="center">
+  <code>Current: v2.3.0</code> &middot; <code>1358 tests</code> &middot; <code>133 rules</code> &middot; <code>10 layers</code>
+</p>
+
 <p align="center">
   <a href="https://pypi.org/project/codetrust/"><img src="https://img.shields.io/pypi/v/codetrust?style=flat-square&color=38d8fd" alt="PyPI"></a>
   <a href="https://marketplace.visualstudio.com/items?itemName=SaidBorna.codetrust"><img src="https://img.shields.io/visual-studio-marketplace/v/SaidBorna.codetrust?style=flat-square&color=5bca78" alt="VS Code Marketplace"></a>
@@ -74,7 +78,7 @@ Description-Content-Type: text/markdown
 
 ## What CodeTrust Is
 
-**AI Governance Enforcement Platform** — 132 rules across 10 enforcement layers, 17 MCP tools, 27 API endpoints. 1,314 tests.
+**AI Governance Enforcement Platform** — 133 rules across 10 enforcement layers, 17 MCP tools, 27 API endpoints. 1,358 tests.
 
 CodeTrust prevents unsafe, hallucinated, and destructive AI-generated code from reaching production. It enforces safety across the entire development lifecycle — before execution, during development, before commit, during CI/CD, and before deployment.
 
@@ -139,7 +143,7 @@ AI writes code fast. But fast doesn't mean safe. **78% of developers** use AI co
 | Failure Mode | What Happens | Who Catches It |
 |---|---|---|
 | **Hallucinated packages** | `pip install` fails — or worse: typosquatted malware installs | CodeTrust verifies imports against live registries |
-| **Destructive agent commands** | `rm -rf /`, `eval()`, `curl\|sh` — data loss, RCE, supply chain compromise | CodeTrust Gateway intercepts before execution |
+| **Destructive agent commands** | `rm -rf /`, dynamic code execution, `curl\|sh` — data loss, RCE, supply chain compromise | CodeTrust Gateway intercepts before execution |
 | **Ghost Docker images** | AI references images that don't exist — build breaks at 2AM | CodeTrust validates images against Docker Hub |
 | **Invisible code drift** | AI code quality degrades gradually — no one measures it | CodeTrust tracks trust score over time |
 
@@ -160,7 +164,7 @@ Unlike traditional tools, CodeTrust uniquely combines pre-execution interception
 
 CodeTrust scans code across 10 layers covering static analysis, root cause analysis, SQL safety, AST structural analysis, container hardening, infrastructure-as-code, framework-specific rules (React, Kubernetes, CI/CD), live import verification, Docker image verification, and the real-time AI governance gateway.
 
-**75 scan rules + 57 gateway rules = 132 total.** Every rule produces a BLOCK, WARN, or INFO verdict.
+**76 scan rules + 57 gateway rules = 133 total.** Every rule produces a BLOCK, WARN, or INFO verdict.
 
 ---
 
@@ -229,9 +233,9 @@ codetrust scan .
 |---------|---------|--------------|
 | **CLI** | `pip install codetrust` | Full scan from terminal with exit code enforcement |
 | **VS Code** | Install from Marketplace | Scan on save, inline diagnostics, AI governance |
-| **GitHub Action** | `uses: S-Borna/codetrust@v2` | PR checks with SARIF upload to Security tab |
+| **GitHub Action** | `uses: S-Borna/codetrust@v2.3.0` | PR checks with SARIF upload to Security tab |
 | **MCP Server** | 17 tools for AI agents | Claude Code / Cursor get real-time safety feedback |
-| **REST API** | 27 endpoints, authenticated | Integrate into any pipeline or platform |
+| **REST API** | 27 endpoints with rate limiting | Integrate into any pipeline or platform |
 
 ---
 
@@ -243,10 +247,19 @@ codetrust scan src/                # Scan a directory
 codetrust scan . --sarif           # SARIF output for CI
 codetrust scan . --json            # JSON output
 codetrust scan . --no-verify-imports  # Skip registry checks (offline)
+codetrust scan . --changed-only --dedupe  # Reduce noise in large repos
+codetrust scan . --suppress-lint-noise    # Optional suppression for lint-heavy output
 
 codetrust status                   # Check enforcement status
 codetrust doctor                   # Diagnose installation
 
+codetrust pr-risk                  # Repo-aware PR risk summary (git diff aware)
+codetrust trust-diff               # Compare trust score: HEAD vs working tree
+codetrust trend record             # Record a local snapshot
+codetrust trend show               # Show recorded snapshots
+
+codetrust policy wizard            # Generate governance policy presets + TOML autocomplete
+
 codetrust governance --status      # Governance overview
 codetrust governance --mode audit  # Switch to audit mode
 codetrust audit --hours 24         # Review recent actions
@@ -261,17 +274,28 @@ code --install-extension SaidBorna.codetrust
 ```
 
 - Scans on save (configurable)
+- Scan on type (opt-in, debounced) using the embedded offline scanner
 - Inline diagnostics with severity levels
 - Works fully offline — all scan rules embedded
 - "Scan Workspace" — up to 500 files with progress UI
+- Profile create/apply commands for quick setup
+- Quick Fixes for common findings
+- Health Check command for connectivity and config sanity
 - AI governance controls built in
 - Deep scan mode for full analysis
 
 | Setting | Default | Description |
 |---------|---------|-------------|
+| `codetrust.apiUrl` | `https://codetrust-api-production.up.railway.app` | API server URL (or `http://localhost:8000` self-hosted) |
+| `codetrust.apiKey` | `""` | API key for authentication (`X-API-Key`) |
 | `codetrust.scanOnSave` | `true` | Auto-scan on save |
+| `codetrust.scanOnType` | `false` | Scan while typing (embedded offline scanner) |
+| `codetrust.scanOnTypeDebounceMs` | `600` | Debounce delay for scan while typing |
 | `codetrust.severityThreshold` | `INFO` | Minimum severity to show |
+| `codetrust.enabledLanguages` | `[...]` | Languages to scan |
 | `codetrust.scanType` | `static` | `static` or `deep` |
+| `codetrust.verifyImportsOnSave` | `false` | Verify imports on save (network) |
+| `codetrust.timeout` | `15000` | Request timeout in milliseconds |
 | `codetrust.governance.enabled` | `true` | Enable AI governance |
 | `codetrust.governance.mode` | `enforce` | `enforce` / `audit` / `off` |
 
@@ -279,16 +303,27 @@ code --install-extension SaidBorna.codetrust
 
 ## GitHub Action
 
+Minimum permissions required for PR comments and SARIF upload:
+
 ```yaml
-- uses: S-Borna/codetrust@v2
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+  security-events: write
+```
+
+```yaml
+- uses: S-Borna/codetrust@v2.3.0
   with:
     fail-on: block
     scan-type: static
     sarif: true
-  env:
-    CODETRUST_API_KEY: ${{ secrets.CODETRUST_API_KEY }}
 
-- uses: github/codeql-action/upload-sarif@v3
+# Optional (default: auto on pull_request)
+# pr-comment: auto|always|never
+
+- uses: github/codeql-action/upload-sarif@v4
   if: always()
   with:
     sarif_file: codetrust-results.sarif
@@ -361,7 +396,7 @@ See `codetrust init` for a starter configuration.
 |---------|---------|
 | **PyPI** | `pip install codetrust` |
 | **VS Code Marketplace** | `code --install-extension SaidBorna.codetrust` |
-| **GitHub Action** | `uses: S-Borna/codetrust@v2` |
+| **GitHub Action** | `uses: S-Borna/codetrust@v2.3.0` |
 | **Cloud API** | Available at `codetrust-api.saidborna.com` |
 | **MCP Server** | Included in the package |
 | **Website** | [codetrust.saidborna.com](https://codetrust.saidborna.com) |
@@ -372,7 +407,7 @@ See `codetrust init` for a starter configuration.
 
 ```bash
 pip install -e ".[dev]"
-pytest tests/ -v           # 1314 tests
+pytest tests/ -v           # 1358 tests
 ruff check src/ tests/     # zero warnings
 ```
 

{codetrust-2.2.2 → codetrust-2.3.0}/README.md

@@ -1,11 +1,15 @@
 <p align="center">
-  <img src="https://raw.githubusercontent.com/S-Borna/codetrust/main/docs/logo.png" alt="CodeTrust" width="420">
+  <img src="https://codetrust.saidborna.com/logo.png" alt="CodeTrust" width="420">
 </p>
 
 <p align="center">
   <strong>Trust the code. Ship with proof.</strong>
 </p>
 
+<p align="center">
+  <code>Current: v2.3.0</code> &middot; <code>1358 tests</code> &middot; <code>133 rules</code> &middot; <code>10 layers</code>
+</p>
+
 <p align="center">
   <a href="https://pypi.org/project/codetrust/"><img src="https://img.shields.io/pypi/v/codetrust?style=flat-square&color=38d8fd" alt="PyPI"></a>
   <a href="https://marketplace.visualstudio.com/items?itemName=SaidBorna.codetrust"><img src="https://img.shields.io/visual-studio-marketplace/v/SaidBorna.codetrust?style=flat-square&color=5bca78" alt="VS Code Marketplace"></a>
@@ -25,7 +29,7 @@
 
 ## What CodeTrust Is
 
-**AI Governance Enforcement Platform** — 132 rules across 10 enforcement layers, 17 MCP tools, 27 API endpoints. 1,314 tests.
+**AI Governance Enforcement Platform** — 133 rules across 10 enforcement layers, 17 MCP tools, 27 API endpoints. 1,358 tests.
 
 CodeTrust prevents unsafe, hallucinated, and destructive AI-generated code from reaching production. It enforces safety across the entire development lifecycle — before execution, during development, before commit, during CI/CD, and before deployment.
 
@@ -90,7 +94,7 @@ AI writes code fast. But fast doesn't mean safe. **78% of developers** use AI co
 | Failure Mode | What Happens | Who Catches It |
 |---|---|---|
 | **Hallucinated packages** | `pip install` fails — or worse: typosquatted malware installs | CodeTrust verifies imports against live registries |
-| **Destructive agent commands** | `rm -rf /`, `eval()`, `curl\|sh` — data loss, RCE, supply chain compromise | CodeTrust Gateway intercepts before execution |
+| **Destructive agent commands** | `rm -rf /`, dynamic code execution, `curl\|sh` — data loss, RCE, supply chain compromise | CodeTrust Gateway intercepts before execution |
 | **Ghost Docker images** | AI references images that don't exist — build breaks at 2AM | CodeTrust validates images against Docker Hub |
 | **Invisible code drift** | AI code quality degrades gradually — no one measures it | CodeTrust tracks trust score over time |
 
@@ -111,7 +115,7 @@ Unlike traditional tools, CodeTrust uniquely combines pre-execution interception
 
 CodeTrust scans code across 10 layers covering static analysis, root cause analysis, SQL safety, AST structural analysis, container hardening, infrastructure-as-code, framework-specific rules (React, Kubernetes, CI/CD), live import verification, Docker image verification, and the real-time AI governance gateway.
 
-**75 scan rules + 57 gateway rules = 132 total.** Every rule produces a BLOCK, WARN, or INFO verdict.
+**76 scan rules + 57 gateway rules = 133 total.** Every rule produces a BLOCK, WARN, or INFO verdict.
 
 ---
 
@@ -180,9 +184,9 @@ codetrust scan .
 |---------|---------|--------------|
 | **CLI** | `pip install codetrust` | Full scan from terminal with exit code enforcement |
 | **VS Code** | Install from Marketplace | Scan on save, inline diagnostics, AI governance |
-| **GitHub Action** | `uses: S-Borna/codetrust@v2` | PR checks with SARIF upload to Security tab |
+| **GitHub Action** | `uses: S-Borna/codetrust@v2.3.0` | PR checks with SARIF upload to Security tab |
 | **MCP Server** | 17 tools for AI agents | Claude Code / Cursor get real-time safety feedback |
-| **REST API** | 27 endpoints, authenticated | Integrate into any pipeline or platform |
+| **REST API** | 27 endpoints with rate limiting | Integrate into any pipeline or platform |
 
 ---
 
@@ -194,10 +198,19 @@ codetrust scan src/                # Scan a directory
 codetrust scan . --sarif           # SARIF output for CI
 codetrust scan . --json            # JSON output
 codetrust scan . --no-verify-imports  # Skip registry checks (offline)
+codetrust scan . --changed-only --dedupe  # Reduce noise in large repos
+codetrust scan . --suppress-lint-noise    # Optional suppression for lint-heavy output
 
 codetrust status                   # Check enforcement status
 codetrust doctor                   # Diagnose installation
 
+codetrust pr-risk                  # Repo-aware PR risk summary (git diff aware)
+codetrust trust-diff               # Compare trust score: HEAD vs working tree
+codetrust trend record             # Record a local snapshot
+codetrust trend show               # Show recorded snapshots
+
+codetrust policy wizard            # Generate governance policy presets + TOML autocomplete
+
 codetrust governance --status      # Governance overview
 codetrust governance --mode audit  # Switch to audit mode
 codetrust audit --hours 24         # Review recent actions
@@ -212,17 +225,28 @@ code --install-extension SaidBorna.codetrust
 ```
 
 - Scans on save (configurable)
+- Scan on type (opt-in, debounced) using the embedded offline scanner
 - Inline diagnostics with severity levels
 - Works fully offline — all scan rules embedded
 - "Scan Workspace" — up to 500 files with progress UI
+- Profile create/apply commands for quick setup
+- Quick Fixes for common findings
+- Health Check command for connectivity and config sanity
 - AI governance controls built in
 - Deep scan mode for full analysis
 
 | Setting | Default | Description |
 |---------|---------|-------------|
+| `codetrust.apiUrl` | `https://codetrust-api-production.up.railway.app` | API server URL (or `http://localhost:8000` self-hosted) |
+| `codetrust.apiKey` | `""` | API key for authentication (`X-API-Key`) |
 | `codetrust.scanOnSave` | `true` | Auto-scan on save |
+| `codetrust.scanOnType` | `false` | Scan while typing (embedded offline scanner) |
+| `codetrust.scanOnTypeDebounceMs` | `600` | Debounce delay for scan while typing |
 | `codetrust.severityThreshold` | `INFO` | Minimum severity to show |
+| `codetrust.enabledLanguages` | `[...]` | Languages to scan |
 | `codetrust.scanType` | `static` | `static` or `deep` |
+| `codetrust.verifyImportsOnSave` | `false` | Verify imports on save (network) |
+| `codetrust.timeout` | `15000` | Request timeout in milliseconds |
 | `codetrust.governance.enabled` | `true` | Enable AI governance |
 | `codetrust.governance.mode` | `enforce` | `enforce` / `audit` / `off` |
 
@@ -230,16 +254,27 @@ code --install-extension SaidBorna.codetrust
 
 ## GitHub Action
 
+Minimum permissions required for PR comments and SARIF upload:
+
 ```yaml
-- uses: S-Borna/codetrust@v2
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+  security-events: write
+```
+
+```yaml
+- uses: S-Borna/codetrust@v2.3.0
   with:
     fail-on: block
     scan-type: static
     sarif: true
-  env:
-    CODETRUST_API_KEY: ${{ secrets.CODETRUST_API_KEY }}
 
-- uses: github/codeql-action/upload-sarif@v3
+# Optional (default: auto on pull_request)
+# pr-comment: auto|always|never
+
+- uses: github/codeql-action/upload-sarif@v4
   if: always()
   with:
     sarif_file: codetrust-results.sarif
@@ -312,7 +347,7 @@ See `codetrust init` for a starter configuration.
 |---------|---------|
 | **PyPI** | `pip install codetrust` |
 | **VS Code Marketplace** | `code --install-extension SaidBorna.codetrust` |
-| **GitHub Action** | `uses: S-Borna/codetrust@v2` |
+| **GitHub Action** | `uses: S-Borna/codetrust@v2.3.0` |
 | **Cloud API** | Available at `codetrust-api.saidborna.com` |
 | **MCP Server** | Included in the package |
 | **Website** | [codetrust.saidborna.com](https://codetrust.saidborna.com) |
@@ -323,7 +358,7 @@ See `codetrust init` for a starter configuration.
 
 ```bash
 pip install -e ".[dev]"
-pytest tests/ -v           # 1314 tests
+pytest tests/ -v           # 1358 tests
 ruff check src/ tests/     # zero warnings
 ```
 

{codetrust-2.2.2 → codetrust-2.3.0}/action/entrypoint.sh

@@ -13,6 +13,9 @@ MAX_FILE_SIZE="${CODETRUST_MAX_FILE_SIZE:-500000}"
 INCLUDE_PATTERN="${CODETRUST_INCLUDE_PATTERN:-}"
 CT_AUTH="${CODETRUST_API_KEY:-}"
 API_URL="${CODETRUST_API_URL:-https://api.codetrust.dev}"
+PR_MODE="${CODETRUST_PR_MODE:-auto}"
+PR_COMMENT="${CODETRUST_PR_COMMENT:-auto}"
+NEW_FINDINGS_ONLY="${CODETRUST_NEW_FINDINGS_ONLY:-auto}"
 
 # ---- Resolve action root ----
 ACTION_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
@@ -32,6 +35,9 @@ python3 "${ACTION_ROOT}/action/scan_runner.py" \
   --fail-on "${FAIL_ON}" \
   --max-file-size "${MAX_FILE_SIZE}" \
   --include-pattern "${INCLUDE_PATTERN}" \
+  --pr-mode "${PR_MODE}" \
+  --pr-comment "${PR_COMMENT}" \
+  --new-findings-only "${NEW_FINDINGS_ONLY}" \
   --api-key "${CT_AUTH}" \
   --api-url "${API_URL}"