diff --git a/.claude/commands/address-pr-feedback.md b/.claude/commands/address-pr-feedback.md index eb4f008..cb9251a 100644 --- a/.claude/commands/address-pr-feedback.md +++ b/.claude/commands/address-pr-feedback.md @@ -37,8 +37,10 @@ gh api "repos/{owner}/{repo}/pulls/{pr}/comments" --paginate \ - review/inline comments (pulls comments endpoint), or - PR-level comments (issues comments endpoint — this is where AQ posts its "Critical Issue" summary). -If neither is present, inform the user: -> "Amazon Q hasn't reviewed this PR yet. Wait for its review, then re-run this command." +**Important — Amazon Q does NOT auto-trigger.** AQ only reviews on initial PR open (and only if the org has the integration installed) or when explicitly asked via `/q review` as a PR comment. Waiting alone will never produce a review if it hasn't already started. + +If no AQ activity is present, inform the user: +> "Amazon Q hasn't reviewed this PR yet. Post `/q review` as a PR comment to request a review (AQ does not auto-trigger on push), then re-run this command once it lands." ```bash # Check both channels for AQ activity 
@@ -54,7 +56,9 @@ gh api "repos/{owner}/{repo}/issues/{pr}/comments" --paginate \ CodeRabbit re-reviews on every push. If you ran a previous round of `/address-pr-feedback`, pushed a fix commit, and CodeRabbit's response to that push hasn't landed yet, the next round will miss the new findings and cause exactly the bug this section exists to prevent. -**Amazon Q does NOT re-review automatically on push** — it only reviews on initial PR open (or when explicitly triggered). After any fix push, AQ's `commit_id` will lag HEAD and that is *expected*. Don't block on it. +**Amazon Q does NOT re-review automatically on push** — it only reviews when explicitly triggered (initial PR open if the integration is wired up, or by posting `/q review` as a PR comment). After any fix push, AQ's `commit_id` will lag HEAD and that is *expected*. Don't block on it. + +If you (or the user) want AQ to re-review the latest commit before processing feedback, post `/q review` as a PR comment and wait for the new review to land. Otherwise, proceed with the existing AQ findings and note that they reflect an earlier commit. ```bash # Compare the head SHA of the PR to the most recent CodeRabbit review's commit_id 
@@ -68,7 +72,7 @@ echo "Last CR review commit: $LATEST_CR_COMMIT" If `$LATEST_CR_COMMIT` does not match `$HEAD_SHA`, CodeRabbit hasn't reviewed the latest commit yet. Tell the user: > "CodeRabbit's latest review is on commit `` but PR head is ``. Wait a few minutes for the new review to land, then re-run." -For Amazon Q, optionally surface its review `commit_id` for context but **do not block** on a mismatch — note to the user that AQ's findings (if any) will be from its initial review pass and proceed. +For Amazon Q, optionally surface its review `commit_id` for context but **do not block** on a mismatch — note to the user that AQ's findings (if any) will be from its initial review pass and proceed. If the user wants a fresh AQ review on the latest commit, they (or you) must post `/q review` as a PR comment; AQ will not catch up on its own. ### 3. Fetch review comments (token-efficient two-pass approach) diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..bf5940a --- /dev/null +++ b/AGENTS.md 
@@ -0,0 +1,71 @@ +# Zift + +Static analysis tool that scans codebases for embedded authorization logic and generates Policy as Code (PaC). Rego/OPA today; architecture is designed to grow into other policy languages (e.g. Cedar) over time. + +> This file is the canonical instructions document for AI coding agents working on Zift. `CLAUDE.md` is a symlink to this file so Claude Code picks it up automatically; other agents (Codex, Aider, Cursor, etc.) should read `AGENTS.md` directly. + +## Setup + +After cloning, configure the pre-commit hook: + +```bash +git config core.hooksPath .githooks +``` + +## Build & Development + +```bash +cargo build +cargo build --release +cargo test +cargo fmt # required before committing +cargo clippy -- -D warnings +``` + +## Architecture + +- **CLI** (`src/cli.rs`): Subcommands — `scan`, `extract`, `report`, `rules`, `init` +- **Scanner** (`src/scanner/`): Tree-sitter AST parsing and pattern matching across languages +- **Rules** (`rules/`): TOML-based pattern definitions with tree-sitter queries and policy templates (Rego today) +- **Rego** (`src/rego/`): Policy-as-Code generation from scan findings (Rego/OPA today; additional engines like Cedar planned) +- **Output** (`src/output/`): Formatters (JSON, text; SARIF planned) + +### Design principles + +- Two-pass architecture: structural scan (tree-sitter, fast) then optional semantic scan (LLM-assisted) +- Rules are data (TOML), not code — easy to add new patterns without touching Rust +- Same finding schema for both passes + +### Language support + +- v0.1: TypeScript, JavaScript, Java, Python, Go +- v0.2 (planned): C#, Kotlin, Ruby, PHP + +## Conventional Commits & Versioning + +Uses release-plz for automated version bumping and changelog generation. 
+ +Trigger prefixes (cause version bump — see bump table below; exact bump depends on pre/post-1.0): +- `feat:` — new feature +- `fix:` — bug fix +- `refactor:` — code refactoring +- `perf:` — performance improvement + +Skipped prefixes (no version bump): +- `docs:`, `test:`, `ci:`, `chore:`, `style:`, `build:` + +PR titles must use a conventional commit prefix. + +### Bump size (Cargo 0.x SemVer) + +While the crate is below `1.0.0`, release-plz follows Cargo's 0.x convention: the **minor** position acts as the major. That changes how prefixes map to bumps: + +Placeholders below: pre-1.0 uses `0.M.p` (minor `M`, patch `p`); post-1.0 uses `m.n.p` (major `m`, minor `n`, patch `p`). + +| Commit | Pre-1.0 bump | Post-1.0 bump | +| --------------------------------------- | --------------------------- | --------------------------- | +| `fix:` / `refactor:` / `perf:` | patch (`0.M.p → 0.M.(p+1)`) | patch (`m.n.p → m.n.(p+1)`) | +| `feat:` | patch (`0.M.p → 0.M.(p+1)`) | minor (`m.n.p → m.(n+1).0`) | +| `feat!:` or `BREAKING CHANGE:` footer | minor (`0.M.p → 0.(M+1).0`) | major (`m.n.p → (m+1).0.0`) | + +Practical consequence: a plain `feat:` on `0.1.x` will **not** produce `0.2.0`. To cut `0.2.0` deliberately, land the headline change with `feat!:` (or include a `BREAKING CHANGE:` footer). For example, Python and Go structural support landed as plain `feat:` PRs and rolled into `v0.1.5`; the next language batch will use `feat!:` so it cuts `v0.2.0`. diff --git a/CLAUDE.md b/CLAUDE.md deleted file mode 100644 index 73740e2..0000000 --- a/CLAUDE.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Zift - -Static analysis tool that scans codebases for embedded authorization logic and generates Policy as Code (PaC). Rego/OPA today; architecture is designed to grow into other policy languages (e.g. Cedar) over time. - -## Setup - -After cloning, configure the pre-commit hook: - -```bash -git config core.hooksPath .githooks -``` - -## Build & Development - -```bash -cargo build -cargo build --release -cargo test -cargo fmt # required before committing -cargo clippy -- -D warnings -``` - -## Architecture - -- **CLI** (`src/cli.rs`): Subcommands — `scan`, `extract`, `report`, `rules`, `init` -- **Scanner** (`src/scanner/`): Tree-sitter AST parsing and pattern matching across languages -- **Rules** (`rules/`): TOML-based pattern definitions with tree-sitter queries and policy templates (Rego today) -- **Rego** (`src/rego/`): Policy-as-Code generation from scan findings (Rego/OPA today; additional engines like Cedar planned) -- **Output** (`src/output/`): Formatters (JSON, text; SARIF planned) - -### Design principles - -- Two-pass architecture: structural scan (tree-sitter, fast) then optional semantic scan (LLM-assisted) -- Rules are data (TOML), not code — easy to add new patterns without touching Rust -- Same finding schema for both passes - -### Language support - -- v0.1: TypeScript, JavaScript (Java in progress) -- v0.2: Python, Go -- v0.3: C#, Kotlin, Ruby, PHP - -## Conventional Commits & Versioning - -Uses release-plz for automated version bumping and changelog generation. - -Trigger prefixes (cause version bump): -- `feat:` — new feature (minor) -- `fix:` — bug fix (patch) -- `refactor:` — code refactoring (patch) -- `perf:` — performance improvement (patch) - -Skipped prefixes (no version bump): -- `docs:`, `test:`, `ci:`, `chore:`, `style:`, `build:` - -PR titles must use a conventional commit prefix. diff --git a/CLAUDE.md b/CLAUDE.md new file mode 120000 index 0000000..47dc3e3 --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1 @@ +AGENTS.md \ No newline at end of file diff --git a/README.md b/README.md index 25ea320..bb1486e 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Sift through your codebase for embedded authorization logic. Extract it into Policy as Code (PaC) — [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) for [OPA](https://www.openpolicyagent.org/) today, with other engines (e.g. Cedar) on the roadmap. -> **Status:** v0.1 — structural scanning ready for TypeScript, JavaScript, Java, and Python. `--deep` (LLM-assisted) mode functional via any OpenAI-compatible endpoint or MCP-capable agent host. +> **Status:** v0.1 — structural scanning ready for TypeScript, JavaScript, Java, Python, and Go. `--deep` (LLM-assisted) mode functional via any OpenAI-compatible endpoint or MCP-capable agent host. ## What is zift? @@ -27,7 +27,7 @@ zift report . # detailed findings report 1. **Structural scan** (tree-sitter) — fast, deterministic, zero-cost. Finds known authorization patterns: role checks, permission guards, auth middleware, security annotations. -2. **Semantic scan** (`--deep`, opt-in) — sends candidate code regions to an LLM that classifies authorization logic the structural pass missed or misjudged. Useful for business rules that implicitly encode access control, and for languages where structural support hasn't shipped yet (Go, etc.). +2. **Semantic scan** (`--deep`, opt-in) — sends candidate code regions to an LLM that classifies authorization logic the structural pass missed or misjudged. Useful for business rules that implicitly encode access control, and for languages where structural support hasn't shipped yet (C#, Kotlin, etc.). ## Supported languages 
@@ -36,11 +36,11 @@ zift report . # detailed findings report | TypeScript / JavaScript | yes (v0.1) | yes (v0.1) | Express, NestJS, Next.js | | Java | yes (v0.1) | yes (v0.1) | Spring Security, Jakarta Security | | Python | yes (v0.1) | yes (v0.1) | Django, Flask, FastAPI | -| Go | planned (v0.2) | yes (v0.1) | Gin, Echo | -| C# | planned (v0.3) | yes (v0.1) | ASP.NET Core | -| Kotlin | planned (v0.3) | yes (v0.1) | Spring (Kotlin) | -| Ruby | planned (v0.3) | yes (v0.1) | Rails | -| PHP | planned (v0.3) | yes (v0.1) | Laravel | +| Go | yes (v0.1) | yes (v0.1) | Gin, Echo | +| C# | planned (v0.2) | yes (v0.1) | ASP.NET Core | +| Kotlin | planned (v0.2) | yes (v0.1) | Spring (Kotlin) | +| Ruby | planned (v0.2) | yes (v0.1) | Rails | +| PHP | planned (v0.2) | yes (v0.1) | Laravel | Deep mode walks the full source tree by extension and detects auth-y function names with regex — so it produces useful results in any language well before structural support lands.
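Review bot: In the `.claude/commands/address-pr-feedback.md` hunk at `@@ -37,8 +37,10 @@`, the new user-facing message tells the user to post `/q review` themselves, while the later hunk in the same file (`@@ -68,7 +72,7 @@`) says "they (or you) must post" it. The two passages should agree on whether the agent is allowed to post the trigger comment on the user's behalf; if it is, the command already drives everything through `gh`, so `gh pr comment <pr> --body "/q review"` could be offered here instead of only instructing the user.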
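Review bot: In the hunk at `@@ -54,7 +56,9 @@`, "wait for the new review to land" is open-ended: the added paragraph gives no way to tell that the re-review has arrived or how long to wait. The same section already compares CodeRabbit's review `commit_id` against `$HEAD_SHA`; suggest saying to apply that same check to AQ's review `commit_id` after posting `/q review`, and what to do (proceed with the stale findings, as the next sentence already allows) if a new review never appears.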
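Review bot: The sentence appended in the hunk at `@@ -68,7 +72,7 @@` restates the `/q review` guidance added two hunks earlier almost word for word; a short back-reference to that paragraph would keep the three mentions of the trigger from drifting apart on future edits. Separately, the unchanged context line just above it still reads "on commit `` but PR head is ``" with empty backticks, which looks like a lost template variable (`$LATEST_CR_COMMIT` / `$HEAD_SHA`) rather than intended output; worth fixing while this file is being touched.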
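Review bot: In the new `AGENTS.md`, the bump table's breaking-change row names only `feat!:` or a `BREAKING CHANGE:` footer, but under Conventional Commits a `!` after any type (`fix!:`, `refactor!:`, `perf!:`) also marks a breaking change, and release-plz treats it as one. Suggest wording the row as "any type with `!`, or a `BREAKING CHANGE:` footer" so a `fix!:` is not mistaken for a plain patch bump, which matters given the "Practical consequence" paragraph relies on this table to plan the `v0.2.0` cut.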
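Review bot: The new `CLAUDE.md` is a symlink (mode `120000`, content `AGENTS.md`), which only works where git checks symlinks out as symlinks; on a Windows clone with `core.symlinks` off, `CLAUDE.md` becomes a plain file whose entire content is the text `AGENTS.md`, so Claude Code would pick up a one-word instructions file. The note in `AGENTS.md` that explains the symlink should mention this fallback (for example, enabling `core.symlinks` before cloning, or reading `AGENTS.md` directly when `CLAUDE.md` is not a link).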