From ed340dd1c7728a723151648136e3f25bcb358ba5 Mon Sep 17 00:00:00 2001 
From: Jamkris Date: Mon, 27 Apr 2026 13:46:07 +0900 Subject: [PATCH 1/2] chore: add Greptile and GitGuardian configs (OSS-free tier) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both tools are free for public OSS repos under MIT/Apache/GPL — Greptile via the OSS Perks program, GitGuardian via the public-repo free tier. Cubic is also free for public repos but is configured purely through the GitHub App, with no in-repo file needed. greptile.json - strictness 2 + commentTypes [logic, syntax] (matches CodeRabbit's "bugs and security over style" stance) - ignoreKeywords: bump version / release / chore: bump / chore(release) / chore(deps) so dependabot and release PRs don't get noisy reviews - disabledLabels: release, skip-review (manual escape hatch) - ignorePatterns: lockfiles, node_modules, *.DS_Store, binary doc assets - instructions: project base prompt — Gemini CLI extension, not a typical app; common false-positive flags called out - customContext.rules: per-path guidance mirroring path_instructions in .coderabbit.yaml — agents (tool allowlist), commands (egc- prefix), skills, hooks, scripts, rules, docs - customContext.files: pins .gemini/styleguide.md and the gemini-tools lib as authoritative references .gitguardian.yaml - secret.ignored_paths: lockfiles, node_modules, binary doc assets, plus tests/lint/fixtures/** and tests/ci/** (the latter embeds `${{ github.event.pull_request.head.sha }}` strings as hostile workflow fixtures, which entropy-style detectors can misfire on) - ignored_detectors: 'Generic High Entropy Secret' to suppress noise from documentation examples and curl snippets Lint clean / 187 tests pass. 
Action items for the maintainer (not in-repo): - Install Cubic GitHub App: https://github.com/apps/cubic-dev-ai - Apply for Greptile OSS plan: https://www.ossperks.com/programs/greptile - GitGuardian app should already pick up .gitguardian.yaml automatically once the org is on the free OSS tier
---
 .gitguardian.yaml | 35 ++++++++++++++++++++++++++
 greptile.json | 63 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 .gitguardian.yaml
 create mode 100644 greptile.json
diff --git a/.gitguardian.yaml b/.gitguardian.yaml
new file mode 100644
index 0000000..5d6a44f
--- /dev/null
+++ b/.gitguardian.yaml
@@ -0,0 +1,35 @@
+version: 2
+
+# Public OSS repo on the GitGuardian Free tier. Defaults are fine for most
+# of the tree; we only add path-level excludes for noise (lockfiles, vendored
+# binary assets) and intentional dummy values used in security-hook tests.
+
+exit_zero: false
+verbose: false
+
+secret:
+ ignored_paths:
+ # Lockfiles and machine-generated artifacts
+ - 'package-lock.json'
+ - '**/package-lock.json'
+ - 'node_modules/**'
+ - '*.lock'
+ - '.DS_Store'
+
+ # Binary/static assets that scanners shouldn't probe
+ - 'docs/**/*.png'
+ - 'docs/**/*.jpg'
+
+ # Test fixtures: tests/lint/fixtures/agents/* contains intentionally
+ # malformed YAML and tests/ci/* embeds GitHub Actions expression
+ # strings (`${{ github.event.pull_request.head.sha }}`) — neither is
+ # a real secret but pattern-matchers can flag the latter.
+ - 'tests/lint/fixtures/**'
+ - 'tests/ci/**'
+
+ # Reduce noise from broad detectors that misfire on documentation
+ # examples (curl snippets, example tokens like "sk-proj-xxxxx").
+ ignored_detectors:
+ - 'Generic High Entropy Secret'
+
+ show_secrets: false
diff --git a/greptile.json b/greptile.json
new file mode 100644
index 0000000..ea1615f
--- /dev/null
+++ b/greptile.json
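Review bot: `- 'tests/lint/fixtures/**'` and `- 'tests/ci/**'` drop those directories from every detector, not only from the pattern-matchers the comment says misfire on the `${{ github.event.pull_request.head.sha }}` strings, so a real credential committed anywhere under tests/ci would never be reported. The comment justifies the exclusion with two narrow sources of noise (malformed agent YAML under tests/lint/fixtures/agents and workflow-expression fixtures under tests/ci), so the globs can be narrowed to those fixture files, for example `- 'tests/lint/fixtures/agents/**'` in place of the fixtures-wide entry. A per-line ignore on the handful of fixture strings, if the scanner supports one, would keep the whole test tree scanned.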
@@ -0,0 +1,63 @@
+{
+ "$schema": "https://www.greptile.com/schemas/greptile.json",
+ "strictness": 2,
+ "commentTypes": ["logic", "syntax"],
+ "triggerOnUpdates": true,
+ "triggerOnDrafts": false,
+ "shouldUpdateDescription": false,
+ "summarySection": true,
+ "confidenceScoreSection": true,
+ "sequenceDiagramSection": false,
+ "ignoreKeywords": "bump version\nrelease\nchore: bump\nchore(release)\nchore(deps)",
+ "ignorePatterns": "node_modules/**\npackage-lock.json\n*.lock\n.DS_Store\nassets/**\ndocs/**/*.png\ndocs/**/*.jpg",
+ "disabledLabels": ["release", "skip-review"],
+ "instructions": "This is a Gemini CLI extension (everything-gemini-code) — not a typical application. Codebase consists of: shell/Node scripts (scripts/), TOML commands (commands/), Markdown skills (skills/) and agents (agents/), JSON hooks (hooks/), and multilingual docs (docs/{en,ko-KR,zh-CN}). Be concise and direct. Prioritize bugs and security issues over style. Do NOT flag emoji usage in markdown, long TOML prompt fields, or skills referencing ~/.gemini/ paths.",
+ "customContext": {
+ "rules": [
+ {
+ "rule": "Gemini CLI agent definitions. YAML frontmatter MUST include `name`, `description`, and `tools`. The `tools:` array may ONLY contain valid Gemini CLI built-in tools: read_file, read_many_files, write_file, replace, glob, search_file_content, list_directory, run_shell_command, save_memory, web_fetch, google_web_search. Reject Claude-style names (search_files, replace_in_file, Read, Edit), MCP tool references (mcp__*) — those are auto-discovered at runtime and rejected by the schema if declared. Reject frontmatter keys outside the schema (color, model). Authoritative allowlist lives in scripts/lib/gemini-tools.js.",
+ "scope": ["agents/**/*.md"]
+ },
+ {
+ "rule": "Gemini CLI command definitions in TOML. Filename MUST start with the `egc-` prefix (avoids collision with built-in /plan, /docs). 
`description` must be non-empty.",
+ "scope": ["commands/**/*.toml"]
+ },
+ {
+ "rule": "Skill definitions. Frontmatter must include `name` and `description`. The body must contain a `## When to Use` section with specific, actionable trigger conditions — not `When to Activate` or `When to Apply`.",
+ "scope": ["skills/**/*.md"]
+ },
+ {
+ "rule": "Hook scripts and hooks.json. Hooks run automatically on Gemini CLI tool events (BeforeTool, AfterTool, SessionStart, SessionEnd, PreCompress, AfterAgent) — any failure impacts every session. Verify error handling, quiet logging, and intentional exit codes (0 = allow, 2 = block in BeforeTool).",
+ "scope": ["hooks/**", "scripts/hooks/**"]
+ },
+ {
+ "rule": "Shell scripts must use `set -euo pipefail`, quote all variables, and avoid interpolating shell variables into `node -e` strings (use process.env instead). Support both macOS and Linux — no GNU-only flags.",
+ "scope": ["scripts/**/*.sh", "**/*.sh"]
+ },
+ {
+ "rule": "Node.js 20+ project. Avoid mutation — prefer spread/immutable patterns. Handle errors explicitly; never swallow silently. Functions should be under 50 lines (soft target — vendored upstream ports may exceed). No console.log in hook scripts (hooks must run silently on success).",
+ "scope": ["scripts/**/*.js", "tests/**/*.js"]
+ },
+ {
+ "rule": "Coding rules shipped to end users at ~/.gemini/rules/. Cross-references between common/ and language-specific files must use relative paths (../common/xxx.md) and the targets must exist.",
+ "scope": ["rules/**/*.md"]
+ },
+ {
+ "rule": "User-facing multilingual documentation. 
Tool-name mapping tables (Claude Code ↔ Gemini CLI) must list ONLY valid Gemini CLI tool names — incorrect mappings here propagate into agent/skill definitions.",
+ "scope": ["docs/**/*.md"]
+ }
+ ],
+ "files": [
+ {
+ "path": ".gemini/styleguide.md",
+ "description": "Project conventions for shell scripts, TOML commands, agents, skills, hooks, and CI workflows.",
+ "scope": ["**"]
+ },
+ {
+ "path": "scripts/lib/gemini-tools.js",
+ "description": "Authoritative source of valid Gemini CLI agent tool names and forbidden frontmatter keys.",
+ "scope": ["agents/**", "scripts/ci/validate-agents.js"]
+ }
+ ]
+ }
+}
From e97b09c953f7142953f4a612e982bc409ef5b52d Mon Sep 17 00:00:00 2001
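Review bot: `"disabledLabels": ["release", "skip-review"]` hands the review bypass to anyone who can apply labels on the repository, which on GitHub typically includes triage-level collaborators and not only the people who merge; the commit message calls it a manual escape hatch, but nothing in the config limits who pulls it. Since greptile.json cannot carry a comment, the expectation that only maintainers use the label belongs in the contributor docs, and the presence of the label is worth checking during human review of a PR. Separately, the agents rule enumerates the tool allowlist that `customContext.files` already pins to scripts/lib/gemini-tools.js, so the two will drift as tools are added; the rule's closing sentence, `Authoritative allowlist lives in scripts/lib/gemini-tools.js.`, could stand on its own in place of the hard-coded list.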
From: Jamkris Date: Mon, 27 Apr 2026 13:57:26 +0900 Subject: [PATCH 2/2] fix: address review feedback on PR #49 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CodeRabbit + cubic + Greptile flagged five issues; all valid. greptile.json - section fields now use the documented object shape { included, collapsible, defaultOpen } instead of bare booleans (cubic P2; verified against greptile.com/docs/code-review-bot/greptile-json) - removed the bare "release" keyword from ignoreKeywords; was too broad — would have skipped review on PRs titled "Add release notes", "Document release process", "Fix memory release bug", etc. Replaced with the more specific `chore: release`. Other entries (chore: bump, chore(release), chore(deps)) keep the dependabot/ release-PR coverage. (cubic P2, Greptile P2) - split the Node.js general-style rule from the hook-specific "no console.log" directive. The original rule scoped console.log enforcement to scripts/**/*.js + tests/**/*.js, which would flag every test file (tests legitimately use console.log to report results). The no-console-log clause now lives on the hooks-scoped rule. (CodeRabbit nitpick, cubic P2) - aligned the shell-script rule with .gemini/styleguide.md: the styleguide mandates `set -e`, the rule had `set -euo pipefail`. Greptile would have flagged styleguide-compliant scripts as non-compliant. (Greptile P2) .gitguardian.yaml - removed the global `ignored_detectors: ['Generic High Entropy Secret']` entry. Disabling the detector repo-wide could mask a real leaked secret outside the noisy paths. (CodeRabbit major, cubic P1) - replaced with two additional path-scoped entries that target the actual sources of false positives: rules/**/security.md — documentation examples (e.g. the fake `sk-proj-xxxxx` placeholder) **/SKILL.md — skill docs that may show fake API tokens for illustration The detector remains active for the rest of the tree. Lint clean / 187 tests pass. 
---
 .gitguardian.yaml | 9 +++++----
 greptile.json | 26 +++++++++++++++++++-------
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/.gitguardian.yaml b/.gitguardian.yaml
index 5d6a44f..4263871 100644
--- a/.gitguardian.yaml
+++ b/.gitguardian.yaml
@@ -27,9 +27,10 @@ secret:
 - 'tests/lint/fixtures/**'
 - 'tests/ci/**'
- # Reduce noise from broad detectors that misfire on documentation
- # examples (curl snippets, example tokens like "sk-proj-xxxxx").
- ignored_detectors:
- - 'Generic High Entropy Secret'
+ # Documentation examples that show fake secret literals (e.g. the
+ # `sk-proj-xxxxx` placeholder in rules/typescript/security.md). These
+ # are illustrative and never match a real key.
+ - 'rules/**/security.md'
+ - '**/SKILL.md'
 show_secrets: false
diff --git a/greptile.json b/greptile.json
index ea1615f..133fe19 100644
--- a/greptile.json
+++ b/greptile.json
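Review bot: `- '**/SKILL.md'` silences every detector for every skill document in the tree, and `- 'rules/**/security.md'` is wider than the single file the new comment names, while the justification covers only the `sk-proj-xxxxx` placeholder in rules/typescript/security.md. A real token pasted into any SKILL.md as an "example" would then ship unscanned, which is the exposure the removed `ignored_detectors` entry had, merely confined to fewer files. Narrowing the first entry to the cited file, `- 'rules/typescript/security.md'`, and listing only the skill docs that actually carry illustrative tokens keeps the rest of rules/ and skills/ under the entropy detector. The commit message's statement that the detector "remains active for the rest of the tree" is accurate, but for the excluded paths all detectors are off, not just that one.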
@@ -5,10 +5,22 @@
 "triggerOnUpdates": true,
 "triggerOnDrafts": false,
 "shouldUpdateDescription": false,
- "summarySection": true,
- "confidenceScoreSection": true,
- "sequenceDiagramSection": false,
- "ignoreKeywords": "bump version\nrelease\nchore: bump\nchore(release)\nchore(deps)",
+ "summarySection": {
+ "included": true,
+ "collapsible": false,
+ "defaultOpen": true
+ },
+ "confidenceScoreSection": {
+ "included": true,
+ "collapsible": false,
+ "defaultOpen": true
+ },
+ "sequenceDiagramSection": {
+ "included": false,
+ "collapsible": false,
+ "defaultOpen": false
+ },
+ "ignoreKeywords": "bump version\nchore: bump\nchore: release\nchore(release)\nchore(deps)",
 "ignorePatterns": "node_modules/**\npackage-lock.json\n*.lock\n.DS_Store\nassets/**\ndocs/**/*.png\ndocs/**/*.jpg",
 "disabledLabels": ["release", "skip-review"],
 "instructions": "This is a Gemini CLI extension (everything-gemini-code) — not a typical application. Codebase consists of: shell/Node scripts (scripts/), TOML commands (commands/), Markdown skills (skills/) and agents (agents/), JSON hooks (hooks/), and multilingual docs (docs/{en,ko-KR,zh-CN}). Be concise and direct. Prioritize bugs and security issues over style. Do NOT flag emoji usage in markdown, long TOML prompt fields, or skills referencing ~/.gemini/ paths.",
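Review bot: Keeping `chore(deps)` and `chore: bump` in `ignoreKeywords` means dependency-update PRs receive no automated review at all, and those are the PRs where a pulled-in package change is hardest for a human to eyeball; the commit message treats them purely as noise. The commit's own reasoning for dropping bare `release` implies the keywords are matched against PR titles, so a PR carrying either prefix is skipped regardless of what else it touches. If the goal is only to quiet bot-authored bumps, the `release`/`skip-review` labels already give a per-PR switch, so leaving dependency PRs under review — or at minimum recording this trade-off in the contributor docs, since the JSON cannot carry a comment — seems preferable. The enclosing object continues outside the hunk.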
@@ -27,15 +39,15 @@
 "scope": ["skills/**/*.md"]
 },
 {
- "rule": "Hook scripts and hooks.json. Hooks run automatically on Gemini CLI tool events (BeforeTool, AfterTool, SessionStart, SessionEnd, PreCompress, AfterAgent) — any failure impacts every session. Verify error handling, quiet logging, and intentional exit codes (0 = allow, 2 = block in BeforeTool).",
+ "rule": "Hook scripts and hooks.json. Hooks run automatically on Gemini CLI tool events (BeforeTool, AfterTool, SessionStart, SessionEnd, PreCompress, AfterAgent) — any failure impacts every session. Verify error handling, intentional exit codes (0 = allow, 2 = block in BeforeTool), and that the script runs silently on success: NO console.log in hook scripts, only stderr writes for blocking diagnostics.",
 "scope": ["hooks/**", "scripts/hooks/**"]
 },
 {
- "rule": "Shell scripts must use `set -euo pipefail`, quote all variables, and avoid interpolating shell variables into `node -e` strings (use process.env instead). Support both macOS and Linux — no GNU-only flags.",
+ "rule": "Shell scripts must use `set -e` at the top (per .gemini/styleguide.md), quote all variables, and avoid interpolating shell variables into `node -e` strings (use process.env instead). Support both macOS and Linux — no GNU-only flags.",
 "scope": ["scripts/**/*.sh", "**/*.sh"]
 },
 {
- "rule": "Node.js 20+ project. Avoid mutation — prefer spread/immutable patterns. Handle errors explicitly; never swallow silently. Functions should be under 50 lines (soft target — vendored upstream ports may exceed). No console.log in hook scripts (hooks must run silently on success).",
+ "rule": "Node.js 20+ project. Avoid mutation — prefer spread/immutable patterns. Handle errors explicitly; never swallow silently. Functions should be under 50 lines (soft target — vendored upstream ports may exceed). console.log is fine in scripts and tests (the no-console rule lives on the hooks rule above).",
 "scope": ["scripts/**/*.js", "tests/**/*.js"]
 },
 {
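Review bot: Relaxing the shell rule from `set -euo pipefail` to `set -e` drops the two options that catch the quieter failures: without `-u` a mistyped variable name silently expands to an empty string, and without `-o pipefail` a pipeline's status is only its last command's, so `set -e` does not stop the script when an earlier stage fails. Aligning the rule with `.gemini/styleguide.md` removes a real conflict, but the safer resolution is to raise the styleguide to `set -euo pipefail` and keep the stricter rule text, provided these scripts run under bash (`pipefail` is not POSIX sh; the rule's macOS/Linux clause does not say which shell is targeted). If the styleguide must stay at `set -e`, the rule could at least direct reviewers to check pipelines and unset-variable expansions explicitly, e.g. `... must use \`set -e\` at the top (per .gemini/styleguide.md); reviewers should still flag unchecked pipeline stages and unquoted or unset variables ...`. The enclosing `rules` array continues outside the hunk.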