chore: comprehensive repository improvements and infrastructure enhancements

.coderabbit.yaml

@@ -1,16 +1,49 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
 # CodeRabbit AI Configuration for ContextForge Memory
-# https://docs.coderabbit.ai/guides/code-review-best-practices/
 
-# Top-level tone instructions (max 250 chars)
-tone_instructions: "Professional tone focusing on security, performance, code quality, best practices, and documentation"
+tone_instructions: "Be concise and professional. Prioritize security, determinism, performance, API correctness, and documentation quality."
+
+language: en-US
 
-# Review configuration
 reviews:
-  # Optional: Consider enabling additional external review tools in CodeRabbit UI
-  # such as gitleaks (secrets scanning), semgrep (SAST), and checkov (IaC scanning)
-  # for broader security coverage. These are configured in the CodeRabbit UI, not here.
-  # Path filters for excluding files and directories
+  profile: assertive
+  request_changes_workflow: true
+  high_level_summary: true
+  review_status: true
+  commit_status: true
+  fail_commit_status: true
+  collapse_walkthrough: true
+  changed_files_summary: true
+  suggested_labels: true
+  suggested_reviewers: true
+  related_issues: true
+  related_prs: true
+  poem: false
+
+  # Focus the reviewer signal; keep your existing excludes but add positive includes
   path_filters:
+    # --- include sets (repo-critical) ---
+    - "src/**"
+    - "clients/**"
+    - "openapi/**/*.{yaml,yml,json}"
+    - ".github/**"
+    - "Makefile"
+    - "pyproject.toml"
+    - "requirements*.txt"
+    - "Pipfile"
+    - "Pipfile.lock"
+    - "package.json"
+    - "package-lock.json"
+    - "pnpm-lock.yaml"
+    - "uv.lock"
+    - "devcontainer.json"
+    - ".devcontainer/**"
+    # IaC / containers
+    - "{**/*.tf,**/Dockerfile,**/Dockerfile.*,**/docker-compose*.yml,helm/**,k8s/**,kubernetes/**}"
+    # docs that define rules/security
+    - "CONTRIBUTING.md"
+    - "SECURITY.md"
+    # --- global excludes (noise) ---
     - "!**/*.pyc"
     - "!**/__pycache__/**"
     - "!**/.pytest_cache/**"
@@ -27,87 +60,102 @@ reviews:
     - "!**/dist/**"
     - "!**/build/**"
     - "!**/.mypy_cache/**"
+    - "!**/*.egg-info/**"
+    - "!**/.DS_Store"
+    - "!**/.git/**"
+    # de-noise prose unless they are the only changes
+    - "!docs/**"
+    - "!**/*.md"
 
-  # Path-specific review instructions
+  # Repo-aware instructions
   path_instructions:
-    # API and main application code
-    - path: "src/**/*.py"
-      instructions: |
-        Focus on:
-        - API design and RESTful principles
-        - Error handling and validation
-        - Security considerations (input validation, authentication)
-        - Performance implications
-        - Type hints and documentation
-        - FastAPI best practices
-
-    # Client libraries
-    - path: "clients/**/*"
+    - path: "openapi/**/*.{yaml,yml,json}"
       instructions: |
-        Focus on:
-        - API client design patterns
-        - Error handling and retry logic
-        - Type safety and interfaces
-        - Documentation and examples
-        - Cross-platform compatibility
-
-    # CI/CD and workflows
-    - path: ".github/**/*"
-      instructions: |
-        Focus on:
-        - Security best practices
-        - Workflow efficiency
-        - Proper permissions and secrets handling
-        - Dependabot configuration
-        - Security scanning setup
-
-    # Infrastructure-as-Code and container security (canonical rule)
-    - path: "{**/*.tf,**/Dockerfile,**/Dockerfile.*,**/docker-compose.yml,**/docker-compose.*.yml,helm/**/*,k8s/**/*,kubernetes/**/*}"
+        Validate OpenAPI structure and parity with FastAPI handlers.
+        Call out missing error responses, auth/permission descriptions, inconsistent schemas, and undocumented fields.
+        Ensure response models and status codes match reality; flag breaking changes to generated clients.
+
+    - path: "src/**/*.py"
       instructions: |
-        Focus on:
-        - IaC security and misconfigurations (least privilege, restricted policies)
-        - Safe defaults (no hard-coded secrets, pinned images, versioned modules)
-        - Container best practices (non-root user, slim base images, healthchecks)
-        - Network exposure and port/security group rules
-        - Kubernetes/Helm best practices (resource limits, probes, RBAC)
-
-    # Documentation (markdown files in root and docs directory)
-    - path: "**/*.md"
+        Enforce FastAPI + Pydantic v2 best practices, input validation, and security (authn/z, secrets handling).
+        Check deterministic behavior (no hidden time/random/network nondeterminism without explicit guards).
+        Verify timeouts/retries/backoff around I/O, structured logging, and type hints throughout.
+        Prefer Ruff rules; flag potential performance pitfalls and memory growth in long-running workers.
+
+    - path: "clients/typescript/**"
       instructions: |
-        Focus on:
-        - Clarity and completeness
-        - Up-to-date information
-        - Proper markdown formatting
-        - Security policy accuracy
-        - Contribution guidelines
-
-    # Configuration files
-    - path: "requirements.txt"
+        Ensure strict typing, accurate DTOs from OpenAPI, consistent error shapes, and robust timeout/retry semantics.
+        Prefer fetch/axios configurations with sane defaults; avoid throwing ambiguous any-typed errors.
+
+    - path: "clients/python/**"
       instructions: |
-        Focus on:
-        - Dependency security and versions
-        - Configuration best practices
-        - Security implications
-        - Proper formatting and structure
+        Ensure session reuse, timeouts, and exception taxonomy maps cleanly for downstream users.
+        Check docstrings and typing for public functions; verify parity with OpenAPI.
 
-    - path: "pyproject.toml"
+    - path: ".github/**/*"
       instructions: |
-        Focus on:
-        - Dependency security and versions
-        - Configuration best practices
-        - Security implications
-        - Proper formatting and structure
+        Verify least-privilege permissions, pinned actions SHAs, secret usage, concurrency/cancellation,
+        and fast-fail patterns. Suggest caching and matrix splits where build times benefit.
 
-    - path: "*.yaml"
+    - path: "{**/*.tf,**/Dockerfile,**/Dockerfile.*,**/docker-compose*.yml,helm/**,k8s/**,kubernetes/**}"
       instructions: |
-        Focus on:
-        - Configuration best practices
-        - Security implications
-        - Proper formatting and structure
+        Enforce IaC/container hardening: no hard-coded secrets; pinned base images; non-root users; healthchecks;
+        RBAC least privilege; CPU/memory limits; network exposure minimized; image provenance.
 
-    - path: "*.yml"
+    - path: "{pyproject.toml,requirements*.txt,Pipfile*,package*.json,pnpm-lock.yaml,uv.lock}"
       instructions: |
-        Focus on:
-        - Configuration best practices
-        - Security implications
-        - Proper formatting and structure
+        Flag vulnerable or unpinned deps; suggest safer alternatives; check tool configs (ruff, mypy, pytest, coverage).
+
+  auto_review:
+    enabled: true
+    auto_incremental_review: true
+    drafts: false
+    ignore_title_keywords: ["WIP", "DRAFT", "SPIKE"]
+    labels: ["!wip"]
+    base_branches: [".*"]
+    ignore_usernames:
+      - "dependabot[bot]"
+      - "renovate[bot]"
+      - "github-actions[bot]"
+
+  finishing_touches:
+    docstrings:
+      enabled: true
+    unit_tests:
+      enabled: true
+
+# Let CodeRabbit ingest your house rules
+knowledge_base:
+  opt_out: false
+  code_guidelines:
+    enabled: true
+    filePatterns:
+      - "**/.cursorrules"
+      - ".cursor/rules/*.mdc"  # Add cursor rules
+      - "CONTRIBUTING.md"
+      - "SECURITY.md"
+      - "**/CODING_STANDARDS.md"
+
+# First-party tool runners (where supported by your plan)
+tools:
+  ruff:
+    enabled: true
+  eslint:
+    enabled: true
+  shellcheck:
+    enabled: true
+  gitleaks:
+    enabled: true
+  semgrep:
+    enabled: true
+  checkov:
+    enabled: true
+  ast-grep:
+    enabled: true
+    essential_rules: true
+    rule_dirs:
+      - ".codequality/ast-grep/rules"
+    util_dirs:
+      - ".codequality/ast-grep/utils"
+
+early_access: false