feat: add security scanning and code quality tools (#129)

* feat(docs): landing page improvements and new standalone pages

- Add QuickStart section with 3-step installation guide
- Add UseCases section showcasing Figma, GitHub, Linear, Notion workflows
- Create /templates page with all 18 templates from ralph-templates repo
- Create /use-cases page with detailed workflow explanations
- Create /integrations page with setup guides for all sources
- Add navbar links to new pages
- Remove tooltips from ClientShowcase section
- Fix robots.txt invalid syntax (orphaned directives)
- Add Google Analytics 4 tracking (G-4HSM6GRG3R)
- Update docs to use ralph-starter config commands instead of export
- Add docs:dev, docs:build, docs:serve scripts to root package.json

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(docs): prevent subtitle line break in QuickStart section

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: update LLM provider configuration instructions

- Add config commands for Anthropic, OpenAI, and OpenRouter
- Update config.md with all provider keys and env variables
- Fix storage location (config.json, not sources.json)
- Add Figma token to documented config keys

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: link to ghuntley.com/ralph instead of inline explanation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: remove duplicate command tables and sections

Removed redundant sections:
- Integrations & Input Sources (duplicated main Integrations section)
- Quick Setup table (duplicated integrations table)
- Managing Integrations (duplicated integrations code examples)
- Integration Commands (duplicated integrations section)
- Source Commands (Legacy) (outdated)
- Managing Config (duplicated Config Commands)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: streamline README structure

- Fix Table of Contents to match actual sections
- Remove redundant "Summary" header
- Keep Key Features table in a cleaner position

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(git): add labels support to createPullRequest

- Add labels field to PROptions interface
- Auto-create labels using gh label create --force
- Apply labels to PR using --label flags

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(git): add semantic PR title generator

- Add generateSemanticPrTitle() function
- Infer type from task: fix, test, docs, refactor, perf
- Format: type(scope): lowercase description
- Ensures title passes semantic PR validation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(git): add PR body formatter with issue linking

- Add formatPrBody() function for proper markdown PR bodies
- Include issue linking with Closes owner/repo#number format
- Add task summary, commits list, and execution details
- Properly detected by pr-issue-check.yml action

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(executor): use semantic titles and AUTO label for auto mode

- Import new git utilities for title generation and body formatting
- Add prLabels, prIssueRef, prType to LoopOptions interface
- Generate semantic PR titles: feat(auto): description
- Format PR body with proper markdown sections
- Auto-add AUTO label when running in auto mode
- Include issue reference for auto-close on merge

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(run): extract issue reference from source metadata

- Import IssueRef type from git module
- Extract owner/repo/number from GitHub source metadata
- Pass prIssueRef and prLabels to loop executor
- Remove hardcoded prTitle generation (let executor handle it)
- AUTO label added for auto mode runs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: update CHANGELOG.md and auto-generate on release

- Backfill CHANGELOG.md with all beta releases from 0.1.1-beta.1 to beta.15
- Update prepare-release workflow to auto-generate changelog entries
- Use node script to avoid YAML parsing issues with markdown syntax

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add security scanning and code quality tools

- Add CodeRabbit config with custom review instructions
- Add security.yml with CodeQL, Trivy, Gitleaks, OSSF Scorecard
- Add SonarCloud integration for code quality metrics
- Add bundle analysis workflow for PR size monitoring
- Add stale workflow to keep issues/PRs clean
- Add workflow to trigger CodeRabbit on all open PRs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: remove SonarCloud (not needed for now)

* fix: remove invalid CodeRabbit properties and fix dependency-review

* chore: add CodeRabbit as default reviewer in CODEOWNERS

* feat: smart auto-labeling and auto-assign for PRs

- Add auto-label.yml with intelligent label detection:
  - Labels based on changed files (core, docs, ci/cd, security, etc.)
  - Labels based on PR title (feat, fix, docs, etc.)
  - Only adds candidate-release for actual src changes
- Auto-assign @rubenmarcus on PRs they create
- Remove duplicate auto-label job from prepare-release.yml

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: address CodeRabbit review feedback on workflows

- bundle-analysis.yml: Add build failure handling, fix divide-by-zero, fix shell substitution in JS
- coderabbit-review.yml: Use pagination for PRs, handle empty TS files, deduplicate issues
- prepare-release.yml: Extract changelog logic to external script with dynamic insertion
- security.yml: Remove redundant Trivy (have CodeQL + Dependency Review), fix scorecard permissions
- stale.yml: Remove bug/enhancement from exempt labels, add release to exempt PR labels

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: add manual trigger to security scanning workflow

* fix: migrate dependency-review to config file (fix deprecation warning)

* fix(security): update dependencies to fix high/medium vulnerabilities

- Fix @modelcontextprotocol/sdk cross-client data leak (HIGH)
- Fix hono XSS, cache deception, IP spoofing vulnerabilities (MEDIUM)

Remaining issues are in dev-only dependencies (esbuild, lodash, tmp)
and don't affect the published CLI.

* fix: remove allow-licenses from dependency-review config

* fix: shorten CodeRabbit tone_instructions (max 250 chars)

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: rubenmarcus

.coderabbit.yaml

@@ -0,0 +1,67 @@
+# CodeRabbit Configuration
+# Documentation: https://docs.coderabbit.ai/configuration
+
+language: en-US
+
+# Review settings
+reviews:
+  # Enable automatic reviews on PRs
+  auto_review:
+    enabled: true
+    # Review drafts too
+    drafts: false
+    # Base branches to review
+    base_branches:
+      - main
+      - develop
+
+  # Review profile - assertive for thorough reviews
+  profile: assertive
+
+  # Request changes instead of just commenting when issues found
+  request_changes_workflow: true
+
+  # High-level summary at the top of review
+  high_level_summary: true
+
+  # Add poem to reviews (fun touch)
+  poem: false
+
+  # Review scope
+  path_filters:
+    # Always review these
+    - "src/**"
+    - "docs/**"
+    - ".github/**"
+    # Ignore these
+    - "!**/node_modules/**"
+    - "!**/dist/**"
+    - "!**/*.lock"
+    - "!**/pnpm-lock.yaml"
+    - "!**/package-lock.json"
+
+  # Collapse walkthrough for large PRs
+  collapse_walkthrough: true
+
+  # Enable sequence diagrams for complex flows
+  sequence_diagrams: true
+
+# Chat settings for interacting with CodeRabbit
+chat:
+  # Enable chat commands in PR comments
+  auto_reply: true
+
+# Early access features
+early_access: true
+
+# Knowledge base for project context
+knowledge_base:
+  # Learn from merged PRs
+  learnings:
+    scope: auto
+  # Learn from repo issues
+  issues:
+    scope: auto
+
+# Tone and style instructions (max 250 chars)
+tone_instructions: "Be constructive. Focus on security (OWASP), TypeScript best practices, performance, and test coverage. This is a CLI tool - check for credential handling, path traversal, proper exit codes."

.github/CODEOWNERS

@@ -2,7 +2,7 @@
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
 # Default owner for everything
-* @rubenmarcus
+* @rubenmarcus @coderabbitai
 
 # Core CLI source code
 /src/ @rubenmarcus

.github/dependency-review-config.yml

@@ -0,0 +1,15 @@
+# Dependency Review Configuration
+# https://github.com/actions/dependency-review-action#configuration-options
+
+# Fail on high/critical vulnerabilities
+fail-on-severity: high
+
+# Deny copyleft licenses that could cause licensing issues
+# (can't use both allow and deny, so we deny problematic ones)
+deny-licenses:
+  - GPL-3.0
+  - GPL-3.0-only
+  - GPL-3.0-or-later
+  - AGPL-3.0
+  - AGPL-3.0-only
+  - AGPL-3.0-or-later

.github/scripts/update-changelog.js

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+/**
+ * Updates CHANGELOG.md with a new release entry
+ *
+ * Usage: node update-changelog.js <title>
+ * Environment variables:
+ *   - NEW_VERSION: The new version number
+ *   - TODAY: The release date (YYYY-MM-DD)
+ *   - CHANGE_TYPE: The type of change (Added, Fixed, Changed)
+ *   - SOURCE_PR: The PR number
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const version = process.env.NEW_VERSION;
+const date = process.env.TODAY;
+const changeType = process.env.CHANGE_TYPE;
+const pr = process.env.SOURCE_PR;
+const title = process.argv[2];
+
+if (!version || !date || !changeType || !pr || !title) {
+  console.error('Missing required environment variables or arguments');
+  console.error('Required env: NEW_VERSION, TODAY, CHANGE_TYPE, SOURCE_PR');
+  console.error('Required arg: title');
+  process.exit(1);
+}
+
+const changelogPath = path.join(process.cwd(), 'CHANGELOG.md');
+const entry = `## [${version}] - ${date}\n\n### ${changeType}\n- ${title} (#${pr})\n\n`;
+
+let changelog = fs.readFileSync(changelogPath, 'utf8');
+const lines = changelog.split('\n');
+
+// Find insertion point dynamically
+// First try to find a sentinel marker
+let insertIdx = lines.findIndex(l => l.trim().startsWith('<!-- CHANGELOG_ENTRY -->'));
+
+// If no marker, find the first version heading
+if (insertIdx === -1) {
+  insertIdx = lines.findIndex(l => l.trim().match(/^## \[\d/));
+}
+
+// If still not found, default to after header (line 6)
+if (insertIdx === -1) {
+  insertIdx = 6;
+}
+
+// Build the new changelog
+const header = lines.slice(0, insertIdx).join('\n');
+const rest = lines.slice(insertIdx).join('\n');
+
+changelog = header + '\n\n' + entry + rest;
+fs.writeFileSync(changelogPath, changelog);
+
+console.log(`Updated CHANGELOG.md with entry for v${version}`);

.github/workflows/auto-label.yml

@@ -0,0 +1,150 @@
+name: Auto Label & Assign
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  auto-assign-and-label:
+    name: Auto Assign & Smart Label
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v47
+        with:
+          files_yaml: |
+            src:
+              - 'src/**'
+            docs:
+              - 'docs/**'
+              - '**/*.md'
+              - '!CHANGELOG.md'
+            ci:
+              - '.github/workflows/**'
+              - '.github/actions/**'
+            security:
+              - '.github/workflows/security.yml'
+              - '.coderabbit.yaml'
+              - 'SECURITY.md'
+              - '.gitleaks.toml'
+            config:
+              - 'package.json'
+              - 'tsconfig.json'
+              - '.eslintrc*'
+              - '.prettierrc*'
+            tests:
+              - '**/*.test.ts'
+              - '**/*.spec.ts'
+              - 'vitest.config.*'
+              - 'jest.config.*'
+
+      - name: Auto assign and label
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const pr = context.payload.pull_request;
+            const prNumber = pr.number;
+            const prAuthor = pr.user.login;
+            const prTitle = pr.title.toLowerCase();
+
+            // Auto-assign if author is rubenmarcus
+            if (prAuthor === 'rubenmarcus') {
+              await github.rest.issues.addAssignees({
+                owner, repo,
+                issue_number: prNumber,
+                assignees: ['rubenmarcus']
+              });
+              console.log('Auto-assigned rubenmarcus');
+            }
+
+            // Collect labels to add
+            const labelsToAdd = new Set();
+
+            // Labels based on changed files
+            const srcChanged = '${{ steps.changed-files.outputs.src_any_changed }}' === 'true';
+            const docsChanged = '${{ steps.changed-files.outputs.docs_any_changed }}' === 'true';
+            const ciChanged = '${{ steps.changed-files.outputs.ci_any_changed }}' === 'true';
+            const securityChanged = '${{ steps.changed-files.outputs.security_any_changed }}' === 'true';
+            const configChanged = '${{ steps.changed-files.outputs.config_any_changed }}' === 'true';
+            const testsChanged = '${{ steps.changed-files.outputs.tests_any_changed }}' === 'true';
+
+            if (srcChanged) labelsToAdd.add('core');
+            if (docsChanged) labelsToAdd.add('documentation');
+            if (ciChanged) labelsToAdd.add('ci/cd');
+            if (securityChanged) labelsToAdd.add('security');
+            if (configChanged) labelsToAdd.add('config');
+            if (testsChanged) labelsToAdd.add('tests');
+
+            // Labels based on PR title (conventional commits)
+            if (prTitle.startsWith('feat')) labelsToAdd.add('enhancement');
+            if (prTitle.startsWith('fix')) labelsToAdd.add('bug');
+            if (prTitle.startsWith('docs')) labelsToAdd.add('documentation');
+            if (prTitle.startsWith('chore')) labelsToAdd.add('chore');
+            if (prTitle.startsWith('refactor')) labelsToAdd.add('refactor');
+            if (prTitle.startsWith('perf')) labelsToAdd.add('performance');
+            if (prTitle.startsWith('test')) labelsToAdd.add('tests');
+            if (prTitle.startsWith('ci')) labelsToAdd.add('ci/cd');
+
+            // Special keywords in title
+            if (prTitle.includes('security') || prTitle.includes('vulnerability')) labelsToAdd.add('security');
+            if (prTitle.includes('breaking')) labelsToAdd.add('breaking-change');
+            if (prTitle.includes('devops') || prTitle.includes('automation')) labelsToAdd.add('devops');
+            if (prTitle.includes('dependabot') || prTitle.includes('deps')) labelsToAdd.add('dependencies');
+
+            // Only add candidate-release if src files changed (actual code changes)
+            if (srcChanged && !prTitle.startsWith('chore') && !prTitle.startsWith('docs')) {
+              labelsToAdd.add('candidate-release');
+            }
+
+            // Convert to array and filter out empty
+            const labels = Array.from(labelsToAdd).filter(Boolean);
+
+            if (labels.length > 0) {
+              // Ensure labels exist
+              for (const label of labels) {
+                try {
+                  await github.rest.issues.getLabel({ owner, repo, name: label });
+                } catch (e) {
+                  // Create label if it doesn't exist
+                  const colors = {
+                    'core': '0052CC',
+                    'documentation': '0075CA',
+                    'ci/cd': '7057FF',
+                    'security': 'B60205',
+                    'config': 'FBCA04',
+                    'tests': '1D76DB',
+                    'enhancement': 'A2EEEF',
+                    'bug': 'D73A4A',
+                    'chore': 'FEF2C0',
+                    'refactor': 'D4C5F9',
+                    'performance': '0E8A16',
+                    'breaking-change': 'B60205',
+                    'devops': '5319E7',
+                    'dependencies': '0366D6',
+                    'candidate-release': 'EDEDED'
+                  };
+                  await github.rest.issues.createLabel({
+                    owner, repo,
+                    name: label,
+                    color: colors[label] || 'EDEDED'
+                  });
+                }
+              }
+
+              // Add labels to PR
+              await github.rest.issues.addLabels({
+                owner, repo,
+                issue_number: prNumber,
+                labels
+              });
+              console.log(`Added labels: ${labels.join(', ')}`);
+            }