feat: context selection for git diff

Author: nikolay-e

.github/workflows/cd.yml

@@ -86,7 +86,7 @@ jobs:
           fi
           COMMIT_SHA=$(git rev-parse HEAD)
           echo "Commit SHA: $COMMIT_SHA"
-          echo "commit_sha=$COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "commit_sha=$COMMIT_SHA" >> "$GITHUB_OUTPUT"
 
       - name: Check tag doesn't already exist
         run: |
@@ -121,8 +121,8 @@ jobs:
       - name: Set outputs
         id: set_outputs
         run: |
-          echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
-          echo "tag_name=v${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+          echo "version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
+          echo "tag_name=v${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
 
   build-assets:
     name: Build Assets
@@ -218,7 +218,7 @@ jobs:
               echo "Detected ARM on macOS"
           fi
           echo "Determined ARCH: $ARCH"
-          echo "arch=$ARCH" >> $GITHUB_OUTPUT
+          echo "arch=$ARCH" >> "$GITHUB_OUTPUT"
 
       - name: Rename asset with proper name
         shell: bash

.gitignore

@@ -5,7 +5,7 @@ __pycache__/
 
 # C extensions
 *.so
-
+tree.yaml
 # Distribution / packaging
 .Python
 build/

.markdownlintignore

@@ -0,0 +1 @@
+docs/

.pre-commit-config.yaml

@@ -1,3 +1,11 @@
+minimum_pre_commit_version: '3.5.0'
+default_stages: [pre-commit]
+default_language_version:
+  python: python3.12
+  node: system
+
+fail_fast: false
+
 repos:
   # ============================================================================
   # BASIC FILE QUALITY CHECKS (baseline hygiene)
@@ -22,58 +30,81 @@ repos:
       - id: name-tests-test
         args: ["--pytest-test-first"]
         exclude: ^tests/(utils|conftest)\.py$
+      - id: fix-byte-order-marker
+      - id: detect-private-key
 
   # ============================================================================
-  # CODE FORMATTING (minimal - consistency only, not quality)
-  # Order matters: isort must run before black to avoid conflicts
+  # GITHUB ACTIONS VALIDATION
+  # ============================================================================
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.35.0
+    hooks:
+      - id: check-github-workflows
+        name: Validate GitHub workflows
+        args: ['--verbose']
+      - id: check-dependabot
+        name: Validate Dependabot config
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.8
+    hooks:
+      - id: actionlint
+        name: Lint GitHub Actions
+
+  # ============================================================================
+  # CODE FORMATTING (Order: isort → black to avoid conflicts)
   # ============================================================================
   - repo: https://github.com/pycqa/isort
-    rev: 5.13.2
+    rev: 7.0.0
     hooks:
       - id: isort
 
   - repo: https://github.com/psf/black
-    rev: 25.9.0
+    rev: 25.1.0
     hooks:
       - id: black
         language_version: python3
 
+  - repo: https://github.com/asottile/pyupgrade
+    rev: v3.21.1
+    hooks:
+      - id: pyupgrade
+        name: pyupgrade (auto-upgrade Python syntax)
+        args: ['--py312-plus']
+        files: ^src/.*\.py$
+
   # ============================================================================
-  # STATIC TYPING (proven to reduce TypeError/AttributeError in production)
-  # Evidence: Dropbox/Instagram case studies show 15-40% reduction in type errors
+  # STATIC TYPING
   # ============================================================================
   - repo: https://github.com/pre-commit/mirrors-mypy
     rev: v1.18.2
     hooks:
       - id: mypy
-        name: mypy (strict mode for code health)
-        # Runtime deps + stubs needed for mypy's isolated virtualenv
+        name: mypy (strict mode)
         additional_dependencies:
           - types-PyYAML
           - PyYAML
           - pathspec
         files: ^src/
 
+  # ============================================================================
+  # LINTING (Ruff for speed + correctness)
+  # ============================================================================
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.14.0
+    hooks:
+      - id: ruff
+        name: ruff (correctness-focused checks)
+        args: ["--fix", "--unsafe-fixes"]
+
   # ============================================================================
   # SECURITY & VULNERABILITY DETECTION
-  # Evidence: CVE databases with reproducible advisories
   # ============================================================================
   - repo: https://github.com/trailofbits/pip-audit
     rev: v2.9.0
     hooks:
       - id: pip-audit
         name: pip-audit (CVE detection in dependencies)
-        # CVE Ignores Documentation:
-        # - GHSA-4xh5-x5gv-qwph (CVE-2025-8869): pip tar extraction path traversal.
-        #   Fix planned for pip 25.3 (not yet released). Low risk: requires attacker-controlled
-        #   sdist AND Python < 3.11.4. Project uses Python 3.9+ with modern interpreters.
-        #   Review after pip 25.3 release.
-        # - GHSA-gm62-xv2j-4w53 (CVE-2025-66418): urllib3 decompression chain DoS.
-        #   Fixed in urllib3 2.6.0. Transitive dependency from pip-audit itself.
-        #   Project pins urllib3>=2.6.0 in pyproject.toml.
-        # - GHSA-2xpw-w6gg-jr37 (CVE-2025-66471): urllib3 highly compressed data handling.
-        #   Fixed in urllib3 2.6.0. Transitive dependency from pip-audit itself.
-        #   Project pins urllib3>=2.6.0 in pyproject.toml.
         args:
           [
             "--desc",
@@ -93,12 +124,14 @@ repos:
       - id: detect-secrets
         args: ["--baseline", ".secrets.baseline"]
 
-  # ============================================================================
-  # SEMANTIC SECURITY ANALYSIS (replaces basic Bandit)
-  # Evidence: Testable rulepacks, widely adopted in SAST programs
-  # ============================================================================
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.29.0
+    hooks:
+      - id: gitleaks
+        name: Scan for secrets (gitleaks)
+
   - repo: https://github.com/returntocorp/semgrep
-    rev: v1.89.0
+    rev: v1.99.0
     hooks:
       - id: semgrep
         name: semgrep (AST-based security & policy)
@@ -113,8 +146,7 @@ repos:
         files: ^src/
 
   # ============================================================================
-  # DEAD CODE DETECTION (reduces attack surface & maintenance burden)
-  # Evidence: Direct verification - unused code is measurably wasteful
+  # DEAD CODE DETECTION
   # ============================================================================
   - repo: https://github.com/jendrikseipp/vulture
     rev: v2.14
@@ -126,9 +158,7 @@ repos:
         pass_filenames: false
 
   # ============================================================================
-  # CODE DUPLICATION DETECTION (reduces maintenance burden & bug propagation)
-  # Evidence: Studies show duplicated code increases bug density by 2-3x
-  # Detects copy-pasted code blocks that should be refactored into functions
+  # CODE DUPLICATION DETECTION
   # ============================================================================
   - repo: https://github.com/PyCQA/pylint
     rev: v4.0.1
@@ -147,29 +177,17 @@ repos:
         files: ^src/
 
   # ============================================================================
-  # LINTING (focused on correctness, not style)
-  # Using Ruff for speed; flake8 removed to avoid redundancy
-  # ============================================================================
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.0
-    hooks:
-      - id: ruff
-        name: ruff (correctness-focused checks)
-        args: ["--fix", "--unsafe-fixes"]
-
-  # ============================================================================
-  # SPELL CHECKING (reduces documentation defects)
+  # SPELL CHECKING
   # ============================================================================
   - repo: https://github.com/codespell-project/codespell
     rev: v2.4.1
     hooks:
       - id: codespell
-        args:
-          ["--write-changes", "--ignore-words-list=crate,nd,ser,llm,async,cli,theses,datas"]
+        args: ["--write-changes", "--ignore-words-list=crate,nd,ser,llm,async,cli,theses,datas"]
         exclude: ^(\.git/|\.venv/|venv/)
 
   # ============================================================================
-  # YAML/JSON LINTING
+  # YAML LINTING
   # ============================================================================
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.37.1
@@ -182,6 +200,34 @@ repos:
             {line-length: {max: 120}, document-start: disable,
             indentation: disable, comments: disable}}
 
+  # ============================================================================
+  # SHELL LINTING
+  # ============================================================================
+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: v3.12.0-2
+    hooks:
+      - id: shfmt
+        name: shfmt (shell script formatting)
+        args: [-w, -i, '2']
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.11.0.1
+    hooks:
+      - id: shellcheck
+        name: shellcheck (shell script linting)
+        args: [-x]
+
+  # ============================================================================
+  # MARKDOWN LINTING
+  # ============================================================================
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.45.0
+    hooks:
+      - id: markdownlint
+        name: Lint Markdown files
+        args: ['--fix']
+        files: \.(md|markdown)$
+
   # ============================================================================
   # COMMIT MESSAGE QUALITY
   # ============================================================================
@@ -190,18 +236,3 @@ repos:
     hooks:
       - id: commitizen
         stages: [commit-msg]
-
-# ============================================================================
-# TOOLS DEFERRED TO CI (too slow or complex for pre-commit)
-# ============================================================================
-# - CodeQL: GitHub-specific, requires workflow setup
-# - Pysa: Requires framework-specific taint configuration
-# - SonarQube/Cloud: Platform-based, not a hook
-# - Radon: No official pre-commit hook, run via pip in CI
-# - Hypothesis: Property-based testing, runs with pytest in CI
-# - Mutation testing (mutmut/Cosmic Ray): Too slow, CI only
-# - Coverage: Measured in CI with pytest-cov
-# - Import Linter: Requires project-specific contract definition
-# - Atheris/CrossHair: Fuzzing/symbolic execution - CI only
-#
-# See .github/workflows/ci.yml for integration of these tools

.treemapperignore

@@ -1 +1,38 @@
+# Tests and test artifacts
 tests
+.hypothesis
+.pytest_cache
+.coverage
+htmlcov
+.treemapperignore
+
+# Build and cache
+build
+dist
+*.egg-info
+.mypy_cache
+.ruff_cache
+__pycache__
+
+# Config files (not code)
+.gitignore
+.pre-commit-config.yaml
+.secrets.baseline
+.dockerignore
+renovate.json
+
+# Output files
+tree.yaml
+tree.json
+tree.md
+tree.txt
+.markdownlintignore
+
+# Other
+LICENSE
+README.md
+CLAUDE.md
+*.bbl
+*.bib
+*.tmp
+.claude