Refactor env, Docker, and docs; improve CLI defaults

Consolidates environment variable examples into .env.example and removes .env.webapp.example. Deletes Dockerfiles for GitHub, queue, and Telegram modes. Moves documentation images from docs/ to images/ and updates README references accordingly. Refactors pr_security_review/__main__.py to set CLI argument defaults from environment variables for GitHub App, docs directory, queue listener, and continuous monitoring. Cleans up README to remove redundant configuration file instructions.

Author: fredrik0x

.env.example

@@ -9,45 +9,47 @@ FLASK_ENV=development
 WEB_APP_PORT=5000
 FINDINGS_SERVER_PORT=8000
 FINDINGS_SERVER_URL=http://localhost:8000
-
-# Database Configuration
+AUTHORIZED_EMAILS=[email protected] # Admin email for accessing the web app, comma-separated for multiple
 DATABASE_URL=postgresql://username:password@localhost:5432/security_findings
 
-# Authorized Email Addresses (comma-separated)
-AUTHORIZED_EMAILS=[email protected]
+# Continuous Monitoring
+MONITOR_CONTINUOUS=false
 
-# Optional: Telegram Configuration (if using Telegram notifications)
+# Telegram Notifications
 TELEGRAM_BOT_TOKEN=your_telegram_bot_token_here
 TELEGRAM_CHAT_ID=your_telegram_chat_id_here
 
-# Optional: LLM Provider API Keys
-OPENAI_API_KEY=your_openai_api_key_here
-ANTHROPIC_API_KEY=your_anthropic_api_key_here
-GOOGLE_AI_API_KEY=your_google_ai_api_key_here
-
-# GitHub PAT token for accessing repositories
-GITHUB_TOKEN=your_github_token_here
-
 # Email Notifications (Amazon SES)
 AWS_SES_REGION=us-east-1
 SES_FROM_EMAIL=[email protected]
 BASE_URL=https://your-domain.com
 AWS_ACCESS_KEY_ID=your_aws_access_key_here
 AWS_SECRET_ACCESS_KEY=your_aws_secret_access_key_here
 
-# Notification Settings
+# LLM Provider API Keys
+OPENAI_API_KEY=your_openai_api_key_here
+ANTHROPIC_API_KEY=your_anthropic_api_key_here
+GOOGLE_AI_API_KEY=your_google_ai_api_key_here
+
+# GitHub PAT token for accessing repositories - requires repo scope read access
+GITHUB_TOKEN=your_github_token_here
+
+# Notification Settings (notify on all or only potentially bad commits)
 NOTIFY_CLEAN_COMMITS=false
 
-# Embeddings API key (required for Claude with docs)
+# Embeddings API key (required for using Claude with docs)
+DOCS_DIR=./docs
 VOYAGE_API_KEY=your_voyage_api_key_here
 
 # GitHub App Settings
+GITHUB_APP=false
 GITHUB_APP_ID=12345
 GITHUB_PRIVATE_KEY_PATH=./privatekey.pem
 GITHUB_WEBHOOK_SECRET=your_webhook_secret_here
 GITHUB_CLIENT_SECRET=your_github_client_secret_here
 
 # AMQP Message Queue (optional)
+LISTEN_QUEUE=false
 AMQP_URL=amqp://guest:guest@localhost:5672/
 QUEUE_NAME=security_review_requests
 RESPONSE_QUEUE_NAME=security_review_responses
@@ -62,39 +64,22 @@ LLAMA_WEIGHT=1
 # Optional: Enable SQL query debugging (set to true to see SQL queries in logs)
 SQL_DEBUG=false
 
-# LLM Prompts Configuration
+# LLM Prompts Configuration (optional overrides for default prompts)
 LLM_SECURITY_PROMPT_INTRO="You are a security expert specializing in Ethereum client implementations and blockchain security."
-
 LLM_SECURITY_PROMPT_FOCUS_AREAS="Pay special attention to Blockchain specific vulnerabilities."
-
 LLM_SECURITY_PROMPT_IMPORTANT_NOTES="IMPORTANT:\n- Focus on concrete exploitable vulnerabilities."
-
 LLM_SECURITY_PROMPT_EXAMPLES="Examples of concrete vulnerabilities:\n- Gas costs that deviate from EIP specifications."
-
 LLM_SECURITY_PROMPT_RESPONSE_FORMAT="CRITICAL: Your response must be ONLY the following JSON object, with no additional text, explanation, or markdown formatting:\n{\n    \"confidence_score\": <use highest confidence from findings, or 100 if no vulnerabilities>,\n    \"has_vulnerabilities\": <true/false>,\n    \"findings\": [\n        {\n            \"severity\": \"<HIGH|MEDIUM|LOW>\",\n            \"description\": \"<specific vulnerability with exact code location>\",\n            \"recommendation\": \"<precise fix required>\",\n            \"confidence\": <0-100, how certain you are about this specific vulnerability>,\n            \"detailed_explanation\": \"<comprehensive explanation of what the issue is>\",\n            \"impact_explanation\": \"<what can happen if this vulnerability is exploited>\",\n            \"detailed_recommendation\": \"<detailed explanation of how to fix the issue>\",\n            \"code_example\": \"<the existing problematic code block, with proposed changes highlighted using html-style comments>\",\n            \"additional_resources\": \"<links to documentation or other resources>\"\n        }\n    ],\n    \"summary\": \"<only mention concrete vulnerabilities found>\"\n}\n\nIMPORTANT: The overall confidence_score should match the highest confidence score from the findings.\nFor example, if you find one vulnerability with 90% confidence, the overall confidence_score should also be 90."
-
 LLM_SECURITY_PROMPT_NO_VULNS_RESPONSE="If no clear vulnerabilities are found in the code changes, return:\n{\n    \"confidence_score\": 100,\n    \"has_vulnerabilities\": false,\n    \"findings\": [],\n    \"summary\": \"No concrete vulnerabilities identified in the changed code.\"\n}"
-
 LLM_SKEPTICAL_VERIFICATION_INTRO="You are a skeptical security auditor tasked with CRITICALLY reviewing and VERIFYING potential vulnerabilities."
-
 LLM_SKEPTICAL_VERIFICATION_CRITICAL_QUESTIONS="Ask yourself is this is really a vulnerability."
-
 LLM_SKEPTICAL_VERIFICATION_BE_CRITICAL="Keep a critical mindset."
-
 LLM_SKEPTICAL_VERIFICATION_ONLY_CONFIRM="Only confirm vulnerabilities you are very sure about."
-
 LLM_SKEPTICAL_VERIFICATION_RESPONSE_FORMAT="Return ONLY a JSON object with your verification results:\n{\n    \"verified_findings\": [\n        {\n            \"original_index\": <index of the original finding, starting from 0>,\n            \"is_real_vulnerability\": <true/false>,\n            \"verification_confidence\": <0-100>,\n            \"reason\": \"<why you believe this is or isnt a real vulnerability>\"\n        }\n    ],\n    \"summary\": \"<brief summary of your verification>\"\n}"
-
 LLM_SYNTHESIS_PROMPT_INTRO="You are a security expert tasked with synthesizing multiple security analyses into a single coherent report."
-
 LLM_SYNTHESIS_PROMPT_INSTRUCTION="Please synthesize these analyses into a single, coherent security report. Combine similar findings, use the highest confidence scores where appropriate, and create a unified summary."
-
 LLM_SYNTHESIS_SYSTEM_PROMPT="You are a security expert specializing in code review. Return ONLY JSON output with no additional text or explanation."
-
 LLM_SYNTHESIS_SYSTEM_PROMPT_ANTHROPIC="You are a skeptical security auditor. Return ONLY JSON output with no additional text or explanation."
-
 LLM_SYNTHESIS_SYSTEM_PROMPT_SYNTHESIZE="You are a security expert specializing in synthesizing multiple analyses. Return ONLY JSON output with no additional text or explanation."
 
-
-# End of .env.example
-# Note: Rename this file to .env and fill in the actual values before running the application.
+# End of .env.example

.env.webapp.example

@@ -150,8 +150,8 @@ This will then:
 #### One-Shot
 Examples using Anthropic
 
-<a href="docs/cli.png">
-  <img src="docs/cli.png" width="200"/>
+<a href="images/cli.png">
+  <img src="images/cli.png" width="200"/>
 </a>
 
 ##### Single PR Review
@@ -235,7 +235,7 @@ You can use the commit monitoring feature that track repositories for new commit
 
 ##### Quick Start
 
-###### Option 1: Add repositories manually
+###### Add repositories manually
 
 ```bash
 # Add a repository to monitor (e.g., Nethermind's master branch)
@@ -248,34 +248,6 @@ python -m pr_security_review --monitor-check
 python -m pr_security_review --monitor-continuous
 ```
 
-##### Option 2: Use a configuration file
-
-Create a JSON configuration file with your repositories:
-
-```json
-{
-  "repositories": [
-    {
-      "url": "https://github.com/fredrik0x/go-ethereum",
-      "branches": ["master"]
-    },
-    {
-      "url": "https://github.com/ethereum/solidity",
-      "branches": ["develop", "main"]
-    }
-  ]
-}
-```
-
-Then run with the config file:
-
-```bash
-# Check for new commits using config file
-python -m pr_security_review --monitor-check --config-file config.json
-
-# Start continuous monitoring using config file
-python -m pr_security_review --monitor-continuous --config-file config.json
-```
 ##### Common Commands
 
 ```bash
@@ -300,8 +272,8 @@ You can use a supported AMQP queue (such as rabbitmq) to receive incoming review
 You can also run the tool as a GitHub App, which allows for command-based triggering of security reviews on PRs.
 Example: https://github.com/fredrik0x/go-ethereum/pull/1
 
-<a href="docs/github.png">
-  <img src="docs/github.png" width="200"/>
+<a href="images/github.png">
+  <img src="images/github.png" width="200"/>
 </a>
 
 
@@ -360,17 +332,17 @@ Add your API key(s) and other environmental variables to your repository secrets
 
 
 ### Web Application
-<a href="docs/web1.png">
-  <img src="docs/web1.png" width="200"/>
+<a href="images/web1.png">
+  <img src="images/web1.png" width="200"/>
 </a>
 
-<a href="docs/web2.png">
-  <img src="docs/web2.png" width="200"/>
+<a href="images/web2.png">
+  <img src="images/web2.png" width="200"/>
 </a>
 
 
-<a href="docs/web3.png">
-  <img src="docs/web3.png" width="200"/>
+<a href="images/web3.png">
+  <img src="images/web3.png" width="200"/>
 </a>
 
 
@@ -391,8 +363,8 @@ You can receive an email whenever a new finding is found by setting the AWS SES
 
 #### Telegram Notifications
 
-<a href="docs/telegram.png">
-  <img src="docs/telegram.png" width="200"/>
+<a href="images/telegram.png">
+  <img src="images/telegram.png" width="200"/>
 </a>
 
 You can receive telegram notifications when a review has found a potential vulnerability (or all reviews)