* feat(github): add issue templates and auto-labeler
- Add bug_report.yml and feature_request.yml templates
- Add config.yml for issue creation options
- Add auto-label.yml workflow to label issues based on content
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(php): add --json and --sarif flags to QA commands
Adds machine-readable output support to PHP quality assurance commands:
- test: --json flag for JUnit XML output
- fmt: --json flag for JSON formatted output from Pint
- stan: --json and --sarif flags for PHPStan output
- psalm: --json and --sarif flags for Psalm output
- qa: --json flag for JSON summary output
SARIF output enables integration with GitHub Security tab for
static analysis results.
Closes#51
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(php): address CodeRabbit review feedback
- Guard progress messages when JSON/SARIF output is enabled
- Guard success messages when JSON/SARIF output is enabled
- Guard QA results display when JSON output is enabled
- Rename misleading JSON field to JUnit in TestOptions (outputs JUnit XML)
- Add mutual exclusion validation for --json and --sarif flags
- Remove empty conditional block in auto-label workflow
- Add i18n translation for json_sarif_exclusive error
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(php): additional CodeRabbit fixes
- Rename test --json flag to --junit (outputs JUnit XML, not JSON)
- Add actual JSON marshaling for QA command JSON output
- Add JSON tags to QARunResult and QACheckRunResult structs
- Add i18n translation for junit flag
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Make AppVersion injectable via ldflags at build time
- Replace GoReleaser with simple GitHub Actions workflow
- Build for linux/darwin/windows on amd64/arm64
- Generate checksums.txt for integrity verification
- Inject version from git tag into binary
Fixes#37
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(dev): add safe git operations for AI agents
Adds agent-safe commands to prevent common git mistakes:
- `core dev sync <file> --to="pattern"`: Sync files across repos
- Auto-pulls before copying (safe sync)
- Optional commit with --message
- Optional push with --push
- Dry-run mode with --dry-run
- `core dev apply --command="..."`: Run commands across repos
- Execute shell commands in each repo
- Execute scripts with --script
- Optional commit/push after changes
- Continue on error with --continue
- Filter repos with --repos
Safety features:
- Never force push
- Auto-pull before push on rejection
- Report failures without stopping other repos
- Dry-run support for previewing changes
Closes#53
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(dev): address CodeRabbit review feedback
- Use errors.E() for consistent error handling in cmd_apply.go and cmd_file_sync.go
- Add path traversal validation to reject ".." in source paths
- Execute scripts directly to honor shebangs (not via sh)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(php): add CI/CD pipeline command
Adds `core php ci` command for CI/CD integration:
- Runs all QA checks in optimal order (test, stan, psalm, fmt, audit, security)
- Generates combined reports in multiple formats:
- JSON (--json) for machine consumption
- Markdown summary (--summary) for PR comments
- SARIF (--sarif) for static analysis tools
- Uploads SARIF to GitHub Security tab (--upload-sarif)
- Configurable failure threshold (--fail-on=critical|high|warning)
Example usage:
core php ci # Run full pipeline
core php ci --json # Output JSON report
core php ci --summary # Output markdown for PR
core php ci --sarif --upload-sarif # Generate and upload SARIF
Closes#52
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(php): address CodeRabbit review feedback on CI command
- Remove unused --parallel flag
- Validate git SHA before SARIF upload
- Properly handle and validate SARIF generation output
- Exit with correct code when --json flag is used and pipeline fails
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(security): add core security command for vulnerability alerts
Adds `core security` command area to expose GitHub security data:
- `core security alerts` - aggregated view of all security alerts
- `core security deps` - Dependabot vulnerability alerts with upgrade paths
- `core security scan` - CodeQL and code scanning alerts
- `core security secrets` - secret scanning alerts
Features:
- Filter by --repo, --severity (critical,high,medium,low)
- JSON output with --json for AI agent consumption
- Aggregated summary with severity breakdown
- Shows patched versions for easy upgrades
Closes#48
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(security): address CodeRabbit review feedback
- Remove unused flattened fields from DependabotAlert struct
- Add Unknown field to AlertSummary for unrecognized severities
- Add doc comments for exported Add and String methods
- Use cli.Wrap for contextual error wrapping
- Fix secret scanning summary counting after filter
- Remove unused --vulnerable flag from deps command
- Fix JSON output to only include open alerts in secrets command
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(security): handle json.MarshalIndent errors
Address CodeRabbit review feedback by properly handling errors from
json.MarshalIndent in all security subcommands instead of ignoring them.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(monitor): add security findings aggregation command
Implements `core monitor` to aggregate security findings from GitHub:
- Code scanning alerts (Semgrep, Trivy, Gitleaks, CodeQL, etc.)
- Dependabot vulnerability alerts
- Secret scanning alerts
Features:
- Scan current repo, specific repo, or all repos via registry
- Filter by severity (--severity critical,high)
- JSON output for piping to other tools (--json)
- Grouped output by repo with severity highlighting
Closes#49
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(monitor): address CodeRabbit review feedback
- Fix DependabotAlert JSON parsing with proper nested struct for
dependency.manifest_path field
- Remove unnecessary --jq flag from code scanning API call
- Fix truncate() to use runes for proper UTF-8 handling
- Sort repo names for deterministic output ordering
- Document hardcoded org fallback behavior
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(monitor): improve error handling per CodeRabbit review
- Use errors.E() consistently instead of errors.Wrap()
- Pass underlying errors to errors.E() for better context
- Return errors from fetch functions instead of swallowing
- Distinguish expected conditions (feature not enabled) from real errors
- Display fetch warnings in non-JSON mode
- Continue scanning other repos even if one fails
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Add complexity dropdown to feature request template
- Auto-detect complexity from dropdown selection
- Heuristic fallback based on: checklist count, code blocks,
section headers, file references, and keywords
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add bug_report.yml and feature_request.yml templates
- Add config.yml for issue creation options
- Add auto-label.yml workflow to label issues based on content
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use manual temp directory management with time.Sleep before cleanup
to avoid race condition where state file writes race with t.TempDir's
automatic cleanup.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker containers were creating files as root, causing Go test cleanup
to fail with "permission denied". Now passes --user flag on Unix systems
to run containers as the current user.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add qa watch command for CI monitoring (#47)
Implements `core qa watch` to monitor GitHub Actions after a push:
- Polls workflow runs for a commit until completion
- Shows live progress with pass/fail counts
- On failure, shows job name, failed step, and link to logs
- Exits with appropriate code (0 = passed, 1 = failed)
Usage:
core qa watch # Watch current repo's HEAD
core qa watch --repo X # Watch specific repo
core qa watch --timeout 5m # Custom timeout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): address CodeRabbit feedback on watch command
- Add length check before slicing commitSha to prevent panic on short SHAs
- Count all non-success conclusions as failures (cancelled, timed_out, etc.)
- Use errors.E/Wrap pattern for consistent error handling with operation context
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add context-aware commands and log parsing
- Use exec.CommandContext with timeout context for all gh invocations
so commands are cancelled when deadline expires
- Implement fetchErrorFromLogs using 'gh run view --log-failed'
to extract first meaningful error line from failed workflows
- Pass context through call chain for proper timeout propagation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add review command for PR status (#62)
Add `core qa review` command to show PR review status with actionable
next steps. Answers: "What do I need to do to get my PRs merged?"
and "What reviews am I blocking?"
Features:
- Shows your open PRs with merge status (CI, reviews, conflicts)
- Shows PRs where your review is requested
- Provides actionable suggestions (rebase, address feedback, etc.)
- Flags: --mine, --requested, --repo
Closes#62
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add review command for PR status (#62)
Add `core qa review` command to show PR review status with actionable
next steps. Answers: "What do I need to do to get my PRs merged?"
and "What reviews am I blocking?"
Features:
- Shows your open PRs with merge status (CI, reviews, conflicts)
- Shows PRs where your review is requested
- Provides actionable suggestions (rebase, address feedback, etc.)
- Flags: --mine, --requested, --repo
Closes#62
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): address CodeRabbit feedback on review command
- Fix truncate to use runes for UTF-8 safe string slicing
- Remove unused user parameter from showMyPRs and showRequestedReviews
- Remove unused getCurrentUser function
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): remove duplicate i18n block and improve error handling
- Remove duplicate cmd.qa block in en_GB.json
- Use errors.E consistently for error wrapping
- Require --repo flag when not in a git repository
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* fix(i18n): restore missing translation keys for health command
The locale consolidation in 39de3c2 removed keys still used by
cmd_health.go. Added back:
- cmd.dev.health.* keys (long, repos, to_push, to_pull, etc.)
- common.status.* keys (dirty, clean, synced, up_to_date)
- common.flag.registry
Also fixed workspace.LoadConfig() returning default PackagesDir
when no .core/workspace.yaml exists, which was overriding repo
paths from repos.yaml.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: add nil checks for workspace.LoadConfig callers
LoadConfig now returns nil when no .core/workspace.yaml exists.
Added defensive nil checks to all callers to prevent panics.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: align workspace.LoadConfig error handling
Both call sites now gracefully ignore errors and fall back to defaults,
since workspace config is optional for setup commands.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add qa watch command for CI monitoring (#47)
Implements `core qa watch` to monitor GitHub Actions after a push:
- Polls workflow runs for a commit until completion
- Shows live progress with pass/fail counts
- On failure, shows job name, failed step, and link to logs
- Exits with appropriate code (0 = passed, 1 = failed)
Usage:
core qa watch # Watch current repo's HEAD
core qa watch --repo X # Watch specific repo
core qa watch --timeout 5m # Custom timeout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): address CodeRabbit feedback on watch command
- Add length check before slicing commitSha to prevent panic on short SHAs
- Count all non-success conclusions as failures (cancelled, timed_out, etc.)
- Use errors.E/Wrap pattern for consistent error handling with operation context
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add context-aware commands and log parsing
- Use exec.CommandContext with timeout context for all gh invocations
so commands are cancelled when deadline expires
- Implement fetchErrorFromLogs using 'gh run view --log-failed'
to extract first meaningful error line from failed workflows
- Pass context through call chain for proper timeout propagation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(setup): add github command for repo configuration (#45)
Implements `core setup github` to configure GitHub repos with org
standards including labels, webhooks, branch protection, and security
settings. Supports dry-run mode, per-repo or all-repos operation, and
selective sync of specific settings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(setup): address CodeRabbit feedback on github command
- Sort map keys for deterministic diff output in github_diff.go
- Preserve partial results by adding changes before continue on errors
- Reject conflicting --repo and --all flags with clear error message
- Allow empty webhook URLs (skip instead of error) for optional env vars
- Add content_type comparison in webhook sync
- Add required_status_checks comparison in branch protection sync
- Add DisableDependabotSecurityUpdates for bidirectional security control
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(setup): address additional CodeRabbit feedback
- Use filepath.Join for OS-portable path construction in github_config.go
- Fix stringSliceEqual to use frequency counting for proper duplicate handling
- Simplify change accumulation with variadic append
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Add pkg/workspace package with config and commands
- Integrate with pkg/php/cmd.go for context switching
- Refactor pkg/repos to use pkg/workspace for config
- Register workspace commands in full variant
* fix(docs): respect workspace.yaml packages_dir setting (fixes#46)
* fix(workspace): improve config loading logic (CR feedback)
- Expand ~ before resolving relative paths in cmd_registry
- Handle LoadWorkspaceConfig errors properly
- Update Repo.Path when PackagesDir overrides default
- Validate workspace config version
- Add unit tests for workspace config loading
* docs: add comments and increase test coverage (CR feedback)
- Add docstrings to exported functions in pkg/cli
- Add unit tests for Semantic Output (pkg/cli/output.go)
- Add unit tests for CheckBuilder (pkg/cli/check.go)
- Add unit tests for IPC Query/Perform (pkg/framework/core)
* fix(test): fix panics and failures in php package tests
- Fix panic in TestLookupLinuxKit_Bad by mocking paths
- Fix assertion errors in TestGetSSLDir_Bad and TestGetPackageInfo_Bad
- Fix formatting in test files
* fix(test): correct syntax in services_extended_test.go
* fix(ci): point coverage workflow to go.mod instead of go.work
* fix(ci): build CLI before running coverage
* fix(ci): run go generate for updater package in coverage workflow
* fix(github): allow dry-run publish without gh CLI authentication
Moves validation check after dry-run check so tests can verify dry-run behavior in CI environments.
Add build tags to separate Unix and Windows process handling in pkg/php:
- services_unix.go: Unix-specific process group handling (Setpgid, Getpgid, Kill)
- services_windows.go: Windows-compatible alternatives using os.Signal
- services.go: Use platform-agnostic helper functions
The pkg/php package now compiles on Windows. Process termination works
via os.Interrupt/os.Kill instead of Unix signals.
Fixes#56
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
LinuxKit v1.8.2+ requires double-dash flags (--format, --name, etc.)
instead of single-dash flags. The old flags were being parsed incorrectly,
e.g., `-name` was interpreted as `-n` with value `ame`.
Files updated:
- pkg/build/builders/linuxkit.go
- pkg/php/container.go
- pkg/release/publishers/linuxkit.go
- pkg/release/publishers/linuxkit_test.go
Fixes#50
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Replaces lipgloss/fmt with cli.* functions
- Adds unit tests for new cli components
- Fixes all build errors
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Check() fluent builder for check results
- Task() for task headers
- Section() for section headers
- Hint() for labelled hints
- Severity() for severity-styled output
- Result() for pass/fail results
Consuming packages now have zero display logic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replaces lipgloss with internal ANSI styling
- Updates output functions to use new style and glyph system
- Removes external dependencies from strings.go and errors.go
- Fixes redeclarations in utils.go and runtime.go
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replaces lipgloss with ~100 lines of owned code.
Supports bold, dim, italic, underline, RGB/hex colors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements trust model for distributed agent work:
- Tracks implementer when agent:wip is added
- Requests verification when agent:review is added
- Blocks self-verification (implementer != verifier)
- Records verification result
- Resets to agent:ready on verify-failed
Labels flow: agent:ready → agent:wip → agent:review → verified/verify-failed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `core go qa` command with subcommands:
- fmt: check/fix code formatting (gofmt)
- vet: run go vet
- lint: run golangci-lint
- test: run tests
- race: run tests with race detector
- vuln: check for vulnerabilities (govulncheck)
- sec: run security scanner (gosec)
- quick: fmt, vet, lint only
- full: all checks
Default (no subcommand) runs fmt, vet, lint, test.
All commands support --fix flag where applicable.
Also update Taskfile.yml to use core CLI commands throughout.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add cli.Fatal(err) that prints styled error and exits
- Change cli.Main() to handle errors internally via Fatal()
- Simplify main.go to just: cli.Main()
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract logging to pkg/log for use outside CLI:
- Logger with Debug/Info/Warn/Error levels
- Key-value pairs for structured logging
- Customisable styling and output
- Optional Core framework integration via Service
Enhance pkg/errors with:
- Wrap() and WrapCode() helpers
- Code() for error codes
- Op(), ErrCode(), Message(), Root() extractors
- Standard library wrappers (Is, As, New, Join)
Update pkg/cli/log.go to use pkg/log with CLI styling.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements defence in depth through build variants - only compiled code
exists in the binary. Commands now self-register via cli.RegisterCommands()
in their init() functions, mirroring the i18n.RegisterLocales() pattern.
Structure changes:
- cmd/{ai,build,ci,dev,docs,doctor,go,php,pkg,sdk,setup,test,vm}/ → pkg/*/cmd_*.go
- cmd/core_dev.go, cmd/core_ci.go → cmd/variants/{full,ci,php,minimal}.go
- Added pkg/cli/commands.go with RegisterCommands API
- Updated pkg/cli/runtime.go to attach registered commands
Build variants:
- go build → full (21MB, all 13 command groups)
- go build -tags ci → ci (18MB, build/ci/sdk/doctor)
- go build -tags php → php (14MB, php/doctor)
- go build -tags minimal → minimal (11MB, doctor only)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Design for moving cmd/ into self-registering packages in pkg/:
- RegisterCommands() pattern like RegisterLocales()
- rootCmd stored in core.App
- Build variants via import files with build tags
- Smaller attack surface through selective compilation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add i18n.RegisterLocales(fsys, dir) for packages to register translations
- Locales are automatically loaded when i18n.Init() is called
- Fix gram.word.* loading bug (strings were in wrong switch case)
- Fix loadJSON to merge messages instead of replacing
- Add common.* keys to base locale (labels, flags, progress, etc.)
- Add pkg/php/locales with PHP-specific translations
- pkg/php/i18n.go registers locales via init()
This enables the idiomatic pattern where packages register their
locale files and they're automatically loaded by the i18n system.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add i18n.SetDefault() in CLI service for global i18n.T() access
- Replace explicit cmd.php.qa.* keys with grammar-based composition
- Use i18n.Label(), i18n.ProgressSubject() for structured messages
- Use i18n.done.*, i18n.fail.*, i18n.count.* magic namespaces
- Simplify GetIssueMessage() to use grammar patterns
This reduces translation key explosion by composing messages from
grammar primitives rather than defining explicit keys for every phrase.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename "analyse" check to "stan" (PHPStan is commonly called "stan")
- Command: `core php stan` (with "analyse" alias for compatibility)
- Update QA pipeline to use "stan" for check name
- Update dependency chain: fmt → stan → psalm → test
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add QARunner that wraps process.Service and process.Runner
- Replace sequential runQACheck() with dependency-ordered execution
- Checks run in proper sequence: audit → fmt → analyse → psalm → test → rector/infection
- Process events broadcast via Core ACTION() messages
- Display results with stage grouping and duration tracking
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
