* feat(security): add core security command for vulnerability alerts
Adds `core security` command area to expose GitHub security data:
- `core security alerts` - aggregated view of all security alerts
- `core security deps` - Dependabot vulnerability alerts with upgrade paths
- `core security scan` - CodeQL and code scanning alerts
- `core security secrets` - secret scanning alerts
Features:
- Filter by --repo, --severity (critical,high,medium,low)
- JSON output with --json for AI agent consumption
- Aggregated summary with severity breakdown
- Shows patched versions for easy upgrades
Closes #48
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(security): address CodeRabbit review feedback
- Remove unused flattened fields from DependabotAlert struct
- Add Unknown field to AlertSummary for unrecognized severities
- Add doc comments for exported Add and String methods
- Use cli.Wrap for contextual error wrapping
- Fix secret scanning summary counting after filter
- Remove unused --vulnerable flag from deps command
- Fix JSON output to only include open alerts in secrets command
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(security): handle json.MarshalIndent errors
Address CodeRabbit review feedback by properly handling errors from
json.MarshalIndent in all security subcommands instead of ignoring them.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
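The severity filter, the `Unknown` bucket and the count-after-filter fix described in the commits above, sketched as an added example (not the project's own code). `AlertSummary`, `Add` and the `Unknown` field are named in the commit messages; `normalize`, `Summarize`, the remaining fields and the sample input are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// AlertSummary counts alerts per severity; Unknown keeps unrecognized values visible.
type AlertSummary struct{ Critical, High, Medium, Low, Unknown, Total int }

func normalize(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// Add records one alert under its normalized severity.
func (s *AlertSummary) Add(severity string) {
	s.Total++
	known := map[string]*int{
		"critical": &s.Critical, "high": &s.High,
		"medium": &s.Medium, "low": &s.Low,
	}
	bucket, ok := known[normalize(severity)]
	if !ok {
		bucket = &s.Unknown // e.g. "moderate", "error", or an empty string
	}
	*bucket++
}

// Summarize applies a comma-separated filter (empty keeps all) before counting.
func Summarize(severities []string, filter string) AlertSummary {
	want := map[string]bool{}
	for _, f := range strings.Split(filter, ",") {
		if n := normalize(f); n != "" {
			want[n] = true
		}
	}
	var sum AlertSummary
	for _, sev := range severities {
		if len(want) == 0 || want[normalize(sev)] {
			sum.Add(sev)
		}
	}
	return sum
}

func main() {
	sample := []string{"critical", "HIGH", "moderate", "low", ""} // constructed input
	fmt.Printf("%+v\n", Summarize(sample, ""))
	fmt.Printf("%+v\n", Summarize(sample, "critical,high"))
}
```

Without the `Unknown` bucket, the two unrecognized entries in the sample would be missing from every per-severity count while still being present in the data.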
* feat(monitor): add security findings aggregation command
Implements `core monitor` to aggregate security findings from GitHub:
- Code scanning alerts (Semgrep, Trivy, Gitleaks, CodeQL, etc.)
- Dependabot vulnerability alerts
- Secret scanning alerts
Features:
- Scan current repo, specific repo, or all repos via registry
- Filter by severity (--severity critical,high)
- JSON output for piping to other tools (--json)
- Grouped output by repo with severity highlighting
Closes #49
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(monitor): address CodeRabbit review feedback
- Fix DependabotAlert JSON parsing with proper nested struct for
dependency.manifest_path field
- Remove unnecessary --jq flag from code scanning API call
- Fix truncate() to use runes for proper UTF-8 handling
- Sort repo names for deterministic output ordering
- Document hardcoded org fallback behavior
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(monitor): improve error handling per CodeRabbit review
- Use errors.E() consistently instead of errors.Wrap()
- Pass underlying errors to errors.E() for better context
- Return errors from fetch functions instead of swallowing
- Distinguish expected conditions (feature not enabled) from real errors
- Display fetch warnings in non-JSON mode
- Continue scanning other repos even if one fails
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add qa watch command for CI monitoring (#47)
Implements `core qa watch` to monitor GitHub Actions after a push:
- Polls workflow runs for a commit until completion
- Shows live progress with pass/fail counts
- On failure, shows job name, failed step, and link to logs
- Exits with appropriate code (0 = passed, 1 = failed)
Usage:
core qa watch # Watch current repo's HEAD
core qa watch --repo X # Watch specific repo
core qa watch --timeout 5m # Custom timeout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): address CodeRabbit feedback on watch command
- Add length check before slicing commitSha to prevent panic on short SHAs
- Count all non-success conclusions as failures (cancelled, timed_out, etc.)
- Use errors.E/Wrap pattern for consistent error handling with operation context
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add context-aware commands and log parsing
- Use exec.CommandContext with timeout context for all gh invocations
so commands are cancelled when deadline expires
- Implement fetchErrorFromLogs using 'gh run view --log-failed'
to extract first meaningful error line from failed workflows
- Pass context through call chain for proper timeout propagation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add review command for PR status (#62)
Add `core qa review` command to show PR review status with actionable
next steps. Answers: "What do I need to do to get my PRs merged?"
and "What reviews am I blocking?"
Features:
- Shows your open PRs with merge status (CI, reviews, conflicts)
- Shows PRs where your review is requested
- Provides actionable suggestions (rebase, address feedback, etc.)
- Flags: --mine, --requested, --repo
Closes #62
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): address CodeRabbit feedback on review command
- Fix truncate to use runes for UTF-8 safe string slicing
- Remove unused user parameter from showMyPRs and showRequestedReviews
- Remove unused getCurrentUser function
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): remove duplicate i18n block and improve error handling
- Remove duplicate cmd.qa block in en_GB.json
- Use errors.E consistently for error wrapping
- Require --repo flag when not in a git repository
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
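Three of the fixes listed in the qa commits above (the length check before slicing `commitSha`, rune-based `truncate`, and counting every non-success conclusion as a failure), as an added example that is not the project's own code. The function names `shortSHA` and `tally`, the 7-character length, the treatment of an empty conclusion as "still running" and the sample strings are assumptions.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// shortSHA returns up to 7 characters; a bare sha[:7] panics on shorter input.
func shortSHA(sha string) string {
	if len(sha) < 7 {
		return sha
	}
	return sha[:7]
}

// truncate slices runes rather than bytes, so the result is always valid UTF-8.
func truncate(s string, limit int) string {
	if limit < 0 {
		limit = 0
	}
	r := []rune(s)
	if len(r) <= limit {
		return s
	}
	return string(r[:limit])
}

// tally fails closed: any finished run that is not "success" counts as failed.
// An empty conclusion is treated as still running (assumption).
func tally(conclusions []string) (passed, failed, pending int) {
	for _, c := range conclusions {
		switch c {
		case "":
			pending++
		case "success":
			passed++
		default: // failure, cancelled, timed_out, and anything unexpected
			failed++
		}
	}
	return
}

func main() {
	// Byte slicing "naïve"[:3] cuts the two-byte "ï" in half; rune slicing does not.
	fmt.Println(utf8.ValidString("naïve"[:3]), truncate("naïve", 3))
	fmt.Println(shortSHA("abc"), shortSHA("0123456789abcdef"))
	fmt.Println(tally([]string{"success", "cancelled", "timed_out", "", "failure"}))
}
```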
* fix(i18n): restore missing translation keys for health command
The locale consolidation in 39de3c2 removed keys still used by
cmd_health.go. Added back:
- cmd.dev.health.* keys (long, repos, to_push, to_pull, etc.)
- common.status.* keys (dirty, clean, synced, up_to_date)
- common.flag.registry
Also fixed workspace.LoadConfig() returning default PackagesDir
when no .core/workspace.yaml exists, which was overriding repo
paths from repos.yaml.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: add nil checks for workspace.LoadConfig callers
LoadConfig now returns nil when no .core/workspace.yaml exists.
Added defensive nil checks to all callers to prevent panics.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: align workspace.LoadConfig error handling
Both call sites now gracefully ignore errors and fall back to defaults,
since workspace config is optional for setup commands.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add qa watch command for CI monitoring (#47)
Implements `core qa watch` to monitor GitHub Actions after a push:
- Polls workflow runs for a commit until completion
- Shows live progress with pass/fail counts
- On failure, shows job name, failed step, and link to logs
- Exits with appropriate code (0 = passed, 1 = failed)
Usage:
core qa watch # Watch current repo's HEAD
core qa watch --repo X # Watch specific repo
core qa watch --timeout 5m # Custom timeout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(qa): address CodeRabbit feedback on watch command
- Add length check before slicing commitSha to prevent panic on short SHAs
- Count all non-success conclusions as failures (cancelled, timed_out, etc.)
- Use errors.E/Wrap pattern for consistent error handling with operation context
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add context-aware commands and log parsing
- Use exec.CommandContext with timeout context for all gh invocations
so commands are cancelled when deadline expires
- Implement fetchErrorFromLogs using 'gh run view --log-failed'
to extract first meaningful error line from failed workflows
- Pass context through call chain for proper timeout propagation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(setup): add github command for repo configuration (#45)
Implements `core setup github` to configure GitHub repos with org
standards including labels, webhooks, branch protection, and security
settings. Supports dry-run mode, per-repo or all-repos operation, and
selective sync of specific settings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(setup): address CodeRabbit feedback on github command
- Sort map keys for deterministic diff output in github_diff.go
- Preserve partial results by adding changes before continue on errors
- Reject conflicting --repo and --all flags with clear error message
- Allow empty webhook URLs (skip instead of error) for optional env vars
- Add content_type comparison in webhook sync
- Add required_status_checks comparison in branch protection sync
- Add DisableDependabotSecurityUpdates for bidirectional security control
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(setup): address additional CodeRabbit feedback
- Use filepath.Join for OS-portable path construction in github_config.go
- Fix stringSliceEqual to use frequency counting for proper duplicate handling
- Simplify change accumulation with variadic append
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Add i18n.RegisterLocales(fsys, dir) for packages to register translations
- Locales are automatically loaded when i18n.Init() is called
- Fix gram.word.* loading bug (strings were in wrong switch case)
- Fix loadJSON to merge messages instead of replacing
- Add common.* keys to base locale (labels, flags, progress, etc.)
- Add pkg/php/locales with PHP-specific translations
- pkg/php/i18n.go registers locales via init()
This enables the idiomatic pattern where packages register their
locale files and they're automatically loaded by the i18n system.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move grammar data (verbs, nouns, articles) from "common" to "gram"
namespace - a tribute to Gram (grandmother) and short for grammar.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite i18n package to handle nested JSON natively
- Remove go-i18n dependency in favour of simple custom implementation
- Flatten nested keys to dot notation internally (cli.confirm.yes)
- Support pluralisation with one/other keys
- Template interpolation with {{.Var}} syntax
- Update tests for new API and nested structure
Nested JSON is the standard format for translation tools,
making it easier to manage with external translation services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add pkg/framework/core with GUI-agnostic DI/service framework
(extracted from core-gui, Wails dependencies removed)
- Add pkg/agentic/prompts with embedded commit instructions
- Improve dev push: detect uncommitted changes, offer Claude commit
- Add claudeEditCommit for cases needing Write/Edit permissions
- Add i18n keys for diverged branches and uncommitted changes
- Fix infinite loop when only untracked files remain after commit
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename en.json to en_GB.json (British English)
- Add en_US.json with American spellings (color, analyze, etc.)
- Add en_AU.json for Australian English
- Set BritishEnglish as the bundle default language
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>