chore: pre-push quality gates + automated PR review tooling#3
Open
giggsoinc wants to merge 2 commits into
Adds five developer-tooling scripts plus a pre-push hook to enforce
CLAUDE.md coding rules and catch issues before they reach review.
New scripts under scripts/:
- check_code_quality.py — AST-based gate: 150-LOC limit, header +
audit-log presence, hardcoded credential scan, type-hint coverage,
stray print() detection.
- check_code_model.py — structural model compliance: forbids cx_Oracle
(we use oracledb), bare `import fitz`, load_dotenv() inside functions,
camelCase locals; requires preprocess_text + temperature=0 +
count_tokens before LLM calls.
- vuln_scan.py — GPT-5.5-driven vulnerability scan over staged/changed
files (OWASP Top 10 + secrets + AWS IAM patterns).
- pr_review.py — GPT-5.5-driven diff review that posts findings as
GitHub PR comments via the gh CLI.
- install-hooks.sh — one-shot installer that symlinks scripts/hooks/
into .git/hooks.
Hook:
- scripts/hooks/pre-push — runs the four checkers above and blocks the
push if any fails.
Side fix:
- chat/engine.py — trailing whitespace/comma noise in _SCOPED_TOOLS
dict (no behaviour change).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 11, 2026
Summary
Adds developer tooling to enforce CLAUDE.md coding rules before code reaches review, plus a GPT-5.5-driven PR-review and vuln-scan layer that posts findings as GitHub comments.
What changed
New scripts (scripts/):
- check_code_quality.py — AST-based gate: 150-LOC limit, header + audit-log presence, hardcoded credential scan, type-hint coverage, stray `print()` detection.
- check_code_model.py — structural model compliance: forbids `cx_Oracle` (we use `oracledb`), bare `import fitz`, `load_dotenv()` inside functions, camelCase locals. Requires `preprocess_text` + `temperature=0` + `count_tokens` before any LLM call.
- vuln_scan.py — GPT-5.5-driven vulnerability scan over staged/changed files (OWASP Top 10 + secrets + AWS IAM patterns).
- pr_review.py — GPT-5.5-driven diff review that posts findings as GitHub PR comments via `gh api`.
- install-hooks.sh — one-shot installer that symlinks scripts/hooks/ into .git/hooks.
Hook:
- hooks/pre-push — runs the four checkers above and blocks the push if any fails.
Side fix
- ghost-ai-scanner/src/chat/engine.py — trailing whitespace/comma noise inside `_SCOPED_TOOLS` dict. No behaviour change.
Why
CLAUDE.md prescribes hard rules (≤150 LOC/file, headers, audit logs, type hints, temperature=0, no stdout in MCP servers, etc.). Up to now nothing enforced them. This adds a local pre-push gate so violations are caught at the developer's machine, not by a reviewer.
The GPT-5.5 review/vuln scripts are opt-in — they run only when invoked, and `pr_review.py` requires `OPENAI_API_KEY` in `.env`.
Reviewer notes
- Run `bash scripts/install-hooks.sh` once to wire it up. Nothing fires automatically on first clone.
- `pre-commit` (Shay-Rolls) is untouched.
- `--no-verify` was needed because the local Shay-Rolls hook hard-blocks on a missing `.shay-rolls/manifest.json` that's unrelated to these changes.
Test plan
- `python scripts/check_code_quality.py scripts/pr_review.py` → exits 0
- `python scripts/check_code_model.py scripts/vuln_scan.py` → exits 0
- `bash scripts/install-hooks.sh` → symlinks pre-push without error
- Add a deliberate violation (e.g. a stray `print()`), attempt push — verify the hook blocks it
🤖 Generated with Claude Code
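The AST-based checks that check_code_quality.py and check_code_model.py are described as performing, as an added example. This is not the PR's own code: it is a small stand-alone gate, written here for illustration, that implements the rules the description states precisely enough to encode (LOC limit, stray `print()`, hardcoded string credentials, type-hint coverage, the `cx_Oracle` ban, `load_dotenv()` inside a function, camelCase locals). The rule ids, the credential-name regex, the camelCase regex, the `Finding` type and the constructed sample file are assumptions; the header/audit-log, `import fitz` and `preprocess_text`/`temperature=0`/`count_tokens` rules are left out because the PR does not say how they are defined.

```python
"""Added example (not the PR's scripts/check_code_quality.py or check_code_model.py):
a small AST-based pre-push gate implementing several rules the PR description lists.
Rule ids, the two regexes and the sample file below are assumptions for illustration."""
import ast
import re
import sys
from dataclasses import dataclass

MAX_LOC = 150                                      # file-length limit named in the PR
FORBIDDEN_MODULES = {"cx_Oracle": "use oracledb"}  # driver rule named in the PR
CRED_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.I)  # assumed pattern
CAMEL_CASE = re.compile(r"^[a-z]+[A-Z][A-Za-z0-9]*$")                    # assumed pattern


@dataclass(frozen=True, order=True)
class Finding:
    line: int
    rule: str
    message: str


def _is_call_to(node: ast.AST, name: str) -> bool:
    """True for a call whose callee is the bare name `name`, e.g. print(...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == name)


def _check_function(fn: ast.AST) -> list[Finding]:
    out: list[Finding] = []
    # type-hint coverage: every parameter except self/cls, and the return, is annotated
    args = fn.args.posonlyargs + fn.args.args + fn.args.kwonlyargs
    missing = [a.arg for a in args if a.arg not in ("self", "cls") and a.annotation is None]
    if missing or fn.returns is None:
        out.append(Finding(fn.lineno, "type-hints", f"{fn.name}: unannotated {missing or 'return'}"))
    for node in ast.walk(fn):
        # load_dotenv() belongs at module import time, not inside a function body
        if _is_call_to(node, "load_dotenv"):
            out.append(Finding(node.lineno, "dotenv-in-function", f"load_dotenv() inside {fn.name}()"))
        # camelCase local: a Store-context name starting lowercase with a capital later on
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store) and CAMEL_CASE.match(node.id):
            out.append(Finding(node.lineno, "camelcase-local", f"local '{node.id}' is camelCase"))
    return out


def check_source(src: str) -> list[Finding]:
    """Run every rule over one file's source text; return violations sorted by line."""
    findings: list[Finding] = []
    loc = sum(1 for ln in src.splitlines() if ln.strip())
    if loc > MAX_LOC:
        findings.append(Finding(1, "max-loc", f"{loc} non-blank lines exceeds {MAX_LOC}"))
    for node in ast.walk(ast.parse(src)):
        if _is_call_to(node, "print"):                        # stray stdout
            findings.append(Finding(node.lineno, "no-print", "stray print() call"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):  # forbidden driver module
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                root = name.split(".")[0]
                if root in FORBIDDEN_MODULES:
                    findings.append(Finding(node.lineno, "forbidden-import", f"{root}: {FORBIDDEN_MODULES[root]}"))
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str) and node.value.value):
            for tgt in node.targets:                          # NAME = "literal" with a secret-like NAME
                if isinstance(tgt, ast.Name) and CRED_NAME.search(tgt.id):
                    findings.append(Finding(node.lineno, "hardcoded-credential", f"{tgt.id} is a string literal"))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            findings.extend(_check_function(node))
    # nested functions are walked twice (module walk + enclosing function's walk), so dedupe
    return sorted(set(findings))


# Constructed sample (not a file from the project) that trips six of the rules.
SAMPLE = '''\
import cx_Oracle
from dotenv import load_dotenv

API_KEY = "sk-example-not-a-real-key"

def connect(dsn):
    load_dotenv()
    connString = dsn.upper()
    print(connString)
    return connString

def typed(dsn: str) -> str:
    return dsn
'''


def gate(paths: list[str]) -> int:
    """Pre-push style entry point: 0 when every file is clean, 1 otherwise."""
    rc = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for f in check_source(fh.read()):
                print(f"{path}:{f.line}: [{f.rule}] {f.message}")
                rc = 1
    return rc


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(gate(sys.argv[1:]))
    for f in check_source(SAMPLE):
        print(f"sample:{f.line}: [{f.rule}] {f.message}")
```

Run with no arguments to see the six findings on the embedded sample, or pass file paths to get the exit-code behaviour a pre-push hook needs: the hook only has to run the script over the changed files and abort the push when it returns non-zero. The credential check is deliberately narrow (a string literal assigned to a secret-looking name); it complements rather than replaces the GPT-driven vuln_scan.py the PR describes.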