chore: add dev rig — CI, pre-commit hooks, release-plz #4

Merged
boorad merged 3 commits into main from worktree-dev-rig-setup
Apr 23, 2026

@boorad boorad commented Apr 23, 2026

Summary

Adds development infrastructure: CI pipeline, pre-commit hooks, automated releases, and project conventions.

Changes

  • CLAUDE.md — project overview, build commands, architecture summary, conventional commit rules
  • Pre-commit hook (.githooks/pre-commit) — cargo fmt --check, cargo clippy -D warnings, cargo test
  • CI workflow (.github/workflows/ci.yml) — fmt, clippy, test on PRs and main pushes; concurrency group to cancel stale runs
  • Release automation (release-plz.toml + .github/workflows/release-plz.yml) — automated version bumps, changelogs, and GitHub releases via conventional commits
  • rust-toolchain.toml — pins stable with rustfmt and clippy components
  • cargo fmt — applied across existing codebase to pass CI checks
  • .gitignore — added .claude/settings.local.json and .claude/worktrees/

Testing

cargo fmt -- --check  # passes
cargo clippy -- -D warnings  # passes
cargo test  # 60/60 pass

Summary by CodeRabbit

  • Chores

    • Added pre-commit checks to validate formatting, linting, and tests before commits
    • Added CI workflow to run formatting, linting, and tests on pushes and PRs
    • Added automated release workflow and release configuration
    • Pinned Rust toolchain and required components
    • Updated ignore rules for local tooling files
  • Documentation

    • Added comprehensive project documentation
  • Style

    • Applied formatting and stylistic cleanups across the codebase

boorad added 2 commits April 22, 2026 21:21
Add project development infrastructure:
- CLAUDE.md with build commands, architecture overview, and conventions
- Pre-commit hook (cargo fmt --check, clippy -D warnings) in .githooks/
- GitHub Actions CI workflow (fmt, clippy, test) on PRs and main
- release-plz config and workflow for automated versioning and releases
- rust-toolchain.toml pinning stable with rustfmt and clippy
- Run cargo fmt across codebase to fix pre-existing formatting issues
- Add concurrency group to CI workflow to cancel stale runs
- Add cargo test to pre-commit hook for parity with CI
- Fix language support listing (Java is in progress, not shipped)
- Fix docs: typo (doc: → docs:) per conventional commits spec
- Add .claude/worktrees/ to .gitignore
@boorad boorad self-assigned this Apr 23, 2026

coderabbitai Bot commented Apr 23, 2026

Walkthrough

Adds local pre-commit checks and GitHub Actions workflows for CI and releases, pins the Rust toolchain, updates project docs/configs, and applies non-functional formatting refactors across multiple Rust source files. (No public API or behavioral changes.)

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI/CD Workflows & Hook: .githooks/pre-commit, .github/workflows/ci.yml, .github/workflows/release-plz.yml | Adds a pre-commit hook that runs cargo fmt -- --check, cargo clippy -- -D warnings, and cargo test. Adds CI workflow for format/lint/test and a release-plz workflow for automated releases/PRs. |
| Config & Docs: .gitignore, CLAUDE.md, release-plz.toml, rust-toolchain.toml | Ignores local Claude files; adds CLAUDE.md with setup/architecture/conventions; adds release-plz configuration; pins Rust toolchain to stable and requests rustfmt and clippy. |
| Formatting & Minor Local Edits: src/cli.rs, src/commands/rules.rs, src/commands/scan.rs, src/config.rs, src/output/json.rs, src/output/text.rs, src/rego/grouping.rs, src/rego/templates.rs, src/rego/validator.rs, src/rules/embedded.rs, src/rules/mod.rs, src/scanner/discovery.rs, src/scanner/imports.rs, src/scanner/matcher.rs, src/types.rs | Widespread non-functional reformatting (reflowed expressions, multi-line -> single-line changes), minor message text tweaks and one error message index boundary text change. No logic or API changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • feat: implement zift CLI scanner and Rego policy generation #1: Modifies many of the same source files that were reformatted here (e.g., src/cli.rs, src/commands/*), indicating related styling/cleanup changes.
  • EnforceAuth/mono#282: Changes documentation and .claude-related files overlapping with the .gitignore and CLAUDE.md edits in this PR.

Poem

🐰
I hopped through lines both bold and neat,
I nudged the hooks to guard each feat,
CI hums and release-plz sings,
Rustfmt trims my fluffy things,
Clippy watches every beat.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 55.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes: adding development infrastructure (CI, pre-commit hooks, and release-plz automation) which aligns with the file additions and modifications documented in the PR objectives. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@amazon-q-developer amazon-q-developer Bot left a comment

Summary

This PR establishes development infrastructure for the Zift project, including CI pipeline, pre-commit hooks, and automated release workflows. The changes are well-structured and align with conventional commit practices.

Critical Issue

Permission inconsistency in release-plz workflow: The release-plz-release job specifies pull-requests: read which conflicts with the workflow-level pull-requests: write permission. This will cause the release action to fail when attempting to update pull requests. The job-level permission takes precedence and must be corrected to pull-requests: write.

Assessment

Once the permission issue is resolved, this PR will provide a solid foundation for automated testing, formatting enforcement, and semantic versioning. The infrastructure choices (GitHub Actions, release-plz, pre-commit hooks) are appropriate for a Rust project of this type.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
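
How GitHub Actions resolves the workflow-level versus job-level conflict this review describes, as an added example that is not part of the PR or the project's workflow file: a job-level permissions block replaces the workflow-level one rather than merging with it, and scopes it omits fall to none. The WORKFLOW dict is constructed sample data (only the job names and the two pull-requests values come from the page), and SCOPES is an illustrative subset.

```python
# Added example: compute the GITHUB_TOKEN scopes each job actually receives.
# WORKFLOW is constructed sample data, not the project's release-plz.yml.

SCOPES = ("contents", "pull-requests", "issues", "id-token")  # illustrative subset
RANK = {"none": 0, "read": 1, "write": 2}

def resolve(block):
    """Expand one `permissions:` value into {scope: level}; None means no block."""
    if block is None:
        return None  # repository/organization default token permissions apply
    if block in ("read-all", "write-all"):
        level = block.split("-")[0]
        return {scope: level for scope in SCOPES}
    # Inside an explicit mapping, every scope that is not listed becomes "none".
    return {scope: block.get(scope, "none") for scope in SCOPES}

def effective_permissions(workflow, job_name):
    """A job-level block replaces the workflow-level block; they are never merged."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return resolve(job["permissions"])
    return resolve(workflow.get("permissions"))

def narrowed_scopes(workflow, job_name):
    """Scopes where the job gets less access than the workflow-level block grants."""
    top = resolve(workflow.get("permissions"))
    eff = effective_permissions(workflow, job_name)
    if top is None or eff is None:
        return {}
    return {s: (top[s], eff[s]) for s in SCOPES if RANK[eff[s]] < RANK[top[s]]}

WORKFLOW = {  # constructed: "contents" values and the empty job are assumptions
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {
        "release-plz-release": {
            "permissions": {"contents": "write", "pull-requests": "read"},
        },
        "release-plz-pr": {},  # no job-level block: inherits the workflow-level one
    },
}

if __name__ == "__main__":
    for name in WORKFLOW["jobs"]:
        print(name, effective_permissions(WORKFLOW, name), narrowed_scopes(WORKFLOW, name))
```

Running the same resolver over every workflow in a repository shows which jobs hold write scopes they inherited rather than declared.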

Comment thread .github/workflows/release-plz.yml

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
CLAUDE.md (1)

19-21: Document the CI-exact formatting check command for clarity.

Line 19 says cargo fmt (writes changes), while CI enforces cargo fmt -- --check. Adding the check command here helps contributors preflight exactly what CI runs.

Suggested patch
 cargo test
-cargo fmt          # required before committing
+cargo fmt          # format locally
+cargo fmt -- --check
 cargo clippy -- -D warnings
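Review bot: on the replaced `cargo fmt` line, the comment changes from `# required before committing` to `# format locally`, which removes the only statement in this block that formatting is mandatory, and the added `cargo fmt -- --check` line carries no comment at all. Move the requirement onto the check line, for example `cargo fmt -- --check   # required before committing; same check CI runs`, so the block still says which command gates a commit.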
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CLAUDE.md` around lines 19 - 21, Update the CLAUDE.md formatting instructions
to match the CI command: replace or augment the plain "cargo fmt" line with the
exact check invocation "cargo fmt -- --check" (or add it alongside "cargo fmt")
so contributors run the same check CI enforces; keep the existing "cargo clippy
-- -D warnings" line as-is. Ensure the guidance mentions this is the CI-exact
preflight command and mirrors the current diff lines referencing "cargo fmt" and
"cargo clippy -- -D warnings".
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-plz.yml:
- Around line 11-52: Add a workflow-level concurrency block to serialize all
release jobs (so release-plz-release and release-plz-pr cannot run concurrently)
by adding a top-level concurrency key with a stable group string (e.g., group:
release-plz-${{ github.ref }} or release-plz-${{ github.workflow }}) and set
cancel-in-progress appropriately (false to let running jobs finish) so only one
release workflow for the same group runs at a time; update the workflow YAML to
include this concurrency block above the jobs section.

In `@src/scanner/matcher.rs`:
- Around line 71-76: The bounds error message in the ZiftError::General
construction inside the scanner/matcher logic reports the maximum as
compiled.capture_names.len(), which is off-by-one; update the message to show
the highest valid index (compiled.capture_names.len().saturating_sub(1) or
formatted as `{}` using `len - 1`) so it reads "max <highest_valid_index>" and
keep the same context including compiled.rule.id and capture.index to locate the
code.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1cb95ced-0bc1-4084-b998-2f4d546d009f

📥 Commits

Reviewing files that changed from the base of the PR and between 01eb8e7 and 3f70a4b.

📒 Files selected for processing (22)
  • .githooks/pre-commit
  • .github/workflows/ci.yml
  • .github/workflows/release-plz.yml
  • .gitignore
  • CLAUDE.md
  • release-plz.toml
  • rust-toolchain.toml
  • src/cli.rs
  • src/commands/rules.rs
  • src/commands/scan.rs
  • src/config.rs
  • src/output/json.rs
  • src/output/text.rs
  • src/rego/grouping.rs
  • src/rego/templates.rs
  • src/rego/validator.rs
  • src/rules/embedded.rs
  • src/rules/mod.rs
  • src/scanner/discovery.rs
  • src/scanner/imports.rs
  • src/scanner/matcher.rs
  • src/types.rs

Comment thread .github/workflows/release-plz.yml
Comment thread src/scanner/matcher.rs

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
src/scanner/matcher.rs (1)

67-77: ⚠️ Potential issue | 🟡 Minor

Use saturating_sub(1) in the error message to guard against potential usize underflow.

While the capture_names vector is guaranteed to be non-empty at runtime (the compile_query function requires a @match capture to exist), the subtraction at line 75 can technically underflow. Use compiled.capture_names.len().saturating_sub(1) to ensure safe error reporting.

Proposed fix
                 .ok_or_else(|| {
                     ZiftError::General(format!(
                         "rule '{}': capture index {} out of range (max {})",
                         compiled.rule.id,
                         capture.index,
-                        compiled.capture_names.len() - 1,
+                        compiled.capture_names.len().saturating_sub(1),
                     ))
                 })?;
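Review bot: at the changed argument, `saturating_sub(1)` removes the underflow but makes the message read `(max 0)` when `capture_names` is empty, which names index 0 as valid when no index is. Reporting the count instead, for example `capture index {} out of range ({} captures)` with `compiled.capture_names.len()`, needs no subtraction and stays accurate in the empty case.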
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/scanner/matcher.rs` around lines 67 - 77, The error message building in
the block that accesses compiled.capture_names for capture.index can underflow
when subtracting 1 from compiled.capture_names.len(); update the error string
construction (the ZiftError::General creation used when .get(...) returns None)
to use compiled.capture_names.len().saturating_sub(1) instead of
compiled.capture_names.len() - 1 to prevent usize underflow while keeping the
same diagnostic text; locate the code around the capture_names access in
function/method handling compiled and capture.index and replace the subtraction
with saturating_sub(1).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 02783fb9-8af7-428d-b168-2e9e6981ec30

📥 Commits

Reviewing files that changed from the base of the PR and between 3f70a4b and 062d7d2.

📒 Files selected for processing (2)
  • .github/workflows/release-plz.yml
  • src/scanner/matcher.rs
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/release-plz.yml

@boorad boorad merged commit 20b961c into main Apr 23, 2026
2 checks passed
@boorad boorad deleted the worktree-dev-rig-setup branch April 23, 2026 01:44