
chore: add Greptile and GitGuardian configs#49

Merged: Jamkris merged 2 commits into main from chore/code-review-bot-configs on Apr 27, 2026

Conversation

@Jamkris Jamkris commented Apr 27, 2026

Summary

Adds in-repo configuration for two of the three review/security bots in active use on the upstream everything-claude-code. All three are free for our case (MIT-licensed public repo).

| Tool | Free for us? | In-repo config? |
| --- | --- | --- |
| Greptile | ✅ via the OSS Perks program (MIT/Apache/GPL) | greptile.json (this PR) |
| GitGuardian | ✅ public-repo free tier | .gitguardian.yaml (this PR) |
| Cubic | ✅ unlimited for public repos | None — GitHub App only |

greptile.json

Mirrors the intent of .coderabbit.yaml:

  • strictness: 2 + commentTypes: [logic, syntax] — bugs and security over style
  • ignoreKeywords — release PRs and dependabot PRs are skipped
  • disabledLabels: ["release", "skip-review"] — manual escape hatch
  • instructions — project base prompt that frames the repo as a Gemini CLI extension and lists the common false-positive patterns to ignore (emoji in markdown, long TOML prompt fields, ~/.gemini/ paths in skills)
  • customContext.rules — per-path guidance for agents/, commands/, skills/, hooks/, scripts/, rules/, docs/ (mirrors path_instructions from CodeRabbit, including the agent tool allowlist)
  • customContext.files — pins .gemini/styleguide.md and scripts/lib/gemini-tools.js as the authoritative references the bot should consult

.gitguardian.yaml

Defaults are fine for most of the tree; this just suppresses noise:

  • secret.ignored_paths — lockfiles, node_modules, binary doc assets, plus tests/lint/fixtures/** and tests/ci/** (the latter embeds intentional hostile-workflow fixtures with ${{ github.event.pull_request.head.sha }} strings that some entropy detectors misfire on)
  • ignored_detectors: ['Generic High Entropy Secret'] — kills the most common false positive, documentation/curl examples

Cubic

No in-repo file. Custom rules are configured in their dashboard, optionally synced from .cursor/rules/ if the team uses those (we don't). Just need to install the app on the repo.

Action items for the maintainer

Out of scope of a code change — these need account/dashboard work:

  • Install the Cubic GitHub App: https://github.com/apps/cubic-dev-ai
  • Apply for the Greptile OSS plan via OSS Perks (https://www.ossperks.com/programs/greptile) — required for free tier; otherwise the trial expires and greptile.json becomes dead config
  • GitGuardian should already pick up .gitguardian.yaml automatically once the org is on the free OSS tier — if not yet installed, install via dashboard

Test plan

  • node -e "JSON.parse(...)" parses greptile.json
  • js-yaml parses .gitguardian.yaml (v2 schema)
  • npm run lint — clean
  • npm test — 187/187 pass (no behavior change)
  • After merge, watch the next non-release PR to verify Greptile picks up the config (instructions visible in walkthrough, dependabot/release titles correctly skipped)

Summary by CodeRabbit

  • Chores
    • Configured automated secret scanning to detect and prevent sensitive credentials and information from entering the repository, with customized detection patterns and exclusions for various file types, dependencies, and directories.
    • Added comprehensive code quality and governance configuration with specific rules, guidelines, and standards to enforce best practices and consistency throughout the project.

Summary by cubic

Add in-repo configs for Greptile (code review) and GitGuardian (secret scanning) on OSS free tiers. Tightens review focus on bugs/security and reduces noise without hiding real issues.

  • New Features

    • greptile.json: strictness: 2 with commentTypes: [logic, syntax]; precise skip rules via ignoreKeywords (e.g., chore: release, dependabot) and disabledLabels: ["release", "skip-review"]; section fields use objects; ignores lockfiles/assets. Adds project instructions, per-path rules, and pins .gemini/styleguide.md and scripts/lib/gemini-tools.js as references. Rule fixes: hooks-only “no console.log”; shell scripts require set -e (aligned with the styleguide).
    • .gitguardian.yaml: keeps detectors enabled; uses path-scoped ignores for known false positives (rules/**/security.md, **/SKILL.md) and suppresses noise from lockfiles, node_modules, binary docs, and test fixtures. Fails on real findings.
  • Migration

    • Apply for the Greptile OSS plan so the config is active.
    • Ensure the GitGuardian app is installed; it will auto-load .gitguardian.yaml.

Written for commit e97b09c. Summary will update on new commits.

Both tools are free for public OSS repos under MIT/Apache/GPL — Greptile
via the OSS Perks program, GitGuardian via the public-repo free tier.
Cubic is also free for public repos but is configured purely through
the GitHub App, with no in-repo file needed.

greptile.json
  - strictness 2 + commentTypes [logic, syntax] (matches CodeRabbit's
    "bugs and security over style" stance)
  - ignoreKeywords: bump version / release / chore: bump / chore(release)
    / chore(deps) so dependabot and release PRs don't get noisy reviews
  - disabledLabels: release, skip-review (manual escape hatch)
  - ignorePatterns: lockfiles, node_modules, *.DS_Store, binary doc assets
  - instructions: project base prompt — Gemini CLI extension, not a
    typical app; common false-positive flags called out
  - customContext.rules: per-path guidance mirroring path_instructions
    in .coderabbit.yaml — agents (tool allowlist), commands (egc-
    prefix), skills, hooks, scripts, rules, docs
  - customContext.files: pins .gemini/styleguide.md and the gemini-tools
    lib as authoritative references

.gitguardian.yaml
  - secret.ignored_paths: lockfiles, node_modules, binary doc assets,
    plus tests/lint/fixtures/** and tests/ci/** (the latter embeds
    `${{ github.event.pull_request.head.sha }}` strings as hostile
    workflow fixtures, which entropy-style detectors can misfire on)
  - ignored_detectors: 'Generic High Entropy Secret' to suppress noise
    from documentation examples and curl snippets

Lint clean / 187 tests pass.

Action items for the maintainer (not in-repo):
  - Install Cubic GitHub App: https://github.com/apps/cubic-dev-ai
  - Apply for Greptile OSS plan: https://www.ossperks.com/programs/greptile
  - GitGuardian app should already pick up .gitguardian.yaml automatically
    once the org is on the free OSS tier
coderabbitai Bot commented Apr 27, 2026

Walkthrough

This PR introduces two new configuration files: GitGuardian setup for secret detection with customized exclusions and disabled entropy detector, and Greptile configuration for AI-assisted code review with governance rules, scanning controls, and tool validation guidance.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Configuration Files: .gitguardian.yaml, greptile.json | New configuration files: GitGuardian excludes specific paths (lockfiles, node_modules, docs assets, test fixtures) and disables high-entropy detector to reduce false positives; Greptile enables AI code review with embedded governance rules for CLI extensions, command naming/description, markdown sections, and schema validation constraints. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

security

🚥 Pre-merge checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding two configuration files (Greptile and GitGuardian) to the repository. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.gitguardian.yaml:
- Around line 32-33: Remove the global disabling of the "Generic High Entropy
Secret" detector under the ignored_detectors key and instead scope exceptions to
known test/example files: delete the entry '- 'Generic High Entropy Secret''
from ignored_detectors and add path-scoped ignores or inline allowlists for the
specific fixtures/docs that contain fake secrets (use the config's per-path
ignore rules or inline allowlisting mechanism) so the detector remains active
for the rest of the repo.

In `@greptile.json`:
- Around line 38-39: The rule text and its "scope" are mismatched: update
greptile.json so the ban on console.log applies only to hook scripts (e.g.,
change "scope" to ["hooks/**/*.js"] or split into two rules — one rule with the
Node.js guidance scoped to ["scripts/**/*.js","tests/**/*.js"] and a separate
rule whose "rule" string specifically forbids console.log and whose "scope" is
["hooks/**/*.js"]); ensure you edit the "rule" and corresponding "scope" entries
(the JSON keys "rule" and "scope") so each rule's text matches its scope.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d3cefd1c-64a5-4d05-aed9-0712da85f677

📥 Commits

Reviewing files that changed from the base of the PR and between 2c0f7e7 and ed340dd.

📒 Files selected for processing (2)
  • .gitguardian.yaml
  • greptile.json

greptile-apps Bot commented Apr 27, 2026

Greptile Summary

This PR adds greptile.json and .gitguardian.yaml to configure two OSS-free review/security bots. Both files are well-structured — the Greptile config correctly aligns shell-script rules with the styleguide's set -e standard and the ignoreKeywords list avoids the overly-broad bare "release" token.

  • The PR description states that .gitguardian.yaml includes ignored_detectors: ['Generic High Entropy Secret'], but this field is absent from the committed file. Files outside the listed ignored_paths (e.g. READMEs with curl examples) may still trigger false positives from that detector.

Confidence Score: 4/5

Safe to merge with one minor discrepancy to resolve or document.

Both config files are structurally valid and well-reasoned. The only finding is a P2 discrepancy between the PR description's claim about ignored_detectors and the actual file content — no behavior in the codebase is broken, but the GitGuardian scan may be noisier than intended for files outside the explicit exclusion paths.

.gitguardian.yaml — verify whether ignored_detectors: ['Generic High Entropy Secret'] was intentionally omitted or accidentally dropped.

Important Files Changed

| Filename | Overview |
| --- | --- |
| greptile.json | New Greptile config: strictness 2, logic/syntax comments only, correct set -e shell rule, per-path context rules, and two pinned reference files. Previous review concerns (bare release keyword, shell flag mismatch) are resolved. |
| .gitguardian.yaml | New GitGuardian v2 config with good path exclusions for lockfiles, assets, and test fixtures; however, ignored_detectors: ['Generic High Entropy Secret'] is mentioned in the PR description but absent from the committed file. |

Reviews (3): Last reviewed commit: "fix: address review feedback on PR #49"

greptile-apps Bot commented Apr 27, 2026

Greptile Summary

This PR adds two bot configuration files — greptile.json for Greptile code review and .gitguardian.yaml for secret scanning — with no changes to application logic. The tool allowlist in greptile.json matches scripts/lib/gemini-tools.js exactly, per-path rules align with existing CI validators, and .gitguardian.yaml correctly suppresses known false-positive detectors on lockfiles and test fixtures.

Confidence Score: 5/5

Safe to merge — both config files are well-structured with no application logic changes; only minor P2 findings remain.

All findings are P2 (style/suggestion level): a shell-safety-directive mismatch between greptile.json and the styleguide that may produce noisy bot comments, and a broad directory exclusion in .gitguardian.yaml that is a known trade-off documented in the PR. Neither blocks correct behavior of the application or CI.

The greptile.json shell rule should be aligned with .gemini/styleguide.md before the next non-release PR to avoid spurious bot comments on compliant scripts.

Important Files Changed

| Filename | Overview |
| --- | --- |
| greptile.json | Adds Greptile bot configuration with per-path rules, agent tool allowlist, and PR filtering; the shell script safety directive (set -euo pipefail) conflicts with the styleguide's set -e requirement and may cause false-positive bot comments. |
| .gitguardian.yaml | Adds GitGuardian v2 secret-scanning config; path exclusions and detector suppression are reasonable, though the broad tests/ci/** exclusion creates a blind spot for that directory. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    PR[Pull Request opened/updated] --> GG{GitGuardian\nsecret scan}
    PR --> GR{Greptile\ncode review}

    GG --> GG_IGNORE{ignored_paths\nor ignored_detectors?}
    GG_IGNORE -- Yes --> GG_SKIP[Skip / no alert]
    GG_IGNORE -- No --> GG_SCAN[Scan for secrets]
    GG_SCAN --> GG_RESULT{Secret found?}
    GG_RESULT -- Yes, exit_zero=false --> GG_FAIL[Check fails]
    GG_RESULT -- No --> GG_PASS[Check passes]

    GR --> GR_KEYWORD{Title matches\nignoreKeywords?}
    GR_KEYWORD -- Yes --> GR_SKIP[Skip review]
    GR_KEYWORD -- No --> GR_LABEL{Has\ndisabledLabel?}
    GR_LABEL -- Yes --> GR_SKIP
    GR_LABEL -- No --> GR_DRAFT{Draft PR?}
    GR_DRAFT -- Yes --> GR_SKIP
    GR_DRAFT -- No --> GR_REVIEW[Review with\nstrictness=2\nlogic+syntax only]
    GR_REVIEW --> GR_RULES[Apply per-path\ncustomContext rules]
    GR_RULES --> GR_POST[Post inline comments\n+ summary section]

Reviews (2): Last reviewed commit: "chore: add Greptile and GitGuardian conf..."

@cubic-dev-ai cubic-dev-ai Bot left a comment


4 issues found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".gitguardian.yaml">

<violation number="1" location=".gitguardian.yaml:32">
P1: Disabling `Generic High Entropy Secret` globally weakens secret scanning coverage and can hide real leaked credentials. Prefer path-scoped ignores for noisy fixtures instead of turning off this detector for the whole repository.</violation>
</file>

<file name="greptile.json">

<violation number="1" location="greptile.json:8">
P2: Section config fields use booleans, but Greptile expects objects for `summarySection`/`confidenceScoreSection`/`sequenceDiagramSection`.</violation>

<violation number="2" location="greptile.json:11">
P2: The bare keyword `"release"` in `ignoreKeywords` will cause Greptile to skip review on **any** PR whose title or description contains the word "release" as a substring — e.g., "Add release notes", "Document feature release process", or "Fix memory release bug". The other entries (`chore: bump`, `chore(release)`, `chore(deps)`) are specific enough. Consider removing the bare `release` or replacing it with a more specific pattern like `chore: release` to avoid unintended review suppression.</violation>

<violation number="3" location="greptile.json:39">
P2: The `"No console.log in hook scripts"` directive is hook-specific, but the `scope` includes `tests/**/*.js` where `console.log` is perfectly normal. This will generate false positive comments on test files. Narrow the scope to hook-related paths only, or split into separate rules.</violation>
</file>

CodeRabbit + cubic + Greptile flagged five issues; all valid.

greptile.json
  - section fields now use the documented object shape
    { included, collapsible, defaultOpen } instead of bare booleans
    (cubic P2; verified against
    greptile.com/docs/code-review-bot/greptile-json)

  - removed the bare "release" keyword from ignoreKeywords; was too
    broad — would have skipped review on PRs titled "Add release
    notes", "Document release process", "Fix memory release bug", etc.
    Replaced with the more specific `chore: release`. Other entries
    (chore: bump, chore(release), chore(deps)) keep the dependabot/
    release-PR coverage. (cubic P2, Greptile P2)

  - split the Node.js general-style rule from the hook-specific
    "no console.log" directive. The original rule scoped console.log
    enforcement to scripts/**/*.js + tests/**/*.js, which would
    flag every test file (tests legitimately use console.log to
    report results). The no-console-log clause now lives on the
    hooks-scoped rule. (CodeRabbit nitpick, cubic P2)

  - aligned the shell-script rule with .gemini/styleguide.md: the
    styleguide mandates `set -e`, the rule had `set -euo pipefail`.
    Greptile would have flagged styleguide-compliant scripts as
    non-compliant. (Greptile P2)

.gitguardian.yaml
  - removed the global `ignored_detectors: ['Generic High Entropy
    Secret']` entry. Disabling the detector repo-wide could mask a
    real leaked secret outside the noisy paths. (CodeRabbit major,
    cubic P1)

  - replaced with two additional path-scoped entries that target the
    actual sources of false positives:
      rules/**/security.md   — documentation examples (e.g. the
                                fake `sk-proj-xxxxx` placeholder)
      **/SKILL.md           — skill docs that may show fake API
                                tokens for illustration

    The detector remains active for the rest of the tree.

Lint clean / 187 tests pass.
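The GitGuardian change this commit message describes, as an added illustration that is not the PR's committed .gitguardian.yaml: the repo-wide detector switch-off the bots flagged is shown commented out beside the path-scoped form that replaced it. The v2 keys are ggshield's; the glob patterns and the placeholder hash are assumptions.

```yaml
# Added illustration, not the committed .gitguardian.yaml. Glob patterns and
# the placeholder hash are assumptions; the keys follow the ggshield v2 schema.
version: 2

# Keep the check failing on real findings (false is also the default).
exit_zero: false

secret:
  # Weak form flagged by CodeRabbit and cubic: switching the detector off for
  # the whole repository also hides a genuine high-entropy token committed
  # anywhere outside the noisy paths.
  #
  # ignored_detectors:
  #   - Generic High Entropy Secret

  # Corrected form: every detector stays on; only the known sources of false
  # positives are excluded, and only by path.
  ignored_paths:
    - package-lock.json          # lockfiles
    - node_modules/**
    - docs/**/*.png              # binary doc assets
    - tests/lint/fixtures/**     # intentionally hostile workflow fixtures
    - tests/ci/**                # contain ${{ github.event.pull_request.head.sha }}
    - rules/**/security.md       # documentation examples such as sk-proj-xxxxx
    - "**/SKILL.md"              # skill docs that show fake API tokens

  # Narrower still: allowlist one known placeholder value by its SHA-256 hash
  # instead of a whole file, so a different secret landing in that file is
  # still reported. The hash below is a placeholder, not a real digest.
  ignored_matches:
    - name: documentation placeholder key
      match: 0000000000000000000000000000000000000000000000000000000000000000
```

The trade-off the reviews point out remains: any path listed under ignored_paths is a blind spot for that directory, so each entry should name the narrowest glob that covers the fixture it exists for.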
@Jamkris Jamkris changed the title chore: add Greptile and GitGuardian configs (OSS-free tier) chore: add Greptile and GitGuardian configs Apr 27, 2026
@Jamkris Jamkris merged commit 35f75bb into main Apr 27, 2026
10 checks passed
@Jamkris Jamkris added ⚙ Setting Tooling, CI, dependencies, build setup 🛡 Security Security-relevant change or vulnerability labels Apr 27, 2026