feat: v0.2 batch — 6 issues (#106 #79 #85 #80 #74 #108)#112

Merged: ajianaz merged 5 commits into develop from feature/v0.2-batch on Jun 2, 2026

@ajianaz (Collaborator) commented Jun 2, 2026

Summary

Batch implementation of 6 issues for v0.2 release.

Quick Wins

Medium

Feature

Stats

  • 16 files changed, +336 / -403 lines (excluding lockfile)
  • 224 tests passing, 0 clippy warnings, fmt clean
  • New module: src/progress.rs (399 lines)

Summary by CodeRabbit

  • New Features

    • Added --progress flag to review command for structured progress updates
    • Added "Reviewed by Cora" watermark to all output formats when issues are detected
    • Support for custom CA certificates via REQUESTS_CA_BUNDLE environment variable
    • System prompt customization for review analysis
  • Chores

    • Enhanced security audit checks in CI pipeline
    • Improved project scanning performance

… TLS, progress (#106 #79 #85 #80 #74 #108)

- #106: Add output footer watermark (terminal/SARIF/JSON) showing Cora version
- #79: Remove blanket #![allow(dead_code)], targeted cleanup (27 warnings resolved)
- #85: Add cargo-audit CI job for dependency CVE scanning
- #80: Replace naive .gitignore parser with ignore crate (ripgrep-grade)
- #74: Add REQUESTS_CA_BUNDLE env var support for corporate proxy TLS certs
- #108: Add --progress flag for NDJSON stderr progress output

Co-authored-by: CodeCora <codecora@users.noreply.github.com>

coderabbitai Bot commented Jun 2, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cc706a29-6064-4679-89e7-bc028d2d2ce3

📥 Commits

Reviewing files that changed from the base of the PR and between 0e57ed7 and 3bdb66c.

📒 Files selected for processing (5)
  • .github/actions/cora-review/action.yml
  • .github/workflows/ci.yml
  • src/engine/llm.rs
  • src/engine/scanner.rs
  • src/main.rs
📝 Walkthrough

This PR introduces structured progress reporting for cora review via a new NDJSON event stream, integrates it throughout the review pipeline, adds version watermarks to all output formatters, improves file scanning with the ignore crate, and performs API cleanup with dead-code annotations.

Changes

Progress Reporting and Review Pipeline Enhancement

Layer (files): summary

  • Progress Reporting Infrastructure (src/progress.rs, Cargo.toml): New ProgressEvent enum with lifecycle variants (started, parsing_diff, calling_llm, llm_response, complete, error), TokenInfo struct for token counts/costs, ProgressReporter that serializes events to NDJSON on stderr when enabled or acts as no-op when disabled, and diff_stats() utility extracting file/line counts from unified diffs.
  • CLI Integration and Main Wiring (src/main.rs): Adds --progress boolean flag to review subcommand, removes crate-level dead-code suppression, creates and manages ProgressReporter instance based on flag, threads progress field through Command and ReviewOpts, emits started event on command initialization, and forces quiet=true when progress is enabled.
  • Review Command Progress Events (src/commands/review.rs, src/main.rs): execute_review now accepts ProgressReporter, computes diff stats and emits parsing_diff event, wraps LLM call with timing and emits calling_llm before invocation and llm_response/error after, emits final complete event with issue count and token usage. Removes EXIT_ERROR constant, retaining only EXIT_OK.
  • LLM Engine Quiet Mode (src/engine/llm.rs): review_diff accepts new quiet: bool parameter that conditionally creates spinner (None when quiet, Some when not). All spinner operations gated behind Option using spinner.as_ref() pattern, including parse-retry paths. Adds custom CA certificate support via REQUESTS_CA_BUNDLE env var. Marks Usage struct dead_code for API completeness.
  • Review Engine Quiet Threading and System Prompts (src/engine/review.rs): Threads quiet parameter through review_diff_with_cache to llm::review_diff. Adds resolve_system_prompt() function with inline-first precedence and canonical-path traversal guard. Removes exported review_diff, review_diff_with_stream, and scan_project functions. Removes ScanResponse import.
  • Output Formatting Watermarks (src/formatters/compact.rs, src/formatters/json_fmt.rs, src/formatters/pretty.rs, src/formatters/sarif.rs): All formatters add "Reviewed by Cora v{CARGO_PKG_VERSION}" watermark when issues non-empty: compact and pretty append text footer; JSON adds reviewed_by object with tool/version; SARIF adds invocations array with cora.watermark property. Tests verify watermark absence for empty issues and presence when issues exist.
  • File Scanning Migration and API Cleanup (src/engine/scanner.rs, Cargo.toml, src/config/providers.rs, src/engine/types.rs, src/git/diff.rs, src/git/files.rs, src/hook/install.rs): Replaces walkdir with ignore crate's WalkBuilder for native nested .gitignore support. Removes manual gitignore filtering. Changes providers.rs from first_detected_preset() to detected_presets(). Adds #[allow(dead_code)] annotations to IssueType, CLI constants, is_inside_git_repo, and is_hook_installed for future API completeness. Clears src/git/files.rs.
  • CI Security Audit (.github/workflows/ci.yml): Adds new audit job running actions-rs/audit-check with GITHUB_TOKEN on ubuntu-latest before the test job.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

  • ajianaz/cora-cli#106: PR implements the requested output watermark footer across all formatters (compact, pretty, JSON, SARIF) showing "Reviewed by Cora v".
  • ajianaz/cora-cli#108: PR implements the exact NDJSON progress API (ProgressReporter, ProgressEvent variants, diff_stats, --progress CLI flag, stderr emission) described in the issue.

Possibly related PRs

  • ajianaz/cora-cli#43: Both PRs modify the review pipeline's --quiet flag handling; this PR threads quiet into llm::review_diff to control spinner behavior, building on prior CLI flag wiring.
  • ajianaz/cora-cli#109: Both PRs modify spinner creation and state management in src/engine/llm.rs; this PR refactors around conditional quiet-based spinner creation while the related PR addresses create_spinner error handling.

Poem

🐰 Progress whispers down the wire,
NDJSON events now inspire,
Watermarks of Cora trace,
Each review's finishing grace,
Quiet spinners, streaming fire!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name: status, explanation

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the PR as a batch of v0.2 changes implementing six specific GitHub issues, which aligns with the actual changeset scope and objectives.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands and usage tips.
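
The walkthrough above credits resolve_system_prompt() with inline-first precedence and a canonical-path traversal guard; in std-only Rust that combination looks like this. It is an added example, not code from this PR or from cora-cli: the signature, the error kinds and the constructed demo directory are assumptions.

```rust
use std::path::{Path, PathBuf};
use std::{env, fs, io, process};

// Added illustration, not the code from src/engine/review.rs: the function name
// comes from the walkthrough, the signature and error kinds are assumptions.
pub fn resolve_system_prompt(
    inline: Option<&str>,
    file: Option<&Path>,
    base: &Path,
) -> io::Result<Option<String>> {
    // Inline-first precedence: a non-empty inline prompt wins, no file is read.
    if let Some(text) = inline.filter(|t| !t.trim().is_empty()) {
        return Ok(Some(text.to_string()));
    }
    let Some(file) = file else { return Ok(None) };
    // Resolve `..` and symlinks on both sides before comparing.
    let base = fs::canonicalize(base)?;
    let target = fs::canonicalize(base.join(file))?;
    // Component-wise check: /x/project-evil is not inside /x/project.
    if !target.starts_with(&base) {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("prompt path escapes {}", base.display()),
        ));
    }
    fs::read_to_string(target).map(Some)
}

// Constructed layout: <tmp>/cora-demo-<pid>/project/prompts/review.txt plus a
// file outside the project root that must stay unreadable through the resolver.
pub fn demo_project() -> io::Result<PathBuf> {
    let root = env::temp_dir().join(format!("cora-demo-{}", process::id()));
    fs::create_dir_all(root.join("project/prompts"))?;
    fs::write(root.join("project/prompts/review.txt"), "Focus on auth code.")?;
    fs::write(root.join("outside.txt"), "not for the model")?;
    Ok(root.join("project"))
}

fn main() -> io::Result<()> {
    let base = demo_project()?;
    for p in ["prompts/review.txt", "../outside.txt", "prompts/../../outside.txt"] {
        match resolve_system_prompt(None, Some(Path::new(p)), &base) {
            Ok(text) => println!("{p}: accepted {text:?}"),
            Err(e) => println!("{p}: rejected ({e})"),
        }
    }
    Ok(())
}
```

fs::canonicalize fails for a missing file, so a nonexistent prompt path surfaces as NotFound instead of passing the containment check. The check and the read are separate steps, so the base directory should not be writable by an untrusted party in between.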


github-actions Bot commented Jun 2, 2026

🔍 Cora AI Code Review

Blocked — critical issues found.

🔴 Error (3)

  • src/git/files.rs:1 — The entire contents of src/git/files.rs were replaced with a comment. Functions like open_repo, list_tracked_files, list_changed_files, list_staged_files, list_all_changed_files, filter_by_globs, and is_gitignored were all removed. If any other module in the codebase imports and uses these functions, this will cause compilation errors. Even if no current callers exist, this is a significant removal of public API surface that should be verified carefully.
  • src/engine/review.rs:62 — The scan_project function was entirely removed from src/engine/review.rs. If the scan command or any other module calls crate::engine::review::scan_project, this will cause a compilation error. The ScanResponse type import was also removed from this file.
  • src/config/providers.rs:65 — The first_detected_preset function was removed. If any module calls crate::config::providers::first_detected_preset, this will cause a compilation error.

Review powered by cora-cli · BYOK · MIT


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

3-7: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Workflow triggers violate coding guideline: missing push to develop branch.

The coding guideline requires CI/CD to run on push to the develop branch, but the workflow currently only triggers on push to main. This means commits pushed directly to develop will not be validated.

📋 Proposed fix to add develop branch trigger
 on:
   pull_request:
     branches: [develop]
   push:
-    branches: [main]
+    branches: [main, develop]
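
Review bot: The unchanged pull_request filter above the changed line (branches: [develop]) still limits PR-triggered runs to pull requests that target develop, so a PR opened against main gets no CI run even though the guideline quoted with this suggestion asks for checks on all PRs. Either drop that branches filter or add main to it in the same change. With develop added to the push list, every merge into develop also starts a second full run after the PR run, so a concurrency group for the workflow is worth considering.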

As per coding guidelines: "CI/CD must run build, test, clippy, and fmt checks on push to develop branch and on all PRs using the ci.yml workflow".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 3 - 7, The workflow's triggers under
the on: block only run push to main and misses pushes to develop; update the
push trigger (the push key under on:) to include the develop branch so CI runs
on pushes to develop as required by policy and still runs on PRs (pull_request).
Locate the on: -> push configuration in ci.yml and add "develop" to the branches
list so both main and develop are included.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 50-58: The CI job named "audit" currently uses the archived action
identifier actions-rs/audit-check@35b7b53b...; replace that uses entry with the
maintained rustsec action (rustsec/audit-check) and pin it to an immutable ref
(specific commit SHA) instead of the archived actions-rs one, preserving the
existing with: block (token: ${{ secrets.GITHUB_TOKEN }}) and the job name
"audit" and runs-on setting. Ensure the new action's inputs match the current
token usage and any required args from rustsec/audit-check.

In `@src/engine/scanner.rs`:
- Around line 72-77: WalkBuilder::new(root) currently enables
git_ignore/git_global/git_exclude but leaves the default require_git behavior,
so .gitignore files won't be honored outside a git repository; update the
WalkBuilder chain (the builder that calls hidden(), git_ignore(), git_global(),
git_exclude(), and build()) to explicitly call require_git(false) before build()
so .gitignore and global excludes are respected even when the root is not inside
a git repo.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8908b7da-8906-4d82-bd51-a1b1ae4b5df0

📥 Commits

Reviewing files that changed from the base of the PR and between 592cda7 and 0e57ed7.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (17)
  • .github/workflows/ci.yml
  • Cargo.toml
  • src/commands/review.rs
  • src/config/providers.rs
  • src/engine/llm.rs
  • src/engine/review.rs
  • src/engine/scanner.rs
  • src/engine/types.rs
  • src/formatters/compact.rs
  • src/formatters/json_fmt.rs
  • src/formatters/pretty.rs
  • src/formatters/sarif.rs
  • src/git/diff.rs
  • src/git/files.rs
  • src/hook/install.rs
  • src/main.rs
  • src/progress.rs
💤 Files with no reviewable changes (1)
  • src/config/providers.rs

CTO Hermes and others added 4 commits June 2, 2026 10:27
…t(false)

- Replace archived actions-rs/audit-check with rustsec/audit-check (official RustSec)
- Add .require_git(false) to WalkBuilder for safe gitignore outside repos

Co-authored-by: CodeCora <codecora@users.noreply.github.com>

Cora review CI failed on v0.2 PR (58K chars > 50K default limit).
Added --max-diff-size flag to review command, set 200K in cora-review action.

Co-authored-by: CodeCora <codecora@users.noreply.github.com>

The --max-diff-size flag won't work until v0.2 is released (CI uses v0.1.8).
Instead, create a temp .cora-ci.yaml with hook.max_diff_size: 200000
and use CORA_CONFIG env var (supported since v0.1.x).

Co-authored-by: CodeCora <codecora@users.noreply.github.com>

Cora review caught that tls_built_in_root_certs(false) disables ALL
system roots. If the custom bundle is incomplete (e.g. only proxy cert),
connections to upstream APIs fail. Fix: just add_root_certificate()
on top of built-in certs instead of replacing them.

Fixes cora review blocking issue on PR #112.

Co-authored-by: CodeCora <codecora@users.noreply.github.com>

@ajianaz ajianaz merged commit ed412a9 into develop Jun 2, 2026
9 checks passed
@ajianaz ajianaz deleted the feature/v0.2-batch branch June 2, 2026 03:58