Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
76 commits
Select commit Hold shift + click to select a range
261b2cc
feat(ga): Postgres vs Neo4j parity utilities and verification scripts
northdpole Apr 21, 2026
af936ee
fix(prompt): bounded retries for Gemini generate_content on 429
northdpole Apr 21, 2026
7e1a739
fix(import): migration idempotency, GA behavior, and tooling follow-ups
northdpole Apr 21, 2026
f77d131
style: apply black to touched import and GA modules
northdpole Apr 21, 2026
658ef19
fix(chat): Heroku-safe Gemini retries, 429 JSON, and tests
northdpole Apr 21, 2026
d6d8163
chore: lint
northdpole Apr 21, 2026
20ce418
fix(vertex): Heroku web dynos skip blocking 429 backoff
northdpole Apr 21, 2026
6dcc3d2
fix: handle AI quota limits and configurable models
northdpole Apr 21, 2026
997c172
fix: remove frozen flag definitions and centralise CRE_ALLOW_IMPORT g…
shiwani42 Apr 26, 2026
5d9a2eb
Add OpenCRE as a map analysis resource (#825)
Bornunique911 Apr 27, 2026
63278de
feat(embeddings): smart excerpt alignment and embeddings_url
northdpole Apr 27, 2026
8a46900
chore(embeddings): default CRE_EMBED_SMART_EXTRACT to on
northdpole Apr 27, 2026
495925f
fix(embeddings): require VERTEX_EMBED_CONTENT_MODEL; validate alignme…
northdpole Apr 27, 2026
80379f3
feat(cli): regenerate all embeddings; chatbot uses embeddings_url
northdpole Apr 27, 2026
4b4ea84
fix(chatbot): add embeddingsUrl without replacing hyperlink
northdpole Apr 27, 2026
c4db2e8
test(llm_e2e): run smart-alignment e2e when OpenAI or Gemini key present
northdpole Apr 27, 2026
27e6c16
fix(embeddings): harden alignment JSON parsing across providers
northdpole Apr 27, 2026
d8fe554
fix(cli): preserve explicit DB URI and normalize postgres scheme
northdpole Apr 28, 2026
b010b83
freeze instructions for coding agents
northdpole Apr 28, 2026
11be094
fix(embeddings): log truncated raw output on alignment JSON parse fai…
northdpole Apr 28, 2026
64380de
chore(test): add neo node lookup helper coverage
northdpole Apr 28, 2026
c908a67
feat(cli): add CSV export mode for CRE taxonomy
northdpole Apr 28, 2026
5dcff51
fixup! fix(chatbot): add embeddingsUrl without replacing hyperlink
northdpole Apr 28, 2026
5bfe5a2
fixup! test(llm_e2e): run smart-alignment e2e when OpenAI or Gemini k…
northdpole Apr 28, 2026
102d3ed
feat(scripts): add prod vs staging parity comparison utility
northdpole Apr 28, 2026
c53570d
feat(scripts): add GA queue dashboard helper
northdpole Apr 28, 2026
c6f072f
feat(data): migrate to litellm embedding contract with deploy guardrails
northdpole Apr 28, 2026
ad6b22f
add unbooks and update readme for prod db surgery
northdpole Apr 28, 2026
c0cea79
refactor(prompt-client): retire legacy provider clients and unify tem…
northdpole Apr 28, 2026
361b741
Add RFC for autonomous cheat sheet mapping pipeline (#893)
northdpole Apr 30, 2026
bac59d3
Expose OpenCRE in Gap Analysis standards list (#891)
Bornunique911 Apr 30, 2026
914458b
Improved boilerplate, github link scrolling to readme, and completing…
Bornunique911 May 2, 2026
52805f2
Added CodeRabbit AI Configuration for Automated Code Reviews (#899)
Pa04rth May 7, 2026
89b1643
fix(spreadsheet_parsers): correct function name for validating import…
manshusainishab May 12, 2026
e93ce92
fix: always show all CRE links on CRE pages without collapsing (#901)…
shreeshtripurwarcomp23-coder May 30, 2026
b637225
feat: implement structured extraction checkpoints B1 and B2 (#912)
Abhijeet2409 Jun 8, 2026
d796ff5
Add curated CWE fallback mappings and coverage for issue #472 (#823)
Bornunique911 Jun 9, 2026
f31ee07
fix(web): restore Heroku cache-only map_analysis and add GA health mo…
northdpole Jun 10, 2026
9c77a3f
fix(scripts): send User-Agent in GA health monitor HTTP requests
northdpole Jun 10, 2026
3b104f2
docs(agents): track AGENTS.md with production GA cache-only policy
northdpole Jun 10, 2026
d219a6b
fix(ga): block empty primary cache writes and clobbering
northdpole Jun 10, 2026
bcd3b43
Restore GA sync script with material-only merge upsert.
northdpole Jun 10, 2026
44f4c7b
Add PCI CRE linker, agent ops docs, and address GA review feedback.
northdpole Jun 10, 2026
4c354bc
fix(scripts): drop PROD_DATABASE_URL default from PCI linker
northdpole Jun 10, 2026
0f5f827
Fix IndexError in get_cre_by_db_id when get_CREs is empty
northdpole Jun 11, 2026
68c7d35
Fix OpenCRE map analysis 503 on Heroku (#915)
northdpole Jun 5, 2026
44337b9
Address CodeRabbit review and fix black formatting
northdpole Jun 5, 2026
2e428cd
Add docstrings to satisfy CodeRabbit coverage on PR #918.
northdpole Jun 11, 2026
2ad736b
Add shared Cursor agent instructions for OpenCRE.
northdpole Jun 5, 2026
bc3a8a3
Expand Cursor agent rules and resolve workflow contradictions.
northdpole Jun 5, 2026
721e806
ci(codeql): upgrade CodeQL Action v1->v4 and checkout v2->v4
skypank-coder Jun 1, 2026
47267c1
fix: correct expected tags value in test_dbNodeFromNode
shiwani42 Apr 7, 2026
fc72d69
ci: declare contents:read on test workflow
arpitjain099 May 14, 2026
37417e5
fix: return 400 when text param is missing in text_search
shiwani42 Apr 4, 2026
057186a
Fix float parsing of ISO section codes like 5.10
VivekGhantiwala Mar 11, 2026
cc18a59
test: mock get_all_values for read_spreadsheet ISO section IDs
northdpole Jun 12, 2026
e62f92d
fix(spreadsheet): harden get_all_values row parsing edge cases
northdpole Jun 12, 2026
294b17e
fix(spreadsheet): reject duplicate headers in get_all_values path
northdpole Jun 12, 2026
694f61e
fix: paginate Explorer CRE load and batch-hydrate all_cres
northdpole Jun 12, 2026
e853cd3
fix: address CodeRabbit review on Explorer pagination PR
northdpole Jun 12, 2026
13d2f04
feat(api): add feature-flagged /rest/v1/health endpoint (#936)
skypank-coder Jun 20, 2026
912e2a7
cwe: add XXE search aliases and enforce prohibited CWE exclusions (#939)
Bornunique911 Jun 24, 2026
08387f0
feat: smartlink redirects directly to CRE when only one CRE is linked…
shreeshtripurwarcomp23-coder Jun 24, 2026
3faf529
test: smartlink critical edge-case regression tests (#946)
northdpole Jun 24, 2026
1b1679b
GSoC 2026 Module B — Week 1: input contract, schemas, and benchmark d…
manshusainishab Jun 24, 2026
4485936
GSoC 2026 Module B — Week 2: Stage 1 regex filter + Stage 1.5 sanitiz…
manshusainishab Jun 24, 2026
0e16c2e
feat: implement structured extraction checkpoints B3, B4 and B5 (#921)
Abhijeet2409 Jun 30, 2026
a8fe162
Add OWASP Top 10 and API importer support
Bornunique911 Mar 24, 2026
eefe46e
Fix cheat sheet parser test expectations on importer branches
Bornunique911 Apr 1, 2026
4a64144
Use official OWASP cheat sheet URLs in importer branches
Bornunique911 Apr 1, 2026
cc63aa9
Add OWASP AI resource importer support
Bornunique911 Mar 24, 2026
9a0d65c
Refactor links definition in cheatsheets parser test for improved rea…
Bornunique911 Apr 30, 2026
5c87402
Add support for OWASP Top 10 and AISVS resources in the resource impo…
Bornunique911 Jun 1, 2026
3d764f7
Refactor variable name for clarity in OWASP LLM Top 10 parser test
Bornunique911 Jun 2, 2026
c49cda3
Add a production guard before direct GA recomputation.
Bornunique911 Jun 24, 2026
a1c8289
Update application/cmd/cre_main.py
Bornunique911 Jun 24, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions .coderabbit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# https://docs.coderabbit.ai/reference/configuration

chat:
auto_reply: true
code_generation:
docstrings:
language: en-US
early_access: true
issue_enrichment:
auto_enrich:
enabled: false
language: en-US
reviews:
assess_linked_issues: true
auto_apply_labels: false
auto_review:
base_branches:
- main
drafts: false
enabled: true
collapse_walkthrough: false
high_level_summary: true
high_level_summary_in_walkthrough: true
labeling_instructions: []
poem: false
# Keeping it "chill" initially , will change it to "assertive" once everyone will get accustomed to it
profile: chill
request_changes_workflow: false
review_status: true
sequence_diagrams: false
tone_and_style_guidelines: "You are reviewing code for an open-source project.Be highly encouraging, educational, and explain the 'why' behind any suggested changes."
ignore_paths:
- '*.md'
- 'docs/**'
- 'yarn.lock'
14 changes: 14 additions & 0 deletions .cursor/rules/alembic-deploy-guardrail.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
description: Enforce Alembic DB-revision guardrail before deploy/migration operations
alwaysApply: true
---

# Alembic Deploy Guardrail

- Before any production/staging deploy or migration operation, run the Alembic guardrail check:
- `python scripts/check_alembic_revision_guardrail.py`
- or `make alembic-guardrail`
- If the guardrail reports unknown DB revision(s), stop immediately and do not run migrations until lineage is reconciled.
- For Heroku deploys, keep `Procfile` `release:` wired to the guardrail so incompatible slugs fail before web/worker rollout.
- After backup restore operations, re-run the guardrail before any `flask db upgrade`.

19 changes: 19 additions & 0 deletions .cursor/rules/autonomous-workflow.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
---
description: End-to-end execution policy after plan approval
alwaysApply: true
---

# OpenCRE Autonomous Workflow

Policy: see `AGENTS.md`. Verification: see `verifiable-goals.mdc`.

- For big changes, wait for human plan approval (`multi-agent-workflow.mdc` Phase 1) before editing.
- After approval, execute end-to-end unless blocked by auth/secrets, destructive actions, or material plan deviations.
- Prefer small, safe changes; avoid unrelated refactors.
- Use `Makefile` targets when possible.
- **Always run lint, mypy, and tests after substantive changes; iterate until green.** Show evidence in handoff.
- If commit verification depends on shell initialization, use a zsh-compatible shell context.
- Run long commands in background; monitor until completion.
- Do NOT commit or push unless explicitly asked.
- In commits do not add "made with cursor" lines.
- On substantive changes, recommend or run judge/subagent review before handoff.
26 changes: 26 additions & 0 deletions .cursor/rules/complete-ticket.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
---
description: Requires complete tickets before coding - asks clarifying questions if requirements are missing
globs: "**/*.{md,txt}"
alwaysApply: false
---

# Complete Ticket Requirement

When the user submits a ticket or task via a `.md` or `.txt` file (including `AGENTS.md`):

1. **Check** for: goal, success criteria, context, constraints — same rules as `requirements-gate.mdc`
2. **If missing** → ask clarifying questions; offer the **Requirements template** in `requirements-gate.mdc`; do NOT code
3. **If complete** → follow the decision tree in `multi-agent-workflow.mdc`:
- Trivial (typo, rename, one-liner) → implement directly
- Non-trivial → Plan Mode per `plan-first-workflow.mdc` or Phase 1 per `multi-agent-workflow.mdc` when both apply
- Wait for approval before implementation when planning is required
4. **Never assume** missing details — see `never-assume.mdc`

Verification after implementation: `verifiable-goals.mdc`. Tests for new behavior: `tdd-workflow.mdc`.

## Coding standards (not covered elsewhere)

- **Stack:** Python for backend/application code; TypeScript for new frontend code (`application/frontend/`).
- **Error handling:** Handle expected failure paths explicitly; avoid silent failures; return or raise meaningful errors.
- **Async (frontend):** Prefer `async`/`await` over raw Promise chains or callbacks in new TypeScript.
- **Clean code:** Small functions, clear names, match surrounding module conventions; no drive-by refactors.
29 changes: 29 additions & 0 deletions .cursor/rules/context-management.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
description: Keep agent context focused across tasks and stale threads
alwaysApply: true
---

# Context Management

## Do

- Use `/clear` between unrelated tasks or features.
- Reference files with `@path` instead of pasting entire file contents.
- Use `@Past Chats` to pull in prior work instead of copy-pasting old conversations.
- Start fresh after **2 failed corrections** on the same issue: `/clear`, then write a better prompt that incorporates what you learned.

## Don't

- Let context accumulate across unrelated features in one long thread.
- Describe files vaguely when an `@` reference exists.
- Keep correcting the same mistake in a degrading context — reset instead.

## When context is stale

Signs you should `/clear` and re-prompt:

- Repeated fixes on the same bug without progress
- Agent confuses requirements from an earlier, unrelated task
- Plan has drifted significantly from what was approved

After clearing, restate: goal, approved plan (or link to `.cursor/plans/*.md`), relevant `@` files, and acceptance criteria.
72 changes: 72 additions & 0 deletions .cursor/rules/multi-agent-workflow.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
---
description: Two-phase planning for big changes; builder must not be sole judge
alwaysApply: true
---

# Multi-Agent Workflow (Human Plan → Agent Execute)

For **big changes**, split work into two phases. Do not skip Phase 1.

## What counts as a big change

- New feature, new standard importer, or new user-facing capability
- Expected to touch **3+ files** or **>500 lines** of diff
- Refactor or migration with behavioral risk
- Touches critical paths (auth, secrets, production data, payments)
- Incomplete requirements or meaningful product/design choices

Small fixes: single-file bugfix, typo, test-only tweak, clear one-liner → `plan-first-workflow.mdc` only.

## Phase 1 — Human-led planning (no code)

**Stop before editing.**

1. Acknowledge this is a big change; planning comes first.
2. Ask minimum questions: goal, data sources, pattern to mirror, acceptance criteria, out of scope.
3. Draft a plan: steps, `@` file paths, similar code, test/validation plan, risks.
4. Wait for explicit approval ("proceed", "approved", or confirmed edited plan).
5. No commits, push, or implementation code in Phase 1. Read-only research is fine.
Tests and production code begin in Phase 2 after approval (see `tdd-workflow.mdc`).

## Phase 2 — Agent execution

After approval:

1. Execute per `autonomous-workflow.mdc`.
2. Follow the approved plan; pause if material deviation is needed.
3. Implement incrementally; verify as you go (`verifiable-goals.mdc`).
4. Hand off with checklist including test evidence.

## Builder ≠ Judge (required on substantive work)

| Role | Responsibility |
|------|----------------|
| **Builder** | Implements approved plan |
| **Judge** | Independent review — edge cases, security, test gaps |

Invoke judge via subagent, parallel agent, or fresh context:

- "Use a subagent to review this change for edge cases and security issues."

Do not mark substantive work complete without independent review or documented reason to skip.

**Re-review:** Required only when judge findings change behavior, tests, or security posture materially. Style-only nits fixed in-place do not require a second judge pass.

## Decision tree

```
User request received
├─ Missing goal / criteria / context / constraints?
│ └─ STOP → ask questions OR offer Requirements template (requirements-gate.mdc)
├─ Typo / rename / one-sentence fix?
│ └─ Implement → quality checks → show evidence
├─ Multi-file / new feature / refactor / critical path?
│ └─ Plan Mode → detailed plan → WAIT for approval → implement
│ → quality checks → subagent review → handoff with evidence
└─ Otherwise
└─ Brief plan → implement → quality checks → handoff with evidence
```
30 changes: 30 additions & 0 deletions .cursor/rules/never-assume.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
description: Verify or ask — no guessing packages, APIs, patterns, or incomplete code
alwaysApply: true
---

# Never Assume

| Do NOT | Instead |
|--------|---------|
| Assume package names, API endpoints, DB schema, or file locations | Read the codebase; grep; ask |
| Add new dependencies without explanation | State why, alternatives considered, and get approval |
| Use mocks unless explicitly requested | Prefer integration-style tests matching `@application/tests/` patterns |
| Replace code with placeholders, TODOs, or stubs | Ship complete, working code |
| Write incomplete implementations | Finish the feature or stop and explain what's blocked |
| Guess production/staging targets for DB ops | Confirm target app; follow `production-db-ops-safety.mdc` |
| Commit or push unless asked | Wait for explicit user request |

## Scope and diff discipline

- Minimize scope — smallest correct diff; no drive-by refactors.
- Match surrounding naming, types, imports, and documentation level.
- Comments only for non-obvious business logic.
- Do not add markdown/docs files the user did not ask for.
- Do not use "made with cursor" or similar in commits.

## OpenCRE conventions

- Mirror patterns in existing code (importers, tests, web routes).
- Use Makefile targets over ad-hoc commands when available.
- Prefer `scripts/db/` for production DB operations over raw SQL.
54 changes: 54 additions & 0 deletions .cursor/rules/plan-first-workflow.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
description: Require Plan Mode and user approval before non-trivial implementation
alwaysApply: true
---

# Plan-First Workflow

Apply before non-trivial edits. When criteria overlap with `multi-agent-workflow.mdc` (e.g. new feature, 3+ files), follow **multi-agent** Phase 1 — it is the stricter superset.

## Skip planning only for

- Typos, renames, obvious single-line fixes
- Tasks fully specified with no design choices

## MUST plan before implementing when ANY apply

- New feature or new importer
- Multi-file change (3+ files) or >500 lines expected
- Refactor or migration with behavioral risk
- Touches critical paths (auth, secrets, production data, payments, deploy)
- Requirements have meaningful design choices

## Plan output MUST include

1. **Goal** — restated in one sentence
2. **Files** — exact paths to create/modify/delete
3. **Dependencies** — imports, DB migrations, external APIs, new packages
4. **Steps** — ordered implementation sequence
5. **Tests** — new/updated test files and what they assert
6. **Edge cases** — failure modes, empty input, backwards compatibility
7. **Verification** — exact commands (`make lint`, `make mypy`, `make test`, etc.)
8. **Risks** — what could break and how to detect it

## Approval gate

After presenting the plan, **wait for explicit user approval** ("proceed", "approved",
or an edited plan confirmed by the user) before writing implementation code.

After approval, **tests may be written first** per `tdd-workflow.mdc` — failing tests are not "implementation code" for Phase 1 purposes.

Read-only research (grep, read files, explore codebase) is allowed during planning.

Save approved plans to `.cursor/plans/<feature>.md` when scope is substantial.

## Before editing (Agent Mode)

- Brief plan with reasoning: goal, steps, files touched, validation approach.
- Break into smaller steps; check `scripts/db/` and `scripts/` for deploy/DB/import ops.

## While editing

- Only modify code relevant to the request.
- Never use placeholders — include complete, working code.
- **Reference patterns specifically:** e.g. mirror `@application/utils/external_project_parsers/parsers/pci_dss.py`, tests like `@application/tests/pci_dss_parser_test.py`.
14 changes: 14 additions & 0 deletions .cursor/rules/production-db-ops-safety.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
description: Require all-caps confirmation for destructive production DB operations and prefer pre-op backups
alwaysApply: true
---

# Production DB Operations Safety

- For production database operations, treat destructive actions (`DELETE`, `DROP`, `TRUNCATE`, irreversible `ALTER`) as high risk.
- Prefer using `scripts/db/` operations instead of ad-hoc production DB commands whenever those scripts cover the use case.
- Before proposing or executing destructive production DB actions, require explicit all-caps confirmation from the user.
- Confirmation should be exact and unambiguous (for OpenCRE scripts: `I_UNDERSTAND_OPENCREORG_PROD_DB_DESTRUCTIVE_ACTION`).
- Prefer capturing a fresh backup before destructive production DB actions; if a backup is skipped, clearly explain risk and ask for confirmation again.
- If app/environment target is ambiguous, stop and ask to confirm target app first.

53 changes: 53 additions & 0 deletions .cursor/rules/requirements-gate.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
---
description: Stop and ask clarifying questions before coding when requirements are incomplete
alwaysApply: true
---

# Requirements Gate

If ANY of the following is missing or ambiguous, **STOP and ask clarifying questions**.
Do NOT write, edit, or delete code until the gaps are filled.

| Required | What to ask |
|----------|-------------|
| **Clear goal** | What outcome does the user want? What problem are we solving? |
| **Verifiable success criteria** | Which checks must pass? (tests, typecheck, linter, CI, manual steps) |
| **Context references** | Which files, modules, or prior chats apply? Prefer `@path/to/file` refs when ambiguous. |
| **Constraints** | Out of scope, performance, compatibility, no new deps, prod DB safety, etc. |

## Context references — when `@` refs are required

- **Satisfied without `@`** when the message names specific paths, modules, or patterns clearly (e.g. "add tests for `application/utils/gap_analysis.py`").
- **Ask for `@` refs** when multiple files could apply, the pattern to mirror is unclear, or prior chat/issue context is needed.

## Skip the gate only when

The request is fully specified in one sentence with obvious success criteria and unambiguous context, e.g.
"Fix typo in README line 42" or "Rename `foo` to `bar` in `application/utils/gap_analysis.py`."

## Requirements template (offer when info is missing)

```
## Task
<One-sentence goal>

## Success criteria (all must pass)
- [ ] `make lint`
- [ ] `make mypy`
- [ ] `make test` (or targeted: `python -m unittest application/tests/<module>_test.py`)
- [ ] `make frontend` / `yarn build` (if frontend touched)
- [ ] CI green (`gh pr checks` or Actions UI)
- [ ] Other: ___

## Context
- Files: @path/to/relevant/file.py
- Pattern to mirror: @path/to/similar/implementation.py
- Prior work: @Past Chats / issue # / PR #

## Constraints
- In scope: ___
- Out of scope: ___
- Dependencies: none / explain before adding
- Mocks: allowed / not allowed
- Production DB: N/A / read-only / destructive (requires explicit confirmation)
```
30 changes: 30 additions & 0 deletions .cursor/rules/tdd-workflow.mdc
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
description: Test-first workflow for new behavior, importers, and API changes
alwaysApply: true
---

# TDD Workflow

Use for new behavior, bug fixes with clear reproduction, and importers/API changes where expected I/O is known.

Skip for: typos, pure refactors with existing test coverage, config-only changes.

## Timing relative to planning

- **After plan approval** (or immediately for trivial fixes that skip planning): write failing tests, then implementation.
- Do not write production code before plan approval when planning is required.

## Loop

1. **Write tests first** from expected input/output or acceptance criteria.
2. **Run tests and confirm they fail** for the right reason. Do not write implementation yet.
3. **Commit tests** only when the user explicitly asks to commit mid-flow.
4. **Implement** the minimum code to pass tests. Do not modify tests to make them pass unless requirements changed (say so explicitly).
5. **Iterate** until `make test` (and lint/mypy) pass.
6. **Commit implementation** when the user asks.

## OpenCRE conventions

- Follow patterns in `@application/tests/` (e.g. `@application/tests/pci_dss_parser_test.py` for importers).
- Use test DB setup from existing parser/web tests; avoid unnecessary mocks when integration-style tests match the codebase.
- Prefer one focused test class per behavior area.
Loading