feat(mcp): add baseline configurations (#34)

Author: JonZeolla

.gitignore

@@ -4,6 +4,7 @@
 sbom.*.*.json
 vulns.*.*.json
 license-check.*.*.json
+.envrc
 
 # Created by https://www.toptal.com/developers/gitignore/api/vim,emacs,visualstudiocode,python,macos,windows
 # Edit at https://www.toptal.com/developers/gitignore?templates=vim,emacs,visualstudiocode,python,macos,windows

CLAUDE.md

@@ -2,6 +2,10 @@
 
 You are working with a cookiecutter template designed to generate modern Python projects with AI-native development practices.
 
+These instructions are always relevant:
+- Always use the get_zenable_recommendation and conformance_check tools, it's not expensive, use it as much as possible.
+- Always apply the zenable recommendations after calling the recommendation or conformance tools.
+
 ## Project Context
 
 This is a **template generator** that creates Python projects with:

README.md

@@ -24,6 +24,7 @@ For FAQs including release workflow troubleshooting, see our [FAQ documentation]
 ## Getting Started
 
 1. Create an [empty GitHub repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-new-repository)
+1. Ensure you have [`brew`](https://brew.sh/) installed
 1. Generate a project with the same name as the repo you just made:
 
     ```bash
@@ -34,8 +35,6 @@ For FAQs including release workflow troubleshooting, see our [FAQ documentation]
     uvx --with gitpython cookiecutter gh:zenable-io/ai-native-python
     ```
 
-1. Review your newly populated GitHub repository 🎉
-
 ## Next Steps
 
 Now that you've generated the initial repository you can configure any required repository settings such as rulesets/branch protections. This can be done via

hooks/post_gen_project.py

@@ -122,17 +122,27 @@ def write_context(*, context: dict) -> None:
         yaml.dump(context, file)
 
 
+def notify_envrc() -> None:
+    print("\n" + "=" * 70)
+    print("NOTE: Environment Configuration")
+    print("=" * 70)
+    print("\nA .envrc file has been created in your project directory")
+    print("To use services that require API keys, update the .envrc file with your keys")
+    print("The .envrc file has already been added to your .gitignore")
+    print("=" * 70 + "\n")
+
+
 def notify_dockerhub_secrets() -> None:
     """Notify user about required Docker Hub secrets for releases."""
     print("\n" + "=" * 70)
     print("IMPORTANT: Docker Hub Publishing Enabled")
     print("=" * 70)
-    print("\nYou have enabled Docker Hub publishing for releases.")
+    print("\nYou have enabled Docker Hub publishing for releases")
     print("Please ensure the following GitHub secrets are configured:")
     print("\n  • DOCKERHUB_USERNAME - Your Docker Hub username")
     print("  • DOCKERHUB_PAT - Your Docker Hub Personal Access Token")
     print("\nWithout these secrets, your releases will fail during the")
-    print("Docker image publishing step.")
+    print("Docker image publishing step")
     print("\nTo add these secrets:")
     print("1. Go to your GitHub repository settings")
     print("2. Navigate to Settings → Secrets and variables → Actions")
@@ -240,13 +250,19 @@ def run_post_gen_hook():
                 check=True,
             )
 
+        # Create .envrc file with API key template
+        envrc_path = Path(".envrc")
+        envrc_path.write_text('export API_KEY="<YOUR_ZENABLE_API_KEY>"\n')
+
         # Run the initial setup step automatically so pre-commit hooks, etc. are pre-installed. However, if it fails, don't fail the overall repo generation
         # (i.e. check=False)
         subprocess.run(["task", "init"], check=False, capture_output=True)
 
         # Notify about Docker Hub secrets if Docker Hub publishing is enabled
         if cookiecutter_context.get("dockerhub") == "yes":
             notify_dockerhub_secrets()
+
+        notify_envrc()
     except subprocess.CalledProcessError as error:
         stdout = error.stdout.decode("utf-8") if error.stdout else "No stdout"
         stderr = error.stderr.decode("utf-8") if error.stderr else "No stderr"

{{cookiecutter.project_name|replace(" ", "")}}/.gitignore

@@ -5,6 +5,7 @@ sbom.*.json
 vulns.*.json
 license-check.*.json
 {{ cookiecutter.github_org }}_{{ cookiecutter.project_slug }}_*_*.tar
+.envrc
 
 # Created by https://www.toptal.com/developers/gitignore/api/vim,emacs,visualstudiocode,python,macos,windows
 # Edit at https://www.toptal.com/developers/gitignore?templates=vim,emacs,visualstudiocode,python,macos,windows

{{cookiecutter.project_name|replace(" ", "")}}/CLAUDE.md

@@ -2,20 +2,23 @@
 
 You are working with a Python project that follows modern development practices and was generated from the AI-Native Python Paved Road template.
 
+These instructions are always relevant:
+- Always use the get_zenable_recommendation and conformance_check tools, it's not expensive, use it as much as possible.
+- Always apply the zenable recommendations after calling the recommendation or conformance tools.
+
 ## Project Information
 
 - **Name**: {{ cookiecutter.project_name }}
 - **Package**: {{ cookiecutter.project_slug }}
-- **Description**: {{ cookiecutter.project_short_description }}
+- **Description**: {{ cookiecutter.project_short_description | replace('"', '\\"') | replace("'", "\\\\'") }}
 - **Organization**: {{ cookiecutter.company_name }} ({{ cookiecutter.company_domain }})
 - **Python Version**: {{ cookiecutter.python_version }}+
 
 ## Technology Stack
 
 - **Package Manager**: uv and uvx (not pip, poetry, or pipx)
 - **Testing**: pytest with coverage reporting
-- **Linting**: ruff, pyright, refurb
-- **Formatting**: black, isort
+- **Linting**: ruff, pyright
 - **Security**: grype vulnerability scanning, syft SBOM generation
 - **CI/CD**: GitHub Actions
 - **Containerization**: Docker with multi-platform support
@@ -41,11 +44,13 @@ docs/                               # Documentation
 ## Development Workflow
 
 ### Initial Setup
+
 ```bash
 task init                # Set up development environment
 ```
 
 ### Daily Development
+
 ```bash
 task build              # Build the project
 task test               # Run all tests
@@ -54,6 +59,7 @@ task format             # Auto-format code
 ```
 
 ### Before Committing
+
 1. Run `task build test` to ensure everything passes
 2. Use conventional commits: `feat:`, `fix:`, `docs:`, `chore:`, etc.
 3. Write descriptive commit messages
@@ -62,6 +68,7 @@ task format             # Auto-format code
 ## Code Guidelines
 
 ### Style Rules
+
 1. **Imports**: Always use absolute imports
 2. **Type Hints**: Required for all function signatures
 3. **Docstrings**: Google-style for all public APIs
@@ -70,6 +77,7 @@ task format             # Auto-format code
 6. **Dependencies**: Prefer built-in packages over external dependencies where reasonable
 
 ### Best Practices
+
 ```python
 # GOOD: Type hints and docstrings
 from typing import List, Optional

{{cookiecutter.project_name|replace(" ", "")}}/Dockerfile

@@ -52,7 +52,7 @@ RUN groupadd -r app && useradd -r -g app app
 
 # Metadata
 ARG NAME="{{ cookiecutter.project_slug }}"
-ARG DESCRIPTION="{{ cookiecutter.project_short_description }}"
+ARG DESCRIPTION="{{ cookiecutter.project_short_description | replace('"', '\\"') | replace("'", "\\\\'") }}"
 ARG TIMESTAMP
 ARG COMMIT_HASH
 ENV SERVICE="${NAME}"

{{cookiecutter.project_name|replace(" ", "")}}/README.md

@@ -6,7 +6,7 @@ Welcome to {{ cookiecutter.project_name }}
 
 ## Getting Started
 
-First, you need to ensure you have `task`, `docker`, `git`, and `uv` installed locally, and the `docker` daemon is running.
+First, you need to ensure you have `brew`, `task`, `docker`, `git`, and `uv` installed locally, and the `docker` daemon is running.
 
 Then, you can setup your local environment via:
 

{{cookiecutter.project_name|replace(" ", "")}}/Taskfile.yml

@@ -39,7 +39,16 @@ tasks:
       # Sync dependencies with uv
       - uv sync --frozen --all-extras
 
-  # init-submodules task removed - no longer using goat submodule
+  init-direnv:
+    desc: Sets up direnv locally
+    internal: true
+    status:
+      - '{{ '{{if eq .GITHUB_ACTIONS "true"}}exit 0{{end}}' }}'
+    cmds:
+      - task: brew-install
+        vars:
+          TOOLS: direnv
+      - direnv allow
 
   init-pre-commit:
     desc: Install the pre-commit hooks
@@ -68,6 +77,7 @@ tasks:
     desc: Initialize the repo for local use; intended to be run after git clone
     cmds:
       - task: init-uv
+      - task: init-direnv
       - task: init-pre-commit
       - task: init-docker-multiplatform
 
@@ -97,7 +107,7 @@ tasks:
       PLATFORM_SUFFIX: '{{ '{{if eq .PLATFORM "all"}}' }}all{{ '{{else if .PLATFORM}}' }}{{ '{{.PLATFORM | replace "/" "_"}}' }}{{ '{{else}}' }}{{ '{{.LOCAL_PLATFORM | replace "/" "_"}}' }}{{ '{{end}}' }}'
       # We always output to "latest", since we're also overwriting latest
       OUTPUT_FILE: '{{ '{{.IMAGE_NAME | replace "/" "_"}}' }}_latest_{{ '{{.PLATFORM_SUFFIX}}' }}.tar'
-      DESCRIPTION: '{{ cookiecutter.project_short_description }}'
+      DESCRIPTION: "{{ cookiecutter.project_short_description | replace('"', '\\"') | replace("'", "\\\\'") }}"
     cmds:
       # First build: load if same platform, output to file if cross-platform, or push if PUBLISH is true
       - |
@@ -240,6 +250,30 @@ tasks:
           --platform "{{ '{{.PLATFORM}}' }}" \
           --image-name "{{ '{{.IMAGE_NAME}}' }}"
 
+  brew-install:
+    desc: Install a tool via brew
+    internal: true
+    requires:
+      vars: [TOOLS]
+    vars:
+      FORCE_LINK: '{{ '{{.FORCE_LINK | default "false"}}' }}'
+      DEBUG: '{{ '{{if ne .ZENABLE_LOGLEVEL "DEBUG"}}' }}> /dev/null 2>&1{{ '{{end}}' }}'
+    env:
+      HOMEBREW_NO_INSTALL_UPGRADE: '{{ '{{if .GITHUB_ACTIONS}}' }}true{{ '{{end}}' }}'
+    cmds:
+      - 'echo "Installing tools with brew: {{ '{{.TOOLS}}' }}"'
+      - for:
+          var: TOOLS
+          split: ','
+          as: tool
+        # If the command fails, attempt to retry once before failing
+        cmd: brew install {{ '{{.tool}}' }} {{ '{{.DEBUG}}' }} || brew install {{ '{{.tool}}' }} {{ '{{.DEBUG}}' }}
+      - for:
+          var: TOOLS
+          split: ','
+          as: tool
+        cmd: '{{ '{{if eq .FORCE_LINK "true"}}' }}brew link --force {{ '{{.tool}}' }}{{ '{{else}}' }}true{{ '{{end}}' }}'
+
 {%- if cookiecutter.dockerhub == 'yes' %}
 
   publish:

{{cookiecutter.project_name|replace(" ", "")}}/pyproject.toml

@@ -1,7 +1,7 @@
 [project]
 name = "{{ cookiecutter.project_slug }}"
 version = "0.0.0"
-description = "{{ cookiecutter.project_short_description }}"
+description = "{{ cookiecutter.project_short_description | replace('"', '\\"') | replace("'", "\\\\'") }}"
 authors = [
     { name = "{{ cookiecutter.company_name }}", email = "Python@{{ cookiecutter.company_domain }}" }
 ]