chore: add test suite, CI/CD, LICENSE, CHANGELOG for PyPI readiness

- MIT LICENSE file
- CHANGELOG.md (v0.1.0)
- 48 pytest tests: all 5 pattern detectors, CLI integration, data models
- GitHub Actions: test.yml (matrix py3.9-3.12) + publish.yml (trusted publishing)
- Fixed pytest config to exclude fixture files from collection
- Verified build produces clean sdist + wheel

Author: Mike Bumpus

.github/workflows/publish.yml

@@ -0,0 +1,66 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  id-token: write  # Required for trusted publishing
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: python -m pip install --upgrade pip build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [build, test]
+    environment: pypi
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        # Uses trusted publishing — no API token needed
+        # Configure at: https://pypi.org/manage/account/publishing/

.github/workflows/test.yml

@@ -0,0 +1,43 @@
+name: Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Lint with ruff
+        run: ruff check codesentry/
+
+      - name: Type check with mypy
+        run: mypy codesentry/ --ignore-missing-imports
+        continue-on-error: true
+
+      - name: Run tests
+        run: pytest tests/ -v --tb=short --cov=codesentry --cov-report=term-missing
+
+      - name: Verify CLI works
+        run: |
+          codesentry --version
+          codesentry patterns
+          codesentry scan tests/fixtures/clean_file.py

.gitignore

@@ -14,3 +14,13 @@ venv/
 *.swo
 .idea/
 .vscode/
+
+# Crewly Codes internal artifacts
+history.md
+bugs.yaml
+specs/
+testing/
+dist/
+.pytest_cache/
+__pycache__/
+*.egg-info/

CHANGELOG.md

@@ -0,0 +1,21 @@
+# Changelog
+
+All notable changes to CodeSentry will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-01-31
+
+### Added
+- Initial release — Phase 0 MVP
+- 5 AST-based pattern detectors:
+  - **CS001**: Generic exception swallowing
+  - **CS002**: Placeholder code in production (TODO/FIXME with stubs)
+  - **CS003**: Blocking calls in async functions
+  - **CS004**: Hardcoded secrets
+  - **CS005**: Mutable default arguments
+- CLI with `scan`, `patterns`, and `version` commands
+- Output modes: default, `--teach`, `--quick`, `--format json`
+- Exit codes: 0 (clean), 1 (warnings), 2 (errors), 3 (critical)
+- Decorator and inheritance-aware detection (reduces false positives)

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mike Bumpus
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

demo/app.py

@@ -0,0 +1,95 @@
+"""
+Demo app.py for CodeSentry screenshot
+Triggers CS001 at line 47 and CS003 at line 82
+"""
+
+import asyncio
+import time
+import json
+
+
+# ============================================
+# Normal code padding to get line numbers right
+# ============================================
+
+def process_data(data):
+    """Process incoming data."""
+    result = []
+    for item in data:
+        if item.get("active"):
+            result.append(item["value"])
+    return result
+
+
+def validate_input(user_input):
+    """Validate user input."""
+    if not user_input:
+        return False
+    if len(user_input) > 1000:
+        return False
+    return True
+
+
+def format_response(data):
+    """Format data for API response."""
+    return {
+        "status": "success",
+        "data": data,
+        "timestamp": "2026-02-03T12:00:00Z"
+    }
+
+
+class DataProcessor:
+    # Line 47: CS001 - generic-exception-swallow (indented for col 5)
+    def fetch_config(self):
+        try:
+            with open("config.json") as f:
+                return json.load(f)
+        except Exception:
+            pass
+
+    def calculate_metrics(self, values):
+        """Calculate metrics from values."""
+        if not values:
+            return {}
+        return {
+            "total": sum(values),
+            "average": sum(values) / len(values),
+            "count": len(values)
+        }
+
+    def get_user_preferences(self, user_id):
+        """Get user preferences from cache."""
+        cache = {}
+        return cache.get(user_id, {})
+
+    def normalize_text(self, text):
+        """Normalize text input."""
+        if text is None:
+            return ""
+        return text.strip().lower()
+
+
+class AsyncService:
+    """Async service for remote operations."""
+
+    async def connect(self):
+        """Establish connection."""
+        pass
+
+    # Line 82: CS003 - blocking-call-in-async (indented for col 9)
+    async def sync_with_server(self):
+        """Sync data with remote server."""
+        print("Starting sync...")
+        time.sleep(5)  # Blocking call in async!
+        print("Sync complete")
+
+
+async def main():
+    """Main async entry point."""
+    service = AsyncService()
+    await service.sync_with_server()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

pyproject.toml

@@ -80,3 +80,4 @@ testpaths = ["tests"]
 python_files = ["test_*.py"]
 python_functions = ["test_*"]
 addopts = "-v --tb=short"
+norecursedirs = ["tests/fixtures"]

tests/conftest.py

@@ -0,0 +1,40 @@
+"""Shared test fixtures for CodeSentry"""
+
+import ast
+from pathlib import Path
+
+import pytest
+
+from codesentry.analyzer import AnalysisEngine
+from codesentry.patterns import ALL_PATTERNS
+
+
+FIXTURES_DIR = Path(__file__).parent / "fixtures"
+
+
+@pytest.fixture
+def engine():
+    """Analysis engine with all patterns loaded."""
+    return AnalysisEngine(ALL_PATTERNS)
+
+
+@pytest.fixture
+def analyze(engine):
+    """Helper that analyzes a fixture file by name."""
+    def _analyze(fixture_name: str):
+        path = FIXTURES_DIR / fixture_name
+        assert path.exists(), f"Fixture not found: {path}"
+        return engine.analyze_file(path)
+    return _analyze
+
+
+@pytest.fixture
+def analyze_source(engine):
+    """Helper that analyzes a source string."""
+    def _analyze(source: str):
+        import tempfile
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
+            f.write(source)
+            f.flush()
+            return engine.analyze_file(Path(f.name))
+    return _analyze

tests/test_clean.py

@@ -0,0 +1,8 @@
+"""Test that clean code produces no issues."""
+
+
+def test_clean_file_has_no_issues(analyze):
+    result = analyze("clean_file.py")
+    assert result.total_issues == 0
+    assert result.parse_error is None
+    assert result.max_severity_code == 0