chore: add production documentation and CI hardening

Patel230 · Patel230 · commit 8cc4fdd4d0c7 · 2026-05-11T16:05:04.000+05:30
- Add README.md with API docs, usage examples, presets
- Add CHANGELOG.md documenting v0.1.0 through v0.4.0
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with development guidelines
- Add .golangci.yml (govet, errcheck, staticcheck, gosec, misspell)
- Update CI with linting job and coverage reporting
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.26"
+          go-version: "1.26.1"
           cache: true
 
       - name: Build
@@ -26,3 +26,19 @@ jobs:
 
       - name: Test
         run: go test ./... -race -count=1 -timeout=60s
+
+      - name: Coverage
+        run: |
+          go test -coverprofile=coverage.out ./...
+          go tool cover -func=coverage.out | tail -1
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.26.1'
+      - uses: golangci/golangci-lint-action@v7
+        with:
+          version: v2.1.0
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,26 @@
+version: "2"
+
+linters:
+  default: none
+  enable:
+    - govet
+    - ineffassign
+    - unused
+    - errcheck
+    - staticcheck
+    - misspell
+    - nilerr
+
+linters-settings:
+  errcheck:
+    check-type-assertions: true
+  misspell:
+    locale: US
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - errcheck
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,45 @@
+# Changelog
+
+All notable changes to sight are documented here.
+Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+
+---
+
+## [0.4.0] — 2026-05-08
+
+### Added
+- Multi-concern parallel review with configurable concern specs
+- Self-reflection pass for false-positive elimination
+- Incremental review with last-reviewed commit tracking
+- Eval framework for review quality regression testing
+- Custom checks via .sight/checks/ markdown files
+- Project rules ingestion from CLAUDE.md, CONTRIBUTING.md, .cursor/rules/
+- SARIF output format
+- MCP server integration (sight_review, sight_describe, sight_improve)
+
+### Changed
+- Improved token budget estimation with 4:1 input:output ratio
+- Finding deduplication across concerns
+
+---
+
+## [0.2.0] — 2026-04-30
+
+### Added
+- Describe operation (PR description generation)
+- Improve operation (code improvement suggestions)
+- Filter findings with LLM validation
+- InlineComment mapping for GitHub/GitLab posting
+- TOML/JSON configuration file support
+- File exclusion patterns
+
+---
+
+## [0.1.0] — 2026-04-28
+
+### Added
+- Initial release: Review() function with Provider interface
+- Finding type with severity, CWE, file/line location
+- Functional options pattern for configuration
+- Quick, Standard, Thorough presets
+- Concurrent concern processing
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,39 @@
+# Contributing to sight
+
+## Setup
+
+```bash
+git clone https://github.com/GrayCodeAI/sight.git
+cd sight
+make test
+```
+
+## Requirements
+
+- Go 1.26+
+- No external dependencies beyond mcp-go
+
+## Development
+
+```bash
+make test        # Run tests
+make test-race   # With race detector
+make cover       # Coverage report
+make lint        # Static analysis
+make bench       # Benchmarks
+```
+
+## Guidelines
+
+- All tests must pass with `-race` flag
+- Use `t.Parallel()` in tests that don't share state
+- Provider interface changes require discussion first
+- Add tests for new functionality
+- Follow existing patterns (functional options, internal packages)
+
+## Pull Requests
+
+1. Open an issue first for significant changes
+2. Run `make all` before submitting (vet + test + build)
+3. Include test coverage for new code
+4. Update CHANGELOG.md
diff --git a/README.md b/README.md
@@ -0,0 +1,96 @@
+# sight
+
+AI-powered code review on diffs. Parses unified diffs, enriches with surrounding code context and git history, then runs parallel multi-concern reviews through an LLM provider.
+
+## Design
+
+- **Library only** — no CLI, no binary
+- **No LLM SDK dependency** — defines a Provider interface; consumers implement it
+- **No opinions** — consumers inject their own LLM client (e.g., via eyrie)
+
+## Install
+
+```bash
+go get github.com/GrayCodeAI/sight@latest
+```
+
+## Usage
+
+### One-shot review
+
+```go
+result, err := sight.Review(ctx, diffText,
+    sight.WithProvider(myProvider),
+    sight.Thorough,
+)
+for _, f := range result.Findings {
+    fmt.Printf("[%s] %s:%d - %s\n", f.Severity, f.File, f.Line, f.Message)
+}
+```
+
+### Reusable reviewer
+
+```go
+r := sight.NewReviewer(sight.WithProvider(p), sight.Thorough)
+result1, _ := r.Review(ctx, diff1)
+result2, _ := r.Review(ctx, diff2)
+```
+
+### Provider interface
+
+Implement this with any LLM client:
+
+```go
+type Provider interface {
+    Complete(ctx context.Context, messages []Message) (string, error)
+}
+```
+
+## Presets
+
+| Preset | Concerns | Use case |
+|--------|----------|----------|
+| Quick | security, correctness | Fast PR checks |
+| Standard | all (default) | Balanced review |
+| Thorough | all + deeper analysis | Critical code |
+| SecurityFocus | security only | Security audit |
+| CI | all + fail-on threshold | CI/CD gates |
+
+## Findings
+
+Each finding includes:
+- **Concern**: security, performance, correctness, maintainability, testing
+- **Severity**: critical, high, medium, low, info
+- **File** and **Line**: exact location in diff
+- **Message**: human-readable description
+- **Fix**: suggested code fix
+- **CWE**: reference (e.g., CWE-79)
+
+## Output Formats
+
+- Inline comments (GitHub/GitLab PR comments)
+- SARIF (static analysis interchange)
+- Human-readable terminal output
+
+## Configuration
+
+File-based config via `.sight.toml`:
+
+```toml
+fail-on = "high"
+exclude = ["vendor/", "generated/"]
+concerns = ["security", "performance", "correctness"]
+```
+
+## Testing
+
+```bash
+make test        # Unit tests
+make test-race   # With race detector
+make bench       # Benchmarks
+make cover       # Coverage report
+```
+
+## License
+
+MIT
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.4.x   | Yes |
+| 0.2.x   | Yes |
+| < 0.2   | No  |
+
+## Reporting a Vulnerability
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Email: security@graycode.ai
+
+### Response Timeline
+- Acknowledgment: 48 hours
+- Initial assessment: 5 business days
+- Fix: 7-30 days depending on severity
+
+## Security Considerations
+
+- sight is a library — it does not make network calls itself
+- LLM provider calls are made by the consumer (via Provider interface)
+- Diff content is passed to the LLM; consumers are responsible for redacting secrets
+- No credentials are stored or transmitted by sight itself
diff --git a/coverage.out b/coverage.out
