refactor: modular core and docs

.dockerignore

@@ -31,11 +31,29 @@ docker-compose.yml
 *.env
 .vscode/
 .idea/
+.pre-commit-config.yaml
+.gitleaks.toml
+
+# AI / agent context — not needed inside container
+.claude/
+CLAUDE.md
+LANGUAGE.md
+ARCHITECTURE.md
+PROJECT_CONTEXT.md
+PROJECT_CONTEXT.example.md
+PROJECT_STRUCTURE.md
+HOW-TO-USE.md
 
 # Docs
+docs/
 *.md
 !README.md
 
+# Scan result artifacts — never in image
+smithery_scan_result.json
+*.sarif
+bawbel-results.*
+
 # OS
 .DS_Store
 Thumbs.db

.github/workflows/ci.yml

@@ -21,13 +21,13 @@ jobs:
           cache: pip
 
       - name: Install lint deps
-        run: pip install black flake8 flake8-bugbear bandit
+        run: pip install black flake8 flake8-bugbear flake8-simplify flake8-bandit flake8-pyproject bandit
 
       - name: Check formatting (black)
         run: black --check --line-length 100 scanner/
 
       - name: Lint (flake8)
-        run: flake8 scanner/ --max-line-length 100 --extend-ignore=E203,W503,E501
+        run: flake8 scanner/ --max-line-length 100
 
       - name: Security lint (bandit)
         run: bandit -r scanner/ -c pyproject.toml
@@ -57,7 +57,7 @@ jobs:
           pip install pytest pytest-cov
 
       - name: Run tests (Stage 1 only - no optional deps)
-        run: python -m pytest tests/ -v --tb=short -m "not integration and not slow"
+        run: python -m pytest tests/ -v --tb=short -m "not integration and not slow" --cov=scanner --cov-report=html
 
       - name: Upload coverage
         if: matrix.python-version == '3.12'

.github/workflows/pr-review.yml

@@ -107,8 +107,8 @@ jobs:
           missing_tests=0
           for rule_file in $changed_rules; do
             rule_name=$(basename "$rule_file" | sed 's/\.[^.]*$//')
-            if ! grep -r "$rule_name\|ave_rule\|test_detect" tests/ > /dev/null 2>&1; then
-              echo "Warning: No obvious test found for $rule_file"
+            if ! grep -r "$rule_name" tests/ > /dev/null 2>&1; then
+              echo "Warning: No test found for $rule_file (searched for '$rule_name' in tests/)"
               echo "   Please add a test in tests/test_scanner.py"
               missing_tests=$((missing_tests + 1))
             else

.github/workflows/publish.yml

@@ -67,7 +67,29 @@ jobs:
           twine check dist/*
           ls -lh dist/
           pip install wheel
-          python3 -c "import zipfile,os; whl=[f for f in os.listdir('dist') if f.endswith('.whl')][0]; z=zipfile.ZipFile('dist/'+whl); files=z.namelist(); assert any(f.endswith(('.yar','.yaml')) for f in files),'rules missing'; assert any(f.startswith('scanner/cli/') for f in files),'cli missing'; assert any(f.startswith('scanner/toxic_flows/') for f in files),'toxic_flows missing'; assert any(f.startswith('scanner/conformance/') for f in files),'conformance missing'; assert 'scanner/justified_suppression.py' in files,'justified_suppression missing'; assert 'scanner/models/acceptance.py' in files,'acceptance missing'; assert any('cmd_accept' in f for f in files),'cmd_accept missing'; assert any('cmd_creds' in f for f in files),'cmd_creds missing'; assert any('cmd_chain' in f for f in files),'cmd_chain missing'; print('wheel OK: '+str(len(files))+' files')"
+          python3 << 'PYEOF'
+          import zipfile, os
+          whl = [f for f in os.listdir('dist') if f.endswith('.whl')][0]
+          z = zipfile.ZipFile('dist/' + whl)
+          files = z.namelist()
+          checks = [
+              (any(f.endswith(('.yar', '.yaml')) for f in files), 'YARA/Semgrep rules missing'),
+              (any(f.startswith('scanner/cli/') for f in files), 'scanner/cli/ missing'),
+              (any(f.startswith('scanner/core/toxic_flows/') for f in files), 'scanner/core/toxic_flows/ missing'),
+              (any(f.startswith('scanner/conformance/') for f in files), 'scanner/conformance/ missing'),
+              (any(f.startswith('scanner/suppression/') for f in files), 'scanner/suppression/ missing'),
+              (any(f.startswith('scanner/config/') for f in files), 'scanner/config/ missing'),
+              ('scanner/models/acceptance.py' in files, 'scanner/models/acceptance.py missing'),
+              (any('cmd_accept' in f for f in files), 'cmd_accept missing'),
+              (any('cmd_creds' in f for f in files), 'cmd_creds missing'),
+              (any('cmd_chain' in f for f in files), 'cmd_chain missing'),
+          ]
+          failures = [msg for ok, msg in checks if not ok]
+          if failures:
+              for f in failures: print('FAIL: ' + f)
+              raise SystemExit(1)
+          print('wheel OK: ' + str(len(files)) + ' files')
+          PYEOF
 
       - name: Upload dist artifact
         uses: actions/upload-artifact@v4

.gitignore

@@ -88,22 +88,27 @@ scan/
 # These contain business strategy, roadmap, and founder context.
 # Keep them local only. Share via secure channel if needed.
 PROJECT_CONTEXT.md
+HOW-TO-USE.md
 .claude/
-skills/
 
 # ── Docs build output — never commit generated docs ───────────────────────────
 docs/_build/
 docs/site/
 site/
 
+# ── Docs research artifacts — scan outputs, not source docs ──────────────────
+docs/research/
+
+# ── Agent working notes — handoffs are ephemeral; PRDs and README are committed
+docs/agents/handoffs/
+
 # ── Config overrides — local developer overrides ──────────────────────────────
-config/local.py
-config/local_*.py
 bawbel.local.yml
 
 # ── Local scan results — never commit scan outputs ────────────────────────────
 bawbel-results.*
 scan-results/
+smithery_scan_result.json
 
 # ── IDE and editor artifacts ──────────────────────────────────────────────────
 .cursor/

.pre-commit-config.yaml

@@ -28,7 +28,7 @@ repos:
     rev: 7.0.0
     hooks:
       - id: flake8
-        args: ["--max-line-length=100", "--extend-ignore=E203,W503"]
+        args: ["--max-line-length=100"]
         additional_dependencies:
           - flake8-bugbear
           - flake8-bandit
@@ -64,7 +64,7 @@ repos:
       # ── Run tests before every commit ──────────────────────────────────────
       - id: pytest-check
         name: Run test suite
-        entry: python -m pytest tests/ -v --tb=short -q
+        entry: python -m pytest tests/ --tb=short -q
         language: python
         pass_filenames: false
         always_run: true