Merge branch 'main' into add-zenable-check-hook

JonZeolla · web-flow · commit 670b496b63c7 · 2025-09-17T21:08:14.000-04:00
diff --git a/.github/.grant.yml b/.github/.grant.yml
@@ -1,13 +1,48 @@
-rules:
-  - pattern: "*"
-    name: "Block AGPL licenses"
-    mode: "block"
-    reason: "AGPL licenses are not allowed in this project"
-    licenses:
-      - "agpl"
-      - "agpl-1.0"
-      - "agpl-1.0-only"
-      - "agpl-1.0-or-later"
-      - "agpl-3.0"
-      - "agpl-3.0-only"
-      - "agpl-3.0-or-later"
+require-license: false  # Some packages may not have explicit licenses
+require-known-license: false
+
+# Allow list - licenses that are permitted
+allow:
+  # Permissive licenses
+  - MIT
+  - Apache-2.0
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - BSD
+  - BSD-License
+  - ISC
+  - ISC-License
+  - 0BSD
+
+  # Python-specific licenses
+  - PSF-2.0
+  - Python-2.0
+  - Dual-License
+
+  # Weak copyleft licenses (generally acceptable)
+  - LGPL
+  - LGPL-2.1
+  - LGPL-2.1-or-later
+  - LGPL-3.0
+  - LGPL-3.0-or-later
+  - MPL-2.0
+
+  # Other licenses
+  - Unlicense
+  - CC0-1.0
+  - WTFPL
+  - Artistic-License
+  - GPL-3.0-only
+
+# Block list - licenses that are not allowed
+block:
+  - AGPL-1.0
+  - AGPL-1.0-only
+  - AGPL-1.0-or-later
+  - AGPL-3.0
+  - AGPL-3.0-only
+  - AGPL-3.0-or-later
+
+# Ignore specific packages if needed
+ignore-packages:
+  - "UnknownPackage:*"
diff --git a/.github/etc/dictionary.txt b/.github/etc/dictionary.txt
@@ -5,7 +5,6 @@ cookiecutter
 dependabot
 digestabot
 dockerhub
-envrc
 htmlcov
 pylance
 pythonpath
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: 'false'
       - name: Bootstrap repository
@@ -44,14 +44,14 @@ jobs:
       contents: write
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         # Necessary for hooks to succeed during tests for commits/schedule
         if: github.event_name != 'pull_request'
         with:
           fetch-depth: 0
           persist-credentials: 'false'
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         # Necessary for hooks to succeed during tests for PRs
         if: github.event_name == 'pull_request'
         with:
@@ -121,7 +121,7 @@ jobs:
             exit 1
           fi
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Scan workflow logs for warnings and errors
         run: scripts/scan_workflow_logs.sh ${{ github.run_id }}
         env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
       tag: ${{ steps.release.outputs.tag }}
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: 'false'
       - name: Bootstrap repository
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
@@ -22,7 +22,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: 'false'
       - name: Bootstrap repository
diff --git a/.github/workflows/validate_pr_titles.yml b/.github/workflows/validate_pr_titles.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -2,5 +2,5 @@
 - id: zenable-check
   name: Run a Zenable check on all changed files
   language: system
-  entry: uvx zenable-mcp check
+  entry: uvx zenable-mcp@latest check
   pass_filenames: true
diff --git a/ai_native_python/__init__.py b/ai_native_python/__init__.py
@@ -5,4 +5,4 @@
 __maintainer__ = "Zenable"
 __copyright__ = "(c) 2025 Zenable, Inc."
 __project_name__ = "ai-native-python"
-__version__ = "0.2.0"
+__version__ = "0.3.1"
diff --git a/docs/ai-ide-support.md b/docs/ai-ide-support.md
@@ -1,46 +1,25 @@
 # AI IDE Support
 
-The AI-Native Python template includes configuration files to work seamlessly with AI-powered development tools.
+The AI-Native Python template automatically configures AI-powered development tools during project generation.
 
 [← Back to Documentation Index](index.md)
 
 
-## Tool-agnostic configurations
+## Automatic Configuration
 
-### .mcp.json
+When you generate a new project, the post-generation hook automatically detects which IDEs and AI assistants you have installed and creates appropriate configuration files:
 
-Model Context Protocol configuration pre-set to integrate with:
+- Model Context Protocol (MCP) configuration for [Zenable](https://zenable.io) and other MCP servers (if supported tools are detected)
+- IDE-specific configuration files based on what's installed (Claude, GitHub Copilot, Cursor, etc.)
+- Project-specific context and guidelines tailored to your project
 
-- [Zenable](https://zenable.io)'s MCP server
-- [Context7](https://context7.com/)'s MCP server
-
-## Specific IDE configurations
-
-### Claude Code
-
-Every generated project includes a `CLAUDE.md` file with:
+These configurations are dynamically generated based on your installed IDEs and project settings, and include:
 
 - Project-specific context and guidelines
 - Technology stack information
 - Code style rules and patterns
 - Common tasks and workflows
-
-### GitHub Copilot Configuration
-
-The template includes `.github/copilot-instructions.md` with:
-
-- Project-specific context for GitHub Copilot
-- Code conventions and patterns
-- Testing requirements and workflow
+- Testing requirements and patterns
 - Security considerations
-- Common code patterns and examples
-- Task automation commands
-
-### Cursor IDE Configuration
-
-The template includes `.cursor/rules/` directory with:
-
-- `project.mdc`: Always-active rules with project info, tech stack, and key commands
-- `testing.mdc`: Auto-attached rules for test files with testing guidelines and patterns
 
 For more details on testing configuration and practices, see the [Testing Guide](testing.md).
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -40,13 +40,9 @@ After your project is generated, you are able to make any changes you'd like. He
 
 ### Environment Variables
 
-Create or modify the `.envrc` file in your project root:
+Set environment variables for development:
 
 ```bash
-# API Keys
-export ZENABLE_API_KEY="your-api-key-here"
-
-# Development settings
 export PYTHONPATH="${PWD}/src:${PYTHONPATH}"
 export UV_PYTHON_PREFERENCE="only-system"
 ```
diff --git a/docs/hooks.md b/docs/hooks.md
@@ -14,17 +14,15 @@ The `post_gen_project.py` hook runs after project generation to:
 2. Create the project's initial commit
 3. Set up GitHub remote (if credentials available)
 4. Generate a fully up-to-date `uv.lock` file
-5. Create an `.envrc` with API keys
-6. Run `task init` to install dependencies
-7. Push to GitHub and create an initial release
+5. Run `task init` to install dependencies
+6. Push to GitHub and create an initial release
 
 ### Configuration
 
 Environment variables can be set before running cookiecutter to modify hook behavior:
 
 - `SKIP_GIT_PUSH=true` - Skip automatic Git push
 - `RUN_POST_HOOK=false` - Skip the post-generation hook entirely (not recommended)
-- `ZENABLE_API_KEY="..."` - Auto-populate API key in .envrc
 
 For more environment variable options, see the [Optional Setup Guide](optional-setup.md#environment-variable-configuration).
 
diff --git a/docs/optional-setup.md b/docs/optional-setup.md
@@ -48,8 +48,4 @@ uvx --with gitpython cookiecutter git+ssh://git@github.com/zenable-io/ai-native-
 
 ## Environment Variable Configuration
 
-Generated projects include an `.envrc` file for environment-specific settings. API keys can be pre-populated during project generation by setting environment
-variables before running cookiecutter (see the [Hooks Guide](hooks.md#configuration)).
-
-To request support for additional API keys, please [open an issue](https://github.com/Zenable-io/ai-native-python/issues/new) or [pull
-request](../CONTRIBUTING.md)!
+Set environment variables before running cookiecutter to modify hook behavior (see the [Hooks Guide](hooks.md#configuration)).
diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py
@@ -122,36 +122,9 @@ def write_context(*, context: dict) -> None:
         yaml.dump(context, file)
 
 
-def populate_envrc() -> None:
-    """Create and populate the .envrc file with API key."""
-    envrc_path = Path(".envrc")
-    zenable_api_key = os.environ.get("ZENABLE_API_KEY")
-
-    if zenable_api_key:
-        envrc_path.write_text(f'export API_KEY="{zenable_api_key}"\n')
-    else:
-        envrc_path.write_text('export API_KEY="<YOUR_ZENABLE_API_KEY>"\n')
-
-    # Restrict permissions to read-only, by the owner/current user
-    envrc_path.chmod(0o600)
-
-
-def notify_envrc() -> None:
-    zenable_api_key = os.environ.get("ZENABLE_API_KEY")
-    print("\n" + "=" * 70)
-    print("NOTE: Environment Configuration")
-    print("=" * 70)
-    print("\nA .envrc file has been created in your project directory")
-    print("To use services that require API keys, update the .envrc file with your keys")
-    print("The .envrc file has already been added to your .gitignore")
-    print("=" * 70 + "\n")
-    if zenable_api_key:
-        print("Your ZENABLE_API_KEY has been automatically populated from the environment")
-    print("=" * 70 + "\n")
-
-
 def notify_dockerhub_secrets() -> None:
     """Notify user about required Docker Hub secrets for releases."""
+    # We no longer need this once https://github.com/docker/roadmap/issues/314 is available
     print("\n" + "=" * 70)
     print("IMPORTANT: Docker Hub Publishing Enabled")
     print("=" * 70)
@@ -168,6 +141,46 @@ def notify_dockerhub_secrets() -> None:
     print("=" * 70 + "\n")
 
 
+def opportunistically_install_zenable_tools() -> None:
+    """Opportunistically install zenable-mcp if uvx is available."""
+    # Check if uvx is not available
+    if not shutil.which("uvx"):
+        # uvx is not available, notify the user
+        print("\n" + "=" * 70)
+        print("NOTE: Skipped configuring the Zenable AI coding guardrails")
+        print("=" * 70)
+        print("\nConfiguring the Zenable AI coding guardrails requires the uv package manager.")
+        print("To set this up later:")
+        print("\n1. Install uv via https://docs.astral.sh/uv/getting-started/installation/")
+        print("2. Run: uvx zenable-mcp@latest install")
+        print("=" * 70 + "\n")
+
+        LOG.warning("uvx was not found in PATH, so the Zenable integrations were not installed.")
+        return
+
+    # uvx is available, attempt to install zenable-mcp
+    LOG.debug("uvx is available in PATH, attempting to install the Zenable tools...")
+    try:
+        subprocess.run(["uvx", "zenable-mcp@latest", "install"], check=True, timeout=60)
+        print("\n" + "=" * 70)
+        print("Successfully configured the Zenable AI coding guardrails 🚀")
+        print("To start using it, just open the IDE of your choice, login to the MCP server, and you're all set 🤖")
+        print("Learn more at https://docs.zenable.io")
+        print("=" * 70 + "\n")
+    except Exception:
+        # Log the error but don't fail - this is opportunistic
+        LOG.warning("Failed to configure the Zenable AI coding guardrails")
+        print("\n" + "=" * 70)
+        print("WARNING: Failed to configure the Zenable AI coding guardrails")
+        print("=" * 70)
+        print("You can retry it later by running:")
+        print("\n  uvx zenable-mcp@latest install")
+        print("\nTo report issues, please contact:")
+        print("  • https://zenable.io/feedback")
+        print("  • support@zenable.io")
+        print("=" * 70 + "\n")
+
+
 def run_post_gen_hook():
     """Run post generation hook"""
     try:
@@ -185,6 +198,8 @@ def run_post_gen_hook():
 
         subprocess.run(["git", "init", "--initial-branch=main"], capture_output=True, check=True)
 
+        opportunistically_install_zenable_tools()
+
         # This is important for testing project generation for CI
         if (
             os.environ.get("GITHUB_ACTIONS") == "true"
@@ -268,18 +283,13 @@ def run_post_gen_hook():
                 check=True,
             )
 
-        # Create .envrc file with API key template
-        populate_envrc()
-
         # Run the initial setup step automatically so pre-commit hooks, etc. are pre-installed. However, if it fails, don't fail the overall repo generation
         # (i.e. check=False)
         subprocess.run(["task", "init"], check=False, capture_output=True)
 
         # Notify about Docker Hub secrets if Docker Hub publishing is enabled
         if cookiecutter_context.get("dockerhub") == "yes":
             notify_dockerhub_secrets()
-
-        notify_envrc()
     except subprocess.CalledProcessError as error:
         stdout = error.stdout.decode("utf-8") if error.stdout else "No stdout"
         stderr = error.stderr.decode("utf-8") if error.stderr else "No stderr"
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "ai-native-python"
-version = "0.2.0"
+version = "0.3.1"
 description = "The AI-Native python paved road generator"
 authors = [
     { name = "Zenable", email = "Python@zenable.io" }
diff --git a/uv.lock b/uv.lock
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/.gitignore b/{{cookiecutter.project_name|replace(" ", "")}}/.gitignore
@@ -1,11 +1,9 @@
-.mcp.json
 .task/*
 .lycheecache
 sbom.*.json
 vulns.*.json
 license-check.*.json
 {{ cookiecutter.github_org }}_{{ cookiecutter.project_slug }}_*_*.tar
-.envrc
 
 # Created by https://www.toptal.com/developers/gitignore/api/vim,emacs,visualstudiocode,python,macos,windows
 # Edit at https://www.toptal.com/developers/gitignore?templates=vim,emacs,visualstudiocode,python,macos,windows
diff --git a/{{cookiecutter.project_name|replace(" ", "")}}/Taskfile.yml b/{{cookiecutter.project_name|replace(" ", "")}}/Taskfile.yml
