chore: repo hardening — add CodeQL, pre-commit docs, pip-tools; finalize structure and docs

Author: CalorieApp Maintainer

.editorconfig

@@ -0,0 +1,16 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+[*.kv]
+indent_size = 4
+
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false

.github/workflows/ci.yml

@@ -0,0 +1,78 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-test:
+    name: ${{ matrix.os }} / Python ${{ matrix.python-version }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Lint (flake8)
+        run: |
+          python -m flake8 src tests
+
+      - name: Format check (black)
+        run: |
+          python -m black --check src tests
+
+      - name: Run tests (pytest)
+        run: |
+          python -m pytest -q --disable-warnings --maxfail=1 --cov=src --cov-report=xml --cov-report=term-missing
+
+      - name: Upload coverage to Codecov (public repos only)
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+          flags: ${{ matrix.os }}-py${{ matrix.python-version }}
+          fail_ci_if_error: true
+        continue-on-error: true
+
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.python-version }}
+          path: ./coverage.xml
+          if-no-files-found: ignore
+
+  summary:
+    name: CI Summary
+    runs-on: ubuntu-latest
+    needs: build-test
+    if: always()
+    steps:
+      - name: Generate summary
+        run: |
+          echo "All matrix jobs finished: ${{ needs.build-test.result }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 7 * * 1' # Every Monday at 07:00 UTC
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (Python)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies (optional)
+        run: |
+          python -m pip install --upgrade pip
+          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/kv-sanity.yml

@@ -0,0 +1,34 @@
+name: KV Sanity Check
+
+on:
+  push:
+    paths:
+      - 'src/core/kv/**/*.kv'
+      - 'scripts/kv_sanity_check.py'
+      - 'requirements.txt'
+  pull_request:
+    paths:
+      - 'src/core/kv/**/*.kv'
+      - 'scripts/kv_sanity_check.py'
+      - 'requirements.txt'
+
+jobs:
+  kv-check-windows:
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run KV sanity check
+        run: |
+          python -u scripts/kv_sanity_check.py

.github/workflows/lint.yml

@@ -0,0 +1,41 @@
+name: Lint
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  lint:
+    name: Lint (flake8, black --check, isort --check)
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python-version: ['3.12']
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install tools
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install flake8 black isort
+
+      - name: Black check
+        run: |
+          python -m black --check .
+
+      - name: Isort check
+        run: |
+          python -m isort --check-only .
+
+      - name: Flake8
+        run: |
+          python -m flake8 src tests

.github/workflows/ux_tour.yml

@@ -0,0 +1,56 @@
+name: UX Tour Tests
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  ux-tour:
+    runs-on: windows-latest
+    
+    steps:
+    - uses: actions/checkout@v3
+    
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.12'
+    
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    
+    - name: Run UX Tour
+      run: python scripts/ux_tour.py
+      env:
+        OFFLINE_MODE: '0'
+    
+    - name: Upload test report
+      if: always()
+      uses: actions/upload-artifact@v3
+      with:
+        name: ux-tour-report
+        path: docs/ui_tour/**/test_report.txt
+    
+    - name: Upload screenshots
+      if: always()
+      uses: actions/upload-artifact@v3
+      with:
+        name: ux-tour-screenshots
+        path: docs/ui_tour/**/*.png
+    
+    - name: Check test results
+      run: |
+        $report = Get-Content -Path (Get-ChildItem -Path docs/ui_tour -Recurse -Filter test_report.txt | Select-Object -Last 1).FullName -Raw
+        if ($report -match "Failed: (\d+)") {
+          $failed = [int]$matches[1]
+          if ($failed -gt 0) {
+            Write-Error "UX Tour had $failed failing tests"
+            exit 1
+          }
+        }
+        Write-Output "All UX Tour tests passed!"