Merge pull request #7 from LLM-Coding/feature/tier1-tier2-mitigations

chore: Tier 1+2 mitigations — ESLint, Prettier, Hooks, CI, CodeQL

Author: raifdmueller

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint-and-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - run: npm ci
+
+      - name: Lint
+        run: npx eslint src/
+
+      - name: Format check
+        run: npx prettier --check src/
+
+      - name: Dependency audit
+        run: npm audit --audit-level=high
+
+      - name: Build
+        run: npm run build

.github/workflows/codeql.yml

@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    strategy:
+      matrix:
+        language: [javascript]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

.prettierrc

@@ -0,0 +1,7 @@
+{
+  "semi": true,
+  "singleQuote": false,
+  "trailingComma": "all",
+  "printWidth": 120,
+  "tabWidth": 2
+}

CLAUDE.md

@@ -12,7 +12,7 @@ npm run preview      # Preview production build locally
 npm run docs         # Render AsciiDoc docs with Asciidoctor
 ```
 
-No test framework is configured. No linter is configured.
+No test framework is configured. ESLint + Prettier are configured (see `eslint.config.js`, `.prettierrc`). Pre-commit hooks via husky + lint-staged.
 
 ## Architecture
 
@@ -48,26 +48,30 @@ GitHub Actions workflow (`.github/workflows/deploy.yml`) builds the React app an
 _Generated by `/risk-assess` on 2026-02-11_
 
 ### Module: vibe-coding-risk-radar
-| Dimension | Score | Level | Evidence |
-|-----------|-------|-------|----------|
-| Code Type | 0 | UI / CSS / Docs | Only .jsx components, .css styling, .js config — no auth, API, or DB code |
-| Language | 2 | Dynamically typed | 5 .jsx + 4 .js files (JavaScript) |
-| Deployment | 2 | Public-facing app | Static site on GitHub Pages, publicly accessible |
-| Data Sensitivity | 0 | Public data | No real data processing, PII/PHI mentions only in documentation text |
-| Blast Radius | 0 | Cosmetic / Tech debt | Static visualization tool, no data storage or user accounts |
+
+| Dimension        | Score | Level                | Evidence                                                                  |
+| ---------------- | ----- | -------------------- | ------------------------------------------------------------------------- |
+| Code Type        | 0     | UI / CSS / Docs      | Only .jsx components, .css styling, .js config — no auth, API, or DB code |
+| Language         | 2     | Dynamically typed    | 5 .jsx + 4 .js files (JavaScript)                                         |
+| Deployment       | 2     | Public-facing app    | Static site on GitHub Pages, publicly accessible                          |
+| Data Sensitivity | 0     | Public data          | No real data processing, PII/PHI mentions only in documentation text      |
+| Blast Radius     | 0     | Cosmetic / Tech debt | Static visualization tool, no data storage or user accounts               |
 
 **Tier: 2 — Moderat** (determined by Language = 2 and Deployment = 2)
 
 ### Mitigations: vibe-coding-risk-radar (Tier 2)
-| Measure | Status | Details |
-|---------|--------|---------|
-| Linter & Formatter | ❌ Missing | No .eslintrc, .prettierrc, or lint script |
-| Type Checking | ❌ Missing | No tsconfig.json (plain JS, not TS) |
-| Pre-Commit Hooks | ❌ Missing | No .husky/, no .pre-commit-config.yaml |
-| Dependency Check | ❌ Missing | No audit step in CI |
-| CI Build & Unit Tests | ⚠️ Partial | CI builds (deploy.yml) but no test framework configured |
-| SAST (Semgrep/CodeQL) | ❌ Missing | No SAST in CI workflows |
-| AI Code Review | ✅ Present | claude-code-review.yml workflow |
-| Property-Based Tests | ❌ Missing | No test framework at all |
-| SonarQube Quality Gate | ❌ Missing | No sonar-project.properties |
-| Sampling Review | ❌ Missing | No branch protection / review requirement |
+
+_Updated by `/risk-mitigate` on 2026-02-11_
+
+| Measure                | Status     | Details                                              |
+| ---------------------- | ---------- | ---------------------------------------------------- |
+| Linter & Formatter     | ✅ Set up  | eslint.config.js + .prettierrc                       |
+| Type Checking          | ⬜ N/A     | Plain JS project, no TypeScript                      |
+| Pre-Commit Hooks       | ✅ Set up  | husky + lint-staged (eslint --fix, prettier --write) |
+| Dependency Check       | ✅ Set up  | npm audit --audit-level=high in ci.yml               |
+| CI Build & Unit Tests  | ✅ Set up  | ci.yml: lint, format check, audit, build             |
+| SAST (CodeQL)          | ✅ Set up  | codeql.yml: weekly + on push/PR                      |
+| AI Code Review         | ✅ Present | claude-code-review.yml                               |
+| Property-Based Tests   | ⬜ Pending | No test framework configured                         |
+| SonarQube Quality Gate | ⬜ Pending | Needs SonarCloud account                             |
+| Sampling Review        | ⬜ Pending | No branch protection configured                      |

eslint.config.js

@@ -0,0 +1,29 @@
+import js from "@eslint/js";
+import globals from "globals";
+import reactHooks from "eslint-plugin-react-hooks";
+import reactRefresh from "eslint-plugin-react-refresh";
+import prettier from "eslint-config-prettier";
+
+export default [
+  { ignores: ["dist/"] },
+  js.configs.recommended,
+  {
+    files: ["**/*.{js,jsx}"],
+    languageOptions: {
+      ecmaVersion: 2024,
+      sourceType: "module",
+      globals: { ...globals.browser },
+      parserOptions: { ecmaFeatures: { jsx: true } },
+    },
+    plugins: {
+      "react-hooks": reactHooks,
+      "react-refresh": reactRefresh,
+    },
+    rules: {
+      ...reactHooks.configs.recommended.rules,
+      "react-refresh/only-export-components": ["warn", { allowConstantExport: true }],
+      "no-unused-vars": ["warn", { argsIgnorePattern: "^_", varsIgnorePattern: "^[A-Z]" }],
+    },
+  },
+  prettier,
+];