Add comprehensive CODEX-REVIEW.md repository audit

CODEX-REVIEW.md

@@ -0,0 +1,42 @@
+# CODEX-REVIEW
+
+## Executive Summary
+Agentic-Index is a Python-based indexing pipeline and web/CLI toolchain for scoring AI-agent repositories, backed by a substantial documentation set and a large test suite. The overall architecture is clear, but key configuration and packaging paths diverge between `pyproject.toml`, `setup.cfg`, and the CLI/docs, which risks broken installs or confusing user experiences. The API surface has a reasonable request/response flow, yet the authentication defaults and missing dependency declarations introduce production-level risk. With focused cleanup around auth defaults, dependency declarations, and CLI entrypoints, the project can move toward a more reliable and maintainable release posture.
+
+## Critical Issues
+1. **API authentication defaults allow a known key (“test-key”) in production.** The API config defaults to `API_KEY="test-key"` with an empty whitelist, and the auth middleware only rejects requests when neither the IP whitelist nor header key match. That means any caller who sends `X-API-KEY: test-key` can hit protected endpoints if defaults are deployed. See `agentic_index_api/config.py` lines 11–12 and `agentic_index_api/server.py` lines 111–126. This should be forced to a non-default value or require explicit configuration.
+2. **Missing runtime dependency: `pydantic_settings` is imported but not declared.** The API config imports `pydantic_settings` (`agentic_index_api/config.py` line 5), but this dependency is not present in `pyproject.toml` dependencies (lines 14–21) or `requirements.txt` (lines 1–26). This can cause API startup failures in clean environments.
+
+## Priority Improvements
+### Quick wins (< 1 hour each)
+- **Document the full environment variable surface.** `.env.example` only lists three variables (lines 1–4), but runtime code reads others such as `NETWORK_RETRIES`, `NETWORK_TIMEOUT`, and `NETWORK_BACKOFF` (`agentic_index_cli/github_client.py` lines 14–16) and `SENTRY_DSN` (`agentic_index_cli/logging_config.py` lines 26–35). Document these in `README.md`/`docs` and/or expand `.env.example`.
+- **Fix CLI documentation mismatches.** `docs/cli.md` documents commands like `faststart` and `prune` (lines 21–33), while the Typer CLI registers functions named `faststart_cmd` and `prune_cmd` (which become `faststart-cmd` and `prune-cmd`) in `agentic_index_cli/__main__.py` lines 51–67. The README also advertises `agentic-index faststart` and `agentic-index rank` (README.md lines 118–126 and 158–162), but `rank` is not registered in the Typer CLI. Align the docs/README with the actual CLI or rename commands to match.
+- **Return an explicit error for missing issue tokens in `/issue`.** The `/issue` endpoint forwards a `None` token to `issue_logger.create_issue`/`post_comment` (server.py lines 192–213), which raises an `APIError` if no token is present (issue_logger.py lines 64–69). Map this to a 401/400 response instead of a 500.
+
+### Medium effort (half-day to few days)
+- **Consolidate packaging metadata and CLI entrypoints.** `pyproject.toml` registers `agentic_index_cli.cli:main` (line 25) while `setup.cfg` registers `agentic_index_cli.__main__:main` (line 16). These entrypoints expose different CLIs and different dependency sets (`typer` is only in `setup.cfg`, lines 9–12). Pick one entrypoint and align dependencies so installation behaves consistently.
+- **Unify or clearly separate the two scraping pipelines.** There is a script-based scraper (`scripts/scrape_repos.py`, e.g., lines 1–188) and an internal CLI scraper (`agentic_index_cli/internal/scrape.py`, lines 129–240) with different outputs (`docs_score` vs. `doc_completeness`). Decide which is canonical or formalize the schema differences so downstream consumers aren’t surprised.
+- **Align coverage thresholds across config and scripts.** `pyproject.toml` uses `fail_under = 70` (line 32), while `scripts/coverage_gate.py` enforces a 74% threshold (line 9). This can lead to CI/local mismatch and should be consolidated.
+- **Avoid tests that silently skip core failures.** `tests/test_api_auth.py` skips the suite if the API server fails to import (lines 7–17). That masks import/dependency failures; consider failing hard so CI catches missing dependencies and runtime regressions.
+
+### Substantial (requires dedicated focus)
+- **Separate production and development dependencies.** `requirements.txt` currently mixes runtime libraries (FastAPI, requests) with test and tooling dependencies (pytest, bandit) (requirements.txt lines 1–26). Establish a clear split (e.g., `requirements.txt` + `requirements-dev.txt` or `pyproject` optional groups) and lock each set to reduce production bloat.
+- **Harden API authentication and deployment defaults.** Consider enforcing `API_KEY` to be set (no defaults), validating `IP_WHITELIST`, and providing safer local/dev bootstrap flows. The current defaults and auth behavior (config.py lines 11–12; server.py lines 111–126) are risky for production deployments.
+
+## Latent Risks
+- **Scrape failures abort the entire run on a single request error.** In `agentic_index_cli/internal/scrape.py`, the async gather raises on any exception (lines 199–225), so transient errors can halt the pipeline rather than returning partial results.
+- **Tokens are captured at import time, not at request time.** `agentic_index_cli/github_client.py` reads `GITHUB_TOKEN` once at module import (lines 10–12). If tokens are rotated or injected later (e.g., tests), the default headers won’t update.
+- **Default `.env` disables network actions.** `.env.example` sets `CI_OFFLINE=1` (line 4), which forces badge fetches into offline mode in `agentic_index_cli/internal/badges.py` (lines 9–20). Users following README instructions may unknowingly disable network-dependent behavior.
+
+## Questions for the Maintainer
+1. Which CLI entrypoint is authoritative for end users: `agentic_index_cli.cli:main` or `agentic_index_cli.__main__:main`? Do you want the Typer subcommands to be the canonical interface?
+2. Is `scripts/scrape_repos.py` still in active use, or is the internal scraper (`agentic_index_cli/internal/scrape.py`) intended to replace it?
+3. Should the API server require `API_KEY` to be explicitly set, or is the “test-key” default intended for local-only usage? If local-only, how should production deployments guard against misconfiguration?
+4. Is Python 3.11 required (docs/DEVELOPMENT.md lines 26–29) or is the stated `>=3.8` support in `pyproject.toml` (line 9) still intended?
+5. Are there additional env vars that should be considered part of the public configuration surface (e.g., `NETWORK_*`, `SENTRY_DSN`), and if so, where should they be documented?
+
+## What’s Actually Good
+- **Strong documentation footprint.** The repository includes onboarding and development guidance, with explicit steps for setup and testing (e.g., docs/DEVELOPMENT.md lines 18–69; README.md lines 148–166).
+- **Clear API request logging and structured logging setup.** The API server instruments requests and uses structured logging (`agentic_index_api/server.py` lines 82–108; `agentic_index_cli/logging_config.py` lines 8–23).
+- **Network reliability measures are present.** HTTP utilities include retries, backoff, and rate-limit handling (`agentic_index_cli/internal/http_utils.py` lines 14–72), which is a solid foundation for robust scraping.
+- **Large, targeted test suite.** The tests cover API auth, scraping, and CLI behavior (e.g., tests/test_api_auth.py lines 20–69), indicating strong emphasis on regression coverage.