chore: 0.1.5 CI modernization, pre-commit, and docs

.github/workflows/claude-code-review.yml

@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 

.github/workflows/claude.yml

@@ -26,7 +26,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 

.github/workflows/lint.yml

@@ -16,6 +16,7 @@ on:
       - "tests/**/*.py"
       - "scripts/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/lint.yml"
@@ -27,6 +28,7 @@ on:
       - "tests/**/*.py"
       - "scripts/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/lint.yml"
@@ -36,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Install uv
       uses: astral-sh/setup-uv@v7
@@ -60,15 +62,11 @@ jobs:
     - name: Run ruff format check
       run: uv run ruff format --check .
 
-
-
     - name: Run pycodestyle
       run: uv run pycodestyle src/ tests/ scripts/
 
     - name: Run pydocstyle
       run: uv run pydocstyle src/ scripts/
-
-
 
     - name: Minimize uv cache
       run: uv cache prune --ci

.github/workflows/pre-commit.yml

@@ -0,0 +1,64 @@
+name: Pre-commit Checks
+
+permissions:
+  contents: read
+  actions: write
+
+concurrency:
+  group: pre-commit-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - "src/**/*.py"
+      - "tests/**/*.py"
+      - "config/**"
+      - "pyproject.toml"
+      - ".pre-commit-config.yaml"
+      - ".github/workflows/pre-commit.yml"
+  pull_request:
+    types: [opened, synchronize]
+    branches: [ main ]
+    paths:
+      - "src/**/*.py"
+      - "tests/**/*.py"
+      - "config/**"
+      - "pyproject.toml"
+      - ".pre-commit-config.yaml"
+      - ".github/workflows/pre-commit.yml"
+
+jobs:
+  pre-commit:
+    name: Pre-commit Hook Validation
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: '3.11'
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+      with:
+        version: "latest"
+        enable-cache: true
+
+    - name: Install dependencies
+      run: uv sync --dev
+
+    - name: Cache pre-commit
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/pre-commit
+        key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+    - name: Run pre-commit on all files
+      run: uv run pre-commit run --all-files --show-diff-on-failure
+
+    - name: Minimize uv cache
+      run: uv cache prune --ci

.github/workflows/publish-packages.yml

@@ -14,7 +14,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Set up Python
       uses: actions/setup-python@v6

.github/workflows/security.yml

@@ -1,5 +1,9 @@
 name: Security Scanning
 
+permissions:
+  contents: read
+  actions: write
+
 concurrency:
   group: security-${{ github.ref }}
   cancel-in-progress: true
@@ -11,6 +15,7 @@ on:
       - "src/**/*.py"
       - "tests/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/security.yml"
@@ -21,6 +26,7 @@ on:
       - "src/**/*.py"
       - "tests/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/security.yml"
@@ -29,27 +35,33 @@ jobs:
   security:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          version: "latest"
+          enable-cache: true
+
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install bandit safety
+          # Using uv for consistency
+          uv sync --dev
 
       - name: Run Bandit (Security Linter)
         run: |
-          bandit -r src/ -f json -o bandit-report.json --exit-zero
-          bandit -r src/ -ll --exit-zero
+          uv run bandit -r src/ -f json -o bandit-report.json --exit-zero
+          uv run bandit -r src/ -ll --exit-zero
 
       - name: Run Safety (Dependency Scanner)
         run: |
-          safety check --output json > safety-report.json || true
-          safety check
+          uv run safety check --output json > safety-report.json || true
+          uv run safety check
 
       - name: SQL Injection Pattern Check
         run: |

.github/workflows/test.yml

@@ -16,6 +16,7 @@ on:
       - "src/**/*.py"
       - "tests/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/test.yml"
@@ -26,6 +27,7 @@ on:
       - "src/**/*.py"
       - "tests/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/test.yml"
@@ -39,7 +41,7 @@ jobs:
         python-version: ["3.10", "3.11", "3.12"]
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Install uv
       uses: astral-sh/setup-uv@v7
@@ -104,7 +106,7 @@ jobs:
     needs: test
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Install uv
       uses: astral-sh/setup-uv@v7
@@ -140,3 +142,66 @@ jobs:
 
     - name: Minimize uv cache
       run: uv cache prune --ci
+
+  coverage-delta:
+    name: Modified File Coverage
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v7
+      with:
+        version: "latest"
+        enable-cache: true
+
+    - name: Set up Python 3.11
+      uses: actions/setup-python@v6
+      with:
+        python-version: "3.11"
+
+    - name: Install dependencies
+      run: uv sync --dev
+
+    - name: Get modified Python files
+      id: changed-files
+      env:
+        BASE_REF: ${{ github.base_ref }}
+      run: |
+        CHANGED=$(git diff --name-only "origin/${BASE_REF}...HEAD" -- 'src/**/*.py' | tr '\n' ',' | sed 's/,$//')
+        echo "files=$CHANGED" >> "$GITHUB_OUTPUT"
+        if [ -z "$CHANGED" ]; then
+          echo "No Python source files modified"
+          echo "skip=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Modified files: $CHANGED"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Run coverage on modified files
+      if: steps.changed-files.outputs.skip != 'true'
+      env:
+        CHANGED_FILES: ${{ steps.changed-files.outputs.files }}
+      run: |
+        COV_ARGS=""
+        IFS=',' read -ra FILES <<< "$CHANGED_FILES"
+        for file in "${FILES[@]}"; do
+          module=$(echo "$file" | sed 's|src/||' | sed 's|\.py$||' | tr '/' '.')
+          COV_ARGS="$COV_ARGS --cov=${module%.}"
+        done
+        echo "Running: uv run pytest $COV_ARGS --cov-report=term-missing --cov-fail-under=60"
+        uv run pytest $COV_ARGS --cov-report=term-missing --cov-fail-under=60 || {
+          echo "::warning::Modified file coverage below 60%. Consider adding tests for new code."
+          exit 0
+        }
+
+    - name: Skip message
+      if: steps.changed-files.outputs.skip == 'true'
+      run: echo "No Python source files modified - skipping coverage check"
+
+    - name: Minimize uv cache
+      run: uv cache prune --ci

.github/workflows/typecheck.yml

@@ -15,6 +15,7 @@ on:
       - "src/**/*.py"
       - "tests/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/typecheck.yml"
@@ -25,6 +26,7 @@ on:
       - "src/**/*.py"
       - "tests/**/*.py"
       - "examples/json/**/*.json"
+      - "config/**"
       - "pyproject.toml"
       - "Makefile"
       - ".github/workflows/typecheck.yml"
@@ -34,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - name: Install uv
       uses: astral-sh/setup-uv@v7

.github/workflows/update-benchmark-images.yml

@@ -14,12 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Fetch all history for ASV
 
       - name: Checkout wiki
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: ${{ github.repository }}.wiki
           path: wiki-repo

.github/workflows/wiki-sync.yml

@@ -15,7 +15,7 @@ jobs:
     if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'push' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0