chore: add Greptile and GitGuardian configs

.gitguardian.yaml

@@ -0,0 +1,36 @@
+version: 2
+
+# Public OSS repo on the GitGuardian Free tier. Defaults are fine for most
+# of the tree; we only add path-level excludes for noise (lockfiles, vendored
+# binary assets) and intentional dummy values used in security-hook tests.
+
+exit_zero: false
+verbose: false
+
+secret:
+  ignored_paths:
+    # Lockfiles and machine-generated artifacts
+    - 'package-lock.json'
+    - '**/package-lock.json'
+    - 'node_modules/**'
+    - '*.lock'
+    - '.DS_Store'
+
+    # Binary/static assets that scanners shouldn't probe
+    - 'docs/**/*.png'
+    - 'docs/**/*.jpg'
+
+    # Test fixtures: tests/lint/fixtures/agents/* contains intentionally
+    # malformed YAML and tests/ci/* embeds GitHub Actions expression
+    # strings (`${{ github.event.pull_request.head.sha }}`) — neither is
+    # a real secret but pattern-matchers can flag the latter.
+    - 'tests/lint/fixtures/**'
+    - 'tests/ci/**'
+
+    # Documentation examples that show fake secret literals (e.g. the
+    # `sk-proj-xxxxx` placeholder in rules/typescript/security.md). These
+    # are illustrative and never match a real key.
+    - 'rules/**/security.md'
+    - '**/SKILL.md'
+
+  show_secrets: false

greptile.json

@@ -0,0 +1,75 @@
+{
+	"$schema": "https://www.greptile.com/schemas/greptile.json",
+	"strictness": 2,
+	"commentTypes": ["logic", "syntax"],
+	"triggerOnUpdates": true,
+	"triggerOnDrafts": false,
+	"shouldUpdateDescription": false,
+	"summarySection": {
+		"included": true,
+		"collapsible": false,
+		"defaultOpen": true
+	},
+	"confidenceScoreSection": {
+		"included": true,
+		"collapsible": false,
+		"defaultOpen": true
+	},
+	"sequenceDiagramSection": {
+		"included": false,
+		"collapsible": false,
+		"defaultOpen": false
+	},
+	"ignoreKeywords": "bump version\nchore: bump\nchore: release\nchore(release)\nchore(deps)",
+	"ignorePatterns": "node_modules/**\npackage-lock.json\n*.lock\n.DS_Store\nassets/**\ndocs/**/*.png\ndocs/**/*.jpg",
+	"disabledLabels": ["release", "skip-review"],
+	"instructions": "This is a Gemini CLI extension (everything-gemini-code) — not a typical application. Codebase consists of: shell/Node scripts (scripts/), TOML commands (commands/), Markdown skills (skills/) and agents (agents/), JSON hooks (hooks/), and multilingual docs (docs/{en,ko-KR,zh-CN}). Be concise and direct. Prioritize bugs and security issues over style. Do NOT flag emoji usage in markdown, long TOML prompt fields, or skills referencing ~/.gemini/ paths.",
+	"customContext": {
+		"rules": [
+			{
+				"rule": "Gemini CLI agent definitions. YAML frontmatter MUST include `name`, `description`, and `tools`. The `tools:` array may ONLY contain valid Gemini CLI built-in tools: read_file, read_many_files, write_file, replace, glob, search_file_content, list_directory, run_shell_command, save_memory, web_fetch, google_web_search. Reject Claude-style names (search_files, replace_in_file, Read, Edit), MCP tool references (mcp__*) — those are auto-discovered at runtime and rejected by the schema if declared. Reject frontmatter keys outside the schema (color, model). Authoritative allowlist lives in scripts/lib/gemini-tools.js.",
+				"scope": ["agents/**/*.md"]
+			},
+			{
+				"rule": "Gemini CLI command definitions in TOML. Filename MUST start with the `egc-` prefix (avoids collision with built-in /plan, /docs). `description` must be non-empty.",
+				"scope": ["commands/**/*.toml"]
+			},
+			{
+				"rule": "Skill definitions. Frontmatter must include `name` and `description`. The body must contain a `## When to Use` section with specific, actionable trigger conditions — not `When to Activate` or `When to Apply`.",
+				"scope": ["skills/**/*.md"]
+			},
+			{
+				"rule": "Hook scripts and hooks.json. Hooks run automatically on Gemini CLI tool events (BeforeTool, AfterTool, SessionStart, SessionEnd, PreCompress, AfterAgent) — any failure impacts every session. Verify error handling, intentional exit codes (0 = allow, 2 = block in BeforeTool), and that the script runs silently on success: NO console.log in hook scripts, only stderr writes for blocking diagnostics.",
+				"scope": ["hooks/**", "scripts/hooks/**"]
+			},
+			{
+				"rule": "Shell scripts must use `set -e` at the top (per .gemini/styleguide.md), quote all variables, and avoid interpolating shell variables into `node -e` strings (use process.env instead). Support both macOS and Linux — no GNU-only flags.",
+				"scope": ["scripts/**/*.sh", "**/*.sh"]
+			},
+			{
+				"rule": "Node.js 20+ project. Avoid mutation — prefer spread/immutable patterns. Handle errors explicitly; never swallow silently. Functions should be under 50 lines (soft target — vendored upstream ports may exceed). console.log is fine in scripts and tests (the no-console rule lives on the hooks rule above).",
+				"scope": ["scripts/**/*.js", "tests/**/*.js"]
+			},
+			{
+				"rule": "Coding rules shipped to end users at ~/.gemini/rules/. Cross-references between common/ and language-specific files must use relative paths (../common/xxx.md) and the targets must exist.",
+				"scope": ["rules/**/*.md"]
+			},
+			{
+				"rule": "User-facing multilingual documentation. Tool-name mapping tables (Claude Code ↔ Gemini CLI) must list ONLY valid Gemini CLI tool names — incorrect mappings here propagate into agent/skill definitions.",
+				"scope": ["docs/**/*.md"]
+			}
+		],
+		"files": [
+			{
+				"path": ".gemini/styleguide.md",
+				"description": "Project conventions for shell scripts, TOML commands, agents, skills, hooks, and CI workflows.",
+				"scope": ["**"]
+			},
+			{
+				"path": "scripts/lib/gemini-tools.js",
+				"description": "Authoritative source of valid Gemini CLI agent tool names and forbidden frontmatter keys.",
+				"scope": ["agents/**", "scripts/ci/validate-agents.js"]
+			}
+		]
+	}
+}