.coderabbit.yaml
# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
language: "en-US"
early_access: false
tone_instructions: >-
  Be concise and direct. Focus on correctness, security, and architectural
  consistency. This is a Solana CLI that handles real funds — treat
  protocol-layer changes with extra scrutiny.
reviews:
  profile: "assertive"
  request_changes_workflow: true
  high_level_summary: true
  poem: false
  review_status: true
  collapse_walkthrough: true
  sequence_diagrams: true
  changed_files_summary: true
  pre_merge_checks:
    title:
      mode: "error"
      requirements: "Must follow conventional commits: feat|fix|chore|docs|style|test|ci|refactor|perf"
    description:
      mode: "warning"
    custom_checks:
      - name: "No print() calls"
        mode: "error"
        instructions: |
          Fail if any changed Python file in src/ uses bare print() instead of
          render() or error() from pumpfun_cli.output.
      - name: "Layer separation"
        mode: "error"
        instructions: |
          Fail if any file in src/pumpfun_cli/commands/ imports directly from
          pumpfun_cli.protocol. Commands must only import from core.
      - name: "RpcClient cleanup"
        mode: "warning"
        instructions: |
          Warn if any new RpcClient usage lacks a finally block that calls .close().
  finishing_touches:
    simplify:
      enabled: true
  high_level_summary_instructions: |
    Focus on: (1) whether protocol/ code that handles real funds is affected,
    (2) architectural layer violations, (3) security implications for wallet
    handling or transaction construction. Always mention if the PR touches
    code paths that send Solana transactions.
  suggested_labels: true
  auto_apply_labels: true
  labeling_instructions:
    - label: "protocol"
      instructions: "Apply when files in src/pumpfun_cli/protocol/ are changed"
    - label: "security"
      instructions: "Apply when crypto.py, wallet-related code, or transaction construction code is changed"
    - label: "cli"
      instructions: "Apply when files in src/pumpfun_cli/commands/ are changed"
    - label: "core"
      instructions: "Apply when files in src/pumpfun_cli/core/ are changed"
    - label: "tests"
      instructions: "Apply when files in tests/ are changed"
    - label: "ci"
      instructions: "Apply when files in .github/workflows/ or Makefile are changed"
  auto_review:
    enabled: true
    drafts: false
    auto_incremental_review: true
    ignore_title_keywords:
      - "WIP"
      - "DO NOT MERGE"
    ignore_usernames:
      - "dependabot[bot]"
      - "renovate[bot]"
  path_filters:
    - "!docs/**"
    - "!.claude/**"
    - "!.github/**"
    - "!idl/**"
    - "!uv.lock"
  path_instructions:
    - path: "src/pumpfun_cli/commands/**"
      instructions: |
        CLI layer (Typer). Rules:
        - MUST NOT import from `protocol/` directly — only `core/`. Flag
          any `from pumpfun_cli.protocol` as a layer violation.
        - Use `render()` or `error()` for output. Flag bare `print()`.
        - Wallet-decryption commands must catch `ValueError`.
    - path: "src/pumpfun_cli/core/**"
      instructions: |
        Business logic layer. Rules:
        - MUST NOT import from `commands/`. May import from `protocol/`.
        - RpcClient must be closed in `finally` blocks. Flag unclosed clients.
        - No floating-point arithmetic for lamport/token amounts.
    - path: "src/pumpfun_cli/protocol/**"
      instructions: |
        CRITICAL — builds Solana transactions that move real funds.
        - MUST NOT import from `commands/` or `core/`.
        - Verify account keys in instructions are correct.
        - Flag any hardcoded private keys or secrets.
        - Flag TODO/FIXME/HACK comments.
    - path: "src/pumpfun_cli/crypto.py"
      instructions: |
        Wallet encryption (AES-256-GCM + scrypt).
        - Flag any reduction in encryption strength.
        - Passwords must never be logged or stored in plaintext.
    - path: "tests/**"
      instructions: |
        - Tests must use mocks for RPC calls, no real network.
        - Flag hardcoded private keys or real wallet credentials.
  tools:
    ruff:
      enabled: true
    gitleaks:
      enabled: true
    semgrep:
      enabled: true
    shellcheck:
      enabled: true
chat:
  auto_reply: true
knowledge_base:
  opt_out: false
  learnings:
    scope: "auto"
  issues:
    scope: "auto"
  pull_requests:
    scope: "auto"