From 75309cf591b6ea5795bbf28036d1fd2366032f1a Mon Sep 17 00:00:00 2001 From: Scott McCarty Date: Sun, 15 Mar 2026 17:40:07 -0400 Subject: [PATCH 1/2] Add Gemini Code Assist styleguide from constitution --- .gemini/styleguide.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .gemini/styleguide.md diff --git a/.gemini/styleguide.md b/.gemini/styleguide.md new file mode 100644 index 0000000..1d5e34e --- /dev/null +++ b/.gemini/styleguide.md 
@@ -0,0 +1,42 @@ +# CrunchTools MCP Server Code Review Standards + +## Architecture +- Business logic belongs in `tools/*.py`, NOT in `server.py` +- `server.py` contains ONLY `@mcp.tool()` decorated functions that validate args and delegate +- MCP registration (`@mcp.tool()`) MUST NOT appear in `tools/*.py` +- HTTP calls go through `client.py` — tools never call `httpx` directly + +## Security (Five-Layer Model) +- API credentials MUST use `SecretStr` — never logged, never in `repr()` +- Credentials MUST come from environment variables only — no hardcoded values +- No `eval()`, `exec()`, filesystem access, or shell execution +- Auth MUST go in headers, never in URLs +- URL path parameters MUST be encoded to prevent path traversal +- Pydantic models MUST use `extra="forbid"` + +## Testing +- Every new tool MUST have a corresponding mocked test +- `test_tool_count` MUST be updated when tools are added or removed +- Tests use `httpx.AsyncClient` mocking — no live API calls +- Pydantic models need valid, invalid, and injection-prevention tests +- Security tests: token sanitization, ID truncation, config repr safety + +## Naming +- PyPI package: `mcp--crunchtools` +- Python module: `mcp__crunchtools` +- CLI command: `mcp--crunchtools` + +## Containerfile +- Use `Containerfile`, not `Dockerfile` +- Base on Hummingbird images (`quay.io/hummingbird/*`) +- Include OCI labels: `org.opencontainers.image.source`, `.description`, `.licenses` +- Always `dnf clean all` after installs + +## Versioning +- Semantic Versioning 2.0.0 strictly +- AI-assisted commits MUST include `Co-Authored-By` trailer +- All code MUST pass gourmand checks before merge + +## Distribution +- Every release MUST be available via uvx, pip, AND container +- All three MCP transports MUST work: stdio, SSE, streamable-http From a5446ce8a72c08235a2e723258dfb27f7a188cde Mon Sep 17 00:00:00 2001 
From: Scott McCarty Date: Sun, 15 Mar 2026 17:40:08 -0400 Subject: [PATCH 2/2] Add Gemini Code Assist config --- .gemini/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .gemini/config.yaml diff --git a/.gemini/config.yaml b/.gemini/config.yaml new file mode 100644 index 0000000..bc55c07 --- /dev/null +++ b/.gemini/config.yaml @@ -0,0 +1,5 @@ +ignore_patterns: + - "vendor/**" + - "*.min.js" + - ".gourmand-cache/**" + - "*.lock"
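Review bot: In the Security section of `.gemini/styleguide.md` the heading reads "Five-Layer Model", but six bullets follow and none of them names a layer, so a reader cannot tell which rule belongs to which layer or whether a layer is missing. Either name the five layers and group the bullets under them, or drop the count from the heading. The path-parameter rule ("MUST be encoded to prevent path traversal") would be easier to enforce if it said which encoding step is expected and where it happens. In the Naming section the three patterns appear as `mcp--crunchtools` and `mcp__crunchtools` with nothing between the separators, which makes the PyPI and CLI lines identical; if a placeholder was intended there, write it in a form that survives rendering.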
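Review bot: The `"*.lock"` entry under `ignore_patterns` in `.gemini/config.yaml` takes lockfile changes out of automated review, so a commit that only moves pinned dependency versions gets no comments. Consider removing that pattern, or add a YAML comment stating why lockfiles are excluded and what reviews them instead. `"vendor/**"` has the same effect for vendored code, and none of the four patterns carries a comment explaining why it is ignored.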