
docs: comprehensive documentation, security, and CI hardening #58

Merged
unclesp1d3r merged 29 commits into main from 50-docs-correct-agentsmd-to-accurately-reflect-implemented-features on Feb 15, 2026

Conversation

unclesp1d3r (Member) commented Feb 15, 2026

Summary

This PR encompasses a broad set of documentation, security, CI, and developer experience improvements spanning the project's push toward OpenSSF Best Practices compliance and overall project maturity.

Documentation

  • AGENTS.md: Corrected to accurately reflect implemented vs. planned features, with explicit current limitations section
  • README.md: Added OpenSSF Best Practices and Scorecard badges; streamlined roadmap into summary table
  • ROADMAP.md: Extracted detailed roadmap with linked GitHub issues (#59 "refactor: split evaluator/mod.rs into focused submodules" through #63 "refactor: convert evaluator/types.rs to a types/ directory module") into standalone file
  • SECURITY.md: Expanded with scope, safe harbor policy, responsible disclosure guidelines, and PGP key
  • CONTRIBUTING.md: Added DCO requirement and code review standards
  • Security Assurance Case: New appendix documenting threat model, trust boundaries, CWE/OWASP countermeasures, and supply chain measures
  • Release Verification Guide: New guide for verifying Sigstore-signed release artifacts
  • Project Governance: Added governance model and updated development guide

CI/CD & Supply Chain Security

  • Pinned all GitHub Actions to SHA hashes for supply chain integrity (including dtolnay/rust-toolchain)
  • Added SPDX license and copyright headers to all source files
  • Committed Cargo.lock and mise.lock for reproducible builds
  • Added git-cliff changelog generation and simplified justfile
  • Fixed Qlty coverage upload path to match actual LCOV output location
  • Fixed docs.yml build ordering to prevent mdBook from overwriting rustdoc API docs

Developer Experience — Claude Code Skills

5 project-level skills optimized for Rust/libmagic-rs:

  • tdd-workflow: TDD with cargo test/nextest, llvm-cov, proptest
  • security-review: memory safety, buffer bounds, unsafe code, supply chain
  • verification-loop: cargo check/clippy/fmt/test/audit pipeline
  • strategic-compact: context management for long sessions
  • api-design: Rust library API patterns, builder, error design, clap CLI

Developer Experience — Claude Code Hooks & Rules

  • DCO sign-off hook: PreToolUse hook blocks git commit without -s flag (POSIX-portable grep patterns)
  • 4 hookify rules for Rust code safety warnings:
    • warn-unsafe-code: flags unsafe blocks/fn/impl (project forbids unsafe)
    • warn-direct-string-slice: flags &str[n..] (use strip_prefix instead)
    • warn-panic-in-lib: flags .unwrap()/.expect()/panic!() in src/ (use Result)
    • warn-emoji-in-code: flags emoji in code/docs (with bypass for emoji-processing code)

Review Fixes

  • Addressed all Copilot review comments across two rounds (22 comments total)
  • Fixed cliff.toml: case-insensitive doc grouping, BREAKING CHANGE priority, compact template
  • Fixed justfile: coverage threshold 9.7→85, added scorecard.yml to lint-actions
  • Fixed AGENTS.md: note style consistency, string type description accuracy, vulnerability timeline alignment
  • Fixed security-assurance.md: workspace lint references instead of crate attribute
  • Fixed ROADMAP.md: removed unsubstantiated coverage claims
  • Fixed .gitignore: expanded Cargo.lock rationale for binary reproducibility
  • Fixed DCO hook: tighter regex to avoid matching git commit-tree
  • Applied CodeRabbit fix: POSIX-portable grep patterns in hook script

Architecture Issues Created

Test plan

  • Verify cargo test passes (no source code changes, only docs/config)
  • Verify cargo clippy -- -D warnings passes
  • Verify mdbook builds successfully with new chapters
  • Confirm GitHub Actions workflows still run correctly with SHA-pinned actions
  • Verify SPDX headers present on all source files
  • Confirm project-level skills are discoverable by Claude Code
  • Confirm DCO sign-off hook blocks commits without -s
  • Confirm hookify rules trigger on matching patterns

@unclesp1d3r unclesp1d3r self-assigned this Feb 15, 2026
Copilot AI review requested due to automatic review settings February 15, 2026 01:36
@unclesp1d3r unclesp1d3r linked an issue Feb 15, 2026 that may be closed by this pull request
@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 15, 2026
coderabbitai (Bot) commented Feb 15, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Expanded public type/operator enums (structured TypeKind and new Operator variants), extensive documentation and workflow pinning, added changelog tooling and recipes, security/contributing docs revised, many files received license headers; no runtime logic changes beyond public API surface and build-time helpers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Core public types: src/lib.rs, src/parser/ast.rs, src/evaluator/types.rs, AGENTS.md | TypeKind changed to structured variants (Byte, Short { endian, signed }, Long { endian, signed }, String { max_length: Option<usize> }); Operator extended with BitwiseAnd and BitwiseAndMask(u64). Docs updated to reflect new signatures. |
| Build-time helpers & builtin rules: src/build_helpers.rs, src/builtin_rules.rs | New build helper APIs: parse_and_generate_builtin_rules, format_parse_error, and a lazily-initialized BUILTIN_RULES static; supports generating/serializing built-in rules at build time. |
| Documentation & governance: AGENTS.md, README.md, CHANGELOG.md, SECURITY.md, CONTRIBUTING.md | Reorganized AGENTS into implemented vs planned sections; README badges added; new CHANGELOG and cliff config; SECURITY replaced with formal vulnerability-reporting workflow and PGP key; CONTRIBUTING expanded CI/review requirements. |
| Changelog tooling & recipes: cliff.toml, justfile, mise.toml | Added cliff.toml; justfile removed Goreleaser recipes, replaced mise_exec wrappers with direct just invocations, and added docs:changelog* recipes; mise.toml adds git-cliff and scorecard tools. |
| CI / GitHub Actions & Dependabot: .github/workflows/*, .github/dependabot.yml | Pinned many GitHub Action usages from tags to exact commit SHAs (inline version comments); added Dependabot github-actions weekly config. Workflow logic unchanged. |
| License headers & small hygiene edits: many src/..., tests/..., benches/*, build.rs, .gitignore | Added copyright/SPDX headers across source, tests, benches; .gitignore updated to commit Cargo.lock. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇
I hopped through docs and nibbled the log,
pinned tiny hashes in the actions' bog,
Cliff stitched the changelog, neat as a seed,
trimmed recipes so my hops run at speed,
badges and PGP — a rabbit's dev-time glee!

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | No merge conflicts detected when merging into main |
| Title check | ✅ Passed | The title accurately summarizes the main changes: comprehensive documentation improvements, security enhancements, and CI hardening across the project. |
| Description check | ✅ Passed | The PR description is comprehensive and directly addresses the changeset, covering documentation updates, CI/CD improvements, and developer experience enhancements across multiple files. |


@dosubot dosubot Bot added the documentation Improvements or additions to documentation label Feb 15, 2026
Copilot AI left a comment

Pull request overview

This pull request updates the AGENTS.md documentation to accurately distinguish between currently implemented features and planned future enhancements in libmagic-rs. The documentation now clearly reflects the v0.1.0 MVP status with explicit version-tagged sections and a comprehensive "Current Limitations" section.

Changes:

  • Clarifies implementation status by adding version-specific headings and blockquote notes throughout the documentation
  • Expands code examples to show the actual structure of TypeKind and Operator enums with their variants
  • Adds a new "Current Limitations" section detailing missing features in type system, operators, offset specifications, and magic file syntax
  • Updates dependency descriptions to clarify that regex is used only in tests and aho-corasick is planned but not yet added
  • Revises the development roadmap to show 5 phases from MVP to production-ready with specific feature sets

coderabbitai (Bot) previously approved these changes Feb 15, 2026
coderabbitai (Bot) previously approved these changes Feb 15, 2026
Copilot AI review requested due to automatic review settings February 15, 2026 01:52
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Feb 15, 2026
@coderabbitai coderabbitai Bot added the compatibility libmagic compatibility and migration label Feb 15, 2026
Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated no new comments.

coderabbitai (Bot) previously approved these changes Feb 15, 2026
@unclesp1d3r unclesp1d3r changed the title docs: correct agentsmd to accurately reflect implemented features docs: correct agents.md to accurately reflect implemented features Feb 15, 2026
Copilot AI review requested due to automatic review settings February 15, 2026 02:50
codecov (Bot) commented Feb 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@dosubot dosubot Bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Feb 15, 2026
Copilot AI left a comment

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

.github/dependabot.yml:16

  • The new Dependabot entries use an unquoted weekly value, while the existing cargo entry uses "weekly". YAML will parse both, but mixing styles makes the file harder to scan and can confuse future edits. Consider quoting weekly here for consistency with the rest of the file.
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
          interval: weekly

    - package-ecosystem: "devcontainers"
      directory: "/"
      schedule:
          interval: weekly

Copilot AI review requested due to automatic review settings February 15, 2026 03:00
Copilot AI left a comment

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

PreToolUse hook checks all Bash commands for git commit without -s
or --signoff flag and blocks them with exit code 2.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Add 4 hookify rules to warn about common safety issues:
- warn-unsafe-code: flags unsafe blocks/fn/impl (project forbids unsafe)
- warn-direct-string-slice: flags &str[n..] (use strip_prefix instead)
- warn-panic-in-lib: flags unwrap/expect/panic in src/ (use Result)
- warn-emoji-in-code: flags emoji in code/docs (with bypass for processing)

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Copilot AI review requested due to automatic review settings February 15, 2026 06:25
Copilot AI left a comment

Pull request overview

Copilot reviewed 73 out of 76 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

.github/workflows/docs.yml:39

  • The docs workflow installs mdBook via jontze/action-mdbook with mdbook-version: latest, which makes the build non-reproducible and can drift from the pinned toolchain in mise.lock (e.g., mdBook 0.5.2). To keep docs builds stable, pin mdbook-version to the same version as mise (or remove this step and use the mise-provisioned mdbook).
            - name: Setup mdBook
              uses: jontze/action-mdbook@6c0be56d14c4bf16861b00af61f50ff7400ce502 # v4.0.0
              with:
                  token: ${{ secrets.GITHUB_TOKEN }}
                  mdbook-version: latest
                  use-mermaid: true

- cliff.toml: fix duplicate Documentation sections (case-insensitive
  match), separate Breaking Changes into its own group (<!-- 10 -->),
  compact list formatting in template
- justfile: fix coverage-check threshold from 9.7 to 85, add
  scorecard.yml to lint-actions
- AGENTS.md: fix vulnerability timeline to 90 days (match SECURITY.md),
  fix unsafe_code wording (workspace lints not crate attribute), fix
  note style consistency, fix string type limitation description
- docs/src/security-assurance.md: fix unsafe_code enforcement wording
  to reference workspace lints in Cargo.toml
- mise.toml: align new tool entries with existing formatting
- ROADMAP.md: remove specific coverage percentage claim
- CHANGELOG.md: regenerated with all fixes applied

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
coderabbitai (Bot) previously approved these changes Feb 15, 2026
Replace \b word boundary (GNU-only) with POSIX-safe space/line
anchors for cross-platform compatibility on macOS BSD grep.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Copilot AI left a comment

Pull request overview

Copilot reviewed 73 out of 76 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

.github/workflows/docs.yml:39

  • mdbook-version: latest makes the docs build non-reproducible and can cause unexpected breakages when mdBook releases. Since the repo already pins mdBook in mise.toml/mise.lock, consider using that pinned version here (or otherwise pin an explicit mdBook version) to keep CI deterministic.
            - name: Setup mdBook
              uses: jontze/action-mdbook@6c0be56d14c4bf16861b00af61f50ff7400ce502 # v4.0.0
              with:
                  token: ${{ secrets.GITHUB_TOKEN }}
                  mdbook-version: latest
                  use-mermaid: true

Explain why Cargo.lock is committed despite the project including a
library: binary reproducibility, cargo-auditable, and no impact on
downstream library consumers since cargo publish ignores it.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

- ci.yml: pin dtolnay/rust-toolchain to SHA, fix Qlty coverage path
  from target/lcov.info to lcov.info to match report output
- docs.yml: build mdBook before copying rustdoc into book/api/ to
  prevent mdBook from overwriting the API docs directory
- enforce-dco-signoff.sh: match "git commit" as distinct subcommand
  to avoid false positives on git commit-tree etc.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
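The sign-off hook described across the commit messages above (block `git commit` without `-s`/`--signoff` with exit code 2; POSIX-portable grep patterns with no GNU-only `\b`; match `git commit` as its own subcommand so `git commit-tree` is not caught) reduces to two regular expressions. The block below is an added example written for this page, not the project's `.claude/hooks/enforce-dco-signoff.sh`. It assumes the command line to inspect arrives as a single string argument (how the real hook receives the command is not shown on this page), and the sample commands it runs when invoked without arguments are constructed.

```shell
#!/bin/sh
# Added example: a DCO sign-off gate in the spirit of the PreToolUse hook this
# PR describes. Not the project's own hook script.
#
# dco_check_command CMD
#   returns 0 when CMD is not a plain `git commit`, or already carries a
#   sign-off flag; returns 2 (the blocking exit code used by the hook) when a
#   `git commit` lacks -s/--signoff.
# Only POSIX ERE constructs are used ([[:space:]] instead of \b), so BSD grep
# on macOS and GNU grep on Linux agree.
dco_check_command() {
    cmd="$1"

    # `git` must start the command or follow a separator, and `commit` must be
    # followed by whitespace or end of line, so `git commit-tree` does not match.
    if ! printf '%s\n' "$cmd" \
        | grep -E '(^|[[:space:];&|])git[[:space:]]+commit([[:space:]]|$)' >/dev/null; then
        return 0
    fi

    # Accept --signoff, -s, or a short-flag cluster containing s (e.g. -as, -sm).
    if printf '%s\n' "$cmd" \
        | grep -E '(^|[[:space:]])(--signoff|-[a-zA-Z]*s[a-zA-Z]*)([[:space:]]|$)' >/dev/null; then
        return 0
    fi

    echo "blocked: git commit without -s/--signoff (DCO sign-off required)" >&2
    return 2
}

# Usage: pass the command line to check as arguments; with no arguments the
# constructed samples below are run and labelled.
if [ "$#" -gt 0 ]; then
    dco_check_command "$*"
else
    for c in 'git commit -m "fix typo"' 'git commit -s -m "fix typo"' \
             'git commit -am "wip"' 'git commit-tree HEAD^{tree} -m x' 'git status'; do
        if dco_check_command "$c" 2>/dev/null; then
            echo "allow: $c"
        else
            echo "block: $c"
        fi
    done
fi
```

The short-flag cluster alternative matters in practice: `git commit -asm "msg"` is signed off, and a check that only looks for a literal ` -s ` would reject it and train people to work around the hook.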
Copilot AI left a comment

Pull request overview

Copilot reviewed 73 out of 76 changed files in this pull request and generated no new comments.

@unclesp1d3r unclesp1d3r requested a review from Copilot February 15, 2026 07:01
@unclesp1d3r unclesp1d3r merged commit a8c81e5 into main Feb 15, 2026
31 checks passed
@unclesp1d3r unclesp1d3r deleted the 50-docs-correct-agentsmd-to-accurately-reflect-implemented-features branch February 15, 2026 07:03
Copilot AI left a comment

Pull request overview

Copilot reviewed 73 out of 76 changed files in this pull request and generated 2 comments.

Comment on lines 34 to 48
@@ -42,24 +42,24 @@ jobs:
- name: Install mdbook plugins
run: cargo binstall mdbook-tabs mdbook-i18n-helpers mdbook-alerts mdbook-yml-header mdbook-image-size --no-confirm

- name: Build rustdoc
run: |
cargo doc --no-deps --document-private-items --target-dir target
mkdir -p docs/book/api
cp -r target/doc/* docs/book/api/

- name: Build mdBook
run: |
cd docs
mdbook build
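Review bot: the step order in this hunk is the ordering bug the PR description lists under "Fixed docs.yml build ordering": "Build rustdoc" copies target/doc/* into docs/book/api/ and only afterwards does "Build mdBook" run `mdbook build` inside docs/, whose output directory is docs/book, so the API docs just copied in are overwritten. Move `mkdir -p docs/book/api` and `cp -r target/doc/* docs/book/api/` to after the `mdbook build` step, which is what the later commit message on this page ("build mdBook before copying rustdoc into book/api/") does. Separately, `cargo binstall mdbook-tabs mdbook-i18n-helpers mdbook-alerts mdbook-yml-header mdbook-image-size --no-confirm` installs whatever plugin versions are current at run time while the repo pins mdbook and its plugins in mise.toml/mise.lock, so the reproducibility concern raised for `mdbook-version: latest` applies to this line as well.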
Copilot AI commented Feb 15, 2026
The docs workflow installs mdBook via jontze/action-mdbook using mdbook-version: latest, but the repo already pins cargo:mdbook (and plugins) in mise.toml/mise.lock. Using latest (and a second installer) undermines reproducibility and can lead to CI using a different mdBook version than local dev. Prefer using the mise-managed mdBook (e.g., run mdbook via mise exec -- mdbook ...) or set mdbook-version to the pinned version to keep builds deterministic.

Comment thread README.md
| **v0.2.0** | Comparison operators, bitwise XOR/NOT, indirect/relative offsets, 64-bit integers |
| **v0.3.0** | Regex, float/double, date/timestamp, pascal strings, meta-types |
| **v0.4.0** | Builder API, JSON metadata, parse warnings, improved errors |
| **v1.0.0** | 95%+ GNU `file` compatibility, stable API, crates.io publication |
Copilot AI commented Feb 15, 2026
README currently shows a Crates.io version badge at the top, but the roadmap table still lists “crates.io publication” as a v1.0.0 milestone item. These statements conflict; please align the README by either removing/qualifying the Crates.io badge until the crate is published, or updating the roadmap milestone text if publication has already happened.

Suggested change
| **v1.0.0** | 95%+ GNU `file` compatibility, stable API, crates.io publication |
| **v1.0.0** | 95%+ GNU `file` compatibility, stable API, crates.io 1.0 stabilization |


Labels

compatibility libmagic compatibility and migration documentation Improvements or additions to documentation size:XXL This PR changes 1000+ lines, ignoring generated files.


Development

Successfully merging this pull request may close these issues.

Docs: correct AGENTS.md to accurately reflect implemented features

2 participants