Add hygiene files, .github workflows, and updated skills

Author: celticht32

.editorconfig

@@ -0,0 +1,26 @@
+# Copyright (c) 2026 Chris Ahrendt — SPDX-License-Identifier: MIT
+# https://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{yml,yaml,json,toml,md,html,css,js,jsx,ts,tsx}]
+indent_size = 2
+
+[Makefile]
+indent_style = tab
+
+[*.{sh,bash}]
+indent_size = 2
+
+# Don't trim trailing whitespace from markdown — two trailing spaces
+# means line break.
+[*.md]
+trim_trailing_whitespace = false

.env.example

@@ -0,0 +1,67 @@
+# Copyright (c) 2026 Chris Ahrendt
+# SPDX-License-Identifier: MIT
+#
+# Copy to .env and fill in.
+
+# ── MCP server ────────────────────────────────────────────────────────────────
+# Bearer token used by claude.ai to call the MCP server. Min 32 chars.
+# Generate with: python -c "import secrets; print(secrets.token_urlsafe(48))"
+MCP_API_KEY=
+
+# Bind address and port for the MCP server.
+MCP_HOST=0.0.0.0
+MCP_PORT=8000
+
+# Public URLs (only needed when behind a TLS reverse proxy).
+# MCP_SERVER_URL=https://mcp.example.com
+# MCP_ISSUER_URL=https://mcp.example.com
+
+# ── Couchbase cluster (single-cluster mode) ───────────────────────────────────
+CB_ANALYTICS_HOST=localhost
+CB_ANALYTICS_USERNAME=Administrator
+CB_ANALYTICS_PASSWORD=password
+CB_ANALYTICS_CLUSTER_NAME=default
+CB_ANALYTICS_TLS=false
+CB_ANALYTICS_VERIFY_SSL=true
+CB_ANALYTICS_MGMT_PORT=8091
+CB_ANALYTICS_ANALYTICS_PORT=8095
+CB_ANALYTICS_TIMEOUT_SECONDS=60
+CB_ANALYTICS_MAX_RETRIES=3
+
+# Multi-cluster mode (overrides single-cluster vars if set).
+# CB_ANALYTICS_CLUSTERS_FILE=/app/config/clusters.json
+
+# ── Capella Management API (optional, enables capella_* tools) ────────────────
+# CB_CAPELLA_API_KEY_SECRET=your-capella-api-key
+# CB_CAPELLA_BASE_URL=https://cloudapi.cloud.couchbase.com
+
+# ── GUI ───────────────────────────────────────────────────────────────────────
+# Enable the admin/query GUI in the same process as the MCP server.
+GUI_ENABLED=true
+GUI_HOST=0.0.0.0
+GUI_PORT=8080
+
+# Login credentials for the GUI (used for admin/query access).
+GUI_USERNAME=admin
+GUI_PASSWORD=changeme
+
+# Secret used to sign GUI sessions. Generate with:
+# python -c "import secrets; print(secrets.token_urlsafe(48))"
+GUI_SESSION_SECRET=
+
+# ── Observability ─────────────────────────────────────────────────────────────
+LOG_LEVEL=INFO                          # DEBUG | INFO | WARNING | ERROR
+LOG_FORMAT=json                         # json | console
+LOG_FILE=                               # leave blank to log only to stdout
+
+AUDIT_LOG_FILE=./audit.log              # Where to append audit records
+AUDIT_LOG_ENABLED=true
+
+# OpenTelemetry tracing
+OTEL_ENABLED=false
+# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+OTEL_SERVICE_NAME=cb-analytics-mcp
+
+# Prometheus metrics endpoint
+METRICS_ENABLED=true
+METRICS_PORT=9100

.gitattributes

@@ -0,0 +1,41 @@
+# Copyright (c) 2026 Chris Ahrendt — SPDX-License-Identifier: MIT
+#
+# Force LF line endings for text files (prevents CRLF damage on Windows
+# checkouts). Mark binary types explicitly.
+
+* text=auto eol=lf
+
+# Source
+*.py    text diff=python
+*.html  text
+*.css   text
+*.js    text
+*.md    text
+*.yml   text
+*.yaml  text
+*.toml  text
+*.json  text
+*.sh    text eol=lf
+*.cfg   text
+*.ini   text
+
+# Templates and config
+Dockerfile text
+Makefile   text
+
+# Binaries
+*.png   binary
+*.jpg   binary
+*.jpeg  binary
+*.ico   binary
+*.gif   binary
+*.pdf   binary
+*.zip   binary
+*.tar   binary
+*.gz    binary
+*.tgz   binary
+*.whl   binary
+
+# Generated artifacts that GitHub should hide in PR diffs
+docs/img/* linguist-generated=true
+src/cb_analytics_mcp/gui/static/js/htmx.min.js linguist-vendored=true

.github/CODEOWNERS

@@ -0,0 +1,19 @@
+# Copyright (c) 2026 Chris Ahrendt — SPDX-License-Identifier: MIT
+#
+# These owners will be automatically requested for review when someone
+# opens a PR that modifies the matching files. See:
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default: every file
+*                       @celticht32
+
+# Critical paths get the same default, but listed explicitly so additions
+# don't accidentally lose review coverage if you add more entries later.
+/.github/               @celticht32
+/src/cb_analytics_mcp/  @celticht32
+/tests/                 @celticht32
+/docs/                  @celticht32
+/.claude/               @celticht32
+/Dockerfile             @celticht32
+/docker-compose.yml     @celticht32
+/pyproject.toml         @celticht32

.github/FUNDING.yml

@@ -0,0 +1,19 @@
+# Copyright (c) 2026 Chris Ahrendt — SPDX-License-Identifier: MIT
+#
+# Uncomment and fill any line below to enable a "Sponsor" button on the
+# repo page. Leave all commented if you don't want sponsorships.
+
+# github: [celticht32]
+# patreon: your_patreon_username
+# open_collective: your_collective_name
+# ko_fi: your_ko_fi_username
+# tidelift: pypi/cb-analytics-mcp
+# community_bridge: your_project_name
+# liberapay: your_liberapay_username
+# issuehunt: your_issuehunt_username
+# otechie: your_otechie_username
+# lfx_crowdfunding: your_lfx_crowdfunding_username
+# polar: your_polar_username
+# buy_me_a_coffee: your_buy_me_a_coffee_username
+# thanks_dev: your_thanks_dev_username
+# custom: ['https://example.com/sponsor']

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,40 @@
+---
+name: Bug report
+about: Something isn't working as documented
+title: '[bug] '
+labels: bug
+assignees: ''
+---
+
+## What happened
+
+A clear, specific description. Include the tool name or GUI page.
+
+## What you expected
+
+What you thought should happen.
+
+## Reproduction steps
+
+1. Configure with `…`
+2. Run `cb-analytics-mcp …`
+3. From Claude / the GUI, call `…`
+
+## Logs
+
+Paste the relevant lines. Redact any secrets that slipped through.
+
+```
+…
+```
+
+## Environment
+
+- `cb-analytics-mcp --version`:
+- Python version (`python --version`):
+- Couchbase Server / Capella version:
+- Deployment (Docker / venv / k8s):
+
+## Anything else
+
+Screenshots, config diffs, related issues, etc.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/celticht32/cb-analytics-mcp/security/advisories/new
+    about: Please report security issues privately, not as a public issue.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,28 @@
+---
+name: Feature request
+about: Suggest a new tool, GUI feature, or behaviour change
+title: '[feature] '
+labels: enhancement
+assignees: ''
+---
+
+## What you want to do
+
+Describe the use case in one or two sentences. Concrete examples help.
+
+## The friction today
+
+What's missing or awkward? Which existing tools come closest?
+
+## Proposed shape
+
+If you have one — a tool signature, an env var, a GUI flow. Doesn't have
+to be final; this is a starting point for discussion.
+
+## Alternatives considered
+
+What else did you try or think about?
+
+## Anything else
+
+Couchbase docs links, related issues, prior art in other tools.

.github/dependabot.yml

@@ -0,0 +1,41 @@
+# Copyright (c) 2026 Chris Ahrendt — SPDX-License-Identifier: MIT
+#
+# Keep dependencies fresh and patched. Weekly cadence is enough for an app
+# at this scale; daily generates noise.
+
+version: 2
+updates:
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+    open-pull-requests-limit: 5
+    groups:
+      # Patch + minor pyproject deps grouped into one PR
+      python-runtime:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+    labels: ["dependencies", "python"]
+    commit-message:
+      prefix: "deps"
+      include: scope
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 5
+    labels: ["dependencies", "ci"]
+    commit-message:
+      prefix: "ci"
+      include: scope
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 3
+    labels: ["dependencies", "docker"]

.github/pull_request_template.md

@@ -0,0 +1,26 @@
+<!--
+Thanks for the contribution! A few quick checks before you submit.
+-->
+
+## What this changes
+
+A short summary of the user-visible behaviour change, or "internal refactor"
+if there isn't one.
+
+## Why
+
+Link an issue if there is one. Otherwise describe the problem this solves.
+
+## How to test
+
+The reviewer will run `make scan`. If your change needs special setup
+(real Couchbase, a Capella sandbox, env vars), say so here.
+
+## Checklist
+
+- [ ] `make scan` passes locally (pyflakes + ruff + mypy strict + bandit + pytest)
+- [ ] Coverage is still ≥ 80 %
+- [ ] Added tests for new behaviour
+- [ ] Updated `CHANGELOG.md` under `## [Unreleased]`
+- [ ] Updated docs (`docs/` or skill files) if behaviour changed
+- [ ] No new secrets in logs (redactor still catches them)