
Feature/run sat on repo and upload reports #14

Merged
xueyulinn merged 3 commits into review from feature/run-sat-on-repo-and-upload-reports
May 10, 2026


@xueyulinn

Owner

Summary

Add a repository-level SAT runner flow that runs after the repo fetch/upload step and uploads analysis reports back to object storage. This also reorganizes the code indexing Docker assets by moving the repo fetcher into its own repo_fetcher package.

Related Issue

Closes #13

Type of Change

  • Bug fix
  • New feature
  • Refactor
  • Documentation
  • Test
  • CI/CD
  • Chore

Changes Made

  • Move the existing repo fetch/upload Docker assets under codehawk/code_index/repo_fetcher/ for clearer code index organization.
  • Add a new sat_runner Docker image and script that:
    • Downloads the uploaded repository archive.
    • Extracts the archive and resolves the Python repository root.
    • Runs SAT analysis with the default runner behavior or a custom SAT_COMMAND.
    • Uploads the generated SAT report to object storage.
  • Extend DockerRunner to launch the SAT runner container after the repo fetcher completes.
  • Wait for the repo fetcher container with await asyncio.to_thread(...) before starting SAT analysis, preventing the SAT runner from downloading the archive before upload finishes.
  • Add MinIO helpers for:
    • Repo archive upload URLs.
    • Repo archive download URLs.
    • SAT report upload URLs.
  • Store repo archives and SAT reports under separate object prefixes:
    • repo-archives/.../source.tar.gz
    • sat-reports/.../sat-report.json
  • Add SAT_RUNNER_IMAGE wiring to docker-compose.yaml.

How to Test

  1. Build or provide the configured Docker images for CODE_INDEXER_IMAGE and SAT_RUNNER_IMAGE.
  2. Start the local stack with MinIO and the backend.
  3. Trigger a GitHub PR webhook event.
  4. Verify the repo fetcher uploads source.tar.gz under the repo-archives prefix.
  5. Verify the SAT runner starts after the fetcher exits successfully.
  6. Verify the SAT report is uploaded under the sat-reports prefix.

Checklist

  • Code builds successfully
  • Tests added or updated
  • Existing tests pass
  • Documentation updated if needed
  • No secrets or sensitive data included
  • Breaking changes documented

Breaking Changes

None expected.

@xueyulinn xueyulinn changed the base branch from main to review May 10, 2026 23:30
@codehawky

codehawky Bot commented May 10, 2026


Summary by CodeHawky

Status

  • Summary type: full_pr_summary
  • Current head: 282b5894b75863e53610d113c798ed4632855c29
  • Generated at: 2026-05-10T23:30:32.193986+00:00

Summary

  • Adds a repository-level code indexing/SAT flow: fetch a PR repo into an archive, upload it to MinIO, then run a SAT container and upload sat-report.json.
  • Introduces Docker assets and orchestration for repo_fetcher, sat_runner, backend image, MinIO, and docker-compose.yaml wiring.
  • Adds GitHub webhook handling for PR opened/synchronize events, installation token auth/cache, PR summary/review agents, and GitHub API DTO/client code.
  • Adds a Go CLI for local config/review workflows, including .codehawk.yaml creation/validation and diff collection.

Risk

  • Medium — broad PR with 51 files across backend webhooks, Docker orchestration, object storage, GitHub API auth, agents, and a new CLI; tests are present for config/signature paths but not for the end-to-end SAT/container flow.

Review Path

  1. Review the PR event flow first: codehawk/api/endpoints/github_webhook.py, codehawk/handlers/github_handler.py, and codehawk/services/*.
  2. Inspect SAT/indexing orchestration: codehawk/services/code_indexing.py, codehawk/docker_runner/docker_client.py, codehawk/minio/minio_client.py.
  3. Review container scripts and runtime assumptions: codehawk/code_index/repo_fetcher/*, codehawk/code_index/sat_runner/*, codehawk/Dockerfile, docker-compose.yaml.
  4. Check GitHub integration and agent behavior: codehawk/github/*, codehawk/agents/*.
  5. Review the new CLI separately: cli/cmd/*, cli/utils/*, cli/models/*, and cli/utils/config_test.go.

Open Questions

  • End-to-end build/run status for the Docker and SAT upload flow is not provided in the context.

@codehawky codehawky Bot left a comment


The pull request introduces a repository-level SAT runner and a refactor/move for the repo fetcher assets. The integration between the Docker runner and MinIO client, as well as the new SAT runner, overall appears well structured. However, there are a few issues identified that could potentially affect the reliability and observability of the indexing pipeline.

Key concerns are:

  1. The new control flow in clone_repo does not log or handle SAT runner failures at all—if the SAT runner fails (container fails or exits with non-zero), this will go unnoticed and the system will not alert or propagate that failure, leading to silent data gaps.
  2. The SAT runner uploads a report even if the analysis tool fails, but this is not documented nor surfaced to any monitoring/alerting system.

See inline comments for actionable changes.

Comment thread codehawk/services/code_indexing.py
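
The sequencing described in the PR (wait for the fetcher before starting SAT) combined with the failure propagation this review asks for, as an added example that is not code from this pull request or the CodeHawk project. It assumes container objects expose a blocking wait() that returns a dict with a "StatusCode" key, as containers in the Docker SDK for Python do; StageFailed, FakeContainer, wait_for_exit, run_fetch_then_sat and demo are hypothetical names, and the containers are constructed stand-ins so the block runs offline.

```python
import asyncio
import logging

log = logging.getLogger("pipeline")

class StageFailed(RuntimeError):
    """Raised when a pipeline container exits non-zero (hypothetical name)."""
    def __init__(self, stage, exit_code):
        super().__init__(f"{stage} exited with status {exit_code}")
        self.stage, self.exit_code = stage, exit_code

class FakeContainer:
    """Constructed stand-in: blocking wait() returns {"StatusCode": int}."""
    def __init__(self, exit_code, events, name):
        self.exit_code, self.events, self.name = exit_code, events, name
    def wait(self):
        self.events.append(f"{self.name}:exited")
        return {"StatusCode": self.exit_code}

async def wait_for_exit(stage, container):
    # The blocking wait runs in a worker thread so the event loop stays free.
    result = await asyncio.to_thread(container.wait)
    code = result.get("StatusCode", -1)  # a missing status is treated as failure
    if code != 0:
        log.error("%s failed: exit status %s", stage, code)
        raise StageFailed(stage, code)  # surface the failure to the caller
    log.info("%s finished", stage)

async def run_fetch_then_sat(fetcher, start_sat):
    # SAT must not start until the archive upload has finished successfully.
    await wait_for_exit("repo_fetcher", fetcher)
    sat = start_sat()
    # A non-zero SAT exit is raised too, so it cannot pass unnoticed.
    await wait_for_exit("sat_runner", sat)

def demo(fetch_code, sat_code):
    """Run the pipeline with constructed exit codes; return (events, failure)."""
    events = []
    fetcher = FakeContainer(fetch_code, events, "repo_fetcher")
    def start_sat():
        events.append("sat_runner:started")
        return FakeContainer(sat_code, events, "sat_runner")
    try:
        asyncio.run(run_fetch_then_sat(fetcher, start_sat))
        return events, None
    except StageFailed as exc:
        return events, (exc.stage, exc.exit_code)
```
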
@codehawky

codehawky Bot commented May 10, 2026


Summary by CodeHawky

Status

  • Summary type: incremental_pr_summary
  • Current head: 64b8adaeda71c42a20c6b8040705dc6a19b2199d
  • Generated at: 2026-05-10T23:36:24.161233+00:00

Summary

  • Adds types-docker>=7.1.0.20260508 to the dev dependency group in pyproject.toml.
  • Updates uv.lock to include types-docker and its added locked dependency metadata, including types-paramiko.

Risk

  • Low — change is limited to development/type-checking dependencies and the corresponding lockfile entries; no runtime code is modified.

Review Path

  1. Check pyproject.toml to confirm types-docker belongs in the dev dependency group.
  2. Review uv.lock for consistency with the declared dependency, especially the new types-docker and types-paramiko package entries.
  3. Verify the lockfile only reflects the intended dependency additions and does not include unrelated package churn.

@xueyulinn xueyulinn merged commit b6b55ef into review May 10, 2026
4 checks passed
Development

Successfully merging this pull request may close these issues.

[Feature]: Add SAT report runner Docker image for MinIO repository archives
