Fix quality

Author: Mehdi-Bl

.env

@@ -0,0 +1,54 @@
+# This file is committed to git no secrets.
+
+#!/usr/bin/env bash
+
+# Vault environment loader wrapper
+# Usage: source .env.vault (never run directly)
+
+set -o pipefail
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    echo "This script must be sourced: source .env.vault" >&2
+    exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+HELPER_PATH="${VAULT_HELPER_PATH:-${SCRIPT_DIR}/scripts/vault-helper.sh}"
+
+if [[ ! -r "$HELPER_PATH" ]]; then
+    echo "Vault helper not found at $HELPER_PATH" >&2
+    return 1
+fi
+
+# shellcheck source=./scripts/vault-helper.sh
+source "$HELPER_PATH"
+
+DEFAULT_VAULT_SECRET_DEFS=$'kv/Sonarqube/sonarqube|SONAR_TOKEN=SONAR_TOKEN SONAR_TOKEN=sonar_token SONAR_TOKEN=token\nkv/dependencytrack|DTRACK_API_KEY=DTRACK_API_KEY DTRACK_API_KEY=api_key DTRACK_API_KEY=token'
+DEFAULT_VAULT_REQUIRED_VARS="SONAR_TOKEN DTRACK_API_KEY"
+
+if [[ -z "${VAULT_TOKEN:-}" ]]; then
+    token_candidates=()
+    if [[ -n "${VAULT_TOKEN_FILE:-}" ]]; then
+        token_candidates+=("$VAULT_TOKEN_FILE")
+    fi
+    token_candidates+=("${HOME}/.vault-token" "/home/vscode/.vault-token" "/root/.vault-token")
+    for token_path in "${token_candidates[@]}"; do
+        if [[ -r "$token_path" ]]; then
+            VAULT_TOKEN_FILE="$token_path"
+            export VAULT_TOKEN_FILE
+            break
+        fi
+    done
+fi
+
+SECRET_DEFS="${VAULT_SECRET_PATHS:-$DEFAULT_VAULT_SECRET_DEFS}"
+REQUIRED_VARS="${VAULT_REQUIRED_VARS:-$DEFAULT_VAULT_REQUIRED_VARS}"
+
+vault_helper::load_from_definitions "$SECRET_DEFS" "$REQUIRED_VARS" "$VAULT_TOKEN_FILE"
+
+# Commented out for CI/automated testing
+# SONAR_TOKEN=""
+DTR_PROJECT_KEY=
+# DTRACK_API_KEY=""
+DTRACK_PROJECT=sonarqube-mcp
+DTRACK_PROJECT_VERSION=main

.gitignore

@@ -124,14 +124,40 @@ celerybeat.pid
 *.sage.py
 
 # Environments
-.env
+.env.vault
+.env.cloud
 .venv
 env/
 venv/
 ENV/
 env.bak/
 venv.bak/
 
+# SonarQube scanner working directory
+dist/quality/sonar/scannerwork/
+
+# Quality and Security Artifacts
+dist/quality/
+dist/security/
+dist/artifacts/
+
+# Gitleaks reports
+*.gitleaks-report.json
+gitleaks-report.json
+
+# SBOM reports
+*.sbom.json
+sbom.json
+cyclonedx-*.json
+
+# Renovate reports
+renovate-report.json
+renovate-summary-*.txt
+
+# Semgrep reports
+semgrep-report*.json
+semgrep-report*.sarif
+
 # Spyder project settings
 .spyderproject
 .spyproject
@@ -328,4 +354,4 @@ tests/__pycache__/
 docs/start.md
 docs/typescript-translation-plan.md
 
-# Note: test scripts in tests/ directory should be tracked in git
+# Note: test scripts in tests/ directory should be tracked in git

Makefile

@@ -1,5 +1,32 @@
 # Claude Code API - Simple & Working
 
+SHELL := /bin/bash
+.DEFAULT_GOAL := help
+
+# Directory structure
+ARTIFACTS_DIR ?= dist/artifacts
+QUALITY_DIR ?= dist/quality
+SECURITY_DIR ?= dist/security
+TESTS_DIR ?= dist/tests
+
+BUILD_DIR := $(ARTIFACTS_DIR)/bin
+COVERAGE_DIR := $(QUALITY_DIR)/coverage
+SONAR_DIR := $(QUALITY_DIR)/sonar
+SBOM_DIR := $(SECURITY_DIR)/sbom
+GITLEAKS_DIR := $(SECURITY_DIR)/gitleaks
+
+# Version info
+VERSION_FILE := $(shell cat VERSION 2>/dev/null || echo "1.0.0")
+VERSION ?= $(VERSION_FILE)
+COMMIT ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || "")
+
+# Dependency-Track settings
+DTRACK_BASE_URL ?=
+DTRACK_API_KEY ?=
+DTRACK_PROJECT ?= claude-code-api
+DTRACK_PROJECT_VERSION ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo "dev")
+
 # Python targets
 install:
 	pip install -e .
@@ -56,6 +83,105 @@ kill:
 		fi; \
 	fi
 
+# Quality and Security targets
+.PHONY: sonar sonar-cloud coverage-sonar sbom sbom-upload gitleaks fmt lint vet
+
+sonar: ## Run sonar-scanner for SonarQube analysis
+	@mkdir -p $(SONAR_DIR) $(COVERAGE_DIR)
+	@echo "Generating coverage report for SonarQube..."
+	@python -m pytest --cov=claude_code_api --cov-report=xml --cov-report=term-missing -v tests/
+	@if command -v sonar-scanner >/dev/null 2>&1; then \
+		if [ -f ".env.vault" ]; then \
+			. ./.env.vault; \
+		fi; \
+		if [ -f ".env" ]; then \
+			set -a; . ./.env; set +a; \
+		fi; \
+		if [ -n "$${VAULT_SECRET_PATHS:-}" ] || [ -n "$${VAULT_REQUIRED_VARS:-}" ]; then \
+			if [ -f "./scripts/vault-helper.sh" ]; then \
+				. ./scripts/vault-helper.sh; \
+				vault_helper::load_from_definitions "$${VAULT_SECRET_PATHS:-}" "$${VAULT_REQUIRED_VARS:-}" "$${VAULT_TOKEN_FILE:-}"; \
+			fi; \
+		fi; \
+		SONAR_HOST_URL="$${SONAR_HOST_URL:-$${SONAR_URL:-}}"; \
+		if [ -z "$$SONAR_HOST_URL" ]; then \
+			echo "SONAR_URL or SONAR_HOST_URL is required (e.g., https://sonarcloud.io or https://sonar.local)"; \
+			exit 1; \
+		fi; \
+		case "$$SONAR_HOST_URL" in \
+			http://*|https://*) ;; \
+			*) echo "SONAR_URL must include http(s) scheme: $$SONAR_HOST_URL"; exit 1 ;; \
+		esac; \
+		if [ -z "$${SONAR_TOKEN:-}" ]; then \
+			echo "SONAR_TOKEN not set - proceeding without authentication"; \
+		fi; \
+		sonar-scanner \
+			-Dsonar.host.url=$$SONAR_HOST_URL \
+			-Dsonar.token=$$SONAR_TOKEN \
+			-Dsonar.projectVersion=$${VERSION:-1.0.0} \
+			-Dsonar.working.directory=$(SONAR_DIR)/scannerwork; \
+	else \
+		echo "sonar-scanner not found. Install with: brew install sonar-scanner or download from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/"; \
+		exit 1; \
+	fi
+
+sonar-cloud: ## Run sonar-scanner for SonarCloud (uses different token/env)
+	@echo "Running SonarCloud scanner..."
+	@./scripts/run-sonar-cloud.sh
+
+coverage-sonar: ## Generate coverage for SonarQube
+	@mkdir -p $(COVERAGE_DIR)
+	@python -m pytest --cov=claude_code_api --cov-report=xml --cov-report=term-missing -v tests/
+	@echo "Coverage XML generated: $(COVERAGE_DIR)/coverage.xml"
+
+sbom: ## Generate SBOM with syft
+	@mkdir -p $(SBOM_DIR)
+	@if command -v syft >/dev/null 2>&1; then \
+		syft dir:. -o cyclonedx-json=$(SBOM_DIR)/sbom.json; \
+		echo "SBOM generated: $(SBOM_DIR)/sbom.json"; \
+	else \
+		echo "syft not found. Install with: brew install syft or visit https://github.com/anchore/syft"; \
+		exit 1; \
+	fi
+
+sbom-upload: sbom ## Generate (if needed) and upload SBOM to Dependency-Track
+	@./scripts/upload-sbom.sh $(SBOM_DIR)/sbom.json
+
+gitleaks: ## Run gitleaks to detect secrets
+	@mkdir -p $(GITLEAKS_DIR)
+	@if command -v gitleaks >/dev/null 2>&1; then \
+		gitleaks detect --source . --report-path $(GITLEAKS_DIR)/gitleaks-report.json; \
+	else \
+		echo "gitleaks not found. Install with: brew install gitleaks"; \
+		exit 1; \
+	fi
+
+fmt: ## Format Python code with black
+	@if command -v black >/dev/null 2>&1; then \
+		black claude_code_api/ tests/; \
+	else \
+		echo "black not found. Install with: pip install black"; \
+	fi
+
+lint: ## Run Python linters (flake8, isort)
+	@if command -v flake8 >/dev/null 2>&1; then \
+		flake8 claude_code_api/ tests/; \
+	else \
+		echo "flake8 not found. Install with: pip install flake8"; \
+	fi
+	@if command -v isort >/dev/null 2>&1; then \
+		isort --check-only claude_code_api/ tests/; \
+	else \
+		echo "isort not found. Install with: pip install isort"; \
+	fi
+
+vet: ## Run type checking with mypy
+	@if command -v mypy >/dev/null 2>&1; then \
+		mypy claude_code_api/; \
+	else \
+		echo "mypy not found. Install with: pip install mypy"; \
+	fi
+
 help:
 	@echo "Claude Code API Commands:"
 	@echo ""
@@ -70,14 +196,25 @@ help:
 	@echo "  make start-prod  - Start Python API server (production)"
 	@echo ""
 	@echo "TypeScript API:"
-	@echo "  make install-js     - Install TypeScript dependencies" 
+	@echo "  make install-js     - Install TypeScript dependencies"
 	@echo "  make test-js        - Run TypeScript unit tests"
 	@echo "  make test-js-real   - Run Python test suite against TypeScript API"
 	@echo "  make start-js       - Start TypeScript API server (production)"
 	@echo "  make start-js-dev   - Start TypeScript API server (development with reload)"
 	@echo "  make start-js-prod  - Build and start TypeScript API server (production)"
 	@echo "  make build-js       - Build TypeScript project"
 	@echo ""
+	@echo "Quality & Security:"
+	@echo "  make sonar         - Run SonarQube analysis (generates coverage + scans)"
+	@echo "  make sonar-cloud   - Run SonarCloud scanner (uses SONAR_CLOUD_TOKEN)"
+	@echo "  make coverage-sonar - Generate coverage XML for SonarQube"
+	@echo "  make sbom          - Generate SBOM with syft"
+	@echo "  make sbom-upload   - Upload SBOM to Dependency-Track"
+	@echo "  make gitleaks      - Run gitleaks to detect secrets"
+	@echo "  make fmt           - Format Python code with black"
+	@echo "  make lint          - Run Python linters (flake8, isort)"
+	@echo "  make vet           - Run type checking with mypy"
+	@echo ""
 	@echo "General:"
 	@echo "  make clean       - Clean up Python cache files"
 	@echo "  make kill PORT=X - Kill process on specific port"

README.md

@@ -52,9 +52,12 @@ make start
 
 ## Supported Models
 
-- `claude-opus-4-20250514` - Claude Opus 4 (Most powerful)
-- `claude-sonnet-4-20250514` - Claude Sonnet 4 (Latest Sonnet)
-- `claude-3-7-sonnet-20250219` - Claude Sonnet 3.7 (Advanced)
+Model definitions live in `claude_code_api/config/models.json`.
+Override with `CLAUDE_CODE_API_MODELS_PATH` to point at a custom JSON file.
+
+- `claude-opus-4-5-20250929` - Claude Opus 4.5 (Most powerful)
+- `claude-sonnet-4-5-20250929` - Claude Sonnet 4.5 (Latest Sonnet)
+- `claude-haiku-4-5-20250929` - Claude Haiku 4.5 (Fast & cost-effective)
 - `claude-3-5-haiku-20241022` - Claude Haiku 3.5 (Fast & cost-effective)
 
 ## Quick Start
@@ -133,7 +136,7 @@ make check-claude   # Check if Claude Code CLI is available
 curl -X POST http://localhost:8000/v1/chat/completions \
   -H "Content-Type: application/json" \
   -d '{
-    "model": "claude-3-5-haiku-20241022",
+    "model": "claude-sonnet-4-5-20250929",
     "messages": [
       {"role": "user", "content": "Hello!"}
     ]
@@ -152,7 +155,7 @@ curl http://localhost:8000/v1/models
 curl -X POST http://localhost:8000/v1/chat/completions \
   -H "Content-Type: application/json" \
   -d '{
-    "model": "claude-3-5-haiku-20241022", 
+    "model": "claude-sonnet-4-5-20250929",
     "messages": [
       {"role": "user", "content": "Tell me a joke"}
     ],
@@ -273,4 +276,4 @@ Response:
 
 ## License
 
-This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
+This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.

VERSION

@@ -0,0 +1 @@
+1.0.0