feat: complete OSS infrastructure setup

aviralgarg05 · aviralgarg05 · commit 626d6229dcf8 · 2026-02-06T21:46:17.000+05:30
- Add MIT LICENSE file
- Add CodeQL security analysis workflow
- Add dependency review workflow for PRs
- Add comprehensive TESTING.md documentation
- Update Cargo.toml with license and metadata
- Add badges to README (CodeQL, Codecov, License, etc.)
- Document all CI/CD workflows and testing procedures
- Document known issues (unmaintained deps, Release Please)

This completes the open source readiness setup with:
- Security scanning (CodeQL, dependency review)
- Quality gates (CI, tests, coverage)
- Documentation (TESTING.md, README badges)
- Proper licensing (MIT)

Signed-off-by: aviralgarg05 &lt;gargaviral99@gmail.com&gt;
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,38 @@
+name: "CodeQL Security Analysis"
+
+on:
+    push:
+        branches: [main]
+    pull_request:
+        branches: [main]
+    schedule:
+        - cron: "0 0 * * 1" # Weekly on Monday
+
+permissions:
+    actions: read
+    contents: read
+    security-events: write
+
+jobs:
+    analyze:
+        name: Analyze
+        runs-on: ubuntu-latest
+
+        strategy:
+            fail-fast: false
+            matrix:
+                language: ["python"]
+
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v3
+              with:
+                  languages: ${{ matrix.language }}
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v3
+              with:
+                  category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+name: "Dependency Review"
+
+on:
+    pull_request:
+        branches: [main]
+
+permissions:
+    contents: read
+    pull-requests: write
+
+jobs:
+    dependency-review:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout Repository
+              uses: actions/checkout@v4
+
+            - name: Dependency Review
+              uses: actions/dependency-review-action@v4
+              with:
+                  fail-on-severity: moderate
+                  comment-summary-in-pr: always
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2025 Aviral Garg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -1,4 +1,9 @@
 [![CI](https://github.com/aviralgarg05/NexumDB/actions/workflows/ci.yml/badge.svg)](https://github.com/aviralgarg05/NexumDB/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/aviralgarg05/NexumDB/actions/workflows/codeql.yml/badge.svg)](https://github.com/aviralgarg05/NexumDB/actions/workflows/codeql.yml)
+[![codecov](https://codecov.io/gh/aviralgarg05/NexumDB/branch/main/graph/badge.svg)](https://codecov.io/gh/aviralgarg05/NexumDB)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Rust](https://img.shields.io/badge/rust-1.70%2B-orange.svg)](https://www.rust-lang.org/)
+[![Python](https://img.shields.io/badge/python-3.9%2B-blue.svg)](https://www.python.org/)
 
 # NexumDB - AI-Native Database
 
diff --git a/TESTING.md b/TESTING.md
@@ -0,0 +1,149 @@
+# Testing Guide for NexumDB
+
+This document describes all testing and quality assurance processes for NexumDB.
+
+## Local Testing
+
+### Rust Tests
+```bash
+# Set PyO3 compatibility for Python 3.14
+export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1
+
+# Format check
+cargo fmt --all -- --check
+
+# Linting
+cargo clippy --workspace --all-targets -- -D warnings
+
+# Run tests (single-threaded for consistent results)
+cargo test --workspace -- --test-threads=1
+
+# Security audit
+cargo audit
+
+# Generate documentation
+cargo doc --no-deps --workspace
+```
+
+### Python Tests
+```bash
+cd nexum_ai
+
+# Lint with ruff
+ruff check .
+
+# Syntax check
+python3 -m compileall *.py
+
+# Run tests with coverage
+pytest --cov=. --cov-report=xml --cov-report=html
+```
+
+## CI/CD Workflows
+
+### Continuous Integration (.github/workflows/ci.yml)
+Runs on: Every push and PR
+- **Rust checks**:
+  - Format check with `cargo fmt`
+  - Linting with `cargo clippy`
+  - Unit and integration tests
+  - Security audit with `cargo audit`
+  - Documentation build
+  - Code coverage with `cargo-llvm-cov` → Codecov
+  
+- **Python checks**:
+  - Linting with `ruff`
+  - Syntax check with `compileall`
+  - Tests with `pytest`
+  - Coverage with `pytest-cov` → Codecov
+
+- **Benchmarks** (PR only):
+  - Criterion-based performance tests
+  - Comparison with main branch
+
+### Security Workflows
+
+#### CodeQL Analysis (.github/workflows/codeql.yml)
+Runs on: Push to main, PRs, weekly schedule
+- Static security analysis for Python code
+- Identifies potential vulnerabilities
+
+#### Dependency Review (.github/workflows/dependency-review.yml)
+Runs on: Pull requests
+- Reviews dependency changes
+- Fails on moderate+ severity vulnerabilities
+- Comments summary in PR
+
+#### SBOM Generation (.github/workflows/sbom.yml)
+Runs on: Release tags
+- Generates Software Bill of Materials
+- Tracks all dependencies
+
+### Code Quality
+
+#### DCO Check (.github/workflows/dco.yml)
+Runs on: Pull requests
+- Verifies Developer Certificate of Origin
+- Ensures proper commit sign-off
+
+#### Stale Issues (.github/workflows/stale.yml)
+Runs on: Schedule (daily)
+- Marks inactive issues/PRs as stale
+- Auto-closes after inactivity period
+
+### Release & Distribution
+
+#### Release Please (.github/workflows/release-please.yml)
+Runs on: Push to main
+- Automated release PR generation
+- Version bumping based on conventional commits
+- Changelog generation
+- **Current Status**: Requires repository settings update (see RELEASE_PLEASE_FIX.md)
+
+#### Docker Release (.github/workflows/docker-release.yml)
+Runs on: Release tags
+- Builds and publishes Docker images
+- Multi-platform support
+
+## Known Issues
+
+### Unmaintained Dependencies
+The following dependencies are flagged as unmaintained by `cargo audit`:
+- `fxhash 0.2.1` - Used by sled (indirect)
+- `instant 0.1.13` - Used by sled (indirect)
+
+These are **warnings only**, not security vulnerabilities. They come from the `sled` database dependency. Monitor for:
+- Updates to `sled` that might replace these
+- Alternative database backends if needed
+- Security advisories (none currently)
+
+### Release Please Permissions
+The Release Please workflow requires repository settings update. See `/tmp/release-please-fix.md` for instructions.
+
+## Coverage Requirements
+
+- **Target**: Maintain >80% code coverage
+- **Tracking**: Codecov integration for both Rust and Python
+- **Reports**: 
+  - Rust: `lcov.info` generated by `cargo-llvm-cov`
+  - Python: `coverage.xml` generated by `pytest-cov`
+
+## Pre-commit Checklist
+
+Before pushing changes:
+1. ✅ Run `cargo fmt --all`
+2. ✅ Run `cargo clippy --workspace --all-targets`
+3. ✅ Run `cargo test --workspace`
+4. ✅ Run `ruff check nexum_ai/` (if Python changes)
+5. ✅ Run `pytest` in nexum_ai/ (if Python changes)
+6. ✅ Ensure all tests pass locally
+7. ✅ Sign commits with DCO (`git commit -s`)
+
+## Continuous Improvement
+
+Consider adding:
+- [ ] Mutation testing for test quality assessment
+- [ ] Performance regression detection
+- [ ] Fuzzing for SQL parser
+- [ ] Integration tests with real workloads
+- [ ] Load testing scenarios
diff --git a/nexum_cli/Cargo.toml b/nexum_cli/Cargo.toml
@@ -2,6 +2,11 @@
 name = "nexum_cli"
 version = "0.4.0"
 edition = "2021"
+license = "MIT"
+authors = ["Aviral Garg"]
+repository = "https://github.com/aviralgarg05/NexumDB"
+description = "Command-line interface for NexumDB"
+keywords = ["database", "cli", "sql"]
 
 [[bin]]
 name = "nexum"
diff --git a/nexum_core/Cargo.toml b/nexum_core/Cargo.toml
@@ -2,6 +2,12 @@
 name = "nexum_core"
 version = "0.4.0"
 edition = "2021"
+license = "MIT"
+authors = ["Aviral Garg"]
+repository = "https://github.com/aviralgarg05/NexumDB"
+description = "AI-native database core engine with SQL and semantic caching"
+keywords = ["database", "ai", "sql", "semantic-cache"]
+categories = ["database-implementations"]
 
 [dependencies]
 sled = { workspace = true }
