feat: add enterprise-grade quality tooling and CLI binary

Add comprehensive quality assurance infrastructure:

**Quality Tools & Configuration:**
- Rust: Clippy (pedantic+nursery+cargo), cargo-audit, cargo-deny, cargo-geiger
- Rust: cargo-tarpaulin, cargo-nextest, cargo-udeps, cargo-machete, cargo-bloat
- Elixir: Credo, Dialyxir, Doctor, Sobelow, mix_audit, ExCoveralls
- Security: gitleaks, shellcheck
- Analysis: tokei, jscpd
- Configuration files: clippy.toml, deny.toml, .credo.exs, .jscpd.json

**CLI Binary (singularity-rca):**
- Full-featured command-line interface with feature gates
- Commands: analyze, metrics, languages, complexity, report, compare
- Support for multiple output formats (table, json, csv, pretty)
- Built with clap, anyhow, comfy-table, indicatif
- Comprehensive documentation in CLI.md

**Build & Development:**
- Nix flake with all quality tools pre-installed
- devenv.nix with pre-commit hooks (rustfmt, clippy, cargo-audit, credo)
- justfile with quality targets (just quality runs everything)
- Makefile alternative with same targets

**GitHub Actions:**
- Claude Code PR review automation (.github/workflows/claude-review.yml)
- Claude Code interactive assistant (.github/workflows/claude.yml)
- Enhanced CI with FlakeHub and Cachix caching
- Release workflow builds CLI binary + source/binary tarballs

**Documentation:**
- CLI.md: Complete CLI usage guide
- QUALITY.md: Quality tools and standards
- SETUP.md: Development environment setup
- CACHIX.md: Binary cache documentation

**GitHub Secrets:**
- CLAUDE_CODE_OAUTH_TOKEN
- GH_TOKEN
- CACHIX_AUTH_TOKEN
- FLAKEHUB_PUSH_TOKEN

All tools follow enterprise-grade standards with strict linting,
security scanning, and comprehensive test coverage.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: mikkihugo

.credo.exs

@@ -0,0 +1,142 @@
+# Credo Configuration for Singularity Analysis Engine
+# Enterprise-grade code quality standards for Elixir
+
+%{
+  configs: [
+    %{
+      name: "default",
+      files: %{
+        included: [
+          "lib/",
+          "src/",
+          "test/",
+          "web/",
+          "apps/*/lib/",
+          "apps/*/src/",
+          "apps/*/test/",
+          "apps/*/web/"
+        ],
+        excluded: [~r"/_build/", ~r"/deps/", ~r"/node_modules/"]
+      },
+      plugins: [],
+      requires: [],
+      strict: true,
+      parse_timeout: 5000,
+      color: true,
+      checks: %{
+        enabled: [
+          # Consistency Checks
+          {Credo.Check.Consistency.ExceptionNames, []},
+          {Credo.Check.Consistency.LineEndings, []},
+          {Credo.Check.Consistency.ParameterPatternMatching, []},
+          {Credo.Check.Consistency.SpaceAroundOperators, []},
+          {Credo.Check.Consistency.SpaceInParentheses, []},
+          {Credo.Check.Consistency.TabsOrSpaces, []},
+          {Credo.Check.Consistency.UnusedVariableNames, []},
+
+          # Design Checks
+          {Credo.Check.Design.AliasUsage,
+           [priority: :low, if_nested_deeper_than: 2, if_called_more_often_than: 0]},
+          {Credo.Check.Design.TagFIXME, [exit_status: 0]},
+          {Credo.Check.Design.TagTODO, [exit_status: 0]},
+
+          # Readability Checks
+          {Credo.Check.Readability.AliasOrder, []},
+          {Credo.Check.Readability.FunctionNames, []},
+          {Credo.Check.Readability.LargeNumbers, []},
+          {Credo.Check.Readability.MaxLineLength, [priority: :low, max_length: 120]},
+          {Credo.Check.Readability.ModuleAttributeNames, []},
+          {Credo.Check.Readability.ModuleDoc, [priority: :high]},
+          {Credo.Check.Readability.ModuleNames, []},
+          {Credo.Check.Readability.ParenthesesInCondition, []},
+          {Credo.Check.Readability.ParenthesesOnZeroArityDefs, []},
+          {Credo.Check.Readability.PipeIntoAnonymousFunctions, []},
+          {Credo.Check.Readability.PredicateFunctionNames, []},
+          {Credo.Check.Readability.PreferImplicitTry, []},
+          {Credo.Check.Readability.RedundantBlankLines, []},
+          {Credo.Check.Readability.Semicolons, []},
+          {Credo.Check.Readability.SpaceAfterCommas, []},
+          {Credo.Check.Readability.StringSigils, []},
+          {Credo.Check.Readability.TrailingBlankLine, []},
+          {Credo.Check.Readability.TrailingWhiteSpace, []},
+          {Credo.Check.Readability.UnnecessaryAliasExpansion, []},
+          {Credo.Check.Readability.VariableNames, []},
+          {Credo.Check.Readability.WithSingleClause, []},
+
+          # Refactoring Opportunities
+          {Credo.Check.Refactor.Apply, []},
+          {Credo.Check.Refactor.CondStatements, []},
+          {Credo.Check.Refactor.CyclomaticComplexity, [max_complexity: 12]},
+          {Credo.Check.Refactor.FilterCount, []},
+          {Credo.Check.Refactor.FilterFilter, []},
+          {Credo.Check.Refactor.FunctionArity, [max_arity: 6]},
+          {Credo.Check.Refactor.LongQuoteBlocks, [max_line_count: 100]},
+          {Credo.Check.Refactor.MapJoin, []},
+          {Credo.Check.Refactor.MatchInCondition, []},
+          {Credo.Check.Refactor.NegatedConditionsInUnless, []},
+          {Credo.Check.Refactor.NegatedConditionsWithElse, []},
+          {Credo.Check.Refactor.Nesting, [max_nesting: 3]},
+          {Credo.Check.Refactor.RedundantWithClauseResult, []},
+          {Credo.Check.Refactor.RejectReject, []},
+          {Credo.Check.Refactor.UnlessWithElse, []},
+          {Credo.Check.Refactor.WithClauses, []},
+
+          # Warning Checks
+          {Credo.Check.Warning.ApplicationConfigInModuleAttribute, []},
+          {Credo.Check.Warning.BoolOperationOnSameValues, []},
+          {Credo.Check.Warning.Dbg, []},
+          {Credo.Check.Warning.ExpensiveEmptyEnumCheck, []},
+          {Credo.Check.Warning.IExPry, []},
+          {Credo.Check.Warning.IoInspect, []},
+          {Credo.Check.Warning.MissedMetadataKeyInLoggerConfig, []},
+          {Credo.Check.Warning.OperationOnSameValues, []},
+          {Credo.Check.Warning.OperationWithConstantResult, []},
+          {Credo.Check.Warning.RaiseInsideRescue, []},
+          {Credo.Check.Warning.SpecWithStruct, []},
+          {Credo.Check.Warning.UnsafeExec, []},
+          {Credo.Check.Warning.UnusedEnumOperation, []},
+          {Credo.Check.Warning.UnusedFileOperation, []},
+          {Credo.Check.Warning.UnusedKeywordOperation, []},
+          {Credo.Check.Warning.UnusedListOperation, []},
+          {Credo.Check.Warning.UnusedPathOperation, []},
+          {Credo.Check.Warning.UnusedRegexOperation, []},
+          {Credo.Check.Warning.UnusedStringOperation, []},
+          {Credo.Check.Warning.UnusedTupleOperation, []},
+          {Credo.Check.Warning.WrongTestFileExtension, []}
+        ],
+        disabled: [
+          # Optional/Opinionated checks that may be too strict
+          {Credo.Check.Design.DuplicatedCode, []},
+          {Credo.Check.Readability.AliasAs, []},
+          {Credo.Check.Readability.BlockPipe, []},
+          {Credo.Check.Readability.ImplTrue, []},
+          {Credo.Check.Readability.MultiAlias, []},
+          {Credo.Check.Readability.NestedFunctionCalls, []},
+          {Credo.Check.Readability.OneArityFunctionInPipe, []},
+          {Credo.Check.Readability.OnePipePerLine, []},
+          {Credo.Check.Readability.SeparateAliasRequire, []},
+          {Credo.Check.Readability.SingleFunctionToBlockPipe, []},
+          {Credo.Check.Readability.SinglePipe, []},
+          {Credo.Check.Readability.Specs, []},
+          {Credo.Check.Readability.StrictModuleLayout, []},
+          {Credo.Check.Readability.WithCustomTaggedTuple, []},
+          {Credo.Check.Refactor.ABCSize, []},
+          {Credo.Check.Refactor.AppendSingleItem, []},
+          {Credo.Check.Refactor.DoubleBooleanNegation, []},
+          {Credo.Check.Refactor.IoPuts, []},
+          {Credo.Check.Refactor.MapInto, []},
+          {Credo.Check.Refactor.MapMap, []},
+          {Credo.Check.Refactor.ModuleDependencies, []},
+          {Credo.Check.Refactor.NegatedIsNil, []},
+          {Credo.Check.Refactor.PassAsyncInTestCases, []},
+          {Credo.Check.Refactor.PipeChainStart, []},
+          {Credo.Check.Refactor.RejectFilter, []},
+          {Credo.Check.Refactor.VariableRebinding, []},
+          {Credo.Check.Warning.LazyLogging, []},
+          {Credo.Check.Warning.LeakyEnvironment, []},
+          {Credo.Check.Warning.MapGetUnsafePass, []}
+        ]
+      }
+    }
+  ]
+}

.envrc

@@ -6,6 +6,11 @@ use flake
 # Optional: Add any project-specific environment variables here
 # export DATABASE_URL="postgresql://localhost/singularity_dev"
 
+# Load Cachix auth token and other secrets from .envrc.local if it exists
+if [ -f .envrc.local ]; then
+  source .envrc.local
+fi
+
 # Optional: Load secrets from .env.local if it exists (not committed to git)
 if [ -f .env.local ]; then
   dotenv .env.local

.envrc.local.example

@@ -0,0 +1,14 @@
+# Binary cache authentication tokens
+# Copy this file to .envrc.local and replace <TOKEN> placeholders with your actual tokens
+
+# Cachix authentication token
+# Get your token from https://app.cachix.org/personal-auth-tokens
+export CACHIX_AUTH_TOKEN="<CACHIX_TOKEN>"
+
+# FlakeHub authentication token
+# Get your token from https://flakehub.com/settings/tokens
+export FLAKEHUB_PUSH_TOKEN="<FLAKEHUB_TOKEN>"
+
+# Example token formats (DO NOT COMMIT):
+# export CACHIX_AUTH_TOKEN="eyJhbGciOiJIUzI1NiJ9..."
+# export FLAKEHUB_PUSH_TOKEN="019a70a3-93a6-7f78-a389-45cf47e3bf30"

.github/workflows/ci.yml

@@ -23,6 +23,20 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: Setup FlakeHub Cache
+        uses: DeterminateSystems/flakehub-cache-action@v7
+        with:
+          cache-name: "singularity-analysis"
+          visibility: "public"
+        env:
+          FLAKEHUB_PUSH_TOKEN: ${{ secrets.FLAKEHUB_PUSH_TOKEN }}
+      - uses: cachix/cachix-action@v15
+        with:
+          name: mikkihugo
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - name: Check compilation
@@ -37,6 +51,20 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: Setup FlakeHub Cache
+        uses: DeterminateSystems/flakehub-cache-action@v7
+        with:
+          cache-name: "singularity-analysis"
+          visibility: "public"
+        env:
+          FLAKEHUB_PUSH_TOKEN: ${{ secrets.FLAKEHUB_PUSH_TOKEN }}
+      - uses: cachix/cachix-action@v15
+        with:
+          name: mikkihugo
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - name: Run tests
@@ -58,7 +86,7 @@ jobs:
         run: cargo fmt -- --check
 
   clippy:
-    name: Clippy
+    name: Clippy (Strict)
     runs-on: ubuntu-latest
     container:
       image: mcr.microsoft.com/devcontainers/rust:1-bullseye
@@ -70,8 +98,21 @@ jobs:
         with:
           components: clippy
       - uses: Swatinem/rust-cache@v2
-      - name: Run clippy
-        run: cargo clippy --lib -- -D warnings
+      - name: Run clippy with strictest settings
+        run: |
+          cargo clippy --workspace --all-targets --all-features -- \
+            -D warnings \
+            -D clippy::all \
+            -D clippy::pedantic \
+            -D clippy::nursery \
+            -D clippy::cargo \
+            -W clippy::restriction \
+            -A clippy::missing_docs_in_private_items \
+            -A clippy::implicit_return \
+            -A clippy::missing_inline_in_public_items \
+            -A clippy::question_mark_used \
+            -A clippy::mod_module_files \
+            -A clippy::self_named_module_files
 
   build:
     name: Build Release

.github/workflows/claude-review.yml

@@ -0,0 +1,61 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  claude-review:
+    runs-on: ubuntu-latest
+    if: github.actor != 'dependabot[bot]'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get PR diff
+        id: diff
+        run: |
+          git fetch origin ${{ github.base_ref }}
+          git diff origin/${{ github.base_ref }}...${{ github.sha }} > pr-diff.txt
+          echo "diff-size=$(wc -l < pr-diff.txt)" >> $GITHUB_OUTPUT
+
+      - name: Run Claude Code Review
+        if: steps.diff.outputs.diff-size > 0
+        env:
+          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          # Install Claude Code if not available
+          if ! command -v claude &> /dev/null; then
+            curl -fsSL https://raw.githubusercontent.com/anthropics/claude-code/main/install.sh | sh
+          fi
+
+          # Configure Claude Code
+          export ANTHROPIC_API_KEY=$CLAUDE_CODE_OAUTH_TOKEN
+
+          # Review the PR
+          claude review \
+            --pr-number ${{ github.event.pull_request.number }} \
+            --repo ${{ github.repository }} \
+            --format markdown \
+            > review-output.md
+
+          # Post review as comment
+          gh pr comment ${{ github.event.pull_request.number }} \
+            --body-file review-output.md \
+            --repo ${{ github.repository }}
+
+      - name: Upload review artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: claude-review
+          path: |
+            pr-diff.txt
+            review-output.md

.github/workflows/claude.yml

@@ -0,0 +1,72 @@
+name: Claude Code Assistant
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  claude-assist:
+    runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'issue_comment' &&
+      contains(github.event.comment.body, '@claude') &&
+      github.event.issue.pull_request
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.issue.pull_request.head.ref }}
+          fetch-depth: 0
+
+      - name: Extract Claude command
+        id: command
+        run: |
+          COMMENT="${{ github.event.comment.body }}"
+          COMMAND=$(echo "$COMMENT" | grep -oP '@claude \K.*' || echo "help")
+          echo "command=$COMMAND" >> $GITHUB_OUTPUT
+
+      - name: Run Claude Code
+        env:
+          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          # Install Claude Code if not available
+          if ! command -v claude &> /dev/null; then
+            curl -fsSL https://raw.githubusercontent.com/anthropics/claude-code/main/install.sh | sh
+          fi
+
+          # Configure Claude Code
+          export ANTHROPIC_API_KEY=$CLAUDE_CODE_OAUTH_TOKEN
+
+          # Execute command
+          claude ${{ steps.command.outputs.command }} > claude-output.txt
+
+      - name: Commit changes if any
+        run: |
+          git config --local user.email "claude-bot@anthropic.com"
+          git config --local user.name "Claude Code Bot"
+
+          if [[ -n $(git status -s) ]]; then
+            git add -A
+            git commit -m "feat: changes by Claude Code
+
+@claude ${{ steps.command.outputs.command }}
+
+Co-Authored-By: Claude <noreply@anthropic.com>"
+            git push
+          fi
+
+      - name: Post response
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          gh pr comment ${{ github.event.issue.number }} \
+            --body-file claude-output.txt \
+            --repo ${{ github.repository }}