From f35f52083c216a63cb2338314018aadac96bde11 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 29 Mar 2026 08:18:02 +0000
Subject: [PATCH 1/2] Initial plan

From 9b1493c3eb28231ab2f60da163ec013e6aec469a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 29 Mar 2026 08:22:52 +0000
Subject: [PATCH 2/2] Add GitLab CI parity for rhiza_validate: security, pip-audit, typecheck jobs and activate semgrep/license workflows

Agent-Logs-Url: https://github.com/Jebel-Quant/rhiza/sessions/6b5a2c93-68c7-4b6d-9b6f-a27217939f53
Co-authored-by: tschm <2046079+tschm@users.noreply.github.com>
---
 .gitlab-ci.yml | 16 +++++++++
 .gitlab/COMPARISON.md | 5 +++
 .gitlab/README.md | 49 ++++++++++++++++++++++++----
 .gitlab/workflows/rhiza_license.yml | 9 +++++
 .gitlab/workflows/rhiza_validate.yml | 46 ++++++++++++++++++++++++--
 5 files changed, 117 insertions(+), 8 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5006b60b..2c9ca9b3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -52,6 +52,22 @@ include:
       - if: $CI_PIPELINE_SOURCE == "merge_request_event"
       - if: $CI_COMMIT_BRANCH
 
+  # Semgrep - Static analysis with numpy rules
+  - local: '.gitlab/workflows/rhiza_semgrep.yml'
+    rules:
+      - if: $CI_COMMIT_TAG
+        when: never
+      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      - if: $CI_COMMIT_BRANCH
+
+  # License compliance - Check for copyleft dependencies
+  - local: '.gitlab/workflows/rhiza_license.yml'
+    rules:
+      - if: $CI_COMMIT_TAG
+        when: never
+      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      - if: $CI_COMMIT_BRANCH
+
   # Quality - Dependency checks, pre-commit hooks, docs coverage, link checking
   - local: '.gitlab/workflows/rhiza_quality.yml'
     rules:
diff --git a/.gitlab/COMPARISON.md b/.gitlab/COMPARISON.md
index 930eacee..686c7c0f 100644
--- a/.gitlab/COMPARISON.md
+++ b/.gitlab/COMPARISON.md
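Review bot: The new `local: '.gitlab/workflows/rhiza_semgrep.yml'` include references a file this patch does not create or modify (it is absent from the diffstat), so the include relies on that file already being present at exactly that path; a missing `local:` include fails pipeline creation for the whole project rather than a single job, so its presence is worth confirming before merge. `rhiza_license.yml` is modified in this same patch, so that include is covered. The two new rule blocks duplicate the quality block below verbatim; if they are meant to stay in lockstep, `rules: &branch_and_mr_rules` on the first and `rules: *branch_and_mr_rules` on the others would make drift visible, assuming the project is comfortable with anchors in `.gitlab-ci.yml`.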
@@ -9,6 +9,11 @@ This document provides a side-by-side comparison of GitHub Actions and GitLab CI
 | Main Config | `.github/workflows/*.yml` | `.gitlab-ci.yml` + `.gitlab/workflows/*.yml` | ✅ Complete |
 | CI Testing | `rhiza_ci.yml` | `rhiza_ci.yml` | ✅ Complete |
 | Validation | `rhiza_validate.yml` | `rhiza_validate.yml` | ✅ Complete |
+| Semgrep | `rhiza_validate.yml` (semgrep job) | `rhiza_semgrep.yml` | ✅ Complete |
+| Security | `rhiza_validate.yml` (security job) | `rhiza_validate.yml` (validate:security job) | ✅ Complete |
+| Pip-audit | `rhiza_validate.yml` (pip-audit job) | `rhiza_validate.yml` (validate:pip-audit job) | ✅ Complete |
+| Type checking | `rhiza_validate.yml` (typecheck job) | `rhiza_validate.yml` (validate:typecheck job) | ✅ Complete |
+| License | `rhiza_validate.yml` (license job) | `rhiza_license.yml` | ✅ Complete |
 | Dependencies | `rhiza_deptry.yml` | `rhiza_deptry.yml` | ✅ Complete |
 | Pre-commit | `rhiza_pre-commit.yml` | `rhiza_pre-commit.yml` | ✅ Complete |
 | Documentation | `rhiza_book.yml` | `rhiza_book.yml` | ✅ Complete |
diff --git a/.gitlab/README.md b/.gitlab/README.md
index acf05f46..432aa3f5 100644
--- a/.gitlab/README.md
+++ b/.gitlab/README.md
@@ -8,8 +8,10 @@ This directory contains GitLab CI/CD workflow configurations that mirror the fun
 .gitlab/
 ├── workflows/
 │ ├── rhiza_ci.yml # Continuous Integration - Python matrix testing
-│ ├── rhiza_validate.yml # Rhiza configuration validation
+│ ├── rhiza_validate.yml # Rhiza configuration validation, security and type checking
 │ ├── rhiza_quality.yml # Quality checks (deptry, pre-commit, docs coverage, link check)
+│ ├── rhiza_semgrep.yml # Semgrep static analysis (numpy rules)
+│ ├── rhiza_license.yml # License compliance scan
 │ ├── rhiza_marimo.yml # Marimo notebook execution and artefact publishing
 │ ├── rhiza_book.yml # Documentation building (GitLab Pages)
 │ ├── rhiza_sync.yml # Template synchronization
@@ -41,15 +43,19 @@ This directory contains GitLab CI/CD workflow configurations that mirror the fun
 ---
 
 ### 2. Validate (`rhiza_validate.yml`)
-**Purpose:** Validate Rhiza configuration against template.
+**Purpose:** Validate Rhiza configuration against template, run security scans and type checking.
 
 **Trigger:**
 - On push to any branch
 - On merge requests to main/master
+- `pip-audit` job only runs on scheduled pipelines
 
 **Key Features:**
 - Runs `make validate`, which fires the full hook chain (`pre-validate`, `rhiza-test`, `uvx rhiza validate .`, `post-validate`)
 - Skips validation in the rhiza repository itself (handled internally by `make validate`)
+- Runs `make security` (pip-audit + bandit) on push/MR
+- Runs `uvx pip-audit` on scheduled pipelines for dependency vulnerability scanning
+- Runs `make typecheck` (ty type checker) on push/MR
 
 **Equivalent GitHub Action:** `.github/workflows/rhiza_validate.yml`
 
@@ -72,7 +78,38 @@ This directory contains GitLab CI/CD workflow configurations that mirror the fun
 
 ---
 
-### 4. Marimo (`rhiza_marimo.yml`)
+### 4. Semgrep (`rhiza_semgrep.yml`)
+**Purpose:** Run static analysis using Semgrep with local numpy rules to detect common NumPy-related bugs and security issues.
+
+**Trigger:**
+- On push to any branch
+- On merge requests to main/master
+
+**Key Features:**
+- Runs `make semgrep` using `.rhiza/semgrep.yml` local rules
+- Skips if `SOURCE_FOLDER` is not found
+
+**Equivalent GitHub Action:** `.github/workflows/rhiza_validate.yml` (semgrep job)
+
+---
+
+### 5. License (`rhiza_license.yml`)
+**Purpose:** Check that no copyleft-licensed dependencies (GPL, LGPL, AGPL) have been introduced via transitive updates.
+
+**Trigger:**
+- On push to any branch
+- On merge requests to main/master
+
+**Key Features:**
+- Runs `make license` to fail on forbidden licenses
+- Generates `LICENSES.md` markdown report of all dependency licenses
+- Publishes `LICENSES.md` as a GitLab CI artifact (retained 30 days)
+
+**Equivalent GitHub Action:** `.github/workflows/rhiza_validate.yml` (license job)
+
+---
+
+### 6. Marimo (`rhiza_marimo.yml`)
 **Purpose:** Discover and execute all Marimo notebooks in the repository, publishing results as artefacts.
 
 **Trigger:**
@@ -90,7 +127,7 @@ This directory contains GitLab CI/CD workflow configurations that mirror the fun
 
 ---
 
-### 5. Book (`rhiza_book.yml`)
+### 7. Book (`rhiza_book.yml`)
 **Purpose:** Build and deploy documentation to GitLab Pages.
 
 **Trigger:**
@@ -107,7 +144,7 @@ This directory contains GitLab CI/CD workflow configurations that mirror the fun
 
 ---
 
-### 6. Sync (`rhiza_sync.yml`)
+### 8. Sync (`rhiza_sync.yml`)
 **Purpose:** Synchronize repository with its template.
 
 **Trigger:**
@@ -126,7 +163,7 @@ This directory contains GitLab CI/CD workflow configurations that mirror the fun
 
 ---
 
-### 7. Release (`rhiza_release.yml`)
+### 9. Release (`rhiza_release.yml`)
 **Purpose:** Create releases and publish packages to PyPI.
 
 **Trigger:**
diff --git a/.gitlab/workflows/rhiza_license.yml b/.gitlab/workflows/rhiza_license.yml
index 40d931d8..b3485b44 100644
--- a/.gitlab/workflows/rhiza_license.yml
+++ b/.gitlab/workflows/rhiza_license.yml
@@ -13,8 +13,17 @@ license:check:
   stage: test
   needs: []
   image: ghcr.io/astral-sh/uv:0.9.30-bookworm
+  variables:
+    UV_EXTRA_INDEX_URL: "${UV_EXTRA_INDEX_URL}"
   script:
     - make license
+    - uv run --with pip-licenses pip-licenses --format markdown --output-file LICENSES.md
+  artifacts:
+    name: LICENSES.md
+    paths:
+      - LICENSES.md
+    when: always
+    expire_in: 30 days
   rules:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH
diff --git a/.gitlab/workflows/rhiza_validate.yml b/.gitlab/workflows/rhiza_validate.yml
index aa727831..04535c36 100644
--- a/.gitlab/workflows/rhiza_validate.yml
+++ b/.gitlab/workflows/rhiza_validate.yml
@@ -3,9 +3,13 @@
 #
 # Workflow: Rhiza Validate (GitLab CI)
 #
-# Purpose: Validates Rhiza configuration
+# Purpose: Validates Rhiza configuration, runs security scans, type checking,
+# and scheduled dependency vulnerability audits.
 #
-# Trigger: This workflow runs on every push and on merge requests to main/master
+# Trigger: This workflow runs on every push and on merge requests to main/master.
+# pip-audit runs only on scheduled pipelines.
+
+# Equivalent GitHub Action: .github/workflows/rhiza_validate.yml
 
 validate:rhiza:
   stage: test
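Review bot: In `license:check` the `pip-licenses` report is generated only after `make license` succeeds, so in the one case the report is most useful for — a forbidden license found — the job stops before `LICENSES.md` exists and `artifacts: when: always` has nothing to upload. Generating the report first, `- uv run --with pip-licenses pip-licenses --format markdown --output-file LICENSES.md` followed by `- make license`, or moving the report step into `after_script:`, keeps the artifact available on failure. The `--with pip-licenses` spec is unpinned, so each run resolves the newest release (from the extra index as well when one is configured); `--with "pip-licenses==<pinned version>"` makes the report reproducible across runs. `UV_EXTRA_INDEX_URL: "${UV_EXTRA_INDEX_URL}"` assigns the variable to itself, which is a no-op when the project or group variable is defined and, as far as I can tell, yields an empty string when it is not; the same construct appears in `validate:security` and `validate:typecheck` in the next hunk, so a short comment on why it is declared per job (or dropping it) would help.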
@@ -16,3 +20,41 @@ validate:rhiza:
   rules:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH
+
+validate:security:
+  stage: test
+  needs: []
+  image: ghcr.io/astral-sh/uv:0.9.30-bookworm
+  variables:
+    UV_EXTRA_INDEX_URL: "${UV_EXTRA_INDEX_URL}"
+  script:
+    - make security
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH
+
+validate:pip-audit:
+  stage: test
+  needs: []
+  image: ghcr.io/astral-sh/uv:0.9.30-bookworm
+  script:
+    - uvx pip-audit
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+    - if: $CI_PIPELINE_SOURCE == "web"
+
+validate:typecheck:
+  stage: test
+  needs: []
+  image: ghcr.io/astral-sh/uv:0.9.30-bookworm
+  variables:
+    UV_EXTRA_INDEX_URL: "${UV_EXTRA_INDEX_URL}"
+  script:
+    - make typecheck
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH
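Review bot: `validate:pip-audit` runs `uvx pip-audit` with no target, and pip-audit audits the Python environment it is invoked in — under `uvx` that appears to be the tool's own isolated environment rather than the project's synced dependencies — so the scheduled job most likely reports nothing regardless of what the lockfile contains and passes green. Auditing an export of the project's locked dependencies instead, `- uv export --format requirements-txt --no-hashes -o requirements.txt` followed by `- uvx pip-audit -r requirements.txt`, ties the result to the project; if a private index is needed for that step, the job would also want the `UV_EXTRA_INDEX_URL` variable its two siblings set. The three jobs repeat identical `stage`, `needs`, `image` and `rules` stanzas; a hidden `.validate-base` job used via `extends:` would keep them aligned, though that is a style point only.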