ci: add GitHub Actions pipeline with lint, typecheck, and tests

Add CI workflow (ruff, mypy, pytest) and fix all lint/type errors
to ensure clean pipeline on push and PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

.github/workflows/ci.yml

@@ -0,0 +1,63 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  TELEGRAM_BOT_TOKEN: test-token-for-ci
+  ANTHROPIC_API_KEY: sk-ant-test-key
+
+jobs:
+  lint:
+    name: Lint & Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Ruff check
+        run: ruff check src/ tests/
+
+      - name: Ruff format check
+        run: ruff format --check src/ tests/
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: MyPy
+        run: mypy src/
+
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Run tests
+        run: pytest --cov=src --cov-report=term-missing

src/agent.py

@@ -14,15 +14,16 @@
 from typing import TYPE_CHECKING, Any
 
 from anthropic import AsyncAnthropic
-from anthropic.types import Message, ToolUseBlock
 
 from src.config import settings
-from src.security import SecurityGuard
-from src.state import StateManager
-from src.tools import ToolRegistry, ToolResult
 
 if TYPE_CHECKING:
+    from anthropic.types import Message, ToolUseBlock
+
+    from src.security import SecurityGuard
     from src.ssh_manager import SSHManager
+    from src.state import StateManager
+    from src.tools import ToolRegistry, ToolResult
 
 logger = logging.getLogger(__name__)
 
@@ -211,7 +212,10 @@ async def run(
 
             while iterations < self._max_iterations:
                 iterations += 1
-                logger.info(f"Agent iteration {iterations}/{self._max_iterations}, model={active_model}")
+                logger.info(
+                    f"Agent iteration {iterations}/{self._max_iterations},"
+                    f" model={active_model}"
+                )
 
                 # Call Claude API
                 response = await self._call_claude(messages, tool_schemas, active_model)

src/bot.py

@@ -13,7 +13,12 @@
 from aiogram import Bot, Dispatcher, F, Router
 from aiogram.client.default import DefaultBotProperties
 from aiogram.enums import ParseMode
-from aiogram.types import CallbackQuery, InlineKeyboardButton, InlineKeyboardMarkup, Message
+from aiogram.types import (
+    CallbackQuery,
+    InlineKeyboardButton,
+    InlineKeyboardMarkup,
+    Message,
+)
 
 from src.agent import DevOpsAgent
 from src.config import settings
@@ -308,7 +313,9 @@ async def _handle_health(self, message: Message) -> None:
         # Use agent to check health via SSH
         result = await self._agent.run(
             user_id=user_id,
-            query="Покажи состояние системы: CPU, память, диск (df -h, free -m, uptime)",
+            query=(
+                "Покажи состояние системы: CPU, память, диск (df -h, free -m, uptime)"
+            ),
             model=model_id,
         )
 
@@ -348,7 +355,10 @@ async def _handle_logs(self, message: Message) -> None:
         # Use agent to read logs via SSH
         result = await self._agent.run(
             user_id=user_id,
-            query=f"Покажи последние 50 строк логов сервиса {service} (journalctl -u {service} -n 50)",
+            query=(
+                f"Покажи последние 50 строк логов сервиса {service}"
+                f" (journalctl -u {service} -n 50)"
+            ),
             model=model_id,
         )
 
@@ -446,10 +456,13 @@ async def _handle_model(self, message: Message) -> None:
 
         # Build inline keyboard
         buttons = []
-        for key, (model_id, name) in MODELS.items():
+        for key, (_model_id, name) in MODELS.items():
             marker = " ✓" if key == current_key else ""
             buttons.append(
-                InlineKeyboardButton(text=f"{name}{marker}", callback_data=f"model:{key}")
+                InlineKeyboardButton(
+                    text=f"{name}{marker}",
+                    callback_data=f"model:{key}",
+                )
             )
 
         keyboard = InlineKeyboardMarkup(inline_keyboard=[buttons])
@@ -487,18 +500,22 @@ async def _handle_model_callback(self, callback: CallbackQuery) -> None:
 
         # Update keyboard with new selection
         buttons = []
-        for key, (model_id, name) in MODELS.items():
+        for key, (_model_id, name) in MODELS.items():
             marker = " ✓" if key == model_key else ""
             buttons.append(
-                InlineKeyboardButton(text=f"{name}{marker}", callback_data=f"model:{key}")
+                InlineKeyboardButton(
+                    text=f"{name}{marker}",
+                    callback_data=f"model:{key}",
+                )
             )
 
         keyboard = InlineKeyboardMarkup(inline_keyboard=[buttons])
 
-        await callback.message.edit_text(
-            f"<b>Выбор модели Claude</b>\n\nТекущая: {model_name}",
-            reply_markup=keyboard,
-        )
+        if callback.message and hasattr(callback.message, "edit_text"):
+            await callback.message.edit_text(
+                f"<b>Выбор модели Claude</b>\n\nТекущая: {model_name}",
+                reply_markup=keyboard,
+            )
         await callback.answer(f"Модель: {model_name}")
 
     async def _handle_message(self, message: Message) -> None:

src/config.py

@@ -57,4 +57,4 @@ def effective_ssh_permissions_path(self) -> Path:
         return self.base_dir / "config" / "ssh_permissions.json"
 
 
-settings = Settings()
+settings = Settings()  # type: ignore[call-arg]

src/security.py

@@ -278,7 +278,8 @@ def validate_command(
         Args:
             user_id: User requesting command execution.
             command: Command to validate.
-            skip_allowlist: If True, skip allowlist check (for SSH per-level validation).
+            skip_allowlist: If True, skip allowlist check
+                (for SSH per-level validation).
 
         Returns:
             Tuple of (is_allowed, list_of_warnings).

src/ssh_manager.py

@@ -11,7 +11,7 @@
 import json
 import re
 from dataclasses import dataclass, field
-from enum import Enum
+from enum import StrEnum
 from pathlib import Path
 from typing import TYPE_CHECKING
 
@@ -24,7 +24,7 @@
 logger = structlog.get_logger()
 
 
-class PermissionLevel(str, Enum):
+class PermissionLevel(StrEnum):
     """Permission levels for SSH hosts."""
 
     READONLY = "readonly"
@@ -122,7 +122,8 @@ class SSHSettings:
     r"^ifconfig(\s+|$)",
 ]
 
-OPERATOR_PATTERNS: list[str] = READONLY_PATTERNS + [
+OPERATOR_PATTERNS: list[str] = [
+    *READONLY_PATTERNS,
     # Service management
     r"^systemctl\s+(restart|start|stop|reload)\s+",
     r"^systemctl\s+daemon-reload$",
@@ -160,7 +161,9 @@ def __init__(
         self._permissions_path = permissions_path
         self._security = security
         self._ssh_config_path = ssh_config_path or Path.home() / ".ssh" / "config"
-        self._known_hosts_path = known_hosts_path or Path.home() / ".ssh" / "known_hosts"
+        self._known_hosts_path = (
+            known_hosts_path or Path.home() / ".ssh" / "known_hosts"
+        )
         self._settings: SSHSettings | None = None
         self._logger = logger.bind(component="ssh_manager")
 
@@ -246,11 +249,7 @@ def is_command_allowed_for_level(
         )
 
         # Check if command matches any allowed pattern
-        for pattern in patterns:
-            if re.match(pattern, command):
-                return True
-
-        return False
+        return any(re.match(pattern, command) for pattern in patterns)
 
     def _truncate_output(self, output: str) -> tuple[str, bool, str | None]:
         """Truncate output if it exceeds limits.
@@ -332,8 +331,12 @@ async def execute(
             return SSHResult(
                 success=False,
                 output="",
-                error=f"Команда запрещена на {host} (уровень: {host_config.level.value}). "
-                f"На этом сервере разрешены только команды для уровня '{host_config.level.value}'.",
+                error=(
+                    f"Команда запрещена на {host}"
+                    f" (уровень: {host_config.level.value}). "
+                    f"На этом сервере разрешены только команды"
+                    f" для уровня '{host_config.level.value}'."
+                ),
                 exit_code=-1,
                 host=host,
             )
@@ -369,8 +372,8 @@ async def execute(
                     timeout=timeout,
                 )
 
-            stdout = result.stdout or ""
-            stderr = result.stderr or ""
+            stdout = str(result.stdout or "")
+            stderr = str(result.stderr or "")
             exit_code = result.exit_status or 0
 
             # Truncate output if needed
@@ -443,7 +446,7 @@ async def execute(
                 host=host,
             )
 
-        except asyncio.TimeoutError:
+        except TimeoutError:
             log.error("SSH command timeout", timeout=timeout)
             return SSHResult(
                 success=False,

src/state.py

@@ -356,7 +356,7 @@ async def add_message(
         await self.update_session_activity(session_id)
 
         return Message(
-            id=message_id,
+            id=message_id or 0,
             session_id=session_id,
             role=role,
             content=content,
@@ -557,7 +557,7 @@ async def save_incident(
             await db.commit()
 
         return Incident(
-            id=incident_id,
+            id=incident_id or 0,
             user_id=user_id,
             timestamp=now,
             query=query,
@@ -748,12 +748,14 @@ async def get_user_model(self, user_id: int) -> str:
         """
         await self._ensure_initialized()
 
-        async with aiosqlite.connect(self._db_path) as db:
-            async with db.execute(
+        async with (
+            aiosqlite.connect(self._db_path) as db,
+            db.execute(
                 "SELECT model FROM user_settings WHERE user_id = ?",
                 (user_id,),
-            ) as cursor:
-                row = await cursor.fetchone()
+            ) as cursor,
+        ):
+            row = await cursor.fetchone()
 
         return row[0] if row else "sonnet"
 

src/tools.py

@@ -116,7 +116,7 @@ class SSHExecuteTool(Tool):
         "required": ["command"],
     }
 
-    async def execute(
+    async def execute(  # type: ignore[override]
         self,
         command: str,
         host: str | None = None,
@@ -172,8 +172,9 @@ class SSHListHostsTool(Tool):
 
     name: ClassVar[str] = "ssh_list_hosts"
     description: ClassVar[str] = (
-        "List all available SSH hosts with their permission levels and descriptions. "
-        "Use this to see which servers are available and what actions are allowed on each."
+        "List all available SSH hosts with their permission "
+        "levels and descriptions. Use this to see which servers "
+        "are available and what actions are allowed on each."
     )
     parameters: ClassVar[dict[str, Any]] = {
         "type": "object",

tests/conftest.py

@@ -0,0 +1,7 @@
+"""Shared test configuration."""
+
+import os
+
+# Set test environment variables before any src imports
+os.environ.setdefault("TELEGRAM_BOT_TOKEN", "test-token-for-ci")
+os.environ.setdefault("ANTHROPIC_API_KEY", "sk-ant-test-key")

tests/test_config.py

@@ -1,29 +1,29 @@
 """Tests for configuration."""
 
-from pathlib import Path
-
-import pytest
-
 
 class TestSettings:
     """Tests for Settings class."""
 
     def test_base_dir_exists(self) -> None:
         """Base directory should exist."""
         from src.config import settings
+
         assert settings.base_dir.exists()
 
     def test_default_model(self) -> None:
         """Default model should be set."""
         from src.config import settings
+
         assert "claude" in settings.model
 
     def test_max_iterations_positive(self) -> None:
         """Max iterations should be positive."""
         from src.config import settings
+
         assert settings.max_iterations > 0
 
     def test_tool_timeout_positive(self) -> None:
         """Tool timeout should be positive."""
         from src.config import settings
+
         assert settings.tool_timeout > 0