acgetchell · acgetchell · Apr 30, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
@@ -6,15 +6,14 @@
 #
 # Recommended enabled tools:
 # - markdownlint: documentation linting
+# - opengrep: repository-owned Rust Semgrep rules from semgrep.yaml
 # - ruff: Python utility linting
 # - shellcheck: shell-script linting
 # - duplication: advisory duplicate-code metric
 # - lizard: advisory complexity feedback
 #
 # Recommended disabled tools:
 # - bandit, prospector, pylintpython3: redundant with Ruff/ty for this repo
-# - opengrep: keep broad/default rules disabled until repo-owned rules in
-#   .semgrep.yaml are cleaned up and enabled
 # - trivy: dependency vulnerability scanning is handled by cargo-audit and
 #   Dependabot unless this repository adds containers or IaC
 # - jacksonlinter, spectral: not relevant to the current project surface
@@ -50,6 +49,9 @@ engines:
       - "**/*.md"
     config:
       file: ".markdownlint.json"
+  opengrep:
+    include_paths:
+      - "src/**/*.rs"
   ruff:
     include_paths:
       - "scripts/**/*.py"

@@ -106,11 +106,11 @@ reviews:
     yamllint:
       enabled: true
 
-    # Semantic code analysis is intentionally disabled until the staged,
-    # repository-owned rules in .semgrep.yaml are enabled after legacy cleanup.
-    # Default Semgrep packs are noisy here and duplicate CodeQL/cargo-audit.
+    # Semantic code analysis uses only the focused, repository-owned rules in
+    # semgrep.yaml. Default Semgrep packs remain disabled in CodeRabbit.
     semgrep:
-      enabled: false
+      enabled: true
-    # Semantic code analysis uses only the focused, repository-owned rules in
-    # .semgrep.yaml. Default Semgrep packs remain disabled in CodeRabbit.
-    semgrep:
-      enabled: false
-      enabled: true
+    # Semantic code analysis uses only the focused, repository-owned rules in
+    # .semgrep.yaml. Default Semgrep packs remain disabled in CodeRabbit.
+    semgrep:
+      enabled: true
+      config_file: .semgrep.yaml
-    # Semantic code analysis uses only the focused, repository-owned rules in
-    # .semgrep.yaml. Default Semgrep packs remain disabled in CodeRabbit.
-    semgrep:
-      enabled: false
-      enabled: true
+    # Semantic code analysis uses only the focused, repository-owned rules in
+    # .semgrep.yaml. Default Semgrep packs remain disabled in CodeRabbit.
+    semgrep:
+      enabled: true
+      config_file: .semgrep.yaml
+      config_file: semgrep.yaml
 
     # Python linter (ruff provides comprehensive Python analysis)
     ruff:

@@ -3,14 +3,14 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-# This workflow checks out code, runs Codacy's Markdownlint engine only, and
-# integrates the results with GitHub Advanced Security code scanning.
+# This workflow checks out code, runs selected Codacy engines, and integrates
+# the results with GitHub Advanced Security code scanning.
 # For more information on the Codacy analysis action usage and
 # parameters, see https://github.com/codacy/codacy-analysis-cli-action.
 # For more information on Codacy Analysis CLI in general, see
 # https://github.com/codacy/codacy-analysis-cli.
 
-name: Codacy Markdownlint Scan
+name: Codacy Quality Scan
 
 concurrency:
   # This concurrency group ensures that only one Codacy analysis runs at a time
@@ -30,7 +30,7 @@ permissions:
   contents: read
 
 jobs:
-  codacy-markdownlint-scan:
+  codacy-quality-scan:
     permissions:
       # for actions/checkout to fetch code
       contents: read
@@ -39,9 +39,15 @@ jobs:
       # only required for a private repository by
       # github/codeql-action/upload-sarif to get the Action run status
       actions: read
-    name: Codacy Markdownlint Scan
+    name: Codacy ${{ matrix.tool }} Scan
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        tool:
+          - markdownlint
+          - opengrep
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
@@ -51,17 +57,17 @@ jobs:
         run: |
           set -euo pipefail
           echo "CODACY_WORKDIR=$RUNNER_TEMP/codacy-src" >> "$GITHUB_ENV"
-          echo "CODACY_SARIF=$RUNNER_TEMP/results.sarif" >> "$GITHUB_ENV"
+          echo "CODACY_SARIF=$RUNNER_TEMP/results-${{ matrix.tool }}.sarif" >> "$GITHUB_ENV"
 
       - name: Prepare workspace copy without .git
         run: |
           set -euo pipefail
           mkdir -p "$CODACY_WORKDIR"
           rsync -a --delete --exclude '.git' ./ "$CODACY_WORKDIR/"
 
-      # Execute Codacy Analysis CLI with a single tool. The Codacy GitHub App may
-      # run curated PR-quality tools, but this SARIF workflow stays Markdownlint
-      # only so maintainability checks are not mirrored into GitHub Code Scanning.
+      # Execute Codacy Analysis CLI with one selected tool per matrix entry.
+      # Opengrep reads the repository-owned rules from semgrep.yaml; broad
+      # default Semgrep/Opengrep packs remain disabled.
       - name: Run Codacy Analysis CLI
         # Cap Codacy runtime so a hung analyzer does not consume the full job timeout.
         timeout-minutes: 20
@@ -76,7 +82,7 @@ jobs:
           directory: ${{ env.CODACY_WORKDIR }}
           output: ${{ env.CODACY_SARIF }}
           format: sarif
-          tool: markdownlint
+          tool: ${{ matrix.tool }}
           skip-uncommitted-files-check: true
           # Adjust severity of non-security issues
           gh-code-scanning-compat: true

@@ -28,7 +28,7 @@ The delaunay project follows a standard Rust library structure with additional t
 > ```bash
 > # Requires tree command (install with: brew install tree or apt-get install tree)
 > git --no-pager ls-files | LC_ALL=C sort | \
->   LC_ALL=C tree --charset UTF-8 --dirsfirst --noreport \
+>   LC_ALL=C tree -a --charset UTF-8 --dirsfirst --noreport \
 >     -I 'target|.git|**/*.png|**/*.svg' -F --fromfile
 >
 > # Alternative using find (when tree is not available):
@@ -52,8 +52,8 @@ delaunay/
 │   │   ├── benchmarks.yml
 │   │   ├── ci.yml
 │   │   ├── codacy.yml
-│   │   ├── codeql.yml
 │   │   ├── codecov.yml
+│   │   ├── codeql.yml
 │   │   ├── generate-baseline.yml
 │   │   ├── profiling-benchmarks.yml
 │   │   └── rust-clippy.yml
@@ -64,6 +64,7 @@ delaunay/
 │   ├── README.md
 │   ├── ci_performance_suite.rs
 │   ├── circumsphere_containment.rs
+│   ├── cold_path_predicates.rs
 │   ├── large_scale_performance.rs
 │   ├── profiling_suite.rs
 │   └── topology_guarantee_construction.rs
@@ -94,6 +95,7 @@ delaunay/
 │   ├── dev/
 │   │   ├── commands.md
 │   │   ├── debug_env_vars.md
+│   │   ├── python.md
 │   │   ├── rust.md
 │   │   └── testing.md
 │   ├── templates/
@@ -113,8 +115,8 @@ delaunay/
 │   └── workflows.md
 ├── examples/
 │   ├── README.md
-│   ├── delaunayize_repair.rs
 │   ├── convex_hull_3d_100_points.rs
+│   ├── delaunayize_repair.rs
 │   ├── into_from_conversions.rs
 │   ├── memory_analysis.rs
 │   ├── pachner_roundtrip_4d.rs
@@ -123,6 +125,8 @@ delaunay/
 │   ├── triangulation_3d_100_points.rs
 │   └── zero_allocation_iterator_demo.rs
 ├── scripts/
+│   ├── ci/
+│   │   └── capture_profiling_metadata.sh
 │   ├── tests/
 │   │   ├── __init__.py
 │   │   ├── conftest.py
@@ -222,6 +226,11 @@ delaunay/
 │   │   └── flips.rs
 │   └── lib.rs
 ├── tests/
+│   ├── semgrep/
+│   │   └── src/
+│   │       └── core/
+│   │           └── algorithms/
+│   │               └── no_std_hash_collections.rs
 │   ├── COVERAGE.md
 │   ├── README.md
 │   ├── allocation_api.rs
@@ -232,12 +241,14 @@ delaunay/
 │   ├── dedup_batch_construction.rs
 │   ├── delaunay_edge_cases.rs
 │   ├── delaunay_incremental_insertion.rs
+│   ├── delaunay_public_api_coverage.rs
 │   ├── delaunay_repair_fallback.rs
 │   ├── delaunayize_workflow.rs
 │   ├── euler_characteristic.rs
 │   ├── insert_with_statistics.rs
 │   ├── k3_cycle_predicate.rs
 │   ├── large_scale_debug.rs
+│   ├── prelude_exports.rs
 │   ├── proptest_cell.rs
 │   ├── proptest_convex_hull.rs
 │   ├── proptest_delaunay_triangulation.proptest-regressions
@@ -268,7 +279,6 @@ delaunay/
 ├── .gitleaks.toml
 ├── .markdownlint.json
 ├── .python-version
-├── .semgrep.yaml
 ├── .taplo.toml
 ├── .yamllint
 ├── AGENTS.md
@@ -281,13 +291,15 @@ delaunay/
 ├── LICENSE
 ├── README.md
 ├── REFERENCES.md
+├── SECURITY.md
 ├── cliff.toml
 ├── clippy.toml
 ├── justfile
 ├── proptest.toml
 ├── pyproject.toml
 ├── rust-toolchain.toml
 ├── rustfmt.toml
+├── semgrep.yaml
 ├── ty.toml
 ├── typos.toml
 └── uv.lock

@@ -303,8 +303,8 @@ help-workflows:
 # All linting: code + documentation + configuration
 lint: lint-code lint-docs lint-config
 
-# Code linting: Rust (fmt-check, clippy, docs) + Python (ruff, ty, mypy) + Shell scripts
-lint-code: fmt-check clippy doc-check python-lint shell-lint
+# Code linting: Rust (fmt-check, clippy, docs, Semgrep) + Python (ruff, ty, mypy) + Shell scripts
+lint-code: fmt-check clippy doc-check semgrep semgrep-test python-lint shell-lint
 
 # Configuration validation: JSON, TOML, YAML, GitHub Actions workflows
 lint-config: validate-json toml-lint toml-fmt-check yaml-lint action-lint
@@ -580,10 +580,15 @@ python-sync: _ensure-uv
 python-typecheck: _ensure-uv
     uv run ty check scripts/ --error all
 
-# Repository-owned Semgrep rules. Currently opt-in because the Rust rules are
-# staged but disabled while legacy diagnostics are cleaned up.
+# Repository-owned Semgrep rules for project-specific Rust diagnostics.
 semgrep: _ensure-uv
-    uv run semgrep --config .semgrep.yaml .
+    uv run semgrep --error --strict --timeout 30 --config semgrep.yaml .
+
+semgrep-test: _ensure-uv
+    #!/usr/bin/env bash
+    set -euo pipefail
+    cd tests/semgrep
+    uv run semgrep scan --test --strict --config ../../semgrep.yaml src/core/algorithms/no_std_hash_collections.rs
 
 # Development setup
 setup: setup-tools