Complete IMP-005 and TD-009 tickets

.cursor/README.md

@@ -19,4 +19,3 @@ These documents are designed to help:
 ## Project Summary
 
 The Access project analyzes spatial accessibility to conservation land in Maine, calculating walking times from Census block centroids to conserved properties and analyzing demographic disparities, particularly for CEJST-identified disadvantaged communities.
-

.cursor/project.md

@@ -212,4 +212,3 @@ See `NOTES.md` for:
 - Census data product documentation links
 - Package documentation links
 - Statistical test guidance
-

.cursor/quick-reference.md

@@ -78,4 +78,3 @@ python src/find_centroids.py -g data/graphs/maine_walk.graphml input.shp -o _cus
 - Analysis region: Maine state
 - Primary unit: Census blocks
 - Key threshold: 10-minute walk
-

.editorconfig

@@ -0,0 +1,66 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+trim_trailing_whitespace = true
+
+# Python files
+[*.py]
+indent_style = space
+indent_size = 4
+max_line_length = 100
+
+# YAML files
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+# JSON files
+[*.json]
+indent_style = space
+indent_size = 2
+
+# TOML files
+[*.toml]
+indent_style = space
+indent_size = 4
+
+# Markdown files
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false
+
+# Shell scripts
+[*.sh]
+indent_style = space
+indent_size = 2
+
+# Makefiles
+[Makefile]
+indent_style = tab
+
+# HTML/CSS/JavaScript
+[*.{html,css,js}]
+indent_style = space
+indent_size = 2
+
+# Jupyter notebooks (JSON)
+[*.ipynb]
+indent_style = space
+indent_size = 1
+
+# CSV files (don't modify)
+[*.csv]
+insert_final_newline = false
+trim_trailing_whitespace = false
+
+# Data files (don't modify)
+[*.{shp,dbf,shx,prj,graphml,geojson}]
+insert_final_newline = false
+trim_trailing_whitespace = false

.gitattributes

@@ -22,4 +22,3 @@ data/**/*.cpg filter=lfs diff=lfs merge=lfs -text
 
 # Track graph files
 data/**/*.graphml filter=lfs diff=lfs merge=lfs -text
-

.github/dependabot.yml

@@ -0,0 +1,44 @@
+# Dependabot configuration for automated dependency updates
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Note: This project uses uv for dependency management (pyproject.toml + uv.lock)
+# As of March 2025, Dependabot natively supports the "uv" package-ecosystem
+# See: https://github.blog/changelog/2025-03-13-dependabot-version-updates-now-support-uv-in-general-availability/
+
+version: 2
+updates:
+  # Monitor Python dependencies (managed by uv)
+- package-ecosystem: uv
+  directory: /
+  schedule:
+    interval: weekly
+    day: monday
+    time: 09:00
+  open-pull-requests-limit: 5
+  labels:
+  - dependencies
+  - python
+  commit-message:
+    prefix: deps
+    include: scope
+  reviewers:
+  - PhilipMathieu
+    # Group minor and patch updates together
+  groups:
+    minor-and-patch:
+      patterns:
+      - '*'
+      update-types:
+      - minor
+      - patch
+
+  # Monitor GitHub Actions
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: monthly
+  labels:
+  - dependencies
+  - github-actions
+  commit-message:
+    prefix: ci

.github/workflows/code-quality.yml

@@ -0,0 +1,126 @@
+name: Code Quality
+
+on:
+  push:
+    branches: ["main", "claude/**"]
+  pull_request:
+    branches: ["main"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint and Format Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Check code formatting with Black
+        run: uv run black --check --diff src/ tests/
+
+      - name: Check import sorting with isort
+        run: uv run isort --check-only --diff src/ tests/
+
+      - name: Lint with Ruff
+        run: uv run ruff check src/ tests/
+
+  type-check:
+    name: Type Checking
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Type check with mypy
+        run: uv run mypy src/
+        continue-on-error: true  # Don't fail on type errors initially
+
+  test:
+    name: Run Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Run pytest
+        run: uv run pytest tests/ -v --cov=src --cov-report=xml --cov-report=term
+
+      - name: Upload coverage reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.xml
+          retention-days: 30
+
+  pre-commit:
+    name: Pre-commit Hooks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Cache pre-commit
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Run pre-commit
+        run: uv run pre-commit run --all-files --show-diff-on-failure
+        continue-on-error: true  # Don't fail initially

.github/workflows/security.yml

@@ -0,0 +1,84 @@
+name: Security Scanning
+
+on:
+  push:
+    branches: ["main", "claude/**"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    # Run weekly on Monday at 9:00 AM UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  dependency-scan:
+    name: Dependency Vulnerability Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Run pip-audit
+        run: uv run pip-audit --desc --format json --output pip-audit-report.json || true
+
+      - name: Display pip-audit results
+        run: uv run pip-audit --desc
+
+      - name: Upload pip-audit results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: pip-audit-report
+          path: pip-audit-report.json
+          retention-days: 30
+
+  bandit-scan:
+    name: Security Code Scan (Bandit)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Run bandit
+        run: uv run bandit -r src/ -f json -o bandit-report.json || true
+
+      - name: Display bandit results
+        run: uv run bandit -r src/ -f screen
+
+      - name: Upload bandit results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-report
+          path: bandit-report.json
+          retention-days: 30

.gitignore

@@ -169,4 +169,4 @@ data/CHANGELOG.json
 data/notifications.json
 data/update_log.txt
 data/processing_log.txt
-data/validation_log.txt
+data/validation_log.txt