feat: use altimate-code check for deterministic SQL analysis

.altimate.yml.example

@@ -1,110 +1,160 @@
 # Altimate Code Review Configuration
 # Place this file as .altimate.yml at the root of your repository.
 # All fields are optional — sensible defaults are applied for anything omitted.
+#
+# Two schema versions are supported:
+#   version: 1  — built-in regex rules (works without the altimate-code CLI)
+#   version: 2  — delegates to `altimate-code check` for richer analysis
 
-version: 1
+# =============================================================================
+# VERSION 1 (regex rule engine — no CLI required)
+# =============================================================================
+# version: 1
+#
+# sql_review:
+#   enabled: true
+#   severity_threshold: warning  # info | warning | error | critical
+#
+#   rules:
+#     select_star:
+#       enabled: true
+#       severity: warning
+#     cartesian_join:
+#       enabled: true
+#       severity: error
+#     missing_partition:
+#       enabled: true
+#       severity: warning
+#     non_deterministic:
+#       enabled: true
+#       severity: warning
+#     correlated_subquery:
+#       enabled: true
+#       severity: warning
+#     implicit_type_cast:
+#       enabled: true
+#       severity: info
+#     or_in_join:
+#       enabled: true
+#       severity: warning
+#     missing_group_by:
+#       enabled: true
+#       severity: error
+#     order_by_ordinal:
+#       enabled: true
+#       severity: info
+#     union_without_all:
+#       enabled: true
+#       severity: info
+#     nested_subquery:
+#       enabled: true
+#       severity: warning
+#     missing_where_clause:
+#       enabled: true
+#       severity: warning
+#     leading_wildcard_like:
+#       enabled: true
+#       severity: info
+#     duplicate_column_alias:
+#       enabled: true
+#       severity: error
+#
+#   include:
+#     - "models/**/*.sql"
+#     - "analyses/**/*.sql"
+#   exclude:
+#     - "models/staging/legacy/**"
+#
+#   custom_patterns:
+#     - name: no_delete_without_where
+#       pattern: "DELETE\\s+FROM\\s+\\w+\\s*;"
+#       message: "DELETE without WHERE clause"
+#       severity: critical
+#     - name: no_truncate
+#       pattern: "\\bTRUNCATE\\b"
+#       message: "TRUNCATE detected — use DELETE with WHERE for safer data removal"
+#       severity: error
+#
+# impact_analysis:
+#   enabled: true
+#   warn_threshold: 10
+#   fail_threshold: 50
+#
+# cost_estimation:
+#   enabled: false
+#   warn_threshold: 100
+#   fail_threshold: 0
+#
+# pii_detection:
+#   enabled: true
+#   categories: [email, ssn, phone, credit_card, ip_address]
+#
+# comment:
+#   mode: single
+#   max_issues_shown: 20
+#   show_clean_files: false
+#
+# dialect: auto
 
-# ─── SQL Review ─────────────────────────────────────────────────────────────
-sql_review:
-  enabled: true
-  severity_threshold: warning  # info | warning | error | critical
 
-  rules:
-    select_star:
-      enabled: true
-      severity: warning
-    cartesian_join:
-      enabled: true
-      severity: error
-    missing_partition:
-      enabled: true
-      severity: warning
-    non_deterministic:
-      enabled: true
-      severity: warning
-    correlated_subquery:
-      enabled: true
-      severity: warning
-    implicit_type_cast:
-      enabled: true
-      severity: info
-    or_in_join:
-      enabled: true
-      severity: warning
-    missing_group_by:
-      enabled: true
-      severity: error
-    order_by_ordinal:
-      enabled: true
-      severity: info
-    union_without_all:
-      enabled: true
-      severity: info
-    nested_subquery:
-      enabled: true
-      severity: warning
-    missing_where_clause:
-      enabled: true
-      severity: warning
-    leading_wildcard_like:
-      enabled: true
-      severity: info
-    duplicate_column_alias:
-      enabled: true
-      severity: error
+# =============================================================================
+# VERSION 2 (delegates to `altimate-code check` CLI)
+# =============================================================================
+# Requires the altimate-code CLI to be installed. If the CLI is unavailable,
+# the action falls back to the v1 regex engine automatically.
 
-  # Glob patterns for which files to include/exclude
-  include:
-    - "models/**/*.sql"
-    - "analyses/**/*.sql"
-  exclude:
-    - "models/staging/legacy/**"
+version: 2
 
-  # Custom patterns: flag SQL that matches these regexes
-  custom_patterns:
-    - name: no_delete_without_where
-      pattern: "DELETE\\s+FROM\\s+\\w+\\s*;"
-      message: "DELETE without WHERE clause"
-      severity: critical
-    - name: no_truncate
-      pattern: "\\bTRUNCATE\\b"
-      message: "TRUNCATE detected — use DELETE with WHERE for safer data removal"
-      severity: error
+# ─── Checks ─────────────────────────────────────────────────────────────────
+# Each check maps to a category in `altimate-code check --checks <list>`.
+# Disable any check by setting `enabled: false`.
+checks:
+  lint:
+    enabled: true
+    # disabled_rules:
+    #   - L001   # select_star
+    #   - L009   # order_by_ordinal
+    # severity_overrides:
+    #   L002: error   # cartesian_join promoted to error
 
-# ─── Impact Analysis ────────────────────────────────────────────────────────
-impact_analysis:
-  enabled: true
-  warn_threshold: 10   # warn if > N downstream models affected
-  fail_threshold: 50   # fail if > N downstream models affected
+  validate:
+    enabled: true   # DataFusion SQL validation
 
-# ─── Cost Estimation ────────────────────────────────────────────────────────
-cost_estimation:
-  enabled: false
-  warn_threshold: 100  # warn if monthly cost delta > $N
-  fail_threshold: 0    # 0 = disabled
+  safety:
+    enabled: true   # SQL injection detection
 
-# ─── PII Detection ─────────────────────────────────────────────────────────
-pii_detection:
-  enabled: true
-  categories:
-    - email
-    - ssn
-    - phone
-    - credit_card
-    - ip_address
+  policy:
+    enabled: false
+    # file: .altimate-policy.yml   # custom guardrails policy file
 
-  # Custom PII column patterns
-  # custom_patterns:
-  #   - name: employee_id
-  #     column_pattern: "emp_id|employee_number"
-  #     severity: warning
+  pii:
+    enabled: true
+    categories:
+      - email
+      - ssn
+      - phone
+      - credit_card
+      - ip_address
+
+  semantic:
+    enabled: false   # requires schema resolution
+
+  grade:
+    enabled: false   # SQL quality grading
+
+# ─── Schema Resolution ─────────────────────────────────────────────────────
+# schema:
+#   source: dbt             # dbt | files | warehouse
+#   dbt:
+#     manifest_path: target/manifest.json
+#   # paths:                # for source: files
+#   #   - schema/warehouse.yml
 
 # ─── Comment Settings ──────────────────────────────────────────────────────
 comment:
-  mode: single            # single | inline | both
-  max_issues_shown: 20    # cap the number of issues in the summary
-  show_clean_files: false  # include files that passed with no issues
+  mode: single              # single | inline | both
+  max_issues_shown: 20
+  show_clean_files: false
 
 # ─── Dialect ────────────────────────────────────────────────────────────────
-# "auto" detects dialect from file content and project settings.
 dialect: auto

README.md

@@ -19,16 +19,47 @@
 
 Altimate Code Actions brings production-grade SQL analysis, dbt impact assessment, query cost estimation, and PII detection directly into your GitHub pull request workflow. Every SQL change gets reviewed automatically before it merges.
 
+## Powered by altimate-code
+
+With `version: 2` in your `.altimate.yml`, the action delegates all static checks to the [`altimate-code`](https://github.com/AltimateAI/altimate-code) CLI. This unlocks 40+ capabilities across 7 check categories:
+
+| Category | Checks | Description |
+|----------|--------|-------------|
+| **Lint** | 26 rules (L001-L026) | AST-level SQL anti-pattern detection |
+| **Validate** | SQL parsing | DataFusion-based syntax validation |
+| **Safety** | Injection, destructive ops | SQL injection vectors, privilege escalation |
+| **Policy** | Custom guardrails | Block patterns, require standards, enforce governance |
+| **PII** | 15 categories | Column, literal, and comment scanning |
+| **Semantic** | Schema-aware | Join correctness, type mismatches, missing columns |
+| **Grade** | Quality scoring | Letter grades (A-F) per file |
+
+V2 is fully backward compatible. If the CLI is not installed, the action falls back to built-in regex rules automatically.
+
+```yaml
+# Quick start with v2
+version: 2
+checks:
+  lint:
+    enabled: true
+  safety:
+    enabled: true
+  validate:
+    enabled: true
+```
+
+See [V2 Configuration Reference](docs/configuration.md#v2-configuration-reference) and [Migration Guide](docs/v2-migration.md) for details.
+
 ## What It Does
 
 | | Capability | Description |
 |---|---|---|
 | :zap: | **Executive Summary** | One-line scope, impact, cost, and severity overview at the top of every review |
-| :mag: | **SQL Quality Analysis** | Detects anti-patterns, performance issues, and correctness bugs across 19 rule categories |
+| :mag: | **SQL Quality Analysis** | 26 lint rules + safety + validation + policy enforcement (v2) or 19 regex rules (v1) |
 | :deciduous_tree: | **dbt Impact Analysis** | Maps changed models to downstream dependencies, exposures, and tests in your dbt DAG |
 | :world_map: | **Mermaid DAG Visualization** | Colored dependency graph rendered inline using GitHub-native Mermaid |
 | :moneybag: | **Cost Estimation** | Estimates query cost deltas so you catch expensive changes before they hit production |
 | :shield: | **PII Detection** | Identifies personally identifiable information across 15 categories to prevent data leaks |
+| :lock: | **Policy Enforcement** | Custom organizational guardrails via `.altimate-policy.yml` (v2) |
 | :speech_balloon: | **Inline Comments** | Critical issues posted directly on diff lines for faster triage |
 | :video_game: | **Interactive Commands** | `@altimate review`, `@altimate impact`, `@altimate cost`, `@altimate help` in PR comments |
 
@@ -197,15 +228,20 @@ Configure trigger phrases with the `mentions` input (default: `@altimate,/altima
 
 ## What Altimate Adds Beyond dbt Cloud
 
-| Feature | dbt Cloud CI | Altimate Code |
-|---------|-------------|---------------|
-| Slim CI (build changed models) | Yes | No (use dbt Cloud for this) |
-| SQL anti-pattern detection | No | Yes (19 rules) |
-| Impact blast radius in PR | Limited | Yes (full DAG visualization) |
-| Query cost estimation | No | Yes (Snowflake, BigQuery) |
-| PII detection | No | Yes (15 categories) |
-| Schema breaking changes | No | Yes |
-| AI-powered review | No | Yes |
+| Feature | dbt Cloud CI | Altimate Code (v1) | Altimate Code (v2) |
+|---------|-------------|-------------------|-------------------|
+| Slim CI (build changed models) | Yes | No (use dbt Cloud) | No (use dbt Cloud) |
+| SQL anti-pattern detection | No | 19 regex rules | 26 AST-level lint rules |
+| SQL syntax validation | No | No | Yes (DataFusion) |
+| SQL injection detection | No | No | Yes |
+| Policy enforcement | No | No | Yes (custom guardrails) |
+| Impact blast radius in PR | Limited | Full DAG visualization | Full DAG visualization |
+| Query cost estimation | No | Yes (Snowflake, BigQuery) | Yes (Snowflake, BigQuery) |
+| PII detection | No | 15 categories (regex) | 15 categories (AST-aware) |
+| Semantic analysis | No | No | Yes (schema-aware) |
+| SQL quality grading | No | No | Yes (A-F grades) |
+| Schema breaking changes | No | Yes | Yes |
+| AI-powered review | No | Yes | Yes |
 
 Altimate Code Actions and dbt Cloud CI are complementary. Use dbt Cloud for build/test orchestration and slim CI, and Altimate for deep SQL quality analysis, cost estimation, and PII detection on every pull request.