Propagate changes from main into development

.codecov.yml

@@ -11,8 +11,22 @@ coverage:
 # Fail CI if Codecov upload/report indicates a problem
 require_ci_to_pass: yes
 
-# Exclude folders from Codecov (adjust as needed)
+# Exclude folders from Codecov
 ignore:
-  - tests/*
-  - docs/*
-  - .github/*
+  - "**/tests/*"
+  - "**/test/*"
+  - "**/__tests__/*"
+  - "**/test_*.go"
+  - "**/*_test.go"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "docs/*"
+  - ".github/*"
+  - "scripts/*"
+  - "tools/*"
+  - "frontend/node_modules/*"
+  - "frontend/dist/*"
+  - "frontend/coverage/*"
+  - "backend/cmd/seed/*"
+  - "backend/data/*"
+  - "*.md"

.dockerignore

@@ -1,27 +1,75 @@
+# Version control
 .git
 .gitignore
-node_modules
-venv
-__pycache__
-*.pyc
-*.pyo
-*.pyd
+.github/
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
 .Python
+.venv/
+venv/
 env/
-build/
-dist/
-*.egg-info
-.DS_Store
-.idea/
-.vscode/
-.env
-.env.*
-coverage/
-.coverage
+ENV/
 .pytest_cache/
-*.log
+.coverage
+*.cover
+.hypothesis/
+htmlcov/
+*.egg-info/
+
+# Node/Frontend build artifacts
+frontend/node_modules/
+frontend/coverage/
+frontend/.vite/
+frontend/*.tsbuildinfo
+# Keep frontend/dist - needed in final image
+
+# Go/Backend
+backend/*.out
+backend/coverage.*.out
+# Keep backend/api binary - needed in final image
+
+# Databases (runtime)
+backend/data/*.db
+backend/cmd/api/data/*.db
+*.sqlite
 *.sqlite3
 
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+logs/
+
+# Environment
+.env.local
+.env.*.local
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Documentation
+docs/
+*.md
+!README.md
+
 # Docker
-docker-compose.override.yml
+docker-compose*.yml
 **/Dockerfile.*
+
+# CI/CD
+.github/
+.pre-commit-config.yaml
+
+# Scripts
+scripts/
+tools/

.github/renovate.json

@@ -0,0 +1,70 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    ":separateMultipleMajorReleases",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "baseBranches": ["development"],
+  "timezone": "UTC",
+  "dependencyDashboard": true,
+  "prConcurrentLimit": 10,
+  "prHourlyLimit": 5,
+  "labels": ["dependencies"],
+  "rebaseWhen": "conflicted",
+  "vulnerabilityAlerts": { "enabled": true },
+  "schedule": ["every weekday"],
+  "rangeStrategy": "bump",
+  "packageRules": [
+    {
+      "description": "Automerge safe patch updates",
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "description": "Frontend npm: automerge minor for devDependencies",
+      "matchManagers": ["npm"],
+      "matchDepTypes": ["devDependencies"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "labels": ["dependencies", "npm"]
+    },
+    {
+      "description": "Backend Go modules",
+      "matchManagers": ["gomod"],
+      "labels": ["dependencies", "go"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": false
+    },
+    {
+      "description": "GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "labels": ["dependencies", "github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
+      "matchManagers": ["dockerfile"],
+      "matchPackageNames": ["caddy"],
+      "allowedVersions": "<3.0.0",
+      "labels": ["dependencies", "docker"],
+      "automerge": true
+    },
+    {
+      "description": "Group non-breaking npm minor/patch",
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm minor/patch",
+      "prPriority": -1
+    },
+    {
+      "description": "Group docker base minor/patch",
+      "matchManagers": ["dockerfile"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "docker base updates",
+      "prPriority": -1
+    }
+  ]
+}

.github/workflows/auto-add-to-project.yml

@@ -10,15 +10,23 @@ jobs:
   add-to-project:
     runs-on: ubuntu-latest
     steps:
-      - name: Skip if PROJECT_URL not provided
+      - name: Determine project URL presence
+        id: project_check
         run: |
-          if [ -z "${{ secrets.PROJECT_URL }}" ]; then
-            echo "PROJECT_URL secret not set; skipping add-to-project job."
-            exit 0
+          if [ -n "${{ secrets.PROJECT_URL }}" ]; then
+            echo "has_project=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_project=false" >> $GITHUB_OUTPUT
           fi
 
       - name: Add issue or PR to project
+        if: steps.project_check.outputs.has_project == 'true'
         uses: actions/add-to-project@1b844f0c5ac6446a402e0cb3693f9be5eca188c5 # v0.6.1
+        continue-on-error: true
         with:
           project-url: ${{ secrets.PROJECT_URL }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+
+      - name: Skip summary
+        if: steps.project_check.outputs.has_project == 'false'
+        run: echo "PROJECT_URL secret missing; skipping project assignment." >> $GITHUB_STEP_SUMMARY

.github/workflows/caddy-major-monitor.yml

@@ -0,0 +1,62 @@
+name: Monitor Caddy Major Release
+
+on:
+  schedule:
+    - cron: '17 7 * * 1' # Mondays at 07:17 UTC
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  check-caddy-major:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for Caddy v3 and open issue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const upstream = { owner: 'caddyserver', repo: 'caddy' };
+            const { data: releases } = await github.rest.repos.listReleases({
+              ...upstream,
+              per_page: 50,
+            });
+            const latestV3 = releases.find(r => /^v3\./.test(r.tag_name));
+            if (!latestV3) {
+              core.info('No Caddy v3 release detected.');
+              return;
+            }
+
+            const issueTitle = `Track upgrade to Caddy v3 (${latestV3.tag_name})`;
+
+            const { data: existing } = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              per_page: 100,
+            });
+
+            if (existing.some(i => i.title === issueTitle)) {
+              core.info('Issue already exists — nothing to do.');
+              return;
+            }
+
+            const body = [
+              'Caddy v3 has been released upstream and detected by the scheduled monitor.',
+              '',
+              `Detected release: ${latestV3.tag_name} (${latestV3.html_url})`,
+              '',
+              '- Create a feature branch to evaluate the v3 migration.',
+              '- Review breaking changes and update Docker base images/workflows.',
+              '- Validate Trivy scans and update any policies as needed.',
+              '',
+              'Current policy: remain on latest 2.x until v3 is validated.'
+            ].join('\n');
+
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: issueTitle,
+              body,
+            });