chore(deps): update dependency black to >=24.10.0

.codecov.yml

@@ -11,8 +11,22 @@ coverage:
 # Fail CI if Codecov upload/report indicates a problem
 require_ci_to_pass: yes
 
-# Exclude folders from Codecov (adjust as needed)
+# Exclude folders from Codecov
 ignore:
-  - tests/*
-  - docs/*
-  - .github/*
+  - "**/tests/*"
+  - "**/test/*"
+  - "**/__tests__/*"
+  - "**/test_*.go"
+  - "**/*_test.go"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "docs/*"
+  - ".github/*"
+  - "scripts/*"
+  - "tools/*"
+  - "frontend/node_modules/*"
+  - "frontend/dist/*"
+  - "frontend/coverage/*"
+  - "backend/cmd/seed/*"
+  - "backend/data/*"
+  - "*.md"

.dockerignore

@@ -1,27 +1,75 @@
+# Version control
 .git
 .gitignore
-node_modules
-venv
-__pycache__
-*.pyc
-*.pyo
-*.pyd
+.github/
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
 .Python
+.venv/
+venv/
 env/
-build/
-dist/
-*.egg-info
-.DS_Store
-.idea/
-.vscode/
-.env
-.env.*
-coverage/
-.coverage
+ENV/
 .pytest_cache/
-*.log
+.coverage
+*.cover
+.hypothesis/
+htmlcov/
+*.egg-info/
+
+# Node/Frontend build artifacts
+frontend/node_modules/
+frontend/coverage/
+frontend/.vite/
+frontend/*.tsbuildinfo
+# Keep frontend/dist - needed in final image
+
+# Go/Backend
+backend/*.out
+backend/coverage.*.out
+# Keep backend/api binary - needed in final image
+
+# Databases (runtime)
+backend/data/*.db
+backend/cmd/api/data/*.db
+*.sqlite
 *.sqlite3
 
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+logs/
+
+# Environment
+.env.local
+.env.*.local
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Documentation
+docs/
+*.md
+!README.md
+
 # Docker
-docker-compose.override.yml
+docker-compose*.yml
 **/Dockerfile.*
+
+# CI/CD
+.github/
+.pre-commit-config.yaml
+
+# Scripts
+scripts/
+tools/

.github/renovate.json

@@ -0,0 +1,70 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    ":separateMultipleMajorReleases",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "baseBranches": ["development"],
+  "timezone": "UTC",
+  "dependencyDashboard": true,
+  "prConcurrentLimit": 10,
+  "prHourlyLimit": 5,
+  "labels": ["dependencies"],
+  "rebaseWhen": "conflicted",
+  "vulnerabilityAlerts": { "enabled": true },
+  "schedule": ["every weekday"],
+  "rangeStrategy": "bump",
+  "packageRules": [
+    {
+      "description": "Automerge safe patch updates",
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "description": "Frontend npm: automerge minor for devDependencies",
+      "matchManagers": ["npm"],
+      "matchDepTypes": ["devDependencies"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "labels": ["dependencies", "npm"]
+    },
+    {
+      "description": "Backend Go modules",
+      "matchManagers": ["gomod"],
+      "labels": ["dependencies", "go"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": false
+    },
+    {
+      "description": "GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "labels": ["dependencies", "github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
+      "matchManagers": ["dockerfile"],
+      "matchPackageNames": ["caddy"],
+      "allowedVersions": "<3.0.0",
+      "labels": ["dependencies", "docker"],
+      "automerge": true
+    },
+    {
+      "description": "Group non-breaking npm minor/patch",
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm minor/patch",
+      "prPriority": -1
+    },
+    {
+      "description": "Group docker base minor/patch",
+      "matchManagers": ["dockerfile"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "docker base updates",
+      "prPriority": -1
+    }
+  ]
+}

.github/workflows/auto-add-to-project.yml

@@ -10,15 +10,23 @@ jobs:
   add-to-project:
     runs-on: ubuntu-latest
     steps:
-      - name: Skip if PROJECT_URL not provided
+      - name: Determine project URL presence
+        id: project_check
         run: |
-          if [ -z "${{ secrets.PROJECT_URL }}" ]; then
-            echo "PROJECT_URL secret not set; skipping add-to-project job."
-            exit 0
+          if [ -n "${{ secrets.PROJECT_URL }}" ]; then
+            echo "has_project=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_project=false" >> $GITHUB_OUTPUT
           fi
 
       - name: Add issue or PR to project
-        uses: actions/add-to-project@v0.5.0
+        if: steps.project_check.outputs.has_project == 'true'
+        continue-on-error: true
+        uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0
         with:
           project-url: ${{ secrets.PROJECT_URL }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+
+      - name: Skip summary
+        if: steps.project_check.outputs.has_project == 'false'
+        run: echo "PROJECT_URL secret missing; skipping project assignment." >> $GITHUB_STEP_SUMMARY

.github/workflows/auto-label-issues.yml

@@ -11,7 +11,7 @@ jobs:
       issues: write
     steps:
       - name: Auto-label based on title and body
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const issue = context.payload.issue;

.github/workflows/caddy-major-monitor.yml

@@ -0,0 +1,62 @@
+name: Monitor Caddy Major Release
+
+on:
+  schedule:
+    - cron: '17 7 * * 1' # Mondays at 07:17 UTC
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  check-caddy-major:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for Caddy v3 and open issue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const upstream = { owner: 'caddyserver', repo: 'caddy' };
+            const { data: releases } = await github.rest.repos.listReleases({
+              ...upstream,
+              per_page: 50,
+            });
+            const latestV3 = releases.find(r => /^v3\./.test(r.tag_name));
+            if (!latestV3) {
+              core.info('No Caddy v3 release detected.');
+              return;
+            }
+
+            const issueTitle = `Track upgrade to Caddy v3 (${latestV3.tag_name})`;
+
+            const { data: existing } = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              per_page: 100,
+            });
+
+            if (existing.some(i => i.title === issueTitle)) {
+              core.info('Issue already exists — nothing to do.');
+              return;
+            }
+
+            const body = [
+              'Caddy v3 has been released upstream and detected by the scheduled monitor.',
+              '',
+              `Detected release: ${latestV3.tag_name} (${latestV3.html_url})`,
+              '',
+              '- Create a feature branch to evaluate the v3 migration.',
+              '- Review breaking changes and update Docker base images/workflows.',
+              '- Validate Trivy scans and update any policies as needed.',
+              '',
+              'Current policy: remain on latest 2.x until v3 is validated.'
+            ].join('\n');
+
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: issueTitle,
+              body,
+            });

.github/workflows/ci.yml

@@ -7,67 +7,35 @@ on:
     branches: [ main, development ]
 
 jobs:
-  lint:
-    name: Lint (ruff & flake8)
+  test-backend:
+    name: Backend Tests (Go)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          python-version: '3.12'
-      - name: Cache pip
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
-      - name: Install dev dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.dev.txt
-      - name: Run pre-commit
-        run: |
-          pre-commit run --all-files
-      - name: Run ruff
-        run: |
-          ruff check .
-      - name: Run flake8
+          go-version: '1.22'
+          cache-dependency-path: backend/go.sum
+      - name: Run Go tests
+        working-directory: backend
         run: |
-          flake8 . || true
+          go test -v ./...
 
-  test-and-coverage:
-    name: Tests & Coverage
+  test-frontend:
+    name: Frontend Tests (React)
     runs-on: ubuntu-latest
-    needs: [lint]
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
         with:
-          python-version: '3.12'
-      - name: Cache pip
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt || true
-          pip install -r requirements.dev.txt
-      - name: Run tests with coverage
-        run: |
-          # run pytest under coverage and fail if tests fail
-          coverage run -m pytest -q
-          coverage report -m --fail-under=75
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
-        with:
-          fail_ci_if_error: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Optional: set CODECOV_TOKEN in repo secrets if needed for private repos
+        working-directory: frontend
+        run: npm ci
+      - name: Run frontend tests
+        working-directory: frontend
+        run: npm test