Propagate changes from development into feature/beta-release

.github/renovate.json

@@ -7,7 +7,6 @@
     "helpers:pinGitHubActionDigests"
   ],
   "baseBranchPatterns": [
-    "feature/beta-release",
     "development"
   ],
   "postUpdateOptions": ["npmDedupe"],
@@ -264,19 +263,12 @@
       "matchPackageNames": [
         "*"
       ]
-    },
-        {
-      "description": "Feature branches: Auto-merge non-major updates after proven stable",
-      "matchBaseBranches": ["feature/**"],
-      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
-      "automerge": false
     },
     {
       "description": "Development branch: Auto-merge non-major updates after proven stable",
       "matchBaseBranches": ["development"],
       "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
-      "automerge": false,
-      "minimumReleaseAge": "14 days"
+      "automerge": false
     },
     {
       "description": "Preserve your custom Caddy patch labels but allow them to group into a single PR",

Dockerfile

@@ -486,7 +486,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Note: In production, users should provide their own MaxMind license key
 # This uses the publicly available GeoLite2 database
 # In CI, timeout quickly rather than retrying to save build time
-ARG GEOLITE2_COUNTRY_SHA256=62049119bd084e19fff4689bebe258f18a5f27a386e6d26ba5180941b613fc2b
+ARG GEOLITE2_COUNTRY_SHA256=c880cbc7e6b1a9b1a96d530c34996480d6d809d2c89a6bd73a5072e4fffbc01c
 RUN mkdir -p /app/data/geoip && \
         if [ "$CI" = "true" ] || [ "$CI" = "1" ]; then \
             echo "⏱️  CI detected - quick download (10s timeout, no retries)"; \

backend/internal/api/handlers/logs_handler.go

@@ -93,8 +93,9 @@ func (h *LogsHandler) Download(c *gin.Context) {
 		}
 	}()
 
-	// #nosec G304 -- path is validated via LogService.GetLogPath
-	srcFile, err := os.Open(path) // nosemgrep: go.gin.path-traversal.gin-path-traversal-taint.gin-path-traversal-taint
+	// #nosec G304 -- path is validated via LogService.GetLogPath which enforces
+	// filepath.Base equality check and path prefix validation.
+	srcFile, err := os.Open(path) //nolint:gosec // nosemgrep: go.gin.path-traversal.gin-path-traversal-taint.gin-path-traversal-taint
 	if err != nil {
 		if err := tmpFile.Close(); err != nil {
 			logger.Log().WithError(err).Warn("failed to close temp file")

lefthook.yml

@@ -104,6 +104,11 @@ pre-commit:
       glob: "frontend/**/*.{ts,tsx,js,jsx}"
       run: cd frontend && npm run lint
 
+    semgrep:
+      glob: "{**/*.{go,ts,tsx,js,jsx,sh,yml,yaml,json},Dockerfile*}"
+      exclude: 'frontend/(coverage|dist|node_modules|\.vite)/'
+      run: scripts/pre-commit-hooks/semgrep-scan.sh {staged_files}
+
 
 # ============================================================
 # MANUAL: security-full

scripts/pre-commit-hooks/golangci-lint-fast.sh

@@ -59,5 +59,7 @@ echo "Using golangci-lint: $GOLANGCI_LINT"
 echo "Version: $($GOLANGCI_LINT version)"
 
 # Change to backend directory and run golangci-lint
+# --new-from-rev HEAD: only report issues in lines changed since the last commit,
+# preventing pre-existing issues in unrelated files from blocking commits.
 cd "$(dirname "$0")/../../backend" || exit 1
-exec "$GOLANGCI_LINT" run --config .golangci-fast.yml ./...
+exec "$GOLANGCI_LINT" run --config .golangci-fast.yml --new-from-rev HEAD ./...

scripts/pre-commit-hooks/semgrep-scan.sh

@@ -32,6 +32,13 @@ else
   echo "Running Semgrep with configs: p/golang, p/javascript, p/typescript, p/react, p/secrets, p/dockerfile"
 fi
 
+# Use staged files passed by lefthook if provided; fall back to full scan.
+if [ "$#" -gt 0 ]; then
+  TARGETS=("$@")
+else
+  TARGETS=(Dockerfile backend frontend/src scripts .github/workflows)
+fi
+
 semgrep scan \
   "${SEMGREP_CONFIGS[@]}" \
   --severity ERROR \
@@ -40,4 +47,4 @@ semgrep scan \
   --exclude "frontend/node_modules" \
   --exclude "frontend/coverage" \
   --exclude "frontend/dist" \
-  Dockerfile backend frontend/src scripts .github/workflows
+  "${TARGETS[@]}"