Skip to content

chore: bootstrap operational hygiene (CI, hooks, templates, configs)#1

Merged
madhavcodez merged 1 commit into
mainfrom
cleanup/phase-0-ops-hygiene
May 18, 2026
Merged

chore: bootstrap operational hygiene (CI, hooks, templates, configs)#1
madhavcodez merged 1 commit into
mainfrom
cleanup/phase-0-ops-hygiene

Conversation

@madhavcodez
Copy link
Copy Markdown
Owner

@madhavcodez madhavcodez commented May 18, 2026

Summary

This is PR 1 of 4 in a critical-cleanup sweep informed by parallel architecture / code / security / performance / refactor reviews.

This PR adds only net-new files (plus pyproject.toml and .gitignore expansions). Zero application code changes. The goal is to land the safety net before later PRs touch runtime code.

Why this is first

The repo currently has no CI, no pre-commit hooks, no Dependabot, no PR/issue templates, no CONTRIBUTING/SECURITY/COC, and pyproject.toml declares no linter/formatter/type-checker configuration. Subsequent PRs (security fixes, reliability fixes, deletions) are much safer with these gates in place.

What's added

CI / security workflows

  • .github/workflows/ci.yml — backend (ruff, black, isort, mypy, pytest with coverage) + dashboard (eslint, tsc, vitest, build). Postgres 16 + Redis 7 service containers wired.
  • .github/workflows/security.yml — Bandit SAST, pip-audit, npm audit, gitleaks, CodeQL (Python + JS/TS). Runs on PRs and weekly Mondays.
  • .github/dependabot.yml — pip, npm, GitHub Actions, Docker. Grouped to keep PR volume sane.

Repo metadata

  • .github/PULL_REQUEST_TEMPLATE.md — security + migration safety checklist
  • .github/ISSUE_TEMPLATE/{bug_report,feature_request,config} — routes security reports to private GitHub Security Advisories
  • .github/CODEOWNERS — default + voice/migrations carve-outs

Project docs

  • CONTRIBUTING.md — local setup, branch/commit conventions, quality bar
  • SECURITY.md — disclosure policy, hardening guidance, known debt
  • CODE_OF_CONDUCT.md — Contributor Covenant 2.1
  • CHANGELOG.md — Keep a Changelog skeleton

Tooling

  • backend/pyproject.toml — ruff (security + async + bugbear + import rules), black, isort, mypy with pydantic plugin, coverage config. Pinned requires-python = ">=3.13" (was >=3.10) to match the python:3.13-slim Docker base.
  • .pre-commit-config.yaml — ruff, black, isort, eslint, gitleaks, large-file guard, private-key detector
  • .editorconfig + .gitattributes — LF normalization, indent rules, binary patterns
  • .gitignore — explicit *.zip/archive patterns, .env.* glob, mypy/ruff caches

Test plan

  • All new YAML/JSON/TOML parses (added check-yaml/check-toml/check-json to pre-commit)
  • CI workflow runs green on this PR (verifies the new gates actually work end-to-end)
  • Security workflow surfaces existing known issues (this PR doesn't fix them — that's PR 2)
  • Dependabot will open follow-up PRs over the next week
  • Manual: pre-commit install && pre-commit run --all-files locally (expect existing code to surface lint hits — those land in later PRs)

Follow-up PRs in this sweep

  • PR 2 — Critical security fixes: Python executor sandbox (RestrictedPython), Twilio + Resend webhook signature validation, init_db() silent-fail, SSRF blocklist, IDOR fixes on voice/findings/missions, auth rate limits.
  • PR 3 — Critical reliability + performance: Lifespan fail-fast, APScheduler→Celery Beat, wire SourceCache into Exa/Gemini, missing DB indexes, pagination, asyncio.create_task migration.
  • PR 4 — Safe deletions: services/workflows/, api/routes/, files.zip, backend/seed.py, dead TS components/hooks, duplicate test files, Dockerfile relocation.

Notes on findings (for context)

Cross-agent review surfaced these CRITICALs that this PR does NOT fix (intentionally — addressed in PR 2/3):

  • backend/app/services/crews/tools/python_executor.py:39-45 — string-scan blocklist is bypassed by __import__('o'+'s'), importlib, open().
  • backend/app/api/voice_webhooks.py — zero Twilio signature validation.
  • backend/app/api/webhooks.pyresend_webhook_secret configured but never used.
  • backend/app/database.py:38except Exception: pass in init_db().
  • backend/app/services/scheduler.py — APScheduler in-process will multi-fire under uvicorn --workers >1.

CI landing first means these fixes will have a real test gate when they ship.

@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented May 18, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@jchauhan1975
chore: bootstrap operational hygiene (CI, hooks, templates, configs)
f025314 
Establishes the missing foundation for safe iteration across the rest of
the cleanup. None of these changes touch application code or behavior.

CI / security
- .github/workflows/ci.yml — backend (ruff/black/isort/mypy/pytest) +
  dashboard (eslint/tsc/vitest/build), Postgres + Redis service containers
- .github/workflows/security.yml — Bandit SAST, pip-audit, npm audit,
  gitleaks, CodeQL (Python + JS/TS), weekly schedule
- .github/dependabot.yml — pip, npm, GitHub Actions, Docker (grouped)

Repo metadata
- .github/PULL_REQUEST_TEMPLATE.md — security + migration checklists
- .github/ISSUE_TEMPLATE/{bug_report,feature_request,config}
  — routes security reports to private GitHub Security Advisories
- .github/CODEOWNERS — default + voice/migrations carve-outs

Project docs
- CONTRIBUTING.md — local setup, commit/branch conventions, quality bar
- SECURITY.md — disclosure policy, hardening guidance, known debt
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1
- CHANGELOG.md — Keep a Changelog skeleton, Unreleased entry seeded

Tooling
- backend/pyproject.toml — ruff (E/W/F/I/B/C4/UP/SIM/RUF/ASYNC/S/T20/...),
  black (line-length=100), isort (black profile), mypy (strict_optional,
  check_untyped_defs, pydantic plugin), coverage config; pinned
  requires-python = ">=3.13" to match Dockerfile
- .pre-commit-config.yaml — ruff, black, isort, eslint, gitleaks,
  large-file + private-key guards, EOL normalization
- .editorconfig — LF, UTF-8, 4-space Python / 2-space TS
- .gitattributes — explicit LF for source, binary patterns, linguist hints
- .gitignore — explicit archive patterns (*.zip etc.), .env.* glob,
  mypy/ruff caches, additional editor/OS junk

Refs: architectural review TOP-10 #9 (delete dead/orphan dirs follows in
later PR), code review #4 (gates needed before broader refactor), security
review TOP-10 items will land in the next PR with CI as a safety net.
This was referenced May 18, 2026
Merged
Open
Open
@madhavcodez madhavcodez merged commit ba52319 into main May 18, 2026
7 of 9 checks passed
@madhavcodez madhavcodez deleted the cleanup/phase-0-ops-hygiene branch May 18, 2026 04:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@madhavcodez @github-advanced-security @jchauhan1975