Add QA test outputs, build scripts, and Dockerfile validation

- Created `qa-test-output-after-fix.txt` and `qa-test-output.txt` to log results of certificate page authentication tests.
- Added `build.sh` for deterministic backend builds in CI, utilizing `go list` for efficiency.
- Introduced `codeql_scan.sh` for CodeQL database creation and analysis for Go and JavaScript/TypeScript.
- Implemented `dockerfile_check.sh` to validate Dockerfiles for base image and package manager mismatches.
- Added `sourcery_precommit_wrapper.sh` to facilitate Sourcery CLI usage in pre-commit hooks.

tools/build.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# Deterministic, fast backend build step for CI/CodeQL extraction
+# Use `go list` to avoid long-running builds and network downloads.
+# Set GOPROXY to a standard proxy to avoid interactive network issues.
+set -euo pipefail
+cd backend
+export GOPROXY=${GOPROXY:-https://proxy.golang.org}
+export GOMODCACHE=${GOMODCACHE:-$(go env GOMODCACHE)}
+# First, list packages for fast JS extraction/diagnostics
+go list ./...
+# Ensure dependencies are downloaded and run a proper Go build so CodeQL can extract symbols
+go mod download
+go build ./...

tools/codeql_scan.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+# Check if gh is installed
+if ! command -v gh &> /dev/null; then
+    echo "Error: GitHub CLI (gh) is not installed."
+    exit 1
+fi
+
+# Check if gh-codeql extension is installed
+if ! gh extension list | grep -q "github/gh-codeql"; then
+    echo "Installing GitHub CodeQL extension..."
+    gh extension install github/gh-codeql
+fi
+
+echo "Creating CodeQL database..."
+# Remove existing db if any
+rm -rf codeql-db
+
+# Clean up build artifacts and coverage reports to prevent false positives
+echo "Cleaning up build artifacts..."
+rm -rf frontend/dist backend/coverage
+
+# Create the database cluster
+echo "Creating CodeQL database cluster..."
+# We specify --command to ensure Go builds correctly
+# We include javascript to scan the frontend (TypeScript/React)
+# We use --db-cluster to support multiple languages
+gh codeql database create codeql-db --language=go,javascript --db-cluster --source-root . --command "./tools/build.sh" --overwrite
+
+echo "Analyzing CodeQL database..."
+# Analyze Go
+echo "Analyzing Go..."
+gh codeql database analyze codeql-db/go codeql/go-queries:codeql-suites/go-security-and-quality.qls --format=sarif-latest --output=codeql-results-go.sarif --download
+
+# Analyze JavaScript/TypeScript
+echo "Analyzing JavaScript/TypeScript..."
+gh codeql database analyze codeql-db/javascript codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls --format=sarif-latest --output=codeql-results-js.sarif --download
+
+echo "Scan complete."
+echo "Go results: codeql-results-go.sarif"
+echo "JS/TS results: codeql-results-js.sarif"

tools/dockerfile_check.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# Dockerfile validation script
+# Checks for common mismatches between base images and package managers
+
+set -e
+
+DOCKERFILE="${1:-Dockerfile}"
+
+if [ ! -f "$DOCKERFILE" ]; then
+    echo "Error: $DOCKERFILE not found"
+    exit 1
+fi
+
+echo "Checking $DOCKERFILE for base image / package manager mismatches..."
+
+# Read file content
+dockerfile_content=$(cat "$DOCKERFILE")
+
+# Check for golang:latest or golang:1.x (Debian) with apk commands in the same stage
+while IFS= read -r line; do
+    if echo "$line" | grep -qE "^FROM\s+golang:(latest|[0-9]+(\.[0-9]+)?)\s"; then
+        # Found a Debian-based golang image, check the next 20 lines for apk
+        current_stage="$line"
+        checking_stage=true
+    elif echo "$line" | grep -qE "^FROM\s+" && [ "$checking_stage" = true ]; then
+        # New FROM statement, reset
+        checking_stage=false
+    fi
+
+    if [ "$checking_stage" = true ] && echo "$line" | grep -qE "RUN.*apk\s+(add|update|del)"; then
+        echo "❌ ERROR: Found Debian-based golang image with Alpine package manager (apk)"
+        echo "   Stage: $current_stage"
+        echo "   Command: $line"
+        echo "   Fix: Use 'golang:alpine' or 'golang:1.x-alpine' instead"
+        exit 1
+    fi
+done < "$DOCKERFILE"
+
+# Check for node:latest or node:XX (Debian) with apk commands
+if echo "$dockerfile_content" | grep -E "FROM\s+node:(latest|[0-9]+)\s" > /dev/null; then
+    if echo "$dockerfile_content" | grep -A 10 "FROM\s\+node:(latest|[0-9]\+)\s" | grep -E "RUN.*apk\s+(add|update)" > /dev/null; then
+        echo "❌ ERROR: Found Debian-based node image (node:latest or node:XX) with Alpine package manager (apk)"
+        echo "   Fix: Use 'node:alpine' or 'node:XX-alpine' instead"
+        exit 1
+    fi
+fi
+
+# Check for alpine images with apt/apt-get
+if echo "$dockerfile_content" | grep -E "FROM\s+.*:.*alpine" > /dev/null; then
+    if echo "$dockerfile_content" | grep -A 10 "FROM\s\+.*:.*alpine" | grep -E "RUN.*(apt-get|apt)\s+(install|update)" > /dev/null; then
+        echo "❌ ERROR: Found Alpine-based image with Debian package manager (apt/apt-get)"
+        echo "   Fix: Use 'apk add' instead of 'apt install'"
+        exit 1
+    fi
+fi
+
+echo "✓ Dockerfile validation passed"
+exit 0

tools/sourcery_precommit_wrapper.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wrapper for Sourcery pre-commit hook.
+# Run Sourcery if the CLI is available or a token is provided.
+# This supports both interactive `sourcery login` and token-based CI usage.
+
+if command -v sourcery >/dev/null 2>&1; then
+  exec sourcery "$@"
+fi
+
+# Try python -m sourcery as a fallback
+if python -m sourcery --version >/dev/null 2>&1; then
+  exec python -m sourcery "$@"
+fi
+
+# If CLI not found but token env var present, try to run via 'sourcery' anyway
+if [ -n "${SOURCERY_TOKEN:-}" ] || [ -n "${SOURCERY_API_TOKEN:-}" ] || [ -n "${SOURCERY_API_KEY:-}" ]; then
+  if command -v sourcery >/dev/null 2>&1; then
+    exec sourcery "$@"
+  fi
+  if python -m sourcery --version >/dev/null 2>&1; then
+    exec python -m sourcery "$@"
+  fi
+fi
+
+echo "Sourcery CLI not available and no token detected; skipping sourcery pre-commit check."
+exit 0