Merge branch 'development' into main

.github/agents/Backend_Dev.agent.md

@@ -45,6 +45,7 @@ Your priority is writing code that is clean, tested, and secure by default.
     - Run `go fmt ./...`.
     - Run `go test ./...` to ensure no regressions.
     - **Coverage (MANDATORY)**: Run the coverage script explicitly. This is NOT run by pre-commit automatically.
+        - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
         - **VS Code Task**: Use "Test: Backend with Coverage" (recommended)
         - **Manual Script**: Execute `/projects/Charon/scripts/go-test-coverage.sh` from the root directory
         - **Minimum**: 85% coverage (configured via `CHARON_MIN_COVERAGE` or `CPM_MIN_COVERAGE`)

.github/agents/Frontend_Dev.agent.md

@@ -52,6 +52,7 @@ You do not just "make it work"; you make it **feel** professional, responsive, a
     - **Gate 2: Logic**:
         - Run `npm run test:ci`.
     - **Gate 3: Coverage (MANDATORY)**:
+        - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
         - **VS Code Task**: Use "Test: Frontend with Coverage" (recommended)
         - **Manual Script**: Execute `/projects/Charon/scripts/frontend-test-coverage.sh` from the root directory
         - **Minimum**: 85% coverage (configured via `CHARON_MIN_COVERAGE` or `CPM_MIN_COVERAGE`)

.github/agents/QA_Security.agent.md

@@ -75,6 +75,7 @@ The task is not complete until ALL of the following pass with zero issues:
     - Zero Critical/High issues allowed
 
 2. **Coverage Tests (MANDATORY - Run Explicitly)**:
+    - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
     - **Backend**: Run VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`
     - **Frontend**: Run VS Code task "Test: Frontend with Coverage" or execute `scripts/frontend-test-coverage.sh`
     - **Why**: These are in manual stage of pre-commit for performance. You MUST run them via VS Code tasks or scripts.

.github/codeql/codeql-config.yml

@@ -2,46 +2,10 @@
 # See: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
 name: "Charon CodeQL Config"
 
-# Query filters to exclude specific alerts with documented justification
-query-filters:
-  # ===========================================================================
-  # SSRF False Positive Exclusion
-  # ===========================================================================
-  # File: backend/internal/utils/url_testing.go (line 276)
-  # Rule: go/request-forgery
-  #
-  # JUSTIFICATION: This file implements comprehensive 4-layer SSRF protection:
-  #
-  # Layer 1: Format Validation (utils.ValidateURL)
-  #   - Validates URL scheme (http/https only)
-  #   - Parses and validates URL structure
-  #
-  # Layer 2: Security Validation (security.ValidateExternalURL)
-  #   - Performs DNS resolution with timeout
-  #   - Blocks 13+ private/reserved IP CIDR ranges:
-  #     * RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
-  #     * Loopback: 127.0.0.0/8, ::1/128
-  #     * Link-Local: 169.254.0.0/16 (AWS/GCP/Azure metadata), fe80::/10
-  #     * Reserved: 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32
-  #     * IPv6 ULA: fc00::/7
-  #
-  # Layer 3: Connection-Time Validation (ssrfSafeDialer)
-  #   - Re-resolves DNS at connection time (prevents DNS rebinding)
-  #   - Re-validates all resolved IPs against blocklist
-  #   - Blocks requests if any IP is private/reserved
-  #
-  # Layer 4: Request Execution (TestURLConnectivity)
-  #   - HEAD request only (minimal data exposure)
-  #   - 5-second timeout
-  #   - Max 2 redirects with redirect target validation
-  #
-  # Security Review: Approved - defense-in-depth prevents SSRF attacks
-  # Last Review Date: 2026-01-01
-  # ===========================================================================
-  - exclude:
-      id: go/request-forgery
-
 # Paths to ignore from all analysis (use sparingly - prefer query-filters)
-# paths-ignore:
-#   - "**/vendor/**"
-#   - "**/testdata/**"
+paths-ignore:
+  - "frontend/coverage/**"
+  - "frontend/dist/**"
+  - "playwright-report/**"
+  - "test-results/**"
+  - "coverage/**"

.github/instructions/copilot-instructions.md

@@ -67,7 +67,7 @@ Before proposing ANY code change or fix, you must build a mental map of the feat
 
 ## Documentation
 
-- **Features**: Update `docs/features.md` when adding capabilities.
+- **Features**: Update `docs/features.md` when adding capabilities. This is a short "marketing" style list. Keep details to their individual docs.
 - **Links**: Use GitHub Pages URLs (`https://wikid82.github.io/charon/`) for docs and GitHub blob links for repo files.
 
 ## CI/CD & Commit Conventions
@@ -108,6 +108,7 @@ Before marking an implementation task as complete, perform the following in orde
     - Do not output code that violates pre-commit standards.
 
 3. **Coverage Testing** (MANDATORY - Non-negotiable):
+    - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
     - **Backend Changes**: Run the VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`.
         - Minimum coverage: 85% (set via `CHARON_MIN_COVERAGE` or `CPM_MIN_COVERAGE`).
         - If coverage drops below threshold, write additional tests to restore coverage.

.github/skills/security-scan-codeql-scripts/run.sh

@@ -17,6 +17,12 @@ source "${SKILLS_SCRIPTS_DIR}/_error_handling_helpers.sh"
 # shellcheck source=../scripts/_environment_helpers.sh
 source "${SKILLS_SCRIPTS_DIR}/_environment_helpers.sh"
 
+# Some helper scripts may not define ANSI color variables; ensure they exist
+# before using them later in this script (set -u is enabled).
+RED="${RED:-\033[0;31m}"
+GREEN="${GREEN:-\033[0;32m}"
+NC="${NC:-\033[0m}"
+
 PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 
 # Set defaults
@@ -89,12 +95,18 @@ run_codeql_scan() {
     local source_root=$2
     local db_name="codeql-db-${lang}"
     local sarif_file="codeql-results-${lang}.sarif"
-    local query_suite=""
+    local build_mode_args=()
+    local codescanning_config="${PROJECT_ROOT}/.github/codeql/codeql-config.yml"
 
-    if [[ "${lang}" == "go" ]]; then
-        query_suite="codeql/go-queries:codeql-suites/go-security-and-quality.qls"
-    else
-        query_suite="codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls"
+    # Remove generated artifacts that can create noisy/false findings during CodeQL analysis
+    rm -rf "${PROJECT_ROOT}/frontend/coverage" \
+          "${PROJECT_ROOT}/frontend/dist" \
+          "${PROJECT_ROOT}/playwright-report" \
+          "${PROJECT_ROOT}/test-results" \
+          "${PROJECT_ROOT}/coverage"
+
+    if [[ "${lang}" == "javascript" ]]; then
+        build_mode_args=(--build-mode=none)
     fi
 
     log_step "CODEQL" "Scanning ${lang} code in ${source_root}/"
@@ -106,7 +118,9 @@ run_codeql_scan() {
     log_info "Creating CodeQL database..."
     if ! codeql database create "${db_name}" \
         --language="${lang}" \
+        "${build_mode_args[@]}" \
         --source-root="${source_root}" \
+        --codescanning-config="${codescanning_config}" \
         --threads="${CODEQL_THREADS}" \
         --overwrite 2>&1 | while read -r line; do
             # Filter verbose output, show important messages
@@ -121,9 +135,8 @@ run_codeql_scan() {
     fi
 
     # Run analysis
-    log_info "Analyzing with security-and-quality suite..."
+    log_info "Analyzing with Code Scanning config (CI-aligned query filters)..."
     if ! codeql database analyze "${db_name}" \
-        "${query_suite}" \
         --format=sarif-latest \
         --output="${sarif_file}" \
         --sarif-add-baseline-file-info \

.github/skills/security-scan-trivy-scripts/run.sh

@@ -28,7 +28,9 @@ set_default_env "TRIVY_SEVERITY" "CRITICAL,HIGH,MEDIUM"
 set_default_env "TRIVY_TIMEOUT" "10m"
 
 # Parse arguments
-SCANNERS="${1:-vuln,secret,misconfig}"
+# Default scanners exclude misconfig to avoid non-actionable policy bundle issues
+# that can cause scan errors unrelated to the repository contents.
+SCANNERS="${1:-vuln,secret}"
 FORMAT="${2:-table}"
 
 # Validate format
@@ -63,6 +65,29 @@ log_info "Timeout: ${TRIVY_TIMEOUT}"
 
 cd "${PROJECT_ROOT}"
 
+# Avoid scanning generated/cached artifacts that commonly contain fixture secrets,
+# non-Dockerfile files named like Dockerfiles, and large logs.
+SKIP_DIRS=(
+    ".git"
+    ".venv"
+    ".cache"
+    "node_modules"
+    "frontend/node_modules"
+    "frontend/dist"
+    "frontend/coverage"
+    "test-results"
+    "codeql-db-go"
+    "codeql-db-js"
+    "codeql-agent-results"
+    "my-codeql-db"
+    ".trivy_logs"
+)
+
+SKIP_DIR_FLAGS=()
+for d in "${SKIP_DIRS[@]}"; do
+    SKIP_DIR_FLAGS+=("--skip-dirs" "/app/${d}")
+done
+
 # Run Trivy via Docker
 if docker run --rm \
     -v "$(pwd):/app:ro" \
@@ -71,7 +96,11 @@ if docker run --rm \
     aquasec/trivy:latest \
     fs \
     --scanners "${SCANNERS}" \
+    --timeout "${TRIVY_TIMEOUT}" \
+    --exit-code 1 \
+    --severity "CRITICAL,HIGH" \
     --format "${FORMAT}" \
+    "${SKIP_DIR_FLAGS[@]}" \
     /app; then
     log_success "Trivy scan completed - no issues found"
     exit 0

.github/skills/test-backend-unit-scripts/run.sh

@@ -36,12 +36,30 @@ cd "${PROJECT_ROOT}/backend"
 # Execute tests
 log_step "EXECUTION" "Running backend unit tests"
 
-# Run go test with all passed arguments
-if go test "$@" ./...; then
-    log_success "Backend unit tests passed"
-    exit 0
-else
-    exit_code=$?
-    log_error "Backend unit tests failed (exit code: ${exit_code})"
-    exit "${exit_code}"
+# Check if short mode is enabled
+SHORT_FLAG=""
+if [[ "${CHARON_TEST_SHORT:-false}" == "true" ]]; then
+    SHORT_FLAG="-short"
+    log_info "Running in short mode (skipping integration and heavy network tests)"
+fi
+
+# Run tests with gotestsum if available, otherwise fall back to go test
+if command -v gotestsum &> /dev/null; then
+    if gotestsum --format pkgname -- $SHORT_FLAG "$@" ./...; then
+        log_success "Backend unit tests passed"
+        exit 0
+    else
+        exit_code=$?
+        log_error "Backend unit tests failed (exit code: ${exit_code})"
+        exit "${exit_code}"
+    fi
+else
+    if go test $SHORT_FLAG "$@" ./...; then
+        log_success "Backend unit tests passed"
+        exit 0
+    else
+        exit_code=$?
+        log_error "Backend unit tests failed (exit code: ${exit_code})"
+        exit "${exit_code}"
+    fi
 fi

.github/workflows/docker-build.yml

@@ -235,7 +235,7 @@ jobs:
 
       # Generate SBOM (Software Bill of Materials) for supply chain security
       - name: Generate SBOM
-        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+        uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0.21.1
         if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
         with:
           image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -244,7 +244,7 @@ jobs:
 
       # Create verifiable attestation for the SBOM
       - name: Attest SBOM
-        uses: actions/attest-sbom@115c3be05ff3974bcbd596578934b3f9ce39bf68 # v2.2.0
+        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
         if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

.github/workflows/renovate.yml

@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 1
 
       - name: Run Renovate
-        uses: renovatebot/github-action@f7fad228a053c69a98e24f8e4f6cf40db8f61e08 # v44.2.1
+        uses: renovatebot/github-action@a7e89c349a53ab0c9d8458eb85f4b415e55848e7 # v44.2.3
         with:
           configurationFile: .github/renovate.json
           token: ${{ secrets.RENOVATE_TOKEN }}