fix(api): fallback 409 for duplicate anchor (Closes #557)

.github/ISSUE_TEMPLATE/security-sensitive.md

@@ -0,0 +1,24 @@
+name: Security-sensitive change
+about: Use this for issues that propose changes affecting security, keys, secrets, or crypto-critical paths.
+title: "[SECURITY] "
+labels: security
+
+---
+
+### Summary
+
+Describe the proposed change and why it's security-sensitive.
+
+### Risk assessment
+
+- What components are affected?
+- What is the blast radius if this introduces a vulnerability?
+
+### Mitigations and testing
+
+- Testing performed (unit, integration, formal verification)
+- Rollback plan
+
+### Secrets and keys
+
+List any new secrets/keys and how they will be provisioned securely.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +1,19 @@
 ## Summary
 
+Describe the change and why it's needed.
+
+## Security Considerations (required for security-sensitive changes)
+
+If this change touches security-sensitive areas (keys, secrets, crypto, auth), include:
+
+- A brief summary of the risk.
+- Tests performed and their results.
+- How secrets will be stored and rotated.
+- Rollback plan in case of issues.
+
+If not applicable, write "Not security-sensitive".
+## Summary
+
 ## Type of change
 - [ ] Bug fix
 - [ ] New feature
@@ -14,5 +28,6 @@ Closes #
 - [ ] Tests pass
 - [ ] No new lint warnings
 - [ ] Docs updated if needed
+- [ ] CHANGELOG.md updated
 - [ ] PR targets `develop`
 - [ ] Supabase queries audited for SQL injection (no raw SQL, parameterized methods used)

.github/dependabot.yml

@@ -39,3 +39,17 @@ updates:
       # Flag major version bumps for manual review
       - dependency-name: "*"
         update-types: [version-update:semver-major]
+
+  # GitHub Actions — monthly to reduce noise
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+    ignore:
+      # Flag major version bumps for manual review
+      - dependency-name: "*"
+        update-types: [version-update:semver-major]

.github/workflows/audit.yml

@@ -11,6 +11,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  issues: write
 
 jobs:
   npm-audit:
@@ -42,6 +43,20 @@ jobs:
               repo: context.repo.repo,
               body: `### ${status} pnpm audit\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``
             });
+      - name: Create Issue on failure (Scheduled)
+        if: github.event_name == 'schedule' && steps.npm_audit.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const output = fs.readFileSync('/tmp/npm-audit.txt', 'utf8');
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: '🚨 Weekly pnpm audit failed: High-severity vulnerabilities detected',
+              body: `The weekly pnpm audit found high-severity vulnerabilities in JS dependencies.\n\n### Audit Output:\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``,
+              labels: ['security', 'devops']
+            });
       - name: Fail if audit found high/critical issues
         if: steps.npm_audit.outcome == 'failure'
         run: exit 1
@@ -54,7 +69,7 @@ jobs:
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: "1.85.0"
+          toolchain: "1.88.0"
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: apps/contracts
@@ -79,6 +94,20 @@ jobs:
               repo: context.repo.repo,
               body: `### ${status} cargo audit\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``
             });
+      - name: Create Issue on failure (Scheduled)
+        if: github.event_name == 'schedule' && steps.cargo_audit.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const output = fs.readFileSync('/tmp/cargo-audit.txt', 'utf8');
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: '🚨 Weekly cargo audit failed: Vulnerabilities detected',
+              body: `The weekly cargo audit found vulnerabilities in Rust dependencies.\n\n### Audit Output:\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``,
+              labels: ['security', 'devops']
+            });
       - name: Fail if audit found vulnerabilities
         if: steps.cargo_audit.outcome == 'failure'
         run: exit 1

.github/workflows/ci.yml

@@ -14,6 +14,16 @@ jobs:
   web:
     name: Web (lint + type-check + test + build)
     runs-on: ubuntu-latest
+    services:
+      redis:
+        image: redis:7-alpine
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 3
     steps:
       - uses: actions/checkout@v4
 
@@ -51,17 +61,26 @@ jobs:
           TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
       - run: pnpm test
         working-directory: apps/web
+      - name: Run tests with coverage
+        run: pnpm vitest run --coverage
+        working-directory: apps/web
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          files: apps/web/coverage/lcov.info
+          flags: web
+          fail_ci_if_error: false
       - run: pnpm build
         working-directory: apps/web
         env:
-          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL || 'https://placeholder.supabase.co' }}
-          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY || 'placeholder' }}
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
           NEXT_PUBLIC_STELLAR_NETWORK: testnet
           NEXT_PUBLIC_ENERGY_TOKEN_ID: placeholder
           NEXT_PUBLIC_AUDIT_REGISTRY_ID: placeholder
           NEXT_PUBLIC_COMMUNITY_GOVERNANCE_ID: placeholder
-          SUPABASE_SERVICE_ROLE_KEY: placeholder
-          MINTER_SECRET_KEY: SAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+          SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
+          MINTER_SECRET_KEY: ${{ secrets.MINTER_SECRET_KEY }}
           TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
           TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
@@ -104,6 +123,21 @@ jobs:
       - name: Validate openapi.yaml
         run: npx --yes @redocly/cli@1 lint openapi.yaml --format=github-actions
 
+  license-compliance:
+    name: License compliance check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: npx license-checker --onlyAllow "$(node -e "const c=require('./.license-checker.json');console.log(c.allowedLicenses.join(';'))")" --excludePrivatePackages
+
   contracts:
     name: Contracts (fmt + clippy + test)
     runs-on: ubuntu-latest
@@ -128,14 +162,23 @@ jobs:
       - name: fmt
         run: cargo fmt --all -- --check
         working-directory: apps/contracts
+        env:
+          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
       - name: clippy
         run: cargo clippy --all-targets --all-features -- -D warnings
         working-directory: apps/contracts
+        env:
+          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
       - name: test
         run: cargo test --all
         working-directory: apps/contracts
+        env:
+          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
   proptest:
     name: Property-based tests (proptest)
@@ -177,3 +220,44 @@ jobs:
       - name: fuzz_vote (30 s)
         run: cargo fuzz run fuzz_vote -- -max_total_time=30 corpus/fuzz_vote
         working-directory: apps/contracts/fuzz
+
+  image-scan:
+    name: Docker image vulnerability scan (Trivy)
+    runs-on: ubuntu-latest
+    needs: web
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          docker build \
+            --file apps/web/Dockerfile \
+            --tag solarproof/web:${{ github.sha }} \
+            .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          image-ref: solarproof/web:${{ github.sha }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+          exit-code: '1'
+          ignore-unfixed: true
+
+      - name: Upload Trivy SARIF results as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-scan-results
+          path: trivy-results.sarif
+          retention-days: 30
+
+      - name: Upload SARIF to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif

.github/workflows/contracts-ci.yml

@@ -0,0 +1,48 @@
+name: Contracts CI
+
+on:
+  pull_request:
+    branches: [main, develop]
+    paths:
+      - "apps/contracts/**"
+      - ".github/workflows/contracts-ci.yml"
+  push:
+    branches: [main, develop]
+    paths:
+      - "apps/contracts/**"
+      - ".github/workflows/contracts-ci.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Rust contracts (fmt + clippy + test)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: "1.85.0"
+          targets: wasm32-unknown-unknown
+          components: rustfmt, clippy
+
+      - name: Cache Rust build artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: apps/contracts
+
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+        working-directory: apps/contracts
+
+      - name: Clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+        working-directory: apps/contracts
+
+      - name: Run tests
+        run: cargo test --all
+        working-directory: apps/contracts

.github/workflows/deploy-production.yml

@@ -0,0 +1,49 @@
+name: Deploy Production
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  ci:
+    name: CI gate
+    uses: ./.github/workflows/ci.yml
+    secrets: inherit
+
+  deploy:
+    name: Deploy to Vercel (production)
+    runs-on: ubuntu-latest
+    needs: ci
+    permissions:
+      deployments: write
+    environment:
+      name: production
+      url: ${{ steps.promote.outputs.url }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Vercel CLI
+        run: npm install -g vercel@latest
+
+      - name: Build & deploy preview (green)
+        id: deploy
+        env:
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+        run: |
+          url=$(vercel deploy --token "$VERCEL_TOKEN" --yes 2>&1 | tail -1)
+          echo "url=$url" >> "$GITHUB_OUTPUT"
+
+      - name: Promote to production
+        id: promote
+        env:
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+        run: |
+          vercel promote "${{ steps.deploy.outputs.url }}" \
+            --token "$VERCEL_TOKEN" --scope "$VERCEL_ORG_ID"
+          echo "url=${{ steps.deploy.outputs.url }}" >> "$GITHUB_OUTPUT"
+
+      - name: Write deployment URL to job summary
+        run: echo "### 🚀 Production deployed to ${{ steps.promote.outputs.url }}" >> "$GITHUB_STEP_SUMMARY"