v1.8.0

[devakesu]

Description

feat: v1.8.0 - build transparency, security hardening, and documentation overhaul

BREAKING CHANGES:

• Documentation structure reorganized: 8 separate docs merged into 2 comprehensive guides

FEATURES:

• Add /build-info page with terminal-style UI for build provenance transparency

  • Display build metadata (version, commit SHA, timestamp, GitHub run details)
  • Show security audit status (Trivy scan results)
  • Show SLSA attestation status with links to GitHub artifacts
  • Add direct links to source code, build logs, attestations, and security scorecard
  • Include educational "What is Build Provenance?" section
  • Handle dev/production modes with appropriate placeholders

• Enhance /api/provenance endpoint with 7 new fields:

  • github_repo: Repository identifier from build context
  • github_run_id: GitHub Actions run ID for traceability
  • github_run_number: Human-readable run number
  • build_timestamp: ISO 8601 build timestamp
  • audit_status: Trivy scan result (PASSED/SKIPPED/UNKNOWN)
  • signature_status: Attestation status (SIGNED/UNSIGNED/SLSA_PROVENANCE_GENERATED)
  • image_digest: Docker image digest (fallback to commit SHA in dev)

• Add dependency security overrides with full CVE documentation:

  • tar@^7.5.6: Fix path traversal vulnerabilities (5 CVEs from 2021)
  • fast-xml-parser@^5.3.4: Fix XXE and prototype pollution
  • js-yaml@^4.1.1: Fix code execution vulnerability (CVE-2021-23343)
  • glob@^13.0.4: Performance and security hardening
  • source-map@^0.7.6: Dependency resolution conflicts
  • Selective overrides for @Redocly packages: ajv@^8.18.0 (CVE-2025-69873 ReDoS)

PERFORMANCE:

• Enable gzip compression in Next.js config (70-90% size reduction)
• Add Node.js memory limit: 2.5GB heap for 4GB server optimization
• Configure rate limiting: 30 req/10s general, 5 req/60s auth endpoints
• Existing protections: Circuit breaker, request deduplication, max 3 concurrent Ezygo calls

DOCUMENTATION:

• Create docs/DEVELOPER_GUIDE.md (701 lines):

  • Consolidates: VERSIONING.md, GPG_SETUP.md, GPG_QUICK_START.md, COSIGN_VERIFICATION.md, BOT_PAT_SETUP.md, BUILD_PERFORMANCE.md
  • Comprehensive development setup, versioning, release process, and verification guides
  • All version references use vX.Y.Z placeholders to prevent outdated examples

• Create docs/EZYGO_INTEGRATION.md (363 lines):

  • Consolidates: EZYGO_RATE_LIMITING.md, EZYGO_VERIFICATION.md
  • Documents three-layer protection system for Ezygo API
  • Performance characteristics and verification procedures

• Enhance SECURITY.md (+235 lines):

  • Add "Dependency Security Overrides" section documenting all 6 overrides
  • Add "Known Issues" section with CVE-2025-69873 mitigation details for ESLint
  • Document accepted dev-only trade-off: ESLint dependencies retain older ajv
  • Document 7-day security patch SLA and maintenance policy
  • Update verification examples to use :latest tag instead of :main
  • Replace hardcoded versions with vX.Y.Z placeholders

• Update README.md:

  • Add build-info/ route to project structure
  • Add "Build Transparency 🔍" to key features
  • Update feature descriptions

• Consolidate CONTRIBUTING.md:

  • Remove redundant sections covered by DEVELOPER_GUIDE.md
  • Streamline contribution workflow
  • Update version reference examples

FIXES:

• Update footer link from /api/provenance to /build-info with "verified" label
• Fix sitemap tests after adding /build-info route (5 URLs total, different priorities)
• Remove unused asset: src/assets/bunkr.svg (0 references found)
• Update Docker image tag references from :main to :latest (aligns with release.yml)
• Add tracking-wide class to build-info heading for better letter spacing
• Fix pre-commit ESLint failure by removing global ajv override (selective overrides only)

BUILD:

• Update Dockerfile with 6 new build args (removed IMAGE_DIGEST as post-build only):
  • GITHUB_REPOSITORY, GITHUB_RUN_ID, GITHUB_RUN_NUMBER
  • BUILD_TIMESTAMP, AUDIT_STATUS, SIGNATURE_STATUS
• Update .github/workflows/release.yml:
  • Add 6 new build args to Docker build step
  • Fix IMAGE_NAME secret masking by using environment variable pattern
• Add NODE_OPTIONS="--max-old-space-size=2560" in Dockerfile (lines 207-209)
• Update .env and .example.env with rate limiting configuration

DEPENDENCIES:

• npm audit: 10 moderate vulnerabilities (all in dev-only ESLint dependencies)
• ajv <8.18.0 in ESLint: Accepted trade-off (global override breaks ESLint)
• Production dependencies: 0 vulnerabilities

DATABASE:

• Update Supabase migration: 20260212090500 → 20260217174834
• Add check_225_attendance_limit trigger function
• Update RLS policies and table structures

REFACTOR:

• Update all components to use Link from 'next/link' instead of deprecated imports
• Improve type definitions in assets.d.ts
• Standardize error handling across dashboard, notifications, and tracking clients
• Update UI component prop types for better type safety

TESTS:

• Update sitemap tests to reflect new /build-info route
• Fix test expectations for different page priority levels

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring
• Performance improvement
• Test updates

Version Bump

• Version automatically bumped by workflow (same-repo PRs)
• Version manually bumped using node scripts/bump-version.js (fork PRs)
• Version already up-to-date (no bump needed)

[github-actions]

✅ Version already bumped to v1.8.0

No automatic version bump needed - the PR already includes a version update.

This PR is ready for review! 🚀

[Copilot]

Pull request overview

This PR introduces v1.8.0 with build transparency features, documentation consolidation, and extensive Tailwind CSS refactoring. However, it contains critical syntax errors that will break visual styling across the entire application.

Changes:

• Added /build-info page and enhanced /api/provenance endpoint with 7 new fields for build transparency
• Consolidated 8 documentation files into 2 comprehensive guides (DEVELOPER_GUIDE.md and EZYGO_INTEGRATION.md)
• Attempted Tailwind CSS v4 syntax migration but introduced systematic errors across 15+ component files

Reviewed changes

Copilot reviewed 51 out of 54 changed files in this pull request and generated 28 comments.

Show a summary per file

File	Description
src/app/(public)/build-info/page.tsx	New build transparency page with terminal UI (391 lines)
src/app/api/provenance/route.ts	Enhanced with 7 new build metadata fields
docs/DEVELOPER_GUIDE.md	New consolidated development guide (701 lines)
docs/EZYGO_INTEGRATION.md	New EzyGo API integration guide (402 lines)
docs/*.md (deleted)	8 documentation files consolidated
src/components/**/*.tsx	Tailwind CSS refactoring with critical syntax errors
src/components/ui/*.tsx	UI component updates with invalid Tailwind classes
Dockerfile	Added 6 build args and Node.js memory limit configuration
.github/workflows/release.yml	Added build metadata args and secret masking fix
package.json	Version bump to 1.8.0 and dependency updates
.example.env	Updated rate limiting and added new configuration options
supabase/migrations/*.sql	Database schema updates for triggers
SECURITY.md	Enhanced with dependency overrides documentation (+235 lines)
README.md	Updated with build-info route and improved structure

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devakesu]

@copilot open a new pull request to apply changes based on the unresolved comments in this thread. The Tailwind syntaxes are valid and do no require any changes.

[Copilot]

@devakesu I've opened a new pull request, #399, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 51 out of 54 changed files in this pull request and generated 57 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devakesu]

@copilot open a new pull request to apply changes based on the unresolved comments in this thread The Tailwind syntaxes are valid and do no require any changes.

[Copilot]

@devakesu I've opened a new pull request, #400, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 51 out of 54 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devakesu]

@copilot open a new pull request to apply changes based on the comments in this thread The Tailwind syntaxes are valid and do no require any changes.

[Copilot]

@devakesu I've opened a new pull request, #404, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 51 out of 54 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 63 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 63 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devakesu]

@copilot open a new pull request to apply changes based on the comments in this thread

[Copilot]

@devakesu I've opened a new pull request, #414, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 63 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devakesu]

@copilot Fix failing unit-tests

⎯⎯⎯⎯⎯⎯⎯ Failed Tests 1 ⎯⎯⎯⎯⎯⎯⎯

 FAIL  src/components/legal/__tests__/AcceptTermsForm.test.tsx > AcceptTermsForm > Link Interaction > should stop propagation when clicking terms link
Error: expect(element).not.toBeChecked()

Received element is checked:
  <button
  aria-checked="true"
  aria-labelledby="terms-label"
  class="peer dark:bg-input/30 data-[state=checked]:text-primary-foreground dark:data-[state=checked]:bg-primary focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive size-4 shrink-0 rounded-lg border shadow-xs transition-shadow outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 border-zinc-600 data-[state=checked]:bg-purple-600 data-[state=checked]:border-purple-600"
  data-slot="checkbox"
  data-state="checked"
  id="terms"
  role="checkbox"
  type="button"
  value="on"
/>
 ❯ src/components/legal/__tests__/AcceptTermsForm.test.tsx:354:28
    352|       const checkbox = screen.getByRole('checkbox');
    353|       // Checkbox should remain unchecked since we clicked the link, n…
    354|       expect(checkbox).not.toBeChecked();
       |                            ^
    355|     });
    356|   });

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[1/1]⎯


 Test Files  1 failed | 31 passed | 1 skipped (33)
      Tests  1 failed | 521 passed | 4 todo (526)
   Start at  16:49:02
   Duration  21.96s (transform 2.03s, setup 6.98s, import 5.35s, tests 14.13s, environment 25.40s)


Error: Error: expect(element).not.toBeChecked()

Received element is checked:
  <button
  aria-checked="true"
  aria-labelledby="terms-label"
  class="peer dark:bg-input/30 data-[state=checked]:text-primary-foreground dark:data-[state=checked]:bg-primary focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive size-4 shrink-0 rounded-lg border shadow-xs transition-shadow outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 border-zinc-600 data-[state=checked]:bg-purple-600 data-[state=checked]:border-purple-600"
  data-slot="checkbox"
  data-state="checked"
  id="terms"
  role="checkbox"
  type="button"
  value="on"
/>
 ❯ src/components/legal/__tests__/AcceptTermsForm.test.tsx:354:28


Error: Process completed with exit code 1.

[Copilot]

@devakesu I've opened a new pull request, #415, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 63 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@devakesu I've opened a new pull request, #416, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 63 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.