28 Commits

Author SHA1 Message Date
lspassos1
c499154937 fix(ci): grant pull-requests write permission in auto-label workflow (#60)
Maintainer triage on March 8, 2026: merged after manual label fix and green required checks.
2026-03-08 01:13:14 -03:00
Davi Rezende
461ff067ca fix(ci): use lowercase image prefix for OCI compliance (#49) 2026-03-05 01:02:40 -03:00
Davi Rezende
d4179af665 feat(frontend/security): add npm audit to CI and document env guidelines (#41)
* chore(ci): add npm audit job for frontend deps in security workflow

* docs(frontend/security): document VITE env and JWT storage in CONTRIBUTING

* fix(frontend): resolve high-severity npm audit (minimatch, rollup)

- npm audit fix for ReDoS in minimatch and path traversal in rollup
- Unblocks Security / NPM Audit (frontend) CI check per review

Made-with: Cursor

---------

Co-authored-by: Bruno César <bruno@sekai.cx>
2026-03-03 21:27:54 -03:00
Davi Rezende
d889569a78 feat(ci): add docker-ci workflow for GHCR and optional image-based deploy (#47)
* feat(ci): add docker-ci workflow for Buildx and GHCR push

* refactor(docker): use per-service builds in root docker-compose

* refactor(etl): use uv and uv.lock in ETL Dockerfile

* fix(api): add uv.lock to API Dockerfile for reproducible builds

* feat(deploy): add optional GHCR image pull and prod images override

* refactor(docker): use uv in root Dockerfile etl stage, document canonical Dockerfiles

* chore(docker): extend .dockerignore for build context

* docs: add Docker Compose start option to README
2026-03-03 21:26:32 -03:00
Bruno César
add44821e8 sync: upstream convergence 2026-03-02
Co-authored-by: bruno cesar <brunoclz@brunos-MacBook-Pro.local>
2026-03-02 03:51:26 -03:00
AbraaoAlves
2c2b32d0c5 feat: Update PR label from description template (#27)
* feat: update PR label from template

- Search the PR text for checkboxes marked in the format `[x] release:...`
- Only accepts these labels (the same as the pull_request_template.md template): release:major, release:feature, release:patterns, release:api, release:data, release:privacy, release:fix, release:docs, release:infra, release:security

- The job fails if more than one release:* is checked
- Removes other old release:* from the PR and adds only the chosen one (keeps "exactly one" in sync)

* fix(ci): run auto-labeler on pull_request_target

---------

Co-authored-by: bruno cesar <brunoclz@brunos-MacBook-Pro.local>
2026-03-01 22:19:06 -03:00
Bruno César
9bad9beb28 feat: add bootstrap-all orchestration and public trust hardening (#25)
Co-authored-by: bruno cesar <brunoclz@brunos-MacBook-Pro.local>
2026-03-01 21:17:32 -03:00
bruno cesar
0800806fe9 ci: improve feedback speed with concurrency and shared quality scripts 2026-03-01 19:25:30 -03:00
Bruno César
4db4307888 fix: remove linear audit from PR governor and tolerate fork comments (#13)
Co-authored-by: bruno cesar <brunoclz@brunos-MacBook-Pro.local>
2026-03-01 18:48:51 -03:00
Bruno César
262defc6e2 feat: add claude PR governor with deterministic merge gate (#9)
Co-authored-by: bruno cesar <brunoclz@brunos-MacBook-Pro.local>
2026-03-01 18:08:04 -03:00
bruno cesar
4f822b3bd4 docs+ci: require explicit pattern-level release details 2026-03-01 17:54:13 -03:00
bruno cesar
35275d8b2b feat: port 8 public-safe patterns and release system 2026-03-01 17:38:03 -03:00
bruno cesar
6c088a1f2e refactor: rename icarus namespace to bracc and clean public identity 2026-03-01 13:52:40 -03:00
bruno cesar
fc23ff954f chore(public): rename public repo references to br-acc 2026-03-01 12:26:15 -03:00
bruno cesar
91f211394a refactor(public): ship full public edition with patterns disabled 2026-03-01 02:05:05 -03:00
bruno cesar
24cd427209 ci(api): use community tier defaults in public repo 2026-03-01 00:43:38 -03:00
bruno cesar
685f5ccf5e open-core: split intelligence layer and harden public snapshot boundary 2026-03-01 00:24:26 -03:00
bruno cesar
d7e6e1373c compliance: add legal-ethics protection pack and CI gate 2026-02-28 23:30:12 -03:00
bruno cesar
29247cc005 ci: gate integration tests behind repo variable 2026-02-28 21:25:40 -03:00
bruno cesar
989e81cf20 release: add public snapshot tooling docs and privacy gates 2026-02-28 21:21:01 -03:00
bruno cesar
2adb3c9350 Fix security workflow pip-audit export to exclude local project 2026-02-28 14:33:51 -03:00
bruno cesar
a4451e7c05 Stabilization 10/10: security gates, neo4j db pinning, and source governance closure 2026-02-28 14:31:54 -03:00
bruno cesar
ddd4f87a0f Fix CI dependency install to include dev extras 2026-02-27 01:01:13 -03:00
bruno cesar
d9b0e71bfb Document private-repo branch protection limits and add CODEOWNERS fallback 2026-02-27 00:38:49 -03:00
bruno cesar
51928dd572 Prepare first GitHub push: readiness, security and Linear-first setup 2026-02-27 00:28:58 -03:00
bruno cesar
13fc81b8cf Harden production deployment — memory tuning, backups, monitoring
- .env.example: document Neo4j memory settings for 40M+ node production
- docker-compose.prod.yml: remove misleading VITE_API_URL runtime env
  (Vite bakes env at build time; Caddy proxies relative paths correctly)
- deploy.sh: health check through Caddy (HTTPS) instead of direct API port
- deploy.yml: pin appleboy/ssh-action to commit hash (supply-chain safety)
- backup-cron.sh: installer for daily Neo4j dump backup at 03:00 UTC
- snapshot-volume.sh: Hetzner Cloud volume snapshot via hcloud CLI
- healthcheck-cron.sh: uptime monitor every 5 min with webhook alerts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 14:08:17 -03:00
bruno cesar
393e7dc3f0 Phase 6: Auth, integration tests, deployment, ETL rewrite, frontend polish
Auth: JWT auth with python-jose + passlib, invite-code registration,
user model + 3 Cypher queries, auth router, owner-scoped investigations.
Rate limiting: slowapi on auth endpoints.

Integration tests: testcontainers-based tests for entity, graph, search.

Deployment: docker-compose.prod.yml, Caddyfile, backup + deploy scripts,
GitHub Actions deploy workflow, deploy docs.

ETL rewrite: CNPJ pipeline handles real Receita Federal CSV layout (37 cols),
chunked file reading, proper field mapping. Download + explore scripts.
Test fixtures with real CSV samples.

Frontend polish: Spinner component, responsive CSS improvements across
all pages, better navigation, visual refinements.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 04:59:39 -03:00
bruno cesar
f5f825c8bd Phase 5: Polish — security fixes, code review fixes, CI, README
Security: constrain tag entity match, mask password in seed script,
enforce graph depth + LIMIT 500, shared PEP_ROLES constant.
Code quality: fix SearchResponse field mismatch, PATCH vs PUT,
addEntity URL, replace assert with RuntimeError, extract inline
Cypher, add model field length limits, fix i18n in Zustand store,
neutrality fix in API description.
Infra: GitHub Actions CI (api, etl, frontend, neutrality audit).
Docs: bilingual README (PT-BR + EN).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 03:52:59 -03:00