Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,35 @@ on:
workflow_dispatch:

jobs:
lint-test:
name: Lint and Format Check
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: backend/package-lock.json

- name: Install backend dependencies
run: cd backend && npm ci

- name: Run ESLint
run: cd backend && npm run lint

- name: Run Prettier check
run: cd backend && npm run format:check

- name: Run tests
run: cd backend && npm test

code-quality:
name: Code Quality & Security
runs-on: ubuntu-latest
Expand Down
120 changes: 120 additions & 0 deletions .github/workflows/security-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
name: Security Scanning and SBOM

on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
# Run weekly on Monday at 2 AM UTC
- cron: '0 2 * * 1'
Comment on lines +8 to +10

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR description mentions scans running “Mondays 3AM EST”, but this workflow is scheduled for 0 2 * * 1 (2 AM UTC), which is not 3 AM America/New_York and may even run on Sunday evening in EST/EDT. Align the cron/timezone comment with the intended schedule (or adjust the cron) to avoid surprises.

Copilot uses AI. Check for mistakes.
workflow_dispatch:

jobs:
sbom-generation:
name: Generate SBOM
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install Syft
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Installing Syft via curl | sh from the main branch is a supply-chain risk and reduces reproducibility. Prefer a pinned version (e.g., a specific release artifact or a GitHub Action pinned to a tag/commit SHA) and verify checksums when downloading binaries.

Suggested change
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
set -euo pipefail
SYFT_VERSION="v1.6.0"
TARBALL="syft_${SYFT_VERSION#v}_linux_amd64.tar.gz"
CHECKSUMS_FILE="syft_${SYFT_VERSION#v}_checksums.txt"
curl -sSfL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/${TARBALL}" -o "${TARBALL}"
curl -sSfL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/${CHECKSUMS_FILE}" -o "${CHECKSUMS_FILE}"
grep " ${TARBALL}\$" "${CHECKSUMS_FILE}" | sha256sum -c -
sudo tar -xzf "${TARBALL}" -C /usr/local/bin syft

Copilot uses AI. Check for mistakes.

- name: Generate SBOM for backend
run: |
syft dir:./backend -o spdx-json=backend-sbom.spdx.json
syft dir:./backend -o cyclonedx-json=backend-sbom.cyclonedx.json

- name: Generate SBOM for frontend
run: |
syft dir:./frontend -o spdx-json=frontend-sbom.spdx.json
syft dir:./frontend -o cyclonedx-json=frontend-sbom.cyclonedx.json

- name: Upload SBOM artifacts
uses: actions/upload-artifact@v4
with:
name: sbom-reports
path: |
*-sbom.*.json
retention-days: 90

trivy-scan:
name: Trivy Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Run Trivy vulnerability scanner (filesystem)
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'

Comment on lines +57 to +65

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using aquasecurity/trivy-action@master is not pinned and can change unexpectedly (supply-chain/reproducibility risk). Pin to a stable release tag or, ideally, a full commit SHA.

Copilot uses AI. Check for mistakes.
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'

- name: Run Trivy vulnerability scanner (JSON output)
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'json'
output: 'trivy-results.json'

Comment on lines +72 to +79

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Second Trivy invocation is also using aquasecurity/trivy-action@master and should be pinned to a release tag or commit SHA for reproducibility/supply-chain safety.

Copilot uses AI. Check for mistakes.
- name: Upload Trivy JSON results
uses: actions/upload-artifact@v4
if: always()
with:
name: trivy-scan-results
path: trivy-results.json
retention-days: 90

dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'

- name: Audit backend dependencies
run: |
cd backend
npm audit --audit-level=moderate --json > ../backend-audit.json || true

- name: Audit frontend dependencies
run: |
cd frontend
npm audit --audit-level=moderate --json > ../frontend-audit.json || true

- name: Upload audit results
uses: actions/upload-artifact@v4
with:
name: npm-audit-results
path: |
backend-audit.json
frontend-audit.json
retention-days: 30
4 changes: 4 additions & 0 deletions .husky/pre-commit
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Husky hook sources .husky/_/husky.sh, but the PR doesn’t add the .husky/_ directory (including husky.sh) that husky install generates, so the hook will fail when invoked. Either commit the generated .husky/_ contents (as Husky expects) or adjust the setup so prepare installs hooks into the location that matches the committed hook files.

Suggested change
. "$(dirname -- "$0")/_/husky.sh"
HUSKY_SH="$(dirname -- "$0")/_/husky.sh"
if [ -f "$HUSKY_SH" ]; then
. "$HUSKY_SH"
fi

Copilot uses AI. Check for mistakes.

cd backend && npx lint-staged
152 changes: 139 additions & 13 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,29 @@ This repository integrates with:
- n8n webhook URL
- Cloudflare API token

### Optional Heavy Dependencies

This project supports optional heavy ML/AI dependencies via npm's `optionalDependencies`. These are not installed by default to keep the base installation lightweight:

- **@huggingface/transformers** - Hugging Face transformers for local ML models
- **@pinecone-database/pinecone** - Pinecone vector database client
- **weaviate-ts-client** - Weaviate vector database client
- **@opentelemetry/*** - OpenTelemetry instrumentation (see Telemetry section)
Comment on lines +61 to +66

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

npm installs optionalDependencies by default; they’re only “optional” in the sense that install failures don’t abort. The README currently states these deps are “not installed by default”, which is inaccurate and could mislead users about install size/behavior; update the text/commands accordingly (e.g., document --omit=optional for a lightweight install).

Copilot uses AI. Check for mistakes.

**Note**: ChromaDB is available separately but may require additional configuration due to OpenAI SDK version compatibility.

To install with optional dependencies:
```bash
cd backend
npm install --include=optional
```

To install without optional dependencies (default):
```bash
cd backend
npm install
```
Comment on lines +70 to +80

Copilot AI Feb 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

npm install --include=optional is effectively the default behavior for npm, while npm install will include optionalDependencies unless --omit=optional is used. The install instructions here are reversed/misleading; update the commands so users who want a minimal install use --omit=optional (and optionally mention --include=optional only if you also document --omit).

Copilot uses AI. Check for mistakes.

### Quick Start - Full Stack Application

For detailed setup instructions, see [FULLSTACK_SETUP.md](FULLSTACK_SETUP.md)
Expand All @@ -80,6 +103,52 @@ npm start

Visit `http://localhost:3000` to access the application.

### Configuration Validation

The backend uses typed configuration validation with Zod to ensure all environment variables are correctly set before the application starts:

```bash
# Validate configuration without starting the server
cd backend
npm run build
npm run test:smoke
```

Configuration schema validates:
- Port numbers are valid (1-65535)
- Required API keys are present
- Database connection strings are properly formatted
- Environment is one of: development, production, test

If validation fails, detailed error messages will indicate which configuration values are missing or invalid.

### Telemetry (Optional)

The application supports optional OpenTelemetry instrumentation for distributed tracing and monitoring. Telemetry is **disabled by default** and requires optional dependencies.

To enable telemetry:

1. Install optional dependencies:
```bash
cd backend
npm install --include=optional
```

2. Set environment variables in `.env`:
```env
TELEMETRY_ENABLED=true
TELEMETRY_SERVICE_NAME=time-machines-backend
OTEL_EXPORTER_OTLP_ENDPOINT=http://your-otlp-collector:4318/v1/traces
```

Supported telemetry backends:
- Jaeger
- Zipkin
- Any OTLP-compatible collector
- Cloud providers (AWS X-Ray, Google Cloud Trace, Azure Monitor)

**Note**: No vendor lock-in - uses OpenTelemetry standard protocol.

### Quick Start - Docker

```bash
Expand Down Expand Up @@ -118,10 +187,17 @@ docker-compose logs -f

### CI/CD Pipeline
Runs on every push and pull request:
- Code quality and security scanning
- CodeQL analysis
- Dependency review
- Integration health checks
- **Lint and Format Check** - ESLint and Prettier validation
- **Code quality and security scanning** - CodeQL analysis
- **Dependency review** - Automated dependency vulnerability checks
- **Integration health checks** - Validates external service connections

### Security Scanning and SBOM
Automated security scanning with SBOM generation:
- **Trivy scanning** - Vulnerability detection in dependencies and code
- **SBOM generation** - Software Bill of Materials in SPDX and CycloneDX formats
- **npm audit** - Regular dependency vulnerability scans
- Runs weekly and on pull requests to main branch

### Cross-Repository Integration
Enables synchronization across repositories:
Expand All @@ -130,10 +206,13 @@ Enables synchronization across repositories:
- Coordinate updates across the ecosystem

### Dependency Management
Weekly automated checks:
- Dependency updates
- Security audits
- Cross-repository synchronization
Automated dependency updates via Renovate:
- **Renovate bot** - Automated dependency updates ([renovate.json](renovate.json))
- Weekly update schedule (Mondays before 3 AM EST)
- Grouped updates for heavy ML/AI dependencies
- Security vulnerability alerts with high priority
- Auto-merge for patch updates on dev dependencies
- See [Renovate Dashboard](https://app.renovatebot.com/dashboard) for update status

## 💡 Usage Examples

Expand Down Expand Up @@ -163,6 +242,40 @@ We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) f
- Integration development
- Submitting pull requests

### Development Setup

1. **Install dependencies**:
```bash
cd backend
npm install
```

2. **Set up pre-commit hooks** (optional but recommended):
```bash
cd backend
npm run prepare # Installs Husky hooks
```

Pre-commit hooks will automatically:
- Run ESLint to check for code issues
- Run Prettier to format code
- Run on staged files only (via lint-staged)

3. **Run linting and formatting**:
```bash
cd backend
npm run lint # Check for issues
npm run lint:fix # Fix issues automatically
npm run format # Format code with Prettier
```

4. **Run tests**:
```bash
cd backend
npm test # Run all tests
npm run test:smoke # Run smoke tests (config validation)
```

## 📊 Project Status

![CI Status](https://github.com/lippytm/Time-Machines-Builders-/actions/workflows/ci.yml/badge.svg)
Expand All @@ -176,11 +289,24 @@ We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) f
## 🔒 Security

This project uses multiple security measures:
- CodeQL analysis for vulnerabilities
- Trivy container scanning
- Dependency review on pull requests
- Secret scanning enabled
- Regular security audits
- **CodeQL analysis** - Automated code vulnerability detection
- **Trivy container scanning** - Filesystem and dependency scanning
- **SBOM generation** - Software Bill of Materials for transparency
- SPDX format for compliance
- CycloneDX format for tooling integration
- Available as CI artifacts (90-day retention)
- **Dependency review** - Automated checks on pull requests
- **Secret scanning** - Prevents credential leaks
- **Renovate** - Automated dependency updates with security alerts
- **npm audit** - Regular dependency vulnerability scans
- **Pre-commit hooks** - Lint and format checks before commit

### Security Scanning

View security scan results:
- **GitHub Security tab** - CodeQL and Trivy SARIF results
- **Actions artifacts** - SBOM files and detailed scan reports
- **Renovate Dashboard** - Dependency update status

Report security issues via GitHub Security Advisories.

Expand Down
6 changes: 6 additions & 0 deletions backend/.env.example
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,9 @@ MONGODB_URI=mongodb://localhost:27017/timemachines

# CORS Configuration
CORS_ORIGIN=http://localhost:3000

# Telemetry Configuration (optional)
# Set to 'true' to enable OpenTelemetry instrumentation
TELEMETRY_ENABLED=false
TELEMETRY_SERVICE_NAME=time-machines-backend
# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318/v1/traces
25 changes: 25 additions & 0 deletions backend/.eslintrc.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
module.exports = {
parser: '@typescript-eslint/parser',
parserOptions: {
ecmaVersion: 2020,
sourceType: 'module',
project: './tsconfig.json',
},
extends: [
'eslint:recommended',
'plugin:@typescript-eslint/recommended',
'plugin:prettier/recommended',
],
plugins: ['@typescript-eslint', 'prettier'],
rules: {
'prettier/prettier': 'error',
'@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
'@typescript-eslint/explicit-module-boundary-types': 'off',
'@typescript-eslint/no-explicit-any': 'warn',
},
env: {
node: true,
es2020: true,
},
ignorePatterns: ['dist', 'node_modules', '*.js'],
};
4 changes: 4 additions & 0 deletions backend/.prettierignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
dist
node_modules
coverage
*.log
Loading
Loading