feat: fix critical gaps — security, audit logging, uploads, CI/CD

.env.example

@@ -25,6 +25,14 @@ MINIO_BUCKET=quicktrust-evidence
 LITELLM_MODEL=gpt-4o-mini
 OPENAI_API_KEY=sk-your-key-here
 
+# SMTP Email (optional — notifications fall back to logging when not configured)
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASSWORD=
+SMTP_FROM_EMAIL=notifications@quicktrust.dev
+SMTP_USE_TLS=true
+
 # Frontend
 NEXT_PUBLIC_API_URL=http://localhost:8000
 NEXT_PUBLIC_KEYCLOAK_URL=http://localhost:8080

.github/workflows/ci.yml

@@ -0,0 +1,105 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  backend-lint:
+    name: Backend Lint
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: backend
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install ruff
+      - run: ruff check .
+      - run: ruff format --check .
+
+  backend-test:
+    name: Backend Tests
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: backend
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - run: pip install -e ".[dev]"
+      - run: pytest --tb=short -q
+
+  frontend-lint:
+    name: Frontend Lint & Type Check
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: pnpm
+          cache-dependency-path: frontend/pnpm-lock.yaml
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm lint
+      - run: pnpm exec tsc --noEmit
+
+  frontend-build:
+    name: Frontend Build
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: pnpm
+          cache-dependency-path: frontend/pnpm-lock.yaml
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build
+
+  docker-build:
+    name: Docker Build Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build backend image
+        run: docker build -t quicktrust-api --target production backend/
+      - name: Build frontend image
+        run: docker build -t quicktrust-web --target production frontend/
+
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install safety
+        run: pip install safety
+      - name: Check Python dependencies
+        run: cd backend && pip install -e . && safety check --output text || true
+        continue-on-error: true

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+        exclude: frontend/pnpm-lock.yaml
+      - id: check-merge-conflict
+      - id: detect-private-key
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: ruff
+        args: [--fix]
+        files: ^backend/
+      - id: ruff-format
+        files: ^backend/

Makefile

@@ -0,0 +1,69 @@
+.PHONY: help dev dev-backend dev-frontend build lint test test-backend test-frontend format migrate seed clean
+
+help: ## Show this help
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
+
+# === Development ===
+
+dev: ## Start all services via Docker Compose
+	docker compose up
+
+dev-backend: ## Start only the API service
+	docker compose up api
+
+dev-frontend: ## Start the frontend dev server locally
+	cd frontend && pnpm dev
+
+# === Build ===
+
+build: ## Build frontend for production
+	cd frontend && pnpm build
+
+docker-build: ## Build Docker images for backend and frontend
+	docker build -t quicktrust-api --target production backend/
+	docker build -t quicktrust-web --target production frontend/
+
+# === Quality ===
+
+lint: ## Run linters (backend + frontend)
+	cd backend && ruff check . && ruff format --check .
+	cd frontend && pnpm lint
+
+format: ## Auto-format code
+	cd backend && ruff format .
+	cd frontend && pnpm lint --fix
+
+test: test-backend test-frontend ## Run all tests
+
+test-backend: ## Run backend tests
+	cd backend && pytest --tb=short -q
+
+test-frontend: ## Run frontend type check
+	cd frontend && pnpm exec tsc --noEmit
+
+# === Database ===
+
+migrate: ## Run database migrations
+	cd backend && alembic upgrade head
+
+migrate-new: ## Create a new migration (usage: make migrate-new MSG="description")
+	cd backend && alembic revision --autogenerate -m "$(MSG)"
+
+seed: ## Seed the database with sample data
+	docker compose exec api python -m seeds.run_seeds
+
+# === Utilities ===
+
+clean: ## Clean up Docker volumes and build artifacts
+	docker compose down -v
+	rm -rf frontend/.next frontend/node_modules/.cache
+	rm -f backend/quicktrust.db
+
+logs: ## Tail all service logs
+	docker compose logs -f
+
+shell-api: ## Open a shell in the API container
+	docker compose exec api bash
+
+shell-db: ## Open a psql shell
+	docker compose exec postgres psql -U quicktrust -d quicktrust