Cameroon-Developer-Network · chojuninengu · Apr 28, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,7 +4,7 @@ on:
   pull_request:
     branches: [main, develop]
   push:
-    branches: [develop]
+    branches: [main, develop]
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -114,10 +114,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
       - name: Rust audit
-        uses: rustsec/audit-check@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+        run: cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2026-0097
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -132,3 +133,42 @@ jobs:
       - name: npm audit (web)
         working-directory: apps/web
         run: pnpm install --frozen-lockfile && pnpm audit --audit-level=high
+
+  # ─── Deploy (Latest) ──────────────────────────────────────────────────────
+  deploy:
+    name: Deploy — Build & Push (Latest)
+    needs: [rust, web, vscode, audit]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push API (latest)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: crates/server/Dockerfile
+          push: true
+          tags: ghcr.io/${{ github.repository }}-api:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build and push Web (latest)
+        uses: docker/build-push-action@v5
+        with:
+          context: ./apps/web
+          push: true
+          tags: ghcr.io/${{ github.repository }}-web:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      packages: write
     steps:
       - uses: actions/checkout@v4
 
@@ -30,3 +31,59 @@ jobs:
           generate_release_notes: true
           draft: false
           prerelease: ${{ contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
+
+  docker-publish:
+    name: Build & publish images
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (API)
+        id: meta-api
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}-api
+          tags: |
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ !contains(github.ref, '-') }}
+
+      - name: Build and push Zenvra API
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: crates/server/Dockerfile
+          push: true
+          tags: ${{ steps.meta-api.outputs.tags }}
+          labels: ${{ steps.meta-api.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Extract metadata (Web)
+        id: meta-web
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}-web
+          tags: |
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable=${{ !contains(github.ref, '-') }}
+
+      - name: Build and push Zenvra Web
+        uses: docker/build-push-action@v5
+        with:
+          context: ./apps/web
+          push: true
+          tags: ${{ steps.meta-web.outputs.tags }}
+          labels: ${{ steps.meta-web.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.gitignore b/.gitignore
@@ -12,9 +12,11 @@ node_modules
 .next
 out
 dist
+build
 
 # VS Code extension output
 extensions/vscode/out
+extensions/vscode/*.vsix
 
 # OS
 .DS_Store
@@ -32,3 +34,6 @@ coverage
 .idea
 *.swp
 *.swo
+*~
+*.tmp
+deploy-ghcr.sh
diff --git a/CONFIG_GUIDE.md b/CONFIG_GUIDE.md
@@ -0,0 +1,75 @@
+# Zenvra Configuration & Hardcoded Values
+
+## Current State
+
+### ✅ Already Configurable via Environment Variables
+
+1. **Backend API URL** — `PUBLIC_API_URL` (default: `http://localhost:8080`)
+   - Used in: `apps/web/src/lib/api.ts`, `apps/web/src/lib/stores/aiConfig.svelte.ts`
+   - Allows pointing to different API endpoints (local dev, staging, production)
+
+2. **AI Provider Configuration** — Persisted in localStorage
+   - **Provider**: anthropic, openai, google, custom (user-selected)
+   - **API Key**: User-provided via Settings UI
+   - **Model**: User-selected from available models for provider
+   - **Endpoint**: Optional, user-provided for custom providers
+   - Allows bring-your-own-key pattern ✓
+
+3. **Database URL** — `DATABASE_URL` in `.env` (for server)
+   - Allows local dev, Docker, or cloud databases
+
+4. **CVE Data Feeds** — `NVD_API_KEY` in `.env`
+   - Synced on server startup or manual trigger
+
+### ⚠️ Hardcoded Values to Consider
+
+1. **Server Port** — `8080` (hardcoded in server)
+   - Suggestion: Make configurable via `PORT` env var
+
+2. **Web Dev Port** — `5173` (Vite default)
+   - Vite automatically uses next available port if occupied
+
+3. **Database Credentials** — `postgres:postgres@localhost:5433/zenvra`
+   - Should be parameterized in `.env`
+
+4. **Scan Engines** — Hardcoded in CLI/server (sast, sca, secrets, ai_code)
+   - Already configurable per-request via `--disable` flag and API
+
+5. **Severity Thresholds** — Default `low` in CLI
+   - Already configurable via `--severity` flag
+
+### 📋 Recommended Next Steps
+
+1. **Server** — Add `PORT` and `HOST` env vars
+2. **Web** — Consider `PUBLIC_APP_NAME`, `PUBLIC_VERSION` for UI
+3. **Database** — Already parametrized in `.env`
-3. **Database** — Already parametrized in `.env`
+3. **Database** — Already parameterized in `.env`
-3. **Database** — Already parametrized in `.env`
+3. **Database** — Already parameterized in `.env`
+4. **AI Config** — Already per-user via localStorage + Settings UI
+
+## How to Use Development Environment
+
+```bash
+# Terminal 1: Start PostgreSQL + Redis
+docker compose up -d postgres redis
+
+# Terminal 2: Start API Server
+set -a && source .env && set +a
+cargo run -p zenvra-server
+
+# Terminal 3: Sync CVE data
+cargo run -p zenvra-server -- sync
+
+# Terminal 4: Start Web Frontend
+cd apps/web
+pnpm dev
+
+# Open http://localhost:5174 in browser
-# Open http://localhost:5174 in browser
+# Open http://localhost:5173 in browser
-# Open http://localhost:5174 in browser
+# Open http://localhost:5173 in browser
+```
+
+## API Endpoints
+
+- `/health` — Health check
+- `/api/v1/scan` — Submit code scan (returns scan ID)
+- `/api/v1/scan/:id/events` — Stream scan results via SSE
+- `/api/v1/history` — Get scan history
+- `/api/v1/sync` — Trigger manual CVE sync
+- `/api/v1/ai/models` — Fetch available AI models for provider