feat(security): comprehensive security scanning (SAST, SCA, SBOM, DAST, coverage)

.github/actions/pnpm-setup/action.yml

@@ -0,0 +1,49 @@
+name: Setup Node + pnpm
+description: >-
+  Composite action that installs pnpm, sets up Node with the pnpm store cached,
+  and runs `pnpm install --frozen-lockfile` at the repo root. Used across CI,
+  CD, and security workflows to keep setup logic in one place.
+
+inputs:
+  node-version:
+    description: Node.js version
+    required: false
+    default: "22"
+  install:
+    description: Whether to run `pnpm install --frozen-lockfile` after setup
+    required: false
+    default: "true"
+  ignore-scripts:
+    description: Pass --ignore-scripts to pnpm install (faster, skips postinstalls)
+    required: false
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Install pnpm
+      uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: 'pnpm'
+
+    - name: Install dependencies
+      if: inputs.install == 'true'
+      shell: bash
+      # SECURITY: pass inputs through env rather than interpolating them
+      # into the shell body. Direct `${{ inputs.* }}` interpolation is a
+      # GHA command-injection vector even for composite actions (a caller
+      # workflow could pass a crafted value); env-var indirection is the
+      # standard mitigation.
+      env:
+        IGNORE_SCRIPTS: ${{ inputs.ignore-scripts }}
+      run: |
+        set -euo pipefail
+        if [ "${IGNORE_SCRIPTS:-false}" = "true" ]; then
+          pnpm install --frozen-lockfile --ignore-scripts
+        else
+          pnpm install --frozen-lockfile
+        fi

.github/codeql/codeql-config.yml

@@ -0,0 +1,23 @@
+name: "Enclosed CodeQL config"
+
+# Use extended query suites for deeper coverage than the default
+queries:
+  - uses: security-extended
+  - uses: security-and-quality
+
+paths:
+  - packages
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/dist"
+  - "**/dist-*"
+  - "**/.output"
+  - "**/.nuxt"
+  - "**/.nitro"
+  - "**/.wrangler"
+  - "**/coverage"
+  - "**/*.test.ts"
+  - "**/*.spec.ts"
+  - "**/*.e2e.test.ts"
+  - "packages/docs"

.github/dependabot.yml

@@ -0,0 +1,104 @@
+version: 2
+updates:
+  # Keep GitHub Actions pinned and up-to-date.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    groups:
+      actions-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Docker base images (node:22-slim / node:22-alpine).
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(docker)"
+      include: "scope"
+
+  # npm security-only updates across every workspace package.
+  # Renovate handles day-to-day version bumps; Dependabot's role here is to
+  # raise CVE fixes quickly (daily cadence) via GitHub's native security
+  # advisory integration. open-pull-requests-limit: 0 disables version PRs,
+  # so only vulnerability-driven PRs are created, avoiding overlap with
+  # Renovate.
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/app-client"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/app-server"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/cli"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/crypto"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/lib"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/docs"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 0
+    labels:
+      - "dependencies"
+      - "security"

.github/workflows/cd-app-prod.yaml

@@ -5,6 +5,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
+concurrency:
+  # Never cancel production deploys mid-flight; serialize them instead.
+  group: cd-app-prod
+  cancel-in-progress: false
+
 jobs:
   publish-app-prod:
     runs-on: ubuntu-latest

.github/workflows/cd-docker-release.yaml

@@ -35,6 +35,11 @@ permissions:
   contents: read
   packages: write
 
+concurrency:
+  # Serialize releases — never cancel a publish in-flight.
+  group: cd-docker-release-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   publish-crypto:
     name: Publish @enclosed/crypto to npm

.github/workflows/cd-preview-build.yaml

@@ -5,6 +5,13 @@ on:
     pull_request:
       types: [opened, synchronize]
 
+permissions:
+  contents: read
+
+concurrency:
+  group: cd-preview-build-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build-app-preview:
     runs-on: ubuntu-latest

.github/workflows/cd-preview-deploy.yaml

@@ -12,6 +12,10 @@ permissions:
   contents: read
   pull-requests: write
 
+concurrency:
+  group: cd-preview-deploy-${{ github.event.workflow_run.head_branch }}
+  cancel-in-progress: true
+
 jobs:
   deploy-app-preview:
     runs-on: ubuntu-latest

.github/workflows/ci-app-client.yaml

@@ -2,9 +2,26 @@ name: CI - App Client
 
 on:
   pull_request:
+    paths:
+      - 'packages/app-client/**'
+      - 'packages/lib/**'
+      - 'packages/crypto/**'
+      - 'pnpm-lock.yaml'
+      - 'pnpm-workspace.yaml'
+      - 'package.json'
+      - '.github/workflows/ci-app-client.yaml'
+      - '.github/actions/pnpm-setup/**'
   push:
     branches:
       - main
+      - twn-main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-app-client-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   ci-app-client:
@@ -16,18 +33,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-
-      - uses: actions/setup-node@v4
         with:
-          node-version: 22
-          cache: 'pnpm'
+          persist-credentials: false
 
-      - name: Install dependencies
-        run: pnpm i
-        working-directory: ./
+      - name: Setup Node + pnpm
+        uses: ./.github/actions/pnpm-setup
 
       - name: Run linters
         run: pnpm lint

.github/workflows/ci-app-server.yaml

@@ -2,9 +2,26 @@ name: CI - App Server
 
 on:
   pull_request:
+    paths:
+      - 'packages/app-server/**'
+      - 'packages/lib/**'
+      - 'packages/crypto/**'
+      - 'pnpm-lock.yaml'
+      - 'pnpm-workspace.yaml'
+      - 'package.json'
+      - '.github/workflows/ci-app-server.yaml'
+      - '.github/actions/pnpm-setup/**'
   push:
     branches:
       - main
+      - twn-main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-app-server-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   ci-app-server:
@@ -16,18 +33,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-
-      - uses: actions/setup-node@v4
         with:
-          node-version: 22
-          cache: 'pnpm'
+          persist-credentials: false
 
-      - name: Install dependencies
-        run: pnpm i
-        working-directory: ./
+      - name: Setup Node + pnpm
+        uses: ./.github/actions/pnpm-setup
 
       - name: Run linters
         run: pnpm lint

.github/workflows/ci-cli.yaml

@@ -2,9 +2,26 @@ name: CI - Cli
 
 on:
   pull_request:
+    paths:
+      - 'packages/cli/**'
+      - 'packages/lib/**'
+      - 'packages/crypto/**'
+      - 'pnpm-lock.yaml'
+      - 'pnpm-workspace.yaml'
+      - 'package.json'
+      - '.github/workflows/ci-cli.yaml'
+      - '.github/actions/pnpm-setup/**'
   push:
     branches:
       - main
+      - twn-main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-cli-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   ci-cli:
@@ -16,18 +33,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-
-      - uses: actions/setup-node@v4
         with:
-          node-version: 22
-          cache: 'pnpm'
+          persist-credentials: false
 
-      - name: Install dependencies
-        run: pnpm i
-        working-directory: ./
+      - name: Setup Node + pnpm
+        uses: ./.github/actions/pnpm-setup
 
       - name: Run linters
         run: pnpm lint