
feat: add various shell scripts for bootstrapping, deployment, CI, and infrastructure management. #38

Open
pedrorichil wants to merge 4 commits into World-Open-Graph:main from pedrorichil:main

Conversation

@pedrorichil

No description provided.

@brunoclz brunoclz added the release:infra (CI/CD or infra updates) label Mar 3, 2026

brunoclz commented Mar 3, 2026

Blocked in this review cycle.

Reason:

  • infra/scripts/seed-dev.sh was changed from env-based password handling to -p "${NEO4J_PASSWORD}", which exposes the secret in process arguments.

Required remediation:

  1. Restore secret-safe auth invocation (env-based pattern, no plaintext password in CLI args).
  2. Update PR summary/title to match the actual diff scope.
  3. Re-run CI/Security and keep exactly one release label (release:infra).

After that, this PR can be re-evaluated for merge.
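The exposure the review is pointing at, shown as an added example that is not infra/scripts/seed-dev.sh or any other project code: a stand-in worker is launched once with the password in argv (the flagged -p "${NEO4J_PASSWORD}" form) and once with it only in the environment, and the script reads back what any local user can see in the process list. The sample secret, the sleep worker, and the commented cypher-shell and docker exec lines at the end (seed file path, container name) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not infra/scripts/seed-dev.sh: shows why `-p "${NEO4J_PASSWORD}"`
# leaks and what the env-based call looks like. A `sleep` worker stands in for
# cypher-shell so this runs without Neo4j or Docker installed.
set -eu

# Constructed sample secret for the demo; not a real credential.
NEO4J_PASSWORD='s3cr3t-example-only'
export NEO4J_PASSWORD

# Command line of a process as any local user sees it. /proc/<pid>/cmdline is
# world-readable; /proc/<pid>/environ is readable only by the owner and root.
proc_args() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\000' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"   # non-Linux fallback
  fi
}

# Launch a worker with the given argv (what the seed script would build),
# print its visible command line, then reap it. The two-command body keeps
# sh from exec'ing sleep directly, so the argv we pass is what gets listed.
observe() {
  sh -c 'sleep 5; true' worker "$@" >/dev/null 2>&1 &
  pid=$!
  sleep 1
  proc_args "$pid"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
}

# BEFORE (flagged in review): the calling shell expands ${NEO4J_PASSWORD}
# before exec, so the plaintext value becomes part of the worker's argv.
argv_pattern() { observe -u neo4j -p "$NEO4J_PASSWORD"; }

# AFTER: no -p. The worker inherits NEO4J_PASSWORD through its environment,
# which is where cypher-shell looks for it; argv carries no secret.
env_pattern() { observe -u neo4j; }

# Prints "yes" if the secret appears in a process listing, else "no".
secret_visible() {
  case "$1" in
    *"$NEO4J_PASSWORD"*) echo yes ;;
    *) echo no ;;
  esac
}

# The worker can still read the secret from its own environment.
worker_reads_env() { sh -c 'printf %s "$NEO4J_PASSWORD"' worker; }

# Hardened invocations for the two code paths the review names (seed file and
# container name are assumed; `--env NAME` with no value passes the caller's
# value into the container without putting it in argv):
#   cypher-shell -u neo4j -f seed.cypher
#   docker exec --env NEO4J_PASSWORD "$CONTAINER" cypher-shell -u neo4j -f /seed.cypher

# Stand-alone demo.
listing=$(argv_pattern); echo "argv pattern: $listing (secret visible: $(secret_visible "$listing"))"
listing=$(env_pattern);  echo "env pattern : $listing (secret visible: $(secret_visible "$listing"))"
echo "worker reads secret from env: $(worker_reads_env)"
```

Run it with sh. The argv line shows the expanded password because the caller's shell substitutes ${NEO4J_PASSWORD} before exec, and the kernel exposes argv to every user; the env line does not. Shell history stores the unexpanded ${NEO4J_PASSWORD} text, but set -x tracing, common in CI wrappers, logs the expanded argument exactly as ps shows it, so the env-based form closes that path too.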

@brunoclz brunoclz left a comment

Blocking security issue remains in infra/scripts/seed-dev.sh: password is passed via CLI argument (-p "${NEO4J_PASSWORD}"), which can be exposed in process listings/history. Please switch back to non-argument secret handling (e.g., --env NEO4J_PASSWORD or equivalent) and push updated checks.

@brunoclz brunoclz left a comment

Blocking security issue remains in infra/scripts/seed-dev.sh: password is passed via CLI argument (-p "${NEO4J_PASSWORD}"), which can be exposed in process listings/history. Please switch back to non-argument secret handling (for example, --env NEO4J_PASSWORD or equivalent) and push updated checks.

@brunoclz brunoclz left a comment

Blocking security finding remains in infra/scripts/seed-dev.sh: password is passed via CLI argument (-p "${NEO4J_PASSWORD}"), which can leak via process inspection. Please restore non-argument secret handling (e.g., --env NEO4J_PASSWORD) for both local and docker exec paths, then rerun checks.

@brunoclz brunoclz left a comment

Blocking findings remain: (1) security regression in seed script still passes password via CLI arg (-p "${NEO4J_PASSWORD}"), which can leak via process inspection; (2) latest checks also include red Pip Audit (Python deps) under strict no-red policy. Please restore non-argument secret handling (--env NEO4J_PASSWORD-style) and re-run checks to green.

@brunoclz brunoclz left a comment

Checks are now green, but this PR is still blocked by a security regression in infra/scripts/seed-dev.sh: password is passed via CLI argument (-p "${NEO4J_PASSWORD}") in both code paths, which can leak via process inspection. Please restore non-argument secret handling (--env NEO4J_PASSWORD or equivalent) and push an updated diff.

@brunoclz brunoclz left a comment

Blocking security regression remains in infra/scripts/seed-dev.sh: password is passed via CLI argument (-p "${NEO4J_PASSWORD}") in both execution paths. Please restore non-argument secret handling (--env NEO4J_PASSWORD-style) before merge.

brunoclz commented Mar 6, 2026

Policy decision for cycle dated 2026-03-06: refused for merge in this cycle and kept open.

Current blockers:

  • Security regression in infra/scripts/seed-dev.sh: password passed via CLI argument (-p "${NEO4J_PASSWORD}")
  • reviewDecision=CHANGES_REQUESTED
  • Change touches denylisted path class (infra/**) under conservative automerge policy

Unblock criteria for reconsideration:

  1. Restore non-argument secret handling (--env NEO4J_PASSWORD-style) in both execution paths.
  2. Re-run required checks with all green.
  3. Address blocking review items and move out of CHANGES_REQUESTED.

No merge will be performed until all criteria above are met.

brunoclz commented Mar 7, 2026

Maintainer triage on March 7, 2026: refused for merge in this cycle and kept open.

Blockers:

  • Security regression remains in infra/scripts/seed-dev.sh: the Neo4j password is passed via CLI argument, which can leak via process inspection.
  • reviewDecision=CHANGES_REQUESTED is still unresolved.
  • This PR touches infra/**, outside the conservative merge scope for this cycle.

Required next step: restore non-argument secret handling, clear the blocking review state, and push an updated branch for re-evaluation.

@brunoclz brunoclz added the status:denied-cycle (PR denied in current governor cycle) and needs-author-action (Author action required) labels Mar 7, 2026

lucasbsimao commented Mar 7, 2026

@pedrorichil I believe the right approach here is to actually omit the -p flag and let cypher-shell retrieve it directly from the environment on its own.


Labels

  • needs-author-action: Author action required
  • release:infra: CI/CD or infra updates
  • status:denied-cycle: PR denied in current governor cycle

3 participants