Iteration 3

.env.example

@@ -28,14 +28,28 @@ RECAPTCHA_2_API_KEY=your_recaptcha_2_api_key
 
 # Config 3: productive setup fargate (Enterprise)
 RECAPTCHA_3_SITE_KEY=your_recaptcha_3_site_key
-RECAPTCHA_3_SECRET_KEY=disabled
+# RECAPTCHA_3_SECRET_KEY=disabled
+RECAPTCHA_3_SECRET_KEY=enabled
 RECAPTCHA_3_PROJECT_ID=your_recaptcha_3_project_id
 RECAPTCHA_3_API_KEY=your_recaptcha_3_api_key
 
-# Default Config (1 for localhost, 3 for fargate)
+# Config 4: productive setup fargate score (Enterprise)
+RECAPTCHA_4_SITE_KEY=your_recaptcha_4_site_key
+RECAPTCHA_4_SECRET_KEY=your_recaptcha_4_secret_key
+RECAPTCHA_4_PROJECT_ID=your_recaptcha_4_project_id
+RECAPTCHA_4_API_KEY=your_recaptcha_4_api_key
+
+# Default Config (1 for localhost, 3 for fargate, 4 for fargate score)
 RECAPTCHA_DEFAULT_CONFIG=2
 
-# AWS SES Configuration
+# Email Configuration
+# Default: Local Mailpit/MailHog (http://localhost:8025)
+SPRING_MAIL_HOST=localhost
+SPRING_MAIL_PORT=1025
+SPRING_MAIL_AUTH=false
+SPRING_MAIL_STARTTLS=false
+
+# AWS SES Configuration (Set these to use real SES in prod or local testing)
 SES_USERNAME=your_ses_smtp_username
 SES_PASSWORD=your_ses_smtp_password
 SES_FROM=noreply@example.com
@@ -51,6 +65,7 @@ SES_FROM=noreply@example.com
 JWT_SECRET=defaultSecretKeyWithAtLeast32CharactersLongForSecurity
 
 # Landing Page Message
+LANDING_MESSAGE_MODE=OFF
 LANDING_MESSAGE_EN=
 LANDING_MESSAGE_DE_CH=
 

.github/workflows/build.yml

@@ -14,6 +14,20 @@ jobs:
   backend-test:
     name: Backend Test
     runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: pgvector/pgvector:pg17
+        env:
+          POSTGRES_DB: angularai
+          POSTGRES_USER: admin
+          POSTGRES_PASSWORD: admin
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
     steps:
       - uses: actions/checkout@v4
 
@@ -30,6 +44,13 @@ jobs:
           GIT_SHA: ${{ github.sha }}
           BUILD_TIME: ${{ github.event.head_commit.timestamp || github.event.pull_request.updated_at || github.event.repository.updated_at }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          SPRING_PROFILES_ACTIVE: postgres,dev,mock,test
+          SPRING_DATASOURCE_URL: jdbc:postgresql://127.0.0.1:5432/angularai?stringtype=unspecified&currentSchema=app,public
+          SPRING_DATASOURCE_USERNAME: admin
+          SPRING_DATASOURCE_PASSWORD: admin
+          AI_QUICK_ADD_PROVIDER: mock
+          AI_ARCHITECTURE_PROVIDER: mock
+          AI_EMBEDDING_PROVIDER: mock
 
   frontend-test:
     name: Frontend Test
@@ -66,6 +87,7 @@ jobs:
   commit-lint:
     name: Commit Lint
     runs-on: ubuntu-latest
+    continue-on-error: true
     if: github.event_name == 'pull_request'
     steps:
       - uses: actions/checkout@v4
@@ -75,3 +97,18 @@ jobs:
         run: npm install --save-dev @commitlint/config-conventional @commitlint/cli
       - name: Validate PR commits
         run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
+  sonar:
+    name: SonarCloud
+    runs-on: ubuntu-latest
+    needs: [ backend-test, frontend-test ]
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@v2
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/code-review.yml

@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch: # Allows manual trigger from Actions tab
   push:
@@ -203,11 +206,6 @@ jobs:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: |
           mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
-            -Dsonar.projectKey=JuergGood_angularai \
-            -Dsonar.organization=juerggood \
-            -Dsonar.javascript.lcov.reportPaths=frontend/coverage/lcov.info \
-            -Dsonar.coverage.jacoco.xmlReportPaths=backend/target/site/jacoco/jacoco.xml,test-client/target/site/jacoco/jacoco.xml \
-            -Dsonar.exclusions=android/** \
             -Dsonar.scm.disabled=true \
             -Ddependency-check.skip=false
 
@@ -227,7 +225,7 @@ jobs:
 
       - name: Build Docker image
         run: |
-          docker build -t angularai-app:${{ github.sha }} .
+          docker build -t angularai-app:${{ github.sha }} -f deploy/dev/Dockerfile .
 
       - name: Run Trivy vulnerability scanner (Image)
         uses: aquasecurity/trivy-action@0.28.0
@@ -263,7 +261,7 @@ jobs:
         uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: 'config'
-          scan-ref: 'Dockerfile'
+          scan-ref: 'deploy/dev/Dockerfile'
           hide-progress: false
           format: 'table'
           exit-code: '1'
@@ -275,7 +273,7 @@ jobs:
         uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: 'config'
-          scan-ref: 'Dockerfile'
+          scan-ref: 'deploy/dev/Dockerfile'
           hide-progress: false
           format: 'sarif'
           output: 'trivy-config.sarif.json'

.github/workflows/deploy.yml

@@ -85,10 +85,10 @@ jobs:
           # Use NVD_API_KEY if available as a secret
           if [ -n "$NVD_API_KEY" ]; then
             echo "$NVD_API_KEY" > nvd_api_key.txt
-            docker build --secret id=NVD_API_KEY,src=nvd_api_key.txt -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+            docker build --secret id=NVD_API_KEY,src=nvd_api_key.txt -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f deploy/dev/Dockerfile .
             rm nvd_api_key.txt
           else
-            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f deploy/dev/Dockerfile .
           fi
           docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
           docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

.github/workflows/docs-validation.yml

@@ -0,0 +1,17 @@
+name: Documentation Validation
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate Junie Tasks
+        shell: pwsh
+        run: ./scripts/validate-junie-tasks.ps1

.github/workflows/playwright.yml

@@ -35,8 +35,8 @@ jobs:
 
       - name: Build and Start Application (Docker)
         run: |
-          docker compose -f docker-compose.yml -f docker-compose.ci.yml build
-          docker compose -f docker-compose.yml -f docker-compose.ci.yml up -d
+          docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml build
+          docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml up -d
         env:
           E2E_BYPASS_SECRET: "ci-secret"
           JWT_SECRET: "ci-jwt-secret-at-least-32-chars-long"
@@ -64,7 +64,7 @@ jobs:
 
       - name: Run Playwright E2E tests
         working-directory: frontend
-        run: npx playwright test e2e/ux-guardrails.spec.ts e2e/auth-flow.spec.ts e2e/tasks-ux.spec.ts --reporter=line
+        run: npx playwright test e2e/ux-guardrails.spec.ts e2e/auth-flow.spec.ts e2e/tasks-ux.spec.ts e2e/quick-add-ai.spec.ts e2e/architecture-page.spec.ts --reporter=line
         env:
           PLAYWRIGHT_TEST_BASE_URL: http://localhost:8080
           USE_PLAYWRIGHT_WEB_SERVER: 'false'
@@ -81,8 +81,8 @@ jobs:
       - name: Upload Container Logs
         if: always()
         run: |
-          docker compose logs app > app-container.log
-          docker compose logs mailpit > mailpit-container.log
+          docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml logs app > app-container.log
+          docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml logs postgres > postgres-container.log
 
       - name: Upload Logs as Artifact
         if: always()
@@ -93,7 +93,7 @@ jobs:
 
       - name: Stop Application
         if: always()
-        run: docker compose down
+        run: docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml down
 
   ux-docs:
     name: UX Screenshot Docs (manual)
@@ -119,8 +119,8 @@ jobs:
 
       - name: Build and Start Application (Docker)
         run: |
-          docker compose -f docker-compose.yml -f docker-compose.ci.yml build
-          docker compose -f docker-compose.yml -f docker-compose.ci.yml up -d
+          docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml build
+          docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml up -d
         env:
           E2E_BYPASS_SECRET: "ci-secret"
           JWT_SECRET: "ci-jwt-secret-at-least-32-chars-long"
@@ -162,4 +162,4 @@ jobs:
 
       - name: Stop Application
         if: always()
-        run: docker compose down
+        run: docker compose -f deploy/dev/docker-compose.yml -f deploy/dev/docker-compose.ci.yml down

.github/workflows/validate-tasks.yml

@@ -0,0 +1,24 @@
+name: Validate Junie Task Files
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: pip install pyyaml
+
+      - name: Validate task files
+        run: python scripts/validate_tasks.py doc/knowledge/junie-tasks

.gitignore

@@ -19,11 +19,17 @@
 /scripts/update-aws-secret.ps1
 /secret_utf8.json
 /monitoring-server/target/
-/backend/data/dependency-check/
-/backend/data/*.db
-/backend/data/*.trace.db
-/frontend/data/dependency-check/
+/backend/data/
+/frontend/data/
+*.db
+*.trace.db
 /presentation/presentations/Iteration-2/old/
 /doc/normalized-tasks/
 /doc/tasks-normalized/
 /releases_test/
+/doc/doc/
+/node_modules/
+/frontend/node_modules/
+/sonar/.sonar-export/issues/
+/sonar/.github-code-scanning-export/alerts/
+/qodana-results/

.junie/AI_Usage_Guidelines.md

@@ -40,26 +40,28 @@ When using AI:
 - Run all relevant tests before reporting a task as done
 - Sensitive data must not be shared
 - Outputs are reviewed like human contributions
-- **Task Logging in Markdown**: When a task is assigned via a dedicated Markdown file (e.g., in `doc/prototype-maturity/`), strictly follow the template in `doc/prototype-maturity/md-prompt-log.md`.
-    - **CRITICAL**: This is a mandatory step for every task assigned via .md file.
-    - Every iteration must have an entry with `Date: YYYY.MM.DD HH:MM` and a `Summary:`.
-    - **MANDATORY**: New entries must be added to the top of the log section. Never overwrite or replace previous entries.
-    - For the first completion, use `**DONE:**` and provide `Implementation details:`.
-    - For subsequent iterations (fixes/updates), omit `**DONE:**` and only provide `Date` and `Summary`.
-    - **Example of Multi-Iteration Log**:
+- **Task Logging in Markdown**: When a task is assigned via a dedicated Markdown file, follow the appropriate standard:
+        - **Normalized Tasks** (e.g., `AI-ARCH-*`, `SEC-*`): Strictly follow the **Normalized Markdown Format v1.0** as defined in `.junie/guidelines.md` and `doc/knowledge/junie-tasks/taskset-9/junie-task-format-guideline.md`.
+        - **Prototype/Other Tasks** (e.g., `doc/knowledge/junie-tasks/`): Use the template in `doc/knowledge/junie-tasks/md-prompt-log.md`.
+    - **CRITICAL**: Task logging is mandatory for every task assigned via .md file.
+    - **MANDATORY**: New entries must be added to the top of the log section (directly under the heading). Never overwrite or replace previous entries.
+    - **Normalized Task Entry Format**:
       ```markdown
-      Date: 2026.02.13 11:00
-      Summary: Fix for failing tests in iteration 1.
-
-      Date: 2026.02.13 10:30
+      ### YYYY-MM-DD HH:MM
+      - Summary:
+      - Outcome:
+      - Open items:
+      - Evidence:
+      ```
+    - **Prototype Task Entry Format**:
+      ```markdown
+      Date: YYYY.MM.DD HH:MM
       Summary: Initial completion of the task.
       **DONE:**
       Implementation details:
-      - Detail 1
-      - Detail 2
       ```
     - **Failed Acceptance Iterations** must be incremented whenever a failure is reported, and **never** decremented.
-    - Status (`Status: COMPLETED` or similar), `Iterations` count, and `Last Updated` timestamp must be kept up to date.
+    - Status, `iterations` count, and `updated` timestamp must be kept up to date.
     - Updates to the file are sorted: the latest 'Date:' entry must be at the top of the logs section.
     - If a prompt includes the keyword `-detail-`, `-full-`, `-verbose-`, `-detailed-`, or `-expand-`, provide full implementation details in the 'DONE' comment even for follow-up tasks.
 - Business logic takes precedence over tests: Never change the application's implementation or business logic solely to make tests pass. Instead, adjust the tests to reflect the actual business logic. If you believe a business logic change is truly necessary to improve testability or fix a bug, you MUST specifically ask for approval before proceeding.