Recovery iteration 3 fix

.dockerignore

@@ -0,0 +1,65 @@
+# Node
+node_modules/
+npm-debug.log
+yarn-error.log
+
+# Build outputs
+dist/
+build/
+target/
+
+# IDEs
+.idea/
+.vscode/
+*.swp
+*.swo
+*.iml
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Environment files
+.env
+.env.local
+
+# Git
+.git/
+
+# Frontend specific
+frontend/node_modules/
+frontend/dist/
+frontend/.angular/
+frontend/playwright-report/
+frontend/test-results/
+frontend/e2e-screenshots/
+
+# Backend specific
+backend/target/
+backend/bin/
+backend/.settings/
+backend/.classpath/
+backend/.project/
+backend/*.iml
+
+# Test Client specific
+test-client/target/
+test-client/bin/
+test-client/*.iml
+
+# Android specific (to keep the root context clean)
+android/app/build/
+android/.gradle/
+android/local.properties
+android/*.iml
+
+# Miscellaneous
+tmp/
+*.log
+build_all.txt
+build_output.txt
+build_tests.txt
+build_tests_2.txt
+final_build_output.txt
+sonar-issues-v2.json
+test-results/

.env.example

@@ -0,0 +1,96 @@
+# .env.example - Template for local environment variables
+# Copy this file to .env and replace with real values if available
+
+# Note: The values set in .env are also used by scripts/check-secrets.ps1 
+# to prevent accidental commits of these specific secrets.
+
+# IPStack API Configuration
+IPSTACK_API_KEY=your_ipstack_api_key
+IPSTACK_API_URL=http://api.ipstack.com/
+
+# SonarCloud Token for static code analysis
+SONAR_TOKEN=your_sonar_token
+
+# Google reCAPTCHA Enterprise
+# Set RECAPTCHA_X_SECRET_KEY to 'disabled' to skip verification during development
+
+# Config 1: localhost-score (Enterprise)
+RECAPTCHA_1_SITE_KEY=your_recaptcha_1_site_key
+RECAPTCHA_1_SECRET_KEY=disabled
+RECAPTCHA_1_PROJECT_ID=your_recaptcha_1_project_id
+RECAPTCHA_1_API_KEY=your_recaptcha_1_api_key
+
+# Config 2: localhost-visible (Legacy v2)
+RECAPTCHA_2_SITE_KEY=your_recaptcha_2_site_key
+RECAPTCHA_2_SECRET_KEY=disabled
+RECAPTCHA_2_PROJECT_ID=your_recaptcha_2_project_id
+RECAPTCHA_2_API_KEY=your_recaptcha_2_api_key
+
+# Config 3: productive setup fargate (Enterprise)
+RECAPTCHA_3_SITE_KEY=your_recaptcha_3_site_key
+# RECAPTCHA_3_SECRET_KEY=disabled
+RECAPTCHA_3_SECRET_KEY=enabled
+RECAPTCHA_3_PROJECT_ID=your_recaptcha_3_project_id
+RECAPTCHA_3_API_KEY=your_recaptcha_3_api_key
+
+# Config 4: productive setup fargate score (Enterprise)
+RECAPTCHA_4_SITE_KEY=your_recaptcha_4_site_key
+RECAPTCHA_4_SECRET_KEY=your_recaptcha_4_secret_key
+RECAPTCHA_4_PROJECT_ID=your_recaptcha_4_project_id
+RECAPTCHA_4_API_KEY=your_recaptcha_4_api_key
+
+# Default Config (1 for localhost, 3 for fargate, 4 for fargate score)
+RECAPTCHA_DEFAULT_CONFIG=2
+
+# Email Configuration
+# Default: Local Mailpit/MailHog (http://localhost:8025)
+SPRING_MAIL_HOST=localhost
+SPRING_MAIL_PORT=1025
+SPRING_MAIL_AUTH=false
+SPRING_MAIL_STARTTLS=false
+
+# AWS SES Configuration (Set these to use real SES in prod or local testing)
+SES_USERNAME=your_ses_smtp_username
+SES_PASSWORD=your_ses_smtp_password
+SES_FROM=noreply@example.com
+
+# App Configuration
+# Optional: Set APP_BASE_URL to override the defaults:
+# - Local IDE: Defaults to http://localhost:4200
+# - Local Docker: Defaults to http://localhost
+# - AWS Fargate: Set in task definition (https://goodone.ch)
+# APP_BASE_URL=http://localhost:4200
+
+# JWT Secret for local development
+JWT_SECRET=defaultSecretKeyWithAtLeast32CharactersLongForSecurity
+
+# Landing Page Message
+LANDING_MESSAGE_MODE=OFF
+LANDING_MESSAGE_EN=
+LANDING_MESSAGE_DE_CH=
+
+# Vulnerability Database API Key
+NVD_API_KEY=your_nvd_api_key
+
+# AWS Infrastructure Identifiers (Used for deployment scripts)
+AWS_ACCOUNT_ID=your_aws_account_id
+VPC_ID=your_vpc_id
+EFS_ID=your_efs_id
+EFS_AP_ID=your_efs_access_point_id
+EFS_SG_ID=your_efs_sg_id
+TARGET_GROUP_ARN=your_target_group_arn
+
+# Default User Passwords and Emails
+ADMIN_PASSWORD=admin123
+USER_PASSWORD=user123
+ADMIN_READ_PASSWORD=admin123
+ADMIN_EMAIL=admin@example.com
+USER_EMAIL=user@example.com
+ADMIN_READ_EMAIL=admin-read@example.com
+
+# E2E Bypass Secret
+E2E_BYPASS_SECRET=your_e2e_bypass_secret
+
+# Database Configuration
+H2_USERNAME=sa
+H2_PASSWORD=

.github/pull_request_template.md

@@ -0,0 +1,47 @@
+## UX / UI Change PR
+
+### Scope
+- [ ] Dark mode
+- [ ] Mobile layout
+- [ ] Tables/logs/admin views
+- [ ] Tasks/list layouts
+- [ ] Other:
+
+### Acceptance criteria (must be explicit)
+1.
+2.
+3.
+
+### What changed (systemic first)
+- Tokens/theme:
+- Shared components/styles:
+- Component-specific changes (only if necessary):
+
+### Screens / viewports verified
+- [ ] Mobile 375×667 light
+- [ ] Mobile 375×667 dark
+- [ ] Desktop 1440×900 light
+- [ ] Desktop 1440×900 dark
+
+### UX Regression Checklist (must all be ✅)
+**Theme & contrast**
+- [ ] Action icons visible in dark mode (incl. `mat-icon-button` + destructive actions)
+- [ ] Menus/dialogs/selects have readable contrast in dark mode
+- [ ] Focus ring visible (keyboard navigation)
+
+**Mobile space & layout**
+- [ ] Header density acceptable (content above the fold on 375×667)
+- [ ] No unintended horizontal scrolling on mobile
+
+**Responsive patterns**
+- [ ] Tables on mobile: cards or usable scroll (no clipped headers)
+- [ ] Toolbars/filters don’t create orphan controls / accidental wraps
+- [ ] Titles don’t break mid-word; truncation/wrapping intentional
+
+**Maintainability**
+- [ ] No new hardcoded hex colors (unless added to tokens)
+- [ ] No new `!important` (or justified below)
+
+### Justifications (required if any)
+- New `!important` added because:
+- Component-specific workaround added because:

.github/workflows/build.yml

@@ -0,0 +1,114 @@
+name: Build & Test
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+
+jobs:
+  backend-test:
+    name: Backend Test
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: pgvector/pgvector:pg17
+        env:
+          POSTGRES_DB: angularai
+          POSTGRES_USER: admin
+          POSTGRES_PASSWORD: admin
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Run Backend Tests
+        run: mvn -pl backend verify -DskipTests=false
+        env:
+          GIT_SHA: ${{ github.sha }}
+          BUILD_TIME: ${{ github.event.head_commit.timestamp || github.event.pull_request.updated_at || github.event.repository.updated_at }}
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          SPRING_PROFILES_ACTIVE: postgres,dev,mock,test
+          SPRING_DATASOURCE_URL: jdbc:postgresql://127.0.0.1:5432/angularai?stringtype=unspecified&currentSchema=app,public
+          SPRING_DATASOURCE_USERNAME: admin
+          SPRING_DATASOURCE_PASSWORD: admin
+          AI_QUICK_ADD_PROVIDER: mock
+          AI_ARCHITECTURE_PROVIDER: mock
+          AI_EMBEDDING_PROVIDER: mock
+
+  frontend-test:
+    name: Frontend Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21 (for backend in Playwright)
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install dependencies
+        working-directory: frontend
+        run: npm ci --legacy-peer-deps
+
+      - name: Run Lint
+        working-directory: frontend
+        run: npm run lint
+
+      - name: Run Frontend Unit Tests
+        working-directory: frontend
+        run: npm run test
+
+  commit-lint:
+    name: Commit Lint
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install commitlint
+        run: npm install --save-dev @commitlint/config-conventional @commitlint/cli
+      - name: Validate PR commits
+        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
+  sonar:
+    name: SonarCloud
+    runs-on: ubuntu-latest
+    needs: [ backend-test, frontend-test ]
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@v2
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}