Develop

.github/copilot-instructions.md

@@ -103,4 +103,77 @@ When implementing new features, consider:
 2. Resource usage and performance implications
 3. User experience and workflow efficiency
 4. Error scenarios and recovery procedures
-5. Documentation and help text requirements
+5. Documentation and help text requirements
+
+## Commit Message Convention
+
+This project uses **Conventional Commits** for automatic versioning and changelog generation.
+Every commit message MUST follow this format:
+
+```
+<type>(<scope>): <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+### Types
+
+| Type | Purpose | Version Impact |
+|------|---------|----------------|
+| `feat` | New feature or capability | **Minor** bump (0.X.0) |
+| `fix` | Bug fix | **Patch** bump (0.0.X) |
+| `docs` | Documentation only | Patch bump |
+| `style` | Formatting, whitespace, no code change | Patch bump |
+| `refactor` | Code restructuring, no behavior change | Patch bump |
+| `perf` | Performance improvement | Patch bump |
+| `test` | Adding or updating tests | Patch bump |
+| `chore` | Build, tooling, dependencies | Patch bump |
+| `ci` | CI/CD pipeline changes | Patch bump |
+
+### Breaking Changes → Major Bump
+
+A breaking change triggers a **Major** version bump (X.0.0). Mark it with either:
+
+- An `!` after the type/scope: `feat!: remove legacy API`
+- A `BREAKING CHANGE:` footer in the commit body
+
+### Scopes
+
+- `api` – Backend API routes/endpoints
+- `ui` – Frontend components/pages
+- `auth` – Authentication/security
+- `db` – Database/models/migrations
+- `docker` – Docker/deployment
+- `backup` – Backup engine/operations
+- `storage` – Remote storage (S3, FTP, WebDAV)
+- `scheduler` – APScheduler/task scheduling
+- `ws` – WebSocket connections
+
+### Rules
+
+- Type and description are **required**
+- Scope is optional but encouraged
+- Description must be lowercase, imperative mood ("add" not "added" or "adds")
+- No period at the end of the description
+- Body and footer are optional
+- Use `!` or `BREAKING CHANGE:` only for genuinely incompatible changes
+
+### Examples
+
+```
+feat(backup): add incremental backup support
+fix(ui): correct progress bar not updating
+refactor(storage): simplify S3 upload handler
+docs: update README with Docker Compose examples
+feat!: redesign backup scheduling API
+chore(deps): update FastAPI to 0.115
+ci: add ARM64 Docker build
+perf(db): add index on backup.created_at
+```
+
+## Language
+
+- Commit messages in **English**
+- Code comments in **English**

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - name: Wait for Tests workflow
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             // Wait up to 10 minutes for Tests workflow to complete
@@ -91,33 +91,98 @@ jobs:
       - name: Determine version
         id: version
         run: |
-          # Get commit count for consistent versioning across branches
-          COMMIT_COUNT=$(git rev-list --count HEAD)
-
           REF="${{ github.event_name == 'workflow_run' && format('refs/heads/{0}', github.event.workflow_run.head_branch) || github.ref }}"
           BRANCH="${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name }}"
 
-          if [[ "$REF" == refs/tags/vdev.* ]]; then
-            # Dev tag (e.g., vdev.0.0.103 -> dev.0.0.103)
-            VERSION=${GITHUB_REF#refs/tags/v}
-            IS_PRERELEASE=true
-            BUILD_ENV=development
-          elif [[ "$REF" == refs/tags/v* ]]; then
-            # Stable tag (e.g., v1.2.3 -> 1.2.3)
+          if [[ "$REF" == refs/tags/v* ]]; then
+            # Manual tag push - use the tag version directly
             VERSION=${GITHUB_REF#refs/tags/v}
-            IS_PRERELEASE=false
-            BUILD_ENV=production
-          elif [[ "$REF" == refs/heads/main ]]; then
-            # Main branch - stable release with same count as dev
-            VERSION="0.0.${COMMIT_COUNT}"
-            IS_PRERELEASE=false
-            BUILD_ENV=production
+            if [[ "$VERSION" == *-dev* ]] || [[ "$VERSION" == dev.* ]]; then
+              IS_PRERELEASE=true
+              BUILD_ENV=development
+            else
+              IS_PRERELEASE=false
+              BUILD_ENV=production
+            fi
           else
-            # Develop branch - prerelease with dev prefix
-            VERSION="dev.0.0.${COMMIT_COUNT}"
-            IS_PRERELEASE=true
-            BUILD_ENV=development
+            # Auto-version: find highest version across ALL tags (dev + stable)
+            HIGHEST_TAG=""
+            HIGHEST_MAJOR=0
+            HIGHEST_MINOR=0
+            HIGHEST_PATCH=0
+
+            for tag in $(git tag -l 'v*'); do
+              ver="$tag"
+              ver="${ver#v}"
+              ver="${ver#dev.}"
+              ver="${ver%%-dev*}"
+
+              M=$(echo "$ver" | cut -d. -f1)
+              m=$(echo "$ver" | cut -d. -f2)
+              P=$(echo "$ver" | cut -d. -f3)
+
+              [[ "$M" =~ ^[0-9]+$ ]] || continue
+              [[ "$m" =~ ^[0-9]+$ ]] || continue
+              [[ "$P" =~ ^[0-9]+$ ]] || continue
+
+              if (( M > HIGHEST_MAJOR )) || \
+                 (( M == HIGHEST_MAJOR && m > HIGHEST_MINOR )) || \
+                 (( M == HIGHEST_MAJOR && m == HIGHEST_MINOR && P > HIGHEST_PATCH )); then
+                HIGHEST_MAJOR=$M
+                HIGHEST_MINOR=$m
+                HIGHEST_PATCH=$P
+                HIGHEST_TAG="$tag"
+              fi
+            done
+
+            echo "Highest existing version: ${HIGHEST_MAJOR}.${HIGHEST_MINOR}.${HIGHEST_PATCH} (tag: ${HIGHEST_TAG:-none})"
+
+            # Analyze commits since last tag for conventional commit bump type
+            BUMP="patch"
+            if [ -n "$HIGHEST_TAG" ]; then
+              COMMITS=$(git log "${HIGHEST_TAG}..HEAD" --pretty=format:"%s%n%b" 2>/dev/null || echo "")
+            else
+              COMMITS=$(git log --pretty=format:"%s%n%b" 2>/dev/null || echo "")
+            fi
+
+            if echo "$COMMITS" | grep -qiE '(^[a-z]+!:|BREAKING CHANGE)'; then
+              BUMP="major"
+            elif echo "$COMMITS" | grep -qiE '^feat(\(|:)'; then
+              BUMP="minor"
+            fi
+
+            echo "Bump type: $BUMP"
+
+            case "$BUMP" in
+              major)
+                NEXT_MAJOR=$((HIGHEST_MAJOR + 1))
+                NEXT_MINOR=0
+                NEXT_PATCH=0
+                ;;
+              minor)
+                NEXT_MAJOR=$HIGHEST_MAJOR
+                NEXT_MINOR=$((HIGHEST_MINOR + 1))
+                NEXT_PATCH=0
+                ;;
+              patch)
+                NEXT_MAJOR=$HIGHEST_MAJOR
+                NEXT_MINOR=$HIGHEST_MINOR
+                NEXT_PATCH=$((HIGHEST_PATCH + 1))
+                ;;
+            esac
+
+            VERSION="${NEXT_MAJOR}.${NEXT_MINOR}.${NEXT_PATCH}"
+
+            if [[ "$REF" == refs/heads/main ]]; then
+              IS_PRERELEASE=false
+              BUILD_ENV=production
+            else
+              VERSION="${VERSION}-dev"
+              IS_PRERELEASE=true
+              BUILD_ENV=development
+            fi
           fi
+
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           echo "is_prerelease=${IS_PRERELEASE}" >> $GITHUB_OUTPUT
           echo "build_env=${BUILD_ENV}" >> $GITHUB_OUTPUT
@@ -158,7 +223,7 @@ jobs:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v4
@@ -203,11 +268,11 @@ jobs:
           CURRENT_VERSION="${{ needs.prepare.outputs.version }}"
           BRANCH="${{ github.ref_name }}"
 
-          # Find the last tag based on branch
+          # Find the last tag for changelog comparison
           if [[ "$BRANCH" == "develop" ]]; then
-            LAST_TAG=$(git tag -l 'vdev.*' --sort=-version:refname | head -n1 || echo "")
+            LAST_TAG=$(git tag -l --sort=-creatordate | grep -E '(^vdev\.|.*-dev$)' | head -n1 || echo "")
           else
-            LAST_TAG=$(git tag -l 'v*' --sort=-version:refname | grep -v '^vdev\.' | head -n1 || echo "")
+            LAST_TAG=$(git tag -l 'v*' --sort=-version:refname | grep -vE '(^vdev\.|.*-dev$)' | head -n1 || echo "")
           fi
 
           echo "Branch: $BRANCH"
@@ -304,7 +369,7 @@ jobs:
         with:
           tag_name: ${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || format('v{0}', needs.prepare.outputs.version) }}
           target_commitish: ${{ github.sha }}
-          name: ${{ needs.prepare.outputs.branch_name == 'develop' && format('Development Build {0}', needs.prepare.outputs.version) || format('Release {0}', needs.prepare.outputs.version) }}
+          name: ${{ needs.prepare.outputs.is_prerelease == 'true' && format('Development Build {0}', needs.prepare.outputs.version) || format('Release {0}', needs.prepare.outputs.version) }}
           body_path: release_notes.md
           draft: false
           prerelease: ${{ needs.prepare.outputs.is_prerelease }}

.github/workflows/security-scan.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Upload Bandit results
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: bandit-results
           path: bandit-results.json
@@ -88,7 +88,7 @@ jobs:
 
       - name: Upload results
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: pip-audit-results
           path: pip-audit-results.json
@@ -128,7 +128,7 @@ jobs:
 
       - name: Upload results
         if: always()
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: npm-audit-results
           path: frontend/npm-audit-results.json

.github/workflows/test.yml

@@ -52,7 +52,7 @@ jobs:
         token: ${{ secrets.CODECOV_TOKEN }}
 
     - name: Archive coverage report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: backend-coverage-report
         path: backend/htmlcov/
@@ -64,7 +64,7 @@ jobs:
     - uses: actions/checkout@v6
 
     - name: Set up Node.js 24
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '24'
         cache: 'npm'
@@ -87,7 +87,7 @@ jobs:
         token: ${{ secrets.CODECOV_TOKEN }}
 
     - name: Archive coverage report
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: frontend-coverage-report
         path: frontend/coverage/
@@ -104,7 +104,7 @@ jobs:
         python-version: '3.14'
 
     - name: Set up Node.js 24
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v6
       with:
         node-version: '24'
         cache: 'npm'
@@ -149,7 +149,7 @@ jobs:
     - uses: actions/checkout@v6
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
 
     - name: Build Docker image
       run: |
@@ -214,7 +214,7 @@ jobs:
         python-version: '3.14'
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@0.28.0
+      uses: aquasecurity/trivy-action@0.35.0
       with:
         scan-type: 'fs'
         scan-ref: '.'
@@ -223,7 +223,7 @@ jobs:
       continue-on-error: true
 
     - name: Upload Trivy scan results
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@v4
       if: always()
       with:
         sarif_file: 'trivy-results.sarif'

.gitignore

@@ -32,7 +32,8 @@ env/
 
 # IDE
 .idea/
-.vscode/
+.vscode/*
+!.vscode/settings.json
 *.swp
 *.swo
 *~

.vscode/settings.json

@@ -0,0 +1,11 @@
+{
+    "chat.tools.terminal.autoApprove": {
+        "npx tsc": true,
+        "npx eslint": true
+    },
+    "github.copilot.chat.commitMessageGeneration.instructions": [
+        {
+            "text": "Use Conventional Commits format: <type>(<scope>): <description>. Types: feat (minor bump), fix (patch bump), docs, style, refactor, perf, test, chore, ci. Use ! after type for breaking changes (major bump). Scopes: api, ui, auth, db, docker, backup, storage, scheduler, ws. Description must be lowercase, imperative mood, no period at end. English only."
+        }
+    ]
+}

Dockerfile

@@ -40,8 +40,8 @@ WORKDIR /app
 
 # Install build dependencies for Python packages
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    build-essential=12.12 \
-    libffi-dev=3.4.8-2 \
+    build-essential \
+    libffi-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy requirements first for caching
@@ -76,14 +76,14 @@ WORKDIR /app
 
 # Install only runtime dependencies (no build tools)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    nginx=1.26.3-3+deb13u2 \
-    supervisor=4.2.5-3 \
-    curl=8.14.1-2+deb13u2 \
-    rsync=3.4.1+ds1-5+deb13u1 \
-    openssh-client=1:10.0p1-7 \
-    tini=0.19.0-3+b5 \
-    openssl=3.5.4-1~deb13u2 \
-    sudo=1.9.16p2-3 \
+    nginx \
+    supervisor \
+    curl \
+    rsync \
+    openssh-client \
+    tini \
+    openssl \
+    sudo \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean \
     && rm -f /etc/nginx/sites-enabled/default
@@ -163,3 +163,4 @@ VOLUME ["/app/data", "/backups"]
 
 # Entrypoint handles docker group setup and starts supervisord
 ENTRYPOINT ["/entrypoint.sh"]
+