chore: sync with master

.codacy.yml

@@ -21,3 +21,8 @@ exclude_paths:
   # payloads like '$MONGO_GT' and '`id`' must NOT expand. SC2034 (BASE_URL) is used
   # further down in the same script.
   - ".pentest/**"
+
+  # Monitoring infrastructure templates — SMTP environment variable references
+  # in docker-compose look like credentials to static scanners. alertmanager.yml
+  # is gitignored (only .example is tracked).
+  - "docker-compose.monitoring.yml"

.env.example

@@ -94,6 +94,31 @@ SCRAPER_API_URL=https://scraper.prostaff.gg
 # Must match SCRAPER_API_KEY configured on the scraper service
 SCRAPER_API_KEY=
 
+# ===========================================
+# prostaff-events Integration (Phoenix event bus)
+# ===========================================
+# Real-time WebSocket hub and event bus. Rails publishes domain events to Redis
+# pub/sub (channel: prostaff:events:<org_id>), Phoenix subscribes and broadcasts
+# to connected frontend clients.
+#
+# Leave blank to disable event publishing (events are silently dropped).
+# When set, Events::EventPublisher will publish to Redis on every domain event.
+#
+# Internal JWT secret shared with prostaff-events for service-to-service auth.
+# Must match INTERNAL_JWT_SECRET configured in prostaff-events.
+PHOENIX_EVENTS_ENABLED=false
+PHOENIX_EVENTS_URL=http://localhost:4000
+INTERNAL_JWT_SECRET=
+
+# ===========================================
+# Sidekiq Web UI (production access)
+# ===========================================
+# Credentials for /sidekiq dashboard (HTTP Basic Auth).
+# Both must be set — UI stays inaccessible if either is blank (safe default).
+# Generate password: openssl rand -hex 32
+SIDEKIQ_WEB_USER=
+SIDEKIQ_WEB_PASSWORD=
+
 # ===========================================
 # HashID Configuration (for public URL obfuscation)
 # ===========================================

.github/branch-protection-ruleset.json

@@ -28,6 +28,10 @@
           {
             "context": "Security Scan",
             "integration_id": null
+          },
+          {
+            "context": "codacy/pr-quality-review",
+            "integration_id": null
           }
         ],
         "strict_required_status_checks_policy": true

.github/workflows/README.md

@@ -250,7 +250,7 @@ new-feature-test:
     - name: Setup Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 3.4.5
+        ruby-version: 3.4.8
         bundler-cache: true
     - name: Setup Database
       run: bundle exec rails db:migrate RAILS_ENV=test

.github/workflows/codeql.yml

@@ -30,6 +30,7 @@ on:
 
 permissions:
   security-events: write  # upload SARIF para o Security tab
+  pull-requests: write    # postar comentario de resumo no PR
   packages: read
   actions: read
   contents: read

.github/workflows/deploy-production.yml

@@ -92,7 +92,7 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd  # v1
         with:
-          ruby-version: 3.4.5
+          ruby-version: 3.4.8
           bundler-cache: true
 
       - name: Install dependencies
@@ -236,7 +236,7 @@ jobs:
 
     steps:
       - name: Manual approval checkpoint
-        run: |
+        run: | # nosemgrep: yaml.github-actions.security.run-shell-injection.run-shell-injection
           echo "=================================="
           echo "🚨 PRODUCTION DEPLOYMENT"
           echo "=================================="
@@ -511,7 +511,7 @@ jobs:
           fi
 
       - name: Display notification
-        run: |
+        run: | # nosemgrep: yaml.github-actions.security.run-shell-injection.run-shell-injection
           echo "=============================================="
           echo "${{ env.STATUS }}"
           echo "${{ env.MESSAGE }}"

.github/workflows/deploy-staging.yml

@@ -51,7 +51,7 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd  # v1
         with:
-          ruby-version: 3.4.5
+          ruby-version: 3.4.8
           bundler-cache: true
 
       - name: Install dependencies
@@ -262,7 +262,7 @@ jobs:
           fi
 
       - name: Display notification
-        run: |
+        run: | # nosemgrep: yaml.github-actions.security.run-shell-injection.run-shell-injection
           echo "======================================"
           echo "${{ env.STATUS }}"
           echo "${{ env.MESSAGE }}"

.github/workflows/nightly-security.yml

@@ -1,10 +1,9 @@
 name: Nightly Security Audit
 
 on:
-  # TODO: Reativar quando em produção
-  # schedule:
-  #   # Run every night at 1am UTC
-  #   - cron: '0 1 * * *'
+  schedule:
+    # Run every night at 1am UTC
+    - cron: '0 1 * * *'
   workflow_dispatch:
 
 permissions:
@@ -15,6 +14,8 @@ jobs:
   full-security-audit:
     name: Complete Security Audit
     runs-on: ubuntu-latest
+    env:
+      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
     services:
       postgres:
         image: postgres:14
@@ -46,38 +47,40 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd  # v1
         with:
-          ruby-version: 3.4.5
+          ruby-version: 3.4.8
           bundler-cache: true
 
       - name: Setup Database
         env:
           RAILS_ENV: test
-          DATABASE_URL: postgres://postgres:postgres@localhost:5432/prostaff_test
+          TEST_DATABASE_URL: postgres://postgres:postgres@localhost:5432/prostaff_test
+          REDIS_URL: redis://localhost:6379/0
+          SECRET_KEY_BASE: nightly_audit_secret_key_base_not_for_production
+          JWT_SECRET_KEY: nightly_audit_jwt_secret_not_for_production
         run: |
           bundle exec rails db:create
           bundle exec rails db:migrate
 
       - name: Start Rails Server
         env:
           RAILS_ENV: test
-          DATABASE_URL: postgres://postgres:postgres@localhost:5432/prostaff_test
+          TEST_DATABASE_URL: postgres://postgres:postgres@localhost:5432/prostaff_test
           REDIS_URL: redis://localhost:6379/0
+          SECRET_KEY_BASE: nightly_audit_secret_key_base_not_for_production
+          JWT_SECRET_KEY: nightly_audit_jwt_secret_not_for_production
         run: |
-          bundle exec rails server -p 3333 -e test &
-          sleep 10
-          curl -f http://localhost:3333/up || exit 1
+          bundle exec rails server -p 3333 -e test -d
+          timeout 60 bash -c 'until curl -sf http://localhost:3333/up; do sleep 2; done'
 
-      - name: Install Security Tools
-        run: |
-          gem install brakeman bundler-audit
-          docker pull zaproxy/zap-stable
+      - name: Install ZAP
+        run: docker pull zaproxy/zap-stable
 
       - name: Create Reports Directory
         run: mkdir -p security_tests/reports/nightly
 
       - name: Run Brakeman
         run: |
-          brakeman --rails7 \
+          bundle exec brakeman --rails7 \
             --format json \
             --output security_tests/reports/nightly/brakeman.json \
             --format html \
@@ -86,13 +89,18 @@ jobs:
 
       - name: Run Bundle Audit
         run: |
-          bundle-audit update
-          bundle-audit check > security_tests/reports/nightly/bundle-audit.txt || true
+          bundle exec bundler-audit update
+          bundle exec bundler-audit check \
+            --format json \
+            --output security_tests/reports/nightly/bundle-audit.json \
+            || true
+          # Also write plain text for human readability
+          bundle exec bundler-audit check > security_tests/reports/nightly/bundle-audit.txt || true
 
       - name: Run ZAP Baseline Scan
         run: |
           docker run --rm --network="host" \
-            -v $(pwd)/security_tests/reports/nightly:/zap/wrk:rw \
+            -v "$(pwd)/security_tests/reports/nightly:/zap/wrk:rw" \
             zaproxy/zap-stable \
             zap-baseline.py \
             -t http://localhost:3333 \
@@ -102,10 +110,10 @@ jobs:
       - name: Run ZAP API Scan
         run: |
           docker run --rm --network="host" \
-            -v $(pwd)/security_tests/reports/nightly:/zap/wrk:rw \
+            -v "$(pwd)/security_tests/reports/nightly:/zap/wrk:rw" \
             zaproxy/zap-stable \
             zap-api-scan.py \
-            -t http://localhost:3333/api-docs/v1/swagger.json \
+            -t http://localhost:3333/api-docs/v1/swagger.yaml \
             -f openapi \
             -r zap-api.html \
             -J zap-api.json || true
@@ -114,114 +122,116 @@ jobs:
         id: parse
         run: |
           # Brakeman
-          BRAKEMAN_HIGH=$(jq '[.warnings[] | select(.confidence == "High")] | length' security_tests/reports/nightly/brakeman.json)
-          BRAKEMAN_TOTAL=$(jq '.warnings | length' security_tests/reports/nightly/brakeman.json)
+          BRAKEMAN_HIGH=$(jq '[.warnings[] | select(.confidence == "High")] | length' \
+            security_tests/reports/nightly/brakeman.json 2>/dev/null || echo "0")
+          BRAKEMAN_TOTAL=$(jq '.warnings | length' \
+            security_tests/reports/nightly/brakeman.json 2>/dev/null || echo "0")
 
           # Bundle Audit
-          if grep -q "Vulnerabilities found" security_tests/reports/nightly/bundle-audit.txt; then
+          if grep -q "Vulnerabilities found" security_tests/reports/nightly/bundle-audit.txt 2>/dev/null; then
             VULNERABILITIES="true"
           else
             VULNERABILITIES="false"
           fi
 
           # ZAP
-          ZAP_HIGH=$(jq '[.site[0].alerts[] | select(.riskcode == "3")] | length' security_tests/reports/nightly/zap-baseline.json 2>/dev/null || echo "0")
-          ZAP_MEDIUM=$(jq '[.site[0].alerts[] | select(.riskcode == "2")] | length' security_tests/reports/nightly/zap-baseline.json 2>/dev/null || echo "0")
+          ZAP_HIGH=$(jq '[.site[0].alerts[] | select(.riskcode == "3")] | length' \
+            security_tests/reports/nightly/zap-baseline.json 2>/dev/null || echo "0")
+          ZAP_MEDIUM=$(jq '[.site[0].alerts[] | select(.riskcode == "2")] | length' \
+            security_tests/reports/nightly/zap-baseline.json 2>/dev/null || echo "0")
 
-          echo "brakeman_high=$BRAKEMAN_HIGH" >> $GITHUB_OUTPUT
-          echo "brakeman_total=$BRAKEMAN_TOTAL" >> $GITHUB_OUTPUT
-          echo "vulnerabilities=$VULNERABILITIES" >> $GITHUB_OUTPUT
-          echo "zap_high=$ZAP_HIGH" >> $GITHUB_OUTPUT
-          echo "zap_medium=$ZAP_MEDIUM" >> $GITHUB_OUTPUT
+          echo "brakeman_high=$BRAKEMAN_HIGH"   >> "$GITHUB_OUTPUT"
+          echo "brakeman_total=$BRAKEMAN_TOTAL" >> "$GITHUB_OUTPUT"
+          echo "vulnerabilities=$VULNERABILITIES" >> "$GITHUB_OUTPUT"
+          echo "zap_high=$ZAP_HIGH"             >> "$GITHUB_OUTPUT"
+          echo "zap_medium=$ZAP_MEDIUM"         >> "$GITHUB_OUTPUT"
 
       - name: Generate Summary
         if: always()
         run: |
-          cat > security_tests/reports/nightly/SUMMARY.md << EOF
-          # Nightly Security Audit Summary
-
-          **Date:** $(date)
-          **Run:** #${{ github.run_number }}
+          cat >> "$GITHUB_STEP_SUMMARY" << EOF
+          # Nightly Security Audit — $(date -u '+%Y-%m-%d %H:%M UTC')
 
-          ## Results
+          ## Brakeman (SAST)
+          - Total warnings: ${{ steps.parse.outputs.brakeman_total }}
+          - High confidence: ${{ steps.parse.outputs.brakeman_high }}
 
-          ### Brakeman (Code Security)
-          - Total Warnings: ${{ steps.parse.outputs.brakeman_total }}
-          - High Confidence: ${{ steps.parse.outputs.brakeman_high }}
-
-          ### Bundle Audit (Dependencies)
+          ## Bundle Audit (CVEs)
           - Vulnerabilities: ${{ steps.parse.outputs.vulnerabilities }}
 
-          ### OWASP ZAP (Runtime Security)
-          - High Risk: ${{ steps.parse.outputs.zap_high }}
-          - Medium Risk: ${{ steps.parse.outputs.zap_medium }}
+          ## OWASP ZAP (DAST)
+          - High risk: ${{ steps.parse.outputs.zap_high }}
+          - Medium risk: ${{ steps.parse.outputs.zap_medium }}
 
           ## Status
-
-          $(if [ "${{ steps.parse.outputs.brakeman_high }}" -gt "0" ] || [ "${{ steps.parse.outputs.vulnerabilities }}" == "true" ] || [ "${{ steps.parse.outputs.zap_high }}" -gt "0" ]; then
-            echo "⚠️ **ACTION REQUIRED:** Critical security issues detected!"
+          $(if [ "${{ steps.parse.outputs.brakeman_high }}" -gt "0" ] \
+              || [ "${{ steps.parse.outputs.vulnerabilities }}" = "true" ] \
+              || [ "${{ steps.parse.outputs.zap_high }}" -gt "0" ]; then
+            echo "⚠️ **ACTION REQUIRED — critical security issues detected!**"
           else
-            echo "✅ No critical security issues found."
+            echo "✅ No critical issues found."
           fi)
-
-          ## Reports
-
-          - [Brakeman HTML Report](brakeman.html)
-          - [ZAP Baseline Report](zap-baseline.html)
-          - [ZAP API Report](zap-api.html)
-          - [Bundle Audit Report](bundle-audit.txt)
           EOF
 
-      - name: Job Summary
-        if: always()
-        run: |
-          cat security_tests/reports/nightly/SUMMARY.md >> $GITHUB_STEP_SUMMARY
-
       - name: Upload Reports
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         with:
           name: nightly-security-reports-${{ github.run_number }}
           path: security_tests/reports/nightly/
+          retention-days: 30
 
       - name: Create GitHub Issue on Failure
-        if: steps.parse.outputs.brakeman_high > 0 || steps.parse.outputs.vulnerabilities == 'true' || steps.parse.outputs.zap_high > 0
+        if: >
+          steps.parse.outputs.brakeman_high > 0 ||
+          steps.parse.outputs.vulnerabilities == 'true' ||
+          steps.parse.outputs.zap_high > 0
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410  # v6
         with:
           script: |
-            const fs = require('fs');
-            const summary = fs.readFileSync('security_tests/reports/nightly/SUMMARY.md', 'utf8');
-
-            const issues = await github.rest.issues.listForRepo({
+            const date = new Date().toISOString().split('T')[0];
+            const title = `⚠️ Nightly Security Audit Failed — ${date}`;
+            const body = [
+              `## Nightly Security Audit — ${date}`,
+              '',
+              `- **Brakeman high**: ${{ steps.parse.outputs.brakeman_high }}`,
+              `- **CVEs found**: ${{ steps.parse.outputs.vulnerabilities }}`,
+              `- **ZAP high risk**: ${{ steps.parse.outputs.zap_high }}`,
+              `- **ZAP medium risk**: ${{ steps.parse.outputs.zap_medium }}`,
+              '',
+              `[View run artifacts](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`,
+            ].join('\n');
+
+            const { data: issues } = await github.rest.issues.listForRepo({
               owner: context.repo.owner,
               repo: context.repo.repo,
               state: 'open',
-              labels: 'security,automated'
+              labels: 'security,automated',
             });
 
-            const existingIssue = issues.data.find(issue =>
-              issue.title.includes('Nightly Security Audit Failed')
-            );
-
-            if (existingIssue) {
+            const existing = issues.find(i => i.title.includes('Nightly Security Audit Failed'));
+            if (existing) {
               await github.rest.issues.createComment({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                issue_number: existingIssue.number,
-                body: `## Update: ${new Date().toISOString()}\n\n${summary}`
+                issue_number: existing.number,
+                body: `## Update — ${new Date().toISOString()}\n\n${body}`,
               });
             } else {
               await github.rest.issues.create({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                title: `⚠️ Nightly Security Audit Failed - ${new Date().toISOString().split('T')[0]}`,
-                body: summary,
-                labels: ['security', 'automated', 'critical']
+                title,
+                body,
+                labels: ['security', 'automated', 'critical'],
               });
             }
 
       - name: Fail on Critical Issues
-        if: steps.parse.outputs.brakeman_high > 0 || steps.parse.outputs.vulnerabilities == 'true' || steps.parse.outputs.zap_high > 0
+        if: >
+          steps.parse.outputs.brakeman_high > 0 ||
+          steps.parse.outputs.vulnerabilities == 'true' ||
+          steps.parse.outputs.zap_high > 0
         run: |
-          echo "::error::Critical security issues detected!"
+          echo "::error::Critical security issues detected — check the uploaded reports."
           exit 1