Update footer credit and add contact link

.agents/auto-merge-deploy-fixes.yaml

@@ -0,0 +1,25 @@
+---
+name: "auto-merge-deploy-fixes"
+description: "Automatically merge deployment validation fixes generated by the repo-agent once their CI checks pass."
+schedule: "@every 15m"
+---
+
+You are an automation agent for Overseer. Your task is to automatically merge Pull Requests that were generated to fix deployment validation failures, provided their CI checks are green.
+
+### Research
+1.  List all open Pull Requests authored by `codebot-sfle` (or the configured robot account).
+    - Use `gh pr list --author codebot-sfle --state open --json number,title,headRefOid,mergeable`
+2.  Filter the list for PRs whose title contains "Deployment Validation Failure" or "deployment validation".
+
+### Strategy
+1.  For each matching PR, check the status of its CI checks using the GitHub API:
+    - `gh api repos/{owner}/{repo}/commits/{headRefOid}/check-runs`
+2.  Verify that all required checks (excluding "Post-Deployment Validation" and "Handle Deployment Failure", which run on main) have a conclusion of "success", "skipped", or "neutral".
+3.  Verify the PR has no merge conflicts (`mergeable` is `MERGEABLE` or `true`).
+
+### Execution
+1.  If the PR is clean and all CI checks are passing, use the GitHub CLI to squash and merge it:
+    - `gh pr merge <number> --squash --delete-branch`
+2.  Log the PR number that was merged.
+3.  If the PR is still pending checks, do nothing and wait for the next cycle.
+4.  Do not merge PRs that have failed checks or merge conflicts.

.agents/branch-cleanup.yaml

@@ -0,0 +1,23 @@
+name: "branch-cleanup"
+description: "Periodically identify and delete stale, merged, or orphaned branches to keep the repository clean."
+schedule: "@daily"
+instructions: |
+  You are a chore agent for Overseer. Your task is to perform housekeeping on the repository branches.
+
+  ### Research
+  1.  List all remote branches that have been merged into the default branch (`main`).
+  2.  List all remote branches that do NOT have an open Pull Request associated with them.
+  3.  Identify branches that are neither `main` nor other protected/active branches.
+
+  ### Strategy
+  1.  **For Merged Branches:**
+      -   Identify branches that Git confirms are fully merged into `main`.
+      -   Mark these for deletion.
+  2.  **For Orphaned Branches:**
+      -   Identify branches that have no associated open PR and haven't seen activity in over 2 weeks.
+      -   Mark these for deletion.
+
+  ### Execution
+  1.  Use `git push origin --delete <branch_name>` to remove the identified stale branches.
+  2.  Log the names of the branches that were deleted.
+  3.  Since this is a cleanup task on the remote, you may not need to commit any code changes, but ensure the remote state is updated.

.agents/security-audit.yaml

@@ -0,0 +1,56 @@
+name: "security-audit"
+description: >
+  Perform a weekly security and code quality audit of the application using
+  real-time security intelligence and Google Cloud native tools.
+schedule: "@weekly"
+instructions: |
+  You are a proactive security auditing agent for Overseer. Your task is to perform
+  a deep-dive security audit and track the results in GitHub.
+
+  ### Intelligence Gathering
+  1. **Web Research:** Use the internet to search for the latest vulnerabilities, CVEs,
+     and security advisories (from the last 30 days) related to our tech stack.
+  2. **Contextual Analysis:** Compare your findings against the current repository
+     state to identify any high-risk patterns.
+
+  ### Google Cloud Native Auditing
+  Since this application runs on Google Cloud, you MUST integrate these specific
+  checks into your audit:
+  1. **Artifact Registry Vulnerability Scanning:** Use the Google Cloud CLI (`gcloud`)
+     to check the vulnerability reports for the latest built container images in
+     Artifact Registry.
+     - Command: `gcloud artifacts vulnerabilities list --project=utba-swarmmap
+       --repository=swarmmap-repo --location=northamerica-northeast2`
+     - Analyze the output for any vulnerabilities with `SEVERITY="HIGH"` or `CRITICAL`.
+  2. **Cloud Run Security Posture:** Check the deployed Cloud Run services for
+     security best practices using `gcloud run services describe`.
+     - Ensure the service identity is using the principle of least privilege
+       (not the default compute service account).
+     - Ensure secrets are mounted via Secret Manager references, not passed
+       as plain environment variables.
+
+  ### Local Code Research
+  1. **Frontend Dependencies:** Run `npm audit` to check for known vulnerable packages.
+  2. **Backend Dependencies:** Inspect `go.mod` and run `govulncheck ./...` if available.
+  3. **Security Headers:** Verify the Content Security Policy (CSP) in
+     `backend/handlers/middleware.go`.
+
+  ### Strategy
+  1. **Master Tracking:** You MUST maintain a dedicated tracking issue titled
+     **"Weekly Security Audit & Validation Log"**. Search for this issue and append
+     your weekly high-level summary as a comment. Ensure the master issue has the
+     `security validation` label.
+  2. **Individual Triage:** Every single distinct vulnerability or security
+     misconfiguration you discover MUST be filed as a completely separate, individual
+     GitHub Issue. Do not group multiple vulnerabilities into a single bug report.
+
+  ### Execution
+  1. **Reporting Findings:** For *each* discovered vulnerability (including those
+     found via Google Cloud native tools), use `gh issue create` to open a new bug.
+     - **Title:** "Security Bug: [Specific CVE or Vulnerability Name]"
+     - **Body:** Detail the specific file(s) or GCP resource, the nature of the
+       threat, the output from the `gcloud` or `npm` command, and your concrete
+       recommendation for a fix.
+     - **Labels:** You MUST apply the `security validation`, `bug`, and `repo-agent`
+       labels to every single one of these individual issues. This ensures the
+       implementation agent picks them up immediately and fixes them one by one.

.dockerignore

@@ -1,3 +1,5 @@
+# Copyright (c) 2026 Frank Currie (frank@sfle.ca)
+
 # Ignore files not needed for the backend build
 frontend/
 frontend.Dockerfile

.gcloudignore

@@ -1,3 +1,5 @@
+# Copyright (c) 2026 Frank Currie (frank@sfle.ca)
+
 .gcloudignore
 .git
 .gitignore

.github/ISSUES.md

@@ -1,3 +1,4 @@
+<!-- Copyright (c) 2026 Frank Currie (frank@sfle.ca) -->
 # Known Issues
 
-All issues have been logged in the GitHub repository. Please refer to the [Issues page](https://github.com/fkcurrie/utba-swarmmap/issues) for the latest updates and details. 
+All issues have been logged in the GitHub repository. Please refer to the [Issues page](https://github.com/fkcurrie/utba-swarmmap/issues) for the latest updates and details.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -4,14 +4,14 @@ about: Create a report to help us improve
 title: ''
 labels: bug
 assignees: ''
-
 ---
 
 **Describe the bug**
 A clear and concise description of what the bug is.
 
 **To Reproduce**
 Steps to reproduce the behavior:
+
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
@@ -24,9 +24,10 @@ A clear and concise description of what you expected to happen.
 If applicable, add screenshots to help explain your problem.
 
 **Environment:**
- - OS: [e.g. iOS]
- - Browser [e.g. chrome, safari]
- - Version [e.g. 22]
+
+- OS: [e.g. iOS]
+- Browser [e.g. chrome, safari]
+- Version [e.g. 22]
 
 **Additional context**
-Add any other context about the problem here. 
+Add any other context about the problem here.

.github/workflows/deploy.yml

@@ -0,0 +1,198 @@
+# Copyright (c) 2026 Frank Currie (frank@sfle.ca)
+---
+name: Deploy to Cloud Run
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+  PROJECT_ID: utba-swarmmap
+  REGION: northamerica-northeast2
+  SERVICE: utba-swarmmap-backend
+  FRONTEND_SERVICE: utba-swarmmap-frontend
+  REPO: swarmmap-repo
+  GCS_BUCKET_NAME: utba-swarmmap-media
+
+jobs:
+  deploy:
+    name: Validate, Build, and Deploy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      issues: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'npm'
+
+      - name: Install Dependencies
+        run: npm ci
+
+      - name: Linting
+        run: |
+          npx eslint "frontend/static/js/**/*.js"
+          npx markdownlint "**/*.md" --ignore node_modules
+
+      - name: YAML Lint
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          file_or_dir: .
+          config_file: .yamllint.yaml
+
+      - name: Commitlint
+        uses: wagoid/commitlint-github-action@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: backend/go.mod
+          cache-dependency-path: backend/go.sum
+
+      - name: Backend Testing
+        run: |
+          cd backend
+          go test -v ./...
+
+      - name: Docker Build Test
+        run: |
+          docker build -t test-backend ./backend
+          docker build -t test-frontend ./frontend
+
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: 'projects/18499119240/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+          service_account: 'github-actions-deployer@utba-swarmmap.iam.gserviceaccount.com'
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Configure Docker
+        run: |
+          gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet
+
+      - name: Build and Push Frontend
+        run: |
+          IMAGE_NAME="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPO }}/frontend"
+          docker build -t "$IMAGE_NAME:${{ github.sha }}" ./frontend
+          docker tag "$IMAGE_NAME:${{ github.sha }}" "$IMAGE_NAME:latest"
+          docker push "$IMAGE_NAME:${{ github.sha }}"
+          docker push "$IMAGE_NAME:latest"
+
+      - name: Deploy Frontend to Cloud Run
+        id: deploy-frontend
+        uses: google-github-actions/deploy-cloudrun@v2
+        with:
+          service: ${{ env.FRONTEND_SERVICE }}
+          region: ${{ env.REGION }}
+          image: ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPO }}/frontend:${{ github.sha }}
+          flags: --allow-unauthenticated
+
+      - name: Get Backend URL
+        id: backend-url
+        run: |
+          URL=$(gcloud run services describe "${{ env.SERVICE }}" \
+            --platform=managed \
+            --region="${{ env.REGION }}" \
+            --format='value(status.url)' 2>/dev/null || echo "")
+          if [ -z "$URL" ]; then
+            PROJECT_NUMBER=$(gcloud projects describe "${{ env.PROJECT_ID }}" --format='value(projectNumber)')
+            URL="https://${{ env.SERVICE }}-${PROJECT_NUMBER}.${{ env.REGION }}.run.app"
+          fi
+          echo "url=$URL" >> $GITHUB_OUTPUT
+
+      - name: Build and Push Backend
+        run: |
+          cp -r frontend/static backend/static
+          IMAGE_NAME="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPO }}/backend"
+          docker build -t "$IMAGE_NAME:${{ github.sha }}" ./backend
+          docker tag "$IMAGE_NAME:${{ github.sha }}" "$IMAGE_NAME:latest"
+          docker push "$IMAGE_NAME:${{ github.sha }}"
+          docker push "$IMAGE_NAME:latest"
+
+      - name: Deploy Backend to Cloud Run
+        id: deploy-backend
+        uses: google-github-actions/deploy-cloudrun@v2
+        with:
+          service: ${{ env.SERVICE }}
+          region: ${{ env.REGION }}
+          image: ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPO }}/backend:${{ github.sha }}
+          flags: --allow-unauthenticated
+          env_vars: |
+            GOOGLE_REDIRECT_URL=${{ steps.backend-url.outputs.url }}/auth/google/callback
+            GCP_PROJECT_ID=${{ env.PROJECT_ID }}
+            GCS_BUCKET_NAME=${{ env.GCS_BUCKET_NAME }}
+            FRONTEND_ASSETS_URL=${{ steps.deploy-frontend.outputs.url }}
+          secrets: |
+            GOOGLE_CLIENT_ID=google-oauth-client-id:latest
+            GOOGLE_CLIENT_SECRET=google-oauth-client-secret:latest
+            MAPBOX_ACCESS_TOKEN=mapbox-access-token:latest
+            GITHUB_TOKEN=github-pat:latest
+      - name: Health Check
+        id: health-check
+        run: |
+          curl --retry 5 --retry-all-errors --retry-delay 5 -I --fail --silent --show-error "${{ steps.deploy-backend.outputs.url }}"
+
+      - name: Install Playwright Browsers
+        run: |
+          sudo npx playwright install-deps chromium
+          npx playwright install chromium
+
+      - name: Post-Deployment Validation
+        id: validation
+        run: |
+          # Use outputs directly to ensure we have the latest values
+          DEPLOYED_URL="${{ steps.deploy-backend.outputs.url }}"
+          BACKEND_URL="${{ steps.backend-url.outputs.url }}"
+          FINAL_URL="${DEPLOYED_URL:-$BACKEND_URL}"
+
+          echo "Validating deployment at URL: $FINAL_URL"
+          if [ -z "$FINAL_URL" ] || [ "$FINAL_URL" == "http://localhost:8085" ]; then
+            echo "Error: Could not determine deployment URL. DEPLOYED_URL='$DEPLOYED_URL', BACKEND_URL='$BACKEND_URL'"
+            exit 1
+          fi
+
+          echo "Waiting 5 seconds for service readiness..."
+          sleep 5
+
+          # Pass DEPLOYED_URL explicitly to the test command
+          DEPLOYED_URL="$FINAL_URL" npx playwright test e2e/validate-deployment.spec.js --config e2e/playwright.config.js
+
+      - name: Handle Deployment Failure
+        if: failure() && (steps.validation.outcome == 'failure' || steps.health-check.outcome == 'failure')
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          chmod +x scripts/handle-deployment-failure.sh
+          ./scripts/handle-deployment-failure.sh \
+            "${{ env.SERVICE }}" \
+            "${{ env.FRONTEND_SERVICE }}" \
+            "${{ env.REGION }}" \
+            "${{ steps.deploy-backend.outputs.url }}" \
+            "${{ github.sha }}"
+
+      - name: Upload Test Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 30

.github/workflows/e2e-startup.yaml

@@ -1,6 +1,10 @@
+# Copyright (c) 2026 Frank Currie (frank@sfle.ca)
 ---
 name: E2E Application Startup Check
 
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 "on":
   pull_request:
     branches: [main]
@@ -11,10 +15,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Build Services
         run: docker compose build --progress=plain