Chore/test coverage hardening

.github/workflows/codeql.yml

@@ -1,10 +1,8 @@
-name: CodeQL
+name: "CodeQL (Scheduled)"
 
+# Schedule-only: weekly deep scan with latest CodeQL rules.
+# Push/PR analysis is handled by the main ci.yml workflow.
 on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
   schedule:
     - cron: '0 6 * * 1' # Weekly on Monday at 06:00 UTC
 
@@ -37,17 +35,18 @@ jobs:
           cache: maven
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
         with:
           languages: ${{ matrix.language }}
+          queries: security-extended
 
       - name: Set execute permission for mvnw
         run: chmod +x mvnw
 
       - name: Build
-        run: ./mvnw clean compile -DskipTests -B
+        run: ./mvnw clean compile -DskipTests -B --no-transfer-progress
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/docker-pull-notify.yml

@@ -3,6 +3,7 @@ name: Project Metrics Tracker
 on:
   schedule:
     - cron: '*/15 * * * *' # every 15 min — collect metrics + push to analytics
+    - cron: '0 18 * * *'    # daily — 6pm UTC, digest (only if activity)
     - cron: '0 9 * * 0'    # weekly — Sunday 9am UTC, Slack digest
   workflow_dispatch:
     inputs:
@@ -40,11 +41,14 @@ jobs:
             echo "week_docker=$(jq -r '.week_docker // 0' metrics.json)" >> "$GITHUB_OUTPUT"
             echo "week_stars=$(jq -r '.week_stars // 0' metrics.json)" >> "$GITHUB_OUTPUT"
             echo "week_forks=$(jq -r '.week_forks // 0' metrics.json)" >> "$GITHUB_OUTPUT"
+            echo "day_docker=$(jq -r '.day_docker // 0' metrics.json)" >> "$GITHUB_OUTPUT"
+            echo "day_stars=$(jq -r '.day_stars // 0' metrics.json)" >> "$GITHUB_OUTPUT"
+            echo "day_forks=$(jq -r '.day_forks // 0' metrics.json)" >> "$GITHUB_OUTPUT"
             echo "last_milestone=$(jq -r '.last_milestone // 0' metrics.json)" >> "$GITHUB_OUTPUT"
             echo "has_data=true" >> "$GITHUB_OUTPUT"
           else
             echo "has_data=false" >> "$GITHUB_OUTPUT"
-            for key in docker_pulls stars forks week_docker week_stars week_forks last_milestone; do
+            for key in docker_pulls stars forks week_docker week_stars week_forks day_docker day_stars day_forks last_milestone; do
               echo "${key}=0" >> "$GITHUB_OUTPUT"
             done
           fi
@@ -259,10 +263,72 @@ jobs:
               ]
             }"
 
+      # ── Daily digest (only if activity) ──────────────────────
+      - name: Daily digest
+        if: >-
+          github.event.schedule == '0 18 * * *'
+          && steps.prev.outputs.has_data == 'true'
+        continue-on-error: true
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+        run: |
+          if [ -z "$SLACK_WEBHOOK" ]; then
+            echo "No SLACK_WEBHOOK_URL configured, skipping"
+            exit 0
+          fi
+
+          PULLS=${{ steps.docker.outputs.pulls }}
+          STARS=${{ steps.github.outputs.stars }}
+          FORKS=${{ steps.github.outputs.forks }}
+          VIEWS=${{ steps.traffic.outputs.views }}
+          CLONES=${{ steps.traffic.outputs.clones }}
+
+          DAY_PULL_DIFF=$(( PULLS - ${{ steps.prev.outputs.day_docker }} ))
+          DAY_STAR_DIFF=$(( STARS - ${{ steps.prev.outputs.day_stars }} ))
+          DAY_FORK_DIFF=$(( FORKS - ${{ steps.prev.outputs.day_forks }} ))
+
+          # Only send if something actually changed today
+          if [ "$DAY_PULL_DIFF" -eq 0 ] && [ "$DAY_STAR_DIFF" -eq 0 ] && [ "$DAY_FORK_DIFF" -eq 0 ]; then
+            echo "No daily activity — skipping digest"
+            exit 0
+          fi
+
+          # Build sign prefixes
+          pull_sign=""; [ "$DAY_PULL_DIFF" -gt 0 ] && pull_sign="+"
+          star_sign=""; [ "$DAY_STAR_DIFF" -gt 0 ] && star_sign="+"
+          fork_sign=""; [ "$DAY_FORK_DIFF" -gt 0 ] && fork_sign="+"
+
+          PULLS_FMT=$(printf "%'d" "$PULLS")
+
+          curl -sf -X POST "$SLACK_WEBHOOK" \
+            -H 'Content-type: application/json' \
+            -d "{
+              \"blocks\": [
+                {
+                  \"type\": \"header\",
+                  \"text\": { \"type\": \"plain_text\", \"text\": \"📈  EDDI Daily Update\", \"emoji\": true }
+                },
+                {
+                  \"type\": \"section\",
+                  \"text\": {
+                    \"type\": \"mrkdwn\",
+                    \"text\": \"🐳 *Pulls:* ${PULLS_FMT} (${pull_sign}${DAY_PULL_DIFF})  ·  ⭐ *Stars:* ${STARS} (${star_sign}${DAY_STAR_DIFF})  ·  🍴 *Forks:* ${FORKS} (${fork_sign}${DAY_FORK_DIFF})\"
+                  }
+                },
+                {
+                  \"type\": \"context\",
+                  \"elements\": [
+                    { \"type\": \"mrkdwn\", \"text\": \"👀 Views: ${VIEWS} · 📥 Clones: ${CLONES} · <https://github.com/labsai/EDDI|GitHub>\" }
+                  ]
+                }
+              ]
+            }"
+
       # ── Save updated metrics ────────────────────────────────
       - name: Build metrics snapshot
         run: |
           IS_WEEKLY="${{ github.event.schedule == '0 9 * * 0' || github.event.inputs.force_digest == 'true' }}"
+          IS_DAILY="${{ github.event.schedule == '0 18 * * *' }}"
 
           # On weekly digest, reset the week baseline
           if [ "$IS_WEEKLY" = "true" ]; then
@@ -275,10 +341,24 @@ jobs:
             WEEK_FORKS=${{ steps.prev.outputs.week_forks }}
           fi
 
-          # First run: initialize week baseline
+          # On daily digest (or weekly), reset the day baseline
+          if [ "$IS_DAILY" = "true" ] || [ "$IS_WEEKLY" = "true" ]; then
+            DAY_DOCKER=${{ steps.docker.outputs.pulls }}
+            DAY_STARS=${{ steps.github.outputs.stars }}
+            DAY_FORKS=${{ steps.github.outputs.forks }}
+          else
+            DAY_DOCKER=${{ steps.prev.outputs.day_docker }}
+            DAY_STARS=${{ steps.prev.outputs.day_stars }}
+            DAY_FORKS=${{ steps.prev.outputs.day_forks }}
+          fi
+
+          # First run: initialize baselines
           [ "$WEEK_DOCKER" = "0" ] && WEEK_DOCKER=${{ steps.docker.outputs.pulls }}
           [ "$WEEK_STARS" = "0" ] && WEEK_STARS=${{ steps.github.outputs.stars }}
           [ "$WEEK_FORKS" = "0" ] && WEEK_FORKS=${{ steps.github.outputs.forks }}
+          [ "$DAY_DOCKER" = "0" ] && DAY_DOCKER=${{ steps.docker.outputs.pulls }}
+          [ "$DAY_STARS" = "0" ] && DAY_STARS=${{ steps.github.outputs.stars }}
+          [ "$DAY_FORKS" = "0" ] && DAY_FORKS=${{ steps.github.outputs.forks }}
 
           # Current milestone marker
           CURRENT_MS=$(( ${{ steps.docker.outputs.pulls }} / 10000 * 10000 ))
@@ -290,9 +370,13 @@ jobs:
             --argjson week_docker "$WEEK_DOCKER" \
             --argjson week_stars "$WEEK_STARS" \
             --argjson week_forks "$WEEK_FORKS" \
+            --argjson day_docker "$DAY_DOCKER" \
+            --argjson day_stars "$DAY_STARS" \
+            --argjson day_forks "$DAY_FORKS" \
             --argjson last_milestone "$CURRENT_MS" \
             '{docker_pulls: $docker_pulls, stars: $stars, forks: $forks,
               week_docker: $week_docker, week_stars: $week_stars, week_forks: $week_forks,
+              day_docker: $day_docker, day_stars: $day_stars, day_forks: $day_forks,
               last_milestone: $last_milestone}' > metrics.json
 
           echo "Saved metrics:"

.gitleaksignore

@@ -0,0 +1,13 @@
+# Gitleaks Ignore File
+# ─────────────────────────────────────────────────────────────────
+# Add fingerprints here to suppress known false positives.
+# Each entry must be justified with a comment explaining why.
+#
+# To get a fingerprint, run: gitleaks detect --report-format json
+# and copy the "Fingerprint" field from the finding.
+#
+# Format:
+#   <fingerprint>  # <reason for suppression>
+#
+# Review this file periodically to ensure suppressions are still valid.
+# ─────────────────────────────────────────────────────────────────

.trivyignore

@@ -0,0 +1,15 @@
+# Trivy Ignore File
+# ─────────────────────────────────────────────────────────────────
+# Add CVE IDs here to suppress known false positives or accepted risks.
+# Each entry must be justified with a comment explaining why.
+#
+# Format:
+#   # <reason for suppression>
+#   CVE-YYYY-NNNNN
+#
+# Example:
+#   # Disputed CVE — no actual impact in our usage of library X
+#   CVE-2024-99999
+#
+# Review this file periodically to ensure suppressions are still valid.
+# ─────────────────────────────────────────────────────────────────

AGENTS.md

@@ -97,7 +97,7 @@ Follow this order unless the user explicitly requests something different.
 | —     | GDPR/CCPA Framework      | Cascading erasure, data portability, Art. 18 restriction, per-category retention                    |
 | —     | Commit Flags             | Strict write discipline for memory — uncommit failed task data, error digest injection              |
 | —     | Template Preview         | REST endpoint for previewing resolved system prompts with sample/live data                          |
-| —     | RC2 Hardening            | 2,000+ unit tests, 250+ integration tests, branding overhaul, rules deserialization fix             |
+| —     | RC2 Hardening            | 3,500+ unit tests, 550+ integration tests, branding overhaul, rules deserialization fix             |
 | —     | Security Hardening v6.0.2 | SSRF prevention, SafeHttpClient, auth guard, vault salt, security headers, CodeQL + Trivy CI       |
 
 ### In Progress / Upcoming

README.md

@@ -2,9 +2,9 @@
 
 # E.D.D.I — Multi-Agent Orchestration Middleware for Conversational AI
 
-[![Codacy Badge](https://app.codacy.com/project/badge/Grade/2c5d183d4bd24dbaa77427cfbf5d4074)](https://app.codacy.com/organizations/gh/labsai/dashboard?utm_source=github.com&utm_medium=referral&utm_content=labsai/EDDI&utm_campaign=Badge_Grade) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12355/badge)](https://www.bestpractices.dev/projects/12355) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/labsai/EDDI/badge)](https://securityscorecards.dev/viewer/?uri=github.com/labsai/EDDI) ![Tests](https://img.shields.io/badge/tests-2%2C400%2B-brightgreen)
+[![Codacy Badge](https://app.codacy.com/project/badge/Grade/2c5d183d4bd24dbaa77427cfbf5d4074)](https://app.codacy.com/organizations/gh/labsai/dashboard?utm_source=github.com&utm_medium=referral&utm_content=labsai/EDDI&utm_campaign=Badge_Grade) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12355/badge)](https://www.bestpractices.dev/projects/12355) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/labsai/EDDI/badge)](https://securityscorecards.dev/viewer/?uri=github.com/labsai/EDDI)
 
-[![CI](https://github.com/labsai/EDDI/actions/workflows/ci.yml/badge.svg)](https://github.com/labsai/EDDI/actions/workflows/ci.yml) [![CodeQL](https://github.com/labsai/EDDI/actions/workflows/codeql.yml/badge.svg)](https://github.com/labsai/EDDI/actions/workflows/codeql.yml)
+[![CI](https://github.com/labsai/EDDI/actions/workflows/ci.yml/badge.svg)](https://github.com/labsai/EDDI/actions/workflows/ci.yml) [![CodeQL](https://github.com/labsai/EDDI/actions/workflows/codeql.yml/badge.svg)](https://github.com/labsai/EDDI/actions/workflows/codeql.yml) ![Tests](https://img.shields.io/badge/tests-4%2C600%2B-brightgreen) ![Coverage](https://img.shields.io/badge/coverage-%3E80%25-brightgreen)
 
 [![Docker Pulls](https://img.shields.io/docker/pulls/labsai/eddi)](https://hub.docker.com/r/labsai/eddi) [![Repository: AI Ready](https://img.shields.io/badge/Repository-AI_Ready-blueviolet?logo=robot)](AGENTS.md)
 
@@ -607,9 +607,16 @@ EDDI ships with security-by-default for production deployments:
 - **Secrets encrypted at rest** — Envelope encryption (PBKDF2 → AES-256-GCM) with per-deployment salt. Never plaintext in DB
 - **SSRF protection** — All LLM tool HTTP calls go through `SafeHttpClient` with private IP blocking, redirect validation, and scheme enforcement
 - **Security headers** — `X-Content-Type-Options`, `X-Frame-Options`, `Content-Security-Policy` configured out of the box
-- **CI scanning** — CodeQL (semantic analysis) + Trivy (CVE scanning) + dependency review on every PR
-
-For vulnerability reports, see our [Security Policy](SECURITY.md). For architecture details, see [Security Architecture](docs/architecture.md#security-architecture).
+- **CI/CD security gates** — Every push/PR is scanned by:
+  - **CodeQL** — Semantic SAST analysis with `security-extended` queries
+  - **Trivy** — CVE scanning for both filesystem dependencies and Docker images (blocking on CRITICAL/HIGH)
+  - **Gitleaks** — Git history scanning to prevent secret/credential leakage
+  - **ZAP** — DAST API scanning against the live Docker image (report-only)
+  - **CycloneDX** — SBOM generation for supply chain transparency
+  - **Jazzer** — Coverage-guided fuzz testing for security-critical parsers (PathNavigator, MatchingUtilities)
+  - All actions SHA-pinned to prevent supply-chain attacks
+
+For vulnerability reports, see our [Security Policy](SECURITY.md). For architecture details, see [Security Architecture](docs/security.md).
 
 ## 📜 Code of Conduct