jordanlambrecht · jordanlambrecht · Mar 27, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/.env.example b/.env.example
@@ -17,6 +17,7 @@ TZ=America/Chicago
 
 # PORT=3000
 # BASE_URL=https://trackertracker.example.com
+# SECURE_COOKIES=true
 # LOG_LEVEL=debug
 # POSTGRES_DB=tracker_tracker
 
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -42,7 +42,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 

diff --git a/.github/workflows/knip-report.yml b/.github/workflows/knip-report.yml
@@ -105,7 +105,7 @@ jobs:
           fi
 
       - name: Post PR Comment
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@v3
         with:
           header: knip-report
           path: knip-report.md

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -105,7 +105,7 @@ jobs:
 
       - name: Generate SBOM
         if: steps.tag.outputs.should_release == 'true'
-        uses: anchore/sbom-action@v0.23.1
+        uses: anchore/sbom-action@v0.24.0
         with:
           image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.version }}
           artifact-name: sbom-tracker-tracker.spdx.json

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -29,6 +29,9 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Check for known dependency vulnerabilities
+        run: pnpm audit --audit-level=high || echo "::warning::pnpm audit found high-severity vulnerabilities"
+
       - name: Verify security test count
         run: |
           COUNT=$(pnpm test:run -- src/lib/__tests__/security.test.ts 2>&1 \
@@ -37,19 +40,31 @@ jobs:
             | grep -oE '[0-9]+ test' \
             | grep -oE '[0-9]+')
           echo "Security tests: $COUNT"
-          if [ "$COUNT" -lt 98 ]; then
-            echo "::error::Security test count dropped below expected minimum (98). Was a test removed?"
+          if [ "$COUNT" -lt 106 ]; then
+            echo "::error::Security test count dropped below expected minimum (106). Was a test removed?"
             exit 1
           fi
 
       - name: Run security audit
         id: security-audit
         continue-on-error: true
         run: |
-          pnpm exec tsx scripts/security-audit.ts > /tmp/security-results.json
-          echo "exit_code=$?" >> "$GITHUB_OUTPUT"
+          pnpm exec tsx scripts/security-audit.ts > /tmp/security-results.json; echo "audit_exit=$?" >> "$GITHUB_OUTPUT"
           cat /tmp/security-results.json
 
+      - name: Verify audit check count
+        run: |
+          if [ ! -f /tmp/security-results.json ]; then
+            echo "::error::Security audit produced no output"
+            exit 1
+          fi
+          TOTAL=$(python3 -c "import json; print(json.load(open('/tmp/security-results.json'))['summary']['total'])")
+          echo "Audit checks: $TOTAL"
+          if [ "$TOTAL" -lt 36 ]; then
+            echo "::error::Audit check count dropped below expected minimum (36). Was a check removed?"
+            exit 1
+          fi
+
       - name: Comment on PR with security audit results
         if: github.event_name == 'pull_request'
         uses: actions/github-script@v8
@@ -214,5 +229,5 @@ jobs:
             }
 
       - name: Fail if security audit has critical findings
-        if: steps.security-audit.outcome == 'failure'
+        if: steps.security-audit.outputs.audit_exit != '0'
         run: exit 1
diff --git a/.markdownlint.json b/.markdownlint.json
@@ -1,5 +1,7 @@
 {
   "MD013": false,
   "MD024": false,
-  "MD025": false
+  "MD025": false,
+  "MD033": false,
+  "MD041": false
 }
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1 @@
+# docs/**/*.md
diff --git a/.trivyignore b/.trivyignore
@@ -1,19 +1,20 @@
-# Alpine zlib — fix requires base image rebuild. Will resolve when node:24-alpine or node:25-alpine ships with zlib 1.3.2-r0.
+# Alpine zlib — fix requires base image rebuild. Will resolve when node:24-alpine ships with zlib 1.3.2-r0.
 CVE-2026-22184
 
-# minimatch — transitive via npm internals. No direct dep to bump.
+# minimatch — transitive via npm internals baked into base image. Stripped from runner but may appear in intermediate stages.
 CVE-2026-26996
 CVE-2026-27903
 CVE-2026-27904
 
-# node-tar — transitive via npm internals. No direct dep to bump.
+# node-tar — transitive via npm internals baked into base image. Stripped from runner but may appear in intermediate stages.
 CVE-2026-26960
 CVE-2026-29786
 CVE-2026-31802
 
-# esbuild Go stdlib — build tool binary, not runtime; CVEs apply to the Go runtime bundled in esbuild (transitive via drizzle-kit).
-# Cannot fix until esbuild releases a version compiled with a patched Go toolchain.
+# esbuild Go stdlib (1.23.x) — build tool binary in schema-sync, not a runtime service. Runs once at startup for drizzle-kit push.
+# Cannot fix until esbuild ships a release built with Go 1.24.13+.
 CVE-2025-47912
+CVE-2025-58183
 CVE-2025-58185
 CVE-2025-58186
 CVE-2025-58187
@@ -22,8 +23,12 @@ CVE-2025-58189
 CVE-2025-61723
 CVE-2025-61724
 CVE-2025-61725
+CVE-2025-61726
 CVE-2025-61727
+CVE-2025-61728
+CVE-2025-61729
 CVE-2025-61730
+CVE-2025-68121
 CVE-2026-25679
 CVE-2026-27139
 CVE-2026-27142
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -15,5 +15,6 @@
   },
   "[css]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
-  }
+  },
+  "conventionalCommits.scopes": ["auth"]
 }