Mimah97 · pharuq411 · May 26, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/.env.dev.example b/.env.dev.example
@@ -26,6 +26,12 @@ DB_NAME=myfans
 # -----------------------------------------------------------------------------
 JWT_SECRET=dev-jwt-secret-change-me-to-a-strong-random-value
 
+# -----------------------------------------------------------------------------
+# Redis (optional — used for caching; defaults work with docker-compose.dev.yml)
+# -----------------------------------------------------------------------------
+REDIS_HOST=redis
+REDIS_PORT=6379
+
 # -----------------------------------------------------------------------------
 # Stellar / Soroban
 # Safe testnet defaults for local development

diff --git a/.github/workflows/audit-check.yml b/.github/workflows/audit-check.yml
@@ -25,6 +25,9 @@ jobs:
         with:
           node-version: "20"
 
+      - name: 🦀 Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+
       - name: 📦 Check backend audits
         id: backend-audit
         working-directory: ./backend
@@ -93,6 +96,46 @@ jobs:
             exit 1
           fi
 
+      - name: � Check Cargo audit (contract)
+        id: contract-audit
+        run: |
+          if [ -d "./contract" ] && [ -f "./contract/Cargo.toml" ]; then
+            echo "Installing cargo-audit..."
+            cargo install cargo-audit --quiet 2>&1 | grep -v "already installed" || true
+
+            cd ./contract
+            AUDIT_OUTPUT=$(cargo audit --json 2>/dev/null || echo '{"vulnerabilities":[]}')
+            CRITICAL=$(echo "$AUDIT_OUTPUT" | jq '[.vulnerabilities[] | select(.severity=="critical")] | length' 2>/dev/null || echo "0")
+            HIGH=$(echo "$AUDIT_OUTPUT" | jq '[.vulnerabilities[] | select(.severity=="high")] | length' 2>/dev/null || echo "0")
+            TOTAL=$(echo "$AUDIT_OUTPUT" | jq '.vulnerabilities | length' 2>/dev/null || echo "0")
+
+            echo "contract_critical=$CRITICAL" >> $GITHUB_OUTPUT
+            echo "contract_high=$HIGH" >> $GITHUB_OUTPUT
+            echo "contract_total=$TOTAL" >> $GITHUB_OUTPUT
+
+            echo "### 🔐 Contract (Cargo) Audit Results" >> $GITHUB_STEP_SUMMARY
+            echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
+            echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Critical | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
+            echo "| High | $HIGH |" >> $GITHUB_STEP_SUMMARY
+            echo "| Total | $TOTAL |" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+
+            if (( CRITICAL > 0 )); then
+              echo "❌ **CRITICAL vulnerabilities detected**" >> $GITHUB_STEP_SUMMARY
+              echo "::error::Critical Cargo vulnerabilities: $CRITICAL"
+              exit 1
+            fi
+            if (( HIGH > 0 )); then
+              echo "❌ **HIGH vulnerabilities detected**" >> $GITHUB_STEP_SUMMARY
+              echo "::warning::High Cargo vulnerabilities: $HIGH"
+            fi
+          else
+            echo "contract_critical=0" >> $GITHUB_OUTPUT
+            echo "contract_high=0" >> $GITHUB_OUTPUT
+            echo "contract_total=0" >> $GITHUB_OUTPUT
+          fi
+
       - name: 💬 Comment on PR with audit summary
         if: github.event_name == 'pull_request' && always()
         uses: actions/github-script@v7
@@ -103,7 +146,9 @@ jobs:
             const backendHigh = '${{ steps.backend-audit.outputs.backend_high }}' || '0';
             const frontendCritical = '${{ steps.frontend-audit.outputs.frontend_critical }}' || '0';
             const frontendHigh = '${{ steps.frontend-audit.outputs.frontend_high }}' || '0';
-            const comment = '## 🔐 Security Audit Summary\n\n**Backend:**\n- 🔴 Critical: ' + backendCritical + '\n- 🟠 High: ' + backendHigh + '\n\n**Frontend:**\n- 🔴 Critical: ' + frontendCritical + '\n- 🟠 High: ' + frontendHigh + '\n\nRun locally with: `./scripts/check-audits.sh`';
+            const contractCritical = '${{ steps.contract-audit.outputs.contract_critical }}' || '0';
+            const contractHigh = '${{ steps.contract-audit.outputs.contract_high }}' || '0';
+            const comment = '## 🔐 Security Audit Summary\n\n**Backend (npm):**\n- 🔴 Critical: ' + backendCritical + '\n- 🟠 High: ' + backendHigh + '\n\n**Frontend (npm):**\n- 🔴 Critical: ' + frontendCritical + '\n- 🟠 High: ' + frontendHigh + '\n\n**Contract (Cargo):**\n- 🔴 Critical: ' + contractCritical + '\n- 🟠 High: ' + contractHigh + '\n\nRun locally with: `./scripts/check-audits.sh`';
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,

diff --git a/.github/workflows/backend-ci.yml b/.github/workflows/backend-ci.yml
@@ -2,37 +2,126 @@ name: Backend CI
 
 on:
   pull_request:
+    paths:
+      - 'backend/**'
+      - '.github/workflows/backend-ci.yml'
   push:
-    branches:
-      - main
-      - master
+    branches: [main, master]
+    paths:
+      - 'backend/**'
+      - '.github/workflows/backend-ci.yml'
   workflow_dispatch:
 
 jobs:
-  backend:
-    name: backend
+  lint:
+    name: Backend – Lint
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-
+    timeout-minutes: 10
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20
           cache: npm
           cache-dependency-path: backend/package-lock.json
 
+      - name: Check package-lock is up to date
+        run: |
+          npm install --package-lock-only --ignore-scripts
+          git diff --exit-code package-lock.json || {
+            echo "::error::package-lock.json is out of sync with package.json. Run 'npm install' locally and commit the updated lockfile."
+            exit 1
+          }
+        working-directory: backend
+
       - name: Install dependencies
         run: npm ci
         working-directory: backend
 
-      - name: Build
-        run: npm run build
+  test:
+    name: Backend – Test (Node.js ${{ matrix.node }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        node: ['20', '22']
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: myfans_ci
+          POSTGRES_PASSWORD: myfans_ci
+          POSTGRES_DB: myfans_test
+        ports:
+          - 5432:5432
+        options: >
+          --health-cmd pg_isready
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
+    env:
+      DB_HOST: localhost
+      DB_PORT: 5432
+      DB_USER: myfans_ci
+      DB_PASSWORD: myfans_ci
+      DB_NAME: myfans_test
+      JWT_SECRET: ci-test-secret-not-for-production
+      WEBHOOK_SECRET: ci-webhook-secret-not-for-production
+      NODE_ENV: test
+      STELLAR_NETWORK: testnet
+      SOROBAN_RPC_URL: https://soroban-testnet.stellar.org
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: ${{ matrix.node }}
+          cache: npm
+          cache-dependency-path: backend/package-lock.json
+      - run: npm ci
+        working-directory: backend
+      - run: npm test
+        working-directory: backend
+
+  build:
+    name: Backend – Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: [lint, test]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: backend/package-lock.json
+      - run: npm ci
+        working-directory: backend
+      - run: npm run build
         working-directory: backend
 
-      - name: Test
-        run: npm test
+      - name: 🔐 Run npm audit
+        id: npm-audit
+        continue-on-error: true
+        run: |
+          AUDIT_JSON=$(npm audit --json 2>/dev/null || echo '{"metadata":{"vulnerabilities":{"critical":0,"high":0,"moderate":0}}}')
+          CRITICAL=$(echo "$AUDIT_JSON" | jq '.metadata.vulnerabilities.critical // 0')
+          HIGH=$(echo "$AUDIT_JSON" | jq '.metadata.vulnerabilities.high // 0')
+          MODERATE=$(echo "$AUDIT_JSON" | jq '.metadata.vulnerabilities.moderate // 0')
+
+          echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
+          echo "high=$HIGH" >> $GITHUB_OUTPUT
+          echo "moderate=$MODERATE" >> $GITHUB_OUTPUT
+
+          echo "### 📦 Backend npm Audit" >> $GITHUB_STEP_SUMMARY
+          echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Critical | $CRITICAL |" >> $GITHUB_STEP_SUMMARY
+          echo "| High | $HIGH |" >> $GITHUB_STEP_SUMMARY
+          echo "| Moderate | $MODERATE |" >> $GITHUB_STEP_SUMMARY
+
+          if (( CRITICAL > 0 || HIGH > 0 )); then
+            echo "::error::High/Critical vulnerabilities detected - review and fix before merging"
+            exit 1
+          fi
         working-directory: backend
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,3 +1,15 @@
+# Jobs run in parallel by default (no `needs:` between backend/frontend/contract).
+# Only db-backup-drill and wasm-size have explicit sequencing requirements.
+#
+# Parallelism layout:
+#   backend  ──────────────────────────────────────────────────────┐
+#   backend-migrations ──────────────────────────────────────────┐ │
+#   frontend ──────────────────────────────────────────────────┐ │ │
+#   contract ──────────────────────────────────────────────┐   │ │ │
+#                                                           │   │ │ │
+#   wasm-size (needs: contract) ──────────────────────────►│   │ │ │
+#   db-backup-drill (needs: backend-migrations) ──────────►│   │ │ │
+#   ci-gate (needs: all) ─────────────────────────────────►└───┘─┘─┘
 name: CI
 
 on:
@@ -57,6 +69,15 @@ jobs:
           cache: 'npm'
           cache-dependency-path: backend/package-lock.json
 
+      - name: Check package-lock is up to date
+        run: |
+          npm install --package-lock-only --ignore-scripts
+          git diff --exit-code package-lock.json || {
+            echo "::error::package-lock.json is out of sync with package.json. Run 'npm install' locally and commit the updated lockfile."
+            exit 1
+          }
+        working-directory: backend
+
       - name: Install dependencies
         run: npm ci
         working-directory: backend
@@ -152,6 +173,15 @@ jobs:
           cache: 'npm'
           cache-dependency-path: frontend/package-lock.json
 
+      - name: Check package-lock is up to date
+        run: |
+          npm install --package-lock-only --ignore-scripts
+          git diff --exit-code package-lock.json || {
+            echo "::error::package-lock.json is out of sync with package.json. Run 'npm install' locally and commit the updated lockfile."
+            exit 1
+          }
+        working-directory: frontend
+
       - name: Install dependencies
         run: npm ci
         working-directory: frontend
@@ -252,9 +282,12 @@ jobs:
             ${{ runner.os }}-contract-target-
 
       - name: Install toolchain
-        run: rustup component add rustfmt clippy
+        run: rustup component add rustfmt clippy llvm-tools-preview
         working-directory: contract
 
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@cargo-llvm-cov
+
       - name: Check formatting
         run: cargo fmt --check
         working-directory: contract
@@ -263,8 +296,23 @@ jobs:
         run: cargo clippy --all-targets --all-features
         working-directory: contract
 
-      - name: Run tests
-        run: cargo test --all-features
+      - name: Run tests with coverage
+        run: cargo llvm-cov --all-features --lcov --output-path lcov.info
+        working-directory: contract
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: contract-coverage-lcov
+          path: contract/lcov.info
+          retention-days: 30
+          if-no-files-found: error
+
+      - name: Write coverage summary
+        run: |
+          echo "## Contract Coverage" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          cargo llvm-cov report --summary-only 2>&1 | tail -5 >> $GITHUB_STEP_SUMMARY
         working-directory: contract
 
       - name: Build
@@ -358,3 +406,24 @@ jobs:
           done < <(find "$WASM_DIR" -maxdepth 1 -name '*.wasm' -print0 | sort -z)
           TOTAL_KIB=$(echo "scale=1; $TOTAL / 1024" | bc)
           echo "| **TOTAL** | **$TOTAL** | **$TOTAL_KIB** |" >> $GITHUB_STEP_SUMMARY
+
+  # Single required status check for branch protection.
+  # All parallel jobs must pass before a PR can merge.
+  ci-gate:
+    name: CI Gate
+    runs-on: ubuntu-latest
+    if: always()
+    needs:
+      - backend
+      - backend-migrations
+      - frontend
+      - contract
+      - wasm-size
+      - db-backup-drill
+    steps:
+      - name: Check all jobs passed
+        run: |
+          results='${{ toJSON(needs) }}'
+          echo "$results" | grep -q '"result": "failure"' && exit 1
+          echo "$results" | grep -q '"result": "cancelled"' && exit 1
+          echo "All parallel jobs passed."