jpdevhub · jpdevhub · May 26, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -0,0 +1,10 @@
+language: "en-US"
+reviews:
+  auto_review: true
+  # Instruct the AI to evaluate complexity and apply labels
+  system_prompt: >
+    You are an expert open-source maintainer. Analyze the code changes and the PR description. 
+    Based on the complexity, automatically apply ONE of the following labels to the PR:
+    - 'complexity: basic' (for small UI tweaks, typos, simple bug fixes)
+    - 'complexity: intermediate' (for standard feature additions, new endpoints)
+    - 'complexity: high' (for major architecture changes, ML pipeline updates, complex logic)
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -5,7 +5,14 @@ body:
   - type: markdown
     attributes:
       value: |
+        > ⚠️ **Is this a security vulnerability?**
+        > Do NOT use this form. Read [SECURITY.md](https://github.com/jpdevhub/FreshScanAi/blob/main/SECURITY.md) and report it privately via email instead.
+        > Public disclosure of a security issue before a fix is shipped puts every user at risk.
+
+        ---
+
         Before submitting, search open issues to avoid duplicates.
+        Vague reports without reproduction steps will be closed.
 
   - type: textarea
     id: description

diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,7 +1,16 @@
 name: Feature Request
 description: Suggest a new feature or enhancement
-labels: [feature]
+labels: [feature, needs-discussion]
 body:
+  - type: markdown
+    attributes:
+      value: |
+        > ⚠️ **Is this a security concern?** Use [SECURITY.md](https://github.com/jpdevhub/FreshScanAi/blob/main/SECURITY.md) instead.
+
+        **Read before opening:**
+        - Features require maintainer approval before implementation work begins.
+        - A PR opened for a feature without a linked, approved issue will be closed.
+        - Check the [Roadmap in DOCUMENTATION.md](https://github.com/jpdevhub/FreshScanAi/blob/main/DOCUMENTATION.md#14-future-roadmap) first — if your idea is already planned, comment on the existing tracking issue instead.
   - type: textarea
     id: problem
     attributes:

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,18 +1,15 @@
-## Summary
-<!-- What does this PR do? -->
+<!--
+  Please ensure you have read CONTRIBUTING.md before opening a PR.
+-->
 
-## Motivation
-<!-- Why is this change needed? Link the related issue. Closes #<issue> -->
+## Description
 
-## Implementation Notes
-<!-- How did you approach the problem? Any trade-offs or decisions worth noting? -->
-
-## Screenshots (if applicable)
-<!-- Before / after screenshots for UI changes -->
+<!-- Provide a clear description of what this PR does and why it is needed. Link to the relevant issue (e.g., Closes #123). If it includes UI changes, please include screenshots here. -->
 
 ## Checklist
-- [ ] `npm run lint` passes
-- [ ] Backend tests pass (`python -m pytest backend/`)
-- [ ] No `.env` files or credentials committed
-- [ ] Branch is up to date with `main`
-- [ ] PR description is complete
+
+- [ ] `npm run lint` passes with no errors
+- [ ] `npm run build` compiles without TypeScript errors
+- [ ] `python -m pytest` passes (including new tests I added)
+- [ ] No `.env` files, API keys, secrets, model weights, or `__pycache__` in this diff
+- [ ] Branch is rebased on `main`, not merged
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+version: 2
+updates:
+  # Maintain NPM dependencies (Frontend)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+
+  # Maintain Python dependencies (Backend)
+  - package-ecosystem: "pip"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+
+  # Maintain GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    labels:
+      - "dependencies"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -60,14 +60,10 @@ jobs:
           cache: pip
 
       - name: Install dependencies
-        run: |
-          pip install fastapi uvicorn supabase Pillow numpy \
-                      python-dotenv python-multipart httpx pytest
+        run: pip install -r requirements-ci.txt
 
       - name: Lint with Ruff
-        run: |
-          pip install ruff
-          ruff check . --config ruff.toml
+        run: ruff check . --config ruff.toml
 
       - name: Run tests
         run: python -m pytest tests/test_ci.py -v

diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
@@ -0,0 +1,31 @@
+name: Greetings
+
+on:
+  pull_request_target:
+    types: [opened]
+  issues:
+    types: [opened]
+
+jobs:
+  greeting:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/first-interaction@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-message: |
+            👋 Welcome to FreshScan AI! Thank you for opening an issue.
+
+            Our maintainers will review this shortly. In the meantime, please ensure your report includes all necessary context and reproduction steps (if it's a bug). If this is a security issue, please close this and follow the `SECURITY.md` protocol.
+          pr-message: |
+            🎉 Thank you for your Pull Request! We're thrilled to have your contribution to FreshScan AI.
+
+            Before we review, please make sure you have:
+            - Followed the `CONTRIBUTING.md` guidelines.
+            - Ensured all automated CI checks (linting, tests) are passing.
+            - Checked that your commit messages follow the Conventional Commits format.
+
+            A maintainer will review your code as soon as possible!
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -0,0 +1,24 @@
+name: Stale Issue/PR Management
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, otherwise this will be closed in 7 days.'
+          stale-pr-message: 'This PR is stale because it has been open 30 days with no activity. Remove the stale label or comment, otherwise this will be closed in 7 days.'
+          close-issue-message: 'This issue was closed because it has been stalled for 7 days with no activity.'
+          close-pr-message: 'This PR was closed because it has been stalled for 7 days with no activity.'
+          days-before-stale: 30
+          days-before-close: 7
+          exempt-issue-labels: 'bug,help wanted,needs-discussion'
+          exempt-pr-labels: 'dependencies'
diff --git a/.gitignore b/.gitignore
@@ -39,6 +39,7 @@ __pycache__
 *.pyo
 *.pyd
 *.egg-info
+._*
 
 # Vite internals
 .vite
-Original file line number
+Diff line change
@@ Expand Up / @@ -39,6 +39,7 @@ __pycache__ @@
     *.pyo
     *.pyd
     *.egg-info
+    ._*
     # Vite internals
     .vite
@@ Expand Down @@