devSoniia · devSoniia · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -15,3 +15,4 @@ Closes #
 - [ ] No new lint warnings
 - [ ] Docs updated if needed
 - [ ] PR targets `develop`
+- [ ] Supabase queries audited for SQL injection (no raw SQL, parameterized methods used)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -19,8 +19,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
-        with:
-          version: 10
       - uses: actions/setup-node@v4
         with:
           node-version: 22

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,8 +18,6 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
-        with:
-          version: 10
 
       - uses: actions/setup-node@v4
         with:
@@ -71,8 +69,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
-        with:
-          version: 10
       - uses: actions/setup-node@v4
         with:
           node-version: 22
@@ -114,7 +110,7 @@ jobs:
       - name: Install Rust toolchain (pinned via rust-toolchain.toml)
         uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: "1.85.0"
+          toolchain: "1.88.0"
           targets: wasm32-unknown-unknown
           components: rustfmt, clippy
 
@@ -134,6 +130,23 @@ jobs:
         run: cargo test --all
         working-directory: apps/contracts
 
+  proptest:
+    name: Property-based tests (proptest)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Rust toolchain (pinned via rust-toolchain.toml)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: "1.88.0"
+          targets: wasm32-unknown-unknown
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: apps/contracts/proptest
+      - name: Run proptest suite
+        run: cargo test
+        working-directory: apps/contracts/proptest
+
   fuzz:
     name: Fuzz (time-limited, corpus only)
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -34,6 +34,7 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
+          # security-and-quality includes checks for SQL injection (CWE-089)
           queries: security-and-quality
 
       # Rust requires an explicit build so CodeQL can trace it

diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -13,8 +13,6 @@ jobs:
       - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
-        with:
-          version: 10
 
       - uses: actions/setup-node@v4
         with:

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -17,8 +17,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
-        with:
-          version: 10
       - uses: actions/setup-node@v4
         with:
           node-version: 22

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,8 +20,6 @@ jobs:
           persist-credentials: false
 
       - uses: pnpm/action-setup@v4
-        with:
-          version: 10
 
       - uses: actions/setup-node@v4
         with:

diff --git a/.github/workflows/supabase.yml b/.github/workflows/supabase.yml
@@ -24,9 +24,22 @@ jobs:
       - name: Start Supabase local stack
         run: supabase start
 
-      - name: Reset DB (applies all migrations + seed)
+      - name: Apply all migrations (forward)
         run: supabase db reset
 
+      - name: Verify rollback scripts exist for every migration
+        run: |
+          missing=0
+          for f in supabase/migrations/*.sql; do
+            base=$(basename "$f" .sql)
+            down="supabase/migrations/rollbacks/${base}.down.sql"
+            if [ ! -f "$down" ]; then
+              echo "Missing rollback: $down"
+              missing=1
+            fi
+          done
+          exit $missing
+
       - name: Stop Supabase local stack
         if: always()
         run: supabase stop
diff --git a/.github/workflows/zap-scan.yml b/.github/workflows/zap-scan.yml
@@ -0,0 +1,32 @@
+name: OWASP ZAP Integration Scan
+
+on:
+  schedule:
+    - cron: '0 0 * * 0' # Weekly on Sunday at midnight
+  workflow_dispatch:
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the web application
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: ZAP Baseline Scan
+        uses: zaproxy/action-baseline@v0.12.0
+        with:
+          target: 'https://staging.solarproof.example.com' # Replace with actual staging URL
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
+          issue_title: 'ZAP Scan Report: High/Critical Findings'
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fail_action: false
+
+      - name: Archive ZAP Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-scan-report
+          path: |
+            report_md.md
+            report_html.html
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
@@ -0,0 +1,5 @@
+# OWASP ZAP Baseline Scan Rules
+# Format: <rule_id>\t<WARN|IGNORE|INFO|FAIL>
+# Document false positives below:
+# Example: Ignore Content Security Policy (CSP) Header Not Set because we handle it at the Edge level
+# 10038	IGNORE