feat: hourly CVE alerting with notification bell and API

Implements the full CVE alerting pipeline: CVE Monitor (scheduler.rs): - Replaces stub monitor_cves with actual OSV.dev scanning of all SBOM entries - Runs hourly by default (CVE_MONITOR_SCHEDULE, was daily) - Creates CveNotification for each new CVE (deduped by cve_id+repo+package) - Updates SBOM entries with discovered vulnerabilities - Upserts CveAlert records Notification Model (compliance-core/models/notification.rs): - CveNotification with status lifecycle: new → read → dismissed - NotificationSeverity (Low/Medium/High/Critical) from CVSS scores - parse_severity helper for OSV/NVD severity mapping API Endpoints (5 new routes): - GET /api/v1/notifications — List with status/severity/repo filters - GET /api/v1/notifications/count — Unread count (for badge) - PATCH /api/v1/notifications/:id/read — Mark as read - PATCH /api/v1/notifications/:id/dismiss — Dismiss - POST /api/v1/notifications/read-all — Bulk mark read Dashboard Notification Bell: - Floating bell icon (top-right) with unread count badge - Dropdown panel showing CVE details: severity, CVSS, package, repo, summary - Dismiss individual notifications - Auto-marks as read when panel opens - Polls count every 30 seconds Also: - Fix Dockerfile.dashboard: revert to dioxus-cli 0.7.3 --locked - Add cve_notifications collection with unique + status indexes - MongoDB indexes for efficient notification queries Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 12:32:58 +02:00
28 changed files with 161 additions and 749 deletions
@@ -1,10 +0,0 @@
 [advisories]
 ignore = [
    # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
    # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
    # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
    # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
    # not a realistic attack surface here. Revisit when mongodb bumps hickory.
    "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
    "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
 ]
@@ -145,20 +145,13 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.agent == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_AGENT }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-agent
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.agent -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy agent"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-dashboard:
    name: Deploy Dashboard
@@ -166,20 +159,13 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.dashboard == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DASHBOARD }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-dashboard
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.dashboard -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy dashboard"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-docs:
    name: Deploy Docs
@@ -187,20 +173,13 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.docs == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DOCS }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-docs
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.docs -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy docs"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-mcp:
    name: Deploy MCP
@@ -208,17 +187,10 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.mcp == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_MCP }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-mcp
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.mcp -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy mcp"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
@@ -3524,9 +3524,9 @@ checksum = "224484c5d09285a7b8cb0a0c117e847ebd14cb6e4470ecf68cdb89c503b0edb9"
 [[package]]
 name = "mongodb"
-version = "3.6.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ef2c933617431ad0246fb5b43c425ebdae18c7f7259c87de0726d93b0e7e91b"
+checksum = "803dd859e8afa084c255a8effd8000ff86f7c8076a50cd6d8c99e8f3496f75c2"
 dependencies = [
 "base64",
 "bitflags",
@@ -3570,9 +3570,9 @@ dependencies = [
 [[package]]
 name = "mongodb-internal-macros"
-version = "3.6.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5758dc828eb2d02ec30563cba365609d56ddd833190b192beaee2b475a7bb3"
+checksum = "a973ef3dd3dbc6f6e65bbdecfd9ec5e781b9e7493b0f369a7c62e35d8e5ae2c8"
 dependencies = [
 "macro_magic",
 "proc-macro2",
@@ -4699,9 +4699,9 @@ dependencies = [
 [[package]]
 name = "rustls-webpki"
-version = "0.103.13"
+version = "0.103.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
 "ring",
 "rustls-pki-types",
@@ -33,15 +33,9 @@ RUN pip3 install --break-system-packages ruff
 COPY --from=builder /app/target/release/compliance-agent /usr/local/bin/compliance-agent
 # Copy documentation for the help chat assistant
 COPY --from=builder /app/README.md /app/README.md
 COPY --from=builder /app/docs /app/docs
 ENV HELP_DOCS_PATH=/app
 # Ensure SSH key directory exists
 RUN mkdir -p /data/compliance-scanner/ssh
 EXPOSE 3001 3002
 ENTRYPOINT ["compliance-agent"]
@@ -20,4 +20,3 @@ ENV IP=0.0.0.0
 EXPOSE 8080
 ENTRYPOINT ["./compliance-dashboard"]
@@ -12,4 +12,3 @@ RUN rm /etc/nginx/conf.d/default.conf
 COPY docs/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/.vitepress/dist /usr/share/nginx/html
 EXPOSE 80
@@ -14,4 +14,3 @@ EXPOSE 8090
 ENV MCP_PORT=8090
 ENTRYPOINT ["compliance-mcp"]
@@ -25,7 +25,7 @@ uuid = { workspace = true }
 secrecy = { workspace = true }
 regex = { workspace = true }
 axum = "0.8"
-tower-http = { version = "0.6", features = ["cors", "trace", "set-header"] }
+tower-http = { version = "0.6", features = ["cors", "trace"] }
 git2 = "0.20"
 octocrab = "0.44"
 tokio-cron-scheduler = "0.13"
@@ -35,16 +35,11 @@ impl ComplianceAgent {
            config.litellm_model.clone(),
            config.litellm_embed_model.clone(),
        ));
        let http = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(30))
            .connect_timeout(std::time::Duration::from_secs(10))
            .build()
            .unwrap_or_default();
        Self {
            config,
            db,
            llm,
-            http,
+            http: reqwest::Client::new(),
            session_streams: Arc::new(DashMap::new()),
            session_pause: Arc::new(DashMap::new()),
            session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
@@ -104,58 +104,28 @@ fn load_docs(root: &Path) -> String {
 /// Returns a reference to the cached doc context string, initialised on
 /// first call via `OnceLock`.
 ///
 /// Discovery order:
 /// 1. `HELP_DOCS_PATH` env var (explicit override)
 /// 2. Walk up from the binary location
 /// 3. Current working directory
 /// 4. Common Docker paths (/app, /opt/compliance-scanner)
 fn doc_context() -> &'static str {
    DOC_CONTEXT.get_or_init(|| {
        // 1. Explicit env var
        if let Ok(path) = std::env::var("HELP_DOCS_PATH") {
            let p = PathBuf::from(&path);
            if p.join("README.md").is_file() || p.join("docs").is_dir() {
                tracing::info!("help_chat: loading docs from HELP_DOCS_PATH={path}");
                return load_docs(&p);
            }
            tracing::warn!("help_chat: HELP_DOCS_PATH={path} has no README.md or docs/");
        }
        // 2. Walk up from binary location
        let start = std::env::current_exe()
            .ok()
            .and_then(|p| p.parent().map(Path::to_path_buf))
            .unwrap_or_else(|| PathBuf::from("."));
-        if let Some(root) = find_project_root(&start) {
+        match find_project_root(&start) {
-            return load_docs(&root);
+            Some(root) => load_docs(&root),
-        }
+            None => {
-
+                // Fallback: try current working directory
-        // 3. Current working directory
+                let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
        if let Ok(cwd) = std::env::current_dir() {
            if let Some(root) = find_project_root(&cwd) {
                return load_docs(&root);
            }
                if cwd.join("README.md").is_file() {
                    return load_docs(&cwd);
                }
        }
        // 4. Common Docker/deployment paths
        for candidate in ["/app", "/opt/compliance-scanner", "/srv/compliance-scanner"] {
            let p = PathBuf::from(candidate);
            if p.join("README.md").is_file() || p.join("docs").is_dir() {
                tracing::info!("help_chat: found docs at {candidate}");
                return load_docs(&p);
            }
        }
                tracing::error!(
-            "help_chat: could not locate project root; doc context will be empty. \
+                    "help_chat: could not locate project root from {}; doc context will be empty",
-             Set HELP_DOCS_PATH to the directory containing README.md and docs/"
+                    start.display()
                );
                String::new()
            }
        }
    })
 }
@@ -1,10 +1,8 @@
 use std::sync::Arc;
 use axum::http::HeaderValue;
 use axum::{middleware, Extension};
 use tokio::sync::RwLock;
 use tower_http::cors::CorsLayer;
 use tower_http::set_header::SetResponseHeaderLayer;
 use tower_http::trace::TraceLayer;
 use crate::agent::ComplianceAgent;
@@ -16,24 +14,7 @@ pub async fn start_api_server(agent: ComplianceAgent, port: u16) -> Result<(), A
    let mut app = routes::build_router()
        .layer(Extension(Arc::new(agent.clone())))
        .layer(CorsLayer::permissive())
-        .layer(TraceLayer::new_for_http())
+        .layer(TraceLayer::new_for_http());
        // Security headers (defense-in-depth, primary enforcement via Traefik)
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::STRICT_TRANSPORT_SECURITY,
            HeaderValue::from_static("max-age=31536000; includeSubDomains"),
        ))
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::X_FRAME_OPTIONS,
            HeaderValue::from_static("DENY"),
        ))
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::X_CONTENT_TYPE_OPTIONS,
            HeaderValue::from_static("nosniff"),
        ))
        .layer(SetResponseHeaderLayer::overriding(
            axum::http::header::REFERRER_POLICY,
            HeaderValue::from_static("strict-origin-when-cross-origin"),
        ));
    if let (Some(kc_url), Some(kc_realm)) =
        (&agent.config.keycloak_url, &agent.config.keycloak_realm)
@@ -19,17 +19,12 @@ impl LlmClient {
        model: String,
        embed_model: String,
    ) -> Self {
        let http = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(300))
            .connect_timeout(std::time::Duration::from_secs(10))
            .build()
            .unwrap_or_default();
        Self {
            base_url,
            api_key,
            model,
            embed_model,
-            http,
+            http: reqwest::Client::new(),
        }
    }
@@ -4,7 +4,7 @@ use compliance_agent::{agent, api, config, database, scheduler, ssh, webhooks};
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    match dotenvy::dotenv() {
        Ok(path) => eprintln!("[dotenv] Loaded from: {}", path.display()),
-        Err(_) => eprintln!("[dotenv] No .env file found, using environment variables"),
+        Err(e) => eprintln!("[dotenv] FAILED: {e}"),
    }
    let _telemetry_guard = compliance_core::telemetry::init_telemetry("compliance-agent");
@@ -19,9 +19,7 @@ impl Scanner for GitleaksScanner {
    #[tracing::instrument(skip_all)]
    async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::time::timeout(
+        let output = tokio::process::Command::new("gitleaks")
            std::time::Duration::from_secs(300),
            tokio::process::Command::new("gitleaks")
            .args([
                "detect",
                "--source",
@@ -35,13 +33,8 @@ impl Scanner for GitleaksScanner {
                "0",
            ])
            .current_dir(repo_path)
-                .output(),
+            .output()
        )
            .await
        .map_err(|_| CoreError::Scanner {
            scanner: "gitleaks".to_string(),
            source: "timed out after 5 minutes".into(),
        })?
            .map_err(|e| CoreError::Scanner {
                scanner: "gitleaks".to_string(),
                source: Box::new(e),
@@ -174,26 +174,19 @@ impl PipelineOrchestrator {
                k.expose_secret().to_string()
            }),
        );
-        let cve_alerts = match tokio::time::timeout(
+        let cve_alerts = match async {
            std::time::Duration::from_secs(600),
            async {
            cve_scanner
                .scan_dependencies(&repo_id, &mut sbom_entries)
                .await
        }
-            .instrument(tracing::info_span!("stage_cve_scanning")),
+        .instrument(tracing::info_span!("stage_cve_scanning"))
        )
        .await
        {
-            Ok(Ok(alerts)) => alerts,
+            Ok(alerts) => alerts,
-            Ok(Err(e)) => {
+            Err(e) => {
                tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
                Vec::new()
            }
            Err(_) => {
                tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
                Vec::new()
            }
        };
        // Stage 4: Pattern Scanning (GDPR + OAuth)
@@ -322,15 +315,8 @@ impl PipelineOrchestrator {
                .await?;
        }
-        // Persist CVE alerts and create notifications
+        // Persist CVE alerts (upsert by cve_id + repo_id)
        {
            use compliance_core::models::notification::{parse_severity, CveNotification};
            let repo_name = repo.name.clone();
            let mut new_notif_count = 0u32;
        for alert in &cve_alerts {
                // Upsert the alert
            let filter = doc! {
                "cve_id": &alert.cve_id,
                "repo_id": &alert.repo_id,
@@ -343,46 +329,6 @@ impl PipelineOrchestrator {
                .update_one(filter, update)
                .upsert(true)
                .await?;
                // Create notification (dedup by cve_id + repo + package + version)
                let notif_filter = doc! {
                    "cve_id": &alert.cve_id,
                    "repo_id": &alert.repo_id,
                    "package_name": &alert.affected_package,
                    "package_version": &alert.affected_version,
                };
                let severity = parse_severity(alert.severity.as_deref(), alert.cvss_score);
                let mut notification = CveNotification::new(
                    alert.cve_id.clone(),
                    repo_id.clone(),
                    repo_name.clone(),
                    alert.affected_package.clone(),
                    alert.affected_version.clone(),
                    severity,
                );
                notification.cvss_score = alert.cvss_score;
                notification.summary = alert.summary.clone();
                notification.url = Some(format!("https://osv.dev/vulnerability/{}", alert.cve_id));
                let notif_update = doc! {
                    "$setOnInsert": mongodb::bson::to_bson(&notification).unwrap_or_default()
                };
                if let Ok(result) = self
                    .db
                    .cve_notifications()
                    .update_one(notif_filter, notif_update)
                    .upsert(true)
                    .await
                {
                    if result.upserted_id.is_some() {
                        new_notif_count += 1;
                    }
                }
            }
            if new_notif_count > 0 {
                tracing::info!("[{repo_id}] Created {new_notif_count} CVE notification(s)");
            }
        }
        // Stage 6: Issue Creation
@@ -5,22 +5,16 @@ use compliance_core::CoreError;
 #[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
 pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
-    let output = tokio::time::timeout(
+    let output = tokio::process::Command::new("syft")
        std::time::Duration::from_secs(300),
        tokio::process::Command::new("syft")
        .arg(repo_path)
        .args(["-o", "cyclonedx-json"])
        // Enable remote license lookups for all ecosystems
        .env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
        .env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
        .env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
        .env("SYFT_JAVA_USE_NETWORK", "true")
-            .output(),
+        .output()
    )
        .await
    .map_err(|_| CoreError::Scanner {
        scanner: "syft".to_string(),
        source: "timed out after 5 minutes".into(),
    })?
        .map_err(|e| CoreError::Scanner {
            scanner: "syft".to_string(),
            source: Box::new(e),
@@ -19,26 +19,11 @@ impl Scanner for SemgrepScanner {
    #[tracing::instrument(skip_all)]
    async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::time::timeout(
+        let output = tokio::process::Command::new("semgrep")
-            std::time::Duration::from_secs(600),
+            .args(["--config=auto", "--json", "--quiet"])
            tokio::process::Command::new("semgrep")
                .args([
                    "--config=auto",
                    "--json",
                    "--quiet",
                    "--max-memory",
                    "500",
                    "--jobs",
                    "1",
                ])
            .arg(repo_path)
-                .output(),
+            .output()
        )
            .await
        .map_err(|_| CoreError::Scanner {
            scanner: "semgrep".to_string(),
            source: "timed out after 10 minutes".into(),
        })?
            .map_err(|e| CoreError::Scanner {
                scanner: "semgrep".to_string(),
                source: Box::new(e),
@@ -6,16 +6,11 @@ use compliance_core::models::embedding::{CodeEmbedding, EmbeddingBuildRun, Embed
 use compliance_core::models::graph::CodeNode;
 use compliance_graph::graph::chunking::extract_chunks;
 use compliance_graph::graph::embedding_store::EmbeddingStore;
 use futures_util::stream::{FuturesUnordered, StreamExt};
 use tracing::{error, info};
 use crate::error::AgentError;
 use crate::llm::LlmClient;
 const EMBED_BATCH_SIZE: usize = 20;
 const EMBED_CONCURRENCY: usize = 4;
 const EMBED_FLUSH_EVERY: usize = 200;
 /// RAG pipeline for building embeddings and performing retrieval
 pub struct RagPipeline {
    llm: Arc<LlmClient>,
@@ -82,33 +77,25 @@ impl RagPipeline {
            .await
            .map_err(|e| AgentError::Other(format!("Failed to delete old embeddings: {e}")))?;
-        // Step 3: Batch embed with bounded concurrency. Flush to Mongo and
+        // Step 3: Batch embed (small batches to stay within model limits)
-        // update progress periodically so the dashboard can show live status.
+        let batch_size = 20;
-        let mut pending = Vec::with_capacity(EMBED_FLUSH_EVERY);
+        let mut all_embeddings = Vec::new();
        let mut embedded_count = 0u32;
-        // Build the list of batch indices to process.
+        for batch_start in (0..chunks.len()).step_by(batch_size) {
-        let batches: Vec<(usize, usize)> = (0..chunks.len())
+            let batch_end = (batch_start + batch_size).min(chunks.len());
-            .step_by(EMBED_BATCH_SIZE)
+            let batch_chunks = &chunks[batch_start..batch_end];
-            .map(|start| (start, (start + EMBED_BATCH_SIZE).min(chunks.len())))
+
            // Prepare texts: context_header + content
            let texts: Vec<String> = batch_chunks
                .iter()
                .map(|c| format!("{}\n{}", c.context_header, c.content))
                .collect();
-        let mut batch_iter = batches.into_iter();
+            match self.llm.embed(texts).await {
-        let mut in_flight = FuturesUnordered::new();
+                Ok(vectors) => {
        // Prime up to EMBED_CONCURRENCY batches.
        for _ in 0..EMBED_CONCURRENCY {
            if let Some((start, end)) = batch_iter.next() {
                in_flight.push(self.embed_batch(&chunks[start..end], start, end));
            }
        }
        while let Some(result) = in_flight.next().await {
            match result {
                Ok((start, end, vectors)) => {
                    let batch_chunks = &chunks[start..end];
                    for (chunk, embedding) in batch_chunks.iter().zip(vectors) {
-                        pending.push(CodeEmbedding {
+                        all_embeddings.push(CodeEmbedding {
                            id: None,
                            repo_id: repo_id.to_string(),
                            graph_build_id: graph_build_id.to_string(),
@@ -126,45 +113,9 @@ impl RagPipeline {
                        });
                    }
                    embedded_count += batch_chunks.len() as u32;
                    // Flush pending embeddings to Mongo periodically and update progress.
                    if pending.len() >= EMBED_FLUSH_EVERY {
                        self.embedding_store
                            .store_embeddings(&pending)
                            .await
                            .map_err(|e| {
                                AgentError::Other(format!("Failed to store embeddings: {e}"))
                            })?;
                        pending.clear();
                    }
                    // Always update the progress counter on the build doc — even if
                    // we haven't flushed embeddings yet — so the UI shows movement.
                    if let Err(e) = self
                        .embedding_store
                        .update_build(
                            repo_id,
                            graph_build_id,
                            EmbeddingBuildStatus::Running,
                            embedded_count,
                            None,
                        )
                        .await
                    {
                        error!("[{repo_id}] Failed to update build progress: {e}");
                    }
                    // Queue the next batch to keep concurrency saturated.
                    if let Some((s, e)) = batch_iter.next() {
                        in_flight.push(self.embed_batch(&chunks[s..e], s, e));
                    }
                }
                Err(e) => {
                    error!("[{repo_id}] Embedding batch failed: {e}");
                    // Flush whatever we have so partial progress isn't lost.
                    if !pending.is_empty() {
                        let _ = self.embedding_store.store_embeddings(&pending).await;
                    }
                    build.status = EmbeddingBuildStatus::Failed;
                    build.error_message = Some(e.to_string());
                    build.completed_at = Some(Utc::now());
@@ -183,13 +134,11 @@ impl RagPipeline {
            }
        }
-        // Step 4: Flush any remaining embeddings
+        // Step 4: Store all embeddings
        if !pending.is_empty() {
        self.embedding_store
-                .store_embeddings(&pending)
+            .store_embeddings(&all_embeddings)
            .await
            .map_err(|e| AgentError::Other(format!("Failed to store embeddings: {e}")))?;
        }
        // Step 5: Update build status
        build.status = EmbeddingBuildStatus::Completed;
@@ -212,21 +161,4 @@ impl RagPipeline {
        );
        Ok(build)
    }
    /// Embed one batch of chunks. Returns the (start, end, vectors) tuple so
    /// out-of-order completion from `FuturesUnordered` can still be reconciled
    /// against the original chunk slice.
    async fn embed_batch(
        &self,
        batch_chunks: &[compliance_graph::graph::chunking::CodeChunk],
        start: usize,
        end: usize,
    ) -> Result<(usize, usize, Vec<Vec<f64>>), AgentError> {
        let texts: Vec<String> = batch_chunks
            .iter()
            .map(|c| format!("{}\n{}", c.context_header, c.content))
            .collect();
        let vectors = self.llm.embed(texts).await?;
        Ok((start, end, vectors))
    }
 }
@@ -51,7 +51,7 @@ thiserror = { workspace = true }
 # Web-only
 reqwest = { workspace = true, optional = true }
-web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Element", "Window", "Storage", "MediaQueryList"] }
+web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Window"] }
 js-sys = { version = "0.3", optional = true }
 wasm-bindgen = { version = "0.2", optional = true }
 gloo-timers = { version = "0.3", features = ["futures"], optional = true }
@@ -61,77 +61,6 @@
    --ease-spring: cubic-bezier(0.34, 1.56, 0.64, 1);
 }
 /* ── Light theme tokens ──
   Applied when the user has explicitly chosen light (`data-theme="light"`)
   OR when their OS prefers light AND they have made no explicit choice. */
 :root[data-theme="light"] {
    --bg-primary: #f5f7fb;
    --bg-secondary: #ffffff;
    --bg-card: rgba(255, 255, 255, 0.85);
    --bg-card-solid: #ffffff;
    --bg-card-hover: #f1f5fb;
    --bg-elevated: #f8fafc;
    --text-primary: #0c1426;
    --text-secondary: #475569;
    --text-tertiary: #8a9bb4;
    --accent: #0070d4;
    --accent-hover: #0080f0;
    --accent-muted: rgba(0, 112, 212, 0.10);
    --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
    --border: #e2e8f0;
    --border-bright: #cbd5e1;
    --border-accent: rgba(0, 112, 212, 0.30);
    --danger: #dc2626;
    --danger-bg: rgba(220, 38, 38, 0.08);
    --warning: #d97706;
    --warning-bg: rgba(217, 119, 6, 0.08);
    --success: #16a34a;
    --success-bg: rgba(22, 163, 74, 0.08);
    --info: #2563eb;
    --info-bg: rgba(37, 99, 235, 0.08);
    --orange: #ea580c;
    --orange-bg: rgba(234, 88, 12, 0.08);
 }
@media (prefers-color-scheme: light) {
    :root:not([data-theme="dark"]) {
        --bg-primary: #f5f7fb;
        --bg-secondary: #ffffff;
        --bg-card: rgba(255, 255, 255, 0.85);
        --bg-card-solid: #ffffff;
        --bg-card-hover: #f1f5fb;
        --bg-elevated: #f8fafc;
        --text-primary: #0c1426;
        --text-secondary: #475569;
        --text-tertiary: #8a9bb4;
        --accent: #0070d4;
        --accent-hover: #0080f0;
        --accent-muted: rgba(0, 112, 212, 0.10);
        --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
        --border: #e2e8f0;
        --border-bright: #cbd5e1;
        --border-accent: rgba(0, 112, 212, 0.30);
        --danger: #dc2626;
        --danger-bg: rgba(220, 38, 38, 0.08);
        --warning: #d97706;
        --warning-bg: rgba(217, 119, 6, 0.08);
        --success: #16a34a;
        --success-bg: rgba(22, 163, 74, 0.08);
        --info: #2563eb;
        --info-bg: rgba(37, 99, 235, 0.08);
        --orange: #ea580c;
        --orange-bg: rgba(234, 88, 12, 0.08);
    }
 }
 /* ── Reset & Base ── */
@@ -467,44 +396,6 @@ code {
    background: rgba(0, 200, 255, 0.06);
 }
 .theme-toggle {
    background: none;
    border: none;
    border-top: 1px solid var(--border);
    color: var(--text-secondary);
    padding: 11px 18px;
    cursor: pointer;
    display: flex;
    align-items: center;
    gap: 11px;
    font-family: var(--font-body);
    font-size: 13.5px;
    font-weight: 500;
    transition: color 0.2s, background 0.2s;
    width: 100%;
    text-align: left;
 }
 .theme-toggle:hover {
    color: var(--accent);
    background: var(--accent-muted);
 }
 .theme-toggle svg {
    flex-shrink: 0;
    opacity: 0.75;
    transition: opacity 0.2s;
 }
 .theme-toggle:hover svg {
    opacity: 1;
 }
 .sidebar.collapsed .theme-toggle {
    justify-content: center;
    padding: 11px 0;
 }
 .sidebar.collapsed .sidebar-header {
    padding: 22px 0;
    justify-content: center;
@@ -3986,45 +3877,3 @@ tbody tr:last-child td {
 .notification-item-pkg { font-size: 12px; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
 .notification-item-repo { font-size: 11px; color: var(--text-secondary); margin-bottom: 4px; }
 .notification-item-summary { font-size: 11px; color: var(--text-secondary); line-height: 1.4; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; overflow: hidden; }
 /* ═══════════════════════════════════════════════════════════════
   COPY BUTTON — Reusable clipboard copy component
   ═══════════════════════════════════════════════════════════════ */
 .copy-btn { background: none; border: 1px solid var(--border); border-radius: 6px; padding: 5px 7px; color: var(--text-secondary); cursor: pointer; display: inline-flex; align-items: center; transition: color 0.15s, border-color 0.15s, background 0.15s; flex-shrink: 0; }
 .copy-btn:hover { color: var(--accent); border-color: var(--accent); background: var(--accent-muted); }
 .copy-btn-sm { padding: 3px 5px; border-radius: 4px; }
 /* Copyable inline field pattern: value + copy button side by side */
 .copyable { display: flex; align-items: center; gap: 6px; }
 .copyable code, .copyable .mono { flex: 1; min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 .code-snippet-wrapper { position: relative; }
 .code-snippet-header { display: flex; align-items: center; justify-content: space-between; margin-bottom: 4px; gap: 8px; }
 /* ═══════════════════════════════════════════════════════════════
   LIGHT THEME — surface overrides for the few hardcoded dark
   colors that don't go through CSS custom properties.
   ═══════════════════════════════════════════════════════════════ */
 :root[data-theme="light"] .main-content {
    background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
 }
 :root[data-theme="light"] .code-block {
    background: #f8fafc;
    color: #0c1426;
 }
 :root[data-theme="light"] .graph-stab-overlay {
    background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
 }
@media (prefers-color-scheme: light) {
    :root:not([data-theme="dark"]) .main-content {
        background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
    }
    :root:not([data-theme="dark"]) .code-block {
        background: #f8fafc;
        color: #0c1426;
    }
    :root:not([data-theme="dark"]) .graph-stab-overlay {
        background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
    }
 }
@@ -32,7 +32,7 @@ pub fn AppShell() -> Element {
            // Not authenticated — redirect to Keycloak login
            rsx! {
                document::Script {
-                    "window.location.href = '/auth';"
+                    dangerous_inner_html: "window.location.href = '/auth';"
                }
            }
        }
@@ -1,7 +1,5 @@
 use dioxus::prelude::*;
 use crate::components::copy_button::CopyButton;
 #[component]
 pub fn CodeSnippet(
    code: String,
@@ -9,19 +7,16 @@ pub fn CodeSnippet(
    #[props(default)] line_number: u32,
 ) -> Element {
    rsx! {
-        div { class: "code-snippet-wrapper",
+        div {
            div { class: "code-snippet-header",
            if !file_path.is_empty() {
-                    span {
+                div {
-                        style: "font-size: 12px; color: var(--text-secondary); font-family: monospace;",
+                    style: "font-size: 12px; color: var(--text-secondary); margin-bottom: 4px; font-family: monospace;",
                    "{file_path}"
                    if line_number > 0 {
                        ":{line_number}"
                    }
                }
            }
                CopyButton { value: code.clone(), small: true }
            }
            pre { class: "code-block", "{code}" }
        }
    }
@@ -1,49 +0,0 @@
 use dioxus::prelude::*;
 use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;
 /// A small copy-to-clipboard button that shows a checkmark after copying.
 ///
 /// Usage: `CopyButton { value: "text to copy" }`
 #[component]
 pub fn CopyButton(value: String, #[props(default = false)] small: bool) -> Element {
    let mut copied = use_signal(|| false);
    let size = if small { 12 } else { 14 };
    let class = if small {
        "copy-btn copy-btn-sm"
    } else {
        "copy-btn"
    };
    rsx! {
        button {
            class: class,
            title: if copied() { "Copied!" } else { "Copy to clipboard" },
            onclick: move |_| {
                let val = value.clone();
                // Escape for JS single-quoted string
                let escaped = val
                    .replace('\\', "\\\\")
                    .replace('\'', "\\'")
                    .replace('\n', "\\n")
                    .replace('\r', "\\r");
                let js = format!("navigator.clipboard.writeText('{escaped}')");
                document::eval(&js);
                copied.set(true);
                spawn(async move {
                    #[cfg(feature = "web")]
                    gloo_timers::future::TimeoutFuture::new(2000).await;
                    #[cfg(not(feature = "web"))]
                    tokio::time::sleep(std::time::Duration::from_secs(2)).await;
                    copied.set(false);
                });
            },
            if copied() {
                Icon { icon: BsCheckLg, width: size, height: size }
            } else {
                Icon { icon: BsClipboard, width: size, height: size }
            }
        }
    }
 }
@@ -2,7 +2,6 @@ pub mod app_shell;
 pub mod attack_chain;
 pub mod code_inspector;
 pub mod code_snippet;
 pub mod copy_button;
 pub mod file_tree;
 pub mod help_chat;
 pub mod notification_bell;
@@ -12,5 +11,4 @@ pub mod pentest_wizard;
 pub mod severity_badge;
 pub mod sidebar;
 pub mod stat_card;
 pub mod theme_toggle;
 pub mod toast;
@@ -4,7 +4,6 @@ use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;
 use crate::app::Route;
 use crate::components::theme_toggle::ThemeToggle;
 struct NavItem {
    label: &'static str,
@@ -107,7 +106,6 @@ pub fn Sidebar() -> Element {
            }
            // Spacer pushes footer to the bottom
            div { class: "sidebar-spacer" }
            ThemeToggle { collapsed: collapsed() }
            button {
                class: "sidebar-toggle",
                onclick: move |_| collapsed.set(!collapsed()),
@@ -1,104 +0,0 @@
 use dioxus::prelude::*;
 use dioxus_free_icons::icons::bs_icons::{BsMoonStars, BsSun};
 use dioxus_free_icons::Icon;
 #[cfg(feature = "web")]
 const STORAGE_KEY: &str = "compliance-scanner.theme";
 /// Sidebar-footer theme toggle. Reads the initial state on mount from
 /// localStorage (explicit user choice) or `prefers-color-scheme` (OS default),
 /// then writes back to both the `<html data-theme="...">` attribute and
 /// localStorage on every click.
 #[component]
 pub fn ThemeToggle(collapsed: bool) -> Element {
    // `None` until the on-mount effect resolves the real value, so SSR doesn't
    // render the wrong icon for the user's actual theme.
    let mut is_dark = use_signal(|| None::<bool>);
    use_effect(move || {
        let (dark, from_storage) = initial_theme();
        is_dark.set(Some(dark));
        // If the user already made an explicit choice (in localStorage), assert it
        // on the DOM so an OS-vs-stored mismatch can't briefly show the wrong theme.
        if from_storage {
            apply_theme(dark);
        }
    });
    let label = if collapsed {
        ""
    } else if is_dark().unwrap_or(true) {
        "Light mode"
    } else {
        "Dark mode"
    };
    let title = if is_dark().unwrap_or(true) {
        "Switch to light mode"
    } else {
        "Switch to dark mode"
    };
    rsx! {
        button {
            class: "theme-toggle",
            r#type: "button",
            title: "{title}",
            "aria-label": "{title}",
            onclick: move |_| {
                let next_dark = !is_dark().unwrap_or(true);
                is_dark.set(Some(next_dark));
                apply_theme(next_dark);
            },
            if is_dark().unwrap_or(true) {
                Icon { icon: BsSun, width: 16, height: 16 }
            } else {
                Icon { icon: BsMoonStars, width: 16, height: 16 }
            }
            if !collapsed {
                span { class: "theme-toggle-label", "{label}" }
            }
        }
    }
 }
 /// Returns `(is_dark, from_storage)`. `from_storage` is true when an explicit
 /// user choice is in localStorage; false when we fell back to OS preference
 /// (or to the dark default).
 #[cfg(feature = "web")]
 fn initial_theme() -> (bool, bool) {
    if let Some(window) = web_sys::window() {
        if let Ok(Some(storage)) = window.local_storage() {
            if let Ok(Some(value)) = storage.get_item(STORAGE_KEY) {
                return (value == "dark", true);
            }
        }
        if let Ok(Some(mql)) = window.match_media("(prefers-color-scheme: dark)") {
            return (mql.matches(), false);
        }
    }
    (true, false)
 }
 #[cfg(not(feature = "web"))]
 fn initial_theme() -> (bool, bool) {
    (true, false)
 }
 #[cfg(feature = "web")]
 fn apply_theme(dark: bool) {
    let theme = if dark { "dark" } else { "light" };
    if let Some(window) = web_sys::window() {
        if let Some(document) = window.document() {
            if let Some(root) = document.document_element() {
                let _ = root.set_attribute("data-theme", theme);
            }
        }
        if let Ok(Some(storage)) = window.local_storage() {
            let _ = storage.set_item(STORAGE_KEY, theme);
        }
    }
 }
 #[cfg(not(feature = "web"))]
 fn apply_theme(_dark: bool) {}
@@ -259,10 +259,7 @@ pub fn McpServersPage() -> Element {
                                                div { class: "mcp-detail-row",
                                                    Icon { icon: BsGlobe, width: 13, height: 13 }
                                                    span { class: "mcp-detail-label", "Endpoint" }
                                                    div { class: "copyable",
                                                    code { class: "mcp-detail-value", "{server.endpoint_url}" }
                                                        crate::components::copy_button::CopyButton { value: server.endpoint_url.clone(), small: true }
                                                    }
                                                }
                                                div { class: "mcp-detail-row",
                                                    Icon { icon: BsHddNetwork, width: 13, height: 13 }
@@ -137,20 +137,13 @@ pub fn RepositoriesPage() -> Element {
                                "For SSH URLs: add this deploy key (read-only) to your repository"
                            }
                            div {
-                                class: "copyable",
+                                style: "margin-top: 4px; padding: 8px; background: var(--bg-secondary); border-radius: 4px; font-family: monospace; font-size: 11px; word-break: break-all; user-select: all;",
                                style: "margin-top: 4px; padding: 8px; background: var(--bg-secondary); border-radius: 4px;",
                                code {
                                    style: "font-size: 11px; word-break: break-all; user-select: all;",
                                if ssh_public_key().is_empty() {
                                    "Loading..."
                                } else {
                                    "{ssh_public_key}"
                                }
                            }
                                if !ssh_public_key().is_empty() {
                                    crate::components::copy_button::CopyButton { value: ssh_public_key(), small: true }
                                }
                            }
                        }
                        // HTTPS auth fields
@@ -397,38 +390,29 @@ pub fn RepositoriesPage() -> Element {
                        }
                        div { class: "form-group",
                            label { "Webhook URL" }
-                            {
+                            input {
                                r#type: "text",
                                readonly: true,
                                style: "font-family: monospace; font-size: 12px;",
                                value: {
                                    #[cfg(feature = "web")]
                                    let origin = web_sys::window()
                                        .and_then(|w: web_sys::Window| w.location().origin().ok())
                                        .unwrap_or_default();
                                    #[cfg(not(feature = "web"))]
                                    let origin = String::new();
-                                let webhook_url = format!("{origin}/webhook/{}/{eid}", edit_webhook_tracker());
+                                    format!("{origin}/webhook/{}/{eid}", edit_webhook_tracker())
-                                rsx! {
+                                },
                                    div { class: "copyable",
                                        input {
                                            r#type: "text",
                                            readonly: true,
                                            style: "font-family: monospace; font-size: 12px; flex: 1;",
                                            value: "{webhook_url}",
                                        }
                                        crate::components::copy_button::CopyButton { value: webhook_url.clone() }
                                    }
                                }
                            }
                        }
                        div { class: "form-group",
                            label { "Webhook Secret" }
                            div { class: "copyable",
                            input {
                                r#type: "text",
                                readonly: true,
-                                    style: "font-family: monospace; font-size: 12px; flex: 1;",
+                                style: "font-family: monospace; font-size: 12px;",
                                value: "{secret}",
                            }
                                crate::components::copy_button::CopyButton { value: secret.clone() }
                            }
                        }
                    }
                    div { class: "modal-actions",
`@@ -20,4 +20,3 @@ ENV IP=0.0.0.0`
	`EXPOSE 8080`	`EXPOSE 8080`

	`ENTRYPOINT ["./compliance-dashboard"]`	`ENTRYPOINT ["./compliance-dashboard"]`
`@@ -14,4 +14,3 @@ EXPOSE 8090`
	`ENV MCP_PORT=8090`	`ENV MCP_PORT=8090`

	`ENTRYPOINT ["compliance-mcp"]`	`ENTRYPOINT ["compliance-mcp"]`