Create Release 0.1.0-alpha1

.github/copilot-instructions.md

@@ -4,7 +4,7 @@
 
 - AugmentedQuill is a web-based GUI for AI-assisted prose writing, with a FastAPI backend and a React + TypeScript SPA frontend (Vite).
 - Backend lives in src/augmentedquill/, frontend in src/frontend/, tests in tests/.
-- Python 3.11+ required (CI uses 3.11; local validation on 3.12.3). Node.js 18+ required (CI uses 18).
+- Python 3.12+ required (CI uses 3.12). Node.js 24+ required (CI uses 24).
 - The backend serves the built frontend from static/dist; frontend build output must be present for production-like runs.
 
 ## High-level structure and key files
@@ -112,6 +112,13 @@ Top-level directories (one level down):
 - Prefer frontend changes inside features/<domain>/ and keep API calls in services/.
 - Trust these instructions and only search the repo if something is missing or contradicts these notes.
 
+## Test Data Safety (Mandatory)
+
+- Never read from or write to real user runtime files under `data/config/`, `data/projects/`, or `data/logs/` when running tests.
+- For all automated tests, force the app to use a temporary user data root by setting `AUGQ_USER_DATA_DIR` to a temp directory (for example under `/tmp`).
+- Tests and AI-generated test code must isolate runtime paths via environment variables before importing app modules so default config constants resolve into temp paths.
+- When tests need projects/registry overrides, use temp values for `AUGQ_PROJECTS_ROOT` and `AUGQ_PROJECTS_REGISTRY` inside that same temp root.
+
 ## Branching and Release Policy
 
 The repository uses the following branch layout by default:

.github/dependabot.yml

@@ -0,0 +1,40 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "UTC"
+    target-branch: "develop"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "python"
+
+  - package-ecosystem: "npm"
+    directory: "/src/frontend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:15"
+      timezone: "UTC"
+    target-branch: "develop"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "frontend"
+
+  - package-ecosystem: "npm"
+    directory: "/electron"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:30"
+      timezone: "UTC"
+    target-branch: "develop"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "electron"

.github/workflows/build-docker.yml

@@ -2,10 +2,11 @@ name: Build Docker Image
 
 on:
   release:
-    # Run this workflow only when a release is published
-    types: [published]
+    # Run this workflow when a release or pre-release is published
+    types: [published, released, prereleased]
 
 env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
@@ -18,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -34,7 +35,7 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

.github/workflows/code-quality.yml

@@ -10,15 +10,16 @@ jobs:
   backend-checks:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
-        python-version: '3.11'
+        python-version: '3.12'
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install -e .[dev]
+        pip install pip-audit
     - name: Run ruff
       run: ruff check .
     - name: Run black
@@ -29,20 +30,23 @@ jobs:
     - name: Run tests
       run: pytest
 
+    - name: Run pip-audit
+      run: pip-audit --ignore-vuln CVE-2026-4539
+
   frontend-checks:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
     - name: Set up Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '18'
+        node-version: '24'
         cache: 'npm'
         cache-dependency-path: src/frontend/package-lock.json
     - name: Install dependencies
       run: |
         cd src/frontend
-        npm install
+        npm ci
     - name: Run ESLint
       run: |
         cd src/frontend
@@ -59,3 +63,8 @@ jobs:
       run: |
         cd src/frontend
         npm run build
+
+    - name: Run npm audit
+      run: |
+        cd src/frontend
+        npm audit --audit-level=high

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,38 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    - cron: "0 4 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["python", "javascript-typescript"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3