Merge v0.2.9-2

.dockerignore

@@ -25,4 +25,8 @@ teammapper-frontend/node_modules
 teammapper-frontend/npm-debug.log
 teammapper-frontend/README.md
 README.md
-teammapper-backend/benchmark
+teammapper-backend/benchmark
+node_modules
+openspec
+docs
+coverage

.env.default

@@ -41,7 +41,6 @@ POSTGRES_STATEMENT_TIMEOUT=100000
 
 DELETE_AFTER_DAYS=30
 
-YJS_ENABLED=true
 AI_ENABLED=false
 
 DEV_BUILD_CONTEXT=

.github/actions/setup-pnpm/action.yml

@@ -0,0 +1,24 @@
+name: Setup pnpm + Node
+description: Activate Node + pnpm via corepack, restore the pnpm store cache, and run a frozen-lockfile install.
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      with:
+        node-version: '24'
+
+    - shell: bash
+      run: |
+        corepack enable
+        corepack prepare pnpm@10.33.4 --activate
+
+    - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+      with:
+        path: ~/.local/share/pnpm/store
+        key: pnpm-store-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+        restore-keys: |
+          pnpm-store-${{ runner.os }}-
+
+    - shell: bash
+      run: pnpm install --frozen-lockfile

.github/dependabot.yml

@@ -1,27 +1,68 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+# Dependabot config — see docs/pnpm-security.md for the full policy.
+# Reference: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
 
 version: 2
 updates:
-  - package-ecosystem: "npm" # See documentation for possible values
+  - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Europe/Berlin"
     open-pull-requests-limit: 15
+    labels:
+      - "dependencies"
+      - "npm"
+    commit-message:
+      prefix: "chore(deps)"
+      prefix-development: "chore(deps-dev)"
+      include: "scope"
+    # 7-day cooldown mirrors pnpm-workspace.yaml minimumReleaseAge: 10080.
+    # Security updates ignore cooldown (Dependabot rule).
+    cooldown:
+      default-days: 7
     groups:
       production-dependencies:
         dependency-type: "production"
         update-types: ["minor", "patch"]
       development-dependencies:
         dependency-type: "development"
         update-types: ["minor", "patch"]
-  - package-ecosystem: "docker" # See documentation for possible values
-    directory: "/" # Location of package manifests
+
+  - package-ecosystem: "docker"
+    directory: "/"
     schedule:
       interval: "weekly"
-  - package-ecosystem: "github-actions" # See documentation for possible values
-    directory: "/" # Location of package manifests
+      day: "monday"
+      time: "08:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(docker)"
+      include: "scope"
+    cooldown:
+      default-days: 7
+    # Node base image is bumped manually on the Node LTS cycle.
+    ignore:
+      - dependency-name: "node"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(actions)"
+      include: "scope"
+    cooldown:
+      default-days: 7

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: Docker Image CI
+name: CI
 
 on:
   push:
@@ -14,37 +14,18 @@ permissions:
 jobs:
     teammapper-backend-build:
         runs-on: ubuntu-latest
-        permissions:
-          contents: read
-          packages: read
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
-
             - name: Set up Docker Buildx
               uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
-            - name: Login to GitHub Container Registry
-              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
-              with:
-                  registry: ghcr.io
-                  username: ${{ github.repository_owner }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
-
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
-
-            - name: Build and export to Docker
+            - name: Build Docker image (smoke test)
               uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
               with:
                   context: .
+                  target: production
                   tags: |
                       ghcr.io/kitsteam/teammapper:latest
 
@@ -53,47 +34,23 @@ jobs:
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
-
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
-
-            - run: pnpm install --frozen-lockfile
+            - uses: ./.github/actions/setup-pnpm
             - run: pnpm --filter teammapper-backend run lint
 
     teammapper-frontend-lint:
         runs-on: ubuntu-latest
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
-
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
-
-            - run: pnpm install --frozen-lockfile
+            - uses: ./.github/actions/setup-pnpm
             - run: pnpm --filter teammapper-frontend run lint
 
     teammapper-frontend-tsc:
         runs-on: ubuntu-latest
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
-
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
-
-            - run: pnpm install --frozen-lockfile
+            - uses: ./.github/actions/setup-pnpm
             - run: pnpm --filter @teammapper/mermaid-mindmap-parser run build
             - run: pnpm --filter teammapper-frontend run tsc
 
@@ -102,44 +59,26 @@ jobs:
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
-
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
-
-            - run: pnpm install --frozen-lockfile
+            - uses: ./.github/actions/setup-pnpm
             - run: pnpm --filter teammapper-backend run tsc
 
     teammapper-backend-test-e2e:
         runs-on: ubuntu-latest
 
         services:
             postgres:
-                image: postgres:10.8
+                image: postgres:15-alpine
                 env:
                     POSTGRES_USER: teammapper-user
                     POSTGRES_PASSWORD: teammapper-password
                     POSTGRES_DB: teammapper-backend-test
                 ports:
-                    # Will assign a random free host port
                     - 5432/tcp
-                # Needed because the postgres container does not provide a healthcheck
                 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
-
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
-
-            - run: pnpm install --frozen-lockfile
+            - uses: ./.github/actions/setup-pnpm
             - run: pnpm --filter teammapper-backend run test
               env:
                   POSTGRES_DATABASE: "teammapper-backend-test"
@@ -158,15 +97,31 @@ jobs:
 
     teammapper-frontend-test:
         runs-on: ubuntu-latest
+
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-              with:
-                node-version: '25'
+            - uses: ./.github/actions/setup-pnpm
+            - run: pnpm --filter @teammapper/mermaid-mindmap-parser run build
+            - run: pnpm --filter teammapper-frontend run test
+
+    teammapper-audit:
+        runs-on: ubuntu-latest
 
-            - run: corepack enable
-            - run: corepack prepare pnpm@9 --activate
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+            - uses: ./.github/actions/setup-pnpm
+            - name: pnpm audit (fail on high/critical production deps)
+              run: pnpm audit --audit-level=high --prod
 
-            - run: pnpm install --frozen-lockfile
-            - run: pnpm --filter @teammapper/mermaid-mindmap-parser run build
-            - run: pnpm --filter teammapper-frontend run test
+    dependency-review:
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+            - name: Dependency Review (PR diff vs base)
+              uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
+              with:
+                  fail-on-severity: high
+                  allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense, BlueOak-1.0.0, Zlib, CC-BY-4.0

.github/workflows/playwright.yml

@@ -1,8 +1,9 @@
 name: Playwright Tests
 permissions:
   contents: read
-  actions: write
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
 jobs:
@@ -11,7 +12,7 @@ jobs:
       DB_PASSWORD: ${{ secrets.CI_POSTGRES_PASSWORD != '' && secrets.CI_POSTGRES_PASSWORD || format('fallback_ci_password_{0}', github.run_number) }}
     services:
       postgres:
-        image: postgres
+        image: postgres:15-alpine
         env:
           POSTGRES_USER: postgres
           POSTGRES_PASSWORD: ${{ env.DB_PASSWORD }}
@@ -21,19 +22,13 @@ jobs:
           --health-interval 10s
           --health-timeout 5s
           --health-retries 5
-        ports: 
+        ports:
           - 5432:5432
-    timeout-minutes: 60
+    timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-      with:
-        node-version: '25'
-    - run: corepack enable
-    - run: corepack prepare pnpm@9 --activate
-    - name: Install dependencies
-      run: pnpm install --frozen-lockfile
+    - uses: ./.github/actions/setup-pnpm
     - name: Build packages
       run: pnpm --filter @teammapper/mermaid-mindmap-parser run build
     - name: Cache Playwright browsers
@@ -65,4 +60,4 @@ jobs:
       with:
         name: playwright
         path: teammapper-frontend/playwright
-        retention-days: 7
+        retention-days: 7