fix(ci): unblock nightly deep assurance workflow

.github/CODEOWNERS

@@ -0,0 +1,8 @@
+* @TensorGymnastic
+
+/codewiki/src/enduser/ @TensorGymnastic
+/codewiki/cli/commands/enduser.py @TensorGymnastic
+/scripts/ @TensorGymnastic
+/examples/ @TensorGymnastic
+/pyproject.toml @TensorGymnastic
+/requirements.txt @TensorGymnastic

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"

.github/workflows/codeql.yml

@@ -0,0 +1,32 @@
+name: codeql
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "0 4 * * 1"
+
+jobs:
+  analyze:
+    name: codeql
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+    steps:
+      - uses: actions/checkout@v5
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/nightly-deep-assurance.yml

@@ -0,0 +1,73 @@
+name: nightly-deep-assurance
+
+on:
+  schedule:
+    - cron: "0 3 * * *"
+  workflow_dispatch:
+
+jobs:
+  mutation_testing:
+    name: mutation_testing
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev,quality]' 'mutmut<3'
+      - run: mkdir -p .tmp-mutmut
+      - run: TMPDIR=$PWD/.tmp-mutmut python -m mutmut run --paths-to-mutate codewiki/src/enduser
+
+  api_fuzz_and_contracts:
+    name: api_fuzz_and_contracts
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev]' schemathesis
+      - run: echo "No OpenAPI contract is currently published; add one to enable schemathesis targets."
+
+  parser_fuzzing:
+    name: parser_fuzzing
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+      - run: python -m pip install atheris pyyaml
+      - run: echo "Add dedicated parser fuzz targets under scripts/fuzz/ to activate atheris."
+
+  image_and_sbom_scan:
+    name: image_and_sbom_scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: aquasecurity/trivy-action@v0.30.0
+        with:
+          scan-type: fs
+          scan-ref: .
+      - uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          output-file: nightly-sbom.spdx.json
+      - uses: actions/upload-artifact@v4
+        with:
+          name: nightly-sbom
+          path: nightly-sbom.spdx.json
+
+  flaky_test_report:
+    name: flaky_test_report
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev]' pytest-repeat
+      - run: python -m pytest tests/test_enduser_review_e2e.py --count=5 -q

.github/workflows/pr-gates.yml

@@ -0,0 +1,209 @@
+name: pr-gates
+
+on:
+  pull_request:
+  merge_group:
+  push:
+    branches:
+      - main
+
+jobs:
+  detect_changes:
+    name: detect_changes
+    runs-on: ubuntu-latest
+    outputs:
+      python_files: ${{ steps.changed.outputs.python_all_changed_files }}
+      container_changed: ${{ steps.filter.outputs.container }}
+      iac_changed: ${{ steps.filter.outputs.iac }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - id: changed
+        uses: tj-actions/changed-files@v47
+        with:
+          files: |
+            **/*.py
+            pyproject.toml
+            requirements.txt
+            .pre-commit-config.yaml
+            Makefile
+      - id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            container:
+              - '**/Dockerfile'
+              - '**/*.Dockerfile'
+            iac:
+              - 'infra/**'
+              - 'terraform/**'
+              - 'k8s/**'
+              - 'helm/**'
+              - '**/*.tf'
+
+  lint_and_type:
+    name: lint_and_type
+    needs: detect_changes
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev,quality]'
+      - name: Ruff format check
+        if: ${{ needs.detect_changes.outputs.python_files != '' }}
+        run: python -m ruff format --check ${{ needs.detect_changes.outputs.python_files }}
+      - name: Ruff lint
+        if: ${{ needs.detect_changes.outputs.python_files != '' }}
+        run: python -m ruff check ${{ needs.detect_changes.outputs.python_files }}
+      - name: Mypy maintained surfaces
+        run: python scripts/run_mypy.py
+
+  unit_and_integration_tests:
+    name: unit_and_integration_tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev,quality]'
+      - run: python -m pytest -n auto --cov=codewiki --cov-report=xml --cov-report=term-missing
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage-xml
+          path: coverage.xml
+
+  coverage_gate:
+    name: coverage_gate
+    needs: unit_and_integration_tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev,quality]'
+      - run: python -m pytest --cov=codewiki --cov-report=xml --cov-report=term-missing
+      - name: Maintained-surface coverage threshold
+        run: >
+          python -m coverage report
+          --include='codewiki/src/enduser/*,codewiki/cli/commands/enduser.py,codewiki/run_web_app.py'
+          --fail-under=85
+      - name: Diff coverage threshold
+        run: >
+          diff-cover coverage.xml
+          --compare-branch=origin/${{ github.base_ref || 'main' }}
+          --fail-under=90
+
+  security_sast:
+    name: security_sast
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[quality]' semgrep
+      - run: >
+          python -m bandit -c pyproject.toml
+          -r codewiki/src/enduser codewiki/cli/commands/enduser.py codewiki/run_web_app.py
+      - run: >
+          semgrep scan --config auto --error
+          --exclude-rule python.lang.compatibility.python37.python37-compatibility-importlib2
+          codewiki/src/enduser codewiki/cli/commands/enduser.py codewiki/run_web_app.py
+
+  supply_chain:
+    name: supply_chain
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[quality]'
+      - run: python scripts/check_dependency_manifests.py
+      - run: python -m pip_audit -r requirements.txt
+      - uses: google/osv-scanner-action/osv-scanner-action@v2.3.5
+        with:
+          scan-args: |-
+            --lockfile=requirements.txt
+
+  secrets:
+    name: secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2.3.9
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  container_and_iac:
+    name: container_and_iac
+    needs: detect_changes
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Skip message
+        if: ${{ needs.detect_changes.outputs.container_changed != 'true' && needs.detect_changes.outputs.iac_changed != 'true' }}
+        run: echo "No container or IaC changes detected."
+      - name: Hadolint
+        if: ${{ needs.detect_changes.outputs.container_changed == 'true' }}
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          recursive: true
+      - name: Checkov
+        if: ${{ needs.detect_changes.outputs.iac_changed == 'true' }}
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          quiet: true
+      - name: Trivy filesystem scan
+        if: ${{ needs.detect_changes.outputs.container_changed == 'true' || needs.detect_changes.outputs.iac_changed == 'true' }}
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+
+  build_and_package:
+    name: build_and_package
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev,quality]'
+      - run: python -m build
+      - run: python scripts/smoke_install.py
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/*
+
+  docs_and_contracts:
+    name: docs_and_contracts
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev]'
+      - run: python scripts/run_docs_contracts.py

.github/workflows/release-gates.yml

@@ -0,0 +1,52 @@
+name: release-gates
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  release_gates:
+    name: release_gates
+    runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - run: python -m pip install -e '.[dev,quality]'
+      - run: python -m build
+      - uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: spdx-json
+          output-file: release-sbom.spdx.json
+      - uses: aquasecurity/trivy-action@0.30.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: table
+          exit-code: "1"
+          severity: CRITICAL,HIGH
+      - uses: anchore/scan-action@v6
+        with:
+          path: .
+          fail-build: true
+          severity-cutoff: high
+      - uses: actions/upload-artifact@v4
+        with:
+          name: release-artifacts
+          path: |
+            dist/*
+            release-sbom.spdx.json
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            dist/*
+            release-sbom.spdx.json