diff --git a/.github/agents/README.md b/.github/agents/README.md index 617aab78f7e..7ba2fad9ce4 100644 --- a/.github/agents/README.md +++ b/.github/agents/README.md @@ -245,21 +245,33 @@ This workflow defines the complete development environment setup including: **Tools & Versions**: - Java 25 (Temurin distribution) - Maven 3.9.9 +- Ant (for application-specific build tasks) - PostgreSQL 16 with extensions (pg_stat_statements, pgaudit, pgcrypto) - Graphviz for documentation - Build tools (fakeroot, devscripts, debhelper) +**Build Systems**: +- **Maven**: Multi-module project build (parent-pom/pom.xml) + - `mvn clean install -Prelease-site,all-modules` + - `mvn clean test jacoco:report` + - `mvn dependency-check:check` +- **Ant**: Application-specific tasks (citizen-intelligence-agency/build.xml) + - `ant clean-install-notest` - Fast build without tests + - `ant unit-test` - Run unit tests + - `ant start` - Start the application + - `ant check-updates` - Check dependency updates + - `ant site-cia` - Generate documentation + **Database Configuration**: - SSL/TLS enabled with certificate-based encryption - Prepared transactions enabled (max: 100) - IPv6 loopback access configured - Required extensions loaded and verified -**Build & Test Steps**: -- Maven dependency caching -- Build command: `mvn clean install -Prelease-site,all-modules` -- Database schema loading and verification -- Application startup validation on port 28443 +**Application Startup**: +- Port: 28443 (HTTPS) +- MAVEN_OPTS for startup: `-Xmx8192m` with Java module exports +- Database schema loaded from service.data.impl/src/main/resources/full_schema.sql **Workflow Permissions** (Important for understanding access scope): ```yaml 
@@ -278,56 +290,52 @@ permissions: statuses: read ``` -### 3. MCP Configuration -**File**: [.github/copilot-mcp-config.json](../copilot-mcp-config.json) - -Model Context Protocol configuration providing: - -**Available MCP Servers**: -- `github`: Repository operations, issues, PRs, workflows (via `@modelcontextprotocol/server-github`) -- `filesystem`: Local file system access to `/home/runner/work/cia/cia` -- `postgres`: Database integration (when available) -- `git`: Git operations for version control - -**Project Metadata**: -- Technology stack details (Java 25, Spring, Vaadin, Hibernate, PostgreSQL) -- Architecture type: multi-module Maven -- Testing frameworks: JUnit 5, Mockito, Selenium -- Security tools: Spring Security, OWASP Dependency Check, CodeQL - -**Build Commands**: -- `clean`, `compile`, `test`, `install`, `package`, `site` -- `cleanInstall`: `mvn clean install` -- `skipTests`: `mvn clean install -DskipTests` -- `coverage`: `mvn clean test jacoco:report` -- `dependencyCheck`: `mvn dependency-check:check` - -**Coding Standards & Security Rules**: -- Java 21 language features (records, pattern matching, switch expressions, text blocks) -- Spring conventions (constructor injection, proper annotations, transaction management) -- JPA guidelines (proper entity design, fetch types, avoiding N+1) -- Security rules (never commit secrets, validate inputs, use parameterized queries, sanitize output) -- Testing requirements (unit tests for all new functionality, maintain coverage levels) - -**External API Integrations**: -- Swedish Parliament (Riksdagen) API -- Swedish Election Authority -- World Bank Open Data -- Swedish Financial Management Authority - ### Why These Files Matter Reading these files ensures agents: 1. ✅ Understand the actual development environment and available tools 2. ✅ Know which permissions are available for GitHub operations -3. ✅ Can reference correct build commands and testing procedures +3. 
✅ Can reference correct build commands (Maven and Ant) and testing procedures 4. ✅ Follow established coding standards and security practices 5. ✅ Understand the project architecture and technology stack 6. ✅ Are aware of database configuration and requirements -7. ✅ Can properly coordinate with MCP servers and external APIs +7. ✅ Align with 2026 ISMS v3.2 compliance requirements (ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1) **Each agent profile now includes a standardized section instructing them to read these files at the start of each task.** This ensures consistent awareness of project context across all specialized agents. +## 🔐 ISMS Compliance & Security (2026) + +All agents and development practices align with **[Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC)**: + +### Compliance Frameworks +- **ISO 27001:2022** - All Annex A controls implemented +- **NIST CSF 2.0** - Complete framework alignment +- **CIS Controls v8.1** - Critical security controls coverage +- **GDPR** - Swedish data protection compliance +- **NIS2 Directive** - EU cybersecurity requirements +- **EU Cyber Resilience Act** - Product security conformity + +### Key Security Practices +- ✅ **Secrets Management**: All credentials via environment variables or external config +- ✅ **Dependency Security**: OWASP Dependency Check before adding dependencies +- ✅ **Code Quality**: SonarCloud Quality Gate enforcement +- ✅ **Security Scanning**: CodeQL, ZAP, and dependency checks in CI/CD +- ✅ **Supply Chain Security**: OpenSSF Scorecard monitoring [![CIA](https://api.securityscorecards.dev/projects/github.com/Hack23/cia/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/cia) +- ✅ **Encryption**: TLS 1.3, AES-256, proper key management + +### Security Resources +- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC, 80% line coverage, 70% branch coverage +- [Information Security 
Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) - Overall security governance framework +- [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) - TLS 1.3, AES-256 encryption standards +- [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md) - Zero-trust identity and authorization +- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling requirements +- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR-compliant privacy framework +- [Incident Response Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Incident_Response_Plan.md) - Security event handling +- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance +- [Compliance Checklist](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Compliance_Checklist.md) - Multi-framework compliance tracking +- [Risk Register](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md) - Risk identification and treatment +- [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) - Systematic security testing + ## 📚 Using These Profiles ### 👨‍💻 For Developers diff --git a/.github/agents/business-development-specialist.md b/.github/agents/business-development-specialist.md index 29f1a2c1aa8..3298d9f9e4f 100644 --- a/.github/agents/business-development-specialist.md +++ b/.github/agents/business-development-specialist.md 
@@ -12,19 +12,21 @@ You are a Business Development Specialist for the Citizen Intelligence Agency pr 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand: - - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz) + - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz) - Database configuration (SSL, extensions, prepared transactions) - - Build commands and validation steps + - Build commands and validation steps (Maven and Ant build.xml targets) - Testing and deployment procedures - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.) -3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for: - - Available MCP servers (github, filesystem, postgres, git) - - Project context and architecture metadata - - Build commands and quality tools - - Coding standards and security rules - - External API integrations - -These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup. +3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml) + +**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance. 
+ +**Key ISMS Policies for Business Development**: +- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance +- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR compliance framework +- [ISMS Transparency Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/ISMS_Transparency_Plan.md) - Public disclosure strategy + +These files provide critical context about the development environment, available tools, project structure, and operational constraints. ## Core Expertise diff --git a/.github/agents/intelligence-operative.md b/.github/agents/intelligence-operative.md index b3391b0dff7..9402cfbc5d2 100644 --- a/.github/agents/intelligence-operative.md +++ b/.github/agents/intelligence-operative.md 
@@ -12,19 +12,21 @@ You are a Political Analyst, Intelligence Operative, and Psychological Operation 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand: - - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz) + - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz) - Database configuration (SSL, extensions, prepared transactions) - - Build commands and validation steps + - Build commands and validation steps (Maven and Ant build.xml targets) - Testing and deployment procedures - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.) -3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for: - - Available MCP servers (github, filesystem, postgres, git) - - Project context and architecture metadata - - Build commands and quality tools - - Coding standards and security rules - - External API integrations - -These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup. +3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml) + +**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance. 
+ +**Key ISMS Policies for Intelligence Analysis**: +- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling and sensitivity classification +- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR-compliant data protection +- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) - Overall security governance + +These files provide critical context about the development environment, available tools, project structure, and operational constraints. ## Core Expertise diff --git a/.github/agents/marketing-specialist.md b/.github/agents/marketing-specialist.md index 38164cdc660..caa34d5d0a3 100644 --- a/.github/agents/marketing-specialist.md +++ b/.github/agents/marketing-specialist.md 
@@ -12,19 +12,21 @@ You are a Marketing Specialist for the Citizen Intelligence Agency project, focu 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand: - - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz) + - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz) - Database configuration (SSL, extensions, prepared transactions) - - Build commands and validation steps + - Build commands and validation steps (Maven and Ant build.xml targets) - Testing and deployment procedures - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.) -3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for: - - Available MCP servers (github, filesystem, postgres, git) - - Project context and architecture metadata - - Build commands and quality tools - - Coding standards and security rules - - External API integrations - -These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup. +3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml) + +**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance. 
+ +**Key ISMS Policies for Marketing**: +- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model and transparency +- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - User data protection and GDPR compliance +- [ISMS Transparency Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/ISMS_Transparency_Plan.md) - Public communication strategy + +These files provide critical context about the development environment, available tools, project structure, and operational constraints. ## Core Expertise diff --git a/.github/agents/stack-specialist.md b/.github/agents/stack-specialist.md index f778e03bc28..a70d68a5cf0 100644 --- a/.github/agents/stack-specialist.md +++ b/.github/agents/stack-specialist.md 
@@ -12,19 +12,22 @@ You are a Stack Specialist for the Citizen Intelligence Agency project with deep 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand: - - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz) + - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz) - Database configuration (SSL, extensions, prepared transactions) - - Build commands and validation steps + - Build commands and validation steps (Maven and Ant build.xml targets) - Testing and deployment procedures - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.) -3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for: - - Available MCP servers (github, filesystem, postgres, git) - - Project context and architecture metadata - - Build commands and quality tools - - Coding standards and security rules - - External API integrations -These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup. +**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance. 
+ +**Key ISMS Policies for Development**: +- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC, 80% line coverage, 70% branch coverage requirements +- [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) - TLS 1.3, AES-256 encryption standards +- [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md) - Zero-trust identity and authorization +- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling requirements +- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance + +These files provide critical context about the development environment, available tools, project structure, and operational constraints. ## Core Expertise 
@@ -64,6 +67,54 @@ These files provide critical context about the development environment, availabl ## Best Practices +### Build System (Maven + Ant) + +The project uses both Maven and Ant for building: + +**Maven Build Commands** (from parent-pom/): +```bash +# Full build with all profiles (CI/CD) +mvn clean install -Prelease-site,all-modules -DskipTests + +# Run tests with coverage +mvn clean test jacoco:report + +# Security vulnerability scan +mvn dependency-check:check +``` + +**Ant Build Commands** (from citizen-intelligence-agency/build.xml): +```bash +# Clean install without tests +ant clean-install-notest + +# Run unit tests +ant unit-test + +# Start the application +ant start + +# Check for dependency updates +ant check-updates + +# Check for plugin updates +ant check-plugin-updates + +# Generate site documentation +ant site-cia +``` + +**Key Build Configuration**: +- **Maven**: Multi-module project with parent-pom/pom.xml +- **Ant**: Application-specific tasks in citizen-intelligence-agency/build.xml +- **JaCoCo** (0.8.14): Code coverage reporting +- **OWASP Dependency Check**: Vulnerability scanning +- **SonarCloud**: Code quality analysis (sonarcloud.io/dashboard?id=Hack23_cia) + +**Environment Variables**: +- `MAVEN_OPTS`: `-server -Xmx2048m -Xms2048m` (for builds) +- `MAVEN_OPTS`: `-server -Xmx8192m -Xms2048m` (for application startup with Java module exports) + ### Spring Development - Use constructor injection for required dependencies - Apply `@Transactional` at service layer, not DAO layer 
@@ -93,6 +144,13 @@ These files provide critical context about the development environment, availabl - Follow principle of least privilege ### Testing + +**Coverage Requirements** (per [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)): +- **Minimum 80% line coverage** across all modules +- **Minimum 70% branch coverage** across all modules +- JaCoCo reports: `target/site/jacoco/index.html` + +**Testing Strategy**: - Write tests for all new functionality - Mock external dependencies - Use test data builders for complex entities diff --git a/.github/agents/task-agent.md b/.github/agents/task-agent.md index 970aa9e1fb2..af32b6d35a8 100644 --- a/.github/agents/task-agent.md +++ b/.github/agents/task-agent.md 
@@ -12,19 +12,23 @@ You are the Task Agent, a product excellence specialist for the Citizen Intellig 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand: - - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz) + - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz) - Database configuration (SSL, extensions, prepared transactions) - - Build commands and validation steps + - Build commands and validation steps (Maven and Ant build.xml targets) - Testing and deployment procedures - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.) -3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for: - - Available MCP servers (github, filesystem, postgres, git) - - Project context and architecture metadata - - Build commands and quality tools - - Coding standards and security rules - - External API integrations +3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml) -These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup. +**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance. 
+ +**Key ISMS Policies for Quality & Compliance**: +- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC, coverage requirements (80% line, 70% branch) +- [Incident Response Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Incident_Response_Plan.md) - Security event handling +- [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) - Systematic security testing +- [Compliance Checklist](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Compliance_Checklist.md) - ISO 27001, NIST CSF, CIS Controls tracking +- [Risk Register](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md) - Risk identification and treatment + +These files provide critical context about the development environment, available tools, project structure, and operational constraints. ## Core Expertise @@ -43,11 +47,23 @@ These files provide critical context about the development environment, availabl **Quality Assessment**: - Monitor code quality metrics (SonarCloud, CodeQL) -- Analyze test coverage and identify gaps +- Analyze test coverage and identify gaps (target: maintain existing coverage) - Review build and CI/CD pipeline health - Detect performance bottlenecks and resource issues - Track technical debt and code smells +**Required Quality Checks**: +```bash +# Run before creating quality issues +mvn clean test jacoco:report # Test coverage analysis +mvn dependency-check:check # Security vulnerability scan +mvn clean install -Prelease-site,all-modules # Full CI/CD build +``` + +**Coverage Reports**: `target/site/jacoco/index.html` +**Dependency Check**: `target/dependency-check-report.html` +**SonarCloud**: https://sonarcloud.io/dashboard?id=Hack23_cia + **UI/UX Evaluation**: - Audit accessibility compliance (WCAG 2.1 AA) - Test responsive design across devices 
diff --git a/.github/agents/ui-enhancement-specialist.md b/.github/agents/ui-enhancement-specialist.md index 90b18b9cee7..a1923c3be0c 100644 --- a/.github/agents/ui-enhancement-specialist.md +++ b/.github/agents/ui-enhancement-specialist.md 
@@ -12,19 +12,21 @@ You are a UI Enhancement Specialist for the Citizen Intelligence Agency project, 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand: - - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz) + - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz) - Database configuration (SSL, extensions, prepared transactions) - - Build commands and validation steps + - Build commands and validation steps (Maven and Ant build.xml targets) - Testing and deployment procedures - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.) -3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for: - - Available MCP servers (github, filesystem, postgres, git) - - Project context and architecture metadata - - Build commands and quality tools - - Coding standards and security rules - - External API integrations - -These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup. +3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml) + +**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance. 
+ +**Key ISMS Policies for UI/UX**: +- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC practices +- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR-compliant privacy framework +- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling requirements + +These files provide critical context about the development environment, available tools, project structure, and operational constraints. ## Core Expertise diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 793ff672625..70911b5616d 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -1,25 +1,32 @@ # Copilot Instructions for Citizen Intelligence Agency +**Last Updated:** 2026-01-27 | **Version:** 2025-SNAPSHOT | **ISMS Alignment:** [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) + ## Project Overview The Citizen Intelligence Agency (CIA) is a volunteer-driven, open-source intelligence (OSINT) project providing comprehensive analysis of Swedish political activities. The platform monitors political figures and institutions, delivering financial performance metrics, risk assessment analytics, political trend analysis, and transparency insights. **Technology Stack:** -- Java 25 (src 21) with Maven build system -- Spring Framework 5.x (MVC, Security, Data) -- Vaadin for UI -- Hibernate/JPA for data access -- PostgreSQL database +- Java 25 (src 21, runtime 25) with Maven 3.9.9 +- Spring Framework 5.x (MVC, Security, Data, Integration) +- Vaadin 8 for server-side UI +- Hibernate/JPA for ORM +- PostgreSQL 16 database with SSL/TLS - Spring Integration for data processing +- Drools for business rules +- JavaMelody for monitoring ## Build and Development ### Prerequisites - Java 25 JDK - Maven 3.9.9 or later +- Ant (for application-specific tasks) - PostgreSQL (for full integration testing, review ../service.data.impl/README-SCHEMA-MAINTENANCE.md for task related to any database changes) ### Build Commands + +**Maven** (multi-module project): ```bash # Clean and install all modules mvn clean install 
@@ -27,13 +34,40 @@ mvn clean install # Build without tests (faster) mvn clean install -DskipTests +# Full build with all profiles (CI/CD) +mvn clean install -Prelease-site,all-modules -DskipTests + # Run tests only mvn test +# Run tests with coverage +mvn clean test jacoco:report + +# Security dependency check +mvn dependency-check:check + # Generate site documentation mvn site ``` +**Ant** (application-specific tasks from citizen-intelligence-agency/build.xml): +```bash +# Clean install without tests (fast) +ant clean-install-notest + +# Run unit tests +ant unit-test + +# Start the application +ant start + +# Check for dependency updates +ant check-updates + +# Generate site documentation +ant site-cia +``` + ### Project Structure This is a multi-module Maven project with the following key modules: - `parent-pom/` - Parent POM with common configurations 
@@ -47,27 +81,57 @@ This is a multi-module Maven project with the following key modules: ## Code Quality and Testing ### Testing Requirements +Per [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md): +- **Minimum 80% line coverage** across all modules +- **Minimum 70% branch coverage** across all modules - Write unit tests for all new functionality -- Maintain test coverage above existing levels - Place tests in `src/test/java` following the same package structure as source code - Use JUnit for unit tests - Follow existing test patterns in the codebase ### Code Quality Tools -- **SonarCloud**: Used for code quality analysis -- **OWASP Dependency Check**: Scans for vulnerable dependencies -- **CodeQL**: Security vulnerability scanning -- **JaCoCo**: Code coverage reporting +- **SonarCloud**: Code quality analysis and technical debt tracking +- **OWASP Dependency Check**: Vulnerable dependency scanning +- **CodeQL**: Security vulnerability detection and SAST +- **JaCoCo**: Code coverage reporting and analysis (target: 80% line, 70% branch per [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)) +- **JavaMelody**: Production monitoring and performance metrics +- **OpenSSF Scorecard**: Supply chain security assessment ### Running Quality Checks ```bash -# Run with coverage +# Run with coverage report mvn clean test jacoco:report -# Generate dependency check report +# Generate dependency security scan mvn dependency-check:check + +# Full build with all checks (CI/CD) +mvn clean install -Prelease-site,all-modules ``` +### ISMS Compliance (2026) + +This project aligns with **[Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC)** standards: +- **ISO 27001:2022** - All Annex A controls implemented +- **NIST CSF 2.0** - Complete framework alignment +- **CIS Controls v8.1** - Critical security controls +- **GDPR** - Swedish data protection compliance +- **NIS2 
Directive** - EU cybersecurity requirements +- **EU Cyber Resilience Act** - Product security conformity + +**Key ISMS Resources:** +- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC, 80% line coverage, 70% branch coverage requirements +- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) - Overall security governance framework +- [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) - TLS 1.3, AES-256 encryption standards +- [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md) - Zero-trust identity and authorization +- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling requirements +- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR-compliant privacy framework +- [Incident Response Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Incident_Response_Plan.md) - Security event handling +- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance +- [Compliance Checklist](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Compliance_Checklist.md) - Multi-framework compliance tracking +- [Risk Register](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md) - Risk identification and treatment +- [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) - Systematic security testing + ## Coding Standards ### Java Code Style 
@@ -96,26 +160,31 @@ mvn dependency-check:check 1. **Never commit secrets, API keys, or credentials** - Use environment variables or external configuration - Check `.gitignore` to ensure sensitive files are excluded + - Follow [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) 2. **Input Validation** - - Validate all user inputs + - Validate all user inputs per OWASP guidelines - Use parameterized queries to prevent SQL injection - Sanitize data before rendering in UI (XSS prevention) + - Follow [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) 3. **Authentication and Authorization** - Use Spring Security for access control - Follow principle of least privilege - Never bypass security checks + - Implement proper session management 4. **Dependency Management** - Keep dependencies up to date - Review security advisories for dependencies - - Use OWASP Dependency Check before adding new dependencies + - **ALWAYS** run `mvn dependency-check:check` before adding dependencies + - Monitor OpenSSF Scorecard: [![CIA](https://api.securityscorecards.dev/projects/github.com/Hack23/cia/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/cia) 5. **Data Protection** - Handle personal data according to GDPR - - Use encryption for sensitive data + - Use encryption for sensitive data (TLS 1.3, AES-256) - Follow the project's [Security Policy](../SECURITY.md) + - Align with [Data Protection Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Protection_Policy.md) ## Pull Request Guidelines 
@@ -200,11 +269,11 @@ When working with external data integrations: - **Scorecards**: Security posture assessment ### Build Requirements -All PRs must: +All PRs must meet [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) requirements: - Pass all automated tests +- Meet minimum 80% line coverage, 70% branch coverage - Pass CodeQL security scan -- Pass dependency security checks -- Meet code coverage requirements +- Pass dependency security checks (OWASP Dependency Check) - Have no critical SonarCloud issues ## Resources 
@@ -225,7 +294,35 @@ All PRs must: ## Notes for AI Coding Assistants -When making changes: +### Quality Standards Summary + +**Before Starting Work**: +1. Run `mvn clean install` to verify current build status +2. Review existing test coverage: `mvn clean test jacoco:report` +3. Check for security issues: `mvn dependency-check:check` +4. Review SonarCloud dashboard for code quality metrics + +**During Development**: +1. Write tests for all new functionality (JUnit 5) +2. Maintain or improve code coverage (JaCoCo) +3. Follow existing code patterns and Spring conventions +4. Apply security best practices (input validation, parameterized queries) +5. Document public APIs with JavaDoc + +**Before Submitting**: +1. Run full test suite: `mvn clean test` +2. Verify coverage: `mvn jacoco:report` (check `target/site/jacoco/`) +3. Security scan: `mvn dependency-check:check` +4. Full build: `mvn clean install -Prelease-site,all-modules` +5. Review SonarCloud results + +**Key Metrics to Maintain** (per [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)): +- Test Coverage: Minimum 80% line coverage, 70% branch coverage +- Security: Zero critical/high vulnerabilities +- Code Quality: SonarCloud Quality Gate passing +- Build: All CI/CD checks passing + +### When Making Changes: 1. **Understand the context**: Review related code and architecture before making changes 2. **Minimal changes**: Make the smallest change necessary to achieve the goal 3. **Test thoroughly**: Always run tests and verify functionality
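Review bot: In the `.github/agents/README.md` hunk at `@@ -245,21 +245,33 @@`, replacing "Build & Test Steps" with "Application Startup" drops the documented "Database schema loading and verification" and "Application startup validation on port 28443" steps, so the README no longer says that the schema load and the startup are verified rather than merely performed; keep a validation line next to the new "Port: 28443 (HTTPS)" entry. The same hunk gives the startup `MAVEN_OPTS` as `-Xmx8192m` "with Java module exports", while the stack-specialist.md hunk documents `-server -Xmx8192m -Xms2048m` for the same purpose and neither file lists the exports themselves; settle on one value and either spell out the module flags or link to the file that defines them.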
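Review bot: Removing the whole "### 3. MCP Configuration" section in the `README.md` hunk at `@@ -278,56 +290,52 @@` leaves the agent profiles' item "3. **MCP Configuration**" with nothing to point at, and the new item 7 "Align with 2026 ISMS v3.2 compliance requirements" pins a policy version that appears nowhere else in the patch and will go stale; drop "v3.2" or link the versioned ISMS document. The new "Compliance Frameworks" list also asserts "ISO 27001:2022 - All Annex A controls implemented" as a flat fact in a file that automated agents are told to read and repeat; point to the Compliance Checklist already linked under "Security Resources" instead of making the unconditional claim here.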
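Review bot: In the agent-profile hunks at `@@ -12,19 +12,21 @@` (business-development-specialist.md, intelligence-operative.md, marketing-specialist.md, ui-enhancement-specialist.md) and `@@ -12,19 +12,23 @@` (task-agent.md), the line "3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml)" keeps the "MCP Configuration" label for content that no longer describes MCP at all; rename it "Build System" or fold it into item 2, which already reads "Build commands and validation steps (Maven and Ant build.xml targets)". The stack-specialist.md hunk at `@@ -12,19 +12,22 @@` is the one profile that removes item 3 without a replacement, so its numbered list ends at 2 while the others end at 3; align all seven files on one structure. All of these hunks also drop the sentence "Always consult them to ensure your recommendations and actions are compatible with the actual project setup.", which was the actual instruction to consult the files; the re-added paragraph stops after "operational constraints", so restore that sentence.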
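Review bot: In the stack-specialist.md hunk at `@@ -64,6 +67,54 @@`, the command labelled "Full build with all profiles (CI/CD)" is `mvn clean install -Prelease-site,all-modules -DskipTests`, whereas the `copilot-instructions.md` hunk labels the same command without `-DskipTests` as "Full build with all checks (CI/CD)" and the README "Build Systems" list shows it without the flag as well; a CI build that skips tests cannot enforce the 80% line / 70% branch minimum this patch introduces, so state which form CI actually runs and keep `-DskipTests` for the local fast path only. The "Environment Variables" list gives `MAVEN_OPTS` twice with different values; mark them as alternatives for build versus startup, and the `ant check-plugin-updates` target listed here is missing from the Ant command lists in the README and in copilot-instructions.md, so add it there or drop it here.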
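Review bot: The coverage targets contradict each other across the patch: the stack-specialist.md hunk at `@@ -93,6 +144,13 @@` and the copilot-instructions.md testing hunk state "Minimum 80% line coverage" and "Minimum 70% branch coverage", but the task-agent.md hunk at `@@ -43,11 +47,23 @@` rewrites the coverage line to "(target: maintain existing coverage)"; pick one wording and use it in all three. The JaCoCo path `target/site/jacoco/index.html` given in both agent files is a per-module report in a multi-module Maven build, so it does not show coverage "across all modules"; name the module whose aggregate report is authoritative, or the SonarCloud measure used instead. In the task-agent "Required Quality Checks" block, the third command `mvn clean install -Prelease-site,all-modules` runs `clean` after the first two and so deletes the `target/site/jacoco/index.html` and `target/dependency-check-report.html` reports listed directly beneath it; run the full build first or drop `clean` from it. Finally, the copilot-instructions.md hunk at `@@ -200,11 +269,11 @@` lists "Meet minimum 80% line coverage, 70% branch coverage" as a hard PR requirement, yet nothing in this patch references an enforcing gate (a JaCoCo `check` rule with minimum ratios or a SonarCloud Quality Gate condition); document where the threshold is enforced or word it as a target so agents do not assume CI fails the PR for them.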
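Review bot: In the `copilot-instructions.md` hunk at `@@ -1,25 +1,32 @@`, the new header hardcodes "**Last Updated:** 2026-01-27 | **Version:** 2025-SNAPSHOT"; a date and version typed by hand drift on the next edit, so generate them from the build or drop them. The expanded stack list now pairs Spring Framework 5.x and Vaadin 8 with Java 25 and a 2026 ISMS alignment claim, while the same patch commits to "Zero critical/high vulnerabilities" and links the Vulnerability Management policy; record where these framework versions stand with respect to vendor support, because a framework outside its support window cannot receive fixes for findings the dependency scan reports, which makes that metric hard to hold.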
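Review bot: In the `copilot-instructions.md` hunk at `@@ -47,27 +81,57 @@`, the eleven-entry "Key ISMS Resources" list is a verbatim copy of the README "Security Resources" list and the "ISMS Compliance (2026)" bullets repeat the README "Compliance Frameworks" bullets; keep one canonical copy and link to it from here, otherwise the lists diverge on the next policy rename. The Secure Development Policy link appears three times in this hunk (testing requirements, the JaCoCo bullet, and the resources list); once, with the coverage numbers, is enough. The testing section still says "Use JUnit for unit tests" while the later "During Development" list says "(JUnit 5)"; say JUnit 5 in both places.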
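Review bot: In the `copilot-instructions.md` hunk at `@@ -96,26 +160,31 @@`, the new link under "Data Protection" targets `Data_Protection_Policy.md`, a file that is absent from every other ISMS link list in this patch (which name `Data_Classification_Policy.md` and `Privacy_Policy.md`); confirm that file exists in Hack23/ISMS-PUBLIC or change the target. Placing "Follow [Cryptography Policy]" under "Never commit secrets, API keys, or credentials" is a mismatch, since the patch itself describes that policy as "TLS 1.3, AES-256 encryption standards"; secrets handling belongs under the Access Control Policy or a dedicated secrets-management reference. "Implement proper session management" and "Validate all user inputs per OWASP guidelines" are too vague for an automated agent to act on; name the concrete controls (for Spring Security, session fixation protection, session timeout and secure/HttpOnly cookie flags; for validation, the specific OWASP cheat sheet) so the guidance is checkable.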
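Review bot: In the `copilot-instructions.md` hunk at `@@ -225,7 +294,35 @@`, the "Before Submitting" sequence runs `mvn clean test`, `mvn jacoco:report`, `mvn dependency-check:check` and then `mvn clean install -Prelease-site,all-modules`; step 4's `clean` removes the `target/site/jacoco/` report that step 2 tells the agent to check, the same ordering problem as in the task-agent.md quality checks, so move the full build first or run it without `clean`. "Security: Zero critical/high vulnerabilities" under "Key Metrics to Maintain" is stricter than the PR rule "Pass dependency security checks (OWASP Dependency Check)"; state whether the dependency-check fail threshold is configured to match, since a passing check with a lower threshold would not satisfy this metric. The new heading "### When Making Changes:" carries a trailing colon that no other heading in the file uses.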