add entire codebase

.env.example

@@ -0,0 +1,57 @@
+# ============================================================
+# MediVault AI — Environment Configuration
+# ============================================================
+# Copy this file to .env and fill in your values.
+# All inference is fully air-gapped — zero cloud dependencies.
+
+# ============================================================
+# Flowise — AI Orchestration (Docker service — auto-starts)
+# ============================================================
+# First-time setup (one-time):
+#   1. Open http://localhost:3001
+#   2. Complete the "Setup Account" form (any username/password)
+#   3. Log in → avatar (top-right) → API Keys → Add New Key
+#   4. Paste the key below and restart: docker compose restart medivault-api
+FLOWISE_ENDPOINT=http://medivault-flowise:3001
+FLOWISE_API_KEY=
+
+# ============================================================
+# Ollama — Sole LLM + Embeddings Provider (runs on host)
+# ============================================================
+# Install: https://ollama.com/download
+# macOS:   brew install ollama  (or download the .app from ollama.com)
+# Then pull the required models (one-time, ~5.0 GB total):
+#   ollama pull llama3.1:8b       # chat model  (~4.7 GB)
+#   ollama pull nomic-embed-text  # embeddings  (~274 MB)
+#
+# Ollama serves on host:11434 — Docker reaches it via host.docker.internal.
+OLLAMA_BASE_URL=http://host.docker.internal:11434
+OLLAMA_MODEL=llama3.1:8b
+OLLAMA_EMBED_MODEL=nomic-embed-text
+
+# ============================================================
+# ChromaDB — Vector Store (Docker service — auto-managed)
+# ============================================================
+# No setup needed — starts automatically with docker compose up.
+CHROMA_HOST=medivault-chromadb
+CHROMA_PORT=8000
+
+# ============================================================
+# Whisper — Speech-to-Text (Docker service — fully automatic)
+# ============================================================
+# No installation needed — model downloads automatically on first run.
+# Model sizes: tiny (75MB) | base (145MB) | small (460MB) | medium (1.5GB)
+
+WHISPER_ENDPOINT=http://medivault-whisper:9000
+WHISPER_MODEL=small
+
+# ============================================================
+# File Size Limits
+# ============================================================
+MAX_AUDIO_SIZE=26214400
+MAX_FILE_SIZE=10485760
+
+# ============================================================
+# Server
+# ============================================================
+BACKEND_PORT=5001

.github/pull_request_template.md

@@ -0,0 +1,39 @@
+## Summary
+
+<!-- What does this PR do? Keep it to 1-3 bullet points. -->
+
+-
+
+## Type of Change
+
+<!-- Check the one that applies. -->
+
+- [ ] Bug fix
+- [ ] New feature / enhancement
+- [ ] Documentation update
+- [ ] Refactor (no behavior change)
+- [ ] Chore (dependencies, CI, tooling)
+
+## Changes Made
+
+<!-- Briefly describe the key changes. Link to relevant issues if applicable. -->
+
+Resolves #<!-- issue number -->
+
+## How to Test
+
+<!-- Steps a reviewer can follow to verify the changes. -->
+
+1.
+
+## Checklist
+
+- [ ] I have read the [Contributing Guide](../CONTRIBUTING.md)
+- [ ] My branch is up to date with `main`
+- [ ] New environment variables (if any) are documented in `.env.example` and the README
+- [ ] No secrets, API keys, or credentials are included in this PR
+- [ ] I have tested my changes locally
+
+## Screenshots (if applicable)
+
+<!-- Add screenshots for UI changes. Delete this section if not applicable. -->

.github/workflows/code-scans.yaml

@@ -0,0 +1,104 @@
+name: SDLE Scans
+
+on:
+  workflow_dispatch:
+    inputs:
+      PR_number:
+        description: 'Pull request number'
+        required: true
+  push:
+    branches: [ main ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: sdle-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+# -----------------------------
+# 1) Trivy Scan
+# -----------------------------
+  trivy_scan:
+    name: Trivy Vulnerability Scan
+    runs-on: ubuntu-latest
+    env:
+      TRIVY_REPORT_FORMAT: table
+      TRIVY_SCAN_TYPE: fs
+      TRIVY_SCAN_PATH: .
+      TRIVY_EXIT_CODE: '1'
+      TRIVY_VULN_TYPE: os,library
+      TRIVY_SEVERITY: CRITICAL,HIGH
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create report directory
+        run: mkdir -p trivy-reports
+
+      - name: Run Trivy FS Scan
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,misconfig,secret,license'
+          ignore-unfixed: true
+          format: 'table'
+          exit-code: '1'
+          output: 'trivy-reports/trivy_scan_report.txt'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-reports/trivy_scan_report.txt
+
+      - name: Show Trivy Report in Logs
+        if: failure()
+        run: |
+          echo "========= TRIVY FINDINGS ========="
+          cat trivy-reports/trivy_scan_report.txt
+          echo "================================="
+
+# -----------------------------
+# 2) Bandit Scan
+# -----------------------------
+  bandit_scan:
+    name: Bandit security scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+
+      - name: Install Bandit
+        run: pip install bandit
+
+      - name: Create Bandit configuration
+        shell: bash
+        run: |
+          cat > .bandit << 'EOF'
+          [bandit]
+          exclude_dirs = tests,test,venv,.venv,node_modules
+          skips = B101
+          EOF
+
+      - name: Run Bandit scan
+        run: |
+          bandit -r . -ll -iii -f screen
+          bandit -r . -ll -iii -f html -o bandit-report.html
+
+      - name: Upload Bandit Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-report
+          path: bandit-report.html
+          retention-days: 30

.gitignore

@@ -0,0 +1,86 @@
+# ============================================
+# ENVIRONMENT & SECRETS
+# ============================================
+.env
+.env.*
+!.env.example
+
+# ============================================
+# PYTHON
+# ============================================
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+
+venv/
+env/
+ENV/
+.venv/
+
+.idea/
+.vscode/
+*.swp
+*.swo
+
+.pytest_cache/
+.coverage
+htmlcov/
+
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+*.egg-info/
+dist/
+build/
+
+# ============================================
+# NODE.JS / REACT
+# ============================================
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+ui/dist/
+ui/build/
+
+.env.development.local
+.env.test.local
+.env.production.local
+
+# ============================================
+# VECTOR DATABASE
+# ============================================
+chroma/
+*.sqlite3
+*.sqlite
+
+# ============================================
+# TEST ASSETS & SAMPLE DATA
+# ============================================
+docs/test-assets/
+*.wav
+*.mp3
+
+# ============================================
+# BUILD & RUNTIME ARTIFACTS
+# ============================================
+*.log
+logs/
+
+# ============================================
+# TEMPORARY FILES
+# ============================================
+tmp/
+temp/
+api/tmp/
+api/temp/
+
+# ============================================
+# OS FILES
+# ============================================
+.DS_Store
+Thumbs.db
+desktop.ini