test: add contract event emission tests for all state-changing functions

.github/PULL_REQUEST_TEMPLATE.md

@@ -14,5 +14,6 @@ Closes #
 - [ ] Tests pass
 - [ ] No new lint warnings
 - [ ] Docs updated if needed
+- [ ] CHANGELOG.md updated
 - [ ] PR targets `develop`
 - [ ] Supabase queries audited for SQL injection (no raw SQL, parameterized methods used)

.github/dependabot.yml

@@ -39,3 +39,17 @@ updates:
       # Flag major version bumps for manual review
       - dependency-name: "*"
         update-types: [version-update:semver-major]
+
+  # GitHub Actions — monthly to reduce noise
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+    ignore:
+      # Flag major version bumps for manual review
+      - dependency-name: "*"
+        update-types: [version-update:semver-major]

.github/workflows/audit.yml

@@ -11,6 +11,7 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  issues: write
 
 jobs:
   npm-audit:
@@ -42,6 +43,20 @@ jobs:
               repo: context.repo.repo,
               body: `### ${status} pnpm audit\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``
             });
+      - name: Create Issue on failure (Scheduled)
+        if: github.event_name == 'schedule' && steps.npm_audit.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const output = fs.readFileSync('/tmp/npm-audit.txt', 'utf8');
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: '🚨 Weekly pnpm audit failed: High-severity vulnerabilities detected',
+              body: `The weekly pnpm audit found high-severity vulnerabilities in JS dependencies.\n\n### Audit Output:\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``,
+              labels: ['security', 'devops']
+            });
       - name: Fail if audit found high/critical issues
         if: steps.npm_audit.outcome == 'failure'
         run: exit 1
@@ -54,7 +69,7 @@ jobs:
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: "1.85.0"
+          toolchain: "1.88.0"
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: apps/contracts
@@ -79,6 +94,20 @@ jobs:
               repo: context.repo.repo,
               body: `### ${status} cargo audit\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``
             });
+      - name: Create Issue on failure (Scheduled)
+        if: github.event_name == 'schedule' && steps.cargo_audit.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const output = fs.readFileSync('/tmp/cargo-audit.txt', 'utf8');
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: '🚨 Weekly cargo audit failed: Vulnerabilities detected',
+              body: `The weekly cargo audit found vulnerabilities in Rust dependencies.\n\n### Audit Output:\n\`\`\`\n${output.slice(0, 6000)}\n\`\`\``,
+              labels: ['security', 'devops']
+            });
       - name: Fail if audit found vulnerabilities
         if: steps.cargo_audit.outcome == 'failure'
         run: exit 1

.github/workflows/ci.yml

@@ -51,17 +51,26 @@ jobs:
           TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
       - run: pnpm test
         working-directory: apps/web
+      - name: Run tests with coverage
+        run: pnpm vitest run --coverage
+        working-directory: apps/web
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          files: apps/web/coverage/lcov.info
+          flags: web
+          fail_ci_if_error: false
       - run: pnpm build
         working-directory: apps/web
         env:
-          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL || 'https://placeholder.supabase.co' }}
-          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY || 'placeholder' }}
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
           NEXT_PUBLIC_STELLAR_NETWORK: testnet
           NEXT_PUBLIC_ENERGY_TOKEN_ID: placeholder
           NEXT_PUBLIC_AUDIT_REGISTRY_ID: placeholder
           NEXT_PUBLIC_COMMUNITY_GOVERNANCE_ID: placeholder
-          SUPABASE_SERVICE_ROLE_KEY: placeholder
-          MINTER_SECRET_KEY: SAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+          SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
+          MINTER_SECRET_KEY: ${{ secrets.MINTER_SECRET_KEY }}
           TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
           TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
@@ -104,6 +113,21 @@ jobs:
       - name: Validate openapi.yaml
         run: npx --yes @redocly/cli@1 lint openapi.yaml --format=github-actions
 
+  license-compliance:
+    name: License compliance check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: npx license-checker --onlyAllow "$(node -e "const c=require('./.license-checker.json');console.log(c.allowedLicenses.join(';'))")" --excludePrivatePackages
+
   contracts:
     name: Contracts (fmt + clippy + test)
     runs-on: ubuntu-latest
@@ -128,14 +152,23 @@ jobs:
       - name: fmt
         run: cargo fmt --all -- --check
         working-directory: apps/contracts
+        env:
+          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
       - name: clippy
         run: cargo clippy --all-targets --all-features -- -D warnings
         working-directory: apps/contracts
+        env:
+          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
       - name: test
         run: cargo test --all
         working-directory: apps/contracts
+        env:
+          TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+          TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
   proptest:
     name: Property-based tests (proptest)
@@ -177,3 +210,44 @@ jobs:
       - name: fuzz_vote (30 s)
         run: cargo fuzz run fuzz_vote -- -max_total_time=30 corpus/fuzz_vote
         working-directory: apps/contracts/fuzz
+
+  image-scan:
+    name: Docker image vulnerability scan (Trivy)
+    runs-on: ubuntu-latest
+    needs: web
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          docker build \
+            --file apps/web/Dockerfile \
+            --tag solarproof/web:${{ github.sha }} \
+            .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: solarproof/web:${{ github.sha }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+          exit-code: '1'
+          ignore-unfixed: true
+
+      - name: Upload Trivy SARIF results as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-scan-results
+          path: trivy-results.sarif
+          retention-days: 30
+
+      - name: Upload SARIF to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif

.github/workflows/contracts-ci.yml

@@ -0,0 +1,48 @@
+name: Contracts CI
+
+on:
+  pull_request:
+    branches: [main, develop]
+    paths:
+      - "apps/contracts/**"
+      - ".github/workflows/contracts-ci.yml"
+  push:
+    branches: [main, develop]
+    paths:
+      - "apps/contracts/**"
+      - ".github/workflows/contracts-ci.yml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Rust contracts (fmt + clippy + test)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: "1.85.0"
+          targets: wasm32-unknown-unknown
+          components: rustfmt, clippy
+
+      - name: Cache Rust build artifacts
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: apps/contracts
+
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+        working-directory: apps/contracts
+
+      - name: Clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+        working-directory: apps/contracts
+
+      - name: Run tests
+        run: cargo test --all
+        working-directory: apps/contracts

.github/workflows/deploy-production.yml

@@ -0,0 +1,49 @@
+name: Deploy Production
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  ci:
+    name: CI gate
+    uses: ./.github/workflows/ci.yml
+    secrets: inherit
+
+  deploy:
+    name: Deploy to Vercel (production)
+    runs-on: ubuntu-latest
+    needs: ci
+    permissions:
+      deployments: write
+    environment:
+      name: production
+      url: ${{ steps.promote.outputs.url }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Vercel CLI
+        run: npm install -g vercel@latest
+
+      - name: Build & deploy preview (green)
+        id: deploy
+        env:
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+        run: |
+          url=$(vercel deploy --token "$VERCEL_TOKEN" --yes 2>&1 | tail -1)
+          echo "url=$url" >> "$GITHUB_OUTPUT"
+
+      - name: Promote to production
+        id: promote
+        env:
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+        run: |
+          vercel promote "${{ steps.deploy.outputs.url }}" \
+            --token "$VERCEL_TOKEN" --scope "$VERCEL_ORG_ID"
+          echo "url=${{ steps.deploy.outputs.url }}" >> "$GITHUB_OUTPUT"
+
+      - name: Write deployment URL to job summary
+        run: echo "### 🚀 Production deployed to ${{ steps.promote.outputs.url }}" >> "$GITHUB_STEP_SUMMARY"

.github/workflows/mutation-testing.yml

@@ -0,0 +1,85 @@
+name: Mutation Testing
+
+on:
+  schedule:
+    # Every Sunday at 02:00 UTC
+    - cron: '0 2 * * 0'
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Which target to run (all | rust | typescript)'
+        required: false
+        default: 'all'
+
+concurrency:
+  group: mutation-testing
+  cancel-in-progress: true
+
+jobs:
+  rust-mutations:
+    name: Rust (cargo-mutants)
+    if: ${{ github.event_name == 'schedule' || github.event.inputs.target == 'all' || github.event.inputs.target == 'rust' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: '1.85.0'
+          targets: wasm32-unknown-unknown
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: apps/contracts
+
+      - name: Install cargo-mutants
+        run: cargo install cargo-mutants --locked --version 24.11.0
+
+      - name: Run cargo-mutants
+        working-directory: apps/contracts
+        run: |
+          cargo mutants \
+            --package audit_registry \
+            --package energy_token \
+            --output mutants-out \
+            --timeout 120 \
+            --jobs 2
+
+      - name: Upload mutation report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: cargo-mutants-report
+          path: apps/contracts/mutants-out/
+          retention-days: 30
+
+  typescript-mutations:
+    name: TypeScript (Stryker)
+    if: ${{ github.event_name == 'schedule' || github.event.inputs.target == 'all' || github.event.inputs.target == 'typescript' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Run Stryker
+        working-directory: packages/stellar
+        run: pnpm test:mutation
+
+      - name: Upload Stryker report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: stryker-report
+          path: packages/stellar/reports/mutation/
+          retention-days: 30