Aryan1718 · Aryan1718 · Jun 9, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
diff --git a/.env.example b/.env.example
@@ -29,6 +29,8 @@ DAILY_TOKEN_LIMIT=100000
 LOG_EACH_QUERY=false
 RESERVATION_TTL_SECONDS=600
 EMBEDDING_MODEL=text-embedding-3-small
+MAX_QUERY_DOCUMENTS=10
+MAX_QUERY_TOTAL_PAGES=100
 
 # ===== Ingestion Limits =====
 MAX_FILE_SIZE_BYTES=10485760
@@ -39,6 +41,9 @@ EMBEDDING_BATCH_SIZE=32
 OPENAI_EMBEDDING_TIMEOUT_SECONDS=300
 INGEST_EXTRACT_JOB_TIMEOUT_SECONDS=900
 INGEST_INDEX_JOB_TIMEOUT_SECONDS=1800
+INGEST_STALE_UPLOADED_SECONDS=3600
+INGEST_STALE_EXTRACTING_SECONDS=1800
+INGEST_STALE_INDEXING_SECONDS=3600
 
 # ===== Client (React) =====
 VITE_API_URL=http://localhost:8000

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/.github/trivy"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "America/Los_Angeles"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "security"
+      - "trivy"
+    open-pull-requests-limit: 5
diff --git a/.github/trivy/Dockerfile b/.github/trivy/Dockerfile
@@ -0,0 +1 @@
+FROM aquasec/trivy:0.70.0
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -23,32 +23,28 @@ jobs:
   trivy_scan:
     name: Trivy Vulnerability Scan
     runs-on: ubuntu-latest
-    env:
-      TRIVY_REPORT_FORMAT: table
-      TRIVY_SCAN_TYPE: fs
-      TRIVY_SCAN_PATH: .
-      TRIVY_EXIT_CODE: '1'
-      TRIVY_VULN_TYPE: os,library
-      TRIVY_SEVERITY: CRITICAL,HIGH
     steps:
       - uses: actions/checkout@v4
 
       - name: Create report directory
         run: mkdir -p trivy-reports
-
+
+      - name: Build pinned Trivy runner
+        run: docker build -t local-trivy -f .github/trivy/Dockerfile .github/trivy
+
       - name: Run Trivy FS Scan
-        uses: aquasecurity/trivy-action@v0.36.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          version: 'v0.70.0'
-          scanners: 'vuln,misconfig,secret,license'
-          ignore-unfixed: true
-          format: 'table'
-          exit-code: '1'
-          output: 'trivy-reports/trivy_scan_report.txt'
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: |
+          docker run --rm \
+            -v "${{ github.workspace }}:/workspace" \
+            -w /workspace \
+            local-trivy fs . \
+            --scanners vuln,misconfig,secret,license \
+            --ignore-unfixed \
+            --format table \
+            --exit-code 1 \
+            --output trivy-reports/trivy_scan_report.txt \
+            --vuln-type os,library \
+            --severity CRITICAL,HIGH
 
       - name: Upload Trivy Report
         uses: actions/upload-artifact@v4

diff --git a/artifacts/ingestion-load/ingestion-load-valid-10-20260608T081032Z.json b/artifacts/ingestion-load/ingestion-load-valid-10-20260608T081032Z.json
diff --git a/artifacts/ingestion-load/ingestion-load-valid-25-20260608T081409Z.json b/artifacts/ingestion-load/ingestion-load-valid-25-20260608T081409Z.json
diff --git a/artifacts/ingestion-load/ingestion-load-valid-50-20260608T083216Z.json b/artifacts/ingestion-load/ingestion-load-valid-50-20260608T083216Z.json