feat: initial AppSecOne implementation

Signed-off-by: Damian Skrzyński <polprog.tech@gmail.com>

Author: polprog-dev

.env.example

@@ -0,0 +1,28 @@
+# =============================================================================
+# AppSecOne — Environment Variables
+# =============================================================================
+# Copy this file to .env and fill in the values for your environment.
+# All variables are optional unless noted otherwise.
+
+# --- Fortify SSC Integration ---
+# Auth token for Fortify SSC API (required for sync to work).
+# The variable name can be customized in appsecone.json → fortify.token_env_var
+FORTIFY_SSC_TOKEN=
+
+# --- API Security ---
+# When set, all state-changing API requests (POST/PUT/DELETE) require this key
+# in the X-API-Key header. GET requests and health endpoints are always public.
+# Uses timing-safe HMAC comparison to prevent timing attacks.
+APPSECONE_API_KEY=
+
+# --- CORS (Cross-Origin Resource Sharing) ---
+# Comma-separated list of allowed origins for cross-origin requests.
+# If not set, CORS will reject all cross-origin requests.
+# Example: https://dashboard.example.com,https://staging.example.com
+APPSECONE_CORS_ORIGINS=
+
+# --- Framing / Embedding ---
+# Set to "true" to allow the dashboard to be embedded in iframes.
+# When enabled, frame-ancestors is set to 'self' + CORS origins.
+# Default: false (X-Frame-Options: DENY)
+APPSECONE_ALLOW_FRAMING=false

.github/workflows/ci.yml

@@ -0,0 +1,41 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Install dependencies
+        run: pip install --quiet -e ".[dev]"
+      - name: Lint
+        run: python -m ruff check src/ tests/
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install --quiet -e ".[dev]"
+      - name: Run tests
+        run: python -m pytest --tb=short -q --junitxml=results.xml
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-results-${{ matrix.python-version }}
+          path: results.xml

.gitignore

@@ -0,0 +1,56 @@
+# ── Byte-compiled / optimized / DLL files ──────────────────────────────────
+__pycache__/
+*.py[cod]
+*$py.class
+*.pyo
+
+# ── Distribution / packaging ───────────────────────────────────────────────
+dist/
+build/
+*.egg-info/
+*.egg
+.eggs/
+
+# ── Virtual environments ───────────────────────────────────────────────────
+.venv/
+venv/
+env/
+
+# ── IDE / Editor ───────────────────────────────────────────────────────────
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# ── Testing ────────────────────────────────────────────────────────────────
+.coverage
+htmlcov/
+.pytest_cache/
+.ruff_cache/
+
+# ── Generated output ──────────────────────────────────────────────────────
+output/
+*.html
+!src/appsecone/presentation/templates/*.html.j2
+
+# ── OS files ───────────────────────────────────────────────────────────────
+.DS_Store
+Thumbs.db
+
+# ── Environment / secrets ──────────────────────────────────────────────────
+.env
+.env.local
+*.pem
+*.key
+
+# ── Database ───────────────────────────────────────────────────────────────
+*.db
+*.sqlite3
+
+# ── User config ────────────────────────────────────────────────────────────
+appsecone.json
+appsecone.json.bak
+data/*.db
+data/*.db-shm
+data/*.db-wal

.gitlab-ci.yml

@@ -0,0 +1,37 @@
+stages:
+  - lint
+  - test
+
+variables:
+  PYTHONDONTWRITEBYTECODE: "1"
+  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.pip-cache"
+  PYTHONPATH: "src"
+
+default:
+  cache:
+    key: pip-${CI_COMMIT_REF_SLUG}
+    paths:
+      - .pip-cache/
+
+lint:
+  stage: lint
+  image: python:3.13-slim
+  before_script:
+    - pip install --quiet -e ".[dev]"
+  script:
+    - python -m ruff check src/ tests/
+
+test:
+  stage: test
+  image: python:${PYTHON_VERSION}-slim
+  parallel:
+    matrix:
+      - PYTHON_VERSION: ["3.12", "3.13"]
+  before_script:
+    - pip install --quiet -e ".[dev]"
+  script:
+    - pytest --tb=short -q --junitxml=results.xml
+  artifacts:
+    reports:
+      junit: results.xml
+    expire_in: 7 days

CHANGELOG.md

@@ -0,0 +1,26 @@
+# Changelog
+
+All notable changes to AppSecOne will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] — 2026-03-28
+
+### Added
+- **Portfolio Dashboard** — aggregated severity breakdown, readiness donut chart, repository cards with status indicators, and trend badges
+- **Findings Explorer** — filterable, sortable, paginated table of all findings across the portfolio with severity badges and export to CSV/JSON
+- **Repository Detail** — deep-dive into a single repository with findings table, policy evaluation, blocker panels, stacked severity bar, and trend chart
+- **Policy & Waivers** — policy rules overview, active waivers with expiry tracking, and waiver creation form with audit trail
+- **Admin & Sync** — system configuration summary, manual sync trigger with real-time SSE progress, sync history log
+- **Setup Wizard** — guided 4-step setup: Fortify connection → project discovery → repository mapping → policy & sync configuration
+- **Fortify SSC integration** — full sync with rate limiting, exponential backoff retry, pagination, and corporate SSL support
+- **Deterministic policy engine** — configurable thresholds for critical/high/medium findings, issue age limits, waiver support
+- **Trend analytics** — historical daily snapshots with 5% threshold direction classification (improving / stable / worsening)
+- **i18n support** — English and Polish locales with pluralization, interpolation, and async-safe context management
+- **Security middleware stack** — CSP with nonce, CSRF protection, rate limiting, API key auth, body size limits, correlation IDs
+- **CLI** — `serve`, `sync`, `evaluate`, `validate`, `version` commands via Typer
+- **REST API** — 15+ endpoints for overview, repositories, findings, readiness, policies, waivers, sync, trends, export, health, i18n
+- **464 tests** — unit, integration, security regression, i18n validation, UI regression
+
+[1.0.0]: https://github.com/polprog-tech/AppSecOne/releases/tag/v1.0.0

CODE_OF_CONDUCT.md

@@ -0,0 +1,39 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+* The use of sexualized language or imagery
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+* Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project maintainers. All complaints will be reviewed and
+investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
+version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.

CONTRIBUTING.md

@@ -0,0 +1,115 @@
+# Contributing to AppSecOne
+
+Thank you for your interest in contributing to AppSecOne! This guide will help you get started.
+
+## Development Setup
+
+### Prerequisites
+
+- Python 3.12 or higher
+- Git
+
+### Installation
+
+```bash
+git clone https://github.com/polprog-tech/AppSecOne.git
+cd AppSecOne
+python3 -m venv .venv
+source .venv/bin/activate
+python3 -m pip install -e ".[dev]"
+```
+
+### Running the development server
+
+```bash
+appsecone serve --config appsecone.json --port 8080 --verbose
+```
+
+### Running tests
+
+```bash
+# Full suite (464 tests)
+python3 -m pytest tests/ -q
+
+# With coverage
+python3 -m pytest --cov=appsecone --cov-report=term-missing
+```
+
+### Linting & Formatting
+
+```bash
+# Check
+python3 -m ruff check src/ tests/
+
+# Auto-fix
+python3 -m ruff check --fix src/ tests/
+
+# Format
+python3 -m ruff format src/ tests/
+```
+
+## Project Structure
+
+```
+src/appsecone/
+├── domain/          # Pure domain models and enums (zero I/O)
+├── config/          # Configuration loading and validation
+├── fortify/         # Fortify SSC integration client
+│   ├── client/      # HTTP client, auth, endpoints
+│   └── mappers/     # DTO → domain model mapping
+├── persistence/     # Database layer (SQLite)
+├── application/     # Sync and query services (async)
+├── analysis/        # Trend analytics & historical snapshots
+├── presentation/    # Jinja2 renderer, view models, templates
+│   └── templates/   # HTML templates with design system
+├── web/             # FastAPI server, middleware, routes
+├── cli/             # Typer CLI commands
+├── i18n/            # Internationalization catalogs (EN, PL)
+│   └── locales/     # JSON translation files
+└── shared/          # Logging, networking, type aliases
+```
+
+## Code Style
+
+- **Python 3.12+** features encouraged (`StrEnum`, type unions, f-strings)
+- **Ruff** for linting and formatting (config in `pyproject.toml`)
+- **Frozen dataclasses** for domain models — immutability by default
+- **Type hints** everywhere — no untyped public APIs
+- **Async** for all I/O operations (database, network, file system)
+- **CSS custom properties** for all design tokens — no hardcoded colors or spacing in templates
+- **No inline styles** — all visual styling via CSS classes
+- **CSP-safe JavaScript** — all scripts use nonce attributes, no inline event handlers
+
+## Making Changes
+
+1. Create a feature branch: `git checkout -b feature/your-feature`
+2. Make your changes
+3. Run tests: `python3 -m pytest tests/ -q`
+4. Run linter: `python3 -m ruff check src/ tests/`
+5. Verify no regressions in UX/UI: `python3 -m pytest tests/unit/presentation/ -q`
+6. Commit with a descriptive message
+7. Open a pull request
+
+## Architecture Principles
+
+- **Domain layer has zero I/O** — pure functions and frozen dataclasses only
+- **Application layer is async** — all database and network calls are awaited
+- **Presentation layer builds view models** — no business logic in templates
+- **Web layer is thin** — routes delegate to services, never contain business logic
+- **Config-driven policy** — release readiness rules live in JSON, not code
+- **Security by default** — CSP headers, CSRF protection, rate limiting, API key auth
+
+## Internationalization
+
+AppSecOne supports multiple languages. Translation catalogs live in `src/appsecone/i18n/locales/`.
+
+- Use `t('key.name')` in Jinja2 templates
+- Use `t('key', count=N)` for pluralization (keys: `.one`, `.other`, `.few` for Polish)
+- Always add keys to **both** `en.json` and `pl.json`
+
+## Reporting Issues
+
+- Use GitHub Issues for bug reports and feature requests
+- Include reproduction steps for bugs
+- Include expected vs actual behavior
+- For UI issues, include the browser, theme, and language used