
CLI-1445: Security Hardening #17

Merged
the-krafty-koder merged 5 commits into main from cli-1445-security-hardening
Mar 24, 2026

Conversation

@the-krafty-koder
Contributor

  1. Split CI into dedicated jobs (quality, test, e2e, build, codeql) and added dependency audit plus explicit Playwright browser install.
  2. Hardened scripts/generate-openapi-types.mjs so insecure TLS is opt-in via OPENAPI_ALLOW_INSECURE_TLS.
  3. Added .env.example documenting OpenAPI, API base/proxy, TLS, and query-history TTL environment variables.
  4. Added SECURITY.md with private vulnerability reporting and response expectations.
  5. Introduced shared API base config (src/config/api-base.ts) and switched Dashboard + Query Explorer clients to use it.
  6. Added query history storage config (src/config/query-history-storage.ts) with TTL pruning and storage mode helpers.
  7. Extended Query Explorer store with historyStorageMode (local/session/off) and persistence behavior per mode.
  8. Updated History panel UI to let users choose storage mode and show mode-specific retention messaging.
  9. Tightened Vite proxy TLS handling (secure now depends on HTTPS target + VITE_PROXY_ALLOW_INSECURE_TLS).
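The two TLS changes in items 2 and 9 share one rule: certificate verification stays on unless an operator explicitly opts out. The following is an added illustration, not code from this PR; it assumes only the two environment variable names the description gives and treats the flag as set solely when its value is the literal string "true".

```typescript
// Added example (not the PR's own code). Shows the opt-in semantics described in
// the PR description: insecure TLS only when the operator sets the named flag.

type Env = Record<string, string | undefined>;

/**
 * An insecure-TLS flag counts as set only for an explicit, literal "true".
 * Unset, empty, "1", "yes" or any other value keeps verification enabled, so a
 * typo in an env file cannot silently disable certificate checks.
 */
function insecureTlsOptIn(value: string | undefined): boolean {
  return value !== undefined && value.trim().toLowerCase() === "true";
}

/**
 * Vite dev-server proxy `secure` flag (http-proxy semantics: true = verify the
 * upstream certificate). Verification applies whenever the target is HTTPS and
 * VITE_PROXY_ALLOW_INSECURE_TLS has not been set to "true". A plain-HTTP target
 * has no certificate to verify, so `secure` is false there.
 */
function resolveProxySecure(target: string, env: Env): boolean {
  const isHttps = /^https:\/\//i.test(target.trim());
  return isHttps && !insecureTlsOptIn(env.VITE_PROXY_ALLOW_INSECURE_TLS);
}

/**
 * Node `rejectUnauthorized` value for the OpenAPI spec download in
 * scripts/generate-openapi-types.mjs: defaults to true, and only
 * OPENAPI_ALLOW_INSECURE_TLS="true" turns it off.
 */
function resolveRejectUnauthorized(env: Env): boolean {
  return !insecureTlsOptIn(env.OPENAPI_ALLOW_INSECURE_TLS);
}

/** Constructed sample environments, covering the default and the opt-out. */
const SAMPLE_ENVS: Env[] = [
  {},                                           // nothing set: secure everywhere
  { VITE_PROXY_ALLOW_INSECURE_TLS: "true" },    // explicit dev opt-out for the proxy
  { OPENAPI_ALLOW_INSECURE_TLS: "yes" },        // not a literal "true": still secure
];

for (const env of SAMPLE_ENVS) {
  console.log({
    env,
    proxySecure: resolveProxySecure("https://api.internal.example", env),
    rejectUnauthorized: resolveRejectUnauthorized(env),
  });
}
```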

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.


Copilot AI left a comment


Pull request overview

This PR focuses on security hardening and configuration improvements across CI, OpenAPI type generation, API base configuration, and query history persistence controls (including TTL pruning and selectable storage mode).

Changes:

  • Hardened TLS behavior by making insecure TLS opt-in for OpenAPI type generation and Vite proxying, and added security reporting docs.
  • Introduced shared API base resolution and updated dashboard/query-explorer clients to use it.
  • Added query history storage configuration (mode + TTL pruning), wired it into the Query Explorer store, and updated the History UI + tests.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| vite.config.ts | Makes Vite proxy TLS verification default-secure, with an explicit opt-out flag for dev. |
| src/vite-env.d.ts | Adds typing for VITE_QUERY_HISTORY_TTL_MS. |
| src/store/types.ts | Updates history entry doc comment to reflect multiple storage modes. |
| src/store/slices/query-explorer.ts | Adds history storage mode + TTL pruning and persistence/migration logic. |
| src/store/slices/query-explorer.test.ts | Extends tests for TTL pruning and storage-mode persistence/migration. |
| src/store/index.ts | Re-exports HistoryStorageMode for UI consumption. |
| src/features/query-explorer/query-client.ts | Uses shared API base resolver for generated client. |
| src/features/query-explorer/components/history-panel.tsx | Adds UI to choose history storage mode and shows retention messaging. |
| src/features/dashboard/index.tsx | Uses shared API base resolver for generated client. |
| src/config/query-history-storage.ts | Introduces storage-mode + TTL parsing/pruning helpers and constants. |
| src/config/api-base.ts | Adds environment-aware API base resolution (dev default vs prod same-origin). |
| SECURITY.md | Adds private vulnerability reporting guidance and response expectations. |
| scripts/generate-openapi-types.mjs | Makes insecure TLS opt-in via OPENAPI_ALLOW_INSECURE_TLS. |
| package.json | Adds a dedicated generate-openapi-types script entry. |
| .github/workflows/ci.yml | Splits CI into multiple jobs and adds dependency audit + CodeQL. |
| .env.example | Documents env vars for OpenAPI generation, API base/proxy, TLS, and history TTL. |


@the-krafty-koder the-krafty-koder requested a review from danias March 23, 2026 14:23
Member

@danias danias left a comment


GitHub Actions: runs-on: ubuntu-latest
Backend URL: Get it from the browser's URL

@the-krafty-koder the-krafty-koder merged commit fa9bb3f into main Mar 24, 2026
6 checks passed
@the-krafty-koder the-krafty-koder deleted the cli-1445-security-hardening branch March 24, 2026 10:40