denmark0128
diff --git a/‎.env.example‎
Lines changed: 14 additions & 0 deletions b/‎.env.example‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 64 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 57 additions & 0 deletions b/‎.gitignore‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎DOCKER.md‎
Lines changed: 31 additions & 0 deletions b/‎DOCKER.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 27 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎backend/.dockerignore‎
Lines changed: 13 additions & 0 deletions b/‎backend/.dockerignore‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎backend/.env.example‎
Lines changed: 19 additions & 0 deletions b/‎backend/.env.example‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎backend/.pytest_all.log‎
Lines changed: 38 additions & 0 deletions b/‎backend/.pytest_all.log‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎backend/.pytest_employee_seed.log‎
Lines changed: 38 additions & 0 deletions b/‎backend/.pytest_employee_seed.log‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎backend/Dockerfile‎
Lines changed: 26 additions & 0 deletions b/‎backend/Dockerfile‎
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,14 @@
+# Docker compose environment
+APP_ENV=development
+DATABASE_URL=sqlite:////app/data/dev.sqlite3
+JWT_SECRET_KEY=replace-with-strong-random-secret-min-32-chars
+BIOMETRIC_INGEST_API_KEY=replace-with-strong-random-api-key
+
+DEFAULT_ADMIN_EMAIL=admin@company.com
+DEFAULT_ADMIN_PASSWORD=replace-admin-password
+DEFAULT_ADMIN_NAME=System Admin
+DEFAULT_HR_EMAIL=hr@company.com
+DEFAULT_HR_PASSWORD=replace-hr-password
+DEFAULT_HR_NAME=HR Manager
+
+CORS_ORIGINS=http://localhost:8080
@@ -0,0 +1,64 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  backend-tests:
+    name: Backend Tests (Python 3.12)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: backend
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: backend/requirements.txt
+
+      - name: Install backend dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run backend tests
+        run: python -m pytest -q
+
+  frontend-build:
+    name: Frontend Build (Bun)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: "1.2.23"
+
+      - name: Install frontend dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build frontend
+        run: bun run build
@@ -0,0 +1,57 @@
+# Python
+venv/
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.Python
+*.egg-info/
+dist/
+build/
+.env
+
+# FastAPI / Alembic
+alembic/versions/*.pyc
+
+# Node / Bun
+node_modules/
+dist/
+.bun
+bun.lockb
+
+# Vite
+*.local
+vite.config.ts.timestamp*
+
+# TypeScript
+*.tsbuildinfo
+
+# Environment
+.env
+.env.local
+.env.development
+.env.production
+
+# Databases / local state
+*.sqlite3
+*.db
+
+# Secrets / credentials
+*.pem
+*.key
+*.p12
+*.crt
+*.secrets
+secrets/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
@@ -0,0 +1,31 @@
+# Docker Quick Start
+
+## Prerequisites
+- Docker Desktop
+
+## 1) Prepare environment files
+- Copy templates and set real values:
+  - `copy .env.example .env`
+  - `copy backend\.env.example backend\.env`
+  - `copy frontend\.env.example frontend\.env`
+
+## 2) Build and run
+From project root:
+
+```powershell
+docker compose up --build -d
+```
+
+## 3) Access apps
+- Frontend: `http://localhost:8080`
+- Backend API (via frontend proxy): `http://localhost:8080/api/v1`
+
+## 4) Logs and stop
+```powershell
+docker compose logs -f
+docker compose down
+```
+
+## Notes
+- SQLite data is persisted in Docker volume `backend-data`.
+- For production, set `APP_ENV=production` and provide strong non-default secrets/passwords.
@@ -0,0 +1,27 @@
+# Security and GitHub Commit Checklist
+
+## 1) Environment and secrets
+- Never commit real `.env` files.
+- Keep only `.env.example` templates in git.
+- Generate strong secrets before production use:
+  - `JWT_SECRET_KEY` at least 32 characters.
+  - `BIOMETRIC_INGEST_API_KEY` at least 16 characters.
+- In production (`APP_ENV=production`), backend startup now rejects weak default secrets/passwords.
+
+## 2) GitHub repository safety
+- Ensure repository is private if it contains internal business logic.
+- Enable branch protection on `main` (required PR + status checks).
+- Enable GitHub Dependabot alerts and secret scanning.
+- Add repository secrets (for CI/CD), never plaintext in workflow files.
+
+## 3) Docker runtime safety
+- Backend container runs as non-root user.
+- Frontend is served by Nginx with API reverse proxy.
+- Do not expose backend port publicly unless required by your deployment topology.
+- Use HTTPS termination in production (reverse proxy/load balancer).
+
+## 4) Before pushing to remote
+1. Verify `git status` has no real credentials.
+2. Confirm no local DB dumps or key files are staged.
+3. Keep only template values in `.env.example` files.
+4. Rotate any secret that may have been previously committed.
@@ -0,0 +1,13 @@
+venv/
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+*.sqlite3
+.pytest_cache/
+.coverage
+.git
+.gitignore
+.env
+.env.*
+Dockerfile*
@@ -0,0 +1,19 @@
+APP_NAME=HR Management API
+APP_ENV=development
+APP_PORT=8000
+
+DATABASE_URL=sqlite:///./dev.sqlite3
+
+JWT_SECRET_KEY=replace-with-strong-random-secret-min-32-chars
+JWT_ALGORITHM=HS256
+JWT_EXPIRE_MINUTES=60
+
+DEFAULT_ADMIN_EMAIL=admin@company.com
+DEFAULT_ADMIN_PASSWORD=replace-admin-password
+DEFAULT_ADMIN_NAME=System Admin
+DEFAULT_HR_EMAIL=hr@company.com
+DEFAULT_HR_PASSWORD=replace-hr-password
+DEFAULT_HR_NAME=HR Manager
+
+CORS_ORIGINS=http://localhost:5173,http://127.0.0.1:5173,http://localhost:8080
+BIOMETRIC_INGEST_API_KEY=replace-with-strong-random-api-key
@@ -0,0 +1,38 @@
+........                                                                 [100%]
+============================== warnings summary ===============================
+venv\Lib\site-packages\fastapi\routing.py:234: 43 warnings
+  C:\Projects\fastreact\backend\venv\Lib\site-packages\fastapi\routing.py:234: DeprecationWarning: 'asyncio.iscoroutinefunction' is deprecated and slated for removal in Python 3.16; use inspect.iscoroutinefunction() instead
+    is_coroutine = asyncio.iscoroutinefunction(dependant.call)
+
+app\employees\schemas.py:43
+  C:\Projects\fastreact\backend\app\employees\schemas.py:43: PydanticDeprecatedSince20: Support for class-based `config` is deprecated, use ConfigDict instead. Deprecated in Pydantic V2.0 to be removed in V3.0. See Pydantic V2 Migration Guide at https://errors.pydantic.dev/2.12/migration/
+    class EmployeeResponse(EmployeeBase):
+
+app\settings\schemas.py:10
+  C:\Projects\fastreact\backend\app\settings\schemas.py:10: PydanticDeprecatedSince20: Support for class-based `config` is deprecated, use ConfigDict instead. Deprecated in Pydantic V2.0 to be removed in V3.0. See Pydantic V2 Migration Guide at https://errors.pydantic.dev/2.12/migration/
+    class DepartmentResponse(BaseModel):
+
+app\settings\schemas.py:28
+  C:\Projects\fastreact\backend\app\settings\schemas.py:28: PydanticDeprecatedSince20: Support for class-based `config` is deprecated, use ConfigDict instead. Deprecated in Pydantic V2.0 to be removed in V3.0. See Pydantic V2 Migration Guide at https://errors.pydantic.dev/2.12/migration/
+    class CompanyProfileResponse(BaseModel):
+
+app\main.py:40
+  C:\Projects\fastreact\backend\app\main.py:40: DeprecationWarning: 
+          on_event is deprecated, use lifespan event handlers instead.
+  
+          Read more about it in the
+          [FastAPI docs for Lifespan Events](https://fastapi.tiangolo.com/advanced/events/).
+          
+    @app.on_event("startup")
+
+venv\Lib\site-packages\fastapi\applications.py:4495
+  C:\Projects\fastreact\backend\venv\Lib\site-packages\fastapi\applications.py:4495: DeprecationWarning: 
+          on_event is deprecated, use lifespan event handlers instead.
+  
+          Read more about it in the
+          [FastAPI docs for Lifespan Events](https://fastapi.tiangolo.com/advanced/events/).
+          
+    return self.router.on_event(event_type)
+
+-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
+8 passed, 48 warnings in 2.42s
@@ -0,0 +1,38 @@
+.                                                                        [100%]
+============================== warnings summary ===============================
+venv\Lib\site-packages\fastapi\routing.py:234: 43 warnings
+  C:\Projects\fastreact\backend\venv\Lib\site-packages\fastapi\routing.py:234: DeprecationWarning: 'asyncio.iscoroutinefunction' is deprecated and slated for removal in Python 3.16; use inspect.iscoroutinefunction() instead
+    is_coroutine = asyncio.iscoroutinefunction(dependant.call)
+
+app\employees\schemas.py:43
+  C:\Projects\fastreact\backend\app\employees\schemas.py:43: PydanticDeprecatedSince20: Support for class-based `config` is deprecated, use ConfigDict instead. Deprecated in Pydantic V2.0 to be removed in V3.0. See Pydantic V2 Migration Guide at https://errors.pydantic.dev/2.12/migration/
+    class EmployeeResponse(EmployeeBase):
+
+app\settings\schemas.py:10
+  C:\Projects\fastreact\backend\app\settings\schemas.py:10: PydanticDeprecatedSince20: Support for class-based `config` is deprecated, use ConfigDict instead. Deprecated in Pydantic V2.0 to be removed in V3.0. See Pydantic V2 Migration Guide at https://errors.pydantic.dev/2.12/migration/
+    class DepartmentResponse(BaseModel):
+
+app\settings\schemas.py:28
+  C:\Projects\fastreact\backend\app\settings\schemas.py:28: PydanticDeprecatedSince20: Support for class-based `config` is deprecated, use ConfigDict instead. Deprecated in Pydantic V2.0 to be removed in V3.0. See Pydantic V2 Migration Guide at https://errors.pydantic.dev/2.12/migration/
+    class CompanyProfileResponse(BaseModel):
+
+app\main.py:40
+  C:\Projects\fastreact\backend\app\main.py:40: DeprecationWarning: 
+          on_event is deprecated, use lifespan event handlers instead.
+  
+          Read more about it in the
+          [FastAPI docs for Lifespan Events](https://fastapi.tiangolo.com/advanced/events/).
+          
+    @app.on_event("startup")
+
+venv\Lib\site-packages\fastapi\applications.py:4495
+  C:\Projects\fastreact\backend\venv\Lib\site-packages\fastapi\applications.py:4495: DeprecationWarning: 
+          on_event is deprecated, use lifespan event handlers instead.
+  
+          Read more about it in the
+          [FastAPI docs for Lifespan Events](https://fastapi.tiangolo.com/advanced/events/).
+          
+    return self.router.on_event(event_type)
+
+-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
+1 passed, 48 warnings in 0.30s
@@ -0,0 +1,26 @@
+FROM python:3.12-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+RUN apt-get update \
+    ; apt-get install -y --no-install-recommends build-essential \
+    ; rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt ./
+RUN pip install --no-cache-dir --upgrade pip \
+    && pip install --no-cache-dir -r requirements.txt
+
+COPY app ./app
+COPY alembic ./alembic
+COPY alembic.ini ./alembic.ini
+
+RUN useradd --create-home --shell /usr/sbin/nologin appuser \
+    && chown -R appuser:appuser /app
+USER appuser
+
+EXPOSE 8000
+
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]