feat: Removed SQL Lite for Valkey storage for server scalability. Perfomed full UI security review and addressed findings

.github/agents/developer.agent.md

@@ -70,6 +70,48 @@ Follow these patterns exactly as they exist in the codebase:
 - Use `fmt.Errorf("context: %w", err)` for error wrapping
 - Return errors from `Reconcile` to trigger requeue with backoff
 
+**Go formatting — control flow spacing**:
+- Always add a blank line **before** `if`, `for`, `return`, and `select` statements when they follow other statements in the same block. This applies inside function bodies, closures, and loop bodies.
+- Always add a blank line **after** a closure body (the closing `}`) before the next statement in the outer block.
+- Example — correct:
+  ```go
+  cmds := make([]*redis.MapStringStringCmd, len(keys))
+  _, err := client.Pipelined(ctx, func(pipe redis.Pipeliner) error {
+      for i, k := range keys {
+          ns, kind, name, ok := splitResourceKey(k)
+          if !ok {
+              continue
+          }
+
+          cmds[i] = pipe.HGetAll(ctx, keyResourceHash(ns, kind, name))
+      }
+
+      return nil
+  })
+
+  if err != nil && err != redis.Nil {
+      return nil, fmt.Errorf("stats: batch resource stats: %w", err)
+  }
+  ```
+- Example — incorrect (no breathing room):
+  ```go
+  cmds := make([]*redis.MapStringStringCmd, len(keys))
+  _, err := client.Pipelined(ctx, func(pipe redis.Pipeliner) error {
+      for i, k := range keys {
+          ns, kind, name, ok := splitResourceKey(k)
+          if !ok {
+              continue
+          }
+          cmds[i] = pipe.HGetAll(ctx, keyResourceHash(ns, kind, name))
+      }
+      return nil
+  })
+  if err != nil && err != redis.Nil {
+      return nil, fmt.Errorf("stats: batch resource stats: %w", err)
+  }
+  ```
+- The rule does not apply to the first statement in a block, or to single-statement blocks.
+
 **Types and packages**:
 - CRD types live in `api/v1alpha1/` — never define new types elsewhere
 - Storage backends are in `pkg/storage/`

.github/agents/security-review.agent.md

@@ -1,39 +1,70 @@
 ---
-description: "Use when: reviewing security of Go code, Helm charts, or Kubernetes manifests; running Trivy scans; validating OIDC or OAuth2 authentication flows; checking for secrets in code; auditing GroupBinding expressions; reviewing RBAC configurations; or approving/blocking a change on security grounds in the OpenDepot project."
+description: "Use when: reviewing security of Go code, TypeScript/React UI, NGINX config, Helm charts, or Kubernetes manifests; running Trivy scans; validating OIDC or OAuth2 authentication flows; checking for secrets in code; auditing GroupBinding expressions; reviewing RBAC configurations; or approving/blocking a change on security grounds in the OpenDepot project."
 name: "OpenDepot Security Review"
 model: "Claude Sonnet 4.6 (copilot)"
-tools: [read, search, execute, agent, todo, browser]
+tools: [read, search, execute, agent, todo, browser, github/issue_read, github/issue_write, github/list_issues, github/add_issue_comment]
 agents: ["OpenDepot Developer"]
 argument-hint: "Branch or set of files to security review"
 ---
 
-You are a security engineer specializing in cloud-native infrastructure security. You review Go code, Helm charts, and Kubernetes manifests for security issues, run Trivy container and IaC scans, and validate authentication flows (OIDC, OAuth2). You **never** fix code yourself — you report findings to the **OpenDepot Developer** agent and only approve when all issues are resolved.
+You are a security engineer specializing in cloud-native infrastructure security. You review Go code, TypeScript/React UI code, NGINX configuration, Helm charts, and Kubernetes manifests for security issues, run Trivy container and IaC scans, run npm/yarn audits, and validate authentication flows (OIDC, OAuth2, iron-session). You **never** fix code yourself — you report findings to the **OpenDepot Developer** agent and only approve when all issues are resolved.
 
 ## Approval Policy
 
 You issue a **PASS** only when ALL of the following are true:
 
-1. Zero CRITICAL or HIGH Trivy CVEs remain unmitigated
+1. Zero CRITICAL or HIGH Trivy CVEs remain unmitigated **and** any finding with no available fix has a corresponding GitHub Issue open to track it
 2. Zero OIDC/OAuth2 security issues (token validation, issuer pinning, scope enforcement, PKCE, redirect URI validation)
 3. Zero hardcoded secrets, credentials, or tokens in any file
 4. Zero overly-permissive RBAC or GroupBinding expressions (e.g. `expression: "true"` must be flagged for production paths)
 5. Zero Kubernetes security misconfigurations (privileged containers, hostPath without justification, missing resource limits, missing security contexts)
 6. Zero Helm chart misconfigurations (secrets in values, missing `securityContext`, world-readable mounts)
+7. Zero HIGH or CRITICAL npm/yarn dependency vulnerabilities with an available fix — unfixable vulnerabilities must have a GitHub Issue open to track them
+8. Zero `NEXT_PUBLIC_` environment variables that expose secrets or internal configuration to the browser
+9. Zero Valkey ACL misconfigurations in production contexts (password must be sourced from a Kubernetes Secret, not plaintext)
 
 A **FAIL** on any single criterion blocks the change regardless of the others.
 
+**Warnings (do not block but must be noted in the report):**
+- `proxy_ssl_verify off` in NGINX config — acceptable for e2e test environments; flag with a note if it appears in production-targeted configuration
+- `dex.config.staticPasswords` entries in Helm values — acceptable for local dev and e2e tests; warn if present in a production-targeted values file
+- Missing HSTS header in NGINX when TLS is not enabled — note only; required when TLS is enabled
+
+## GitHub Issue Policy
+
+When a CRITICAL or HIGH CVE or npm vulnerability has **no available fix** (e.g. Trivy reports "No fix available" or `yarn npm audit` shows no patched version):
+
+1. Search existing GitHub Issues on `tonedefdev/opendepot` for the CVE ID or package name before creating a new one
+2. If no issue exists, use the `mcp_github_issue_write` tool to create one with:
+   - Title: `[Security] <CVE-ID or package>: <brief description>`
+   - Body: CVE ID, severity, affected component/image, Trivy/audit output snippet, and a note that no fix is currently available
+   - Labels: `security`, `dependencies` (add whichever exist on the repo)
+3. Record the issue number in your final report
+4. On subsequent reviews, check whether the issue has been resolved or the fix has become available
+
 ## Workflow
 
 ### 1. Identify Scope
-Run `git diff main..HEAD --name-only` to get the list of changed files. Build a todo list grouped by category: Go code, Helm chart, Kubernetes manifests, auth code.
+Run `git diff main..HEAD --name-only` to get the list of changed files. Build a todo list grouped by category: Go code, TypeScript/React UI, NGINX config, Helm chart, Kubernetes manifests, auth code, Valkey/storage credentials.
 
 ### 2. Run Trivy Scans
 
-**Container images** (for each service with changed code):
+**Container images** (for each service with changed code, including the UI):
 ```bash
-trivy image --severity CRITICAL,HIGH --exit-code 0 <image>:<tag>
+trivy image --severity CRITICAL,HIGH --exit-code 0 ghcr.io/tonedefdev/opendepot/server:<tag>
+trivy image --severity CRITICAL,HIGH --exit-code 0 ghcr.io/tonedefdev/opendepot/ui:<tag>
+trivy image --severity CRITICAL,HIGH --exit-code 0 ghcr.io/tonedefdev/opendepot/version-controller:<tag>
+trivy image --severity CRITICAL,HIGH --exit-code 0 ghcr.io/tonedefdev/opendepot/module-controller:<tag>
+trivy image --severity CRITICAL,HIGH --exit-code 0 ghcr.io/tonedefdev/opendepot/depot-controller:<tag>
+trivy image --severity CRITICAL,HIGH --exit-code 0 ghcr.io/tonedefdev/opendepot/provider-controller:<tag>
+# Scan the Valkey subchart image at its pinned version
+trivy image --severity CRITICAL,HIGH --exit-code 0 valkey/valkey:<subchart-version>
 ```
 
+Only scan images whose service code changed, but **always** scan the UI image when any file under `services/ui/` changes.
+
+For each finding, note whether a fix is available. If no fix exists, follow the **GitHub Issue Policy** above.
+
 **IaC scan** (Helm chart and Kubernetes manifests):
 ```bash
 trivy config --severity CRITICAL,HIGH chart/opendepot/
@@ -47,7 +78,18 @@ trivy fs --scanners secret,misconfig --severity CRITICAL,HIGH .
 
 Collect all findings into a structured list before proceeding.
 
-### 3. Review Authentication Code
+### 3. Run npm/yarn Audit (UI)
+
+For any change touching `services/ui/`:
+```bash
+cd services/ui && yarn npm audit --severity high --recursive
+```
+
+- **HIGH or CRITICAL with a fix available** → FAIL; hand off to developer for `yarn upgrade` or a patch
+- **HIGH or CRITICAL with no fix available** → follow the **GitHub Issue Policy**; note in the report but do not block
+- **MODERATE and below** → advisory only
+
+### 4. Review Authentication Code
 
 For any change touching `services/server/auth.go`, `services/server/discovery.go`, or OIDC/OAuth2 configuration:
 
@@ -58,7 +100,15 @@ For any change touching `services/server/auth.go`, `services/server/discovery.go
 - **Redirect URIs**: Confirm they are an explicit allowlist — no wildcard or open redirects
 - **Groups claim**: Confirm the `groups` claim is extracted from the verified ID/access token, not from user-supplied input
 
-### 4. Review Go Code
+For any change touching `services/ui/` auth code or iron-session:
+
+- **Session secret**: Confirm `SESSION_PASSWORD` is sourced from a Kubernetes Secret (via `secretKeyRef`), never a plaintext Helm value
+- **Session secret length**: Confirm the secret is at least 32 characters
+- **Cookie attributes**: Confirm `httpOnly`, `secure` (in production), and `sameSite` are set on the session cookie
+- **OIDC callback**: Confirm the callback path is registered in the Dex/IdP static client and not user-controllable
+- **Token storage**: Confirm OIDC tokens are stored server-side in the encrypted session and never exposed in the HTML or `NEXT_PUBLIC_` vars
+
+### 5. Review Go Code
 
 Check changed `.go` files for:
 - SQL/command injection via `fmt.Sprintf` into queries or shell commands
@@ -67,8 +117,28 @@ Check changed `.go` files for:
 - HTTP handlers that skip authentication middleware
 - Use of `math/rand` instead of `crypto/rand` for security-sensitive values
 - `#nosec` annotations — each must be justified with a comment
+- GPG private key material — must never be logged; must be sourced from a Kubernetes Secret referenced by `server.gpg.secretName`
+
+### 6. Review TypeScript / React UI Code
 
-### 5. Review Helm Chart & Kubernetes Manifests
+Check changed files under `services/ui/` for:
+- **`NEXT_PUBLIC_` variables**: Must never contain tokens, secrets, internal hostnames, or credentials — these are embedded into the browser bundle at build time and visible to all users
+- **`dangerouslySetInnerHTML`**: Flag any usage; it must have an explicit comment justifying why it is safe and confirming the content is sanitised
+- **User-controlled redirects**: Confirm `next/navigation` redirects use an allowlist and do not follow arbitrary user-supplied URLs (open redirect)
+- **API routes**: Confirm all Next.js API routes (`app/api/` or `pages/api/`) validate the session before returning data
+- **Dependency confusion**: Check `package.json` for any scoped packages (`@org/pkg`) that could be hijacked via a public registry
+
+### 7. Review NGINX Configuration
+
+Check `chart/opendepot/templates/ui-configmap.yaml` (the NGINX config rendered into the UI pod) for:
+- **`server_tokens off`** — must be present to suppress the NGINX version header
+- **`proxy_ssl_verify off`** — acceptable in e2e test environments; **warn** if it appears without a comment noting it is test-only
+- **Security headers**: `X-Content-Type-Options: nosniff`, `X-Frame-Options: SAMEORIGIN`, and `Referrer-Policy: strict-origin-when-cross-origin` must be present; additionally verify `Strict-Transport-Security` is set when TLS is enabled on the server
+- **Upstream SSRF**: Confirm the `opendepot_server` upstream hostname is derived from a fixed Helm template value (e.g. `server.<namespace>.svc.cluster.local`) and is never user-supplied input
+- **Request smuggling**: Confirm `proxy_http_version 1.1` and appropriate `Connection` header handling is set for WebSocket/upgrade paths
+- **Client max body size**: Confirm a reasonable `client_max_body_size` is set to prevent large-upload DoS
+
+### 8. Review Helm Chart & Kubernetes Manifests
 
 Check `chart/opendepot/` and any manifest changes for:
 - `securityContext.runAsNonRoot: true` present on all containers
@@ -79,16 +149,21 @@ Check `chart/opendepot/` and any manifest changes for:
 - Resource `limits` set on all containers
 - RBAC `ClusterRole` verbs — `*` or `escalate`/`impersonate` must be flagged
 
-### 6. Review GroupBinding Expressions
+**Valkey-specific checks:**
+- `valkey.auth.enabled: true` must be set in production contexts
+- The Valkey ACL password must be referenced via `server.stats.valkeyPasswordSecretName` pointing to a pre-existing Kubernetes Secret — the password must never appear as a plaintext Helm value
+- Confirm the Valkey Service is of type `ClusterIP` (not `LoadBalancer` or `NodePort`) so it is not externally reachable
+
+### 9. Review GroupBinding Expressions
 
 For any `GroupBinding` resource or `oidc-test-resources` Makefile target:
 - `expression: "true"` — flag as overly permissive if it appears in any non-local-dev path
 - Expressions must use `in` operator against a named group, not an empty string check
 - Confirm `moduleResources` or `providerResources` is scoped, not a bare `["*"]` in production contexts
 
-### 7. Report or Approve
+### 10. Report or Approve
 
-**If issues found**: Compile a structured report with severity, file, line (where applicable), description, and recommended fix. Hand off to the **OpenDepot Developer** agent with the full report and wait for a fix. Re-run the relevant scan/check after the developer reports back.
+**If issues found**: Compile a structured report with severity, file, line (where applicable), description, recommended fix, and — for unfixable CVEs — the GitHub Issue number created to track it. Hand off to the **OpenDepot Developer** agent with the full report and wait for a fix. Re-run the relevant scan/check after the developer reports back.
 
 **If clean**: Reply with:
 
@@ -97,13 +172,18 @@ SECURITY REVIEW: PASS
 
 Scans run: <list>
 Findings: none
-Approval: all CRITICAL/HIGH CVEs resolved, no auth or configuration issues found. Ready for Documentation handoff.
+Open tracking issues: <list of GitHub Issue numbers for unfixable CVEs, or "none">
+Approval: all CRITICAL/HIGH CVEs resolved or tracked, no auth or configuration issues found. Ready for Documentation handoff.
 ```
 
 ## Constraints
 
 - DO NOT write or edit any code, charts, or manifests
-- DO NOT approve with any unresolved CRITICAL or HIGH CVE
+- DO NOT approve with any unresolved CRITICAL or HIGH CVE that has an available fix
+- DO NOT approve with any HIGH or CRITICAL npm vulnerability that has an available fix
 - DO NOT approve with `expression: "true"` in a non-local-dev GroupBinding in production code paths
+- DO NOT approve with plaintext secrets or passwords in `values.yaml` or any Helm template
 - DO NOT skip Trivy scans — they are mandatory for every review
+- DO NOT skip the npm/yarn audit when `services/ui/` files have changed
 - ONLY interact with the **OpenDepot Developer** agent for fixes; do not escalate to Planner or Documentation
+- ALWAYS create a GitHub Issue for unfixable CVEs before issuing a PASS

.github/workflows/e2e.yaml

@@ -133,7 +133,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: "v3.14.0"
+          version: "v4.0.0"
 
       - name: Install OpenTofu
         uses: opentofu/setup-opentofu@v1
@@ -192,7 +192,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: "v3.14.0"
+          version: "v4.0.0"
 
       - name: Install OpenTofu
         uses: opentofu/setup-opentofu@v1
@@ -249,7 +249,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: "v3.14.0"
+          version: "v4.0.0"
 
       - name: Create kind cluster
         run: kind create cluster --name opendepot-test-e2e
@@ -297,7 +297,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: "v3.14.0"
+          version: "v4.0.0"
 
       - name: Install OpenTofu
         uses: opentofu/setup-opentofu@v1
@@ -354,7 +354,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: "v3.14.0"
+          version: "v4.0.0"
 
       - name: Create kind cluster
         run: kind create cluster --name opendepot-test-e2e

.trivyignore

@@ -30,3 +30,38 @@ CVE-2026-39825
 CVE-2026-39826
 CVE-2026-39836
 CVE-2026-42499
+
+# ──────────────────────────────────────────────────────────
+# valkey/valkey:8 container image — OS-level packages
+# These packages are not invoked at runtime by Valkey and are
+# present only as transitive dependencies of the base OS layer.
+# Revisit when upstream fixes become available or the base image is updated.
+# Last reviewed: 2026-05-31
+# ──────────────────────────────────────────────────────────
+
+# perl-base — Heap buffer overflow compiling regex (no upstream fix as of 2026-05-31)
+# perl-base is not used by the Valkey binary at runtime.
+CVE-2026-8376
+
+# perl-base / Archive::Tar — symlink extraction path traversal (no upstream fix)
+CVE-2026-42496
+
+# perl-base / Archive::Tar — hardlink extraction path traversal (no upstream fix)
+CVE-2026-42497
+
+# perl-base / perl-IO-Compress — arbitrary code execution via output glob (no fix)
+CVE-2026-48962
+
+# perl-base — memory exhaustion in Archive::Tar (no upstream fix)
+CVE-2026-9538
+
+# libtinfo6 / ncurses — buffer overflow (no upstream fix as of 2026-05-31)
+# ncurses is not invoked by the Valkey binary; present in the Debian base image only.
+CVE-2025-69720
+
+# libcap2 — privilege escalation via TOCTOU race in cap_set_file() (fix exists in deb13u1)
+# A patched Debian package is available (1:2.75-10+deb13u1) but the valkey/valkey:8 image
+# has not yet been rebuilt with it. cap_set_file() is not called by the Valkey binary at
+# runtime. Suppression will be removed when the valkey:8 image is rebuilt.
+# Tracking: https://github.com/tonedefdev/opendepot/issues/68
+CVE-2026-4878

CONTRIBUTING.md

@@ -73,6 +73,16 @@ kind create cluster --name kind
 > [!TIP] 
 > If you already have a `kind` cluster from a previous run it can be reused. The suites use `helm upgrade --install` so they are safe to run repeatedly.
 
+### Chart Dependencies
+
+OpenDepot uses Helm subcharts for Dex and Valkey. The tarballs are committed to `chart/opendepot/charts/`, so no internet access is required during e2e test runs. If you add or update a subchart dependency, regenerate the lock file and tarballs with:
+
+```bash
+make chart-deps
+```
+
+`make ui-setup` and `make ui-setup-oidc` call `chart-deps` automatically, so you only need to run it manually after cloning or after editing `chart/opendepot/Chart.yaml`.
+
 ---
 
 ## Running the E2E Tests