Chore/ci consolidation (#105)

* chore: ignore VSCode workspace file

* cleanup: remove duplicated CI workflows and stabilize pipeline

* fix(security): remove hardcoded bind and rely on env host

* feat(observability): add telemetry and test configuration

* ci(railway): add automated docker build and deployment workflow

* docs: cleanup deployment documentation

* style: fix import order for isort/black

* style: fix import order in app/main.py

* fix(api): align root response with tests and harden settings

* fix(security): remove hardcoded 0.0.0.0 default to satisfy bandit B104

* fix(api): align root endpoint response with tests (add features)

* fix(api): stabilize root endpoint and logging lifecycle

* fix(api): align root endpoint response with tests (add features)

* fix(app): remove arguments from setup_logging (CodeQL)

* fix(app): sort imports and finalize main app lifecycle

* fix(lint): satisfy isort import order

* fix(lint): satisfy isort 7 and CodeQL

* chore(lint): configure isort to align with black

* fix(backoffice): correct APIRouter import and routing

* fix(core): stabilize app lifecycle, routing and logging

* chore(lint): configure isort to align with black

* feat(app): implement lifespan management and health check endpoints

* fix: resolve architectural issues - cyclic imports and CodeQL errors

- Refactor app/config.py to ONLY contain Settings class and get_settings()
  - Remove FastAPI app definition and lifespan (moved to main.py)
  - Remove router imports to break circular dependencies
  - Add pydantic extra='ignore' to handle extra env vars

- Update app/utils/logging.py setup_logging() to accept ZERO arguments
  - Read LOG_LEVEL from environment internally
  - Fixes CodeQL error: 'Wrong number of arguments in call to setup_logging'

- Refactor app/main.py as ONLY place for FastAPI app and lifespan
  - Define lifespan() with lazy settings import
  - Call setup_logging() with no arguments
  - Import routers directly (no circular dependencies)
  - Add timestamp to health check endpoint

- Verify routers (operator, backoffice) don't import config or main

Dependency flow: main.py -> config.py, routers (NEVER reverse)

All tests pass (7/7 ✓)
Black + isort formatting applied
CodeQL circular import issues resolved

* fix(tests): configure environment variables for CI tests

- Add pytest-env configuration in pytest.ini with required vars:
  - API_KEY, SECRET_KEY for authentication tests
  - CORS_ORIGINS as JSON array format for pydantic-settings
  - ENVIRONMENT=testing for test environment

- Update .env.test with proper test values
  - Use JSON format for list values: CORS_ORIGINS=["*"]

Fixes test failure in CI:
  - ValueError: API_KEY environment variable is required
  - Tests now pass with mocked environment variables

All tests pass locally: 7/7 ✓

* fix(ci): configure test environment variables properly

- Move env vars from pytest.ini (unsupported) to CI workflow
- Add environment variables directly in ci.yml test step:
  - API_KEY, SECRET_KEY, CORS_ORIGINS, ENVIRONMENT, etc.

- Create app/tests/conftest.py for local testing:
  - Automatically sets test env vars if not present
  - Ensures consistent behavior between local and CI

- Remove invalid 'env' section from pytest.ini
  - pytest-env plugin not needed anymore

Fixes CI error:
  - "ERROR: Unknown config option: env"
  - Tests now have proper environment in both local and CI

All tests pass: 7/7 ✓

* style: format conftest.py with black

Author: Neiland85

.github/workflows/ci.yml

@@ -1,62 +1,47 @@
-name: CI - Quality Checks
+name: CI – Quality Gate
 
 on:
   pull_request:
-    branches: [main]
+    branches: [ main ]
   push:
-    branches:
-      - "feature/**"
+    branches: [ "feature/**" ]
 
 jobs:
-  quality-checks:
+  quality:
     runs-on: ubuntu-latest
     strategy:
-      fail-fast: false
       matrix:
-        python-version: ["3.11", "3.12"]
+        python-version: ["3.11"]
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
 
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Get pip cache dir
-        id: pip-cache
-        run: |
-          echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT
-
-      - name: Cache dependencies
-        uses: actions/cache@v4
-        with:
-          path: ${{ steps.pip-cache.outputs.dir }}
-          key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('**/requirements.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-${{ matrix.python-version }}-
-            ${{ runner.os }}-pip-
-
-      - name: Install dependencies and tools
+      - name: Install dependencies
         run: |
           pip install --upgrade pip
           pip install -r requirements.txt
-          pip install black isort autoflake bandit safety pytest pytest-asyncio pytest-cov
+          pip install black isort bandit safety pytest pytest-asyncio pytest-cov
 
-      - name: Run linters
+      - name: Lint
         run: |
-          echo "--- Running Black ---"
           black --check app
-          echo "--- Running isort ---"
           isort --check-only app
 
-      - name: Run security scans
+      - name: Security scan
         run: |
-          echo "--- Running Bandit ---"
           bandit -r app -ll
-          echo "--- Running Safety ---"
           safety check -r requirements.txt || true
 
-      - name: Run unit tests
-        run: pytest -q --disable-warnings --maxfail=1
+      - name: Run tests
+        env:
+          API_KEY: test-api-key-12345678
+          SECRET_KEY: test-secret-key-87654321
+          CORS_ORIGINS: '["*"]'
+          ENVIRONMENT: testing
+          DEBUG: false
+          LOG_LEVEL: INFO
+        run: pytest -q --disable-warnings --maxfail=1

.github/workflows/deploy.yml

@@ -1,97 +1,38 @@
-name: CD - NeuroBank Deployment (Karpathy Edition)
+name: CD – NeuroBank Deployment
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
 
 jobs:
   deploy:
-    name: Build & Deploy
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
 
     env:
       IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/neurobank:${{ github.sha }}
-      SERVICE_ID: "REPLACE_ME"     # <- luego pones el tuyo
       RAILWAY_API: https://backboard.railway.app/graphql
 
     steps:
+      - uses: actions/checkout@v4
 
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      # ============================================================
-      # A — BUILD DOCKER IMAGE
-      # ============================================================
-      - name: Log in to GHCR
+      - name: Login to GHCR
         run: |
-          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io \
-          echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io \
-            -u "${{ github.actor }}" --password-stdin
+          echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Build Docker image
-        run: |
-          echo "➜ Building Docker image: $IMAGE_NAME"
-          docker build -t $IMAGE_NAME .
+        run: docker build -t $IMAGE_NAME .
 
-      - name: Push Docker image to GHCR
-        run: |
-          echo "➜ Pushing image to GHCR..."
-          docker push $IMAGE_NAME
+      - name: Push Docker image
+        run: docker push $IMAGE_NAME
 
-      # ============================================================
-      # B — TRY RAILWAY CLI (NON-BLOCKING)
-      # ============================================================
-      - name: Try installing Railway CLI
-        id: cli_install
+      # Railway CLI (best-effort)
+      - name: Try Railway CLI
         continue-on-error: true
-        run: |
-          echo "➜ Attempting Railway CLI install…"
-          curl -fsSL https://railway.app/install.sh | sh
-          if command -v railway > /dev/null; then
-            echo "cli=true" >> $GITHUB_OUTPUT
-          else
-            echo "cli=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Deploy using Railway CLI
-        if: steps.cli_install.outputs.cli == 'true'
         env:
           RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
-        continue-on-error: true
         run: |
-          echo "➜ Railway CLI OK → Trying deploy…"
-          railway up --ci || echo "⚠️ CLI deploy failed, continuing with API fallback"
-
-      # ============================================================
-      # C — API FALLBACK DEPLOY (INFALIBLE)
-      # ============================================================
-      - name: Trigger Railway deployment via API (fallback)
-        if: steps.cli_install.outputs.cli == 'false'
-        env:
-          RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
-        run: |
-          echo "⚠️ CLI unavailable → Using API fallback mode."
-          echo "➜ Deploying image: $IMAGE_NAME"
-          
-          curl -X POST "$RAILWAY_API" \
-            -H "Content-Type: application/json" \
-            -H "Authorization: Bearer $RAILWAY_TOKEN" \
-            -d "{
-              \"query\": \"mutation { deployService(input: { serviceId: \\\"$SERVICE_ID\\\", image: \\\"$IMAGE_NAME\\\" }) { id } }\"
-            }"
-
-          echo "✔ Deployment requested successfully via Railway API."
-
-      - name: Final status
-        run: |
-          echo ""
-          echo "-------------------------------------------"
-          echo "   KARPATHY DEPLOY PIPELINE COMPLETED"
-          echo "-------------------------------------------"
-          echo "Image: $IMAGE_NAME"
-          echo "Service: $SERVICE_ID"
-          echo "If Railway falla → tú no fallas."
-          echo "-------------------------------------------"
+          curl -fsSL https://railway.app/install.sh | sh
+          railway up || true

.github/workflows/docker-security.yml

@@ -1,34 +1,27 @@
-name: docker-security
+name: Docker Security (Trivy)
 
 on:
   pull_request:
     branches: [ main ]
-  push:
-    branches: [ main ]
   workflow_dispatch:
 
 jobs:
   trivy:
-    name: Trivy Security
     runs-on: ubuntu-latest
-
     permissions:
       contents: read
       security-events: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - name: Run Trivy vulnerability scanner (fs)
-        uses: aquasecurity/[email protected]
+      - uses: aquasecurity/[email protected]
         with:
-          scan-type: "fs"
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
 
-      - name: Upload SARIF results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
+      - uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy-results.sarif

.github/workflows/lint.yml

@@ -1,29 +1,18 @@
-name: CI - Security Scan
+name: CI – Security Scan
 
 on:
   pull_request:
-    branches: [main]
-  push:
-    branches:
-      - "feature/**"
+    branches: [ main ]
 
 jobs:
   security:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
-      - name: Install security tooling
-        run: pip install bandit safety
-
-      - name: Run Bandit
-        run: bandit -r app -ll
-
-      - name: Dependency vulnerability scan
-        run: safety check -r requirements.txt || true
+      - run: pip install bandit safety
+      - run: bandit -r app -ll
+      - run: safety check -r requirements.txt || true

.github/workflows/security.yml

@@ -1 +1 @@
-3.11.8
+3.12.3