chore: merge main into feature/karpathy-lab-init - resolve conflicts

- Accept refactored app/main.py from main
- Include consolidated CI/CD workflows
- Merge architectural improvements and test configurations
- All conflicts resolved

Author: Neiland85

.github/workflows/ci.yml

@@ -0,0 +1,47 @@
+name: CI – Quality Gate
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ "feature/**" ]
+
+jobs:
+  quality:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install black isort bandit safety pytest pytest-asyncio pytest-cov
+
+      - name: Lint
+        run: |
+          black --check app
+          isort --check-only app
+
+      - name: Security scan
+        run: |
+          bandit -r app -ll
+          safety check -r requirements.txt || true
+
+      - name: Run tests
+        env:
+          API_KEY: test-api-key-12345678
+          SECRET_KEY: test-secret-key-87654321
+          CORS_ORIGINS: '["*"]'
+          ENVIRONMENT: testing
+          DEBUG: false
+          LOG_LEVEL: INFO
+        run: pytest -q --disable-warnings --maxfail=1

.github/workflows/deploy.yml

@@ -1,21 +1,38 @@
-name: CD – Deploy to Railway
+name: CD – NeuroBank Deployment
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    env:
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/neurobank:${{ github.sha }}
+      RAILWAY_API: https://backboard.railway.app/graphql
 
     steps:
       - uses: actions/checkout@v4
 
-      - name: Install Railway CLI
+      - name: Login to GHCR
         run: |
-          curl -fsSL https://railway.app/install.sh | sh
+          echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build Docker image
+        run: docker build -t $IMAGE_NAME .
 
-      - name: Deploy to Railway
+      - name: Push Docker image
+        run: docker push $IMAGE_NAME
+
+      # Railway CLI (best-effort)
+      - name: Try Railway CLI
+        continue-on-error: true
         env:
           RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
-        run: railway up --ci
+        run: |
+          curl -fsSL https://railway.app/install.sh | sh
+          railway up || true

.github/workflows/docker-security.yml

@@ -1,34 +1,27 @@
-name: docker-security
+name: Docker Security (Trivy)
 
 on:
   pull_request:
     branches: [ main ]
-  push:
-    branches: [ main ]
   workflow_dispatch:
 
 jobs:
   trivy:
-    name: Trivy Security
     runs-on: ubuntu-latest
-
     permissions:
       contents: read
       security-events: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - name: Run Trivy vulnerability scanner (fs)
-        uses: aquasecurity/[email protected]
+      - uses: aquasecurity/[email protected]
         with:
-          scan-type: "fs"
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
 
-      - name: Upload SARIF results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
+      - uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy-results.sarif

.github/workflows/lint.yml

@@ -2,28 +2,17 @@ name: CI – Security Scan
 
 on:
   pull_request:
-    branches: [main]
-  push:
-    branches:
-      - "feature/**"
+    branches: [ main ]
 
 jobs:
   security:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
-      - name: Install security tooling
-        run: pip install bandit safety
-
-      - name: Run Bandit
-        run: bandit -r app -ll
-
-      - name: Dependency vulnerability scan
-        run: safety check -r requirements.txt || true
+      - run: pip install bandit safety
+      - run: bandit -r app -ll
+      - run: safety check -r requirements.txt || true

.github/workflows/security.yml

@@ -0,0 +1 @@
+3.12.3

.github/workflows/test.yml

@@ -1,50 +1,61 @@
-# NeuroBank FastAPI Toolkit - Production Dockerfile optimized for Railway
-FROM python:3.14-slim
+# ============================================
+# STAGE 1 — BUILDER
+# Compilación limpia, reproducible, sin root
+# ============================================
+FROM python:3.11-slim AS builder
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
 
-# Establecer el directorio de trabajo
 WORKDIR /app
 
-# Instalar dependencias del sistema optimizado para Railway
-RUN apt-get update && apt-get install -y \
-  gcc \
-  curl \
-  && rm -rf /var/lib/apt/lists/* \
-  && apt-get clean
+# Dependencias del sistema mínimas y suficientes
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
 
-# Copiar archivos de dependencias primero para mejor cache de Docker
+# Copiamos dependencias del proyecto
 COPY requirements.txt .
 
-# Instalar dependencias de Python con optimizaciones
-RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
-  pip install --no-cache-dir -r requirements.txt
+# Usamos wheels para maximizar reproducibilidad
+RUN pip install --upgrade pip wheel && \
+    pip wheel --no-cache-dir --no-deps -r requirements.txt -w /wheels
 
-# Copiar el código de la aplicación
-COPY ./app ./app
-COPY lambda_handler.py .
-COPY start.sh .
 
-# Hacer ejecutable el script de inicio
-RUN chmod +x start.sh
+# ============================================
+# STAGE 2 — RUNTIME ULTRALIGHT
+# Cero herramientas innecesarias, zero trust
+# ============================================
+FROM python:3.11-slim AS runtime
 
-# Crear usuario no-root para seguridad y configurar permisos
-RUN groupadd -r appuser && useradd -r -g appuser appuser && \
-  chown -R appuser:appuser /app
-USER appuser
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PATH="/home/appuser/.local/bin:${PATH}"
+
+WORKDIR /app
 
-# Exponer el puerto dinámico de Railway
-EXPOSE $PORT
+# Crear usuario no-root y seguro
+RUN useradd -m appuser
 
-# Configurar variables de entorno optimizadas para Railway
-ENV PYTHONPATH=/app
-ENV PYTHONUNBUFFERED=1
-ENV PYTHONDONTWRITEBYTECODE=1
-ENV PORT=8000
-ENV ENVIRONMENT=production
-ENV WORKERS=1
+# Copiar wheels + instalar sin red
+COPY --from=builder /wheels /wheels
+RUN pip install --no-cache-dir /wheels/*
+
+# Copiamos solo el código (sin tests, sin dev)
+COPY app ./app
+
+# Ajustar permisos
+RUN chown -R appuser:appuser /app
+USER appuser
 
-# Health check específico para Railway con puerto dinámico
-HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 \
-  CMD sh -c 'curl -f http://localhost:$PORT/health || exit 1'
+# ============================================
+# EJECUCIÓN — UVICORN KARPATHIAN MODE
+# ============================================
+EXPOSE 8000
 
-# Comando optimizado para Railway con puerto dinámico
-CMD ["sh", "-c", "uvicorn app.main:app --host 0.0.0.0 --port $PORT --workers 1 --loop uvloop --timeout-keep-alive 120 --access-log"]
+# Workers definidos por CPU (Karpathy-approved)
+CMD ["uvicorn", "app.main:app", \
+     "--host", "0.0.0.0", \
+     "--port", "8000", \
+     "--workers", "2"]