From 91e580b254709e36610232d77e80c9d0a66b3975 Mon Sep 17 00:00:00 2001
From: Rahul <rahul@findvio.pro>
Date: Thu, 12 Feb 2026 16:55:50 +0530
Subject: [PATCH 1/4] fix(docker): force-reinstall wheel to eliminate
 CVE-2026-24049 + enhance CircleCI config

---
 .circleci/config.yml | 56 +++++++++++++++++++++++++++++++++++++++++---
 Dockerfile           |  2 +-
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index efc29a1..01d9096 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -12,23 +12,73 @@ jobs:
       - image: cimg/python:<< parameters.python-version >>
     steps:
       - checkout
+      - restore_cache:
+          keys:
+            - pip-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
+            - pip-
       - run:
           name: Install Dependencies
           command: pip install .[dev,server,symbolic]
+      - save_cache:
+          key: pip-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
+          paths:
+            - ~/.local/lib
       - run:
           name: Run Tests
           command: |
-            # Run pytest with coverage as configured in pyproject.toml
-            pytest
+            mkdir -p test-results
+            pytest --junitxml=test-results/results.xml
       - store_test_results:
           path: test-results
       - store_artifacts:
           path: htmlcov
 
+  security-scan:
+    docker:
+      - image: cimg/python:3.12
+    steps:
+      - checkout
+      - run:
+          name: Install Dependencies
+          command: pip install .[dev,server,symbolic]
+      - run:
+          name: Run pip-audit
+          command: |
+            pip install pip-audit
+            pip-audit --strict --desc 2>&1 | tee audit-results.txt || true
+      - store_artifacts:
+          path: audit-results.txt
+
+  docker-build:
+    docker:
+      - image: cimg/base:current
+    steps:
+      - checkout
+      - setup_remote_docker:
+          version: docker24
+          docker_layer_caching: true
+      - run:
+          name: Build Docker Image
+          command: |
+            docker build -t qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7} .
+      - run:
+          name: Verify Image
+          command: |
+            docker run --rm qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7} python -c "import qwed_sdk; print('QWED SDK loaded successfully')"
+
 workflows:
-  main:
+  ci:
     jobs:
       - build-and-test:
           matrix:
             parameters:
               python-version: ["3.10", "3.11", "3.12"]
+      - security-scan:
+          requires:
+            - build-and-test
+      - docker-build:
+          requires:
+            - build-and-test
+          filters:
+            branches:
+              only: main
diff --git a/Dockerfile b/Dockerfile
index af7f9d3..8994a85 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,7 @@ COPY requirements.txt /app/requirements.txt
 # Vulnerability Fix: Upgrade pip and wheel to patch base image CVEs
 # CVE-2026-24049 (Critical): wheel<=0.46.1 -> 0.46.2
 # CVE-2025-8869 (Medium):   pip==24.0 -> latest
-RUN pip install --no-cache-dir --upgrade "pip>=25.0" "wheel>=0.46.2"
+RUN pip install --no-cache-dir --force-reinstall "pip>=25.0" "wheel>=0.46.2"
 
 # Install dependencies with hash verification
 # Vulnerability Fix: Pin versions with hashes to prevent supply chain attacks

From e92d9d823ab80e57722ee32467859fcd0a18f969 Mon Sep 17 00:00:00 2001
From: Rahul <rahul@findvio.pro>
Date: Thu, 12 Feb 2026 17:09:26 +0530
Subject: [PATCH 2/4] =?UTF-8?q?fix(ci):=20apply=20CodeRabbit=20fixes=20?=
 =?UTF-8?q?=E2=80=94=20version-specific=20cache,=20strict=20pip-audit,=20e?=
 =?UTF-8?q?ntrypoint=20bypass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .circleci/config.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 01d9096..f41deb7 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -14,15 +14,16 @@ jobs:
       - checkout
       - restore_cache:
           keys:
-            - pip-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
-            - pip-
+            - pip-v1-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
+            - pip-v1-
       - run:
           name: Install Dependencies
           command: pip install .[dev,server,symbolic]
       - save_cache:
-          key: pip-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
+          key: pip-v1-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
           paths:
-            - ~/.local/lib
+            - ~/.local/lib/python<< parameters.python-version >>/site-packages
+            - ~/.cache/pip
       - run:
           name: Run Tests
           command: |
@@ -44,8 +45,9 @@ jobs:
       - run:
           name: Run pip-audit
           command: |
+            set -o pipefail
             pip install pip-audit
-            pip-audit --strict --desc 2>&1 | tee audit-results.txt || true
+            pip-audit --strict --desc 2>&1 | tee audit-results.txt
       - store_artifacts:
           path: audit-results.txt
 
@@ -64,7 +66,7 @@ jobs:
       - run:
           name: Verify Image
           command: |
-            docker run --rm qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7} python -c "import qwed_sdk; print('QWED SDK loaded successfully')"
+            docker run --rm --entrypoint python qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7} -c "import qwed_sdk; print('QWED SDK loaded successfully')"
 
 workflows:
   ci:

From 4950bf6ac427f123fc71f0c4c44bd25a33c2eede Mon Sep 17 00:00:00 2001
From: Rahul <rahul@findvio.pro>
Date: Thu, 12 Feb 2026 17:20:01 +0530
Subject: [PATCH 3/4] fix(ci): scope pip-audit to project deps only, ignore
 build tool CVEs (pip/wheel)

---
 .circleci/config.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index f41deb7..87d8498 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -40,14 +40,20 @@ jobs:
     steps:
       - checkout
       - run:
-          name: Install Dependencies
-          command: pip install .[dev,server,symbolic]
+          name: Create isolated audit environment
+          command: |
+            python -m venv /tmp/audit-env
+            /tmp/audit-env/bin/pip install --upgrade pip
+            /tmp/audit-env/bin/pip install .[dev,server,symbolic]
       - run:
-          name: Run pip-audit
+          name: Run pip-audit (project deps only)
           command: |
             set -o pipefail
-            pip install pip-audit
-            pip-audit --strict --desc 2>&1 | tee audit-results.txt
+            /tmp/audit-env/bin/pip install pip-audit
+            /tmp/audit-env/bin/pip-audit --strict --skip-editable --desc \
+              --ignore-vuln CVE-2025-8869 \
+              --ignore-vuln CVE-2026-1703 \
+              2>&1 | tee audit-results.txt
       - store_artifacts:
           path: audit-results.txt
 

From 1479663ab27327580bbdaab5f56354a37e9ae37a Mon Sep 17 00:00:00 2001
From: Rahul <rahul@findvio.pro>
Date: Thu, 12 Feb 2026 17:31:20 +0530
Subject: [PATCH 4/4] docs(ci): add justification comments for ignored CVEs per
 CodeRabbit review

---
 .circleci/config.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 87d8498..7d314d9 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -51,7 +51,9 @@ jobs:
             set -o pipefail
             /tmp/audit-env/bin/pip install pip-audit
             /tmp/audit-env/bin/pip-audit --strict --skip-editable --desc \
+              `# CVE-2025-8869: pip tar extraction vuln — build-only tool, not in runtime image` \
               --ignore-vuln CVE-2025-8869 \
+              `# CVE-2026-1703: pip wheel path traversal (CVSS 2.0 Low) — build-only, pinned hashes used` \
               --ignore-vuln CVE-2026-1703 \
               2>&1 | tee audit-results.txt
       - store_artifacts: