[Sync] Update project files from source repository (1f83ec3)

.github/.env.base

@@ -235,7 +235,7 @@ REDIS_CACHE_FORCE_PULL=false           # Force pull Redis images even when cache
 # 🪄 MAGE-X CONFIGURATION
 # ================================================================================================
 
-MAGE_X_VERSION=v1.11.0                                        # https://github.com/mrz1836/mage-x/releases
+MAGE_X_VERSION=v1.12.2                                        # https://github.com/mrz1836/mage-x/releases
 MAGE_X_USE_LOCAL=false                                        # Use local version for development
 MAGE_X_CI_SKIP_STEP_SUMMARY=true                              # Skip duplicate test results in step summary (already in test validation summary)
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true                          # Enable auto-discovery of build tags
@@ -293,6 +293,12 @@ GITLEAKS_CONFIG_FILE=
 # Nancy CVE Exclusions (known acceptable vulnerabilities)
 NANCY_EXCLUDES=CVE-2024-38513,CVE-2023-45142
 
+# Govulncheck/Magex CVE Exclusions (known acceptable vulnerabilities)
+# Format: comma-separated CVE IDs (e.g., CVE-2024-38513,CVE-2023-45142)
+# Used by: magex deps:audit (govulncheck) (env or param)
+# Can also be passed via: magex deps:audit exclude=CVE-2024-38513
+MAGE_X_CVE_EXCLUDES=CVE-2024-38513,CVE-2023-45142
+
 # OSS Index Authentication for Nancy (optional)
 # Username (email) for OSS Index authentication - reduces rate limits and provides better vulnerability data
 # Get your API token from: https://ossindex.sonatype.org/user-token

.github/actions/setup-magex/action.yml

@@ -112,6 +112,8 @@ runs:
     - name: ✅ Download MAGE-X binary (remote mode only)
       if: inputs.use-local != 'true' && steps.magex-cache.outputs.cache-hit != 'true'
       shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
       run: |
         echo "⬇️ Cache miss – downloading MAGE-X binary..."
         echo "📋 Downloading MAGE-X version ${{ inputs.magex-version }}..."
@@ -141,18 +143,22 @@ runs:
         VERSION="${{ inputs.magex-version }}"
         CLEAN_VERSION="${VERSION#v}"
 
-        # Build download URL
-        DOWNLOAD_URL="https://github.com/mrz1836/mage-x/releases/download/$VERSION/mage-x_${CLEAN_VERSION}_${OS}_${ARCH}.tar.gz"
-        echo "📥 Downloading from: $DOWNLOAD_URL"
+        # Build asset name and download using gh CLI
+        ASSET_NAME="mage-x_${CLEAN_VERSION}_${OS}_${ARCH}.tar.gz"
+        echo "📥 Downloading asset: $ASSET_NAME from mrz1836/mage-x@$VERSION"
 
         # Download and extract
         TEMP_DIR=$(mktemp -d)
         cd "$TEMP_DIR"
 
-        if curl -fsSL "$DOWNLOAD_URL" -o mage-x.tar.gz; then
+        if gh release download "$VERSION" \
+            --repo mrz1836/mage-x \
+            --pattern "$ASSET_NAME" \
+            --dir .; then
           echo "✅ Download successful"
+          mv "$ASSET_NAME" mage-x.tar.gz
         else
-          echo "❌ Download failed from $DOWNLOAD_URL"
+          echo "❌ Download failed for $ASSET_NAME from mrz1836/mage-x@$VERSION"
           exit 1
         fi
 

.github/workflows/auto-merge-on-approval.yml

@@ -34,10 +34,8 @@ on:
   pull_request:
     types: [ready_for_review, review_request_removed]
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read # Default read-only access to repository contents
-  pull-requests: read # Default read access to pull requests
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 # --------------------------------------------------------------------
 # Concurrency Control
@@ -58,6 +56,8 @@ jobs:
   load-env:
     name: 🌍 Load Environment Variables
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       env-json: ${{ steps.load-env.outputs.env-json }}
     steps:

.github/workflows/codeql-analysis.yml

@@ -18,9 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   analyze:

.github/workflows/dependabot-auto-merge.yml

@@ -30,9 +30,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 # --------------------------------------------------------------------
 # Concurrency Control

.github/workflows/fortress-benchmarks.yml

@@ -87,9 +87,8 @@ on:
         description: "GitHub token for API access"
         required: true
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -98,6 +97,8 @@ jobs:
   benchmark-go:
     name: 🏃 Benchmark (${{ matrix.name }})
     timeout-minutes: ${{ inputs.benchmark-timeout }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false # Continue running other benchmarks if one fails
       matrix: ${{ fromJSON(inputs.benchmark-matrix) }}

.github/workflows/fortress-code-quality.yml

@@ -53,9 +53,8 @@ on:
         description: "GitHub token for API access"
         required: true
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -65,6 +64,8 @@ jobs:
     name: 📊 Govet (Static Analysis)
     if: ${{ inputs.static-analysis-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -210,6 +211,8 @@ jobs:
     timeout-minutes: 20
     if: ${{ inputs.go-lint-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     outputs:
       golangci-lint-version: ${{ steps.golangci-lint-version.outputs.version }}
     steps:
@@ -430,6 +433,8 @@ jobs:
     name: 📐 YAML/JSON Format Validation
     if: ${{ inputs.yaml-lint-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     outputs:
       yamlfmt-version: ${{ steps.yamlfmt-version.outputs.version }}
     steps:

.github/workflows/fortress-completion-finalize.yml

@@ -40,10 +40,8 @@ on:
         description: "Complete assembled report"
         value: ${{ jobs.finalize-report.outputs.report-content }}
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -53,6 +51,9 @@ jobs:
     name: ✅ Finalize Report
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       report-content: ${{ steps.set-output.outputs.content }}
     steps:

.github/workflows/fortress-completion-report.yml

@@ -96,10 +96,8 @@ on:
         type: string
         default: "full"
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -109,6 +107,9 @@ jobs:
     name: 📊 Initialize Report Data
     runs-on: ${{ inputs.primary-runner }}
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       timing-data: ${{ steps.calculate-timing.outputs.timing-json }}
     steps:
@@ -158,6 +159,9 @@ jobs:
     name: 📊 Process Statistics
     needs: initialize-report
     if: always()
+    permissions:
+      contents: read
+      actions: read
     uses: ./.github/workflows/fortress-completion-statistics.yml
     with:
       timing-metrics: ${{ needs.initialize-report.outputs.timing-data }}
@@ -170,6 +174,9 @@ jobs:
     name: 🧪 Process Test Analysis
     needs: initialize-report
     if: always()
+    permissions:
+      contents: read
+      actions: read
     uses: ./.github/workflows/fortress-completion-tests.yml
     with:
       test-suite-result: ${{ inputs.test-suite-result }}
@@ -182,6 +189,9 @@ jobs:
     name: ✅ Finalize Report
     needs: [initialize-report, process-statistics, process-tests]
     if: always()
+    permissions:
+      contents: read
+      actions: read
     uses: ./.github/workflows/fortress-completion-finalize.yml
     with:
       all-inputs: ${{ toJSON(inputs) }}

.github/workflows/fortress-completion-statistics.yml

@@ -41,10 +41,8 @@ on:
         description: "Coverage metrics"
         value: ${{ jobs.process-statistics.outputs.coverage-data }}
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -54,6 +52,9 @@ jobs:
     name: 📊 Process Statistics
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       statistics-markdown: ${{ steps.set-output.outputs.content }}
       cache-data: ${{ steps.process-cache.outputs.cache-metrics }}

.github/workflows/fortress-completion-tests.yml

@@ -38,10 +38,8 @@ on:
         description: "Test failure analysis metrics"
         value: ${{ jobs.analyze-tests.outputs.failure-data }}
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -51,6 +49,9 @@ jobs:
     name: 🧪 Analyze Test Results
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       tests-markdown: ${{ steps.set-output.outputs.content }}
       test-data: ${{ steps.process-tests.outputs.test-metrics }}

.github/workflows/fortress-coverage.yml

@@ -52,10 +52,8 @@ on:
         description: "Codecov token for uploading coverage (required when coverage-provider is codecov)"
         required: false
 
-# Security: Restrictive default permissions with job-level overrides
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -1011,6 +1009,7 @@ jobs:
                     if curl -L -H "Authorization: Bearer $GITHUB_TOKEN" \
                             -H "Accept: application/vnd.github+json" \
                             --connect-timeout 10 --max-time 30 \
+                            --retry 3 --retry-delay 5 --retry-all-errors \
                             "$COVERAGE_ARTIFACTS" -o "base-coverage-artifact.zip" 2>/dev/null; then
 
                       if [[ -s "base-coverage-artifact.zip" ]]; then

.github/workflows/fortress-pre-commit.yml

@@ -41,9 +41,8 @@ on:
         description: "List of checks that were executed"
         value: ${{ jobs.pre-commit.outputs.checks-executed }}
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -53,6 +52,8 @@ jobs:
     name: 🪝 Pre-commit Checks
     if: ${{ inputs.pre-commit-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     outputs:
       pre-commit-version: ${{ steps.pre-commit-version.outputs.version }}
       checks-executed: ${{ steps.run-checks.outputs.executed }}

.github/workflows/fortress-release.yml

@@ -44,9 +44,8 @@ on:
         description: "Slack webhook URL for notifications"
         required: false
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------