Merge branch 'release/1.2.0' into main

Release 1.2.0 includes:
- Teams and projects API with OpenAPI schemas, handlers, and tests
- Survey response API improvements
- Client credentials grant for machine-to-machine auth
- Unicode validation for international text
- Pre-release label support in version system
- Comprehensive unit and integration test coverage
- Lint cleanup and staticcheck resolution
- Container security improvements with Chainguard Redis
- OWASP-required patterns for teams/projects OpenAPI spec
- include_in_report field for sub-entity types

Author: ericfitz

.golangci.yml

@@ -3,6 +3,7 @@ version: "2"
 
 linters:
   enable:
+    # Existing linters
     - errcheck
     - govet
     - ineffassign
@@ -11,6 +12,22 @@ linters:
     - gosec
     - misspell
     - unconvert
+    # Bug-catching linters
+    - bodyclose        # HTTP response body closure
+    - nilerr           # nil return when err != nil
+    - nilnesserr       # wrong nil error returned
+    - errorlint        # correct error wrapping (errors.Is/As)
+    - forcetypeassert  # unguarded type assertions
+    - durationcheck    # time.Duration arithmetic bugs
+    - sqlclosecheck    # unclosed sql.Rows/Stmt
+    # Code quality linters
+    - goconst          # repeated string literals
+    - gocritic         # broad bug/style/performance checks
+    - predeclared      # shadowing of builtins
+    - musttag          # missing tags on marshaled structs
+    - sloglint         # consistent slog usage
+    - nolintlint       # validates nolint directives
+    - wastedassign     # assignments never read
   disable:
     - lll
     - revive
@@ -29,6 +46,34 @@ linters:
           - gosec
           - misspell
           - unconvert
+          - bodyclose
+          - nilerr
+          - nilnesserr
+          - errorlint
+          - forcetypeassert
+          - durationcheck
+          - sqlclosecheck
+          - goconst
+          - gocritic
+          - predeclared
+          - musttag
+          - sloglint
+          - nolintlint
+          - wastedassign
+      # forcetypeassert: Test files use unguarded assertions for mock returns and JSON parsing
+      - path: "_test\\.go$"
+        linters:
+          - forcetypeassert
+      # G101: Test files legitimately use hardcoded test credentials
+      - path: "_test\\.go$"
+        linters:
+          - gosec
+        text: "G101:"
+      # G115: Integer overflow conversions are safe in context (test helpers)
+      - path: "_test\\.go$"
+        linters:
+          - gosec
+        text: "G115:"
 
 formatters:
   enable:

.version

@@ -1,5 +1,6 @@
 {
   "major": 1,
-  "minor": 1,
-  "patch": 0
+  "minor": 2,
+  "patch": 0,
+  "prerelease": ""
 }

CLAUDE.md

@@ -335,17 +335,10 @@ TMI uses staticcheck for Go code quality analysis. The project has intentionally
   - Manual edits would be overwritten on next OpenAPI regeneration
   - **Expected behavior**: These warnings are acceptable and should be ignored
 
-- **Auth Handler Functions**: 4 unused functions in auth/handlers.go - left for potential future refactoring:
-  - `setUserHintContext` (line 559)
-  - `exchangeCodeAndGetUser` (line 571)
-  - `createOrGetUser` (line 648)
-  - `generateAndReturnTokens` (line 716)
-
 - **Running Staticcheck**:
   - `staticcheck ./...` - Shows all issues (including expected ones)
   - `staticcheck ./... | grep -v "api/api.go"` - Filter out auto-generated code warnings
-  - **Expected count**: 344 total issues (338 in api/api.go + 6 intentionally unused functions)
-  - **Clean hand-written code**: 19 unused code items were removed for 1.0 release
+  - **Expected count**: 338 issues (all in auto-generated api/api.go)
 
 ## Git & Versioning
 

Dockerfile.redis

@@ -1,226 +1,28 @@
-# Multi-stage distroless Redis build
-# Stage 1: Build environment with Redis compilation
-FROM debian:bookworm-slim AS builder
-
-# Install build dependencies
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential \
-        wget \
-        ca-certificates \
-        gcc \
-        libc6-dev \
-        make \
-        pkg-config \
-        tcl \
-        curl && \
-    # Post-installation security patching for build dependencies
-    apt-get upgrade -y --no-install-recommends && \
-    # Install only security updates for critical packages
-    apt-get install -y --only-upgrade \
-        $(apt list --upgradable 2>/dev/null | grep -E "(security|critical)" | cut -d'/' -f1 || true) && \
-    # Clean package cache to reduce image size and attack surface
-    apt-get autoremove -y && \
-    apt-get autoclean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/cache/apt/* && \
-    # Additional security hardening
-    find /var/log -type f -exec truncate -s 0 {} \; 2>/dev/null || true && \
-    # Remove unnecessary files and documentation
-    rm -rf /usr/share/doc/* /usr/share/man/* /usr/share/info/* /usr/share/locale/*/LC_MESSAGES/*.mo 2>/dev/null || true
-
-# Redis version
-ENV REDIS_VERSION=8.4.0
-ENV REDIS_DOWNLOAD_URL=http://download.redis.io/releases/redis-${REDIS_VERSION}.tar.gz
-ENV REDIS_DOWNLOAD_SHA=TBD
-
-# Download and compile Redis from source
-RUN wget -O redis.tar.gz "$REDIS_DOWNLOAD_URL" && \
-    mkdir -p /usr/src/redis && \
-    tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1 && \
-    rm redis.tar.gz && \
-    cd /usr/src/redis && \
-    make && \
-    make install PREFIX=/redis-build
-
-# Create redis user and set up runtime directory structure
-RUN groupadd -r redis --gid=999 && \
-    useradd -r -g redis --uid=999 --home-dir=/var/lib/redis --shell=/bin/sh redis && \
-    mkdir -p /runtime/usr/local/bin && \
-    mkdir -p /runtime/var/lib/redis && \
-    mkdir -p /runtime/var/log/redis && \
-    mkdir -p /runtime/etc && \
-    # Copy Redis binaries
-    cp /redis-build/bin/redis-server /runtime/usr/local/bin/ && \
-    cp /redis-build/bin/redis-cli /runtime/usr/local/bin/ && \
-    cp /redis-build/bin/redis-benchmark /runtime/usr/local/bin/ && \
-    cp /redis-build/bin/redis-check-aof /runtime/usr/local/bin/ && \
-    cp /redis-build/bin/redis-check-rdb /runtime/usr/local/bin/ && \
-    # Copy required shared libraries
-    mkdir -p /runtime/usr/lib/x86_64-linux-gnu && \
-    mkdir -p /runtime/lib/x86_64-linux-gnu && \
-    ldd /redis-build/bin/redis-server | grep "=> /" | awk '{print $3}' | xargs -I '{}' cp -v '{}' /runtime/usr/lib/x86_64-linux-gnu/ || true && \
-    # Copy essential configuration files
-    cp /etc/passwd /runtime/etc/ && \
-    cp /etc/group /runtime/etc/ && \
-    # Create redis user in runtime passwd
-    echo "redis:x:999:999:Redis administrator:/var/lib/redis:/bin/sh" >> /runtime/etc/passwd && \
-    echo "redis:x:999:" >> /runtime/etc/group && \
-    # Set ownership
-    chown -R 999:999 /runtime/var/lib/redis && \
-    chown -R 999:999 /runtime/var/log/redis && \
-    chmod 755 /runtime/var/lib/redis && \
-    # Create the necessary directories in runtime for Redis
-    mkdir -p /runtime/etc/redis && \
-    chown -R 999:999 /runtime/etc/redis
-
-# Create Redis configuration and entrypoint script
-RUN mkdir -p /scripts && cat > /scripts/redis.conf << 'EOF'
-# Redis configuration for TMI
-port 6379
-bind 0.0.0.0
-protected-mode no
-requirepass ""
-
-# Persistence
-save 900 1
-save 300 10
-save 60 10000
-
-# Logging
-loglevel notice
-logfile /var/log/redis/redis-server.log
-
-# Security
-rename-command FLUSHDB ""
-rename-command FLUSHALL ""
-rename-command DEBUG ""
-
-# Memory management
-maxmemory 256mb
-maxmemory-policy allkeys-lru
-
-# Directories
-dir /var/lib/redis
-
-# Security settings that can be overridden by environment variables
-# These will be updated by the entrypoint script based on environment
-EOF
-
-RUN cat > /scripts/docker-entrypoint.sh << 'EOF'
-#!/bin/sh
-set -e
-
-# Redis configuration
-export REDIS_CONF="${REDIS_CONF:-/etc/redis/redis.conf}"
-export REDIS_DATA_DIR="${REDIS_DATA_DIR:-/var/lib/redis}"
-export REDIS_LOG_DIR="${REDIS_LOG_DIR:-/var/log/redis}"
-
-# Environment variables for configuration
-export REDIS_PASSWORD="${REDIS_PASSWORD:-${REDIS_PASSWORD}}"
-export REDIS_PORT="${REDIS_PORT:-6379}"
-export REDIS_PROTECTED_MODE="${REDIS_PROTECTED_MODE:-yes}"
-export REDIS_DISABLE_COMMANDS="${REDIS_DISABLE_COMMANDS:-FLUSHDB,FLUSHALL,DEBUG}"
-
-# Create directories if they don't exist
-mkdir -p "$REDIS_DATA_DIR"
-mkdir -p "$REDIS_LOG_DIR"
-mkdir -p "$(dirname "$REDIS_CONF")"
-
-# Ensure proper ownership
-chown -R redis:redis "$REDIS_DATA_DIR"
-chown -R redis:redis "$REDIS_LOG_DIR"
-
-# Generate Redis configuration
-cat > "$REDIS_CONF" << EOREDIS
-# Redis configuration for TMI
-port ${REDIS_PORT}
-bind 0.0.0.0
-protected-mode ${REDIS_PROTECTED_MODE}
-
-# Authentication
-$([ -n "$REDIS_PASSWORD" ] && echo "requirepass $REDIS_PASSWORD" || echo "# No password set")
-
-# Persistence
-save 900 1
-save 300 10
-save 60 10000
-
-# Logging
-loglevel notice
-logfile ${REDIS_LOG_DIR}/redis-server.log
-
-# Disable dangerous commands
-$(echo "$REDIS_DISABLE_COMMANDS" | tr ',' '\n' | while read cmd; do
-    [ -n "$cmd" ] && echo "rename-command $cmd \"\""
-done)
-
-# Memory management
-maxmemory 256mb
-maxmemory-policy allkeys-lru
-
-# Directories
-dir ${REDIS_DATA_DIR}
-
-# Additional security
-tcp-keepalive 300
-timeout 0
-tcp-backlog 511
-databases 16
-
-# Slow log
-slowlog-log-slower-than 10000
-slowlog-max-len 128
-
-# Client output buffer limits
-client-output-buffer-limit normal 0 0 0
-client-output-buffer-limit replica 256mb 64mb 60
-client-output-buffer-limit pubsub 32mb 8mb 60
-
-EOREDIS
-
-# Set proper permissions
-chmod 644 "$REDIS_CONF"
-
-# Switch to redis user and start Redis
-echo "Starting Redis with configuration: $REDIS_CONF"
-exec /usr/local/bin/redis-server "$REDIS_CONF"
-EOF
-
-RUN chmod +x /scripts/docker-entrypoint.sh && \
-    chmod +x /scripts/redis.conf
-
-# Stage 2: Distroless runtime with C++ support (required for Redis 8.x)
-FROM gcr.io/distroless/cc-debian12
+# Chainguard Redis build
+FROM cgr.dev/chainguard/redis:latest
 
 # Metadata for tracking
-LABEL security.distroless="true"
+LABEL security.base="chainguard"
 LABEL security.scan-date="AUTO_GENERATED"
 LABEL security.patch-level="minimal-attack-surface"
 LABEL maintainer="TMI Security Team"
-LABEL org.opencontainers.image.title="TMI Redis Distroless"
-LABEL org.opencontainers.image.description="Redis 8.4.0 on distroless base"
-
-# Copy Redis runtime from builder
-COPY --from=builder /runtime/ /
-# Copy configuration and entrypoint
-COPY --from=builder /scripts/docker-entrypoint.sh /docker-entrypoint.sh
-COPY --from=builder /scripts/redis.conf /etc/redis/redis.conf
-
-# Environment variables for Redis
-ENV PATH="/usr/local/bin:$PATH"
-ENV REDIS_VERSION=8.4.0
-
-# Note: Directories are created in the builder stage and copied over
+LABEL org.opencontainers.image.title="TMI Redis Chainguard"
+LABEL org.opencontainers.image.description="Redis on Chainguard secure base"
 
 # Expose Redis port
 EXPOSE 6379
 
 # Health check
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD ["/usr/local/bin/redis-cli", "ping"]
-
-# Use redis user
-USER 999:999
-
-# Set the entrypoint to Redis directly for distroless compatibility
-ENTRYPOINT ["/usr/local/bin/redis-server", "/etc/redis/redis.conf"]
+    CMD ["redis-cli", "ping"]
+
+# Use redis user (Chainguard images already have proper user setup)
+USER redis
+
+# Chainguard Redis images come with built-in entrypoint
+# Pass TMI-specific configuration flags as CMD
+CMD ["--appendonly", "yes", \
+     "--maxmemory", "256mb", \
+     "--maxmemory-policy", "allkeys-lru", \
+     "--bind", "0.0.0.0", \
+     "--protected-mode", "no"]

Dockerfile.server

@@ -24,7 +24,7 @@ COPY . .
 # Note: Oracle support is excluded (requires CGO). To include Oracle, use -tags oracle with CGO_ENABLED=1
 # Chainguard Go image includes git, so git commands will work
 RUN CGO_ENABLED=0 GOOS=linux go build \
-    -ldflags "-s -w -X github.com/ericfitz/tmi/api.VersionMajor=0 -X github.com/ericfitz/tmi/api.VersionMinor=9 -X github.com/ericfitz/tmi/api.VersionPatch=0 -X github.com/ericfitz/tmi/api.GitCommit=$(git rev-parse --short HEAD 2>/dev/null || echo 'development') -X github.com/ericfitz/tmi/api.BuildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+    -ldflags "-s -w -X github.com/ericfitz/tmi/api.VersionMajor=0 -X github.com/ericfitz/tmi/api.VersionMinor=9 -X github.com/ericfitz/tmi/api.VersionPatch=0 -X github.com/ericfitz/tmi/api.VersionPreRelease= -X github.com/ericfitz/tmi/api.GitCommit=$(git rev-parse --short HEAD 2>/dev/null || echo 'development') -X github.com/ericfitz/tmi/api.BuildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
     -trimpath \
     -buildmode=exe \
     -o tmiserver \

Dockerfile.server-oracle

@@ -30,6 +30,7 @@ ARG GIT_COMMIT
 ARG VERSION_MAJOR=1
 ARG VERSION_MINOR=0
 ARG VERSION_PATCH=0
+ARG VERSION_PRERELEASE=""
 
 # Install security patches and required packages
 # This updates all packages to latest patched versions
@@ -100,6 +101,7 @@ RUN CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} go build \
         -X github.com/ericfitz/tmi/api.VersionMajor=${VERSION_MAJOR} \
         -X github.com/ericfitz/tmi/api.VersionMinor=${VERSION_MINOR} \
         -X github.com/ericfitz/tmi/api.VersionPatch=${VERSION_PATCH} \
+        -X github.com/ericfitz/tmi/api.VersionPreRelease=${VERSION_PRERELEASE} \
         -X github.com/ericfitz/tmi/api.GitCommit=${GIT_COMMIT:-development} \
         -X github.com/ericfitz/tmi/api.BuildDate=${BUILD_DATE:-unknown}" \
     -trimpath \