Merge pull request #300 from DeutscheModelUnitedNations/claude/enhance-country-code-input-rQX7L

Author: Strehk

.github/workflows/build_image.yml

@@ -1,11 +1,14 @@
-name: Build and publish container images
+name: Build and publish container image
 
 on:
-  release:
-    types: [published]
   push:
     branches:
-      - main
+      - 'main'
+    tags:
+      - '*'
+  pull_request:
+    branches:
+      - 'main'
 
 jobs:
   build:
@@ -18,8 +21,29 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Set up bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun i --frozen-lockfile
+
+      - name: Run Trivy scanner on fs
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          exit-code: 1
+          format: 'table'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          trivyignores: .trivyignore
+          # don't scan for secrets in PRs
+          scanners: ${{ github.event_name == 'pull_request' && 'vuln,license' || 'vuln,secret,misconfig,license'}}
+
+      # TODO: enable if we also plan on building for ARM natively
+      # - name: Set up QEMU
+      #   uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -44,29 +68,69 @@ jobs:
           flavor: |
             latest=false
           images: |
+            ghcr.io/${{ github.repository }}
             deutschemodelunitednations/chase
-            ghcr.io/${{ github.repository_owner }}/${{ github.repository }}
           tags: |
-            type=raw,value=${{ github.sha }},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+            type=ref,event=branch,suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+            type=ref,event=pr,suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+            type=semver,pattern={{version}},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+            type=semver,pattern={{major}}.{{minor}},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+            type=semver,pattern={{major}},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+            type=raw,value=latest,enable=${{ github.ref_type == 'tag' && matrix.runtime == 'bun' }}
 
-            type=semver,pattern={{version}},value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' }},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        id: build
+        with:
+          context: .
+          load: true
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: ./Dockerfile.${{ matrix.runtime }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            SHA=${{ github.sha }}
 
-            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
-            type=semver,pattern={{major}},value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' && !github.event.release.prerelease }},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' && !github.event.release.prerelease }},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+      - name: Get first built image ref
+        id: split-tags
+        run: echo "fragment=$(echo "${DOCKER_METADATA_OUTPUT_TAGS}" | head -n 1)" >> $GITHUB_OUTPUT
 
-            type=raw,value=prerelease,enable=${{ github.event_name == 'release' && github.event.release.prerelease }},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
-            type=raw,value=nightly,enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }},suffix=${{ matrix.runtime != 'bun' && format('-{0}', matrix.runtime) || '' }}
+      - name: Run Trivy vulnerability scanner on the built image
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ${{ steps.split-tags.outputs.fragment }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          skip-setup-trivy: true
+          trivyignores: .trivyignore
+          scanners: ${{ github.event_name == 'pull_request' && 'vuln' || 'vuln,secret,misconfig'}}
 
-      - name: Build and push Docker image
+      - name: Publish docker image
+        if: github.event_name != 'pull_request'
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
+          # TODO: enable if we also plan on building for ARM natively
           # platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           file: ./Dockerfile.${{ matrix.runtime }}
+          cache-from: type=gha
           build-args: |
-            VERSION=${{ github.event.release.tag_name }}
+            VERSION=${{ github.ref_name }}
             SHA=${{ github.sha }}
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        if: github.ref_type == 'tag' && matrix.runtime == 'bun'
+        with:
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build_run.yml

@@ -0,0 +1,28 @@
+name: i18n Check
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  i18n-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun i --frozen-lockfile
+
+      - name: i18n Check
+        run: bun run i18n:check
+
+      - name: i18n Validate Configuration
+        run: bun run i18n:validate

.github/workflows/i18n.yml

@@ -1,4 +1,4 @@
-name: Lint
+name: Test
 
 on:
   pull_request:
@@ -11,4 +11,5 @@ jobs:
         uses: actions/checkout@v4
       - uses: oven-sh/setup-bun@v2
       - run: bun install
+      - run: bunx svelte-kit sync
       - run: bun run lint

.github/workflows/lint.yml .github/workflows/test.yml.github/workflows/lint.yml renamed to .github/workflows/test.yml

@@ -24,3 +24,6 @@ vite.config.ts.timestamp-*
 
 
 .houdini
+.claude
+
+.lazyi18n

.gitignore

@@ -2,4 +2,6 @@
 package-lock.json
 pnpm-lock.yaml
 yarn.lock
-schema.graphql
+schema.graphql
+.claude/**
+drizzle/meta/**

.prettierignore

@@ -1,15 +1,16 @@
 {
-	"useTabs": true,
-	"singleQuote": true,
-	"trailingComma": "none",
-	"printWidth": 100,
-	"plugins": ["prettier-plugin-svelte", "prettier-plugin-tailwindcss"],
+	"jsonRecursiveSort": true,
 	"overrides": [
 		{
 			"files": "*.svelte",
 			"options": {
 				"parser": "svelte"
 			}
 		}
-	]
+	],
+	"plugins": ["prettier-plugin-tailwindcss", "prettier-plugin-svelte", "prettier-plugin-sort-json"],
+	"printWidth": 100,
+	"singleQuote": true,
+	"trailingComma": "none",
+	"useTabs": true
 }

.prettierrc

@@ -0,0 +1,50 @@
+# Trivy ignore file
+# Add CVE IDs to ignore specific vulnerabilities
+
+# esbuild Go stdlib vulnerabilities (build-time tool only)
+# esbuild is a JS/TS bundler that doesn't use these Go stdlib features
+
+# net/netip: IPv4-mapped IPv6 address parsing - esbuild doesn't do network ops
+CVE-2024-24790
+
+# net/http, x/net/http2: HTTP/2 DoS vulnerabilities - esbuild doesn't serve HTTP
+CVE-2023-39325
+CVE-2023-45288
+
+# filepath: Windows \??\ path prefix - Linux containers only
+CVE-2023-45283
+
+# encoding/gob: nested struct decoding - esbuild doesn't use gob
+CVE-2024-34156
+
+# database/sql: Postgres race condition - esbuild doesn't use databases
+CVE-2025-47907
+
+# archive/tar: GNU sparse map allocation - esbuild doesn't parse tar files
+CVE-2025-58183
+
+# crypto/x509: certificate error string DoS - esbuild doesn't validate certs
+CVE-2025-61729
+
+# Debian system packages - not used by Node.js runtime
+
+# libgnutls30: GnuTLS SAN export - Node.js uses OpenSSL, not GnuTLS
+CVE-2025-32988
+
+# libgnutls30: GnuTLS certtool parsing - certtool not used at runtime
+CVE-2025-32990
+
+# perl-base: CPAN TLS verification - CPAN module installer not used at runtime
+CVE-2023-31484
+
+# TODO: Remove these ignores once fixed
+
+# TODO: glob command injection - Already fixed in bun.lock (10.5.0+)
+# Check: Rebuild Docker image and re-run Trivy scan to confirm fix
+# Remove this ignore once scan passes without it
+CVE-2025-64756
+
+# TODO: glibc setuid/dlopen vulnerability
+# Check: Update base image when Debian 12.12 is released (fixes libc 2.36-9+deb12u11)
+# Remove this ignore once base image is updated
+CVE-2025-4802

.trivyignore

@@ -0,0 +1,97 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+MUNify CHASE (CHAiring SoftwarE) is a conference management application for Model United Nations debates. Built by Deutsche Model United Nations (DMUN) e.V., it provides speakers lists, digital voting, resolution editing, committee status tracking, and roll-call management.
+
+**Tech Stack**: SvelteKit + TypeScript, PostgreSQL + Drizzle ORM, GraphQL (Yoga + Houdini), Tailwind CSS + DaisyUI, Paraglide i18n
+
+**GraphQL Generation**: Uses [Rumble](https://github.com/m1212e/rumble) (`@m1212e/rumble`), a custom glue package that generates GraphQL schemas and resolvers directly from Drizzle ORM definitions with built-in ability-based access control.
+
+## Common Commands
+
+```bash
+# Development
+bun run dev              # Start dev server + Docker containers (database, mock OIDC)
+bun run dev:server       # Dev server only (requires running containers)
+bun run dev:docker       # Docker containers only (add -d for detached)
+
+# Code Quality
+bun run lint             # Prettier check + ESLint
+bun run format           # Auto-format with Prettier
+bun run check            # Svelte type checking
+bun run typecheck        # TypeScript type checking
+
+# Database
+bun run db:push          # Push schema changes to database
+bun run db:migrate       # Run migrations
+bun run db:seed:dev      # Seed test data
+bun run db:studio        # Open Drizzle Studio GUI
+bun run db:reset         # Reset database
+
+# Build
+bun run build            # Production build
+bun run preview          # Preview production build
+```
+
+## Architecture
+
+### API Layer (`src/api/`)
+
+- **`db/schema.ts`**: Drizzle table definitions (source of truth for database)
+- **`db/relations.ts`**: Table relationships for Drizzle queries
+- **`handlers/*.ts`**: GraphQL resolvers using Rumble DSL with ability-based access control
+- **`context.ts`**: Request context with auth and permissions
+- **`services/`**: Business logic (OIDC integration, email validation)
+
+**Handler pattern**: Each handler file defines GraphQL types, access control rules, queries, mutations, and subscriptions for an entity using the Rumble DSL.
+
+### Frontend (`src/lib/`)
+
+- **`components/`**: Svelte 5 components using runes (not stores)
+- **`state/`**: Client-side state (theme, server time sync)
+- **`data/`**: Static data (country names, flags)
+- **`paraglide/`**: Auto-generated i18n code (do not edit)
+
+### Routes (`src/routes/`)
+
+- **`(pages)/`**: Public landing pages
+- **`app/[conferenceId]/`**: Protected conference routes (require auth)
+- **`api/graphql/`**: GraphQL endpoint
+
+### Key Generated Files (do not edit manually)
+
+- `schema.graphql` - Generated GraphQL schema
+- `src/lib/paraglide/` - Generated i18n code
+- `.houdini/` - Generated GraphQL client code
+- `drizzle/` - Generated database migrations
+
+## Conventions
+
+- **IDs**: nanoid with 30 characters, no lookalike chars (see `src/lib/helpers/nanoid.ts`)
+- **Database columns**: snake_case (configured in Drizzle)
+- **i18n**: Messages in `messages/de.json` and `messages/en.json`, auto-translated via `bun run machine-translate`
+- **Styling**: Tailwind CSS with DaisyUI components, DMUN corporate identity package
+
+## Authentication
+
+OIDC-only authentication (no built-in auth). Local development uses mock OIDC server. Configure via:
+
+- `PUBLIC_OIDC_AUTHORITY`: OIDC provider URL
+- `PUBLIC_OIDC_CLIENT_ID`: Application client ID
+- `ADMIN_EMAIL_WHITELIST` / `ADMIN_DOMAIN_WHITELIST`: Admin access control
+
+## Development Setup
+
+Requirements: Docker, Bun, Node.js
+
+```bash
+bun i                    # Install dependencies
+cp .env.example .env     # Configure environment
+bun run dev              # Start everything
+```
+
+Database: `localhost:5432` (postgres/postgres)
+Mock OIDC: `localhost:8080`