sync: upstream convergence 2026-03-02

.env.example

@@ -18,29 +18,24 @@ API_PORT=8000
 LOG_LEVEL=info
 APP_ENV=dev
 JWT_SECRET_KEY=change-me-generate-with-openssl-rand-hex-32
-AUTH_COOKIE_NAME=bracc_session
-AUTH_COOKIE_SECURE=false
-AUTH_COOKIE_SAMESITE=lax
-TRUST_PROXY_HEADERS=false
 INVITE_CODE=
 CORS_ORIGINS=http://localhost:3000
 PRODUCT_TIER=community
 PATTERNS_ENABLED=false
-PUBLIC_MODE=true
+PUBLIC_MODE=false
 PUBLIC_ALLOW_PERSON=false
 PUBLIC_ALLOW_ENTITY_LOOKUP=false
 PUBLIC_ALLOW_INVESTIGATIONS=false
 PATTERN_SPLIT_THRESHOLD_VALUE=80000
 PATTERN_SPLIT_MIN_COUNT=3
-PATTERN_SHARE_THRESHOLD=0.60
+PATTERN_SHARE_THRESHOLD=0.6
 PATTERN_SRP_MIN_ORGS=5
 PATTERN_INEXIG_MIN_RECURRENCE=3
 PATTERN_MAX_EVIDENCE_REFS=50
-SHARE_TOKEN_TTL_HOURS=168
 
 # Frontend (dev only — production uses Caddy reverse proxy with relative paths)
 VITE_API_URL=http://localhost:8000
-VITE_PUBLIC_MODE=true
+VITE_PUBLIC_MODE=false
 VITE_PATTERNS_ENABLED=false
 
 # Optional: Google Cloud (for Base dos Dados / TSE BigQuery)

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
   - name: Security vulnerability report
-    url: https://github.com/World-Open-Graph/br-acc/security/advisories/new
+    url: https://github.com/brunoclz/world-transparency-graph/security/advisories/new
     about: Use GitHub Security Advisories for private vulnerability disclosure.

.github/claude-automerge-policy.json

@@ -10,8 +10,8 @@
     "README.md",
     "CONTRIBUTING.md",
     "frontend/src/**",
-    "api/src/icarus/queries/**",
-    "api/src/icarus/models/**",
+    "api/src/bracc/queries/**",
+    "api/src/bracc/models/**",
     "api/tests/**",
     "etl/tests/**",
     "frontend/src/**/*.test.*"

.github/workflows/publish-release.yml

@@ -23,26 +23,6 @@ on:
         description: "Release title (EN)"
         required: true
         type: string
-      highlights_pt:
-        description: "PT highlights (separate bullets with |)"
-        required: true
-        type: string
-      highlights_en:
-        description: "EN highlights (separate bullets with |)"
-        required: true
-        type: string
-      patterns_included:
-        description: "Comma-separated pattern IDs included in this release (use 'none' if not applicable)"
-        required: true
-        type: string
-      technical_changes_pt:
-        description: "PT technical changes (separate bullets with |)"
-        required: true
-        type: string
-      technical_changes_en:
-        description: "EN technical changes (separate bullets with |)"
-        required: true
-        type: string
 
 permissions:
   contents: write
@@ -124,116 +104,63 @@ jobs:
           COMPARE_URL: ${{ steps.validate.outputs.compare_url }}
           TITLE_PT: ${{ inputs.title_pt }}
           TITLE_EN: ${{ inputs.title_en }}
-          HIGHLIGHTS_PT: ${{ inputs.highlights_pt }}
-          HIGHLIGHTS_EN: ${{ inputs.highlights_en }}
-          PATTERNS_INCLUDED: ${{ inputs.patterns_included }}
-          TECHNICAL_CHANGES_PT: ${{ inputs.technical_changes_pt }}
-          TECHNICAL_CHANGES_EN: ${{ inputs.technical_changes_en }}
         run: |
           set -euo pipefail
           DATE_UTC="$(date -u +"%Y-%m-%d")"
           export DATE_UTC
 
-          python - <<'PY'
-          import json
-          import os
-          from textwrap import dedent
-
-          def split_pipe(raw: str) -> list[str]:
-              normalized = raw.replace("\r\n", "\n").replace("\n", "|")
-              return [item.strip(" -\t") for item in normalized.split("|") if item.strip()]
+          cat > release_notes.md <<NOTES
+          ## PT-BR
 
-          def split_csv(raw: str) -> list[str]:
-              value = raw.strip()
-              if value.lower() in {"none", "n/a", "na", "-"}:
-                  return []
-              return [item.strip() for item in value.split(",") if item.strip()]
+          ${TITLE_PT}
 
-          def bullets(items: list[str], fallback: str) -> str:
-              if not items:
-                  return f"- {fallback}"
-              return "\n".join(f"- {item}" for item in items)
+          ### Escopo
+          - Release publicada por marco.
+          - Mudanças detalhadas por categorias no histórico desta versão.
 
-          highlights_pt = split_pipe(os.environ["HIGHLIGHTS_PT"])
-          highlights_en = split_pipe(os.environ["HIGHLIGHTS_EN"])
-          technical_changes_pt = split_pipe(os.environ["TECHNICAL_CHANGES_PT"])
-          technical_changes_en = split_pipe(os.environ["TECHNICAL_CHANGES_EN"])
-          patterns = split_csv(os.environ["PATTERNS_INCLUDED"])
+          ### Integridade pública
+          Os sinais e padrões refletem coocorrências em bases públicas e não constituem prova legal.
 
-          release_notes = dedent(
-              f"""
-              ## PT-BR
+          ## EN
 
-              {os.environ["TITLE_PT"]}
+          ${TITLE_EN}
 
-              ### Escopo
-              - Release publicada por marco.
-              - Mudanças listadas de forma específica para facilitar auditoria pública.
+          ### Scope
+          - Milestone-based release publication.
+          - Detailed changes grouped by category in this version history.
 
-              ### Destaques
-              {bullets(highlights_pt, "Sem destaques declarados.")}
+          ### Public integrity
+          Signals and patterns reflect co-occurrence in public records and are not legal proof.
 
-              ### Padrões incluídos
-              {bullets(patterns, "Sem novos padrões nesta release.")}
+          ## Compatibility
 
-              ### Mudanças técnicas
-              {bullets(technical_changes_pt, "Sem mudanças técnicas declaradas.")}
+          - Breaking changes: declare explicitly when applicable.
+          - Migration required: declare explicitly when applicable.
 
-              ### Integridade pública
-              Os sinais e padrões refletem coocorrências em bases públicas e não constituem prova legal.
+          ## Compare
 
-              ## EN
+          ${COMPARE_URL}
 
-              {os.environ["TITLE_EN"]}
+          ## Metadata
 
-              ### Scope
-              - Milestone-based release publication.
-              - Changes are listed explicitly for public traceability.
+          - Version: ${VERSION}
+          - Target SHA: ${TARGET_SHA}
+          - Previous tag: ${PREVIOUS_TAG}
+          - Date (UTC): ${DATE_UTC}
+          NOTES
 
-              ### Highlights
-              {bullets(highlights_en, "No highlights declared.")}
-
-              ### Included patterns
-              {bullets(patterns, "No new patterns in this release.")}
-
-              ### Technical changes
-              {bullets(technical_changes_en, "No technical changes declared.")}
-
-              ### Public integrity
-              Signals and patterns reflect co-occurrence in public records and are not legal proof.
-
-              ## Compatibility
-
-              - Breaking changes: none declared.
-              - Migration required: no.
-
-              ## Compare
-
-              {os.environ.get("COMPARE_URL", "")}
-
-              ## Metadata
-
-              - Version: {os.environ["VERSION"]}
-              - Target SHA: {os.environ["TARGET_SHA"]}
-              - Previous tag: {os.environ["PREVIOUS_TAG"]}
-              - Date (UTC): {os.environ.get("DATE_UTC", "")}
-              """
-          ).strip() + "\n"
-
-          with open("release_notes.md", "w", encoding="utf-8") as fh:
-              fh.write(release_notes)
+          python - <<'PY'
+          import json
+          import os
 
           payload = {
               "version": os.environ["VERSION"],
               "date": os.environ.get("DATE_UTC", ""),
-              "highlights_pt": highlights_pt,
-              "highlights_en": highlights_en,
+              "highlights_pt": [os.environ["TITLE_PT"]],
+              "highlights_en": [os.environ["TITLE_EN"]],
               "api_changes": [],
               "data_changes": [],
               "privacy_compliance_changes": [],
-              "patterns_included": patterns,
-              "technical_changes_pt": technical_changes_pt,
-              "technical_changes_en": technical_changes_en,
               "breaking_changes": False,
               "migration_required": False,
               "compare_url": os.environ.get("COMPARE_URL", ""),

.github/workflows/security.yml

@@ -6,18 +6,10 @@ on:
   pull_request:
     branches: [main]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
 jobs:
   gitleaks:
     name: Gitleaks
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
         with:
@@ -37,7 +29,6 @@ jobs:
   bandit:
     name: Bandit (Python)
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
 
@@ -57,7 +48,6 @@ jobs:
   pip-audit:
     name: Pip Audit (Python deps)
     runs-on: ubuntu-latest
-    timeout-minutes: 20
     steps:
       - uses: actions/checkout@v4
 
@@ -69,14 +59,6 @@ jobs:
         with:
           python-version: "3.12"
 
-      - name: Cache uv
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/uv
-          key: ${{ runner.os }}-uv-security-${{ hashFiles('api/uv.lock', 'etl/uv.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-uv-security-
-
       - name: Export lock-compatible requirement sets
         run: |
           cd api
@@ -93,7 +75,6 @@ jobs:
   public-privacy-gate:
     name: Public Privacy Gate
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
 
@@ -107,7 +88,6 @@ jobs:
   compliance-pack-gate:
     name: Compliance Pack Gate
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
 
@@ -120,9 +100,8 @@ jobs:
 
   public-boundary-gate:
     name: Public Boundary Gate
-    if: vars.PUBLIC_BOUNDARY_GATE_ENABLED == 'true'
+    if: github.repository == 'brunoclz/world-transparency-graph'
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
 
@@ -136,7 +115,6 @@ jobs:
   internal-instruction-boundary:
     name: Internal Instruction Boundary
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
 

.gitignore

@@ -75,7 +75,6 @@ scripts/audit-prompts/
 # Local report artifacts in repository root
 /*.pdf
 /*.html
-gitleaks-report*.json
 
 # Playwright MCP cache
 .playwright-mcp/
@@ -91,7 +90,7 @@ data/tse/
 # Local MCP runtime config (keep example only)
 .mcp.json
 
-# Internal assistant instructions (must never be published)
+# Internal assistant instruction files (must never be published)
 CLAUDE.md
 AGENTS.md
 AGENTS*.md