Add comprehensive .gitignore and security workflows

.github/WORKFLOWS_BEST_PRACTICES.md

@@ -101,6 +101,18 @@ All workflows follow a consistent structure:
 - **Triggers:** Manual dispatch and weekday schedule
 - **Timeout:** 20 minutes
 
+### dependency-review.yml - Dependency Review
+- **Purpose:** Reviews dependency changes in pull requests for vulnerabilities
+- **Triggers:** Pull requests to master
+- **Timeout:** 10 minutes
+- **Features:** Fails on high/critical vulnerabilities, checks licenses, comments on PR
+
+### codeql.yml - CodeQL Security Analysis
+- **Purpose:** Performs comprehensive security analysis using CodeQL
+- **Triggers:** Push, pull requests, weekly schedule, and manual dispatch
+- **Timeout:** 30 minutes
+- **Features:** Uses security-and-quality queries, automated vulnerability detection
+
 ## Guidelines for Creating New Workflows
 
 When creating a new workflow, ensure you:

.github/workflows/codeql.yml

@@ -0,0 +1,54 @@
+# CodeQL Security Analysis
+# This workflow performs automated security analysis using CodeQL
+name: CodeQL Analysis
+
+on:
+  push:
+    branches: ['master']
+  pull_request:
+    branches: ['master']
+  schedule:
+    # Run at 3:00 AM UTC every Monday
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  analyze:
+    name: Analyze Code
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL supports JavaScript/TypeScript analysis
+        language: ['javascript-typescript']
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use default queries plus security-extended for comprehensive scanning
+          queries: security-and-quality
+
+      # Autobuild attempts to build any compiled languages
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,33 @@
+# Dependency Review Workflow
+# This workflow checks pull requests for dependency changes and alerts on vulnerabilities
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: ['master']
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # Fail the build on critical and high vulnerabilities
+          fail-on-severity: high
+          # Allow licenses that are commonly used in open source
+          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD
+          # Add a comment to the PR with the review results
+          comment-summary-in-pr: on-failure

.gitignore

@@ -143,4 +143,140 @@ Thumbs.db
 
 # Test coverage
 **/coverage/
-.nyc_output/
+.nyc_output/
+
+# Playwright test artifacts
+test-results/
+playwright-report/
+playwright/.cache/
+**/test-results/
+**/playwright-report/
+
+# Build system caches
+.turbo/
+.swc/
+.eslintcache
+.tsbuildinfo
+*.tsbuildinfo
+
+# Next.js specific
+.next/
+out/
+.vercel/
+
+# Yarn Berry specific (already partially covered)
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+# Package manager locks (keep yarn.lock but ignore others)
+package-lock.json
+pnpm-lock.yaml
+
+# Storybook
+storybook-static/
+.storybook-out/
+
+# Webpack
+.webpack/
+webpack-stats.json
+
+# Vite
+.vite/
+
+# Parcel
+.parcel-cache/
+
+# Million Lint (from app-specific gitignore)
+.million/
+
+# Editor backups and temp files
+*.bak
+*.tmp
+*.temp
+*~
+.#*
+\#*\#
+.*.sw[a-z]
+*.un~
+Session.vim
+.netrwhist
+
+# macOS
+.AppleDouble
+.LSOverride
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# Windows
+Desktop.ini
+ehthumbs.db
+ehthumbs_vista.db
+*.stackdump
+$RECYCLE.BIN/
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+*.lnk
+
+# Linux
+.directory
+.Trash-*
+.nfs*
+
+# Logs
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids/
+*.pid
+*.seed
+*.pid.lock
+
+# Optional npm cache directory
+.npm/
+
+# Optional stylelint cache
+.stylelintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# dotenv environment variable files (explicit entries for clarity)
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# Optional Nx cache
+.nx/cache/
+
+# Sentry
+.sentryclirc
+
+# Debug
+debug.log
+debug.*.log