
Commit 129e8b0

Authored by: Bulletdev, github-actions[bot], MichaelPlathanus, dependabot[bot]
rebase (#34)
* fix: solve canvas drag issues
* feat: implement backfill job
* fix: solve risk assessment issue
* feat: implement allowed host for images
* feat: implement additional security test suites
* chore: fix security lab workflow run
* chore: update security workflow run
* chore: update security workflow run
* chore: update database for workflow run
* docs: update readme and cookbooks
* fix: solve sidekiq organization permission issue
* chore: update ruby version for workflow run
* docs: auto-update architecture diagram [skip ci]
* fix: solve diagram workflow run setup
* chore: fix diagram workflow run
* fix: solve diagram router issues
* fix: solve diagram layer issues
* docs: update deployment section with diagram
* docs: update deployment setup and guideline
* fix: update k6 load tests run
* chore: update files reference
* fix: update docker build context
* fix: correct docker build contexts for Coolify
* fix: update docker location for tests
* Add FOSSA status badge to README
* feat: implement additional player stats
* feat(db): add additional feature labels
* feat: implement retry after throttle
* feat: implement codeql analysis
* feat: implement additional security tests
* fix: solve sarif workflow run
* fix: solve null bytes errors + backtrace
* fix: solve invalid statement rescue issue
* feat: implement additional test scenarios
* Fix repository URLs in CONTRIBUTING.md
  Updated GitHub repository URLs in contributing guidelines.
* fix: solve multi-tenant issue
* fix: solve scouting target player policy
  Fix scouting target and bulk sync issues.
* feat: implement additional SQLi tests
* fix: solve semgrep false positive
* fix: solve semgrep inline suppress
* chore: Update Sidekiq descriptions in README.md
* feat: implement additional sec tests
* Delete .pentest/reports/security-audit-2026-03-18.md
* chore: update gitignore
* chore: update cookbooks
* chore: fix production build
* feat: add ai intelligence module
* fix: correct bugs found during test coverage expansion
* test: expand rspec coverage across all modules
* feat: implement internal messenger
* feat: implement mailer contact form
* fix: make mailer conditional
* fix: solve mail logger warning
* feat: implement feedback area
* chore: rubocop linter fix
* feat: implement ticket validation
* feat: implement ticket/support
* fix: solve register issues
* fix: solve regex sem
* chore: brakeman ignore adjust
* feat: implement hire from scouting
* fix: solve dependency issue
* feat(db): implement scrims and inhouse
* feat: implement scrims and inhouse
* fix: solve rails dependency issue
* feat: implement additional active storage test
* feat: implement inhouse
* feat: add scrims feature to production
* fix: solve zeitwerk scrims issues
* fix: solve lobby serializer issue
* chore: reduce code complexity and fix code style
* fix: solve shell issues
* fix: solve remaining linter issues
* chore: improve linter and code coverage
* chore: improve sec. test coverage
* fix: solve remaining linter issues
* fix: solve permission deny issue
* fix: solve nginx conflict
* fix: lobby 404, search indexing in sidekiq, nginx unprivileged
* feat: implement inhouse integration
* fix: solve RIOT ID string parsing
* feat: improve inhouse features
* chore: add custom inflection to zeitwerk
* fix: solve traefik issue in compose
* chore: adjust status page and safe list
* feat: implement realtime scrims chat
* feat: implement result report
* feat: implement scrims live chat popup
* feat: add logo upload for organizations
* feat: add devops management scripts
* fix: solve minor roster mismatches
* fix: adjust team logo serializer
* feat: implement feedback template
* feat: implement arenaBR free agents register
* fix: solve arenaBR CORS issues
* fix: adjust arenaBR CORS
* fix: solve codacy warnings
* feat: improve security lab tests coverage
* fix: solve scrims public lobby display
  Fix lobby for https://scrims.lol
* chore: adjust dependencies
  fix: Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret.
  This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0. The vulnerability is more exploitable on MRI Ruby < 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns.
* feat: implement schedule audit
* feat: implement tournaments module
* docs: auto-update architecture diagram [skip ci]
* fix: solve snyk issue
* fix: solve hash id issue
* fix: remove unused dependencies
* fix: solve pro matches issue
* fix: solve tournament bracket issues
* feat: add team tag to organizations
* fix: solve nightly workflow run issue
* fix: solve bundler mismatch
* fix: solve tournament bracket rules
* fix: solve remaining nightly workflow issues
* chore: adjust bracket generator rule
  Change to the bracket generator. Technical reasons:
  1. Sequential bracket management: the admin releases one round at a time, nothing runs in parallel
  2. Less window for delays to accumulate
  3. Teams know exactly when they will play (no "you may play Friday AND Saturday depending on the result")
  4. The code supports both, but Model 2 is easier to operate in the MVP
* feat: improve connection pooling
* Remove duplicate badges in README.md
  Removed duplicate badges for Codacy and FOSSA.
* feat: implement database test
* feat: implement tier thresholds
* chore: bump version to ruby 3.4.9
* chore: bump version to ruby 3.4.8
* feat: implement target season history
* chore: Update database description
* feat: implement CircuitBreaker + cache layer
* docs: auto-update architecture diagram [skip ci]
* chore: adjust api call to load test scenario
* chore: use local database instead of serverless
* chore: adjust database connection
* fix: solve sidekiq major outage
* feat: implement go riot proxy
* fix: solve mismatch in sync matches
* fix: solve Zeitwerk issue in import matches
* fix: solve heartbeat issue
* feat: add discord duplicated warning
* feat: implement gateway in api workflow
* fix: solve matches scope mismatch
* fix: solve internal schema issue
* fix: solve migrations issue
* fix: adjust schema idempotency
* chore: improve code style
  Fix minor codacy issues.
* chore: adjust rack attack by ip address
* feat: implement mailing and templates
* chore: adjust license and cookbooks
* feat: implement pandascore
* chore: adjust gateway integration
* chore: improve build cache
* feat: implement aud in payload
  The gateway validates jwt.WithAudience("prostaff-riot-gateway") in the Go source; without the aud in the payload it always rejects with 401, regardless of whether the secret is correct.
* feat: implement multi roster
* fix: solve migrations entrypoint
* fix: solve sidekiq healthcheck
* refactor: solve team comparison gaps
* fix: solve period issue in comparison
* fix: solve unscoped player issue
* fix: adjust player policy
* fix: solve org unscoped minor issue
  The uniqueness validations (player_email, riot_puuid, riot_summoner_id) also run without the scope, eliminating the 3x [SECURITY] false positives. CurrentAttributes is thread-safe and is reset automatically at the end of the request.
* fix: solve database port mapping
* chore: improve match details
* fix: solve import to roster issue
  A private class method can only be called without a receiver.
* fix: solve player import to roster issue
  The index shows global targets without excluding signed ones by default. After the import, the org's watchlist is destroyed and the status becomes signed, but the endpoint keeps returning the player.
* refactor: extract MatchFilterQuery, cache invalidation, and security audit fixes
  - Extract match filters/sorting to MatchFilterQuery (app/queries/)
  - Add invalidate_cache helper to Cacheable concern
  - Add after_action cache invalidation on update/destroy in matches, players, tournaments controllers
  - Move paginate inside cache block in MatchesController to avoid unnecessary query on cache hit
  - Fix ScoutingPlayersController N+1: replace global includes with scoped org query after pagination
  - Standardize 6 analytics controllers with before_action :set_player
  - Decompose CompetitiveController#build_role_performance into 3 helpers, remove rubocop:disable
  - Move PERFORMANCE_ROLES constant before private section
  - Fix Semgrep nosemgrep placement in 3 email templates (password_reset x2, welcome)
  - Update README and PRD with 2026-04-21 security audit results (Brakeman 0, Semgrep 0, pentest 0 real findings)
* chore: improve api docs page
  Improve to have a readme.io look and feel.
* fix: solve smtp issue and dead jobs
  1. Sidekiq healthcheck (sidekiq service, before the depends_on)
  2. SMTP vars in both services (api and sidekiq)
* fix: solve scraper match index issue
* fix: solve healthcheck minor issue
* fix: solve semgrep issues
* feat: implement prostaff events phoenix/elixir - real-time Event Bus & WebSocket Hub
* fix: solve req and telemetry issues
* feat: implement pro match details
  Full pre/post game analysis panel.
* docs: auto-update architecture diagram [skip ci]
* docs: improve readability
  Removed redundant architecture section and consolidated module information in README.
* docs: update architecture and dataflow
* fix: solve scouting waitlist issue
  ScoutingWatchlist already had belongs_to :organization; only the other side of the association on Organization was missing, causing System Error undefined method 'scouting_watchlists' for an instance of Organization.
* docs: auto-update architecture diagram [skip ci]
* feat: implement observability
* docs: update changelog
* fix: solve filebeat issue
* fix: solve single-query in the vector builder.
* fix: solve exact match mismatch
* chore: adjust allowed host
* fix: solve sidekiq admin minor issue
* fix: sidekiq session issue
  Rack::Session::Cookie must come before the mount so that Sidekiq::Web has a session available when rendering its pages; without it the login passes Basic Auth but CSRF blocks everything right afterwards.
* fix: solve rack session issue
* chore: adjust sidekiq bypass
  The bypass is safe because /sidekiq is already protected by Rack::Auth::Basic and nobody reaches the assets without authenticating first. The default-src 'none' is correct for the API's JSON endpoints, but makes no sense for a web UI.
* fix: solve sidekiq allowed content
* fix: solve additional sidekiq csp
* fix: solve CSP mismatch for sidekiq
  Sidekiq already injects its own permissive CSP with a nonce; we only need to not overwrite it with the restrictive one.
* fix: solve atomic conflict
* fix: solve setlocal mismatch and upsert
  SET LOCAL only applies inside an explicit transaction; outside one, Postgres silently ignores it. SET without LOCAL changes the timeout for the whole connection (which goes back to the pool after the job, but Sidekiq connections are dedicated, so the effect is the expected one).
* docs: update service links and add observability details
  Updated service links in the README to point to GitHub and added details for observability and monitoring.
* fix: solve pro matches card issues
* docs: Refactor architecture section in README
  Updated architecture section to use details summary format and removed redundant text.
* docs: enhance deployment architecture
  Added internal JWT connections for Router and Sidekiq.
* docs: revise competitive module details and formatting
  Updated competitive module references to include Grid.gg and improved formatting in the README.
* feat: implement ProStaff ML
  Currently at ProStaff I have my own trained AI model for recommendations of the kind "X is better than Y in this context":
  - XGBoost for binary classification (win/loss given the draft + context) on tabular data; trains fast on CPU
  - Matrix Factorization for implicit synergies (similar to what Netflix uses for recommendations); discovers latent relations between champions that raw win rate does not capture
  - Champion embeddings trained on your own history (Word2Vec over pick sequences); our own vector representation, richer than the current vectors based only on average stats
* docs: auto-update architecture diagram [skip ci]
* docs: update to insert ML service
* fix: solve map ML suggestions issue
* docs: add Scraper API and related components
  Added new components for the Scraper API and its associated daemons, including health checks and data enrichment processes.
* docs: Update enrichment descriptions
* docs: update README with Mermaid Live Editor link
* Update README.md
* fix: solve BackfillJob issue
* docs: auto-update architecture diagram [skip ci]
* feat: add competitive name into org
* chore(deps): bump erb from 6.0.2 to 6.0.4 (#31)
  Bumps [erb](https://github.com/ruby/erb) from 6.0.2 to 6.0.4.
  - [Release notes](https://github.com/ruby/erb/releases)
  - [Changelog](https://github.com/ruby/erb/blob/master/NEWS.md)
  - [Commits](ruby/erb@v6.0.2...v6.0.4)
  ---
  updated-dependencies:
  - dependency-name: erb
    dependency-version: 6.0.4
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: Update service links in README.md
* docs: remove duplicated module architecture details
  Removed detailed module descriptions from the README.
* docs: Fix formatting of project entries
* feat: implement team chat
* docs: auto-update architecture diagram [skip ci]
* chore: add FK to avoid conflict
* fix: solve database mismatch
* fix: solve FK issue
* chore: adjust test scheme
* fix: solve team chat websocket issue
* fix: solve messaging channel
* docs: simplify architecture section
  Removed detailed module descriptions from the architecture section.
* fix: solve promatches pagination issue
* docs: auto-update architecture diagram [skip ci]
* docs: simplify architecture section
  Removed detailed module descriptions from the architecture section.
* fix: solve promatches search issue
* docs: auto-update architecture diagram [skip ci]
* fix: solve promatches search issue
* Refactor README to eliminate redundancy
  Removed duplicate architecture section and cleaned up module list.
* feat: implement draft simulator
* docs: auto-update architecture diagram [skip ci]
* fix: solve semgrep inline issues
* fix: solve semgrep deploy alert
* fix: solve Zeitwerk module nesting
* fix: solve array render in draft
* docs: Refactor architecture section in README.md
* fix: solve scrims lobby issue
* refactor: remove fantasy feature
* feat: implement monitoring sources
* feat: implement payment gateway
* fix: solve dependency issue
* fix: solve analytics dashboard issues
* fix: solve linter issues
* fix: solve stack trace audit
* fix: update hostname whitelist
* fix: solve dropdown override in docs
* feat: implement monitoring templates

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Michael D. <michael.silva@plathanus.com.br>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 22c295b commit 129e8b0
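The 401 the commit message attributes to the Go gateway (it validates jwt.WithAudience("prostaff-riot-gateway"), so a token without an aud claim is rejected even when the shared secret is correct) is reproduced below as an added example; this is not the project's code and does not use the gateway's implementation. It is a stdlib-only HS256 mint/verify pair in Ruby that shows the three outcomes side by side: correct secret without aud, correct secret with aud, and wrong secret. The audience string is the one quoted in the commit message; the secret, the issuer/subject values and the names mint_jwt, verify_jwt and demo are constructed for the example.

```ruby
require "openssl"
require "json"

# Added example (not project code): the audience value is the one the commit message
# quotes; the secret, claim values and function names are constructed for illustration.
GATEWAY_AUDIENCE = "prostaff-riot-gateway"

# URL-safe base64 without padding, as JWT requires (RFC 7515 section 2).
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decode; raises ArgumentError on garbage
end

# Mint an HS256 JWT over `claims`. Nothing here adds `aud` on its own, which is the
# point: a caller that forgets the claim gets a token the gateway will refuse.
def mint_jwt(secret, claims)
  header  = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload = b64url_encode(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  signature = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Verify the way a gateway configured with a required audience does:
# structure, algorithm, signature (constant-time), expiry, then aud.
# Returns [:ok, claims] or [:reject, reason]; every :reject maps to a 401.
def verify_jwt(token, secret, expected_aud:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split(".")
  return [:reject, "malformed"] unless sig_b64 && token.count(".") == 2

  header = JSON.parse(b64url_decode(header_b64))
  return [:reject, "unsupported alg"] unless header["alg"] == "HS256"

  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  return [:reject, "bad signature"] unless OpenSSL.secure_compare(b64url_decode(sig_b64), expected)

  claims = JSON.parse(b64url_decode(payload_b64))
  return [:reject, "expired"] if claims["exp"] && claims["exp"].to_i <= now

  # The check the commit message describes: a valid signature is not enough,
  # the token must name this gateway as an audience (string or array form).
  return [:reject, "audience mismatch"] unless Array(claims["aud"]).include?(expected_aud)

  [:ok, claims]
rescue ArgumentError, JSON::ParserError
  [:reject, "malformed"]
end

# Same secret, same signing code; only the presence of `aud` differs between the
# first two tokens. The third shows that a wrong secret fails earlier, at the signature.
def demo(secret = "constructed-shared-secret", now: Time.now.to_i)
  base = { "iss" => "prostaff-api", "sub" => "sidekiq-sync", "exp" => now + 300 }
  missing_aud = mint_jwt(secret, base)
  with_aud    = mint_jwt(secret, base.merge("aud" => GATEWAY_AUDIENCE))
  {
    missing_aud:  verify_jwt(missing_aud, secret, expected_aud: GATEWAY_AUDIENCE, now: now),
    with_aud:     verify_jwt(with_aud, secret, expected_aud: GATEWAY_AUDIENCE, now: now),
    wrong_secret: verify_jwt(with_aud, "some-other-secret", expected_aud: GATEWAY_AUDIENCE, now: now),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |name, (verdict, detail)|
    puts "#{name}: #{verdict} (#{verdict == :ok ? detail['aud'] : detail})"
  end
end
```

The order of checks matters for the symptom described: because the signature is verified first, a token that fails only the audience check is one that was minted with the right secret, which is exactly the "401 regardless of whether the secret is correct" case; logging the reject reason on the gateway side distinguishes it from a key mismatch.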

699 files changed

Lines changed: 67836 additions & 15147 deletions


.brakeman.ignore

Lines changed: 62 additions & 2 deletions
@@ -1,5 +1,25 @@
11
{
22
"ignored_warnings": [
3+
{
4+
"warning_type": "Mass Assignment",
5+
"warning_code": 105,
6+
"fingerprint": "f2fd7351c85e531b66f6444ab8a89071e039b96befcdd5a6f897d3f55bb2d9dd",
7+
"check_name": "PermitAttributes",
8+
"message": "Potentially dangerous key allowed for mass assignment",
9+
"file": "app/modules/players/controllers/players_controller.rb",
10+
"line": 368,
11+
"note": "':role' is a player in-game position (top/jungle/mid/adc/support), not a user access role. riot_puuid and riot_summoner_id were intentionally removed from this permit list."
12+
},
13+
{
14+
"warning_type": "Mass Assignment",
15+
"warning_code": 105,
16+
"fingerprint": "a53e36aea1309fb0af3b08b9d5403838087ed98264a2a158a98adde5f6d496d3",
17+
"check_name": "PermitAttributes",
18+
"message": "Potentially dangerous key allowed for mass assignment",
19+
"file": "app/modules/meta_intelligence/controllers/builds_controller.rb",
20+
"line": 128,
21+
"note": "Explicit permit list — items/runes/item_build_order are game data arrays, not auth/role fields"
22+
},
323
{
424
"warning_type": "Mass Assignment",
525
"warning_code": 105,
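Review bot: the two new PermitAttributes ignores (players_controller.rb line 368 and builds_controller.rb line 128) rest on the premise that `:role` is an in-game position rather than an access role, but an ignore entry only suppresses the finding; it does not constrain the value. The note should say where `role` is validated (for example an inclusion validation against top/jungle/mid/adc/support on the model), so the next reader of this file can confirm the premise instead of trusting the comment. The remark that riot_puuid and riot_summoner_id were removed from the permit list is the right kind of evidence and should stay.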
@@ -29,8 +49,48 @@
2949
"file": "Gemfile.lock",
3050
"line": 224,
3151
"note": "Rails 7.1.x is still secure, will upgrade to 7.2/8.0 in next sprint"
52+
},
53+
{
54+
"warning_type": "SQL Injection",
55+
"warning_code": 0,
56+
"fingerprint": "82553a8da70acefb77b22bab7fb95616b808a9604a23dff455508e0ad77e3107",
57+
"check_name": "SQL",
58+
"message": "Possible SQL injection",
59+
"file": "app/modules/analytics/services/database_metadata_cache_service.rb",
60+
"line": 213,
61+
"note": "False positive — uses parameterized query with $1/$2 placeholders and a separate bindings array"
62+
},
63+
{
64+
"warning_type": "SQL Injection",
65+
"warning_code": 0,
66+
"fingerprint": "8bf697cde545723f2f3d339a8fc87f1cbb80dccb7cc50ea42243ebde2c0d7883",
67+
"check_name": "SQL",
68+
"message": "Possible SQL injection",
69+
"file": "app/modules/search/services/search_service.rb",
70+
"line": 53,
71+
"note": "False positive — IDs from Meilisearch are individually escaped with connection.quote() before interpolation"
72+
},
73+
{
74+
"warning_type": "Mass Assignment",
75+
"warning_code": 105,
76+
"fingerprint": "8273a221da2916071e72130e8e4a184b37aa96df641daff5c11d7069740e2c81",
77+
"check_name": "PermitAttributes",
78+
"message": "Potentially dangerous key allowed for mass assignment",
79+
"file": "app/modules/scouting/controllers/players_controller.rb",
80+
"line": 295,
81+
"note": "':role' is a player in-game position (Top/Mid/ADC/etc), not a user access role"
82+
},
83+
{
84+
"warning_type": "Mass Assignment",
85+
"warning_code": 105,
86+
"fingerprint": "88173572797556fd8d8d2da622fdb463673c0793a9ec10126b1803fc39f04f06",
87+
"check_name": "PermitAttributes",
88+
"message": "Potentially dangerous key allowed for mass assignment",
89+
"file": "app/modules/scouting/controllers/players_controller.rb",
90+
"line": 322,
91+
"note": "':role' is a player in-game position (Top/Mid/ADC/etc), not a user access role"
3292
}
3393
],
34-
"updated": "2025-10-08 00:00:00 +0000",
35-
"brakeman_version": "7.1.0"
94+
"updated": "2026-03-23 00:00:00 +0000",
95+
"brakeman_version": "8.0.4"
3696
}
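Review bot: the Gemfile.lock entry's note "Rails 7.1.x is still secure, will upgrade to 7.2/8.0 in next sprint" is carried over unchanged while `updated` moves from 2025-10-08 to 2026-03-23, so the justification is now months past the sprint it promised; either resolve the upgrade or replace the note with the actual decision and a re-check date. For the search_service.rb SQL ignore, escaping each Meilisearch id with connection.quote() and interpolating is defensible, but if the ids are record primary keys then `where(id: ids)` binds them and the Brakeman finding disappears without an ignore; the database_metadata_cache_service entry ($1/$2 placeholders with a separate bindings array) is a genuine false positive and the note explains it clearly. The two scouting players_controller entries (lines 295 and 322) repeat the `:role` rationale and would benefit from the same pointer to where the value is validated.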

.codacy.yml

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
---
2+
# Codacy analysis configuration
3+
# https://docs.codacy.com/repositories-configure/codacy-configuration-file/
4+
5+
exclude_paths:
6+
# Generated files — cannot be changed by hand
7+
- "Gemfile.lock"
8+
- "db/schema.rb"
9+
10+
# Data migrations — long up/down methods are unavoidable
11+
- "db/migrate/**"
12+
13+
# Load-test scripts — k6 JS syntax (group() callbacks) is valid k6 idiom,
14+
# not a lone-block code smell
15+
- "load_tests/**"
16+
17+
# Architecture diagram generator — standalone maintenance script, not production
18+
- "scripts/update_architecture_diagram.rb"
19+
20+
# Pentest scripts — ShellCheck SC2016 (single-quote expansion) is intentional;
21+
# payloads like '$MONGO_GT' and '`id`' must NOT expand. SC2034 (BASE_URL) is used
22+
# further down in the same script.
23+
- ".pentest/**"
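Review bot: excluding `.pentest/**` wholesale turns off ShellCheck for the payload scripts entirely, not just SC2016 and SC2034. The comment gives good reasons for those two codes, so the narrower fix is a `# shellcheck disable=SC2016,SC2034` directive at the top of the affected scripts (or on the offending lines), which keeps findings such as SC2086 (unquoted expansion) active where a script builds URLs from BASE_URL. The same applies to `load_tests/**`: if the objection is one lone-block rule firing on k6 group() callbacks, disable that rule rather than the directory.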

.env.example

Lines changed: 38 additions & 0 deletions
@@ -81,6 +81,44 @@ PANDASCORE_API_KEY=your_pandascore_api_key_here
8181
PANDASCORE_BASE_URL=https://api.pandascore.co
8282
PANDASCORE_CACHE_TTL=3600
8383

84+
# ===========================================
85+
# ProStaff Scraper Integration
86+
# ===========================================
87+
# Microservice that collects professional match data from LoL Esports + Leaguepedia
88+
# See: https://scraper.prostaff.gg/docs
89+
90+
# Base URL of the scraper API
91+
SCRAPER_API_URL=https://scraper.prostaff.gg
92+
93+
# API key for protected scraper endpoints (sync, enrich status)
94+
# Must match SCRAPER_API_KEY configured on the scraper service
95+
SCRAPER_API_KEY=
96+
97+
# ===========================================
98+
# prostaff-events Integration (Phoenix event bus)
99+
# ===========================================
100+
# Real-time WebSocket hub and event bus. Rails publishes domain events to Redis
101+
# pub/sub (channel: prostaff:events:<org_id>), Phoenix subscribes and broadcasts
102+
# to connected frontend clients.
103+
#
104+
# Leave blank to disable event publishing (events are silently dropped).
105+
# When set, Events::EventPublisher will publish to Redis on every domain event.
106+
#
107+
# Internal JWT secret shared with prostaff-events for service-to-service auth.
108+
# Must match INTERNAL_JWT_SECRET configured in prostaff-events.
109+
PHOENIX_EVENTS_ENABLED=false
110+
PHOENIX_EVENTS_URL=http://localhost:4000
111+
INTERNAL_JWT_SECRET=
112+
113+
# ===========================================
114+
# Sidekiq Web UI (production access)
115+
# ===========================================
116+
# Credentials for /sidekiq dashboard (HTTP Basic Auth).
117+
# Both must be set — UI stays inaccessible if either is blank (safe default).
118+
# Generate password: openssl rand -hex 32
119+
SIDEKIQ_WEB_USER=
120+
SIDEKIQ_WEB_PASSWORD=
121+
84122
# ===========================================
85123
# HashID Configuration (for public URL obfuscation)
86124
# ===========================================
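Review bot: the prostaff-events block is ambiguous about what disables publishing. The comment says "Leave blank to disable event publishing (events are silently dropped)" without naming the variable, while `PHOENIX_EVENTS_ENABLED=false` is also present; state the rule explicitly (for example that publishing requires ENABLED=true and a non-blank INTERNAL_JWT_SECRET), and since dropped events are silent, have Events::EventPublisher log once at boot when it is disabled so a misconfigured production deploy is noticed. INTERNAL_JWT_SECRET and SCRAPER_API_KEY are shared secrets like SIDEKIQ_WEB_PASSWORD but have no generation hint; add the same `openssl rand -hex 32` line so operators do not pick a short value.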

.gitattributes

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
# GitHub linguist configuration
2+
# Hide certain directories from language statistics
3+
4+
# Documentation
5+
/DOCS/** linguist-documentation
6+
/docs-page/** linguist-documentation
7+
/status-page/** linguist-documentation
8+
9+
# Testing
10+
/load_tests/** linguist-documentation
11+
/security_tests/** linguist-documentation
12+
/coverage/** linguist-generated
13+
14+
# Deployment configs
15+
/deploy/** linguist-documentation
16+
/docker/** linguist-documentation
17+
18+
# Generated files
19+
brakeman-report.json linguist-generated
20+
codacyissues.md linguist-generated
21+
diagram.mmd linguist-generated
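Review bot: `/coverage/** linguist-generated` and `brakeman-report.json linguist-generated` imply these artefacts are committed; coverage output and scanner reports are normally regenerated by CI and belong in .gitignore rather than in the tree, where a stale brakeman-report.json can be mistaken for the current state. Also worth a comment in the file: linguist-documentation on /security_tests/** and /load_tests/** only affects GitHub's language statistics and has no effect on what CodeQL or Codacy scan, which is configured separately.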

.github/codeql/codeql-config.yml

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
name: ProStaff API — CodeQL Config
2+
3+
# Queries beyond the default security suite
4+
# security-extended adds: path traversal, SSRF, code injection, regex DoS
5+
queries:
6+
- uses: security-extended
7+
- uses: security-and-quality
8+
9+
# Focus analysis on application code only
10+
paths-ignore:
11+
- vendor/**
12+
- node_modules/**
13+
- load_tests/**
14+
- security_tests/**
15+
- .pentest/**
16+
- db/migrate/**
17+
- db/schema.rb
18+
- db/seeds.rb
19+
- scripts/**
20+
- '**/*.min.js'
21+
- '**/*_spec.rb'
22+
- spec/**
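Review bot: `paths-ignore` drops `db/migrate/**` and `db/seeds.rb` from CodeQL, but migrations are a common home for string-built SQL via `execute`, and seeds often carry default accounts or credentials; both are worth scanning even if they are noisy for the quality suite. Consider keeping them in scope and ignoring only the generated `db/schema.rb`. The header comment also overstates what `security-extended` adds: path injection and code injection queries are already part of the default suite; `security-extended` mainly contributes the lower-precision and lower-severity queries on top, so the comment should say that.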
