rebase

.brakeman.ignore

@@ -1,5 +1,25 @@
 {
   "ignored_warnings": [
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "f2fd7351c85e531b66f6444ab8a89071e039b96befcdd5a6f897d3f55bb2d9dd",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/modules/players/controllers/players_controller.rb",
+      "line": 368,
+      "note": "':role' is a player in-game position (top/jungle/mid/adc/support), not a user access role. riot_puuid and riot_summoner_id were intentionally removed from this permit list."
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "a53e36aea1309fb0af3b08b9d5403838087ed98264a2a158a98adde5f6d496d3",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/modules/meta_intelligence/controllers/builds_controller.rb",
+      "line": 128,
+      "note": "Explicit permit list — items/runes/item_build_order are game data arrays, not auth/role fields"
+    },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 105,
@@ -29,8 +49,48 @@
       "file": "Gemfile.lock",
       "line": 224,
       "note": "Rails 7.1.x is still secure, will upgrade to 7.2/8.0 in next sprint"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "82553a8da70acefb77b22bab7fb95616b808a9604a23dff455508e0ad77e3107",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/modules/analytics/services/database_metadata_cache_service.rb",
+      "line": 213,
+      "note": "False positive — uses parameterized query with $1/$2 placeholders and a separate bindings array"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "8bf697cde545723f2f3d339a8fc87f1cbb80dccb7cc50ea42243ebde2c0d7883",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/modules/search/services/search_service.rb",
+      "line": 53,
+      "note": "False positive — IDs from Meilisearch are individually escaped with connection.quote() before interpolation"
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "8273a221da2916071e72130e8e4a184b37aa96df641daff5c11d7069740e2c81",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/modules/scouting/controllers/players_controller.rb",
+      "line": 295,
+      "note": "':role' is a player in-game position (Top/Mid/ADC/etc), not a user access role"
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "88173572797556fd8d8d2da622fdb463673c0793a9ec10126b1803fc39f04f06",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/modules/scouting/controllers/players_controller.rb",
+      "line": 322,
+      "note": "':role' is a player in-game position (Top/Mid/ADC/etc), not a user access role"
     }
   ],
-  "updated": "2025-10-08 00:00:00 +0000",
-  "brakeman_version": "7.1.0"
+  "updated": "2026-03-23 00:00:00 +0000",
+  "brakeman_version": "8.0.4"
 }

.codacy.yml

@@ -0,0 +1,23 @@
+---
+# Codacy analysis configuration
+# https://docs.codacy.com/repositories-configure/codacy-configuration-file/
+
+exclude_paths:
+  # Generated files — cannot be changed by hand
+  - "Gemfile.lock"
+  - "db/schema.rb"
+
+  # Data migrations — long up/down methods are unavoidable
+  - "db/migrate/**"
+
+  # Load-test scripts — k6 JS syntax (group() callbacks) is valid k6 idiom,
+  # not a lone-block code smell
+  - "load_tests/**"
+
+  # Architecture diagram generator — standalone maintenance script, not production
+  - "scripts/update_architecture_diagram.rb"
+
+  # Pentest scripts — ShellCheck SC2016 (single-quote expansion) is intentional;
+  # payloads like '$MONGO_GT' and '`id`' must NOT expand. SC2034 (BASE_URL) is used
+  # further down in the same script.
+  - ".pentest/**"

.env.example

@@ -81,6 +81,44 @@ PANDASCORE_API_KEY=your_pandascore_api_key_here
 PANDASCORE_BASE_URL=https://api.pandascore.co
 PANDASCORE_CACHE_TTL=3600
 
+# ===========================================
+# ProStaff Scraper Integration
+# ===========================================
+# Microservice that collects professional match data from LoL Esports + Leaguepedia
+# See: https://scraper.prostaff.gg/docs
+
+# Base URL of the scraper API
+SCRAPER_API_URL=https://scraper.prostaff.gg
+
+# API key for protected scraper endpoints (sync, enrich status)
+# Must match SCRAPER_API_KEY configured on the scraper service
+SCRAPER_API_KEY=
+
+# ===========================================
+# prostaff-events Integration (Phoenix event bus)
+# ===========================================
+# Real-time WebSocket hub and event bus. Rails publishes domain events to Redis
+# pub/sub (channel: prostaff:events:<org_id>), Phoenix subscribes and broadcasts
+# to connected frontend clients.
+#
+# Leave blank to disable event publishing (events are silently dropped).
+# When set, Events::EventPublisher will publish to Redis on every domain event.
+#
+# Internal JWT secret shared with prostaff-events for service-to-service auth.
+# Must match INTERNAL_JWT_SECRET configured in prostaff-events.
+PHOENIX_EVENTS_ENABLED=false
+PHOENIX_EVENTS_URL=http://localhost:4000
+INTERNAL_JWT_SECRET=
+
+# ===========================================
+# Sidekiq Web UI (production access)
+# ===========================================
+# Credentials for /sidekiq dashboard (HTTP Basic Auth).
+# Both must be set — UI stays inaccessible if either is blank (safe default).
+# Generate password: openssl rand -hex 32
+SIDEKIQ_WEB_USER=
+SIDEKIQ_WEB_PASSWORD=
+
 # ===========================================
 # HashID Configuration (for public URL obfuscation)
 # ===========================================

.gitattributes

@@ -0,0 +1,21 @@
+# GitHub linguist configuration
+# Hide certain directories from language statistics
+
+# Documentation
+/DOCS/** linguist-documentation
+/docs-page/** linguist-documentation
+/status-page/** linguist-documentation
+
+# Testing
+/load_tests/** linguist-documentation
+/security_tests/** linguist-documentation
+/coverage/** linguist-generated
+
+# Deployment configs
+/deploy/** linguist-documentation
+/docker/** linguist-documentation
+
+# Generated files
+brakeman-report.json linguist-generated
+codacyissues.md linguist-generated
+diagram.mmd linguist-generated

.github/codeql/codeql-config.yml

@@ -0,0 +1,22 @@
+name: ProStaff API — CodeQL Config
+
+# Queries beyond the default security suite
+# security-extended adds: path traversal, SSRF, code injection, regex DoS
+queries:
+  - uses: security-extended
+  - uses: security-and-quality
+
+# Focus analysis on application code only
+paths-ignore:
+  - vendor/**
+  - node_modules/**
+  - load_tests/**
+  - security_tests/**
+  - .pentest/**
+  - db/migrate/**
+  - db/schema.rb
+  - db/seeds.rb
+  - scripts/**
+  - '**/*.min.js'
+  - '**/*_spec.rb'
+  - spec/**