fix(ci): resolve Docker build, coverage deps, and perf script

Author: swadhinbiswas

.env.backup-2026-02-20

@@ -0,0 +1,72 @@
+# OpenCodeHub Configuration Backup Template (Sanitized)
+# This file intentionally contains NO real secrets.
+# If this file existed with credentials in git history, rotate all exposed keys immediately.
+
+HOST=0.0.0.0
+PORT=3000
+SITE_URL=http://localhost:3000
+APP_NAME=OpenCodeHub
+
+# Database
+DATABASE_DRIVER=postgres
+DATABASE_URL=<set-in-runtime>
+
+# Auth
+JWT_SECRET=<generate-with-openssl-rand-base64-32>
+SESSION_SECRET=<generate-with-openssl-rand-base64-32>
+INTERNAL_HOOK_SECRET=<generate-with-openssl-rand-hex-32>
+
+# OAuth
+OAUTH_GOOGLE_CLIENT_ID=
+OAUTH_GOOGLE_CLIENT_SECRET=
+OAUTH_GITHUB_CLIENT_ID=
+OAUTH_GITHUB_CLIENT_SECRET=
+
+# Git
+GIT_REPOS_PATH=./data/repositories
+GIT_SSH_PORT=2222
+GIT_SSH_HOST_KEY=./data/ssh/host_key
+GIT_SSH_URL=ssh://git@localhost:2222
+
+# Storage
+STORAGE_TYPE=local
+STORAGE_PATH=./data/storage
+STORAGE_BUCKET=
+STORAGE_REGION=
+STORAGE_ENDPOINT=
+STORAGE_ACCESS_KEY_ID=
+STORAGE_SECRET_ACCESS_KEY=
+
+# Email
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASSWORD=
+SMTP_FROM=noreply@example.com
+
+# Redis
+REDIS_URL=<set-in-runtime>
+REDIS_CACHE_TTL=3600
+
+# AI
+AI_PROVIDER=openai
+OPENAI_API_KEY=
+ANTHROPIC_API_KEY=
+
+# Logging / Security
+LOG_LEVEL=info
+RATE_LIMIT_ENABLED=true
+RATE_LIMIT_AUTH=5
+RATE_LIMIT_API=100
+RATE_LIMIT_GIT=200
+RATE_LIMIT_GENERAL=60
+RATE_LIMIT_SKIP_DEV=false
+CSRF_SKIP_DEV=false
+
+# Features
+ENABLE_REGISTRATION=true
+ENABLE_WIKI=true
+ENABLE_ISSUES=true
+ENABLE_ACTIONS=true
+ENABLE_PACKAGES=false
+ENABLE_AI_ASSISTANT=true

.githooks/pre-push

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+SCAN_SCRIPT="$ROOT_DIR/scripts/security/pre-push-secret-scan.sh"
+
+if [[ ! -f "$SCAN_SCRIPT" ]]; then
+  echo "[pre-push] secret scan script not found: $SCAN_SCRIPT"
+  echo "[pre-push] blocking push until security hook is restored."
+  exit 1
+fi
+
+RANGES=()
+while read -r local_ref local_sha remote_ref remote_sha; do
+  [[ -z "${local_sha:-}" ]] && continue
+
+  if [[ "$local_sha" =~ ^0+$ ]]; then
+    continue
+  fi
+
+  if [[ "$remote_sha" =~ ^0+$ ]]; then
+    # New branch push: scan a recent commit window ending at local SHA.
+    local_base="${local_sha}~20"
+    if git rev-parse --verify "$local_base" >/dev/null 2>&1; then
+      RANGES+=("${local_base}..${local_sha}")
+    else
+      RANGES+=("${local_sha}")
+    fi
+  else
+    RANGES+=("${remote_sha}..${local_sha}")
+  fi
+done
+
+if [[ ${#RANGES[@]} -eq 0 ]]; then
+  RANGES=("HEAD~20..HEAD")
+fi
+
+bash "$SCAN_SCRIPT" "${RANGES[@]}"

Dockerfile

@@ -3,6 +3,7 @@ WORKDIR /app
 
 # Install dependencies
 FROM base AS deps
+RUN apt-get update && apt-get install -y python3 make g++ gcc libc6-dev && rm -rf /var/lib/apt/lists/*
 COPY package.json bun.lock ./
 RUN bun install --frozen-lockfile