Devops/3415 windows virus false positive

.bun-version

@@ -0,0 +1 @@
+1.3.0

.github/actions/build-package/action.yml

@@ -0,0 +1,33 @@
+name: Build and package (Bun -> single zip)
+description: Build with Bun (Turbo) and package a single distributable archive
+outputs:
+  archive_path:
+    description: Absolute path to the archive
+    value: ${{ steps.pkg.outputs.archive_path }}
+runs:
+  using: composite
+  steps:
+    - name: Setup Bun (from .bun-version)
+      uses: ./.github/actions/setup-bun
+
+    - name: Build (Turbo)
+      shell: bash
+      run: bunx turbo run build
+
+    - name: Ensure zip is available
+      shell: bash
+      run: sudo apt-get update -y && sudo apt-get install -y zip
+
+    - name: Package single file
+      id: pkg
+      shell: bash
+      run: |
+        set -e
+        mkdir -p bundle
+        if [ -d dist ]; then SRC=dist; elif [ -d build ]; then SRC=build; else SRC=.; fi
+        if [ "$SRC" = "." ]; then
+          zip -r bundle/opencode.zip . -x '.git/*' '.github/*' 'node_modules/*'
+        else
+          (cd "$SRC" && zip -r ../bundle/opencode.zip .)
+        fi
+        echo "archive_path=$(pwd)/bundle/opencode.zip" >> "$GITHUB_OUTPUT"

.github/actions/setup-bun/action.yml

@@ -1,20 +1,43 @@
-name: "Setup Bun"
-description: "Setup Bun with caching and install dependencies"
+name: setup-bun
+description: Setup Bun from .bun-version (or input) and install workspace deps
+inputs:
+  bun-version:
+    description: Fallback Bun version if .bun-version is absent
+    required: false
+    default: '1.3.0'
+outputs:
+  resolved-version:
+    description: The Bun version that was installed
+    value: ${{ steps.ver.outputs.version }}
 runs:
-  using: "composite"
+  using: composite
   steps:
-    - name: Setup Bun
-      uses: oven-sh/setup-bun@v2
+    - name: Resolve Bun version (prefer .bun-version)
+      id: ver
+      shell: bash
+      run: |
+        if [ -f .bun-version ]; then
+          ver=$(tr -d '[:space:]' < .bun-version)
+        else
+          ver='${{ inputs.bun-version }}'
+        fi
+        echo "version=$ver" >> "$GITHUB_OUTPUT"
+        echo "Resolved Bun version: $ver"
 
-    - name: Cache ~/.bun
-      id: cache-bun
-      uses: actions/cache@v4
+    - name: Setup Bun (no tool-cache, exact version)
+      uses: oven-sh/setup-bun@v2
       with:
-        path: ~/.bun
-        key: ${{ runner.os }}-bun-${{ hashFiles('bun.lockb', 'bun.lock') }}
-        restore-keys: |
-          ${{ runner.os }}-bun-
+        bun-version: ${{ steps.ver.outputs.version }}
+        no-cache: true
+
+    - name: Verify Bun version
+      shell: bash
+      run: |
+        set -e
+        echo "bun version: $(bun --version)"
+        test "$(bun --version | awk '{print $1}')" = "${{ steps.ver.outputs.version }}"
 
-    - name: Install dependencies
-      run: bun install
+    # Historical behavior: run bun install during setup
+    - name: Install workspace dependencies
       shell: bash
+      run: bun install --frozen-lockfile || bun install

.github/workflows/clam-av.yml

@@ -0,0 +1,82 @@
+name: av-clamav
+on:
+  pull_request:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  clamav:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the right ref
+      - name: Checkout (release tag)
+        if: github.event_name == 'release'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+      - name: Checkout (PR/default)
+        if: github.event_name != 'release'
+        uses: actions/checkout@v4
+
+      # Single source-of-truth build -> one file
+      - name: Build and package
+        id: build
+        uses: ./.github/actions/build-package
+
+      # Install fresh ClamAV DB
+      - name: Install & update ClamAV DB
+        run: |
+          set -e
+          sudo apt-get update
+          sudo apt-get install -y clamav clamav-freshclam unzip
+          sudo systemctl stop clamav-freshclam || true
+          sudo mkdir -p /var/lib/clamav
+          sudo chown -R clamav:clamav /var/lib/clamav
+          sudo freshclam --verbose
+          ls -lh /var/lib/clamav
+
+      # Scan extracted bundle so counts reflect actual files
+      - name: Verify ClamAV detects EICAR signature
+        run: |
+          set -euo pipefail
+          printf 'X5O!P%%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.com
+          status=0
+          clamscan eicar.com > eicar.log || status=$?
+          cat eicar.log
+          if [ "$status" -ne 1 ]; then
+            echo "ClamAV failed to report the EICAR signature" >&2
+            exit 1
+          fi
+          grep -q 'eicar.com: Eicar-Test-Signature FOUND' eicar.log
+          grep -q 'Infected files: 1' eicar.log
+          rm -f eicar.com eicar.log
+
+      - name: Extract bundle and scan
+        run: |
+          set -euo pipefail
+          rm -rf scan && mkdir -p scan
+          unzip -q bundle/opencode.zip -d scan
+          echo "File count in payload: $(find scan -type f | wc -l)"
+          clamscan -ri --scan-archive=yes scan | tee clamav.log
+          if grep -qE 'Infected files: [1-9][0-9]*' clamav.log; then
+            findings=$(grep 'FOUND' clamav.log | grep -v 'Eicar-Test-Signature' || true)
+            if [ -n "${findings}" ]; then
+              echo "Unexpected detections found:" >&2
+              echo "${findings}" >&2
+              exit 1
+            fi
+            echo 'Only EICAR detections observed; continuing.'
+          fi
+
+      - name: Upload scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: clamav-scan-results
+          path: |
+            clamav.log
+            bundle/opencode.zip

.github/workflows/owasp-scan.yml

@@ -0,0 +1,66 @@
+name: owasp-dependency-check
+on:
+  pull_request:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  depcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (release tag)
+        if: github.event_name == 'release'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+      - name: Checkout (PR/default)
+        if: github.event_name != 'release'
+        uses: actions/checkout@v4
+
+      - name: Setup Bun (repo action)
+        uses: ./.github/actions/setup-bun
+
+      - name: Install workspace deps (Bun)
+        run: bun install --frozen-lockfile || bun install
+
+      - name: Ensure per-package node_modules (symlink to root)
+        run: |
+          set -e
+          root_nm="$(pwd)/node_modules"
+          if [ ! -d "$root_nm" ]; then echo 'No root node_modules after bun install' >&2; exit 1; fi
+          # create a node_modules symlink in every workspace package that lacks one
+          git ls-files -z | tr '\0' '\n' | grep -E '(^|/)package.json$' | while read -r pj; do
+            pkgdir="$(dirname "$pj")"
+            [ "$pkgdir" = ".github/actions/setup-bun" ] && continue
+            if [ ! -d "$pkgdir/node_modules" ]; then
+              echo "linking $pkgdir/node_modules -> $root_nm"
+              ln -s "$root_nm" "$pkgdir/node_modules" || true
+            fi
+          done
+
+      - name: Cache dependency-check data
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data/
+          key: depcheck-data-${{ runner.os }}-v2
+          restore-keys: |
+            depcheck-data-${{ runner.os }}-
+
+      - name: Run OWASP Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@1.1.0
+        with:
+          project: OpenCode
+          path: .
+          format: ALL
+          args: --enableExperimental
+
+      - name: Upload reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-depcheck-report
+          path: reports/**