feat: automated upload of .gitea/workflows/ci.yml

### Explanation

_No response_

### Issue

_No response_

### Attestations

- [ ] I have read and agree to the [Code of Conduct](https://docs.nhcarrigan.com/community/coc/)
- [ ] I have read and agree to the [Community Guidelines](https://docs.nhcarrigan.com/community/guide/).
- [ ] My contribution complies with the [Contributor Covenant](https://docs.nhcarrigan.com/dev/covenant/).

### Dependencies

- [ ] I have pinned the dependencies to a specific patch version.

### Style

- [ ] I have run the linter and resolved any errors.
- [ ] My pull request uses an appropriate title, matching the conventional commit standards.
- [ ] My scope of feat/fix/chore/etc. correctly matches the nature of changes in my pull request.

### Tests

- [ ] My contribution adds new code, and I have added tests to cover it.
- [ ] My contribution modifies existing code, and I have updated the tests to reflect these changes.
- [ ] All new and existing tests pass locally with my changes.
- [ ] Code coverage remains at or above the configured threshold.

### Documentation

_No response_

### Versioning

_No response_

Reviewed-on: nhcarrigan/maylin-taryne#2
Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com>
Co-committed-by: Naomi Carrigan <commits@nhcarrigan.com>

.gitea/workflows/ci.yml

@@ -8,23 +8,32 @@ on:
       - main
 
 jobs:
-  lint:
-    name: Lint and Test
+  ci:
+    name: CI
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Source Files
         uses: actions/checkout@v4
 
-      - name: Use Node.js v22
+      - name: Use Node.js v24
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 24
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v2
         with:
           version: 10
 
+      - name: Ensure Dependencies are Pinned
+        uses: naomi-lgbt/dependency-pin-check@main
+        with:
+          language: javascript
+          dev-dependencies: true
+          peer-dependencies: true
+          optional-dependencies: true
+
       - name: Install Dependencies
         run: pnpm install
 

.gitea/workflows/security.yml

@@ -0,0 +1,177 @@
+name: Security Scan and Upload
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security-audit:
+    name: Security & DefectDojo Upload
+    runs-on: ubuntu-latest
+    continue-on-error: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # --- AUTO-SETUP PROJECT ---
+      - name: Ensure DefectDojo Product Exists
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+          PRODUCT_NAME: ${{ github.repository }} 
+          PRODUCT_TYPE_ID: 1 
+        run: |
+          sudo apt-get install jq -y > /dev/null
+          
+          echo "Checking connection to $DD_URL..."
+          
+          # Check if product exists - capture HTTP code to debug connection issues
+          RESPONSE=$(curl --write-out "%{http_code}" --silent --output /tmp/response.json \
+            -H "Authorization: Token $DD_TOKEN" \
+            "$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
+          
+          # If response is not 200, print error
+          if [ "$RESPONSE" != "200" ]; then
+            echo "::error::Failed to query DefectDojo. HTTP Code: $RESPONSE"
+            cat /tmp/response.json
+            exit 1
+          fi
+
+          COUNT=$(cat /tmp/response.json | jq -r '.count')
+          
+          if [ "$COUNT" = "0" ]; then
+            echo "Creating product '$PRODUCT_NAME'..."
+            curl -s -X POST "$DD_URL/api/v2/products/" \
+              -H "Authorization: Token $DD_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d '{ "name": "'"$PRODUCT_NAME"'", "description": "Auto-created by Gitea Actions", "prod_type": '$PRODUCT_TYPE_ID' }'
+          else
+            echo "Product '$PRODUCT_NAME' already exists."
+          fi
+
+      # --- 1. TRIVY (Dependencies & Misconfig) ---
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update && sudo apt-get install trivy -y
+
+      - name: Run Trivy (FS Scan)
+        run: |
+          trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0
+
+      - name: Upload Trivy to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Trivy results..."
+          # Generate today's date in YYYY-MM-DD format
+          TODAY=$(date +%Y-%m-%d)
+          
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Trivy Scan" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@trivy-results.json")
+          
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+            echo "::error::Upload Failed with HTTP $HTTP_CODE"
+            echo "--- SERVER RESPONSE ---"
+            cat response.txt
+            echo "-----------------------"
+            exit 1
+          else
+            echo "Upload Success!"
+          fi
+
+      # --- 2. GITLEAKS (Secrets) ---
+      - name: Install Gitleaks
+        run: |
+          wget -qO gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
+          tar -xzf gitleaks.tar.gz
+          sudo mv gitleaks /usr/local/bin/ && chmod +x /usr/local/bin/gitleaks
+
+      - name: Run Gitleaks
+        run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true
+
+      - name: Upload Gitleaks to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Gitleaks results..."  
+          TODAY=$(date +%Y-%m-%d)
+
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Gitleaks Scan" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@gitleaks-results.json")
+
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+             echo "::error::Upload Failed with HTTP $HTTP_CODE"
+             echo "--- SERVER RESPONSE ---"
+             cat response.txt
+             echo "-----------------------"
+             exit 1
+          else
+             echo "Upload Success!"
+          fi
+
+      # --- 3. SEMGREP (SAST) ---
+      - name: Install Semgrep (via pipx)
+        run: |
+          sudo apt-get install pipx -y
+          pipx install semgrep
+          # Add pipx binary path to GITHUB_PATH so next steps can see 'semgrep'
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run Semgrep
+        run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true
+
+      - name: Upload Semgrep to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Semgrep results..."
+          TODAY=$(date +%Y-%m-%d)
+          
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Semgrep JSON Report" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@semgrep-results.json")
+
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+             echo "::error::Upload Failed with HTTP $HTTP_CODE"
+             echo "--- SERVER RESPONSE ---"
+             cat response.txt
+             echo "-----------------------"
+             exit 1
+          else
+             echo "Upload Success!"
+          fi

.npmrc

@@ -0,0 +1,25 @@
+# Package Manager Configuration
+# Force pnpm usage - breaks npm/yarn intentionally
+node-linker=pnpm
+
+# Security: Disable all lifecycle scripts
+ignore-scripts=true
+enable-pre-post-scripts=false
+
+# Security: Require packages to be 10+ days old before installation
+minimum-release-age=14400
+
+# Security: Verify package integrity hashes
+verify-store-integrity=true
+
+# Security: Enforce strict trust policies
+trust-policy=strict
+
+# Security: Strict peer dependency resolution
+strict-peer-dependencies=true
+
+# Performance: Use symlinks for node_modules
+symlink=true
+
+# Lockfile: Ensure lockfile is not modified during install
+frozen-lockfile=false

package.json

@@ -14,18 +14,18 @@
   "author": "Naomi Carrigan",
   "license": "See license in LICENSE.md",
   "devDependencies": {
-    "@nhcarrigan/eslint-config": "5.1.0",
+    "@nhcarrigan/eslint-config": "5.2.0",
     "@nhcarrigan/typescript-config": "4.0.0",
-    "@types/node": "22.13.1",
-    "@vitest/coverage-istanbul": "3.0.5",
-    "eslint": "9.20.0",
-    "typescript": "5.7.3",
-    "vitest": "3.0.5"
+    "@types/node": "22.15.21",
+    "@vitest/coverage-istanbul": "3.1.4",
+    "eslint": "9.27.0",
+    "typescript": "5.8.3",
+    "vitest": "3.1.4"
   },
   "dependencies": {
-    "@anthropic-ai/sdk": "0.36.3",
+    "@anthropic-ai/sdk": "0.52.0",
     "@nhcarrigan/logger": "1.0.0",
-    "discord.js": "14.18.0",
-    "fastify": "5.2.1"
+    "discord.js": "14.19.3",
+    "fastify": "5.3.3"
   }
 }

src/commands/clear.ts

@@ -0,0 +1,24 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import {
+  ApplicationIntegrationType,
+  SlashCommandBuilder,
+  InteractionContextType,
+} from "discord.js";
+
+const command = new SlashCommandBuilder().
+  setContexts(
+    InteractionContextType.BotDM,
+    InteractionContextType.Guild,
+    InteractionContextType.PrivateChannel,
+  ).
+  setIntegrationTypes(ApplicationIntegrationType.UserInstall).
+  setName("clear").
+  setDescription("Clear your current conversation so you can start a new one!");
+
+// eslint-disable-next-line no-console -- We don't need our logger here as this never runs in production.
+console.log(JSON.stringify(command.toJSON()));

src/events/message.ts

@@ -14,13 +14,14 @@ import { personality } from "../config/personality.js";
 import { ai } from "../utils/ai.js";
 import { calculateCost } from "../utils/calculateCost.js";
 import { isSubscribedMessage } from "../utils/isSubscribed.js";
+import { logger } from "../utils/logger.js";
 import type { MessageParam } from "@anthropic-ai/sdk/resources/index.js";
 
 /**
  * Handles the Discord message event.
  * @param message - The message payload from Discord.
  */
-// eslint-disable-next-line max-lines-per-function -- We're off by one bloody line.
+// eslint-disable-next-line max-lines-per-function, max-statements -- We're off by one bloody line.
 export const onMessage = async(message: Message): Promise<void> => {
   try {
     if (message.channel.type !== ChannelType.DM) {
@@ -33,22 +34,34 @@ export const onMessage = async(message: Message): Promise<void> => {
     if (!subbed) {
       return;
     }
-    const history = await message.channel.messages.fetch({ limit: 6 });
-    const context: Array<MessageParam>
-    = history.reverse().map((messageInner) => {
-      return {
-        content: messageInner.content,
-        role:
-          messageInner.author.id === message.client.user.id
-            ? "assistant"
-            : "user",
-      };
+    const historyRequest = await message.channel.messages.fetch({ limit: 20 });
+    const history = [ ...historyRequest.values() ];
+    const clearMessageIndex = history.findIndex((messageInner) => {
+      return (
+        messageInner.content === "<Clear History>"
+        && messageInner.author.id === message.client.user.id
+      );
     });
+    if (clearMessageIndex !== -1) {
+      // Remove the clear message and everything sent before it, which means everything after in the array because the array is backwards
+      history.splice(clearMessageIndex, history.length - clearMessageIndex);
+    }
+    const context: Array<MessageParam> = history.
+      reverse().
+      map((messageInner) => {
+        return {
+          content: messageInner.content,
+          role:
+            messageInner.author.id === message.client.user.id
+              ? "assistant"
+              : "user",
+        };
+      });
     const messages = await ai.messages.create({
       // eslint-disable-next-line @typescript-eslint/naming-convention -- Required key format for SDK.
       max_tokens:  3000,
       messages:    context,
-      model:       "claude-3-5-sonnet-latest",
+      model:       "claude-sonnet-4-20250514",
       system:      `${personality} The user's name is ${message.author.displayName}`,
       temperature: 1,
     });
@@ -61,8 +74,13 @@ export const onMessage = async(message: Message): Promise<void> => {
       response?.text ?? "There was an error. Please try again later.",
     );
 
+    if (!response) {
+      await logger.log("info", `No response from AI, here's the payload: ${JSON.stringify(messages)}`);
+    }
+
     await calculateCost(messages.usage, message.author.username);
   } catch (error) {
+    await logger.error("message event", error as Error);
     const button = new ButtonBuilder().
       setLabel("Need help?").
       setStyle(ButtonStyle.Link).

src/index.ts

@@ -6,6 +6,7 @@
 import { Client, Events, GatewayIntentBits, Partials } from "discord.js";
 import { onMessage } from "./events/message.js";
 import { about } from "./modules/about.js";
+import { clear } from "./modules/clear.js";
 import { instantiateServer } from "./server/serve.js";
 import { logger } from "./utils/logger.js";
 
@@ -45,6 +46,9 @@ client.on(Events.InteractionCreate, (interaction) => {
           ephemeral: true,
         });
         break;
+      case "clear":
+        void clear(interaction);
+        break;
       default:
         void interaction.reply({
           content:   `I'm sorry, I don't know the ${interaction.commandName} command.`,

src/modules/clear.ts

@@ -0,0 +1,47 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import {
+  MessageFlags,
+  type ChatInputCommandInteraction,
+} from "discord.js";
+import { isSubscribedInteraction } from "../utils/isSubscribed.js";
+import { logger } from "../utils/logger.js";
+import { replyToError } from "../utils/replyToError.js";
+
+/**
+ * Sends a clear message in the DMs.
+ * @param interaction -- The interaction payload from Discord.
+ */
+export const clear = async(
+  interaction: ChatInputCommandInteraction,
+): Promise<void> => {
+  try {
+    await interaction.deferReply({ flags: [ MessageFlags.Ephemeral ] });
+
+    const subbed = await isSubscribedInteraction(interaction);
+    if (!subbed) {
+      return;
+    }
+    const sent = await interaction.user.send({
+      content: "<Clear History>",
+    }).catch(() => {
+      return null;
+    });
+
+    await interaction.editReply({
+      content: sent
+        ? "I have added a clear history marker to your DMs."
+        // eslint-disable-next-line stylistic/max-len -- This is a long string.
+        : "I was unable to send you a DM. Please ensure your privacy settings allow direct messages.",
+    });
+  } catch (error) {
+    await replyToError(interaction);
+    if (error instanceof Error) {
+      await logger.error("about command", error);
+    }
+  }
+};

src/server/serve.ts

@@ -19,8 +19,12 @@ const html = `<!DOCTYPE html>
   <body>
     <main>
     <h1>Maylin Taryne</h1>
+    <img src="https://cdn.nhcarrigan.com/new-avatars/maylin-full.png" width="250" alt="Maylin" />
     <section>
       <p>An AI powered companion to help you through your darkest moments.</p>
+      <a href="https://discord.com/oauth2/authorize?client_id=1343370633916059668" class="social-button discord-button" style="display: inline-block; background-color: #5865F2; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px; margin: 5px;">
+        <i class="fab fa-discord"></i> Add to Discord
+      </a>
     </section>
     <section>
         <h2>Links</h2>