
feat: monorepo workspaces, repo layout, basic CI #24

Closed

Copilot wants to merge 4 commits into main from copilot/convert-repo-to-npm-workspaces

Conversation

Copilot AI commented Oct 15, 2025

Contributor

Summary

Converts the repository to an npm workspaces monorepo structure with standardized layout and minimal CI workflow. This establishes the foundation for future modularization without moving existing code.

What Changed

Monorepo Structure

Established standard monorepo layout with dedicated directories:

  • apps/ - User-facing applications (prepared for web app in PR ci: bump actions/setup-node from 4 to 5 #2)
  • services/ - Backend microservices
  • packages/ - Shared libraries and utilities
  • infra/ - Infrastructure as code
  • docs/ - Centralized documentation

Each workspace directory includes a README.md explaining its purpose and future structure.

Root Configuration

Updated package.json with workspace support:

{
  "name": "ai-security-monitoring-app",
  "private": true,
  "workspaces": ["apps/*", "services/*", "packages/*"]
}

Modified scripts to support both root and workspace execution:

  • npm run build - Builds root project, then all workspace packages
  • npm run test - Runs root tests, then all workspace tests
  • npm run lint - Lints root and all workspaces
  • Commands use --if-present flag to gracefully handle empty workspaces

CI/CD Pipeline

Created .github/workflows/ci.yml with:

  • Node.js 20.x for modern JavaScript features
  • Cached npm dependencies for faster builds
  • Type checking via TypeScript compiler
  • Linting with ESLint
  • Testing with Vitest
  • Security audit via npm audit
  • Explicit permissions (contents: read) for GITHUB_TOKEN security

Documentation

Added comprehensive documentation in /docs:

ARCHITECTURE.md - System design overview:

  • Monorepo structure explanation
  • Technology stack reference
  • Core component descriptions
  • Security considerations
  • Future enhancement roadmap

SECURITY.md - Security guidelines:

  • Secrets management best practices
  • Dependency security protocols
  • Code security standards
  • Cloud security configuration
  • Incident response procedures

DEPLOY.md - Deployment guide:

  • Local development setup
  • Production build process
  • Deployment options (Vercel, Netlify, Azure)
  • Database configuration
  • Environment variable reference
  • Troubleshooting guide

Verification

All checks passing:

  • ✅ Build successful (TypeScript + Vite)
  • ✅ Tests passing (5/5)
  • ✅ Type check passing
  • ✅ Lint passing
  • ✅ CodeQL security scan (0 alerts)
  • ✅ No secrets committed

Next Steps

As outlined in the plan:

  1. Merge this PR to establish monorepo foundation
  2. PR ci: bump actions/setup-node from 4 to 5 #2 will migrate existing app to apps/web/
  3. Future PRs will extract shared packages

This approach minimizes risk by separating infrastructure changes from code migration.

Breaking Changes

None. The existing application continues to build and run exactly as before. Workspace infrastructure is additive.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint.prisma.io
    • Triggering command: /usr/local/bin/node /home/REDACTED/work/ai-security-monitoring-app/ai-security-monitoring-app/node_modules/prisma/build/child {"product":"prisma","version":"6.17.1","cli_install_type":"local","information":"","local_timestamp":"2025-10-15T04:37:48Z","project_hash":"09f815c9","cli_path":"/home/REDACTED/work/ai-security-monitoring-app/ai-security-monitoring-app/node_modules/.bin/prisma","cli_path_hash":"0cad3ab3","endpoint":"REDACTED","disable":false,"arch":"x64","os":"linux","node_version":"v20.19.5","ci":true,"ci_name":"GitHub Actions","command":"generate --postinstall \"UNABLE_TO_FIND_POSTINSTALL_TRIGGER__ENVAR_MISSING\"","schema_providers":["sqlite"],"schema_preview_features":[],"schema_generators_providers":["prisma-client-js"],"cache_file":"/home/REDACTED/.cache/checkpoint-nodejs/prisma-0cad3ab3","cache_duration":43200000,"remind_duration":172800000,"force":false,"timeout":5000,"unref":true,"child_path":"/home/REDACTED/work/ai-security-monitoring-app/ai-security-monitoring-app/node_modules/prisma/build/child","client_event_id":"","previous_client_event_id":"","check_if_update_available":true} (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

PR #1 description (paste into GitHub)

Title: feat: monorepo workspaces, repo layout, basic CI

Summary
• Convert repo to npm workspaces.
• Establish standard layout: apps/, services/, packages/, infra/, docs/.
• Add minimal CI workflow (build/test matrix via workspaces).
• Seed architecture/security/deploy docs.

What changed
• Root package.json with "workspaces": ["apps/*","services/*","packages/*"].
• .github/workflows/ci.yml with Node 20, cached installs, -ws builds.
• New docs in /docs: ARCHITECTURE.md, SECURITY.md, DEPLOY.md.

Next steps
• Move current app into apps/web/.
• Merge, then open PR #2 to extract shared packages.

Checklist
• CI green
• No secrets committed
• Lint/test scripts run --if-present to avoid breakage



Copilot AI and others added 3 commits October 15, 2025 04:38
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Convert repo to npm workspaces with basic CI" to "feat: monorepo workspaces, repo layout, basic CI" Oct 15, 2025
Copilot AI requested a review from aurelianware October 15, 2025 04:48
@aurelianware aurelianware marked this pull request as ready for review October 15, 2025 14:38

@aurelianware aurelianware left a comment

Owner


Overall: Great foundation for the monorepo + CI. A few small fixes will make this rock-solid and future-proof.

✅ What’s good

  • Clear intent: move to npm workspaces and standard layout.
  • CI uses Node 20 and least-privileged permissions.

❗ Required before merge

Make CI workspace-aware (so scripts run across apps/, services/, packages/).

.github/workflows/ci.yml (replace job steps)

- name: Install deps
  run: npm ci
- name: Type check
  run: npm run -ws type-check --if-present
- name: Lint
  run: npm run -ws lint --if-present
- name: Build
  run: npm run -ws build --if-present
- name: Test
  run: npm run -ws test --if-present
- name: Audit (non-blocking)
  run: npm audit --audit-level=high || true

Root dispatcher scripts (prevents CI 404s while workspaces are empty).

package.json (root)

{
  "name": "ai-security-monitoring-app",
  "private": true,
  "workspaces": ["apps/*", "services/*", "packages/*"],
  "scripts": {
    "build": "npm run -ws build --if-present",
    "test": "npm run -ws test --if-present",
    "lint": "npm run -ws lint --if-present",
    "type-check": "npm run -ws type-check --if-present",
    "security:audit": "npm audit --audit-level=high || true"
  },
  "engines": { "node": ">=20" }
}

Docs should match current state (mark future components as planned so contributors aren’t confused).
Replace the “Technology Stack” section with:

Planned Technology Stack (roadmap)

These components land in later PRs. This PR only establishes the monorepo layout + CI.

  • Auth: NextAuth (OIDC/Entra ID)
  • DB/ORM: Prisma (EMR API)
  • Client ML demos: TensorFlow.js (COCO-SSD)
  • PWA: Workbox
  • XR helper app: Electron

👍 Nice to have (can be a follow-up PR)

Add CodeQL so we actually have a security check:

.github/workflows/codeql.yml

name: codeql
on:
  push: { branches: [ "main" ] }
  pull_request: { branches: [ "main" ] }
  schedule: [{ cron: '26 3 * * 3' }]
jobs:
  analyze:
    permissions: { actions: read, contents: read, security-events: write }
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: javascript }
      - uses: github/codeql-action/analyze@v3

Add .nvmrc or "engines" (included above) to pin Node 20 for contributors.

💬 Rationale (answers reviewers’ likely questions)

  • Why -ws? Ensures build/test/lint/type-check execute in every workspace as they’re added, preventing silent CI gaps.
  • Why drop --legacy-peer-deps? It can hide real dependency issues; only add it if we document a specific conflict.
  • Why dispatcher scripts at root? Keeps CI stable when some packages don’t define a given script yet.
  • Why mark stack as “planned”? Avoids misleading contributors until those pieces actually land.

✅ Merge checklist

  • CI updated to use -ws and passes on a clean clone
  • Root package.json dispatcher scripts present
  • Architecture doc updated to “Planned Technology Stack (roadmap)”
  • (Optional) CodeQL workflow added

Once these land, this PR is GTM from my side.
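
Added example, not part of this pull request or of the review above: `npm run -ws <script> --if-present` exits successfully for any workspace that lacks the script, so a package can sit in the tree with no lint or test step and CI stays green. This Node.js check reports which workspaces lack the scripts the CI steps call and which package directories (such as anything under infra/) no workspace pattern covers; the function names and the in-memory manifests are constructed for illustration.

```javascript
// Added example. Manifests are passed in memory (constructed sample data),
// so nothing is read from disk; all names below are hypothetical.
const CI_SCRIPTS = ["type-check", "lint", "build", "test"]; // scripts the review's CI steps run

// Handles the two pattern forms used on this page: "<parent>/*" (direct
// children of <parent>) and a literal directory such as "infra".
function matchesWorkspace(pattern, dir) {
  if (pattern.endsWith("/*")) {
    const parent = pattern.slice(0, -2);
    const rest = dir.startsWith(parent + "/") ? dir.slice(parent.length + 1) : "";
    return rest.length > 0 && !rest.includes("/");
  }
  return pattern.replace(/\/$/, "") === dir;
}

// Returns which package directories npm would visit, which required scripts
// each one lacks (skipped silently under --if-present), and which directories
// no workspace pattern covers.
function findScriptGaps(rootManifest, manifestsByDir, required = CI_SCRIPTS) {
  const patterns = rootManifest.workspaces || [];
  const report = { workspaces: [], gaps: {}, unmatched: [] };
  for (const [dir, manifest] of Object.entries(manifestsByDir)) {
    if (!patterns.some((p) => matchesWorkspace(p, dir))) {
      report.unmatched.push(dir);
      continue;
    }
    report.workspaces.push(dir);
    const scripts = manifest.scripts || {};
    const missing = required.filter((name) => !(name in scripts));
    if (missing.length > 0) report.gaps[dir] = missing;
  }
  return report;
}

// Constructed sample: workspace patterns as in the PR description, plus three
// made-up package manifests keyed by directory.
const sampleRoot = { private: true, workspaces: ["apps/*", "services/*", "packages/*"] };
const sampleManifests = {
  "apps/web": { scripts: { "type-check": "tsc --noEmit", lint: "eslint .", build: "vite build", test: "vitest run" } },
  "packages/ui": { scripts: { build: "tsc -p ." } },
  "infra/deploy": { scripts: { lint: "eslint ." } },
};

const sampleReport = findScriptGaps(sampleRoot, sampleManifests);
console.log(JSON.stringify(sampleReport, null, 2));
```

Failing the job when `gaps` or `unmatched` is non-empty turns a silent skip into a visible CI failure.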

@aurelianware

Owner

Closing: This PR attempts to convert the security monitoring app to a monorepo with clinic features, which doesn't match the current codebase architecture. The repository is actually a single-app security monitoring system using React/TensorFlow.js for real-time object detection.
