login error message and helper text styling

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+# This file defines required reviewers for all PRs
+# Last updated: Dec 2025
+
+# Default reviewer(s) for everything
+# For T3 2025 the list is primarily du-dhartley and romil-bijarnia. Any repository or organisation admins can also review and merge, even if not explicitly listed.
+# Additional contributors can be easily added here.
+*    @du-dhartley @romil-bijarnia
+
+# You can add more specific rules later, e.g.:
+# /docs/    @docs-reviewer

.github/workflows/workflow-cleanup.yml

@@ -0,0 +1,66 @@
+name: "Cleanup Old Workflow Runs"
+
+on:
+  schedule:
+    - cron: "0 0 * * 0"   # Every Sunday at midnight UTC
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "If true, only print what would be deleted"
+        required: true
+        type: boolean
+        default: true
+      confirm:
+        description: "Type DELETE to confirm deletion when dry_run=false"
+        required: false
+        default: ""
+
+permissions:
+  contents: read
+  actions: write
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+
+      - name: Install dependencies
+        working-directory: tools/workflow-cleanup
+        run: npm ci
+
+      - name: Run cleanup script (scheduled dry run)
+        if: github.event_name == 'schedule'
+        working-directory: tools/workflow-cleanup
+        run: node cleanup-workflows.js --dryRun=true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+
+      - name: Run cleanup script (manual)
+        if: github.event_name == 'workflow_dispatch'
+        working-directory: tools/workflow-cleanup
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+        run: |
+          if [ "${{ inputs.dry_run }}" = "true" ]; then
+            node cleanup-workflows.js --dryRun=true
+            exit 0
+          fi
+
+          if [ "${{ inputs.confirm }}" != "DELETE" ]; then
+            echo "Refusing to delete workflow runs."
+            echo "Re-run this workflow with dry_run=false and confirm=DELETE."
+            exit 1
+          fi
+
+          node cleanup-workflows.js

.gitignore

@@ -5,5 +5,32 @@ env/
 **/.venv/
 **/venv/
 **/env/
-README.md
 .DS_Store
+
+# Python caches
+**/__pycache__/
+**/*.py[codz]
+**/.pytest_cache/
+**/.ruff_cache/
+**/.mypy_cache/
+
+# Node / frontend artifacts
+**/node_modules/
+**/build/
+**/dist/
+**/coverage/
+
+# Editor / OS
+.idea/
+.vscode/
+
+# Environment files (keep examples)
+.env
+.env.*
+!.env.example
+**/.env
+**/.env.*
+!**/.env.example
+
+# Engine legacy generated outputs
+engine/legacy/engine/autoaudit_reports.json

README.md

@@ -3,12 +3,20 @@
 ## Project Overview
 AutoAudit is a M365 compliance automation platform built by several specialist teams. This monorepo centralizes all codebases—including backend services, APIs, compliance scanners, and frontends—enabling unified CI/CD, streamlined development, and rapid automated deployments to the cloud.
 
+## Documentation
+
+- [Getting Started](docs/GETTING_STARTED.md) - Set up your development environment
+- [Contributing Guide](docs/CONTRIBUTING.md) - Find where to contribute based on your skills
+
 ## Repository Structure
 The repo follows the established modular structure:  
 - `/backend-api`  
 - `/security`  
 - `/frontend`  
 - `/engine`  
+- `/infrastructure`  
+- `/tools`  
+- `/docs`  
 - `/.github/workflows`
 
 Full commit history and traceability from team forks are preserved.

backend-api/.env.example

@@ -1,14 +1,23 @@
-APP_ENV=dev
-API_PREFIX=/api/v1
+# Local development settings
+# Copy this file to .env and adjust as needed
 
 # Database
 DATABASE_URL=postgresql+asyncpg://autoaudit:autoaudit_dev_password@localhost:5432/autoaudit
 
-# Authentication
-# SECRET_KEY: Used for signing JWT tokens. MUST be changed in production.
-# Generate a secure random key with one of these commands:
-#   python -c "import secrets; print(secrets.token_urlsafe(32))"
-#   openssl rand -hex 32
-SECRET_KEY=change-this-to-a-secure-random-string-in-production
-ALGORITHM=HS256
-ACCESS_TOKEN_EXPIRE_MINUTES=30
+# Redis (Celery broker)
+REDIS_URL=redis://localhost:6379
+
+# OPA (Open Policy Agent)
+OPA_URL=http://localhost:8181
+
+# JWT signing key (MUST change in production)
+SECRET_KEY=dev-secret-key-change-in-production
+
+# Fernet encryption key for M365 credentials at rest
+# Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+# Must match docker-compose.yml ENCRYPTION_KEY for worker compatibility
+# This is a randomly generated key and is not for production use
+ENCRYPTION_KEY=Ps-HiS3ww5QzQPc_Mdu5-JyA_jCNbdFHMdiwWSlAfgM=
+
+# Policies directory (use relative path for local dev, /app/policies in Docker)
+POLICIES_DIR=../engine/policies

backend-api/Dockerfile

@@ -3,25 +3,30 @@ FROM python:3.11-slim
 
 WORKDIR /app
 
-# Install system dependencies
+# Install system dependencies (incl. Tesseract for evidence OCR)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
+    tesseract-ocr \
+    libtesseract-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Install uv
 RUN pip install uv
 
 # Copy dependency files
-COPY pyproject.toml uv.lock ./
+COPY backend-api/pyproject.toml backend-api/uv.lock ./
 
-# Install dependencies
-RUN uv sync --frozen --no-dev
+# Install dependencies (include evidence extra so OCR/reporting stack is present)
+RUN uv sync --frozen --no-dev --extra evidence
 
 # Copy application code
-COPY app ./app
-COPY alembic ./alembic
-COPY alembic.ini ./
-COPY entrypoint.sh ./
+COPY backend-api/app ./app
+COPY backend-api/alembic ./alembic
+COPY backend-api/alembic.ini ./
+COPY backend-api/entrypoint.sh ./
+
+# Copy evidence scanner assets/logic
+COPY security ./security
 
 # Make entrypoint executable
 RUN chmod +x entrypoint.sh

backend-api/alembic/env.py

@@ -10,7 +10,15 @@
 # Import models for autogenerate support
 from app.db.base import Base
 from app.models.user import User  # noqa
-from app.models.compliance import Tenant, Rule, Scan, Issue  # noqa
+from app.models.oauth_account import OAuthAccount  # noqa
+from app.models.m365_connection import M365Connection  # noqa
+from app.models.platform import Platform  # noqa
+from app.models.compliance import Scan  # noqa
+from app.models.scan_result import ScanResult  # noqa
+from app.models.evidence_validation import EvidenceValidation  # noqa
+from app.models.azure_connection import AzureConnection  # noqa
+from app.models.gcp_connection import GCPConnection  # noqa
+from app.models.aws_connection import AWSConnection  # noqa
 from app.core.config import get_settings
 
 # this is the Alembic Config object, which provides