Add deployment pipeline and production assets

[ChrisAdamsdevelopment]

Adds CI/CD and staging workflows, Docker/dev scripts, pipeline docs, production public assets, smoke test files, and updates the app shell/docs.

Summary by Sourcery

Introduce an automated Docker-based CI/CD pipeline with staging and production deployments, along with UX and SEO improvements for the web app.

New Features:

• Add an in-app processing status banner and richer file status indicators while uploads are being analyzed and cleansed.
• Provide production-ready SEO metadata, social cards, sitemap, robots rules, and web manifest for the marketing site.

Enhancements:

• Dim and disable main configuration controls while a file is being processed to prevent conflicting edits.
• Update public pricing references to reflect the new Studio plan rate.

Build:

• Add Docker Compose configuration and helper scripts for local development with hot reload and production-like test runs.
• Introduce GitHub Actions workflows for unified CI/CD, Docker image builds, and staging environment deployments.
• Document the end-to-end deployment pipeline, environments, and operational runbooks in a dedicated PIPELINE.md.

Deployment:

• Configure staging and production deployment hooks to Hyperlift via CI, including health checks and rollback-friendly image tagging.

Documentation:

• Expand HTML head metadata with detailed Open Graph, Twitter Card, and structured data markup for better search and share previews.
• Clarify README deployment/runtime guidance and adjust plan pricing documentation.

Tests:

• Add sample audio files for automated smoke tests of the processing pipeline.

Chores:

• Add empty placeholder files for Docker ignore patterns and robots configuration to support production hosting needs.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spectracleanseai	Ready	Preview, Comment, Open in v0	May 24, 2026 9:56am

[sourcery-ai]

Reviewer's Guide

Adds a full CI/CD pipeline with Docker-based local dev and staging/production deployments, introduces production-ready public/SEO assets, and enhances the in-app processing UX with status banners and clearer item states.

File-Level Changes

Change	Details	Files
Add processing status banner and interactive state handling in the main app UI.	Introduce PROCESSING_STEPS mapping and ProcessingStatusBanner React component to render analyzing/processing overlay with animation and file info. Color-code item status text and humanize labels for analyzing/processing states in the uploads list. Render the new banner when the active item is analyzing or processing and dim/disable the underlying SEO/analysis controls while processing is in progress.	app.tsx
Replace minimal HTML shell with production SEO, social, and schema metadata.	Update page title and meta description to SEO-focused marketing copy. Add keywords, robots, canonical, theme-color, author, Open Graph, and Twitter card tags targeting spectracleanse.com. Embed JSON-LD SoftwareApplication and FAQPage schema to describe the product, pricing tiers, and common FAQs for rich search results.	index.html
Align documentation and pricing copy with new Studio plan price.	Update README pricing badge to reflect the new Studio plan price. Adjust README text describing free/paid tiers to match the updated Studio price. Minor cleanup of README section spacing around the deployment runtime notes.	README.md
Document the end-to-end deployment pipeline and environments.	Add PIPELINE.md describing local dev via Docker Compose, CI/CD stages, staging flow, Hyperlift deployment, required secrets, and troubleshooting. Include diagrams, environment variable tables, and operational guidance for monitoring, rollback, and performance tuning. Summarize the roles of new pipeline-related files and workflows for quick onboarding.	PIPELINE.md
Introduce unified CI/CD workflow for security, testing, Docker build, and Hyperlift deploy.	Create ci-cd.yml GitHub Actions workflow that runs security scans, backend/frontend type checks, frontend build, and server smoke test on pushes/PRs to main/develop. Configure Docker Buildx with metadata-driven tagging and conditional push to Docker Hub on main, using repository secrets for credentials. Trigger Hyperlift deployment via webhook on successful main builds, passing commit metadata for traceability.	.github/workflows/ci-cd.yml
Add staging workflow that builds, pushes, and validates a staging image after CI passes on develop.	Define staging.yml to run on successful CI/CD workflow_run events for the develop branch. Build and push staging-tagged Docker images to Docker Hub and optionally call a staging deploy webhook. Run basic smoke tests against STAGING_URL/api/health with retry logic after staging deployment.	.github/workflows/staging.yml
Provide Docker Compose-based local development environment with persistent storage and health checks.	Add docker-compose.yml defining app and db services, including environment defaults, volume-mounted SQLite storage, and a healthcheck against /api/health. Configure develop.watch sync rules for src and server.js to enable hot reload without full rebuilds, and rebuild on package changes. Introduce a minimal db service that owns the shared data volume used by the app container.	docker-compose.yml
Add helper scripts to run dev stack and smoke-test the production image locally.	Create dev.sh to load .env (or sane defaults) and start Docker Compose with watch/build for local development. Add test-prod.sh that builds the production image, runs it with realistic env vars, and polls /api/health to validate startup, dumping logs on failure.	dev.sh test-prod.sh
Ship production web assets for SEO, PWA metadata, and testing fixtures.	Add sitemap.xml, robots.txt, and site.webmanifest under public/ to support basic SEO indexing and PWA configuration. Introduce empty .dockerignore (placeholder to be populated) for optimizing Docker build context. Include dummy MP3/WAV files under smoke-files/ for use in automated or manual smoke tests of upload/processing flows.	public/sitemap.xml public/robots.txt public/site.webmanifest .dockerignore smoke-files/dummy.mp3 smoke-files/dummy.wav

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 4 issues, and left some high level feedback:

• The dev.sh script’s export $(grep -v '^#' .env | xargs) parsing will break on values containing spaces or #; consider switching to a more robust loader (e.g., set -a; . ./.env; set +a or a small parser) to avoid subtle env bugs.
• In docker-compose.yml, app both mounts ./src and server.js as read-only volumes and uses develop.watch on the same paths; simplifying to a single mechanism (either bind mounts or develop.watch) would reduce duplication and potential confusion about which source is authoritative.
• The CI pipeline runs npx tsc --noEmit in both the backend and frontend jobs; if they share the same tsconfig, consider running the type-check once or splitting configs so each job only checks what it needs to cut CI time and redundant work.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `dev.sh` script’s `export $(grep -v '^#' .env | xargs)` parsing will break on values containing spaces or `#`; consider switching to a more robust loader (e.g., `set -a; . ./.env; set +a` or a small parser) to avoid subtle env bugs.
- In `docker-compose.yml`, `app` both mounts `./src` and `server.js` as read-only volumes and uses `develop.watch` on the same paths; simplifying to a single mechanism (either bind mounts or `develop.watch`) would reduce duplication and potential confusion about which source is authoritative.
- The CI pipeline runs `npx tsc --noEmit` in both the `backend` and `frontend` jobs; if they share the same tsconfig, consider running the type-check once or splitting configs so each job only checks what it needs to cut CI time and redundant work.

## Individual Comments

### Comment 1
<location path="public/sitemap.xml" line_range="3-8" />
<code_context>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+  <url>
+    <loc>https://spectracleanse.com/</loc>
+    <lastmod>2026-05-24</lastmod>
+    <changefreq>weekly</changefreq>
+    <priority>1.0</priority>
</code_context>
<issue_to_address>
**suggestion:** Avoid hard-coding a fixed lastmod date in the sitemap.

Using a fixed `<lastmod>` date will quickly become inaccurate and can mislead crawlers. Prefer either omitting `lastmod` or generating it dynamically during build/deploy so it reflects the real content update time.

```suggestion
  <url>
    <loc>https://spectracleanse.com/</loc>
    <changefreq>weekly</changefreq>
    <priority>1.0</priority>
  </url>
```
</issue_to_address>

### Comment 2
<location path=".github/workflows/ci-cd.yml" line_range="38-44" />
<code_context>
+      - name: Run npm audit (info level allowed)
+        run: npm audit --audit-level=moderate || true
+
+      - name: Scan for secrets with TruffleHog
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Pin the TruffleHog action to a version or commit instead of using @main.

Referencing `trufflesecurity/trufflehog@main` means the workflow may change or break as the main branch evolves. For stability and supply-chain security, pin this action to a specific version tag or commit SHA (e.g. `@v3` or `@<sha>`).

```suggestion
      - name: Scan for secrets with TruffleHog
        uses: trufflesecurity/trufflehog@v3
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
          extra_args: --debug
```
</issue_to_address>

### Comment 3
<location path=".github/workflows/staging.yml" line_range="35-36" />
<code_context>
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix={{branch}}-
</code_context>
<issue_to_address>
**issue (bug_risk):** Use `workflow_run.head_sha` instead of `head_commit.sha` for more robust tagging.

`github.event.workflow_run.head_commit` can be `null` (e.g., for some `workflow_run` events or deleted branches), so `head_commit.sha` isn’t always available. Using `github.event.workflow_run.head_sha` gives a reliable commit reference; please use that for both the image tag and the deployment payload.
</issue_to_address>

### Comment 4
<location path="dev.sh" line_range="8-12" />
<code_context>
+echo "🚀 Starting SpectraCleanse AI in development mode..."
+
+# Load .env if it exists, otherwise use defaults
+if [ -f .env ]; then
+  echo "📝 Loading .env"
+  export $(grep -v '^#' .env | xargs)
+else
+  echo "⚠️  .env not found. Using defaults. Copy .env.example to .env for custom settings."
</code_context>
<issue_to_address>
**suggestion (bug_risk):** The .env loader can break with values containing spaces or special characters.

This pattern will mis-parse values containing spaces, `#`, or extra `=` and can introduce malformed environment variables. Prefer a safer shell approach like `set -a; . ./.env; set +a` / `set +a`, or rely on Docker/Compose `env_file` support instead.

```suggestion
# Load .env if it exists, otherwise use defaults
if [ -f .env ]; then
  echo "📝 Loading .env"
  set -a
  # shellcheck disable=SC1091
  . ./.env
  set +a
else
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Avoid hard-coding a fixed lastmod date in the sitemap.

Using a fixed <lastmod> date will quickly become inaccurate and can mislead crawlers. Prefer either omitting lastmod or generating it dynamically during build/deploy so it reflects the real content update time.

Suggested change

	<url>
	<loc>https://spectracleanse.com/</loc>
	<lastmod>2026-05-24</lastmod>
	<changefreq>weekly</changefreq>
	<priority>1.0</priority>
	</url>
	<url>
	<loc>https://spectracleanse.com/</loc>
	<changefreq>weekly</changefreq>
	<priority>1.0</priority>
	</url>

[sourcery-ai]

🚨 suggestion (security): Pin the TruffleHog action to a version or commit instead of using @main.

Referencing trufflesecurity/trufflehog@main means the workflow may change or break as the main branch evolves. For stability and supply-chain security, pin this action to a specific version tag or commit SHA (e.g. @v3 or @<sha>).

Suggested change

	- name: Scan for secrets with TruffleHog
	uses: trufflesecurity/trufflehog@main
	with:
	path: ./
	base: ${{ github.event.repository.default_branch }}
	head: HEAD
	extra_args: --debug
	- name: Scan for secrets with TruffleHog
	uses: trufflesecurity/trufflehog@v3
	with:
	path: ./
	base: ${{ github.event.repository.default_branch }}
	head: HEAD
	extra_args: --debug

[sourcery-ai]

issue (bug_risk): Use workflow_run.head_sha instead of head_commit.sha for more robust tagging.

github.event.workflow_run.head_commit can be null (e.g., for some workflow_run events or deleted branches), so head_commit.sha isn’t always available. Using github.event.workflow_run.head_sha gives a reliable commit reference; please use that for both the image tag and the deployment payload.

[sourcery-ai]

suggestion (bug_risk): The .env loader can break with values containing spaces or special characters.

This pattern will mis-parse values containing spaces, #, or extra = and can introduce malformed environment variables. Prefer a safer shell approach like set -a; . ./.env; set +a / set +a, or rely on Docker/Compose env_file support instead.

Suggested change

	# Load .env if it exists, otherwise use defaults
	if [ -f .env ]; then
	echo "📝 Loading .env"
	export $(grep -v '^#' .env | xargs)
	else
	# Load .env if it exists, otherwise use defaults
	if [ -f .env ]; then
	echo "📝 Loading .env"
	set -a
	# shellcheck disable=SC1091
	. ./.env
	set +a
	else