Upload folder using huggingface_hub

.docker/postgres/init-db.sql

@@ -0,0 +1,5 @@
+CREATE USER blurts WITH ENCRYPTED PASSWORD 'blurts';
+CREATE DATABASE blurts WITH OWNER 'blurts';
+CREATE DATABASE "test-blurts" WITH OWNER 'blurts';
+
+ALTER DEFAULT privileges IN SCHEMA public GRANT ALL ON tables to blurts;

.docker/pubsub/setup_pubsub.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Ensure the emulator host is set
+PUBSUB_HOST=$1
+PUBSUB_PORT=$2
+PROJECT_ID=$3
+
+PUBSUB_EMULATOR_HOST="${PUBSUB_HOST}:${PUBSUB_PORT}"
+
+# Start PubSub emulator in the background
+gcloud beta emulators pubsub start --host-port=0.0.0.0:${PUBSUB_PORT} --project=${PROJECT_ID} &
+echo "Waiting for Pub/Sub emulator to be ready..."
+until curl -s "http://${PUBSUB_EMULATOR_HOST}/v1/projects/${PROJECT_ID}/schemas" > /dev/null; do
+    echo "Pub/Sub emulator not ready yet..."
+    sleep 2
+done
+echo "Pub/Sub emulator is ready!"
+echo "Initializing Pub/Sub emulator..."
+
+create_topic_and_subscription  () {
+    if [ $# -ne 2 ]; then 
+        echo "create_topic_and_subscription takes 2 arguments"
+        exit 1
+    fi
+    if [ -z "$1" ]; then
+        echo "create_topic_and_subscription requires non-empty topic"
+        exit 1
+    fi
+    if [ -z "$2" ]; then 
+        echo "create_topic_and_subscription requires non-empty subscription"
+        exit 1
+    fi
+
+    topic=$1
+    subscription=$2
+    echo "Creating topic '$topic' with subscription '$subscription'..."
+
+    # Create the topic using REST API instead of gcloud
+    curl -s -X PUT "${PUBSUB_EMULATOR_HOST}/v1/projects/${PROJECT_ID}/topics/${topic}"
+
+    # Create the subscription using REST API instead of gcloud
+    curl -s -X PUT "${PUBSUB_EMULATOR_HOST}/v1/projects/${PROJECT_ID}/subscriptions/${subscription}" \
+        -H "Content-Type: application/json" \
+        -d "{\"topic\": \"projects/${PROJECT_ID}/topics/${topic}\"}"
+}
+
+create_topic_and_subscription hibp-breaches hibp-cron
+
+echo "Pub/Sub initialization completed."
+touch /tmp/startup.done
+
+# Keep emulator running
+wait

.github/dependabot.yml

@@ -0,0 +1,96 @@
+# See the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 8
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 8
+    open-pull-requests-limit: 10
+    groups:
+      eslint:
+        patterns:
+          - "@typescript-eslint/*"
+          - "eslint"
+          - "eslint-*"
+        exclude-patterns:
+          - "eslint-config-next"
+          - "eslint-plugin-storybook"
+      jest:
+        patterns:
+          - "babel-jest"
+          - "jest"
+          - "jest-environment-jsdom"
+      testing-library:
+        patterns:
+          - "@testing-library/dom"
+          - "@testing-library/react"
+          - "@testing-library/user-event"
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "react-test-renderer"
+      sentry:
+        patterns:
+          - "@sentry/*"
+      aws-sdk:
+        patterns:
+          - "@aws-sdk/*"
+      storybook:
+        patterns:
+          - "storybook"
+          - "@storybook/*"
+          - "eslint-plugin-storybook"
+        exclude-patterns:
+          - "eslint-config-next"
+      fluent:
+        patterns:
+          - "@fluent/*"
+      nextjs:
+        patterns:
+          - "eslint-config-next"
+          - "next"
+          - "@next/*"
+      react-aria:
+        patterns:
+          - "react-aria"
+          - "react-stately"
+      stylelint:
+        patterns:
+          - "stylelint"
+          - "stylelint-scss"
+          - "stylelint-config-recommended-scss"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 8
+    allow:
+      - dependency-type: "all"
+    ignore:
+      - dependency-name: "node"
+        # Odd-numbered versions are unstable releases, so skip those.
+        # This is using Ruby's version range syntax, specifically, the "twiddle-wakka"
+        # to indicate any matching version until the next major one..
+        # See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versions-ignore
+        # and https://guides.rubygems.org/patterns/#pessimistic-version-constraint
+        versions: ["~> 23", "<= 24.10", "~> 25", "~> 27", "~> 29"]
+        # The newest major version of faker is ESM-only which is difficult
+        # to support with jest
+        # Since faker is a zero-dependency library, ignore major version
+        # upgrades (can consider the work to update if/when we need any
+        # functionality from the new version)
+        # See https://github.com/faker-js/faker/issues/3606#issuecomment-3233612736
+      - dependency-name: "@faker-js/faker"
+        update-types: ["version-update:semver-major"]

.github/linter_config.yml

@@ -0,0 +1,59 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# ID checks
+# ID01: check that identifiers only use lowercase and hyphens
+# ID02: check that identifiers have a minimum length
+#
+# Syntax checks
+#
+# Specify if syntax features are disabled. If the config is missing, it
+# will considered as enabled.
+#
+# Example:
+# SY01:
+#     disabled: true
+#
+# SY01: terms
+# SY02: message references
+# SY03: term references
+# SY04: variants
+# SY05: attributes
+
+---
+ID01:
+    enabled: false
+    exclusions:
+        messages: []
+        files: []
+ID02:
+    enabled: false
+    min_length: 6
+    exclusions:
+        messages: []
+        files: []
+CO01:
+    enabled: true
+    brands:
+        - Firefox
+        - Mozilla
+        - Relay
+        - Monitor
+        - "{ -brand-mozilla } account"
+    exclusions:
+        messages:
+            - breach-checklist-ssn-header
+            - fxa-what-to-do-blurb-3
+            - monitor-several-emails
+            - rec-bank-acc-subhead
+            - rec-cc-subhead
+            - dashboard-top-banner-monitor-more-cta
+            - announcement-add-up-to-20-emails-plus-title
+        files: []
+# Variable comments
+VC:
+    disabled: false
+# Placeables style
+PS01:
+    disabled: false

.github/pull_request_template.md

@@ -0,0 +1,29 @@
+<!-- The following is intended to be helpful to you. Feel free to remove anything that is not. -->
+
+# References:
+
+Jira: MNTOR-
+Figma:
+
+<!-- When adding a new feature: -->
+
+# Description
+
+# Screenshot (if applicable)
+
+Not applicable.
+
+# How to test
+
+# Checklist (Definition of Done)
+
+- [ ] Localization strings (if needed) have been added.
+- [ ] Commits in this PR are minimal and [have descriptive commit messages](https://chris.beams.io/posts/git-commit/).
+- [ ] I've added or updated the relevant sections in readme and/or code comments
+- [ ] I've added a unit test to test for potential regressions of this bug.
+- [ ] If this PR implements a feature flag or experimentation, I've checked that it still works with the flag both on, and with the flag off.
+- [ ] If this PR implements a feature flag or experimentation, the Ship Behind Feature Flag status in Jira has been set
+- [ ] Product Owner accepted the User Story (demo of functionality completed) or waived the privilege.
+- [ ] All acceptance criteria are met.
+- [ ] Jira ticket has been updated (if needed) to match changes made during the development process.
+- [ ] Jira ticket has been updated (if needed) with suggestions for QA when this PR is deployed to stage.

.github/requirements.txt

@@ -0,0 +1 @@
+moz-fluent-linter==0.4.*

.github/workflows/build.yaml

@@ -0,0 +1,27 @@
+name: Build
+
+permissions: {}
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  npm-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "20.19.x"
+      - run: npm ci
+      - run: npm run build-glean
+      # Verify that the build (incl. type-checking) succeeds
+      # Upload sourcemaps to Sentry
+      - run: npm run build
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/conflicts.yml

@@ -0,0 +1,22 @@
+name: No unresolved conflicts
+
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ main, localization ]
+
+jobs:
+  detect-unresolved-conflicts:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: List files with merge conflict markers
+        # Encode conflict markers so this file does not trigger git's conflict detection.
+        run: git --no-pager grep "$(echo 'PDw8PDw8PAo=' | base64 -d)" ":(exclude).github/" || true
+      - name: Fail or succeed job if any files with merge conflict markers have been checked in
+        # Find lines containing conflict markers then count the number of lines.
+        # 0 matching lines results in exit code 0, i.e. success.
+        run: exit $(git grep "$(echo 'PDw8PDw8PAo=' | base64 -d)" ":(exclude).github/" | wc --lines)

.github/workflows/docker_build_deploy.yml

@@ -0,0 +1,66 @@
+name: Build Docker image and publish
+
+permissions: {}
+
+on:
+  push:
+    branches: [ main ]
+jobs:
+  push_to_registry:
+    name: Push Docker image to Docker Hub
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: mozilla/blurts-server
+          tags: |
+            type=semver,pattern={{raw}}
+            type=raw,value={{sha}},event=tag
+
+      - name: Create version.json
+        run: |
+          echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json
+
+      - name: Check Docker Version
+        run: docker --version
+      - name: Install Latest Docker
+        run: |
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+          sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
+          sudo apt-get update
+          sudo apt-get install docker-ce
+
+      - name: Build Docker image
+        env:
+          UPLOAD_SENTRY_SOURCEMAPS: true
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_RELEASE: ${{ github.ref_name }}
+          NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+        run: |
+          docker build --tag blurts-server \
+            --build-arg SENTRY_RELEASE="$SENTRY_RELEASE" \
+            --build-arg NEXT_PUBLIC_SENTRY_DSN="$NEXT_PUBLIC_SENTRY_DSN" \
+            --secret id=SENTRY_AUTH_TOKEN \
+            .
+
+      - name: Deploy to Dockerhub
+        env:
+          DOCKERHUB_REPO: ${{ env.DOCKERHUB_REPO }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          # deploy main
+          docker tag blurts-server $TAGS
+          docker push $TAGS

.github/workflows/docker_build_deploy_v2.yml

@@ -0,0 +1,95 @@
+name: Build Docker image and publish to GAR
+
+permissions: {}
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+
+jobs:
+  build_and_push_to_gar:
+    # Define permissions at the job level
+    permissions:
+      contents: "read" # Needed for checkout
+      id-token: "write" # Needed for GCP auth
+      packages: "none" # Explicitly disable package permissions
+    name: Build and Push Docker image to GAR
+    runs-on: ubuntu-latest
+    environment: build
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} # Base name for GAR image
+      GAR_REGISTRY: us-docker.pkg.dev
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Authenticate to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
+
+      - name: Login to Artifact Registry
+        id: gar-login
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GAR_REGISTRY }}
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # Only generate the image name for GAR
+          images: ${{ env.GAR_IMAGE_BASE }}
+          tags: |
+            # Generate tag based on short commit SHA
+            type=sha,format=short,prefix=
+
+      - name: Create version.json
+        run: |
+          # Use full sha here for version.json content
+          echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image to GAR
+        id: build-and-push
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          # Push is true to push to GAR after build
+          push: true
+          # Tags generated by the metadata action (only GAR tag)
+          tags: ${{ env.TAGS }}
+          # Pass build arguments
+          build-args: |
+            SENTRY_RELEASE=${{ github.sha }}
+            NEXT_PUBLIC_SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+          # Pass secrets securely to the build
+          secrets: |
+            SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
+          # Enable build cache for faster builds (optional but recommended)
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Print Image URI
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          echo "Pushed GAR image: $TAGS"

.github/workflows/docker_check.yml

@@ -0,0 +1,28 @@
+name: Build Docker image check
+
+permissions: {}
+
+on:
+  pull_request:
+jobs:
+  docker_build:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Docker Version
+        run: docker --version
+
+      - name: Install Latest Docker
+        run: |
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+          sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
+          sudo apt-get update
+          sudo apt-get install docker-ce
+
+      - name: Check out the repo
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Build Docker image
+        run: docker build .

.github/workflows/functional_tests_cron.yml

@@ -0,0 +1,135 @@
+name: Functional Test Suite (cron)
+
+permissions: {}
+
+on:
+  schedule:
+    - cron: '0 8 * * *'
+  workflow_dispatch:
+    inputs:
+      test_env:
+        description: 'Environment to run the functional test suite against'
+        required: false
+        default: ''
+        type: choice
+        options:
+          - ''
+          - stage
+          - production
+jobs:
+  functional-tests:
+    name: Functional tests (${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}) [${{ github.event_name }}]
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test_env: ${{ github.event_name == 'schedule' && fromJson('["stage","production"]') || fromJson('["unset"]') }}
+    steps:
+      - name: Fail manual run if environment is missing
+        if: github.event_name == 'workflow_dispatch' && inputs.test_env == ''
+        run: |
+          echo "Please select an environment for manual runs"
+          exit 1
+
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20.19.x
+
+      - name: Install dependencies
+        run: npm ci
+      - name: Store Playwright’s Version
+        run: |
+          # Get the current Playwright version listed in package.json
+          PLAYWRIGHT_VERSION=$(npx playwright --version | sed 's/Version //')
+          echo "Playwright Version: $PLAYWRIGHT_VERSION"
+          echo "PLAYWRIGHT_VERSION=$PLAYWRIGHT_VERSION" >> $GITHUB_ENV
+
+      - name: Cache Playwright Browsers for Playwright's Version
+        id: cache-playwright-browsers
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-browsers-${{ env.PLAYWRIGHT_VERSION }}
+
+      - name: Setup Playwright Browser
+        if: steps.cache-playwright-browsers.outputs.cache-hit != 'true'
+        run: npx playwright install --with-deps
+
+      - name: Run Playwright tests - ${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}
+        if: github.event.pull_request.user.login != 'dependabot[bot]'
+        run: npm run functional-tests
+        timeout-minutes: 40
+        env:
+          E2E_TEST_ENV: ${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}
+          E2E_TEST_SECRET: ${{ secrets.E2E_TEST_SECRET }}
+          E2E_TEST_ACCOUNT_BASE_EMAIL: ${{ secrets.E2E_TEST_ACCOUNT_BASE_EMAIL }}
+          E2E_TEST_ACCOUNT_BASE_PASSWORD: ${{ secrets.E2E_TEST_ACCOUNT_BASE_PASSWORD }}
+      - uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: playwright-report-${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}
+          path: playwright-report/
+          retention-days: 30
+      - uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: test-results-${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}
+          path: src/functional-tests/test-results/
+          retention-days: 30
+
+      - name: Send GitHub Action trigger data to Slack workflow
+        id: slack
+        uses: slackapi/slack-github-action@v2.1.1
+        if: failure() && github.ref == 'refs/heads/main'
+        with:
+          webhook: ${{ secrets.SLACK_GHA_FAILURES_WEBHOOK }}
+          webhook-type: webhook-trigger
+          # For posting a message using Block Kit
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*Link to job:* *<https://github.com/mozilla/blurts-server/actions/runs/${{ github.run_id }}|Functional tests>*"
+                  }
+                },
+                {
+                  "type": "divider"
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Workflow:* \n ${{ github.workflow }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Environment:* \n ${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Status:* \n ${{ job.status }}"
+                    }
+                  ]
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Ref:*\n ${{ github.ref }}  "
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Triggered by:*\n ${{ github.triggering_actor }}"
+                    }
+                  ]
+                }
+              ]
+            }

.github/workflows/functional_tests_pr.yml

@@ -0,0 +1,100 @@
+name: Functional Test Suite (PR)
+
+permissions: {}
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+jobs:
+  functional-tests:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    # Service containers to run with `container-job`
+    services:
+      # Label used to access the service container
+      postgres:
+        # Docker Hub image
+        image: postgres
+        # Provide the password for postgres
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: blurts
+        # Set health checks to wait until postgres has started
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+        - 5432:5432
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20.19.x
+
+      - name: Install dependencies
+        run: npm ci
+      - name: Setting up postgres
+        run: npm run db:migrate
+        env:
+          DATABASE_URL: postgres://postgres:postgres@localhost:5432/blurts
+      - name: Store Playwright’s Version
+        run: |
+          # Get the current Playwright version listed in package.json
+          PLAYWRIGHT_VERSION=$(npx playwright --version | sed 's/Version //')
+          echo "Playwright Version: $PLAYWRIGHT_VERSION"
+          echo "PLAYWRIGHT_VERSION=$PLAYWRIGHT_VERSION" >> $GITHUB_ENV
+      - name: Cache Playwright Browsers for Playwright's Version
+        id: cache-playwright-browsers
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-browsers-${{ env.PLAYWRIGHT_VERSION }}
+
+      - name: Setup Playwright Browser
+        if: steps.cache-playwright-browsers.outputs.cache-hit != 'true'
+        run: npx playwright install --with-deps
+
+      - name: Run Playwright tests
+        if: github.event.pull_request.user.login != 'dependabot[bot]'
+        run: npm run functional-tests
+        timeout-minutes: 20
+        env:
+          ADMINS: ${{ secrets.ADMINS }}
+          DATABASE_URL: postgres://postgres:postgres@localhost:5432/blurts
+          E2E_TEST_SECRET: ${{ secrets.E2E_TEST_SECRET }}
+          E2E_TEST_ACCOUNT_BASE_EMAIL: ${{ secrets.E2E_TEST_ACCOUNT_BASE_EMAIL }}
+          E2E_TEST_ACCOUNT_BASE_PASSWORD: ${{ secrets.E2E_TEST_ACCOUNT_BASE_PASSWORD }}
+          E2E_TEST_ENV: local
+          HIBP_API_TOKEN: ${{ secrets.HIBP_API_TOKEN }}
+          HIBP_KANON_API_ROOT: "http://localhost:6060/api/mock/hibp"
+          HIBP_KANON_API_TOKEN: ${{ secrets.HIBP_KANON_API_TOKEN }}
+          NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }}
+          NEXTAUTH_URL: ${{ secrets.NEXTAUTH_URL }}
+          OAUTH_ACCOUNT_URI: ${{ secrets.OAUTH_ACCOUNT_URI }}
+          OAUTH_CLIENT_SECRET: ${{ secrets.OAUTH_CLIENT_SECRET_LOCAL }}
+          ONEREP_API_BASE: "http://localhost:6060/api/mock/onerep/"
+          ONEREP_API_KEY: ${{ secrets.ONEREP_API_KEY }}
+          PREMIUM_PLAN_ID_MONTHLY_US: ${{ secrets.STAGE_PREMIUM_PLAN_ID_MONTHLY_US }}
+          PREMIUM_PLAN_ID_YEARLY_US: ${{ secrets.STAGE_PREMIUM_PLAN_ID_YEARLY_US }}
+          PREMIUM_PRODUCT_ID: ${{ secrets.STAGE_PREMIUM_PRODUCT_ID }}
+          REDIS_URL: "redis://redis.mock"
+      - uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 30
+      - uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: test-results
+          path: src/functional-tests/test-results/
+          retention-days: 30

.github/workflows/glean-probe-scraper.yml

@@ -0,0 +1,16 @@
+name: Glean probe-scraper
+
+permissions: {}
+
+on:
+  push:
+    paths:
+      - src/telemetry/metrics.yaml
+      - src/telemetry/backend-metrics.yaml
+  pull_request:
+    paths:
+      - src/telemetry/metrics.yaml
+      - src/telemetry/backend-metrics.yaml
+jobs:
+  glean-probe-scraper:
+    uses: mozilla/probe-scraper/.github/workflows/glean.yaml@main

.github/workflows/lighthouse_cron.yml

@@ -0,0 +1,54 @@
+name: Lighthouse Report Cron
+
+permissions: {}
+
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to run LHCI against'
+        required: false
+        default: 'stage'
+        type: choice
+        options:
+          - stage
+          - prod
+jobs:
+  lhci:
+    name: Lighthouse Report  - ${{ inputs.environment != null && inputs.environment || 'stage' }}
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment != null && inputs.environment || 'stage' }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Use Node.js 20.19.x
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.19.x
+      - name: Run Lighthouse CI
+        run: |
+          npm install -g @lhci/cli@0.14.x
+          npm run lighthouse
+        env:
+          LIGHTHOUSE_COLLECT_URL: ${{ secrets.LIGHTHOUSE_COLLECT_URL }}
+      - name: Build cronjobs
+        run: |
+          npm ci
+          npm run build-cronjobs
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ secrets.GC_LIGHTHOUSE_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GC_LIGHTHOUSE_SERVICE_ACCOUNT }}
+      - name: Report results
+        run: npm run cron:report-lighthouse-results
+        env:
+          BQ_LIGHTHOUSE_PROJECT: ${{ secrets.BQ_LIGHTHOUSE_PROJECT }}
+          BQ_LIGHTHOUSE_DATASET: ${{ secrets.BQ_LIGHTHOUSE_DATASET }}
+          BQ_LIGHTHOUSE_TABLE: ${{ secrets.BQ_LIGHTHOUSE_TABLE }}

.github/workflows/lint.yaml

@@ -0,0 +1,28 @@
+name: Lint
+
+permissions: {}
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  npm-lint:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.19.x'
+      - run: npm ci
+      - run: npm run build-glean
+      - run: npm run build-nimbus
+      # Mirror old linter from CircleCI, verifies that linter succeeds
+      - run: npm run lint
+      - run: node src/scripts/build/checkNodeVersionAlignment.js
+      - run: node src/scripts/build/checkGithubActionsBestPractices.js

.github/workflows/production_deploy.yml

@@ -0,0 +1,81 @@
+name: Monitor 1-click Deployment
+
+permissions: {}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy to'
+        required: true
+        default: 'prod'
+        type: choice
+        options:
+          - stage
+          - prod
+          - dev
+      originalImageTag:
+        description: 'The original image tag that has been deployed'
+        required: true
+        type: string
+        pattern: '^[a-f0-9]{7,12}$'
+jobs:
+  pull_retag_push:
+    name: Pull, Retag, and Push Images
+    runs-on: ubuntu-latest
+    environment: build
+    permissions:
+      contents: "read" # Needed for checkout
+      id-token: "write" # Needed for GCP auth
+      packages: "none" # Explicitly disable package permissions
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
+      GAR_REGISTRY: us-docker.pkg.dev # Define GAR registry hostname
+      DOCKERHUB_IMAGE: mozilla/blurts-server # Define Docker Hub image name
+      SAFE_IMAGE_TAG: ${{ inputs.originalImageTag }}
+      SAFE_ENVIRONMENT: ${{ inputs.environment }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      
+      - name: Authenticate to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
+
+      - name: Login to Artifact Registry
+        id: gar-login
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GAR_REGISTRY }}
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
+
+      - name: Pull Docker Hub image
+        run: docker pull "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG"
+
+      - name: Retag Docker Hub image
+        run: docker tag "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG" "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
+
+      - name: Push Docker Hub image
+        run: docker push "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
+
+      - name: Pull GAR image
+        run: docker pull "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG"
+
+      - name: Retag GAR image
+        run: docker tag "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG" "$GAR_IMAGE_BASE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
+
+      - name: Push GAR image
+        run: docker push "$GAR_IMAGE_BASE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"

.github/workflows/reference_linter.yaml

@@ -0,0 +1,31 @@
+name: Lint Reference Files
+
+permissions: {}
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+jobs:
+  l10n-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Set up Python 3
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+      - name: Install Python dependencies
+        run: |
+          pip install -r .github/requirements.txt
+      - name: Lint reference strings
+        run: |
+          moz-fluent-lint ./locales/en/ --config .github/linter_config.yml
+      - name: Lint pending strings
+        if: always() # This step should run even if the previous one fails
+        run: |
+          moz-fluent-lint ./locales-pending/ --config .github/linter_config.yml

.github/workflows/release_cron_daily.yml

@@ -0,0 +1,105 @@
+name: Daily Pre-release
+
+permissions: {}
+
+on:
+  schedule:
+    - cron: '0 0 * * 1-5' # Runs Mon-Fri at midnight UTC
+  workflow_dispatch: # Allows manual trigger if needed
+
+jobs:
+  create-pre-release:
+    permissions:
+      contents: write
+      id-token: write
+    runs-on: ubuntu-latest
+    environment: build
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
+      GAR_REGISTRY: us-docker.pkg.dev
+      DOCKERHUB_IMAGE: mozilla/blurts-server # Define Docker Hub image name
+
+    steps:
+    - name: Checkout main branch
+      uses: actions/checkout@v6
+      with:
+        ref: main
+        persist-credentials: false
+
+    - name: Get current date
+      run: |
+        echo "CURRENT_DATE=$(date +%Y.%m.%d)" >> $GITHUB_ENV
+        echo "tag_name: $(date +%Y.%m.%d)"
+
+    - name: Create Pre-release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        curl -X POST \
+          -H "Authorization: token $GITHUB_TOKEN" \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${{ github.repository }}/releases \
+          -d '{
+            "tag_name": "${{ env.CURRENT_DATE }}",
+            "target_commitish": "main",
+            "name": "${{ env.CURRENT_DATE }}",
+            "body": "Daily pre-release for ${{ env.CURRENT_DATE }}.",
+            "prerelease": true,
+            "draft": false,
+            "generate_release_notes": true
+          }'
+
+    # We cannot rely on the release_retag.yaml workflow because of the
+    # auth scope of the default github token. It's a good security practice
+    # to prevent a github action being triggered by another.
+    # So we will deliberately push to dockerhub below
+    - name: Log in to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+
+    - name: Authenticate to Google Cloud
+      id: gcp-auth
+      uses: google-github-actions/auth@v3
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
+
+    - name: Login to Artifact Registry
+      id: gar-login
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.GAR_REGISTRY }}
+        username: oauth2accesstoken
+        password: ${{ steps.gcp-auth.outputs.access_token }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.DOCKERHUB_IMAGE }}
+        tags: type=sha,format=short,prefix=
+
+    - name: Pull Docker image from GAR with commit tag
+      env:
+        VERSION: ${{ steps.meta.outputs.version }}
+      run: docker pull ${{ env.GAR_IMAGE_BASE }}:$VERSION
+
+    - name: Tag Docker image for Docker Hub with release tag
+      env:
+        VERSION: ${{ steps.meta.outputs.version }}
+      run: docker tag ${{ env.GAR_IMAGE_BASE }}:$VERSION ${{ env.DOCKERHUB_IMAGE }}:${{ env.CURRENT_DATE }}
+
+    - name: Push Docker image to Docker Hub with release tag
+      run: docker push ${{ env.DOCKERHUB_IMAGE }}:${{ env.CURRENT_DATE }}
+
+    - name: Tag Docker image for GAR with release tag
+      env:
+        VERSION: ${{ steps.meta.outputs.version }}
+      run: docker tag ${{ env.GAR_IMAGE_BASE }}:$VERSION ${{ env.GAR_IMAGE_BASE }}:${{ env.CURRENT_DATE }}
+
+    - name: Push Docker image to GAR with release tag
+      run: docker push ${{ env.GAR_IMAGE_BASE }}:${{ env.CURRENT_DATE }}

.github/workflows/release_retag.yaml

@@ -0,0 +1,45 @@
+name: Retag and Push Docker Image on Release
+
+permissions: {}
+
+# GH release should always create a tag automatically
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  retag-and-push:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
+
+    - name: Log in to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: mozilla/blurts-server
+        tags: type=sha,format=short,prefix=
+
+    - name: Pull Docker image with commit tag
+      env:
+        TAGS: ${{ steps.meta.outputs.tags }}
+      run: docker pull $TAGS
+
+    - name: Tag Docker image with release tag
+      env:
+        TAGS: ${{ steps.meta.outputs.tags }}
+      run: docker tag $TAGS mozilla/blurts-server:${{ github.ref_name }}
+
+    - name: Push Docker image with release tag
+      run: docker push mozilla/blurts-server:${{ github.ref_name }}

.github/workflows/release_retag_v2.yaml

@@ -0,0 +1,83 @@
+name: Retag and Push GAR Image on Release v2
+
+permissions: {}
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  retag-and-push-gar:
+    permissions:
+      contents: "read" # Needed for checkout
+      id-token: "write" # Needed for GCP auth
+      packages: "none" # Explicitly disable package permissions
+    name: Retag and Push GAR image
+    runs-on: ubuntu-latest
+    environment: build
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false # Not strictly needed for retagging, but good practice
+
+    - name: Authenticate to Google Cloud
+      id: gcp-auth
+      uses: google-github-actions/auth@v3
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
+
+    - name: Login to Artifact Registry
+      id: gar-login
+      uses: docker/login-action@v3
+      with:
+        registry: us-docker.pkg.dev
+        username: oauth2accesstoken
+        password: ${{ steps.gcp-auth.outputs.access_token }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        # Use the GAR image base
+        images: ${{ env.GAR_IMAGE_BASE }}
+        tags: |
+          # Only generate the tag based on short commit SHA
+          type=sha,format=short,prefix=
+
+    - name: Determine Release-tagged image name
+      id: release_tag_info
+      run: echo "name=${{ env.GAR_IMAGE_BASE }}:${{ github.ref_name }}" >> $GITHUB_OUTPUT
+
+    - name: Pull Docker image with commit tag from GAR
+      env:
+        TAGS: ${{ steps.meta.outputs.tags }}
+      run: |
+        echo "Pulling $TAGS"
+        docker pull $TAGS
+
+    - name: Tag Docker image with release tag
+      env:
+        TAGS: ${{ steps.meta.outputs.tags }}
+        NAME: ${{ steps.release_tag_info.outputs.name }}
+      run: |
+        echo "Tagging $TAGS as $NAME"
+        docker tag $TAGS $NAME
+
+    - name: Push Docker image with release tag to GAR
+      env:
+        NAME: ${{ steps.release_tag_info.outputs.name }}
+      run: |
+        echo "Pushing $NAME"
+        docker push $NAME
+
+    - name: Print Image URI
+      env:
+        NAME: ${{ steps.release_tag_info.outputs.name }}
+      run: |
+        echo "Retagged and pushed GAR image: $NAME"

.github/workflows/test_integrations.yml

@@ -0,0 +1,52 @@
+name: "Test Integrations"
+permissions: {}
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test-integrations:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      # Log into Docker Hub to avoid getting rate-limited
+      - name: Login to Docker Hub
+        # Not giving dependabot secrets access, so continue if login fails
+        # and accept rate limit possibility
+        continue-on-error: true
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      # Kick off starting docker compose first, since it can take a bit and can run in the background
+      - name: Start Docker Compose services
+        run: docker compose --env-file=./.env.ci up -d
+
+      # While we wait for docker compose to be healthy we install node and needed packages for this service
+      - name: Set up node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20.19.x
+
+      - name: Install dependencies
+        run: npm ci
+      
+      # Wait for the docker services we started earlier to all be healthy
+      - name: Wait for services to be healthy
+        run: docker compose --env-file=./.env.ci up --wait
+      
+      - name: Set up postgres
+        run: npm run db:migrate
+        env:
+          DATABASE_URL: postgres://blurts:blurts@localhost:5432/test-blurts
+
+      # Let's run those integration tests!
+      - name: Run service integration tests
+        run: npm run test-integrations

.github/workflows/unittests.yaml

@@ -0,0 +1,41 @@
+name: Unit Tests
+
+permissions: {}
+
+on:
+  pull_request:
+  push:
+  schedule:
+    - cron: '0 8 * * *'
+
+jobs:
+  unit-tests:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.19.x'
+      - run: npm ci
+      - run: npm run build-glean
+      # Run the regular tests on push
+      - run: npm test
+        if: github.event_name != 'schedule'
+      # But measure coverage without ignore markers in the nighly job
+      - name: Remove `c8 ignore` markers to output full unit test coverage if on the `report-coverage` branch
+        run: find src/ -type f -name "*.js" -or -name "*.ts" -or -name "*.jsx" -or -name "*.tsx" -exec sed --in-place --expression='s/c8 ignore/c8 TEMPORARILY DO NOT ignore/g' {} \;
+        if: github.event_name == 'schedule'
+      # (and set an arbitrary coverage threshold for that "true" coverage):
+      - run: npm test -- --coverageThreshold='{"global":{"branches":80,"functions":80,"lines":80,"statements":80}}'
+        if: github.event_name == 'schedule'
+      - uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: coverage-report
+          path: coverage/
+          retention-days: 30

.gitignore

@@ -0,0 +1,80 @@
+node_modules
+.node-version
+coverage
+.coveralls.yml
+.DS_Store
+breach_hashsets
+version.json
+loadtests/__pycache__
+loadtests/venv
+.tmp
+public/dist
+dist
+public/logo_cache/
+src/client/images/logo_cache
+
+# Playwright
+**/test-results/
+**/playwright-report/
+**/playwright/.cache/
+**/blob-report/
+**/functional-test-cache/
+**/traces/
+**/*-snapshots/
+
+# Storybook
+*/storybook.log
+storybook-static/
+
+# The rest of this file was generated by create-next-app:
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.js
+
+# testing
+/coverage
+
+# load testing
+/src/scripts/loadtest/reports/
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# local env files
+.env*.local
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts
+
+# Sentry Auth Token
+.sentryclirc
+
+# Glean
+.venv
+/src/telemetry/generated/
+
+# Lighthouse CI
+.lighthouseci
+
+# vscode debugger
+.vscode/launch.json

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

.storybook/NextImage.tsx

@@ -0,0 +1,17 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { StaticImageData } from "next/image";
+
+const NextImage = ({
+  src,
+  alt,
+  ...props
+}: {
+  src: StaticImageData;
+  alt: string;
+  // eslint-disable-next-line @next/next/no-img-element
+}) => <img src={`/${src.src}`} alt={alt} {...props} />;
+
+export default NextImage;

.storybook/main.ts

@@ -0,0 +1,56 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import type { StorybookConfig } from "@storybook/nextjs";
+const config: StorybookConfig = {
+  stories: ["../src/**/*.mdx", "../src/**/*.stories.@(js|jsx|ts|tsx)"],
+
+  addons: [
+    "@storybook/addon-a11y",
+    "@storybook/addon-links",
+    "@storybook/addon-docs",
+  ],
+
+  framework: {
+    name: "@storybook/nextjs",
+    options: {},
+  },
+
+  docs: {},
+
+  staticDirs: [
+    // See https://github.com/storybookjs/storybook/tree/4f0c895bc53116272ef598f19e8d869213be49a9/code/frameworks/nextjs#nextfontlocal
+    {
+      from: "../src/app/fonts",
+      to: "src/app/fonts",
+    },
+  ],
+
+  async webpackFinal(config) {
+    config.module ??= {};
+    config.module.rules ??= [];
+    config.module.rules.push({
+      test: /\.ftl/,
+      type: "asset/source",
+    });
+
+    // There is an issue with serving static assests in Storybook 8.4. The fix
+    // will be included in version 8.6.0:
+    // https://github.com/storybookjs/storybook/issues/29576
+    config.resolve = {
+      ...(config.resolve ?? {}),
+      alias: {
+        ...(config.resolve?.alias ?? {}),
+        "next/image": require.resolve("./NextImage.tsx"),
+      },
+    };
+
+    return config;
+  },
+
+  typescript: {
+    reactDocgen: "react-docgen-typescript",
+  },
+};
+export default config;

.storybook/preview-head.html

@@ -0,0 +1,29 @@
+<!--
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -->
+<style>
+  body {
+    /*
+      The <AppDecorator> in preview.tsx should properly set the Inter font as
+      the default font using next/font, but some components are rendered outside
+      of the decorator by being appended to the <body> using a React Portal.
+      Specifically, React Aria does this for modal elements like the <AppPicker>
+      popover. Thus, this is a manual workaround to apply the Inter font there
+      too. On the actual website, outside of Storybook, this should not be a
+      problem, as the font is applied directly to the <body> using next/font in
+      the root layout (src/app/layout.tsx).
+     */
+    font-family: Inter;
+  }
+  /*
+    Make sure that stories set to render fullscreen (see
+    https://storybook.js.org/docs/react/configure/story-layout) also take up the
+    full height of the page. This is especially relevant for stories that
+    demonstrate full pages.
+   */
+  .sb-main-fullscreen #storybook-root {
+    height: 100%;
+  }
+</style>

.storybook/preview.tsx

@@ -0,0 +1,218 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import React, { useEffect } from "react";
+import { Inter } from "next/font/google";
+import type { Preview } from "@storybook/nextjs";
+import { action } from "storybook/actions";
+import { linkTo } from "@storybook/addon-links";
+import { sb } from "storybook/test";
+import "../src/app/globals.css";
+import { metropolis } from "../src/app/fonts/Metropolis/metropolis";
+import { TestComponentWrapper } from "../src/TestComponentWrapper";
+
+const inter = Inter({ subsets: ["latin"], variable: "--font-inter" });
+
+const AppDecorator: Preview["decorators"] = (storyFn) => {
+  useEffect(() => {
+    // We have to add these classes to the body, rather than simply wrapping the
+    // storyFn in a container, because some components (most notably, the ones
+    // that use useModalOverlay()) append elements to the end of the body using
+    // a React Portal, thus breaking out of a container element.
+    document.body.classList.add(inter.className);
+    document.body.classList.add(inter.variable);
+    document.body.classList.add(metropolis.variable);
+  }, []);
+
+  return <TestComponentWrapper>{storyFn()}</TestComponentWrapper>;
+};
+
+sb.mock("../src/app/hooks/locationSuggestions.ts");
+
+// Arguments to the `storySort` callback, left as documentation.
+type _SortData = {
+  type: "story";
+  id: string;
+  name: string;
+  title: string;
+  importPath: string;
+  tags: Array<"story" | string>;
+};
+
+const preview: Preview = {
+  parameters: {
+    controls: {
+      matchers: {
+        color: /(background|color)$/i,
+        date: /Date$/,
+      },
+    },
+    // https://storybook.js.org/docs/react/configure/story-layout
+    layout: "fullscreen",
+    options: {
+      // https://storybook.js.org/docs/react/writing-stories/naming-components-and-hierarchy#sorting-stories
+      // @ts-ignore Storybook appears to not parse this as TypeScript, so we can't
+      //            add `SortData` type annotations. See
+      //            https://github.com/storybookjs/storybook/issues/21702#issuecomment-1517154204
+      storySort: (a, b) =>
+        a.title.localeCompare(b.title, undefined, { numeric: true }),
+    },
+    nextjs: {
+      // See https://storybook.js.org/blog/integrate-nextjs-and-storybook-automatically/#nextnavigation
+      appDirectory: true,
+      navigation: {
+        push(path: string, ...otherArgs: unknown[]) {
+          action("nextNavigation.push")(path, ...otherArgs);
+
+          if (path === "/") {
+            linkTo("Pages/Public/Landing page", "US visitors")();
+          }
+
+          if (path === "/breaches") {
+            linkTo("Pages/Public/Breach index")();
+          }
+
+          if (path.startsWith("/breach-details/")) {
+            linkTo("Pages/Public/Breach listing")();
+          }
+
+          if (path === "/terms/expiration-offer") {
+            linkTo("Pages/Public/Terms/Plus expiration offer")();
+          }
+
+          if (path === "/user/dashboard") {
+            linkTo(
+              "Pages/Logged in/Dashboard",
+              "US user, without Premium, with unresolved scan results, with unresolved breaches",
+            )();
+          }
+
+          if (
+            path === "/user/dashboard/fix/data-broker-profiles/start-free-scan"
+          ) {
+            linkTo("Pages/Logged in/Guided resolution/1a. Free scan")();
+          }
+
+          if (
+            path ===
+            "/user/dashboard/fix/data-broker-profiles/view-data-brokers"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/1b. Scan results",
+              "With a few unresolved scan results (free)",
+            )();
+          }
+
+          if (
+            path === "/user/dashboard/fix/data-broker-profiles/manual-remove"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/1c. Manually resolve brokers",
+            )();
+          }
+
+          if (
+            path ===
+            "/user/dashboard/fix/high-risk-data-breaches/social-security-number"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/2. High-risk data breaches",
+              "2a. Social Security Number",
+            )();
+          }
+
+          if (
+            path === "/user/dashboard/fix/high-risk-data-breaches/credit-card"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/2. High-risk data breaches",
+              "2b. Credit card",
+            )();
+          }
+
+          if (
+            path === "/user/dashboard/fix/high-risk-data-breaches/bank-account"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/2. High-risk data breaches",
+              "2c. Bank account",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/high-risk-data-breaches/pin") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/2. High-risk data breaches",
+              "2d. PIN",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/high-risk-data-breaches/done") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/2. High-risk data breaches",
+              "2e. Done",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/leaked-passwords/passwords") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/3. Leaked passwords",
+              "3a. Passwords",
+            )();
+          }
+
+          if (
+            path === "/user/dashboard/fix/leaked-passwords/security-questions"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/3. Leaked passwords",
+              "3b. Security questions",
+            )();
+          }
+
+          if (
+            path === "/user/dashboard/fix/leaked-passwords/passwords-done" ||
+            path ===
+              "/user/dashboard/fix/leaked-passwords/security-questions-done"
+          ) {
+            linkTo(
+              "Pages/Logged in/Guided resolution/3. Leaked passwords",
+              "3c. Done",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/security-recommendations/phone") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/4. Security recommendations",
+              "4a. Phone number",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/security-recommendations/email") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/4. Security recommendations",
+              "4b. Email address",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/security-recommendations/ip") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/4. Security recommendations",
+              "4c. IP address",
+            )();
+          }
+
+          if (path === "/user/dashboard/fix/security-recommendations/done") {
+            linkTo(
+              "Pages/Logged in/Guided resolution/4. Security recommendations",
+              "4d. Done",
+            )();
+          }
+        },
+      },
+    },
+  },
+  decorators: [AppDecorator],
+};
+
+export default preview;

.vscode/extensions.json

@@ -0,0 +1,16 @@
+{
+	// See https://go.microsoft.com/fwlink/?LinkId=827846 to learn about workspace recommendations.
+	// Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
+
+	// List of extensions which should be recommended for users of this workspace.
+	"recommendations": [
+		"dbaeumer.vscode-eslint",
+		"stylelint.vscode-stylelint",
+		"esbenp.prettier-vscode",
+		"eamodio.gitlens",
+		"Orta.vscode-jest",
+		"macabeus.vscode-fluent",
+	],
+	// List of extensions recommended by VS Code that should not be recommended for users of this workspace.
+	"unwantedRecommendations": []
+}

.vscode/settings.json

@@ -0,0 +1,30 @@
+{
+    "eslint.enable": true,
+    "eslint.format.enable": true,
+    "editor.tabSize": 2,
+    "editor.formatOnSave": false,
+    "editor.formatOnSaveMode": "modificationsIfAvailable",
+    "eslint.validate": [
+        "javascript"
+    ],
+    "gitlens.advanced.blame.customArguments": [
+        "--ignore-revs-file",
+        ".git-blame-ignore-revs"
+    ],
+    "[css][scss]": {
+        "editor.codeActionsOnSave": {
+            "source.fixAll.stylelint": "explicit"
+        }
+    },
+    "[javascript][typescript][typescriptreact]": {
+        "editor.codeActionsOnSave": {
+            "source.fixAll.eslint": "explicit"
+        }
+    },
+    "[javascript][typescript][typescriptreact][markdown][html][css][scss]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode",
+    },
+  "[fluent]": {
+    "files.trimTrailingWhitespace": true
+  },
+}

CNAME

@@ -0,0 +1 @@
+abdulelathmanhgwaith.link

CODE_OF_CONDUCT.md

@@ -0,0 +1,15 @@
+# Community Participation Guidelines
+
+This repository is governed by Mozilla's code of conduct and etiquette guidelines. 
+For more details, please read the
+[Mozilla Community Participation Guidelines](https://www.mozilla.org/about/governance/policies/participation/). 
+
+## How to Report
+For more information on how to report violations of the Community Participation Guidelines, please read our '[How to Report](https://www.mozilla.org/about/governance/policies/participation/reporting/)' page.
+
+<!--
+## Project Specific Etiquette
+
+In some cases, there will be additional project etiquette i.e.: (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html).
+Please update for your project.
+-->

LICENSE

@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in 
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

README.md

@@ -0,0 +1,323 @@
+# Firefox Monitor Server
+
+[![Functional Test Suite](https://github.com/mozilla/blurts-server/actions/workflows/functional_tests_cron.yml/badge.svg)](https://github.com/mozilla/blurts-server/actions/workflows/functional_tests_cron.yml)
+
+## Summary
+
+Firefox Monitor notifies users when their credentials have been compromised in a data breach.
+
+This code is for the monitor.mozilla.org service & website.
+
+Breach data is powered by [haveibeenpwned.com](https://haveibeenpwned.com/).
+
+See the [Have I Been Pwned about page](https://haveibeenpwned.com/About) for
+the "what" and "why" of data breach alerts.
+
+## Architecture
+
+![Image of Monitor architecture](docs/monitor-architecture.png "Firefox Monitor")
+
+## Development
+
+### Requirements
+
+- [Volta](https://volta.sh/) (installs the correct version of Node and npm)
+- [Postgres](https://www.postgresql.org/) | Note: On a Mac, we recommend downloading the [Postgres.app](https://postgresapp.com/) instead.
+- [Python](https://www.python.org/downloads/) | [With Homebrew](https://docs.brew.sh/Homebrew-and-Python)
+- [k6](https://grafana.com/docs/k6/latest/set-up/install-k6/) | k6 load testing tool
+
+### Code style
+
+Linting and formatting is enforced via [ESLint](https://eslint.org/) and [Stylelint](https://stylelint.io/) for JS and CSS. Both are installed as dev-dependencies and can be run with `npm run lint`. A push to origin will also trigger linting.
+
+ESLint rules are based on [eslint-config-standard](https://github.com/standard/eslint-config-standard). To fix all auto-fixable problems, run `npx eslint . --fix`
+
+Stylelint rules are based on [stylelint-config-standard](https://github.com/stylelint/stylelint-config-standard). To fix all auto-fixable problems, run `npx stylelint public/css/ --fix`
+
+### GIT
+
+We track commits that are largely style/formatting via `.git-blame-ignore-revs`. This allows Git Blame to ignore the format commit author and show the original code author. In order to enable this in GitLens, add the following to VS Code `settings.json`:
+
+```
+"gitlens.advanced.blame.customArguments": [
+   "--ignore-revs-file",
+   ".git-blame-ignore-revs"
+],
+```
+
+### Database
+
+To create the database tables you have two options: manually, or using docker-compose
+
+#### Manual setup
+
+1. Create the `blurts` database:
+
+   ```sh
+   createdb blurts
+   createdb test-blurts # for tests
+   ```
+
+2. Update the `DATABASE_URL` value in your `.env.local` (see step 3 under
+   "Install") file with your local db credentials:
+
+   ```
+   DATABASE_URL="postgres://<username>:<password>@localhost:<port>/blurts"
+   ```
+
+3. Run the migrations:
+
+   ```
+   npm run db:migrate
+   ```
+
+#### Via docker-compose
+
+This will automatically provision the databases 'blurts' and 'test-blurts', and a user 'blurts' with password 'blurts'. The connection string in your .env.local file should be: "postgres://blurts:blurts@localhost:5432/blurts"
+
+1. Ensure that you have an up-to-date .env.local file.
+
+   ```$sh
+   cp .env.local.example .env.local
+   ```
+
+2. Start docker containers (this will stand up all services defined, including pubsub)
+
+   ```sh
+   docker compose --env-file .env.local up -d
+   ```
+
+3. To tear down (this will delete stored data):
+
+   ```sh
+   docker compose --env-file .env.local down
+   ```
+
+### Install
+
+1. Clone and change to the directory:
+
+   ```sh
+   git clone https://github.com/mozilla/blurts-server.git
+   cd blurts-server
+   ```
+
+2. Install dependencies:
+
+   ```sh
+   npm install
+   ```
+
+3. Copy the `.env.local.example` file to `.env.local`:
+
+   ```sh
+   cp .env.local.example .env.local
+   ```
+
+4. Install fluent linter (requires Python)
+
+   ```sh
+   pip install -r .github/requirements.txt
+
+   OR
+
+   pip3 install -r .github/requirements.txt
+   ```
+
+5. Generate required Glean files (needs re-ran anytime Glean `.yaml` files are updated):
+
+   ```sh
+   npm run build-glean
+   ```
+
+6. Generate required Nimbus files (needs re-ran anytime Nimbus' `config/nimbus.yaml` file is updated):
+
+   ```sh
+   npm run build-nimbus
+   ```
+
+7. Create location data: Running the script manually is only needed for local development. The location data is being used in the onboarding exposures scan for autocompleting the “City and state” input.
+
+   ```sh
+   npm run create-location-data
+   ```
+
+8. Ensure that you have the right `env` variables/keys set in your `.env.local` file. You can retrieve the variables from the Firefox Monitor 1Password Vault, or through [Magic-Wormhole](https://magic-wormhole.readthedocs.io/en/latest/), by asking one of the our engineers.
+
+### Run
+
+1. To run the server similar to production using a build phase, which includes minified and bundled assets:
+
+   ```sh
+   npm start
+   ```
+
+   **_OR_**
+
+   Run in "dev mode" with:
+
+   ```sh
+   npm run dev
+   ```
+
+2. You may receive the error `Required environment variable was not set`. If this is the case, get the required env var(s) from another team member or ask in #fx-monitor-engineering. Otherwise, if the server started successfully, navigate to [localhost:6060](http://localhost:6060/)
+
+### PubSub
+
+Monitor uses GCP PubSub for processing incoming breach data, this can be tested locally using an emulator: <https://cloud.google.com/pubsub/docs/emulator>
+
+You can run the emulator manually or via docker-compose.
+
+#### Manual Setup
+
+##### Run the GCP PubSub emulator
+
+```sh
+gcloud beta emulators pubsub start --project=your-project-name
+```
+
+(Set `your-project-name` as the value for `GCP_PUBSUB_PROJECT_ID` in your `.env.local`.)
+
+#### Docker Compose Setup
+
+This will automatically provision a pubsub topic named 'hibp-breaches' with a subscription named 'hibp-cron'.
+
+1. Ensure that you have an up-to-date .env.local file.
+
+   ```$sh
+   cp .env.local.example .env.local
+   ```
+
+2. Start docker containers (this will stand up all services defined, including postgres)
+
+   ```sh
+   docker compose --env-file .env.local up -d
+   ```
+
+### In a different shell, set the environment to point at the emulator and run Monitor in dev mode
+
+```sh
+$(gcloud beta emulators pubsub env-init)
+npm run dev
+```
+
+### Incoming WebHook requests from HIBP will be of the form
+
+```sh
+curl -d '{ "breachName": "000webhost", "hashPrefix": "test", "hashSuffixes": ["test"] }' \
+  -H "Authorization: Bearer unsafe-default-token-for-dev" \
+  http://localhost:6060/api/v1/hibp/notify
+```
+
+This emulates HIBP notifying our API that a new breach was found. Our API will
+then add it to the (emulated) pubsub queue.
+
+You can also use this request with staging credentials and endpoint to manually trigger alerts in the staging environment. For instructions on how to generate the hashPrefix and hashSuffix values, see [instructions below](#testing-the-breach-alerts-cron-job-locally).
+
+### This pubsub queue will be consumed by this cron job, which is responsible for looking up and emailing impacted users
+
+```sh
+NODE_ENV="development" npm run dev:cron:breach-alerts
+```
+
+### Emails
+
+Monitor generates multiple emails that get sent to subscribers. To preview or test-send these emails see documentation [here](docs/monitor-emails.md).
+
+### Mozilla accounts ("FxA", formerly known as Firefox accounts)
+
+The repo comes with a development FxA oauth app pre-configured in `.env`, which
+should work fine running the app on <http://localhost:6060>. You'll need to get
+the `OAUTH_CLIENT_SECRET` value from a team member or someone in #fxmonitor-engineering.
+
+## Testing
+
+The unit test suite can be run via `npm test`.
+
+At the beginning of a test suite run, the `test-blurts` database will be populated with test tables and seed data found in `src/db/seeds/`
+
+At the end of a test suite, coverage info will be sent to [Coveralls](https://coveralls.io/) to assess coverage changes and provide a neat badge. To upload coverage locally, you need a root `.coveralls.yml` which contains a token – get this from another member of the Monitor team.
+
+The [functional tests](https://github.com/mozilla/blurts-server/src/functional-tests) use Playwright and can be run via `npm run functional-tests`.
+
+#### Test Firefox Integration
+
+_**TODO:** the following functionality is disabled but the instructions are left here for posterity._
+
+Firefox's internal about:protections page ("Protections Dashboard") fetches and
+displays breach stats for Firefox users who are signed into their FXA.
+
+To test this part of Monitor:
+
+1. [Set a Firefox profile to use the staging Firefox Accounts
+   server.](https://mozilla.github.io/ecosystem-platform/docs/process/using-the-staging-environment#working-with-staging-firefox-accounts)
+2. In the same profile, go to about:config and replace [all
+   `https://monitor.firefox.com`
+   values](https://searchfox.org/mozilla-central/search?q=monitor.firefox.com&path=browser/app/profile/firefox.js) with `http://localhost:6060`
+3. Restart Firefox with that profile.
+4. Go to `about:protections`
+5. Everything should be using your localhost instance of Monitor.
+
+#### Load testing
+
+k6 is used for load testing.
+
+See <https://grafana.com/docs/k6/latest/get-started/running-k6/> for more information.
+
+##### HIBP breach alerts
+
+To test the HIBP breach alerts endpoint, use:
+
+```sh
+export SERVER_URL=...
+export HIBP_NOTIFY_TOKEN=...
+npm run loadtest:hibp-webhook
+```
+
+You can customise the number of requests to send in parallel ("virtual users") by setting the
+[`K6_VUS`](https://grafana.com/docs/k6/latest/using-k6/k6-options/reference/#vus) environment
+variable (default 1000), and for how long to send those requests by setting the
+[`K6_DURATION`](https://grafana.com/docs/k6/latest/using-k6/k6-options/reference/#duration)
+environment variable (default 30s).
+
+You can also enforce the alert being sent for a specific email address via the
+`LOADTEST_BREACHED_EMAIL` environment variable.
+
+#### Testing the Breach Alerts cron job locally
+
+1. Ensure SMTP_URL environment variable is unset; this will log to JSON instead of attempting to send an email
+1. Follow instructions to start blurts server locally, including the database and emulated GCP PubSub topic
+1. Create a new account, and note the email address you used for the next step
+1. Update the email address below and paste into your terminal
+
+```sh
+# Replace with whatever email address you used above, or omit and
+# export env var first to persist between runs
+# `export HIBP_TEST_EAMIL=replace-me-email@example.com`
+HIBP_TEST_EMAIL="replace-me-email@example.com"; \
+HASH=$(echo -n "$HIBP_TEST_EMAIL" | sha1sum | awk '{print $1}'); \
+PREFIX=${HASH:0:7}; \
+SUFFIX=${HASH:7}; \
+curl -d "{\"breachName\": \"000webhost\", \"hashPrefix\": \"$PREFIX\", \"hashSuffixes\": [\"$SUFFIX\"]}" \
+  -H "Authorization: Bearer unsafe-default-token-for-dev" \
+  -H "Content-Type: application/json" \
+  http://localhost:6060/api/v1/hibp/notify
+```
+
+Note that the database must be seeded with breaches or else this request will not trigger emails due to validation error. The breachName must match the name of a breach in the database. Query the `breaches` table in the database for additional breach names to test more than once for the same email address (a user will be notified for a breach only once). Alternatively you can delete the record that was created in the `email_notifications` table to retest.
+
+## Localization
+
+All text that is visible to the user is defined in [Fluent](https://projectfluent.org/) files inside `/locales/en/` and `/locales-pending/`. After strings get added to files in the former directory on our `main` branch, they will be made available to our volunteer localizers via Pontoon, Mozilla's localization platform. Be sure to reference the [localization documentation](https://mozilla-l10n.github.io/documentation/localization/dev_best_practices.html) for best practices. It's best to only move the strings to `/locales/en/` when they are more-or-less final and ready for localization. Your PR should be automatically tagged with a reviewer from the [Mozilla L10n team](https://wiki.mozilla.org/L10n:Mozilla_Team) to approve your request.
+
+You can check translation status via the [Pontoon site](https://pontoon.mozilla.org/projects/firefox-monitor-website/). After strings have been localized, [a pull request](https://github.com/mozilla/blurts-server/pulls?q=is%3Apr+label%3Al10n+) with the updated strings is automatically opened against our repository. Please be mindful that Mozilla localizers are volunteers, and translations come from different locales at different times – usually after a week or more.
+
+To use the strings in code, you need to obtain a `ReactLocalization` instance, which selects the right version of your desired string for the user. How to do that depends on where your code runs: in tests, in a cron job, in a server component, or on the client-side. Generally, you will import a `getL10n` function from one of the modules in `/src/app/functions/l10n/`, except for [Client Components](https://nextjs.org/docs/app/building-your-application/rendering/client-components), which use [the `useL10n` hook](./src/app/hooks/l10n.ts). Look at existing code for inspiration.
+
+## Preview Deployment
+
+We use GCP Cloudrun for dev review – official stage and production apps are built by the Dockerfile and Github Actions. Everything that is merged into `main` will deploy automatically to stage. The ADR for preview deployment can be found [here](https://github.com/mozilla/blurts-server/blob/main/docs/adr/0008-preview-deployment.md)
+
+_**TODO:** add full deploy process similar to Relay_
+
+_**TODO:** consider whether we can re-enable Heroku Review Apps_

google3c147320b7d46152.html

@@ -0,0 +1 @@
+google-site-verification: google3c147320b7d46152.html