Merge branch 'main' into sbel/correct_jira_id_label

Author: sbelhaik

.github/copilot-instructions.md

@@ -55,6 +55,32 @@ Skills are detected and loaded based on file type, task keywords, and context si
 - Avoid duplicating policy/checklist text across this file and skills.
 - If overlap is found, retain one canonical source and replace duplicates with a short pointer.
 
+## Security Defaults (Always-On)
+
+Apply secure-by-default behavior across all code generation, changes, and reviews, regardless of language or component.
+
+- Prefer least privilege across code, services, identities, file permissions, APIs, containers, and workflows; avoid insecure defaults.
+- Treat all external input as untrusted and validate format, type, range, and length at trust boundaries.
+- Never hard-code or introduce secrets, credentials, keys, tokens, or passwords in source, tests, configs, or templates; use environment variables or approved secret-management mechanisms.
+- Avoid exposing sensitive data in logs, traces, errors, metrics, or test artifacts.
+- Prevent injection vulnerabilities by avoiding unsafe string construction and using safe, context-appropriate APIs.
+- Prefer trusted, actively maintained dependencies and images; verify sources and pin versions where feasible.
+- Avoid deprecated, unmaintained, or ambiguous packages.
+- Do not suggest bypassing or weakening existing security checks or validations.
+- Keep authorization checks server-side and close to protected resources.
+- Avoid unsafe dynamic execution patterns (`eval`, `exec`, untrusted command construction).
+- Do not assume trusted inputs, networks, or environments.
+- Be explicit about assumptions and limitations.
+- Fail safely and visibly.
+
+## AI Output Trust Model
+
+Treat AI-generated output as **untrusted draft code** until reviewed and tested.
+Reject suggestions that bypass security controls for convenience or introduce unsafe defaults.
+
+For detailed security review guidance, follow:
+`.github/skills/security.md`.
+
 ## Architecture Overview
 
 **Core Components:**

.github/skills/security.md

@@ -0,0 +1,149 @@
+# Security Review Skill (On-Demand)
+
+## Purpose
+
+This document defines on-demand security review guidance for code and configuration changes.
+It complements the always-on secure-by-default rules defined in `.github/copilot-instructions.md`.
+
+This skill applies only at development and authoring time.
+Runtime, host, cluster, or organizational security controls are explicitly out of scope.
+
+---
+
+## Security Review Trigger Points
+
+Load this security review skill when changes involve:
+
+- Authentication, session, or token logic
+- Authorization or resource ownership checks
+- Input parsing, validation, normalization, or canonicalization
+- File handling, deserialization, template rendering, or process execution
+- Logging, telemetry, secrets handling, or sensitive data paths
+- Dependency upgrades, lockfile changes, or CVE-related updates
+- Dockerfile or container base image changes
+- Docker Compose, Helm charts, or Kubernetes-related configuration
+- CI/CD workflow changes affecting build, test, release, or scanning
+- Privilege elevation, root execution, host mounts, or new Linux capabilities
+
+---
+
+## AI-Generated Code Guardrails
+
+When reviewing AI-generated changes:
+
+- Treat AI output as untrusted draft code until reviewed and tested
+- Verify package names, APIs, images, and tools exist and originate from trusted sources
+- Reject suggestions that bypass or disable security controls for convenience
+- Require pinned versions and lockfiles for generated dependencies; prefer integrity-verified installs when supported
+- Never accept generated code or configs that inject secrets via source files, Dockerfile `ARG`/`ENV`, or committed templates
+- Reject generated install scripts that use unchecked remote execution patterns (e.g., `curl | sh`) without checksum or signature verification
+- Reject generated build commands that disable TLS, certificate verification, or security checks to make builds pass
+- Apply RCI pattern: ask the AI to review its own output for security issues, then improve; repeat 1-2 iterations
+
+---
+
+## Secure Code Review (OSS Context)
+
+Apply when reviewing application logic, services, APIs, or libraries.
+
+### Input handling
+
+- Validate input at trust boundaries (format, type, range, length)
+- Avoid unsafe deserialization
+- Do not propagate unvalidated input across trust boundaries
+- Avoid command, query, or expression construction via string concatenation
+- Use parameterized queries for all database access
+
+### Authorization
+
+- **Keep authorization checks server-side and close to protected actions or resources**
+- Do not rely on client-side enforcement for access control
+
+### Error handling
+
+- Errors must not expose sensitive internal details
+- Avoid ignored return values or silent failures
+
+### Memory & resource safety (where applicable)
+
+- Avoid unchecked allocations and unbounded resource use
+- Ensure files, sockets, and handles are closed deterministically
+
+### Logging & telemetry
+
+- Do not log credentials, tokens, secrets, or PII
+- Logs should be actionable without exposing sensitive data
+
+### Dynamic execution
+
+- **Avoid unsafe dynamic execution patterns (`eval`, `exec`, reflection, or untrusted code execution).**
+
+### Dependency usage
+
+- Avoid shelling out when native APIs or libraries exist
+- Flag outdated, unmaintained, or suspicious dependencies
+- Prefer latest stable versions; specify exact or range-locked versions
+
+### OSS-specific review checks
+
+- Is externally observable **security-relevant behavior** documented?
+- Are assumptions and limitations stated explicitly for users?
+
+If uncertainty exists, flag it clearly rather than guessing or assuming safety.
+
+---
+
+## Container Artifact Review (Development-Time)
+
+Apply when generating or reviewing:
+
+- Dockerfiles / Containerfiles
+- docker-compose.yml
+- Helm charts (templates and values)
+
+### Dockerfile
+
+- Avoid `latest` or floating tags; pin versions or digests
+- Prefer minimal base images
+- Ensure containers do not run as root
+- Avoid setuid or setgid binaries
+- Use multi-stage builds and remove build tools, package caches, and temp files from final image
+- Prefer `COPY` over `ADD`
+- Never embed secrets in `ARG`, `ENV`, or filesystem layers
+
+### Docker Compose
+
+- Avoid `privileged: true` and host networking unless explicitly justified
+- Do not mount the Docker socket
+- Restrict host filesystem mounts
+- Limit exposed ports and networks; prefer internal networks
+
+Concerns that depend on deployment or runtime policy should be flagged as:
+**"Deployment-time responsibility."**
+
+---
+
+## Helm / Kubernetes Review (Development-Time)
+
+- Default to `runAsNonRoot: true`
+- Set `allowPrivilegeEscalation: false`
+- Prefer read-only root filesystem where feasible
+- Drop unnecessary Linux capabilities
+- Do not template secrets directly into charts
+- Document required runtime security assumptions
+
+Do not enforce cluster-wide, node-level, or runtime security controls.
+
+---
+
+## Review Output Expectations
+
+- Identify which section applies (Code / Container / Helm)
+- Classify findings as:
+  - Fix in artifact
+  - Deployment/runtime responsibility
+- Explicitly state assumptions or uncertainty
+- Use severity levels: Critical / High / Medium / Low with confidence: High / Medium / Low
+- Include specific file/function references and recommended fixes
+
+Security review is advisory; final decisions belong to maintainers.

.github/workflows/auto-update-labeled.yml

@@ -0,0 +1,123 @@
+---
+# SPDX-FileCopyrightText: (C) 2025 - 2026 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: "[CI/CD] Auto-Update Pull Requests"
+run-name: "[CI/CD] Auto-Update PRs based on ${{ github.ref_name }}"
+
+on: # yamllint disable-line rule:truthy
+  push:
+  pull_request:
+    types:
+      - auto_merge_enabled
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  update-pull-requests:
+    name: "Update pull requests targeting this branch"
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    env:
+      # Only PRs carrying this label are updated (drafts included).
+      UPDATE_LABEL: "auto-update"
+
+    steps:
+      - name: "Find and update pull requests"
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+          BASE_BRANCH: ${{ github.ref_name }}
+        run: |
+          echo "Searching for open PRs targeting '${BASE_BRANCH}'"
+
+          if ! pr_list_output=$(gh pr list \
+            --repo "$GITHUB_REPOSITORY" \
+            --base "$BASE_BRANCH" \
+            --label "$UPDATE_LABEL" \
+            --state open \
+            --json number,isDraft,headRefName,title \
+            --jq '.[] | @json'); then
+            echo "ERROR: gh pr list failed — check API access and token permissions."
+            exit 1
+          fi
+
+          mapfile -t prs <<< "$pr_list_output"
+          # When output is empty, mapfile produces one empty element — normalize it.
+          if [[ ${#prs[@]} -eq 1 && -z "${prs[0]}" ]]; then
+            prs=()
+          fi
+
+          if [[ ${#prs[@]} -eq 0 ]]; then
+            echo "No open PRs with label '${UPDATE_LABEL}' targeting '${BASE_BRANCH}' — nothing to do."
+            exit 0
+          fi
+
+          echo "Found ${#prs[@]} candidate PR(s)."
+
+          failed=0
+          for pr_json in "${prs[@]}"; do
+            pr_number=$(echo "$pr_json" | jq -r '.number')
+            is_draft=$(echo  "$pr_json" | jq -r '.isDraft')
+            head_ref=$(echo  "$pr_json" | jq -r '.headRefName')
+            title=$(echo     "$pr_json" | jq -r '.title')
+
+            echo "→ PR #${pr_number}: '${title}' (head: ${head_ref}, draft: ${is_draft})"
+
+            if gh pr update-branch "$pr_number" --repo "$GITHUB_REPOSITORY"; then
+              echo "  ✓ PR #${pr_number} updated successfully."
+            else
+              echo "  ✗ PR #${pr_number} could not be updated (may already be up to date or have a merge conflict)."
+              failed=$((failed + 1))
+            fi
+          done
+
+          echo "Done. Failed: ${failed}."
+          if [[ $failed -gt 0 ]]; then
+            echo "Warning: ${failed} PR(s) could not be updated — review the logs above."
+          fi
+
+  remove-label-on-automerge:
+    name: "Remove auto-update label when auto-merge is enabled"
+    if: github.event_name == 'pull_request' && github.event.action == 'auto_merge_enabled'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    env:
+      UPDATE_LABEL: "auto-update"
+
+    steps:
+      - name: "Remove '${{ env.UPDATE_LABEL }}' label from PR"
+        env:
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          # Query labels first and fail explicitly if the GitHub CLI request fails.
+          if ! pr_labels=$(gh pr view "$PR_NUMBER" \
+            --repo "$GITHUB_REPOSITORY" \
+            --json labels \
+            --jq '.labels[].name'); then
+            echo "Failed to read labels for PR #${PR_NUMBER}."
+            exit 1
+          fi
+
+          # Treat a missing label as a normal no-op, but do not mask query failures.
+          if ! printf '%s\n' "$pr_labels" | grep -Fxq -- "$UPDATE_LABEL"; then
+            echo "PR #${PR_NUMBER} does not have the '${UPDATE_LABEL}' label — nothing to do."
+            exit 0
+          fi
+
+          echo "Removing '${UPDATE_LABEL}' label from PR #${PR_NUMBER} (auto-merge enabled)."
+          gh pr edit "$PR_NUMBER" \
+            --repo "$GITHUB_REPOSITORY" \
+            --remove-label "$UPDATE_LABEL"
+          echo "Label removed."

controller/src/controller/detections_builder.py

@@ -88,17 +88,18 @@ def prepareObjDict(scene, obj, update_visibility, include_sensors=False,
       if key != 'reid':
         obj_dict['metadata'][key] = value
 
-  # Output reid in metadata structure
+  # Output reid in metadata structure.
+  # embedding_vector is always a (1, N) ndarray after decodeReIDEmbeddingVector.
   if aobj.reid and 'embedding_vector' in aobj.reid:
     reid_embedding = aobj.reid['embedding_vector']
     if reid_embedding is not None:
       if 'metadata' not in obj_dict:
         obj_dict['metadata'] = {}
-      if isinstance(reid_embedding, np.ndarray):
-        obj_dict['metadata']['reid'] = {'embedding_vector': reid_embedding.tolist()}
-      else:
-        obj_dict['metadata']['reid'] = {'embedding_vector': reid_embedding}
-      # Add model_name if available
+      reid_vec = np.asarray(reid_embedding, dtype=np.float32)
+      obj_dict['metadata']['reid'] = {
+        'embedding_vector': reid_vec.tolist(),
+        'embedding_dimensions': int(reid_vec.reshape(-1).shape[0]),
+      }
       if 'model_name' in aobj.reid:
         obj_dict['metadata']['reid']['model_name'] = aobj.reid['model_name']