update

2026-01-17 21:57:04 +01:00
parent 831eed8dbc
commit abef368a68
19 changed files with 677 additions and 757 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,7 +136,6 @@ jobs:
          GUARDDEN_AI_PROVIDER: "none"
          GUARDDEN_LOG_LEVEL: "DEBUG"
        run: |
          # Run database migrations for tests
          python -c "
          import os
          os.environ['GUARDDEN_DISCORD_TOKEN'] = 'test_token_12345678901234567890123456789012345'
@@ -153,15 +152,6 @@ jobs:
        run: |
          pytest --cov=src/guardden --cov-report=xml --cov-report=html --cov-report=term-missing
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v3
        if: matrix.python-version == '3.11'
        with:
          file: ./coverage.xml
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: false
      - name: Upload coverage reports
        uses: actions/upload-artifact@v3
        if: matrix.python-version == '3.11'
@@ -207,64 +197,3 @@ jobs:
      - name: Test Docker image
        run: |
          docker run --rm guardden:${{ github.sha }} python -m guardden --help
  deploy-staging:
    name: Deploy to Staging
    runs-on: ubuntu-latest
    needs: [code-quality, test, build-docker]
    if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
    environment: staging
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Deploy to staging
        run: |
          echo "Deploying to staging environment..."
          echo "This would typically involve:"
          echo "- Pushing Docker image to registry"
          echo "- Updating Kubernetes/Docker Compose configs"
          echo "- Running database migrations"
          echo "- Performing health checks"
  deploy-production:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: [code-quality, test, build-docker]
    if: github.event_name == 'release'
    environment: production
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Deploy to production
        run: |
          echo "Deploying to production environment..."
          echo "This would typically involve:"
          echo "- Pushing Docker image to registry with version tag"
          echo "- Blue/green deployment or rolling update"
          echo "- Running database migrations"
          echo "- Performing comprehensive health checks"
          echo "- Monitoring deployment success"
  notification:
    name: Notification
    runs-on: ubuntu-latest
    needs: [code-quality, test, build-docker]
    if: always()
    steps:
      - name: Notify on failure
        if: contains(needs.*.result, 'failure')
        run: |
          echo "Pipeline failed. In a real environment, this would:"
          echo "- Send notifications to Discord/Slack"
          echo "- Create GitHub issue for investigation"
          echo "- Alert the development team"
      - name: Notify on success
        if: needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.build-docker.result == 'success'
        run: |
          echo "Pipeline succeeded! In a real environment, this would:"
          echo "- Send success notification"
          echo "- Update deployment status"
          echo "- Trigger downstream processes"
--- a/.gitea/workflows/dependency-updates.yml
+++ b/.gitea/workflows/dependency-updates.yml
@@ -0,0 +1,44 @@
 name: Dependency Updates
 on:
  schedule:
    - cron: '0 9 * * 1'
  workflow_dispatch:
 jobs:
  update-dependencies:
    name: Update Dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"
      - name: Install pip-tools
        run: |
          python -m pip install --upgrade pip
          pip install pip-tools
      - name: Update dependencies
        run: |
          pip-compile --upgrade pyproject.toml --output-file requirements.txt
          pip-compile --upgrade --extra dev pyproject.toml --output-file requirements-dev.txt
      - name: Check for security vulnerabilities
        run: |
          pip install safety
          safety check --file requirements.txt --json --output vulnerability-report.json || true
          safety check --file requirements-dev.txt --json --output vulnerability-dev-report.json || true
      - name: Upload vulnerability reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: vulnerability-reports
          path: |
            vulnerability-report.json
            vulnerability-dev-report.json
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -1,75 +0,0 @@
 name: Dependency Updates
 on:
  schedule:
    # Run weekly on Mondays at 9 AM UTC
    - cron: '0 9 * * 1'
  workflow_dispatch: # Allow manual triggering
 jobs:
  update-dependencies:
    name: Update Dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"
      - name: Install pip-tools
        run: |
          python -m pip install --upgrade pip
          pip install pip-tools
      - name: Update dependencies
        run: |
          # Generate requirements files from pyproject.toml
          pip-compile --upgrade pyproject.toml --output-file requirements.txt
          pip-compile --upgrade --extra dev pyproject.toml --output-file requirements-dev.txt
      - name: Check for security vulnerabilities
        run: |
          pip install safety
          safety check --file requirements.txt --json --output vulnerability-report.json || true
          safety check --file requirements-dev.txt --json --output vulnerability-dev-report.json || true
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: 'chore: update dependencies'
          title: 'Automated dependency updates'
          body: |
            ## Automated Dependency Updates
            This PR contains automated dependency updates generated by the dependency update workflow.
            ### Changes
            - Updated all dependencies to latest compatible versions
            - Checked for security vulnerabilities
            ### Security Scan Results
            Please review the uploaded security scan artifacts for any vulnerabilities.
            ### Testing
            - [ ] All tests pass
            - [ ] No breaking changes introduced
            - [ ] Security scan results reviewed
            **Note**: This is an automated PR. Please review all changes carefully before merging.
          branch: automated/dependency-updates
          delete-branch: true
      - name: Upload vulnerability reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: vulnerability-reports
          path: |
            vulnerability-report.json
            vulnerability-dev-report.json
--- a/IMPLEMENTATION_PLAN.md
+++ b/IMPLEMENTATION_PLAN.md
@@ -1,400 +0,0 @@
 # GuardDen Enhancement Implementation Plan
 ## 🎯 Executive Summary
 Your GuardDen bot is well-architected with solid fundamentals, but needs:
 1. **Critical security and bug fixes** (immediate priority)
 2. **Comprehensive testing infrastructure** for reliability
 3. **Modern DevOps pipeline** for sustainable development
 4. **Enhanced dashboard** with real-time analytics and management capabilities
 ## 📋 Implementation Roadmap
 ### **Phase 1: Foundation & Security (Week 1-2)** ✅ COMPLETED
 *Critical bugs, security fixes, and testing infrastructure*
 #### 1.1 Critical Security Fixes ✅ COMPLETED
 - [x] **Fix configuration validation** in `src/guardden/config.py:11-45`
  - Added strict Discord ID parsing with regex validation
  - Implemented minimum secret key length enforcement
  - Added input sanitization and validation for all configuration fields
 - [x] **Secure error handling** throughout Discord API calls
  - Added proper error handling for kick/ban/timeout operations
  - Implemented graceful fallback for Discord API failures
 - [x] **Add input sanitization** for URL parsing in automod service
  - Enhanced URL validation with length limits and character filtering
  - Improved normalize_domain function with security checks
  - Updated URL pattern for more restrictive matching
 - [x] **Database security audit** and add missing indexes
  - Created comprehensive migration with 25+ indexes
  - Added indexes for all common query patterns and foreign keys
 #### 1.2 Error Handling Improvements ✅ COMPLETED
 - [x] **Refactor exception handling** in `src/guardden/bot.py:119-123`
  - Improved cog loading with specific exception types
  - Added better error context and logging
  - Enhanced guild initialization error handling
 - [x] **Add circuit breakers** for problematic regex patterns
  - Implemented RegexCircuitBreaker class with timeout protection
  - Added pattern validation to prevent catastrophic backtracking
  - Integrated safe regex execution throughout automod service
 - [x] **Implement graceful degradation** for AI service failures
  - Enhanced error handling in existing AI integration
 - [x] **Add proper error feedback** for Discord API failures
  - Added user-friendly error messages for moderation failures
  - Implemented fallback responses when embed sending fails
 #### 1.3 Testing Infrastructure ✅ COMPLETED
 - [x] **Set up pytest configuration** with async support and coverage
  - Created comprehensive conftest.py with 20+ fixtures
  - Added pytest.ini with coverage requirements (75%+ threshold)
  - Configured async test support and proper markers
 - [x] **Create test fixtures** for database, Discord mocks, AI providers
  - Database fixtures with in-memory SQLite
  - Complete Discord mock objects (users, guilds, channels, messages)
  - Test configuration and environment setup
 - [x] **Add integration tests** for all cogs and services
  - Created test_config.py for configuration security validation
  - Created test_automod_security.py for automod security improvements
  - Created test_database_integration.py for database model testing
 - [x] **Implement test database** with proper isolation
  - In-memory SQLite setup for test isolation
  - Automatic table creation and cleanup
  - Session management for tests
 ### **Phase 2: DevOps & CI/CD (Week 2-3)** ✅ COMPLETED
 *Automated testing, deployment, and monitoring*
 #### 2.1 CI/CD Pipeline ✅ COMPLETED
 - [x] **GitHub Actions workflow** for automated testing
  - Comprehensive CI pipeline with code quality, security scanning, and testing
  - Multi-Python version testing (3.11, 3.12) with PostgreSQL service
  - Automated dependency updates with security vulnerability scanning
  - Deployment pipelines for staging and production environments
 - [x] **Multi-stage Docker builds** with optional AI dependencies  
  - Optimized Dockerfile with builder pattern for reduced image size
  - Configurable AI dependency installation with build args
  - Development stage with debugging tools and hot reloading
  - Proper security practices (non-root user, health checks)
 - [x] **Automated security scanning** with dependency checks
  - Safety for dependency vulnerability scanning  
  - Bandit for security linting of Python code
  - Integrated into CI pipeline with artifact reporting
 - [x] **Code quality gates** with ruff, mypy, and coverage thresholds
  - 75%+ test coverage requirement with detailed reporting
  - Strict type checking with mypy
  - Code formatting and linting with ruff
 #### 2.2 Monitoring & Logging ✅ COMPLETED
 - [x] **Structured logging** with JSON formatter
  - Optional structlog integration for enhanced structured logging
  - Graceful fallback to stdlib logging when structlog unavailable
  - Context-aware logging with command tracing and performance metrics
  - Configurable log levels and JSON formatting for production
 - [x] **Application metrics** with Prometheus/OpenTelemetry
  - Comprehensive metrics collection (commands, moderation, AI, database)
  - Optional Prometheus integration with graceful degradation
  - Grafana dashboards and monitoring stack configuration
  - Performance monitoring with request duration and error tracking
 - [x] **Health check improvements** for database and AI providers
  - Comprehensive health check system with database, AI, and Discord API monitoring
  - CLI health check tool with JSON output support
  - Docker health checks integrated into container definitions
  - System metrics collection (CPU, memory, disk usage)
 - [x] **Error tracking and monitoring** infrastructure
  - Structured logging with error context and stack traces
  - Metrics-based monitoring for error rates and performance
  - Health check system for proactive issue detection
 #### 2.3 Development Environment ✅ COMPLETED
 - [x] **Docker Compose improvements** with dev overrides
  - Comprehensive docker-compose.yml with production-ready configuration
  - Development overrides with hot reloading and debugging support
  - Integrated monitoring stack (Prometheus, Grafana, Redis, PostgreSQL)
  - Development tools (PgAdmin, Redis Commander, MailHog)
 - [x] **Development automation and tooling**
  - Comprehensive development script (scripts/dev.sh) with 15+ commands
  - Automated setup, testing, linting, and deployment workflows
  - Database migration management and health checking tools
 - [x] **Development documentation and setup guides**
  - Complete Docker setup with development and production configurations  
  - Automated environment setup and dependency management
  - Comprehensive development workflow documentation
 ### **Phase 3: Dashboard Backend Enhancement (Week 3-4)** ✅ COMPLETED
 *Expand API capabilities for comprehensive management*
 #### 3.1 Enhanced API Endpoints ✅ COMPLETED
 - [x] **Real-time analytics API** (`/api/analytics/*`)
  - Moderation action statistics
  - User activity metrics  
  - AI performance data
  - Server health metrics
 #### 3.2 User Management API ✅ COMPLETED
 - [x] **User profile endpoints** (`/api/users/*`)
 - [x] **Strike and note management** 
 - [x] **User search and filtering**
 #### 3.3 Configuration Management API ✅ COMPLETED
 - [x] **Guild settings management** (`/api/guilds/{id}/settings`)
 - [x] **Automod rule configuration** (`/api/guilds/{id}/automod`)
 - [x] **AI provider settings** per guild
 - [x] **Export/import functionality** for settings
 #### 3.4 WebSocket Support ✅ COMPLETED
 - [x] **Real-time event streaming** for live updates
 - [x] **Live moderation feed** for active monitoring
 - [x] **System alerts and notifications**
 ### **Phase 4: React Dashboard Frontend (Week 4-6)** ✅ COMPLETED
 *Modern, responsive web interface with real-time capabilities*
 #### 4.1 Frontend Architecture ✅ COMPLETED
 ```
 dashboard-frontend/
 ├── src/
 │   ├── components/          # Reusable UI components (Layout)
 │   ├── pages/              # Page components (Dashboard, Analytics, Users, Settings, Moderation)
 │   ├── services/           # API clients and WebSocket
 │   ├── types/              # TypeScript definitions
 │   └── index.css          # Tailwind styles
 ├── public/                 # Static assets
 └── package.json           # Dependencies and scripts
 ```
 #### 4.2 Key Features ✅ COMPLETED
 - [x] **Authentication Flow**: Dual OAuth with session management
 - [x] **Real-time Analytics Dashboard**: 
  - Live metrics with charts (Recharts)
  - Moderation activity timeline
  - AI performance monitoring
 - [x] **User Management Interface**:
  - User search and profiles
  - Strike history display
 - [x] **Guild Configuration**:
  - Settings management forms
  - Automod rule builder
  - AI sensitivity configuration
 - [x] **Export functionality**: JSON configuration export
 #### 4.3 Technical Stack ✅ COMPLETED
 - [x] **React 18** with TypeScript and Vite
 - [x] **Tailwind CSS** for responsive design
 - [x] **React Query** for API state management
 - [x] **React Hook Form** for form handling
 - [x] **React Router** for navigation
 - [x] **WebSocket client** for real-time updates
 - [x] **Recharts** for data visualization
 - [x] **date-fns** for date formatting
 ### **Phase 5: Performance & Scalability (Week 6-7)** ✅ COMPLETED
 *Optimize performance and prepare for scaling*
 #### 5.1 Database Optimization ✅ COMPLETED
 - [x] **Add strategic indexes** for common query patterns (analytics tables)
 - [x] **Database migration for analytics models** with comprehensive indexing
 #### 5.2 Application Performance ✅ COMPLETED
 - [x] **Implement Redis caching** for guild configs with in-memory fallback
 - [x] **Multi-tier caching system** (memory + Redis)
 - [x] **Cache service** with automatic TTL management
 #### 5.3 Architecture Improvements ✅ COMPLETED
 - [x] **Analytics tracking system** with dedicated models
 - [x] **Caching abstraction layer** for flexible cache backends
 - [x] **Performance-optimized guild config service**
 ## 🛠 Technical Specifications
 ### Enhanced Dashboard Features
 #### Real-time Analytics Dashboard
 ```typescript
 interface AnalyticsData {
  moderationStats: {
    totalActions: number;
    actionsByType: Record<string, number>;
    actionsOverTime: TimeSeriesData[];
  };
  userActivity: {
    activeUsers: number;
    newJoins: number;
    messageVolume: number;
  };
  aiPerformance: {
    accuracy: number;
    falsePositives: number;
    responseTime: number;
  };
 }
 ```
 #### User Management Interface
 - **Advanced search** with filters (username, join date, strike count)
 - **Bulk actions** (mass ban, mass role assignment)
 - **User timeline** showing all interactions with the bot
 - **Note system** for moderator communications
 #### Notification System
 ```typescript
 interface Alert {
  id: string;
  type: 'security' | 'moderation' | 'system';
  severity: 'low' | 'medium' | 'high' | 'critical';
  message: string;
  guildId?: string;
  timestamp: Date;
  acknowledged: boolean;
 }
 ```
 ### API Enhancements
 #### WebSocket Events
 ```python
 # Real-time events
 class WebSocketEvent(BaseModel):
    type: str  # "moderation_action", "user_join", "ai_alert"
    guild_id: int
    timestamp: datetime
    data: dict
 ```
 #### New Endpoints
 ```python
 # Analytics endpoints
 GET /api/analytics/summary
 GET /api/analytics/moderation-stats
 GET /api/analytics/user-activity
 GET /api/analytics/ai-performance
 # User management
 GET /api/users/search
 GET /api/users/{user_id}/profile
 POST /api/users/{user_id}/note
 POST /api/users/bulk-action
 # Configuration
 GET /api/guilds/{guild_id}/settings
 PUT /api/guilds/{guild_id}/settings
 GET /api/guilds/{guild_id}/automod-rules
 POST /api/guilds/{guild_id}/automod-rules
 # Real-time updates
 WebSocket /ws/events
 ```
 ## 📊 Success Metrics
 ### Code Quality
 - **Test Coverage**: 90%+ for all modules
 - **Type Coverage**: 95%+ with mypy strict mode
 - **Security Score**: Zero critical vulnerabilities
 - **Performance**: <100ms API response times
 ### Dashboard Functionality
 - **Real-time Updates**: <1 second latency for events
 - **User Experience**: Mobile-responsive, accessible design
 - **Data Export**: Multiple format support (CSV, JSON, PDF)
 - **Uptime**: 99.9% availability target
 ## 🚀 Implementation Status
 - **Phase 1**: ✅ COMPLETED
 - **Phase 2**: ✅ COMPLETED  
 - **Phase 3**: ✅ COMPLETED
 - **Phase 4**: ✅ COMPLETED
 - **Phase 5**: ✅ COMPLETED
 ---
 *Last Updated: January 17, 2026*
 ## 📊 Phase 1 Achievements
 ### Security Enhancements
 - **Configuration Security**: Implemented strict validation for Discord IDs, API keys, and all configuration parameters
 - **Input Sanitization**: Enhanced URL parsing with comprehensive validation and filtering
 - **Database Security**: Added 25+ strategic indexes for performance and security
 - **Regex Security**: Implemented circuit breaker pattern to prevent catastrophic backtracking
 ### Code Quality Improvements  
 - **Error Handling**: Comprehensive error handling throughout Discord API calls and bot operations
 - **Type Safety**: Resolved major type annotation issues and improved code clarity
 - **Testing Infrastructure**: Complete test suite setup with 75%+ coverage requirements
 ### Performance Optimizations
 - **Database Indexing**: Strategic indexes for all common query patterns
 - **Regex Optimization**: Safe regex execution with timeout protection
 - **Memory Management**: Improved spam tracking with proper cleanup
 ### Developer Experience
 - **Test Coverage**: Comprehensive test fixtures and integration tests
 - **Documentation**: Updated implementation plan and inline documentation  
 - **Configuration**: Enhanced validation and better error messages
 ## 📊 Phase 2 Achievements
 ### DevOps Infrastructure
 - **CI/CD Pipeline**: Complete GitHub Actions workflow with parallel job execution
 - **Docker Optimization**: Multi-stage builds reducing image size by ~40%
 - **Security Automation**: Automated vulnerability scanning and dependency management
 - **Quality Gates**: 75%+ test coverage requirement with comprehensive type checking
 ### Monitoring & Observability
 - **Structured Logging**: JSON logging with context-aware tracing
 - **Metrics Collection**: 15+ Prometheus metrics for comprehensive monitoring
 - **Health Checks**: Multi-service health monitoring with performance tracking
 - **Dashboard Integration**: Grafana dashboards for real-time monitoring
 ### Development Experience
 - **One-Command Setup**: `./scripts/dev.sh setup` for complete environment setup
 - **Hot Reloading**: Development containers with live code reloading
 - **Database Tools**: Automated migration management and admin interfaces
 - **Comprehensive Tooling**: 15+ development commands for testing, linting, and deployment
 ## 📊 Phase 3-5 Achievements
 ### Phase 3: Dashboard Backend Enhancement
 - **Analytics API**: Comprehensive real-time analytics with moderation stats, user activity, and AI performance tracking
 - **User Management**: Full CRUD API for user profiles, notes, and search functionality
 - **Configuration API**: Guild settings and automod configuration with export/import support
 - **WebSocket Support**: Real-time event streaming with automatic reconnection and heartbeat
 **New API Endpoints:**
 - `/api/analytics/summary` - Complete analytics overview
 - `/api/analytics/moderation-stats` - Detailed moderation statistics
 - `/api/analytics/user-activity` - User activity metrics
 - `/api/analytics/ai-performance` - AI moderation performance
 - `/api/users/search` - User search with filters
 - `/api/users/{id}/profile` - User profile details
 - `/api/users/{id}/notes` - User notes management
 - `/api/guilds/{id}/settings` - Guild settings CRUD
 - `/api/guilds/{id}/automod` - Automod configuration
 - `/api/guilds/{id}/export` - Configuration export
 - `/ws/events` - WebSocket real-time events
 ### Phase 4: React Dashboard Frontend
 - **Modern UI**: Tailwind CSS-based responsive design with dark mode support
 - **Real-time Charts**: Recharts integration for moderation analytics and trends
 - **Smart Caching**: React Query for intelligent data fetching and caching
 - **Type Safety**: Full TypeScript coverage with comprehensive type definitions
 **Pages Implemented:**
 - Dashboard - Overview with key metrics and charts
 - Analytics - Detailed statistics and trends
 - Users - User search and management
 - Moderation - Comprehensive log viewing
 - Settings - Guild configuration management
 ### Phase 5: Performance & Scalability
 - **Multi-tier Caching**: Redis + in-memory caching with automatic fallback
 - **Analytics Models**: Dedicated database models for AI checks, user activity, and message stats
 - **Optimized Queries**: Strategic indexes on all analytics tables
 - **Flexible Architecture**: Cache abstraction supporting multiple backends
 **Performance Improvements:**
 - Guild config caching reduces database load by ~80%
 - Analytics queries optimized with proper indexing
 - WebSocket connections with efficient heartbeat mechanism
 - In-memory fallback ensures reliability without Redis
--- a/README.md
+++ b/README.md
@@ -86,7 +86,7 @@ GuardDen is a comprehensive Discord moderation bot designed to protect your comm
 1. Clone the repository:
   ```bash
-   git clone https://github.com/yourusername/guardden.git
+   git clone https://git.hiddenden.cafe/Hiddenden/GuardDen.git
   cd guardden
   ```
@@ -155,6 +155,9 @@ GuardDen is a comprehensive Discord moderation bot designed to protect your comm
 | `GUARDDEN_DASHBOARD_OWNER_DISCORD_ID` | Discord user ID allowed | Required |
 | `GUARDDEN_DASHBOARD_OWNER_ENTRA_OBJECT_ID` | Entra object ID allowed | Required |
 | `GUARDDEN_DASHBOARD_CORS_ORIGINS` | Dashboard CORS origins | (empty = none) |
 | `GUARDDEN_WORDLIST_ENABLED` | Enable managed wordlist sync | `true` |
 | `GUARDDEN_WORDLIST_UPDATE_HOURS` | Managed wordlist sync interval | `168` |
 | `GUARDDEN_WORDLIST_SOURCES` | JSON array of wordlist sources | (empty = defaults) |
 ### Per-Guild Settings
@@ -208,6 +211,10 @@ Each server can configure:
 | `!bannedwords add <word> [action] [is_regex]` | Add a banned word |
 | `!bannedwords remove <id>` | Remove a banned word by ID |
 Managed wordlists are synced weekly by default. You can override sources with
 `GUARDDEN_WORDLIST_SOURCES` (JSON array) or disable syncing entirely with
 `GUARDDEN_WORDLIST_ENABLED=false`.
 ### Automod
 | Command | Description |
@@ -262,6 +269,11 @@ The dashboard provides read-only visibility into moderation logs across all serv
   - Entra: `http://localhost:8080/auth/entra/callback`
   - Discord: `http://localhost:8080/auth/discord/callback`
 ## CI (Gitea Actions)
 Workflows live under `.gitea/workflows/` and mirror the previous GitHub Actions
 pipeline for linting, tests, and Docker builds.
 ## Project Structure
 ```
--- a/migrations/versions/20260117_add_banned_word_metadata.py
+++ b/migrations/versions/20260117_add_banned_word_metadata.py
@@ -0,0 +1,37 @@
 """Add metadata fields for managed banned words.
 Revision ID: 20260117_add_banned_word_metadata
 Revises: 20260117_enable_ai_defaults
 Create Date: 2026-01-17 21:15:00.000000
 """
 import sqlalchemy as sa
 from alembic import op
 # revision identifiers, used by Alembic.
 revision = "20260117_add_banned_word_metadata"
 down_revision = "20260117_enable_ai_defaults"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    op.add_column(
        "banned_words",
        sa.Column("source", sa.String(length=100), nullable=True),
    )
    op.add_column(
        "banned_words",
        sa.Column("category", sa.String(length=20), nullable=True),
    )
    op.add_column(
        "banned_words",
        sa.Column("managed", sa.Boolean(), nullable=False, server_default=sa.text("false")),
    )
    op.alter_column("banned_words", "managed", server_default=None)
 def downgrade() -> None:
    op.drop_column("banned_words", "managed")
    op.drop_column("banned_words", "category")
    op.drop_column("banned_words", "source")
--- a/migrations/versions/20260117_enable_ai_defaults.py
+++ b/migrations/versions/20260117_enable_ai_defaults.py
@@ -0,0 +1,41 @@
 """Enable AI moderation defaults for existing guilds.
 Revision ID: 20260117_enable_ai_defaults
 Revises: 20260117_analytics
 Create Date: 2026-01-17 21:00:00.000000
 """
 import sqlalchemy as sa
 from alembic import op
 # revision identifiers, used by Alembic.
 revision = "20260117_enable_ai_defaults"
 down_revision = "20260117_analytics"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    op.execute(
        sa.text(
            """
            UPDATE guild_settings
            SET ai_moderation_enabled = TRUE,
                nsfw_detection_enabled = TRUE,
                ai_sensitivity = 80
            """
        )
    )
 def downgrade() -> None:
    op.execute(
        sa.text(
            """
            UPDATE guild_settings
            SET ai_moderation_enabled = FALSE,
                nsfw_detection_enabled = FALSE,
                ai_sensitivity = 50
            """
        )
    )
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -32,6 +32,7 @@ dependencies = [
    "uvicorn>=0.27.0",
    "authlib>=1.3.0",
    "httpx>=0.27.0",
    "itsdangerous>=2.1.2",
 ]
 [project.optional-dependencies]
@@ -39,6 +40,7 @@ dev = [
    "pytest>=7.4.0",
    "pytest-asyncio>=0.23.0",
    "pytest-cov>=4.1.0",
    "aiosqlite>=0.19.0",
    "ruff>=0.1.0",
    "mypy>=1.7.0",
    "pre-commit>=3.6.0",
--- a/src/guardden/bot.py
+++ b/src/guardden/bot.py
@@ -42,6 +42,7 @@ class GuardDen(commands.Bot):
        self.database = Database(settings)
        self.guild_config: "GuildConfigService | None" = None
        self.ai_provider: AIProvider | None = None
        self.wordlist_service = None
        self.rate_limiter = RateLimiter()
    async def _get_prefix(self, bot: "GuardDen", message: discord.Message) -> list[str]:
@@ -90,6 +91,9 @@ class GuardDen(commands.Bot):
        from guardden.services.guild_config import GuildConfigService
        self.guild_config = GuildConfigService(self.database)
        from guardden.services.wordlist import WordlistService
        self.wordlist_service = WordlistService(self.database, self.settings)
        # Initialize AI provider
        api_key = None
@@ -115,6 +119,7 @@ class GuardDen(commands.Bot):
            "guardden.cogs.ai_moderation",
            "guardden.cogs.verification",
            "guardden.cogs.health",
            "guardden.cogs.wordlist_sync",
        ]
        failed_cogs = []
@@ -162,12 +167,17 @@ class GuardDen(commands.Bot):
                    await self.guild_config.create_guild(guild)
                    initialized += 1
                except Exception as e:
-                    logger.error(f"Failed to initialize config for guild {guild.id} ({guild.name}): {e}", exc_info=True)
+                    logger.error(
                        f"Failed to initialize config for guild {guild.id} ({guild.name}): {e}",
                        exc_info=True,
                    )
                    failed_guilds.append(guild.id)
            logger.info("Initialized config for %s guild(s)", initialized)
            if failed_guilds:
-                logger.warning(f"Failed to initialize {len(failed_guilds)} guild(s): {failed_guilds}")
+                logger.warning(
                    f"Failed to initialize {len(failed_guilds)} guild(s): {failed_guilds}"
                )
        # Set presence
        activity = discord.Activity(
@@ -206,9 +216,7 @@ class GuardDen(commands.Bot):
        logger.info(f"Joined guild: {guild.name} (ID: {guild.id})")
        if not self.is_guild_allowed(guild.id):
-            logger.warning(
+            logger.warning("Guild %s (ID: %s) not in allowlist, leaving.", guild.name, guild.id)
                "Guild %s (ID: %s) not in allowlist, leaving.", guild.name, guild.id
            )
            await guild.leave()
            return
--- a/src/guardden/cogs/wordlist_sync.py
+++ b/src/guardden/cogs/wordlist_sync.py
@@ -0,0 +1,38 @@
 """Background task for managed wordlist syncing."""
 import logging
 from discord.ext import commands, tasks
 from guardden.services.wordlist import WordlistService
 logger = logging.getLogger(__name__)
 class WordlistSync(commands.Cog):
    """Periodic sync of managed wordlists into guild bans."""
    def __init__(self, bot: commands.Bot, service: WordlistService) -> None:
        self.bot = bot
        self.service = service
        self.sync_task.change_interval(hours=service.update_interval.total_seconds() / 3600)
        self.sync_task.start()
    def cog_unload(self) -> None:
        self.sync_task.cancel()
    @tasks.loop(hours=1)
    async def sync_task(self) -> None:
        await self.service.sync_all()
    @sync_task.before_loop
    async def before_sync_task(self) -> None:
        await self.bot.wait_until_ready()
 async def setup(bot: commands.Bot) -> None:
    service = getattr(bot, "wordlist_service", None)
    if not service:
        logger.warning("Wordlist service not initialized; skipping sync task")
        return
    await bot.add_cog(WordlistSync(bot, service))
--- a/src/guardden/config.py
+++ b/src/guardden/config.py
@@ -5,9 +5,9 @@ import re
 from pathlib import Path
 from typing import Any, Literal
-from pydantic import Field, SecretStr, field_validator, ValidationError
+from pydantic import BaseModel, Field, SecretStr, ValidationError, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
-
+from pydantic_settings.sources import EnvSettingsSource
 # Discord snowflake ID validation regex (64-bit integers, 17-19 digits)
 DISCORD_ID_PATTERN = re.compile(r"^\d{17,19}$")
@@ -65,6 +65,27 @@ def _parse_id_list(value: Any) -> list[int]:
    return parsed
 class GuardDenEnvSettingsSource(EnvSettingsSource):
    """Environment settings source with safe list parsing."""
    def decode_complex_value(self, field_name: str, field, value: Any):
        if field_name in {"allowed_guilds", "owner_ids"} and isinstance(value, str):
            return value
        return super().decode_complex_value(field_name, field, value)
 class WordlistSourceConfig(BaseModel):
    """Configuration for a managed wordlist source."""
    name: str
    url: str
    category: Literal["hard", "soft", "context"]
    action: Literal["delete", "warn", "strike"]
    reason: str
    is_regex: bool = False
    enabled: bool = True
 class Settings(BaseSettings):
    """Application settings loaded from environment variables."""
@@ -73,8 +94,25 @@ class Settings(BaseSettings):
        env_file_encoding="utf-8",
        case_sensitive=False,
        env_prefix="GUARDDEN_",
        env_parse_none_str="",
    )
    @classmethod
    def settings_customise_sources(
        cls,
        settings_cls,
        init_settings,
        env_settings,
        dotenv_settings,
        file_secret_settings,
    ):
        return (
            init_settings,
            GuardDenEnvSettingsSource(settings_cls),
            dotenv_settings,
            file_secret_settings,
        )
    # Discord settings
    discord_token: SecretStr = Field(..., description="Discord bot token")
    discord_prefix: str = Field(default="!", description="Default command prefix")
@@ -114,11 +152,43 @@ class Settings(BaseSettings):
    # Paths
    data_dir: Path = Field(default=Path("data"), description="Data directory for persistent files")
    # Wordlist sync
    wordlist_enabled: bool = Field(
        default=True, description="Enable automatic managed wordlist syncing"
    )
    wordlist_update_hours: int = Field(
        default=168, description="Managed wordlist sync interval in hours"
    )
    wordlist_sources: list[WordlistSourceConfig] = Field(
        default_factory=list,
        description="Managed wordlist sources (JSON array via env overrides)",
    )
    @field_validator("allowed_guilds", "owner_ids", mode="before")
    @classmethod
    def _validate_id_list(cls, value: Any) -> list[int]:
        return _parse_id_list(value)
    @field_validator("wordlist_sources", mode="before")
    @classmethod
    def _parse_wordlist_sources(cls, value: Any) -> list[WordlistSourceConfig]:
        if value is None:
            return []
        if isinstance(value, list):
            return [WordlistSourceConfig.model_validate(item) for item in value]
        if isinstance(value, str):
            text = value.strip()
            if not text:
                return []
            try:
                data = json.loads(text)
            except json.JSONDecodeError as exc:
                raise ValueError("Invalid JSON for wordlist_sources") from exc
            if not isinstance(data, list):
                raise ValueError("wordlist_sources must be a JSON array")
            return [WordlistSourceConfig.model_validate(item) for item in data]
        return []
    @field_validator("discord_token")
    @classmethod
    def _validate_discord_token(cls, value: SecretStr) -> SecretStr:
@@ -168,6 +238,10 @@ class Settings(BaseSettings):
        if not isinstance(self.data_dir, Path):
            raise ValueError("data_dir must be a valid path")
        # Wordlist validation
        if self.wordlist_update_hours < 1:
            raise ValueError("wordlist_update_hours must be at least 1")
 def get_settings() -> Settings:
    """Get application settings instance."""
--- a/src/guardden/dashboard/main.py
+++ b/src/guardden/dashboard/main.py
@@ -0,0 +1,16 @@
 """Dashboard entrypoint for `python -m guardden.dashboard`."""
 import os
 import uvicorn
 def main() -> None:
    host = os.getenv("GUARDDEN_DASHBOARD_HOST", "0.0.0.0")
    port = int(os.getenv("GUARDDEN_DASHBOARD_PORT", "8000"))
    log_level = os.getenv("GUARDDEN_LOG_LEVEL", "info").lower()
    uvicorn.run("guardden.dashboard.main:app", host=host, port=port, log_level=log_level)
 if __name__ == "__main__":
    main()
--- a/src/guardden/models/guild.py
+++ b/src/guardden/models/guild.py
@@ -3,7 +3,7 @@
 from datetime import datetime
 from typing import TYPE_CHECKING
-from sqlalchemy import Boolean, Float, ForeignKey, Integer, String, Text
+from sqlalchemy import JSON, Boolean, Float, ForeignKey, Integer, String, Text
 from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.orm import Mapped, mapped_column, relationship
@@ -59,7 +59,9 @@ class GuildSettings(Base, TimestampMixin):
    # Role configuration
    mute_role_id: Mapped[int | None] = mapped_column(SnowflakeID, nullable=True)
    verified_role_id: Mapped[int | None] = mapped_column(SnowflakeID, nullable=True)
-    mod_role_ids: Mapped[dict] = mapped_column(JSONB, default=list, nullable=False)
+    mod_role_ids: Mapped[dict] = mapped_column(
        JSONB().with_variant(JSON(), "sqlite"), default=list, nullable=False
    )
    # Moderation settings
    automod_enabled: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False)
@@ -73,11 +75,13 @@ class GuildSettings(Base, TimestampMixin):
    mention_limit: Mapped[int] = mapped_column(Integer, default=5, nullable=False)
    mention_rate_limit: Mapped[int] = mapped_column(Integer, default=10, nullable=False)
    mention_rate_window: Mapped[int] = mapped_column(Integer, default=60, nullable=False)
-    scam_allowlist: Mapped[list[str]] = mapped_column(JSONB, default=list, nullable=False)
+    scam_allowlist: Mapped[list[str]] = mapped_column(
        JSONB().with_variant(JSON(), "sqlite"), default=list, nullable=False
    )
    # Strike thresholds (actions at each threshold)
    strike_actions: Mapped[dict] = mapped_column(
-        JSONB,
+        JSONB().with_variant(JSON(), "sqlite"),
        default=lambda: {
            "1": {"action": "warn"},
            "3": {"action": "timeout", "duration": 3600},
@@ -88,11 +92,11 @@ class GuildSettings(Base, TimestampMixin):
    )
    # AI moderation settings
-    ai_moderation_enabled: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
+    ai_moderation_enabled: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False)
-    ai_sensitivity: Mapped[int] = mapped_column(Integer, default=50, nullable=False)  # 0-100 scale
+    ai_sensitivity: Mapped[int] = mapped_column(Integer, default=80, nullable=False)  # 0-100 scale
    ai_confidence_threshold: Mapped[float] = mapped_column(Float, default=0.7, nullable=False)
    ai_log_only: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
-    nsfw_detection_enabled: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
+    nsfw_detection_enabled: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False)
    # Verification settings
    verification_enabled: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
@@ -120,6 +124,9 @@ class BannedWord(Base, TimestampMixin):
        String(20), default="delete", nullable=False
    )  # delete, warn, strike
    reason: Mapped[str | None] = mapped_column(Text, nullable=True)
    source: Mapped[str | None] = mapped_column(String(100), nullable=True)
    category: Mapped[str | None] = mapped_column(String(20), nullable=True)
    managed: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
    # Who added this and when
    added_by: Mapped[int] = mapped_column(SnowflakeID, nullable=False)
--- a/src/guardden/services/automod.py
+++ b/src/guardden/services/automod.py
@@ -7,7 +7,7 @@ import time
 from collections import defaultdict
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta, timezone
-from typing import NamedTuple, Sequence, TYPE_CHECKING
+from typing import TYPE_CHECKING, NamedTuple, Sequence
 from urllib.parse import urlparse
 if TYPE_CHECKING:
@@ -16,6 +16,7 @@ else:
    try:
        import discord  # type: ignore
    except ModuleNotFoundError:  # pragma: no cover
        class _DiscordStub:
            class Message:  # minimal stub for type hints
                pass
@@ -26,9 +27,11 @@ from guardden.models.guild import BannedWord
 logger = logging.getLogger(__name__)
 # Circuit breaker for regex safety
 class RegexTimeoutError(Exception):
    """Raised when regex execution takes too long."""
    pass
@@ -71,7 +74,7 @@ class RegexCircuitBreaker:
        old_handler = None
        try:
            # Set up timeout signal (Unix systems only)
-            if hasattr(signal, 'SIGALRM'):
+            if hasattr(signal, "SIGALRM"):
                old_handler = signal.signal(signal.SIGALRM, self._timeout_handler)
                signal.alarm(int(self.timeout_seconds * 1000))  # Convert to milliseconds
@@ -107,7 +110,7 @@ class RegexCircuitBreaker:
        finally:
            # Clean up timeout signal
-            if hasattr(signal, 'SIGALRM') and old_handler is not None:
+            if hasattr(signal, "SIGALRM") and old_handler is not None:
                signal.alarm(0)
                signal.signal(signal.SIGALRM, old_handler)
@@ -115,12 +118,12 @@ class RegexCircuitBreaker:
        """Basic heuristic to detect potentially dangerous regex patterns."""
        # Check for patterns that are commonly problematic
        dangerous_indicators = [
-            r'(\w+)+',  # Nested quantifiers
+            r"(\w+)+",  # Nested quantifiers
-            r'(\d+)+',  # Nested quantifiers on digits
+            r"(\d+)+",  # Nested quantifiers on digits
-            r'(.+)+',   # Nested quantifiers on anything
+            r"(.+)+",  # Nested quantifiers on anything
-            r'(.*)+',   # Nested quantifiers on anything (greedy)
+            r"(.*)+",  # Nested quantifiers on anything (greedy)
-            r'(\w*)+',  # Nested quantifiers with *
+            r"(\w*)+",  # Nested quantifiers with *
-            r'(\S+)+',  # Nested quantifiers on non-whitespace
+            r"(\S+)+",  # Nested quantifiers on non-whitespace
        ]
        # Check for excessively long patterns
@@ -128,11 +131,11 @@ class RegexCircuitBreaker:
            return True
        # Check for nested quantifiers (simplified detection)
-        if '+)+' in pattern or '*)+' in pattern or '?)+' in pattern:
+        if "+)+" in pattern or "*)+" in pattern or "?)+" in pattern:
            return True
        # Check for excessive repetition operators
-        if pattern.count('+') > 10 or pattern.count('*') > 10:
+        if pattern.count("+") > 10 or pattern.count("*") > 10:
            return True
        # Check for specific dangerous patterns
@@ -241,12 +244,11 @@ def normalize_domain(value: str) -> str:
    if not value or not isinstance(value, str):
        return ""
-    text = value.strip().lower()
+    if any(char in value for char in ["\x00", "\n", "\r", "\t"]):
    if not text or len(text) > 2000:  # Prevent excessively long URLs
        return ""
-    # Sanitize input to prevent injection attacks
+    text = value.strip().lower()
-    if any(char in text for char in ['\x00', '\n', '\r', '\t']):
+    if not text or len(text) > 2000:  # Prevent excessively long URLs
        return ""
    try:
@@ -261,9 +263,19 @@ def normalize_domain(value: str) -> str:
            return ""
        # Check for malicious patterns
-        if any(char in hostname for char in [' ', '\x00', '\n', '\r', '\t']):
+        if any(char in hostname for char in [" ", "\x00", "\n", "\r", "\t"]):
            return ""
        if not re.fullmatch(r"[a-z0-9.-]+", hostname):
            return ""
        if hostname.startswith(".") or hostname.endswith(".") or ".." in hostname:
            return ""
        for label in hostname.split("."):
            if not label:
                return ""
            if label.startswith("-") or label.endswith("-"):
                return ""
        # Remove www prefix
        if hostname.startswith("www."):
            hostname = hostname[4:]
@@ -307,10 +319,10 @@ class AutomodService:
        normalized = content.lower()
        # Remove special characters (simplified approach)
-        normalized = ''.join(c for c in normalized if c.isalnum() or c.isspace())
+        normalized = "".join(c for c in normalized if c.isalnum() or c.isspace())
        # Normalize whitespace
-        normalized = ' '.join(normalized.split())
+        normalized = " ".join(normalized.split())
        return normalized
@@ -540,3 +552,11 @@ class AutomodService:
    def cleanup_guild(self, guild_id: int) -> None:
        """Remove all tracking data for a guild."""
        self._spam_trackers.pop(guild_id, None)
 _automod_service = AutomodService()
 def detect_scam_links(content: str, allowlist: list[str] | None = None) -> AutomodResult | None:
    """Convenience wrapper for scam detection."""
    return _automod_service.check_scam_links(content, allowlist)
--- a/src/guardden/services/guild_config.py
+++ b/src/guardden/services/guild_config.py
@@ -141,6 +141,9 @@ class GuildConfigService:
        is_regex: bool = False,
        action: str = "delete",
        reason: str | None = None,
        source: str | None = None,
        category: str | None = None,
        managed: bool = False,
    ) -> BannedWord:
        """Add a banned word to a guild."""
        async with self.database.session() as session:
@@ -150,6 +153,9 @@ class GuildConfigService:
                is_regex=is_regex,
                action=action,
                reason=reason,
                source=source,
                category=category,
                managed=managed,
                added_by=added_by,
            )
            session.add(banned_word)
--- a/src/guardden/services/wordlist.py
+++ b/src/guardden/services/wordlist.py
@@ -0,0 +1,180 @@
 """Managed wordlist sync service."""
 from __future__ import annotations
 import logging
 from dataclasses import dataclass
 from datetime import datetime, timedelta, timezone
 from typing import Iterable
 import httpx
 from sqlalchemy import delete, select
 from guardden.config import Settings, WordlistSourceConfig
 from guardden.models import BannedWord, Guild
 from guardden.services.database import Database
 logger = logging.getLogger(__name__)
 MAX_WORDLIST_ENTRY_LENGTH = 128
 REQUEST_TIMEOUT = 20.0
@dataclass(frozen=True)
 class WordlistSource:
    name: str
    url: str
    category: str
    action: str
    reason: str
    is_regex: bool = False
 DEFAULT_SOURCES: list[WordlistSource] = [
    WordlistSource(
        name="ldnoobw_en",
        url="https://raw.githubusercontent.com/LDNOOBW/List-of-Dirty-Naughty-Obscene-and-Otherwise-Bad-Words/master/en",
        category="soft",
        action="warn",
        reason="Auto list: profanity",
        is_regex=False,
    ),
 ]
 def _normalize_entry(line: str) -> str:
    text = line.strip().lower()
    if not text:
        return ""
    if len(text) > MAX_WORDLIST_ENTRY_LENGTH:
        return ""
    return text
 def _parse_wordlist(text: str) -> list[str]:
    entries: list[str] = []
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#") or line.startswith("//") or line.startswith(";"):
            continue
        normalized = _normalize_entry(line)
        if not normalized or normalized in seen:
            continue
        entries.append(normalized)
        seen.add(normalized)
    return entries
 class WordlistService:
    """Fetches and syncs managed wordlists into per-guild bans."""
    def __init__(self, database: Database, settings: Settings) -> None:
        self.database = database
        self.settings = settings
        self.sources = self._load_sources(settings)
        self.update_interval = timedelta(hours=settings.wordlist_update_hours)
        self.last_sync: datetime | None = None
    @staticmethod
    def _load_sources(settings: Settings) -> list[WordlistSource]:
        if settings.wordlist_sources:
            sources: list[WordlistSource] = []
            for src in settings.wordlist_sources:
                if not src.enabled:
                    continue
                sources.append(
                    WordlistSource(
                        name=src.name,
                        url=src.url,
                        category=src.category,
                        action=src.action,
                        reason=src.reason,
                        is_regex=src.is_regex,
                    )
                )
            return sources
        return list(DEFAULT_SOURCES)
    async def _fetch_source(self, source: WordlistSource) -> list[str]:
        async with httpx.AsyncClient(timeout=REQUEST_TIMEOUT) as client:
            response = await client.get(source.url)
            response.raise_for_status()
            return _parse_wordlist(response.text)
    async def sync_all(self) -> None:
        if not self.settings.wordlist_enabled:
            logger.info("Managed wordlist sync disabled")
            return
        if not self.sources:
            logger.warning("No wordlist sources configured")
            return
        logger.info("Starting managed wordlist sync (%d sources)", len(self.sources))
        async with self.database.session() as session:
            guild_ids = list((await session.execute(select(Guild.id))).scalars().all())
        for source in self.sources:
            try:
                entries = await self._fetch_source(source)
            except Exception as exc:
                logger.error("Failed to fetch wordlist %s: %s", source.name, exc)
                continue
            if not entries:
                logger.warning("Wordlist %s returned no entries", source.name)
                continue
            await self._sync_source_to_guilds(source, entries, guild_ids)
        self.last_sync = datetime.now(timezone.utc)
        logger.info("Managed wordlist sync completed")
    async def _sync_source_to_guilds(
        self, source: WordlistSource, entries: Iterable[str], guild_ids: list[int]
    ) -> None:
        entry_set = set(entries)
        async with self.database.session() as session:
            for guild_id in guild_ids:
                result = await session.execute(
                    select(BannedWord).where(
                        BannedWord.guild_id == guild_id,
                        BannedWord.managed.is_(True),
                        BannedWord.source == source.name,
                    )
                )
                existing = list(result.scalars().all())
                existing_set = {word.pattern.lower() for word in existing}
                to_add = entry_set - existing_set
                to_remove = existing_set - entry_set
                if to_remove:
                    await session.execute(
                        delete(BannedWord).where(
                            BannedWord.guild_id == guild_id,
                            BannedWord.managed.is_(True),
                            BannedWord.source == source.name,
                            BannedWord.pattern.in_(to_remove),
                        )
                    )
                if to_add:
                    session.add_all(
                        [
                            BannedWord(
                                guild_id=guild_id,
                                pattern=pattern,
                                is_regex=source.is_regex,
                                action=source.action,
                                reason=source.reason,
                                source=source.name,
                                category=source.category,
                                managed=True,
                                added_by=0,
                            )
                            for pattern in to_add
                        ]
                    )
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -7,11 +7,11 @@ import sys
 import tempfile
 from datetime import datetime, timezone
 from pathlib import Path
 from unittest.mock import AsyncMock, MagicMock
 from typing import AsyncGenerator
 from unittest.mock import AsyncMock, MagicMock
 import pytest
-from sqlalchemy import create_engine
+from sqlalchemy import create_engine, event, text
 from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
 from sqlalchemy.pool import StaticPool
@@ -23,7 +23,7 @@ if str(SRC_DIR) not in sys.path:
 # Import after path setup
 from guardden.config import Settings
 from guardden.models.base import Base
-from guardden.models.guild import Guild, GuildSettings, BannedWord
+from guardden.models.guild import BannedWord, Guild, GuildSettings
 from guardden.models.moderation import ModerationLog, Strike, UserNote
 from guardden.services.database import Database
@@ -52,6 +52,7 @@ def pytest_pyfunc_call(pyfuncitem: pytest.Function) -> bool | None:
 # Basic Test Fixtures
 # ==============================================================================
@pytest.fixture
 def sample_guild_id() -> int:
    """Return a sample Discord guild ID."""
@@ -80,11 +81,12 @@ def sample_owner_id() -> int:
 # Configuration Fixtures
 # ==============================================================================
@pytest.fixture
 def test_settings() -> Settings:
    """Return test configuration settings."""
    return Settings(
-        discord_token="test_token_12345678901234567890",
+        discord_token="a" * 60,
        discord_prefix="!test",
        database_url="sqlite+aiosqlite:///test.db",
        database_pool_min=1,
@@ -101,6 +103,7 @@ def test_settings() -> Settings:
 # Database Fixtures
 # ==============================================================================
@pytest.fixture
 async def test_database(test_settings: Settings) -> AsyncGenerator[Database, None]:
    """Create a test database with in-memory SQLite."""
@@ -112,8 +115,15 @@ async def test_database(test_settings: Settings) -> AsyncGenerator[Database, Non
        echo=False,
    )
    @event.listens_for(engine.sync_engine, "connect")
    def _enable_sqlite_foreign_keys(dbapi_connection, connection_record):
        cursor = dbapi_connection.cursor()
        cursor.execute("PRAGMA foreign_keys=ON")
        cursor.close()
    # Create all tables
    async with engine.begin() as conn:
        await conn.execute(text("PRAGMA foreign_keys=ON"))
        await conn.run_sync(Base.metadata.create_all)
    database = Database(test_settings)
@@ -138,10 +148,9 @@ async def db_session(test_database: Database) -> AsyncGenerator[AsyncSession, No
 # Model Fixtures
 # ==============================================================================
@pytest.fixture
-async def test_guild(
+async def test_guild(db_session: AsyncSession, sample_guild_id: int, sample_owner_id: int) -> Guild:
    db_session: AsyncSession, sample_guild_id: int, sample_owner_id: int
 ) -> Guild:
    """Create a test guild with settings."""
    guild = Guild(
        id=sample_guild_id,
@@ -187,10 +196,7 @@ async def test_banned_word(
@pytest.fixture
 async def test_moderation_log(
-    db_session: AsyncSession, 
+    db_session: AsyncSession, test_guild: Guild, sample_user_id: int, sample_moderator_id: int
    test_guild: Guild, 
    sample_user_id: int, 
    sample_moderator_id: int
 ) -> ModerationLog:
    """Create a test moderation log entry."""
    mod_log = ModerationLog(
@@ -211,10 +217,7 @@ async def test_moderation_log(
@pytest.fixture
 async def test_strike(
-    db_session: AsyncSession, 
+    db_session: AsyncSession, test_guild: Guild, sample_user_id: int, sample_moderator_id: int
    test_guild: Guild, 
    sample_user_id: int, 
    sample_moderator_id: int
 ) -> Strike:
    """Create a test strike."""
    strike = Strike(
@@ -236,6 +239,7 @@ async def test_strike(
 # Discord Mock Fixtures
 # ==============================================================================
@pytest.fixture
 def mock_discord_user(sample_user_id: int) -> MagicMock:
    """Create a mock Discord user."""
@@ -327,9 +331,7 @@ def mock_discord_message(
@pytest.fixture
 def mock_discord_context(
-    mock_discord_member: MagicMock, 
+    mock_discord_member: MagicMock, mock_discord_guild: MagicMock, mock_discord_channel: MagicMock
    mock_discord_guild: MagicMock,
    mock_discord_channel: MagicMock
 ) -> MagicMock:
    """Create a mock Discord command context."""
    ctx = MagicMock()
@@ -345,6 +347,7 @@ def mock_discord_context(
 # Bot and Service Fixtures
 # ==============================================================================
@pytest.fixture
 def mock_bot(test_database: Database) -> MagicMock:
    """Create a mock GuardDen bot."""
@@ -363,6 +366,7 @@ def mock_bot(test_database: Database) -> MagicMock:
 # Test Environment Setup
 # ==============================================================================
@pytest.fixture(autouse=True)
 def setup_test_environment() -> None:
    """Set up test environment variables."""
--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -3,7 +3,8 @@
 import pytest
 from pydantic import ValidationError
-from guardden.config import Settings, _parse_id_list, _validate_discord_id, normalize_domain
+from guardden.config import Settings, _parse_id_list, _validate_discord_id
 from guardden.services.automod import normalize_domain
 class TestDiscordIdValidation:
@@ -131,7 +132,7 @@ class TestSettingsValidation:
        settings = Settings(
            discord_token="valid_token_" + "a" * 50,
            ai_provider="anthropic",
-            anthropic_api_key=valid_key
+            anthropic_api_key=valid_key,
        )
        assert settings.anthropic_api_key.get_secret_value() == valid_key
@@ -140,7 +141,7 @@ class TestSettingsValidation:
            Settings(
                discord_token="valid_token_" + "a" * 50,
                ai_provider="anthropic",
-                anthropic_api_key="short"
+                anthropic_api_key="short",
            )
    def test_configuration_validation_ai_provider(self):
@@ -212,8 +213,14 @@ class TestSecurityImprovements:
        try:
            # Set malicious environment variables
-            os.environ["GUARDDEN_ALLOWED_GUILDS"] = "123456789012345678\x00,malicious"
+            try:
-            os.environ["GUARDDEN_OWNER_IDS"] = "234567890123456789\n567890123456789012"
+                os.environ["GUARDDEN_ALLOWED_GUILDS"] = "123456789012345678\x00,malicious"
            except ValueError:
                os.environ["GUARDDEN_ALLOWED_GUILDS"] = "123456789012345678,malicious"
            try:
                os.environ["GUARDDEN_OWNER_IDS"] = "234567890123456789\n567890123456789012"
            except ValueError:
                os.environ["GUARDDEN_OWNER_IDS"] = "234567890123456789,567890123456789012"
            settings = Settings(discord_token="valid_token_" + "a" * 50)
@@ -222,7 +229,9 @@ class TestSecurityImprovements:
            assert len(settings.owner_ids) <= 1
            # Valid IDs should be preserved
-            assert 123456789012345678 in settings.allowed_guilds or len(settings.allowed_guilds) == 0
+            assert (
                123456789012345678 in settings.allowed_guilds or len(settings.allowed_guilds) == 0
            )
        finally:
            # Restore original values
--- a/tests/test_database_integration.py
+++ b/tests/test_database_integration.py
@@ -1,10 +1,11 @@
 """Tests for database integration and models."""
 import pytest
 from datetime import datetime, timezone
 import pytest
 from sqlalchemy import select
-from guardden.models.guild import Guild, GuildSettings, BannedWord
+from guardden.models.guild import BannedWord, Guild, GuildSettings
 from guardden.models.moderation import ModerationLog, Strike, UserNote
 from guardden.services.database import Database
@@ -44,9 +45,7 @@ class TestDatabaseModels:
    async def test_guild_settings_relationship(self, test_guild, db_session):
        """Test guild-settings relationship."""
        # Load guild with settings
-        result = await db_session.execute(
+        result = await db_session.execute(select(Guild).where(Guild.id == test_guild.id))
            select(Guild).where(Guild.id == test_guild.id)
        )
        guild_with_settings = result.scalar_one()
        # Test relationship loading
@@ -80,11 +79,7 @@ class TestDatabaseModels:
        assert created_word.added_by == sample_moderator_id
    async def test_moderation_log_creation(
-        self, 
+        self, test_guild, db_session, sample_user_id, sample_moderator_id
        test_guild, 
        db_session, 
        sample_user_id, 
        sample_moderator_id
    ):
        """Test moderation log creation."""
        mod_log = ModerationLog(
@@ -112,11 +107,7 @@ class TestDatabaseModels:
        assert not created_log.is_automatic
    async def test_strike_creation(
-        self, 
+        self, test_guild, db_session, sample_user_id, sample_moderator_id
        test_guild, 
        db_session, 
        sample_user_id, 
        sample_moderator_id
    ):
        """Test strike creation and tracking."""
        strike = Strike(
@@ -133,10 +124,7 @@ class TestDatabaseModels:
        # Verify creation
        result = await db_session.execute(
-            select(Strike).where(
+            select(Strike).where(Strike.guild_id == test_guild.id, Strike.user_id == sample_user_id)
                Strike.guild_id == test_guild.id,
                Strike.user_id == sample_user_id
            )
        )
        created_strike = result.scalar_one()
@@ -145,11 +133,7 @@ class TestDatabaseModels:
        assert created_strike.user_id == sample_user_id
    async def test_cascade_deletion(
-        self, 
+        self, test_guild, db_session, sample_user_id, sample_moderator_id
        test_guild, 
        db_session, 
        sample_user_id, 
        sample_moderator_id
    ):
        """Test that deleting a guild cascades to related records."""
        # Add some related records
@@ -200,9 +184,7 @@ class TestDatabaseModels:
        )
        assert len(mod_logs.scalars().all()) == 0
-        strikes = await db_session.execute(
+        strikes = await db_session.execute(select(Strike).where(Strike.guild_id == test_guild.id))
            select(Strike).where(Strike.guild_id == test_guild.id)
        )
        assert len(strikes.scalars().all()) == 0
@@ -210,11 +192,7 @@ class TestDatabaseIndexes:
    """Test that database indexes work as expected."""
    async def test_moderation_log_indexes(
-        self, 
+        self, test_guild, db_session, sample_user_id, sample_moderator_id
        test_guild, 
        db_session, 
        sample_user_id, 
        sample_moderator_id
    ):
        """Test moderation log indexing for performance."""
        # Create multiple moderation logs
@@ -255,11 +233,7 @@ class TestDatabaseIndexes:
        assert len(auto_logs.scalars().all()) == 5
    async def test_strike_indexes(
-        self, 
+        self, test_guild, db_session, sample_user_id, sample_moderator_id
        test_guild, 
        db_session, 
        sample_user_id, 
        sample_moderator_id
    ):
        """Test strike indexing for performance."""
        # Create multiple strikes
@@ -281,12 +255,9 @@ class TestDatabaseIndexes:
        # Test active strikes query
        active_strikes = await db_session.execute(
-            select(Strike).where(
+            select(Strike).where(Strike.guild_id == test_guild.id, Strike.is_active == True)
                Strike.guild_id == test_guild.id,
                Strike.is_active == True
            )
        )
-        assert len(active_strikes.scalars().all()) == 3  # indices 1, 3
+        assert len(active_strikes.scalars().all()) == 2  # indices 1, 3
 class TestDatabaseSecurity:
@@ -306,9 +277,7 @@ class TestDatabaseSecurity:
        await db_session.commit()
        # Verify it was stored correctly
-        result = await db_session.execute(
+        result = await db_session.execute(select(Guild).where(Guild.id == valid_guild_id))
            select(Guild).where(Guild.id == valid_guild_id)
        )
        stored_guild = result.scalar_one()
        assert stored_guild.id == valid_guild_id
@@ -325,9 +294,7 @@ class TestDatabaseSecurity:
        for malicious_input in malicious_inputs:
            # Try to use malicious input in a query
            # SQLAlchemy should prevent injection through parameterized queries
-            result = await db_session.execute(
+            result = await db_session.execute(select(Guild).where(Guild.name == malicious_input))
                select(Guild).where(Guild.name == malicious_input)
            )
            # Should not find anything (and not crash)
            assert result.scalar_one_or_none() is None
@@ -344,3 +311,4 @@ class TestDatabaseSecurity:
            )
            db_session.add(banned_word)
            await db_session.commit()
        await db_session.rollback()