LerianStudio · alexgarzao · Mar 23, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
@@ -7,19 +7,24 @@ on:
 
 jobs:
   build:
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/build.yml@v1.15.0
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/build.yml@v1.18.1
     with:
       runner_type: "blacksmith-4vcpu-ubuntu-2404"
       enable_dockerhub: true
       enable_ghcr: true
       dockerhub_org: lerianstudio
       enable_gitops_artifacts: true
+      shared_paths: |
+        go.mod
+        go.sum
+        pkg/
+        Makefile
     secrets: inherit
 
   update_gitops:
     needs: [build]
-    if: needs.build.result == 'success'
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/gitops-update.yml@v1.17.0
+    if: needs.build.result == 'success' && needs.build.outputs.has_builds == 'true'
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/gitops-update.yml@v1.18.1
     with:
       runner_type: "firmino-lxc-runners"
       artifact_pattern: "gitops-tags-tracer"

@@ -25,7 +25,7 @@ on:
 jobs:
   go-analysis:
     name: Go Analysis
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/go-pr-analysis.yml@v1.17.0
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/go-pr-analysis.yml@v1.18.1
     with:
       runner_type: "blacksmith-4vcpu-ubuntu-2404"
       app_name_prefix: "tracer"

@@ -23,7 +23,7 @@ jobs:
   changelog:
     # Run if: manual trigger OR Release workflow succeeded
     if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/gptchangelog.yml@v1.17.0
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/gptchangelog.yml@v1.18.1
     with:
       runner_type: "blacksmith-4vcpu-ubuntu-2404"
       # No filter_paths = single app mode (non-monorepo)

@@ -24,8 +24,13 @@ on:
 
 jobs:
   security-scan:
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-security-scan.yml@v1.17.0
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-security-scan.yml@v1.18.1
     with:
       runner_type: "blacksmith-4vcpu-ubuntu-2404"
       dockerhub_org: "lerianstudio"
+      shared_paths: |
+        go.mod
+        go.sum
+        pkg/
+        Makefile
     secrets: inherit
@@ -12,7 +12,7 @@ permissions:
 
 jobs:
   validate:
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-validation.yml@v1.13.1
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-validation.yml@v1.18.1
     with:
       runner_type: "blacksmith-4vcpu-ubuntu-2404"
       pr_title_types: |

@@ -15,7 +15,7 @@ permissions:
 jobs:
   release:
     name: Create Release
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/release.yml@v1.17.0
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/release.yml@v1.18.1
     with:
       runner_type: "blacksmith-4vcpu-ubuntu-2404"
     secrets: inherit
@@ -34,7 +34,8 @@ WORKDIR /app
 COPY --from=builder /app/tracer /app/tracer
 COPY --from=builder /tracer/migrations /app/migrations
 
-# distroless:nonroot already runs as non-root user (uid 65532)
+# Explicitly set non-root user for Docker Hub health score compliance
+USER nonroot:nonroot
 
 EXPOSE 8080 7001
 

@@ -2660,7 +2660,7 @@ const docTemplate = `{
                     "type": "string"
                 },
                 "scope": {
-                    "description": "Scope is a human-readable string representation of the limit's scope\n(e.g., \"account:uuid\" or \"segment:uuid\" or \"global\").\nPer section 4.1.1.",
+                    "description": "Scope is a human-readable string representation of the limit's scope\n(e.g., \"account:uuid\" or \"segment:uuid\" or \"global\").",
                     "type": "string"
                 },
                 "skipReason": {

@@ -2399,7 +2399,6 @@ components:
           description: |-
             Scope is a human-readable string representation of the limit's scope
             (e.g., "account:uuid" or "segment:uuid" or "global").
-            Per section 4.1.1.
           type: string
         skipReason:
           description: |-

@@ -2658,7 +2658,7 @@
                     "type": "string"
                 },
                 "scope": {
-                    "description": "Scope is a human-readable string representation of the limit's scope\n(e.g., \"account:uuid\" or \"segment:uuid\" or \"global\").\nPer section 4.1.1.",
+                    "description": "Scope is a human-readable string representation of the limit's scope\n(e.g., \"account:uuid\" or \"segment:uuid\" or \"global\").",
                     "type": "string"
                 },
                 "skipReason": {

@@ -494,7 +494,6 @@ definitions:
         description: |-
           Scope is a human-readable string representation of the limit's scope
           (e.g., "account:uuid" or "segment:uuid" or "global").
-          Per section 4.1.1.
         type: string
       skipReason:
         description: |-

@@ -3174,6 +3174,7 @@ otel.SetTracerProvider(tp)  // Set global provider for lib-commons
 13. **Priority-based rule evaluation** - All rules evaluated, DENY precedence
 14. **Direct OTel attribute/codes imports** - Use lib-commons wrappers (SetSpanAttributesFromStruct, HandleSpanError)
 15. **Unstructured logging** - Use `WithFields` instead of `Infof`/`Errorf` with string interpolation (see [Structured Logging](#structured-logging))
+16. **Task/ticket IDs in code** - Never reference task IDs (T-001, JIRA-123, etc.) in source code, comments, or test names. Code must be self-explanatory without project management context. Use descriptive names instead.
 
 ---
 
@@ -3185,3 +3186,4 @@ otel.SetTracerProvider(tp)  // Set global provider for lib-commons
 2. **NEVER run `git push` without explicit user approval**
 3. **NEVER modify files outside the scope of the requested task**
 4. **Always ask for confirmation before destructive operations**
+5. **NEVER include test execution results in commit messages** - Do not mention test counts, pass/fail status, or coverage numbers. Commit messages describe *what* changed and *why*, not verification results.
@@ -18,6 +18,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"go.opentelemetry.io/otel/trace"
 
+	"tracer/internal/services"
 	"tracer/pkg/clock"
 	"tracer/pkg/constant"
 	"tracer/pkg/logging"
@@ -31,7 +32,7 @@ const maxPayloadSize = 100 * 1024
 // ValidationService defines the interface for validation operations.
 // Interface defined locally per Ring pattern.
 type ValidationService interface {
-	Validate(ctx context.Context, request *model.ValidationRequest) (*model.ValidationResponse, error)
+	Validate(ctx context.Context, request *model.ValidationRequest) (*services.ValidateResult, error)
 }
 
 // ValidationHandler handles HTTP requests for transaction validation.
@@ -147,19 +148,25 @@ func (h *ValidationHandler) Validate(c *fiber.Ctx) error {
 	}
 
 	// Call validation service
-	response, err := h.service.Validate(ctx, &request)
+	result, err := h.service.Validate(ctx, &request)
 	if err != nil {
 		return h.handleValidationError(c, &span, err)
 	}
 
 	logger.WithFields(
 		"operation", "handler.validations.validate",
 		"request.id", request.RequestID.String(),
-		"decision", string(response.Decision),
-		"processing_time_ms", response.ProcessingTimeMs,
+		"decision", string(result.Response.Decision),
+		"processing_time_ms", result.Response.ProcessingTimeMs,
+		"is_duplicate", result.IsDuplicate,
 	).Info("Validation completed")
 
-	return libHTTP.OK(c, response)
+	// Return HTTP 201 for new requests, HTTP 200 for duplicate (idempotent) requests (DD-9)
+	if result.IsDuplicate {
+		return libHTTP.OK(c, result.Response)
+	}
+
+	return libHTTP.Created(c, result.Response)
 }
 
 // validationErrorMapping maps validation errors to their specific error codes and messages.