Add test user seed, password validation, and pre-commit security hook

- backend/scripts/seed.py: creates test@example.com on dev startup
- backend/scripts/start_dev.sh: runs migrations + seed + uvicorn --reload
- backend/app/schemas/user.py: password validator (length, case, digit, special char, forbidden words)
- scripts/security_check.py: Docker-based scanner for secrets, dangerous patterns, weak crypto, bandit
- .githooks/pre-commit: runs security_check.py in python:3.12-slim on every commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/schemas/user.py

@@ -1,4 +1,43 @@
-from pydantic import BaseModel, EmailStr
+import re
+
+from pydantic import BaseModel, EmailStr, field_validator
+
+# Common words that must not appear as whole words inside a password.
+# Checked case-insensitively with word boundaries.
+_FORBIDDEN_WORDS = {
+    "password", "passwort", "secret", "welcome", "admin", "administrator",
+    "login", "user", "test", "guest", "master", "dragon", "monkey", "shadow",
+    "sunshine", "princess", "letmein", "football", "baseball", "soccer",
+    "hockey", "abc", "qwerty", "keyboard", "computer", "internet", "access",
+    "hello", "summer", "winter", "spring", "autumn", "flower", "mustang",
+    "batman", "superman", "donald", "michael", "jessica", "charlie",
+}
+
+
+def _validate_password(v: str) -> str:
+    errors = []
+
+    if len(v) < 8:
+        errors.append("at least 8 characters")
+    if not re.search(r"[A-Z]", v):
+        errors.append("at least one uppercase letter")
+    if not re.search(r"[a-z]", v):
+        errors.append("at least one lowercase letter")
+    if not re.search(r"\d", v):
+        errors.append("at least one digit")
+    if not re.search(r'[!@#$%^&*()\-_=+\[\]{};:\'",.<>?/\\|`~]', v):
+        errors.append("at least one special character")
+
+    lower = v.lower()
+    for word in _FORBIDDEN_WORDS:
+        # Match the word as a standalone token (surrounded by non-alpha or string boundary)
+        if re.search(rf"(?<![a-z]){re.escape(word)}(?![a-z])", lower):
+            errors.append(f'must not contain the word "{word}"')
+            break
+
+    if errors:
+        raise ValueError("; ".join(errors))
+    return v
 
 
 class UserCreate(BaseModel):
@@ -6,6 +45,11 @@ class UserCreate(BaseModel):
     password: str
     full_name: str | None = None
 
+    @field_validator("password")
+    @classmethod
+    def password_strength(cls, v: str) -> str:
+        return _validate_password(v)
+
 
 class UserOut(BaseModel):
     id: str

backend/scripts/seed.py

@@ -0,0 +1,34 @@
+"""Create a test user for the dev environment if it doesn't exist yet."""
+
+import asyncio
+
+from sqlalchemy import select
+
+from app.core.security import hash_password
+from app.database import AsyncSessionLocal
+from app.models.user import User
+
+TEST_EMAIL = "test@example.com"
+TEST_PASSWORD = "Test123!"
+TEST_NAME = "Test User"
+
+
+async def seed() -> None:
+    async with AsyncSessionLocal() as db:
+        result = await db.execute(select(User).where(User.email == TEST_EMAIL))
+        if result.scalar_one_or_none():
+            print(f"[seed] test user already exists: {TEST_EMAIL}")
+            return
+
+        user = User(
+            email=TEST_EMAIL,
+            hashed_password=hash_password(TEST_PASSWORD),
+            full_name=TEST_NAME,
+        )
+        db.add(user)
+        await db.commit()
+        print(f"[seed] created test user — email: {TEST_EMAIL}  pwd: {TEST_PASSWORD}")
+
+
+if __name__ == "__main__":
+    asyncio.run(seed())

backend/scripts/start_dev.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+echo "[start] running migrations..."
+alembic upgrade head
+
+echo "[start] seeding dev data..."
+python scripts/seed.py
+
+echo "[start] starting uvicorn..."
+exec uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload