Commit f7cc38b

Feat/open core split (#2)
* docs: add user authentication system design spec
* docs: add user authentication implementation plan
* feat: open-core architecture with pluggable server and component exports

  Remove authentication from the open-source codebase to prepare for an open-core business model. Auth, admin panel, and user management move to a separate proprietary repository.

  - Make buildServer() accept plugins and routes options for extensibility
  - Create API exports barrel (exports.ts) for external consumers
  - Create web component library exports (exports.ts) for pro frontend
  - Add userMenu slot prop to Nav for pro to inject auth UI
  - Remove all auth code: pages, hooks, guards, routes, config, DB tables
  - Remove auth dependencies (bcryptjs, jsonwebtoken)
  - Fix PageSpeed handler: add https:// prefix, use BEST-PRACTICES category
  - Redesign BuiltWith renderer with summary chips and detail modal
  - Improve QualityRenderer layout (one row per category)
  - Fix CSS @import order warning
  - Fix DELETE request Content-Type error
  - Clean .env.example (remove auth sections)

* update vite and basic-ftp to patch security vulnerabilities
* add gitleaks pre-commit hook via husky for secret scanning
* skip husky in production builds
1 parent e8911c0 commit f7cc38b

50 files changed

Lines changed: 4949 additions & 664 deletions


.env.example

Lines changed: 23 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,12 @@
1+
# ── Docker Compose ─────────────────────────────────────────
2+
# Ports exposed on the host (docker-compose.yml / docker-compose.remote.yml)
3+
# API_PORT=3000
4+
# WEB_PORT=8080
5+
6+
# Override image registry/tag for docker-compose.remote.yml
7+
# REGISTRY=ghcr.io/brunoafk/recon-web
8+
# TAG=latest
9+
110
# ── Server ────────────────────────────────────────────────
211
PORT=3000
312
HOST=0.0.0.0
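Review bot: `# TAG=latest` in the new Docker Compose block documents an unpinned image tag as the default for docker-compose.remote.yml; for a tool that runs against arbitrary targets, recommend a version tag or image digest here so remote deployments are reproducible and do not silently pick up a new build. The `API_PORT` / `WEB_PORT` comments should also say which host interface the published ports bind to, because `HOST=0.0.0.0` a few lines below already binds the API to every interface inside the container and a casual copy of this file ends up reachable from the network.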
@@ -9,9 +18,20 @@ API_TIMEOUT_LIMIT=30000
918
# CORS origin (use * for any, or specific domain)
1019
API_CORS_ORIGIN=*
1120

21+
# Rate limit: max requests per IP per time window (default: 100 / 10 minutes)
22+
# RATE_LIMIT_MAX=100
23+
# RATE_LIMIT_WINDOW=10 minutes
24+
1225
# Maximum concurrent handlers per scan (default: 8)
1326
# MAX_CONCURRENCY=8
1427

28+
# Maximum concurrent scans server-wide (default: 3)
29+
# Extra scans queue and wait. Prevents memory exhaustion on small VMs.
30+
# MAX_CONCURRENT_SCANS=3
31+
32+
# Enable Swagger API docs at /docs (default: false)
33+
# SWAGGER_ENABLED=true
34+
1535
# Path to Chromium binary (auto-detected in Docker)
1636
# CHROME_PATH=/usr/bin/chromium
1737

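Review bot: the rate-limit block (`RATE_LIMIT_MAX` / `RATE_LIMIT_WINDOW`) says the limit is per IP but not how the client IP is determined. When the API sits behind the web container or any reverse proxy, the limiter sees the proxy's address unless forwarded headers are trusted, and every client then shares one bucket; add a comment stating which address is used and what an operator must set when a proxy is in front. `SWAGGER_ENABLED` defaulting to false is right, but the comment should say it belongs off on public deployments, since this commit removes the only authentication the API had.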
@@ -22,10 +42,9 @@ API_CORS_ORIGIN=*
2242
# SQLite database path (auto-created)
2343
# DB_PATH=./data/recon-web.db
2444

25-
# ── Authentication ───────────────────────────────────────
26-
# Enable bearer token authentication for API endpoints
27-
# AUTH_ENABLED=true
28-
# AUTH_TOKEN=your-secret-token-here
45+
# ── Demo ───────────────────────────────────────────────────
46+
# URL for demo scan (shown on /demo page)
47+
# DEMO_SCAN_URL=https://example.com
2948

3049
# ── Scheduled Scans ─────────────────────────────────────
3150
# Enable automated scheduled scanning
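Review bot: deleting the `# ── Authentication` section leaves `.env.example` with no statement that the open-source API now answers to anyone who can reach `PORT`, while `HOST=0.0.0.0` and `API_CORS_ORIGIN=*` remain the defaults. Replace the removed lines with a short comment saying that authentication ships in the pro repository and that this build must sit behind a reverse proxy, firewall or network policy; otherwise an operator copying this file gets an unauthenticated scanner on every interface. The new `DEMO_SCAN_URL` comment should also say whether the /demo page lets visitors trigger a scan or only shows a stored result, because that decides whether the demo needs the same protection.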

.gitignore

Lines changed: 3 additions & 0 deletions
@@ -40,6 +40,9 @@ Thumbs.db
4040
@internal/
4141
docs/superpowers/
4242

43+
# Infrastructure
44+
infra/
45+
4346
# SQLite databases
4447
*.db
4548
*.db-journal
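Review bot: `infra/` is a blanket ignore with only `# Infrastructure` as justification. If the directory exists to keep deployment secrets out of the repository, ignore those files specifically (or commit a `*.example` beside them) rather than the whole tree, so the non-secret infrastructure definitions stay reviewable in version control; if it is meant to hold proprietary deployment code for the pro repository, say that in the comment.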

.gitleaksignore

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
3ba15210b191e8a325df35f9256b5c5c9d89ac05:@internal/AUTH-SETUP.md:curl-auth-header:85
2+
3ba15210b191e8a325df35f9256b5c5c9d89ac05:@internal/AUTH-SETUP.md:curl-auth-header:384
3+
abf03987e2574d92614c2af2717e69908552fff0:packages/api/src/auth/auth.test.ts:generic-api-key:60
4+
abf03987e2574d92614c2af2717e69908552fff0:packages/api/src/auth/auth.test.ts:generic-api-key:159
5+
346dd51d2d32252ab1710b30cab1000fb77e7728:docs/src/content/docs/guides/rest-api.mdx:curl-auth-header:122
6+
7bd2fa7b6e03b148493382b5b2ba84ab95eb9420:docs/src/content/docs/guides/rest-api.mdx:curl-auth-header:122
7+
a8393590d20499515efeb13d2b5bcb0b80be1b7a:docs/superpowers/plans/2026-04-07-user-authentication.md:generic-api-key:3143
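Review bot: each fingerprint here (`curl-auth-header`, `generic-api-key`) silences a finding at one historical commit but gives no hint whether the matched value was a placeholder or a real credential. Add a comment per entry explaining why it is a false positive (example token in docs, test fixture), because `.gitleaksignore` only suppresses the report; any entry that was a real token still needs rotation and a history rewrite. Two of the paths (`@internal/`, `docs/superpowers/`) are listed in `.gitignore` in this same commit yet appear here with commit SHAs, so those files were committed before being ignored; confirm the content at those commits is safe to leave in history.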

.husky/pre-commit

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
if command -v gitleaks &>/dev/null; then
2+
gitleaks git --pre-commit --staged
3+
fi
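Review bot: `&>/dev/null` on the first line is a bash extension; husky executes hooks with `sh`, where POSIX parsing reads it as `command -v gitleaks &` followed by a bare `>/dev/null`, so the `if` always succeeds and the guard does nothing. Use `>/dev/null 2>&1` instead. Separately, silently skipping the scan when gitleaks is not installed means a developer without it gets no check and no message; at minimum print a warning in an `else` branch, and run the same `gitleaks git` scan in CI so the local hook is not the only line of defence.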

docker-compose.remote.yml

Lines changed: 2 additions & 0 deletions
@@ -39,6 +39,8 @@ services:
3939
cli:
4040
image: ${REGISTRY:-ghcr.io/brunoafk/recon-web}/cli:${TAG:-latest}
4141
env_file: .env
42+
volumes:
43+
- scan-data:/app/data
4244
profiles: ["cli"]
4345

4446
volumes:
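Review bot: mounting `scan-data:/app/data` into `cli` shares the SQLite database (`DB_PATH=./data/recon-web.db` per `.env.example`) with every other service that mounts the volume; add a comment saying the CLI needs the same database as the API, and if the CLI only reads results make the mount `:ro`. Two containers writing the same SQLite file works on a local named volume but not if `scan-data` is later backed by network storage, which is worth a note beside the top-level `volumes:` declaration.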

docker-compose.yml

Lines changed: 2 additions & 0 deletions
@@ -36,6 +36,8 @@ services:
3636
context: .
3737
dockerfile: packages/cli/Dockerfile
3838
env_file: .env
39+
volumes:
40+
- scan-data:/app/data
3941
profiles: ["cli"]
4042

4143
volumes:
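Review bot: this is the same `volumes:` / `scan-data:/app/data` addition as in docker-compose.remote.yml, and the two `cli` service definitions now differ only in `build:` versus `image:`. Declaring the shared mount and `env_file` once (a YAML anchor, `extends`, or a base file plus override) would stop the two compose files drifting apart, which is how one deployment ends up with a mount or env setting the other lacks.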

docs/package-lock.json

Lines changed: 5 additions & 11 deletions

0 commit comments
