httplib and some documented adjustments.

Signed-off-by: Aaron Layfield <aaron.layfield@gmail.com>

Author: DandyDeveloper

README.md

@@ -1,23 +1,28 @@
 # Dandy Dashboard
 
-A personal, modular dashboard built with a Go backend and Svelte frontend. Drop in the widgets you want — adding a new one is three files.
+A personal, modular dashboard built with a Go backend and Svelte frontend. Drop in the widgets you want — adding a new one is a few files each side.
+
+Right now, this is entirely codified as opposed to pluggable within the browser.
+
+This was made in conjunction with an AI Agent and purely being done as a way to refresh and relearn newer frameworks in conjunction with understanding the current agent model capabilities.
 
 ![Dashboard screenshot placeholder](docs/screenshot.png)
 
 ## Widgets
 
 | Widget | Description |
 |---|---|
-| **Word of the Day** | Daily Japanese vocabulary with reading, JLPT level, meanings, and example sentences (via [Jotoba](https://jotoba.de)) |
-| **Upcoming Events** | Next 7 days from Google Calendar |
-| **Claude AI** | Streaming chat with Claude, your personal assistant |
+| **Word of the Day** | Daily Japanese vocabulary pulled from your WaniKani Apprentice/Guru items, with readings, meanings, and example sentences |
+| **Upcoming Events** | Next events from Google Calendar via a service account |
+| **Claude AI** | Streaming chat with Claude Opus 4.6, with server-side conversation history and adaptive thinking |
 
 ## Tech Stack
 
-- **Backend** — Go 1.25 + [Echo](https://echo.labstack.com/)
+- **Backend** — Go 1.25, stdlib `net/http` (no framework)
 - **Frontend** — [Svelte 5](https://svelte.dev/) + TypeScript + Vite + Tailwind CSS
-- **AI** — [Anthropic API](https://docs.anthropic.com/) (Claude 3.5 Sonnet, streaming SSE)
-- **Calendar** — Google Calendar API (service account or OAuth2)
+- **AI** — [Anthropic API](https://docs.anthropic.com/) (Claude Opus 4.6, streaming SSE)
+- **Calendar** — Google Calendar API (service account)
+- **Persistence** — [bbolt](https://github.com/etcd-io/bbolt) embedded KV (default) or Redis
 
 ## Getting Started
 
@@ -27,7 +32,7 @@ A personal, modular dashboard built with a Go backend and Svelte frontend. Drop
 git clone https://github.com/dandydeveloper/dandy-dashboard
 cd dandy-dashboard
 cp .env.example .env
-# Edit .env and add your ANTHROPIC_API_KEY at minimum
+# Edit .env — ANTHROPIC_API_KEY is required at minimum
 ```
 
 ### 2. Run in development
@@ -44,42 +49,52 @@ make dev-frontend
 
 Open [http://localhost:5173](http://localhost:5173).
 
-### 3. Production build
-
-```bash
-make build
-./bin/server
-```
+### 3. Production with Docker
 
-Or with Docker:
 ```bash
 docker compose up --build
 ```
 
+Frontend is served by Nginx on port 80. The backend API is internal — Nginx proxies `/api/*` to it.
+
 ## Configuration
 
-| Variable | Required | Description |
-|---|---|---|
-| `ANTHROPIC_API_KEY` | Yes | From [console.anthropic.com](https://console.anthropic.com/keys) |
-| `GOOGLE_CREDENTIALS_JSON` | No | Path to service account JSON, or raw JSON string |
-| `GOOGLE_CALENDAR_ID` | No | Calendar ID (default: `primary`) |
-| `PORT` | No | Server port (default: `8080`) |
-| `ALLOWED_ORIGINS` | No | CORS origins (default: `http://localhost:5173`) |
-| `DASHBOARD_KEY` | No | Shared secret for `X-Dashboard-Key` header auth |
+All configuration is via environment variables (`.env` file locally, secrets manager in production).
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `ANTHROPIC_API_KEY` | Yes | — | From [console.anthropic.com](https://console.anthropic.com/keys) |
+| `WANIKANI_API_TOKEN` | No | — | From [wanikani.com/settings/personal_access_tokens](https://www.wanikani.com/settings/personal_access_tokens) — enables WaniKani word source |
+| `GOOGLE_CREDENTIALS_JSON` | No | — | Path to service account JSON file, or raw JSON string |
+| `GOOGLE_CALENDAR_ID` | No | `primary` | Calendar ID from Google Calendar settings |
+| `PORT` | No | `8080` | Backend listen port |
+| `ALLOWED_ORIGINS` | No | `http://localhost:5173` | Comma-separated CORS origins |
+| `DASHBOARD_KEY` | No | — | Shared secret for `X-Dashboard-Key` header — **set this in production** |
+| `DATA_DIR` | No | `./data` | Directory for the embedded bbolt database |
+| `STORE_URL` | No | — | Redis URL (e.g. `redis://localhost:6379`) — overrides bbolt |
+
+### Google Calendar setup
+
+1. Create a project in [Google Cloud Console](https://console.cloud.google.com)
+2. Enable the **Google Calendar API**
+3. Create a **Service Account** — no IAM role needed
+4. Download the JSON key → set as `GOOGLE_CREDENTIALS_JSON`
+5. In Google Calendar, share your calendar with the service account email → **"See all event details"**
 
 ## Adding a Widget
 
-The plugin system is explicit — no magic. Three steps each side.
+The plugin system is explicit — no magic. A few files each side.
 
 **Backend** — create `internal/widgets/mywidget/`:
 ```go
 // widget.go — implement the Widget interface
 func (w *Widget) Slug() string { return "mywidget" }
-func (w *Widget) RegisterRoutes(g *echo.Group) {
-    g.GET("/data", w.handler.Data)
+
+func (w *Widget) RegisterRoutes(mux *http.ServeMux) {
+    mux.HandleFunc("GET /data", w.handler.Data)
 }
 ```
-Then add one line to `cmd/server/main.go`:
+Then register in `cmd/server/main.go`:
 ```go
 registry.Register(mywidget.New(cfg))
 ```
@@ -91,42 +106,59 @@ export const myWidget: WidgetDescriptor = {
   id: 'mywidget',
   title: 'My Widget',
   description: '...',
-  component: MyWidget,   // Svelte component
+  component: MyWidgetComponent,
   defaultSize: 'md',
 }
 ```
 Then add one line to `web/src/widgets/registry.ts`:
 ```typescript
-import { myWidget } from './mywidget'
-export const widgetRegistry = [..., myWidget]
+export const widgetRegistry = [japaneseWidget, calendarWidget, myWidget]
 ```
 
-Done — the widget appears in the grid automatically.
+The widget appears in the resizable grid automatically.
 
 ## Project Structure
 
 ```
 dandy-dashboard/
-├── cmd/server/main.go              # Entry point — wires config, registry, Echo
+├── cmd/server/main.go              # Entry point — wires config, registry, server
 ├── internal/
 │   ├── config/                     # Env-based configuration
+│   ├── httputil/                   # JSON response helpers
+│   ├── middleware/                 # Logger, recover, request ID, CORS, API key
+│   ├── store/                      # bbolt / Redis abstraction
 │   ├── widget/                     # Widget interface + registry
 │   └── widgets/
-│       ├── claude/                 # Claude AI chat (streaming SSE)
-│       ├── japanese/               # Word of the day (Jotoba API + embedded wordlist)
+│       ├── claude/                 # Claude AI chat (streaming SSE, session management)
+│       ├── japanese/               # Word of the day (WaniKani + Jotoba)
 │       └── calendar/               # Google Calendar events
+├── docker/
+│   ├── backend.Dockerfile
+│   ├── frontend.Dockerfile
+│   └── nginx.conf                  # Serves static files, proxies /api/* to backend
 └── web/src/
     ├── widgets/
     │   ├── types.ts                # WidgetDescriptor interface
-    │   ├── registry.ts             # All widgets registered here
+    │   ├── registry.ts             # All active widgets registered here
     │   ├── claude/
     │   ├── japanese/
     │   └── calendar/
-    └── components/
-        ├── WidgetCard.svelte       # Shared card shell (header + body)
-        └── App.svelte              # Dashboard grid layout
+    ├── components/
+    │   ├── DashboardGrid.svelte    # Resizable 12-column grid (layout persisted to localStorage)
+    │   └── WidgetCard.svelte       # Shared card shell
+    └── stores/
+        └── layout.ts               # Grid layout state + localStorage persistence
 ```
 
+## Security
+
+- API endpoints are optionally protected by a shared `X-Dashboard-Key` header (`DASHBOARD_KEY` env var) — **enable this if the dashboard is publicly reachable**
+- CORS is restricted to `ALLOWED_ORIGINS`
+- Request bodies are capped at 512 KB; messages at 32 KB
+- Chat sessions expire after 24 hours of inactivity
+- Containers run as non-root
+- Raw errors from external APIs are never forwarded to the client
+
 ## License
 
 MIT

cmd/server/main.go

@@ -2,21 +2,24 @@ package main
 
 import (
 	"log"
+	"log/slog"
 	"net/http"
 	"os"
 	"strings"
 
 	"github.com/dandydeveloper/dandy-dashboard/internal/config"
+	"github.com/dandydeveloper/dandy-dashboard/internal/httputil"
+	"github.com/dandydeveloper/dandy-dashboard/internal/middleware"
 	"github.com/dandydeveloper/dandy-dashboard/internal/store"
 	"github.com/dandydeveloper/dandy-dashboard/internal/widget"
 	"github.com/dandydeveloper/dandy-dashboard/internal/widgets/calendar"
 	"github.com/dandydeveloper/dandy-dashboard/internal/widgets/claude"
 	"github.com/dandydeveloper/dandy-dashboard/internal/widgets/japanese"
-	"github.com/labstack/echo/v4"
-	"github.com/labstack/echo/v4/middleware"
 )
 
 func main() {
+	logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
+
 	cfg, err := config.Load()
 	if err != nil {
 		log.Fatalf("config: %v", err)
@@ -25,12 +28,11 @@ func main() {
 	kv := mustOpenStore(cfg)
 	defer kv.Close()
 
-	registry := buildRegistry(cfg, kv)
-
-	e := buildServer(cfg, registry)
+	registry := buildRegistry(cfg, kv, logger)
+	srv := buildServer(cfg, registry, logger)
 
-	log.Printf("Dandy Dashboard running on :%s", cfg.Port)
-	if err := e.Start(":" + cfg.Port); err != nil && err != http.ErrServerClosed {
+	logger.Info("server starting", "port", cfg.Port)
+	if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 		log.Fatalf("server: %v", err)
 	}
 }
@@ -48,10 +50,10 @@ func mustOpenStore(cfg *config.Config) store.Store {
 	return kv
 }
 
-func buildRegistry(cfg *config.Config, kv store.Store) *widget.Registry {
+func buildRegistry(cfg *config.Config, kv store.Store, logger *slog.Logger) *widget.Registry {
 	registry := &widget.Registry{}
 
-	registry.Register(claude.New(cfg.AnthropicAPIKey))
+	registry.Register(claude.New(cfg.AnthropicAPIKey, logger))
 
 	japaneseWidget, err := japanese.New(kv, cfg.WaniKaniToken)
 	if err != nil {
@@ -68,40 +70,25 @@ func buildRegistry(cfg *config.Config, kv store.Store) *widget.Registry {
 	return registry
 }
 
-func buildServer(cfg *config.Config, registry *widget.Registry) *echo.Echo {
-	e := echo.New()
-	e.HideBanner = true
-
-	e.Use(middleware.Logger())
-	e.Use(middleware.Recover())
-	e.Use(middleware.RequestID())
-	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
-		AllowOrigins: strings.Split(cfg.AllowedOrigins, ","),
-		AllowMethods: []string{http.MethodGet, http.MethodPost, http.MethodOptions},
-		AllowHeaders: []string{echo.HeaderContentType, "X-Dashboard-Key"},
-	}))
-
-	if cfg.DashboardKey != "" {
-		e.Use(apiKeyMiddleware(cfg.DashboardKey))
-	}
+func buildServer(cfg *config.Config, registry *widget.Registry, logger *slog.Logger) *http.Server {
+	mux := http.NewServeMux()
 
-	registry.Mount(e)
+	registry.Mount(mux)
 
-	e.GET("/api/widgets", func(c echo.Context) error {
-		return c.JSON(http.StatusOK, map[string]interface{}{"widgets": registry.Slugs()})
+	mux.HandleFunc("GET /api/widgets", func(w http.ResponseWriter, r *http.Request) {
+		httputil.WriteJSON(w, http.StatusOK, map[string]any{"widgets": registry.Slugs()})
 	})
 
-	return e
-}
-
-func apiKeyMiddleware(key string) echo.MiddlewareFunc {
-	return func(next echo.HandlerFunc) echo.HandlerFunc {
-		return func(c echo.Context) error {
-			if strings.HasPrefix(c.Request().URL.Path, "/api/") &&
-				c.Request().Header.Get("X-Dashboard-Key") != key {
-				return echo.ErrUnauthorized
-			}
-			return next(c)
-		}
+	handler := middleware.Chain(mux,
+		middleware.Recover(logger),
+		middleware.RequestID(),
+		middleware.Logger(logger),
+		middleware.CORS(strings.Split(cfg.AllowedOrigins, ",")),
+		middleware.APIKey(cfg.DashboardKey),
+	)
+
+	return &http.Server{
+		Addr:    ":" + cfg.Port,
+		Handler: handler,
 	}
 }

docker/backend.Dockerfile

@@ -10,12 +10,15 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server
 
 # Stage 2 — Runtime
 FROM alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
+RUN apk add --no-cache ca-certificates tzdata \
+ && addgroup -S app && adduser -S -G app app
 WORKDIR /app
 COPY --from=builder /server .
+RUN chown app:app /app/server
 
 # /data is where dashboard.db lives when using the embedded bolt backend.
 VOLUME ["/data"]
 
+USER app
 EXPOSE 8080
 ENTRYPOINT ["/app/server"]

docker/frontend.Dockerfile

@@ -1,16 +1,19 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1 — Build
-FROM node:24-alpine AS builder
+FROM node:24.14.0-alpine AS builder
 WORKDIR /app
 COPY web/package*.json ./
 RUN npm ci
 COPY web/ .
 RUN npm run build
 
 # Stage 2 — Runtime (Nginx)
-FROM nginx:1.27-alpine
+FROM nginx:1.29-alpine
 COPY --from=builder /app/dist /usr/share/nginx/html
 COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
+RUN chown -R nginx:nginx /usr/share/nginx/html /var/cache/nginx /var/log/nginx \
+ && chmod -R 755 /usr/share/nginx/html
 
+USER nginx
 EXPOSE 80

docs/screenshot.png

@@ -5,7 +5,6 @@ go 1.25.0
 require (
 	github.com/anthropics/anthropic-sdk-go v1.26.0
 	github.com/joho/godotenv v1.5.1
-	github.com/labstack/echo/v4 v4.15.1
 	github.com/redis/go-redis/v9 v9.18.0
 	go.etcd.io/bbolt v1.4.3
 	golang.org/x/oauth2 v0.36.0
@@ -25,15 +24,10 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
-	github.com/labstack/gommon v0.4.2 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
-	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasttemplate v1.2.2 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.39.0 // indirect
@@ -45,7 +39,6 @@ require (
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/time v0.15.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/grpc v1.79.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect