Skip to content

Commit f4ddfa3

Browse files
authored
feat: u72ecu7acbu9875u52a8u6001u5bfcu822au3001u540eu53f0u4fa7u680fu56fau5b9au3001u79fbu52a8u7aefu4ee3u7801u5757u4f18u5316u3001u6807u7b7eu6298u53e0 (#40)
* fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse Critical/High: - Sanitize custom_header/footer through DOMPurify before injection, forbid inline scripts, only allow external script src (fixes #1) - Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS (fixes #5) - Remove authorEmail from public comment API, use DiceBear avatars based on nickname instead of Gravatar hash (fixes #2, #14) - Add login rate limiting: 5 attempts per 15 min per IP (fixes #3) - Reflect request Origin in CORS instead of wildcard (fixes #4) - Add SSRF protection for WebDAV backup and image localization: only allow https://, block private/internal IPs (fixes #6, #13) - Filter javascript: URIs in markdown link renderer (fixes #7) Medium: - Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9) - Add .env.* to .gitignore, remove .env.production from tracking (fixes #10) - Disable source maps in production build (fixes #11) - Remove infrastructure details from health endpoint (fixes #15) * feat(privacy): add cookie consent banner, privacy policy page, and GDPR notice - Add CookieConsent component: bottom banner with accept/reject, stores consent in localStorage, fires 'cookie-consent-accepted' event for third-party script injection gating - Add /privacy route with full privacy policy page (bilingual) - Gate custom_header/footer script injection behind cookie consent: scripts only load after user accepts; non-script HTML injects immediately as before - Add GDPR warning in admin settings 'Extensions & Injection' tab - Add PRIVACY.md to repo root - Add privacy page link in cookie consent banner * fix: 修复移动端代码块横向滚动崩坏问题 - code-block-wrapper 增加 -webkit-overflow-scrolling: touch(iOS 惯性滚动) - pre 和 code 元素增加 white-space: pre 强制不换行,内容真实撑开 wrapper - 移动端 pre 增加 width: max-content + min-width: 100% 确保可超出容器宽度 - code-line 从 display: inline-block 改为 display: block,避免 min-width: 100% 在移动端按父容器宽度错误计算导致代码不撑开横向滚动区域 - 兜底 pre:not(.hljs) 同步修复 * fix: 修复代码块布局坍塌(移除循环宽度依赖) code-line 改回 display: inline-block,移除 width: max-content 和 min-width: calc(100%+8px) 的循环依赖写法(该写法导致移动端代码 内容完全消失)。pre 的 white-space: pre 已足够阻止换行, wrapper 的 overflow-x: auto 负责横向滚动。 * feat: 独立页动态导航、后台侧栏固定、移动端代码块优化、标签折叠 - navbar: 从 /api/pages 获取 showInNav=true 的页面动态注入导航栏 - footer: 底部新增独立页面链接 - admin-layout: 侧栏改用 fixed 定位,彻底脱离文档流 - dashboard: 标签区折叠展开,默认显示2行+展开按钮 - globals.css: 移动端代码块优化(行号flex布局、顶栏sticky、尺寸缩减) - .gitignore: 重写并清理不存在的条目 - 清理 .kilo 和 .playwright-mcp 残留 - 新增 AGENTS.md 和 opencode.json 项目配置 --------- Co-authored-by: one-ea <one-ea@users.noreply.github.com>
1 parent 3aaa008 commit f4ddfa3

14 files changed

Lines changed: 347 additions & 238 deletions

.gitignore

Lines changed: 35 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,32 +1,55 @@
1-
# 依赖
1+
# ============================================================
2+
# Monolith .gitignore — 什么该推送,什么不该推送
3+
# ============================================================
4+
5+
# ────────────────────── 依赖目录(不推送)──────────────────────
26
node_modules/
3-
.next/
47

5-
# 构建产出
8+
# ────────────────────── 构建产出(不推送)──────────────────────
69
dist/
710
.wrangler/
8-
.turbo/
911

10-
# 环境变量
12+
# ────────────────────── 环境变量与密钥(绝不推送)──────────────────
13+
# 所有 .env 文件都可能含密钥,禁止推送
1114
.env
1215
.env.local
13-
.env.*
16+
.env.*.local
17+
.env.production
1418
!.env.example
19+
20+
# Wrangler 本地密钥(含 ADMIN_PASSWORD / JWT_SECRET 等)
1521
.dev.vars
1622

17-
# 系统文件
23+
# ────────────────────── 系统与编辑器临时文件(不推送)──────────────
1824
.DS_Store
25+
Thumbs.db
1926
*.swp
2027
*.swo
28+
*~
2129

22-
# IDE
30+
# IDE 配置
2331
.idea/
32+
.vscode/
2433
*.code-workspace
2534

26-
# Wrangler 本地数据
27-
.wrangler/
28-
29-
# AI 助手记忆库(含私人配置、密码等,禁止推送)
35+
# ────────────────────── AI 工具私有数据(绝不推送)──────────────────
36+
# 记忆库含密码、PAT、私人偏好等敏感信息
3037
.agents/
38+
39+
# 编辑器/AI 全局配置(Antigravity、Gemini、OpenCode 等)
3140
GEMINI.md
3241

42+
# ────────────────────── 日志与调试产物(不推送)──────────────────
43+
*.log
44+
npm-debug.log*
45+
46+
# ────────────────────── 必须推送的重要文件 ──────────────────────
47+
# 以下文件虽然常被误加 gitignore,但必须跟踪:
48+
# ✅ package-lock.json — 锁定依赖版本,CI 的 npm ci 依赖它
49+
# ✅ client/functions/ — Pages Functions 反向代理,漏掉则 /api/* 回退为首页 HTML
50+
# ✅ scripts/ — 部署脚本 (deploy-cloudflare.mjs)
51+
# ✅ AGENTS.md — OpenCode 项目规则(不含密钥)
52+
# ✅ opencode.json — OpenCode 项目配置(含 MCP 远程服务,不含本地密钥)
53+
# ✅ .github/ — CI/CD workflows、Issue/PR 模板、分支保护
54+
# ✅ SECURITY.md — 安全政策
55+
# ✅ PRIVACY.md — 隐私政策

.kilo/package-lock.json

Lines changed: 0 additions & 115 deletions
This file was deleted.

.playwright-mcp/console-2026-04-19T04-35-34-885Z.log

Lines changed: 0 additions & 2 deletions
This file was deleted.

.playwright-mcp/page-2026-04-19T04-35-40-096Z.yml

Lines changed: 0 additions & 1 deletion
This file was deleted.

.playwright-mcp/page-2026-04-19T04-35-49-532Z.yml

Lines changed: 0 additions & 8 deletions
This file was deleted.
-12.3 KB
Binary file not shown.

AGENTS.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
# Monolith 项目规则
2+
3+
## 项目概览
4+
Monolith 是基于 Cloudflare 边缘计算的全栈博客系统。
5+
- 前端:Vite 6 + React 19 + Tailwind CSS v4 + shadcn/ui + wouter
6+
- 后端:Hono Workers + Drizzle ORM
7+
- 代理层:Pages Functions(反向代理 /api/* /cdn/* /rss.xml)
8+
- 存储:D1 (SQLite) + R2 (对象存储),支持 Turso/PostgreSQL/S3 切换
9+
- 主题:OKLCH 色彩空间双主题系统(暗色 Slate & Cyan / 亮色模式)
10+
11+
## 架构要点
12+
- 存储层采用适配器模式:路由只依赖 `IDatabase` / `IObjectStorage` 接口,通过 `DB_PROVIDER` / `STORAGE_PROVIDER` 环境变量切换适配器
13+
- Pages Functions 代理层拦截 `/api/*``/cdn/*``/rss.xml`,转发到 Workers
14+
- Pages Functions 的 `tsconfig.json` 独立引入 `@cloudflare/workers-types`,避免与主项目 DOM 类型冲突
15+
- DOMPurify 净化 Markdown 渲染输出,白名单允许 iframe/video 嵌入
16+
- `searchPosts()` 只搜索 `title + excerpt`,不扫描 `content` 大字段
17+
18+
## 工作区路径
19+
- 项目根目录:`/home/easy/001/Monolith`
20+
- 客户端:`/home/easy/001/Monolith/client`
21+
- 服务端:`/home/easy/001/Monolith/server`
22+
23+
## 分支管理
24+
- 生产分支:`main`(Cloudflare Pages 自动部署绑定)
25+
- 开发分支:`dev`
26+
- 工作流:dev 开发 → commit → push → PR → squash merge 到 main → 部署
27+
- 严禁直接向 main 推送
28+
29+
## 常用命令
30+
- `npm run dev` — 同时启动前后端(client :5173, server :8787)
31+
- `npm run dev:client` / `npm run dev:server` — 单独启动
32+
- `npm run build` — 构建前端
33+
- `npm run deploy:cloudflare` — 一键部署(迁移 + Workers + Pages)
34+
- `npm run db:migrate:local` / `db:migrate:remote` — 数据库迁移
35+
- Node.js 需要 `source $HOME/.nvm/nvm.sh` 后才可用
36+
37+
## 部署铁律
38+
- 使用 `npm run deploy:cloudflare` 一键部署,禁止手动 `wrangler pages deploy`
39+
- 必须从 `client/` 目录部署 `dist`,否则 Pages Functions 会被遗漏
40+
- `package-lock.json` 绝不能放入 `.gitignore`
41+
- CI "Sync Worker secrets" 步骤通过 `wrangler secret put` 注入 ADMIN_PASSWORD / JWT_SECRET
42+
43+
## 踩坑记录(项目特有)
44+
- D1 迁移标记不同步时需手动 `INSERT INTO d1_migrations`
45+
- Cloudflare CDN 有短暂缓存,验证时用部署唯一 URL
46+
- 本地 `client/functions/api/` 目录的 tsconfig 独立,不与主项目混用
47+
- Hono v4 `verify()` 需要 3 个参数:`verify(token, secret, "HS256")`
48+
49+
## 记忆库
50+
项目记忆库路径:`.agents/memory_bank/`
51+
- `README.md` — 索引入口
52+
- `monolith_architecture.md` — 完整架构手册
53+
- `monolith_roadmap.md` — 功能路线图
54+
- `monolith_v1_status.md` — V1 状态报告
55+
- `system_config.md` — 系统配置与凭据
56+
- `ui_design_parameters.md` — UI 排版设计规范
57+
- `typecho_dev_guide.md` — Typecho 开发指南(已弃用项目)
58+
59+
## CI 与安全
60+
- 仓库:`https://github.com/one-ea/Monolith`
61+
- GitHub PAT:已配置在 system_config.md
62+
- 后台密码:`monolith2026`
63+
- 分支保护:main 需要 1 人审批 + 线性历史 + 状态检查

0 commit comments

Comments
 (0)