feat: sdk migration in progress

2026-02-13 12:50:05 +01:00 · 2025-11-02 13:19:30 +00:00
commit 0d10d42442
492 changed files with 71067 additions and 0 deletions
--- a/internal/api/mw_security.go
+++ b/internal/api/mw_security.go
@@ -0,0 +1,63 @@
+package api
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/glueops/autoglue/internal/config"
+)
+
+func SecurityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// HSTS (enable only over TLS/behind HTTPS)
+		// HSTS only when not in dev and over TLS/behind a proxy that terminates TLS
+		if !config.IsDev() {
+			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
+		}
+
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=(), interest-cohort=()")
+
+		if config.IsDev() {
+			// --- Relaxed CSP for Vite dev server & Google Fonts ---
+			// Allows inline/eval for React Refresh preamble, HMR websocket, and fonts.
+			// Tighten these as you move to prod or self-host fonts.
+			w.Header().Set("Content-Security-Policy", strings.Join([]string{
+				"default-src 'self'",
+				"base-uri 'self'",
+				"form-action 'self'",
+				// Vite dev & inline preamble/eval:
+				"script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:5173",
+				// allow dev style + Google Fonts
+				"style-src 'self' 'unsafe-inline' http://localhost:5173 https://fonts.googleapis.com",
+				"img-src 'self' data: blob:",
+				// Google font files
+				"font-src 'self' data: https://fonts.gstatic.com",
+				// HMR connections
+				"connect-src 'self' http://localhost:5173 ws://localhost:5173 ws://localhost:8080",
+				"frame-ancestors 'none'",
+			}, "; "))
+		} else {
+			// --- Strict CSP for production ---
+			// If you keep using Google Fonts in prod, add:
+			//   style-src ... https://fonts.googleapis.com
+			//   font-src  ... https://fonts.gstatic.com
+			// Recommended: self-host fonts in prod and keep these tight.
+			w.Header().Set("Content-Security-Policy", strings.Join([]string{
+				"default-src 'self'",
+				"base-uri 'self'",
+				"form-action 'self'",
+				"script-src 'self'",
+				"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+				"img-src 'self' data: blob:",
+				"font-src 'self' data: https://fonts.gstatic.com",
+				"connect-src 'self'",
+				"frame-ancestors 'none'",
+			}, "; "))
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}