senke/veza - Talas Project: Beyond coding. We Forge.

senke/veza

Fork 0

Commit graph

Author	SHA1	Message	Date
senke	113210734c	chore(infra): J6 — mark 3 dormant docker-compose files as deprecated Audit cross-checked against active composes shows three dormant compose files that duplicate functionality already covered by the canonical docker-compose.{,dev,prod,staging,test}.yml at the repo root. None are referenced from Make targets, scripts, or CI workflows. They have diverged from the active set (different ports, older Postgres version, no shared volume names, etc.) and are a footgun for new contributors. Files marked DEPRECATED with a header pointing at the canonical compose to use instead: veza-stream-server/docker-compose.yml Standalone stream-server compose. Same service is provided by the root docker-compose.yml under the `docker-dev` profile. infra/docker-compose.lab.yml Lab Postgres on default port 5432. Conflicts with a host Postgres on most setups; root docker-compose.dev.yml uses non-default ports for a reason. config/docker/docker-compose.local.yml Local Postgres 15 variant on port 5433. Redundant with root docker-compose.dev.yml (Postgres 16, project-wide port mapping). Not in this commit (intentionally limited J6 scope, per audit plan "verify, don't refactor"): - No `extends:` consolidation across the active composes — that is a 1-2 day refactor on its own and not a v1.0.4 concern. - The five active composes were syntactically validated locally (docker compose config); production and staging both require operator-injected env vars (DB_PASS, S3_*, RABBITMQ_PASS, etc.) which is the intended behavior, not a bug. - Cross-compose audit confirms zero references to the removed chat-server or any other dead service / image. Only one residual deprecation warning across all active composes: the obsolete `version:` field on docker-compose.{prod,test,test}.yml — cosmetic, not blocking. - Test suite verification (Go / Rust / Vitest) deferred to Forgejo CI rather than re-running locally. The pre-push hook + remote pipeline will gate the next push. Follow-up candidates (not blocking v1.0.4): - Delete the three deprecated files once a 2-month grace period confirms no local dev workflow references them. - Drop the obsolete `version:` field across the active composes. Refs: AUDIT_REPORT.md §6.1, §10 P7	2026-04-15 12:58:39 +02:00
senke	2d3cb18b7c	fix(security): restrict CORS origins in stream-server - Change default ALLOWED_ORIGINS from wildcard () to localhost:5173 in veza-stream-server/docker-compose.yml - Also fixed local .env (untracked) to use specific dev domains Previously, the stream-server docker-compose defaulted to ALLOWED_ORIGINS= which would allow any origin to access the streaming API. Addresses audit finding: A05 (Security Misconfiguration) — HIGH. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-11 22:42:04 +01:00
okinrev	a01d7a25ac	adding initial stream server (Rust)	2025-12-03 20:36:56 +01:00

Author

SHA1

Message

Date

senke

113210734c

chore(infra): J6 — mark 3 dormant docker-compose files as deprecated

Audit cross-checked against active composes shows three dormant compose
files that duplicate functionality already covered by the canonical
docker-compose.{,dev,prod,staging,test}.yml at the repo root. None are
referenced from Make targets, scripts, or CI workflows. They have
diverged from the active set (different ports, older Postgres version,
no shared volume names, etc.) and are a footgun for new contributors.

Files marked DEPRECATED with a header pointing at the canonical compose
to use instead:

  veza-stream-server/docker-compose.yml
    Standalone stream-server compose. Same service is provided by the
    root docker-compose.yml under the `docker-dev` profile.

  infra/docker-compose.lab.yml
    Lab Postgres on default port 5432. Conflicts with a host Postgres on
    most setups; root docker-compose.dev.yml uses non-default ports for
    a reason.

  config/docker/docker-compose.local.yml
    Local Postgres 15 variant on port 5433. Redundant with root
    docker-compose.dev.yml (Postgres 16, project-wide port mapping).

Not in this commit (intentionally limited J6 scope, per audit plan
"verify, don't refactor"):

  - No `extends:` consolidation across the active composes — that is a
    1-2 day refactor on its own and not a v1.0.4 concern.
  - The five active composes were syntactically validated locally
    (docker compose config); production and staging both require
    operator-injected env vars (DB_PASS, S3_*, RABBITMQ_PASS, etc.)
    which is the intended behavior, not a bug.
  - Cross-compose audit confirms zero references to the removed
    chat-server or any other dead service / image. Only one residual
    deprecation warning across all active composes: the obsolete
    `version:` field on docker-compose.{prod,test,test}.yml — cosmetic,
    not blocking.
  - Test suite verification (Go / Rust / Vitest) deferred to Forgejo CI
    rather than re-running locally. The pre-push hook + remote pipeline
    will gate the next push.

Follow-up candidates (not blocking v1.0.4):
  - Delete the three deprecated files once a 2-month grace period
    confirms no local dev workflow references them.
  - Drop the obsolete `version:` field across the active composes.

Refs: AUDIT_REPORT.md §6.1, §10 P7

2026-04-15 12:58:39 +02:00

senke

2d3cb18b7c

fix(security): restrict CORS origins in stream-server

- Change default ALLOWED_ORIGINS from wildcard (*) to localhost:5173
  in veza-stream-server/docker-compose.yml
- Also fixed local .env (untracked) to use specific dev domains

Previously, the stream-server docker-compose defaulted to ALLOWED_ORIGINS=*
which would allow any origin to access the streaming API.

Addresses audit finding: A05 (Security Misconfiguration) — HIGH.

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-02-11 22:42:04 +01:00

okinrev

a01d7a25ac

adding initial stream server (Rust)

2025-12-03 20:36:56 +01:00

3 commits