security: harden gitignore and add config example files [v1.3.7]
- Expanded .gitignore: root venv, npx_cache, AI metadata (.remember, .claude), data/ (SQLite DB), frontend/config/, frontend/public/icons/, certificates, docker-compose.override.yml - Removed backend/config/ldap_config.json from git tracking (contains real IPs/credentials) - Added backend/config/ldap_config.json.example with placeholder template - Updated backend/.env.example: added JWT_SECRET_KEY, ALLOWED_ORIGINS, DATA_DIR, LOGS_DIR
This commit is contained in:
81
.gitignore
vendored
81
.gitignore
vendored
@@ -1,11 +1,80 @@
|
|||||||
|
# ============================================================
|
||||||
|
# TFM aInventory — .gitignore
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
# ── Python environments ──────────────────────────────────────
|
||||||
|
.venv/
|
||||||
backend/venv/
|
backend/venv/
|
||||||
|
**/__pycache__/
|
||||||
|
*.pyc
|
||||||
|
*.pyo
|
||||||
|
*.pyd
|
||||||
|
*.egg-info/
|
||||||
|
dist/
|
||||||
|
build/
|
||||||
|
|
||||||
|
# ── Runtime data (databases, configs w/ secrets) ─────────────
|
||||||
|
data/
|
||||||
backend/data/
|
backend/data/
|
||||||
backend/logs/
|
backend/logs/
|
||||||
frontend/logs/
|
# LDAP config contains real server IPs and credentials — never commit
|
||||||
__pycache__/
|
# The active config is: backend/config/ldap_config.json (read by the app)
|
||||||
*.pyc
|
# Duplicate/orphan copies are also excluded:
|
||||||
|
backend/ldap_config.json
|
||||||
|
backend/config/ldap_config.json
|
||||||
|
backend/data/ldap_config.json
|
||||||
|
# Keep example files tracked:
|
||||||
|
!backend/config/ldap_config.json.example
|
||||||
|
|
||||||
|
# ── Environment files (secrets) ──────────────────────────────
|
||||||
.env
|
.env
|
||||||
.DS_Store
|
.env.*
|
||||||
aInventory-PROD*
|
!.env.example
|
||||||
aInventory-PROD*.zip
|
backend/.env
|
||||||
|
backend/.env.*
|
||||||
|
!backend/.env.example
|
||||||
|
# Docker environment override file
|
||||||
|
docker-compose.override.yml
|
||||||
|
.env.docker
|
||||||
|
|
||||||
|
# ── Application logs ─────────────────────────────────────────
|
||||||
logs/
|
logs/
|
||||||
|
frontend/logs/
|
||||||
|
|
||||||
|
# ── Frontend build artifacts ──────────────────────────────────
|
||||||
|
frontend/.next/
|
||||||
|
frontend/out/
|
||||||
|
frontend/build/
|
||||||
|
frontend/node_modules/
|
||||||
|
|
||||||
|
# ── Frontend generated/runtime assets ────────────────────────
|
||||||
|
# SSL certs and runtime configs (generated by start_server.sh)
|
||||||
|
frontend/config/
|
||||||
|
# PWA icons generated at build time
|
||||||
|
frontend/public/icons/
|
||||||
|
|
||||||
|
# ── npm / npx caches ─────────────────────────────────────────
|
||||||
|
.npx_cache/
|
||||||
|
scratch/npm_cache/
|
||||||
|
*.log
|
||||||
|
npm-debug.log*
|
||||||
|
yarn-debug.log*
|
||||||
|
yarn-error.log*
|
||||||
|
|
||||||
|
# ── Production bundles (generated by export_prod.sh) ─────────
|
||||||
|
aInventory-PROD*/
|
||||||
|
aInventory-PROD*.zip
|
||||||
|
|
||||||
|
# ── AI / IDE metadata ─────────────────────────────────────────
|
||||||
|
.remember/
|
||||||
|
.claude/
|
||||||
|
|
||||||
|
# ── macOS system files ────────────────────────────────────────
|
||||||
|
.DS_Store
|
||||||
|
**/.DS_Store
|
||||||
|
|
||||||
|
# ── Certificates & keys ──────────────────────────────────────
|
||||||
|
*.pem
|
||||||
|
*.key
|
||||||
|
*.crt
|
||||||
|
*.cert
|
||||||
|
|||||||
12
VERSION.json
12
VERSION.json
@@ -1,10 +1,10 @@
|
|||||||
{
|
{
|
||||||
"version": "1.3.6",
|
"version": "1.3.7",
|
||||||
"last_build": "2026-04-11-1714",
|
"last_build": "2026-04-11-1936",
|
||||||
"commit": "ccc69d92",
|
"commit": "pending",
|
||||||
"changelog": [
|
"changelog": [
|
||||||
"v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)",
|
"v1.3.7: Security hardening — expanded .gitignore (venv, caches, ldap configs, AI metadata), removed backend/config/ldap_config.json from git tracking, added ldap_config.json.example and updated .env.example",
|
||||||
"v1.3.4: Created USER_GUIDE.md for end-users and integrated into export bundle",
|
"v1.3.6: Scanner UI redesign (autonomous OCR, countdown), Item Type datalist, save-version automation",
|
||||||
"v1.3.3: Added comprehensive project README.md documenting all operational modes"
|
"v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -1,5 +1,25 @@
|
|||||||
# Google Gemini API Key
|
# ============================================================
|
||||||
GEMINI_API_KEY=your_gemini_key_here
|
# TFM aInventory — Backend Environment Variables
|
||||||
|
# Copy this file to .env and fill in real values.
|
||||||
|
# NEVER commit the real .env file to Git!
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
# Anthropic Claude API Key
|
# --- AI API Keys ---
|
||||||
CLAUDE_API_KEY=your_claude_key_here
|
# Google Gemini API Key (required for AI label OCR onboarding)
|
||||||
|
GEMINI_API_KEY=your_gemini_api_key_here
|
||||||
|
|
||||||
|
# --- Security ---
|
||||||
|
# JWT secret key — generate a strong random value for production:
|
||||||
|
# python3 -c "import secrets; print(secrets.token_urlsafe(64))"
|
||||||
|
# If not set, an ephemeral key is generated per-run (tokens invalidated on restart).
|
||||||
|
JWT_SECRET_KEY=change-me-generate-a-secure-random-value
|
||||||
|
|
||||||
|
# --- CORS ---
|
||||||
|
# Comma-separated list of allowed frontend origins
|
||||||
|
# Example for LAN deployment:
|
||||||
|
# ALLOWED_ORIGINS=http://192.168.1.100:3000,https://192.168.1.100:3003
|
||||||
|
ALLOWED_ORIGINS=http://localhost:3000,https://localhost:3003
|
||||||
|
|
||||||
|
# --- Data Paths (overridden by start_server.sh / docker-compose) ---
|
||||||
|
# DATA_DIR=/absolute/path/to/data
|
||||||
|
# LOGS_DIR=/absolute/path/to/logs
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
{"ldap_enabled": true, "server_uri": "ldap://192.168.84.107:3890", "base_dn": "dc=example,dc=com", "user_template": "cn={username},ou=people,dc=example,dc=com", "groups_dn": "ou=groups", "use_tls": false, "role_mappings": [{"group": "inventory_admins", "role": "admin"}, {"group": "inventory_users", "role": "user"}]}
|
|
||||||
19
backend/config/ldap_config.json.example
Normal file
19
backend/config/ldap_config.json.example
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
{
|
||||||
|
"_comment": "Copy this file to ldap_config.json and fill in real values. NEVER commit ldap_config.json to Git.",
|
||||||
|
"ldap_enabled": false,
|
||||||
|
"server_uri": "ldap://YOUR_LDAP_SERVER_IP:389",
|
||||||
|
"base_dn": "dc=yourdomain,dc=com",
|
||||||
|
"user_template": "cn={username},ou=people,dc=yourdomain,dc=com",
|
||||||
|
"groups_dn": "ou=groups",
|
||||||
|
"use_tls": false,
|
||||||
|
"role_mappings": [
|
||||||
|
{
|
||||||
|
"group": "inventory_admins",
|
||||||
|
"role": "admin"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"group": "inventory_users",
|
||||||
|
"role": "user"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user