azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-22 06:21:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes
ci/woodpecker/push/build-arm Pipeline failed
Details

Browse Source 
Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 05:31:11 +03:00
parent b016fd8207
commit f7dd6c98d8
32 changed files with 1833 additions and 502 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mission-planner/.env.example
+12 -4
View File
@@ -5,10 +5,13 @@
# style so devs can keep both roots in sync.
#
# Every variable is OPTIONAL. When unset, the app falls back to:
# - VITE_OWM_API_KEY : undefined → getWeatherData returns null (no fetch)
# - VITE_OWM_BASE_URL : https://api.openweathermap.org/data/2.5
# - VITE_SATELLITE_TILE_URL : Esri ArcGIS World Imagery (legacy default; will
# be migrated in a future cycle to mirror AZ-498)
# - VITE_OWM_API_KEY : undefined → getWeatherData returns null (no fetch)
# - VITE_OWM_BASE_URL : https://api.openweathermap.org/data/2.5
# - VITE_SATELLITE_TILE_URL : Esri ArcGIS World Imagery (legacy default; will
# be migrated in a future cycle to mirror AZ-498)
# - VITE_GOOGLE_GEOCODE_KEY : undefined → geocodeAddress logs a warn and
# returns null (LeftBoard's address box becomes
# a no-op for non-coordinate inputs)
# OpenWeatherMap API key. Required for the wind-effect overlay. Leave unset for
# CI / dry runs — `getWeatherData` returns `null` and the overlay hides itself.
@@ -23,3 +26,8 @@ VITE_OWM_BASE_URL=
# (different vite root). Today defaults to Esri; AZ-498's swap to the suite's
# own satellite-provider only covers the main SPA.
VITE_SATELLITE_TILE_URL=https://server.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/{z}/{y}/{x}
# Google Geocode API key. Required by LeftBoard's address-search box (AZ-501).
# Leave unset for CI / dry runs — `geocodeAddress` returns `null` and logs a
# single warning. Coordinate-form input ("lat, lng") still works without a key.
VITE_GOOGLE_GEOCODE_KEY=<your-google-geocode-api-key>