mirror of
https://github.com/azaion/ui.git
synced 2026-06-21 08:11:10 +00:00
Oleksandr Bezdieniezhnykh
b016fd8207
AZ-498 — self-hosted satellite tiles + drop classic/satellite toggle: - Single TILE_URL via getTileUrl() (mirrors getOwmBaseUrl/getApiBase pattern from AZ-449/AZ-450); env-var VITE_SATELLITE_TILE_URL with dev default http://localhost:5100/tiles/{z}/{x}/{y}. - FlightMap + MiniMap render one TileLayer with crossOrigin="use-credentials" so Leaflet's <img> tile fetcher attaches the same-origin satellite-provider auth cookie. - ImportMetaEnv + .env.example collapse the prior OSM/Esri pair into one var. The flights.planner.satellite i18n key is removed in lockstep across en.json + ua.json (parity preserved). - E2E harness wired end-to-end: compose passes the new var to azaion-ui; tile-stub serves /tiles/{z}/{x}/{y} with Content-Type=image/jpeg + Cache-Control + ETag matching the contract; infrastructure.e2e.ts AC-2 asserts the new path; dead OSM defenses removed from EXTERNAL_HOSTS route guard. - Fast-profile MSW handlers rewritten for the cookie-auth path shape. - 8 colocated fast tests under src/features/flights/__tests__/. AZ-499 — mission-planner OWM env-var hardening + AZ-482 source-scan gap close: - WeatherService.ts reads VITE_OWM_API_KEY + VITE_OWM_BASE_URL; fail-soft null when key unset (mirrors AZ-448 main-SPA contract). Public signature getWeatherData(lat, lon) preserved. - mission-planner/.env.example + vite-env.d.ts declare both vars. - New owm_key_in_source banned-deps kind scans src/ AND mission-planner/ for the rotated literal; STC-SEC1C row added to scripts/run-tests.sh; check-banned-deps.mjs dispatch extended. - 7 fast tests under tests/mission_planner_weather.test.ts cover AC-1..AC-4 + trailing-slash + happy path + network-error fail-soft. Spec drift (recorded in batch_11_report.md, user-approved Choose B on 2026-05-12): - AZ-498 AC-8 dropped (named tile_split_zoom* files belong to AZ-474 image-annotation surface, not map tiles). - 4 missing files added in-scope (msw tiles handler, tile-stub server, compose env, dead VITE_TILE_BASE_URL replaced). - AZ-499 STC-S6 ID conflict resolved by using STC-SEC1C. Pending USER ACTION (BLOCKING for AZ-499 close): - Revoke OpenWeatherMap key 335799082893fad97fa36118b131f919 at home.openweathermap.org/api_keys; capture evidence on AZ-499. Cross-workspace deploy gate (handled at autodev Step 16, not a Step-10 blocker for AZ-498): - satellite-provider cookie-auth on GET /tiles/{z}/{x}/{y} (separate AZAION ticket on the satellite-provider workspace). Reports: _docs/03_implementation/batch_11_report.md and _docs/03_implementation/reviews/batch_11_review.md (verdict PASS_WITH_WARNINGS — 1 Low, pre-existing trim-trailing-slash duplication across vite roots). Static gates: STC-ARCH-01, STC-ARCH-02, STC-T1, STC-FP22, STC-FP23, STC-SEC1C all PASS post-refactor. +15 fast tests; +1 STC-SEC1C row. Co-authored-by: Cursor <cursoragent@cursor.com>
127 lines
4.5 KiB
JSON
127 lines
4.5 KiB
JSON
{
|
|
"$comment": "Single source of truth for static deny-lists exercised by scripts/run-tests.sh static profile. Adding/removing entries here is the gate code-review enforces (per AZ-482 constraint: 'deny-list lives in tests/security/banned-deps.json so additions are visible in code review'). Each section names the AC it traces to and is consumed by scripts/check-banned-deps.mjs.",
|
|
"ml_libs": {
|
|
"ac": "NFT-SEC-10",
|
|
"scope": "package.json (dependencies + devDependencies)",
|
|
"match": "regex-on-name",
|
|
"patterns": [
|
|
"onnxruntime",
|
|
"tensorflow",
|
|
"tflite",
|
|
"coreml",
|
|
"tfjs",
|
|
"@tensorflow/",
|
|
"@huggingface/",
|
|
"transformers\\.js"
|
|
]
|
|
},
|
|
"signature_libs": {
|
|
"ac": "NFT-SEC-11",
|
|
"scope": "package.json (dependencies + devDependencies)",
|
|
"match": "regex-on-name",
|
|
"patterns": [
|
|
"jsrsasign",
|
|
"tweetnacl",
|
|
"@noble/",
|
|
"^jose$",
|
|
"^jsonwebtoken$",
|
|
"^node-forge$"
|
|
]
|
|
},
|
|
"persistence_libs": {
|
|
"ac": "O2 (NFR) — no client-side persistence library",
|
|
"scope": "package.json (dependencies + devDependencies)",
|
|
"match": "regex-on-name",
|
|
"patterns": [
|
|
"^localforage$",
|
|
"^idb$",
|
|
"^dexie$"
|
|
]
|
|
},
|
|
"ws_graphql_ssr_libs": {
|
|
"ac": "O11 (NFR) — no SSR/WS/GraphQL",
|
|
"scope": "package.json (dependencies + devDependencies)",
|
|
"match": "regex-on-name",
|
|
"patterns": [
|
|
"^ws$",
|
|
"^socket\\.io$",
|
|
"^graphql$",
|
|
"^apollo$",
|
|
"@apollo/",
|
|
"^grpc-web$",
|
|
"^react-dom/server$"
|
|
]
|
|
},
|
|
"legacy_integrations": {
|
|
"ac": "NFT-SEC-13 — dropped legacy integrations not present in source",
|
|
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
|
|
"match": "ripgrep-pattern",
|
|
"patterns": [
|
|
"WhatsApp",
|
|
"TelegramBot",
|
|
"D-Bus",
|
|
"libsignal"
|
|
]
|
|
},
|
|
"concurrent_edit_patterns": {
|
|
"ac": "NFT-SEC-14 (AC-N1 anti-criterion) — no concurrent-edit reconciliation surface",
|
|
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
|
|
"match": "ripgrep-pattern",
|
|
"patterns": [
|
|
"concurrent.edit",
|
|
"operational.transform",
|
|
"crdt",
|
|
"y-?websocket"
|
|
]
|
|
},
|
|
"owm_key_in_dist": {
|
|
"ac": "NFT-SEC-09 (AC-1, dist/ portion) — OpenWeatherMap key not shipped in built bundle",
|
|
"scope": "dist/ (post-`bun run build` artifacts)",
|
|
"match": "literal",
|
|
"patterns": [
|
|
"335799082893fad97fa36118b131f919"
|
|
]
|
|
},
|
|
"owm_key_in_source": {
|
|
"ac": "NFT-SEC-09 (AC-1, source portion) — OpenWeatherMap key not present in source tree",
|
|
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
|
|
"match": "literal",
|
|
"patterns": [
|
|
"335799082893fad97fa36118b131f919"
|
|
]
|
|
},
|
|
"alert_calls": {
|
|
"ac": "NFT-SEC-07 (AZ-466 AC-5) — no alert() in production source",
|
|
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
|
|
"match": "ripgrep-pattern",
|
|
"patterns": [
|
|
"\\balert\\s*\\("
|
|
],
|
|
"$allowlist_comment": "Snapshot of currently-allowed alert() locations. Phase B feature tasks should drain this list one entry at a time. New alerts are blocked by the static check; removing an entry is a code-review-visible improvement.",
|
|
"allowlist": [
|
|
"src/features/annotations/MediaList.tsx",
|
|
"src/features/flights/FlightsPage.tsx",
|
|
"mission-planner/src/flightPlanning/JsonEditorDialog.tsx",
|
|
"mission-planner/src/flightPlanning/flightPlan.tsx"
|
|
]
|
|
},
|
|
"destructive_surfaces": {
|
|
"ac": "NFT-SEC-08 (AZ-466 AC-4) — every destructive surface is reviewed and either gated by ConfirmDialog or recorded as a known drift",
|
|
"scope": "src/ files that call api.delete( or destructive api.patch(",
|
|
"match": "file-level: a file containing a destructive call MUST be listed below; new destructive surfaces FAIL the check",
|
|
"patterns": [
|
|
"api\\.delete\\(",
|
|
"api\\.patch\\([^,]+,\\s*\\{\\s*isActive\\s*:"
|
|
],
|
|
"$gated_comment": "Files that perform destructive mutations AND wire ConfirmDialog around them. Code review checks the wiring per file.",
|
|
"gated": [
|
|
"src/features/annotations/MediaList.tsx",
|
|
"src/features/flights/FlightsPage.tsx"
|
|
],
|
|
"$drift_comment": "Files that perform destructive mutations WITHOUT a ConfirmDialog gate today. Phase B follow-up tasks land the gate and move each entry to `gated`. Adding a new entry here requires a code-review reason.",
|
|
"drift": [
|
|
"src/features/admin/AdminPage.tsx"
|
|
]
|
|
}
|
|
}
|