diff --git a/.env.wallet.example b/.env.wallet.example
index c38bd906817565d3e479f50227d8b351a999a49e..aebc5136dbb79a0b8ac970a12c6ff3421d637995 100644
--- a/.env.wallet.example
+++ b/.env.wallet.example
@@ -1,8 +1,7 @@
 # Denser Wallet Environment Configuration
 # Copy to ~/.denser/.env.wallet and fill in secrets
 #
-# IMPORTANT: Secrets (SECRET_COOKIE_PASSWORD, OIDC_COOKIES_KEYS) should be
-# different from blog for defense in depth. Generate unique values for each.
+# IMPORTANT: Secrets should be different from blog for defense in depth.
 # =============================================================================
 # App Identity (MUST differ between blog and wallet)
@@ -42,23 +41,6 @@ DENSER_SERVER_API_CORS_ALLOW_ORIGIN="false"
 # Must be unique - do not share with blog
 DENSER_SERVER_SECRET_COOKIE_PASSWORD="CHANGE_ME_GENERATE_UNIQUE_SECRET"
-# =============================================================================
-# OIDC (OpenID Connect)
-# =============================================================================
-DENSER_SERVER_OIDC_ENABLED="yes"
-
-# REQUIRED: Generate with: openssl rand -base64 32
-# Must be unique - do not share with blog
-DENSER_SERVER_OIDC_COOKIES_KEYS="CHANGE_ME_GENERATE_UNIQUE_SECRET"
-
-# =============================================================================
-# OpenHive Chat Integration
-# =============================================================================
-# Chat is intentionally disabled for wallet - minimizes attack surface
-# for active key operations. Enable only if specifically needed.
-REACT_APP_OPENHIVE_CHAT_IFRAME_INTEGRATION_ENABLE="no"
-REACT_APP_OPENHIVE_CHAT_IFRAME_VISIBLE="no"
-
 # =============================================================================
 # Logging & Debugging
 # =============================================================================
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index f5a788bc125f47644507634e458895c7de59a6fe..65777b9e6ecb9eb18f156635f6e1de76ad853d8e 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,12 +1,14 @@
-name: 'denser'
-
 services:
 denser-blog:
 image: registry.gitlab.syncad.com/hive/denser/blog:${VERSION:?VERSION required}
 ports:
- - '3000:3000'
+ - target: 3000
+ published: 3000
+ mode: host
 environment:
 PORT: 3000
+ # HOSTNAME must be set via command because Docker overrides env var with container ID
+ command: ["sh", "-c", "HOSTNAME=0.0.0.0 node ./apps/blog/server.js"]
 volumes:
 - ${BLOG_ENV_FILE:?BLOG_ENV_FILE must be set}:/app/apps/.env:ro
 deploy:
@@ -17,18 +19,22 @@ services:
 rollback_config:
 order: start-first
 healthcheck:
- test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3000/trending']
- interval: 10s
- timeout: 5s
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/"]
+ interval: 30s
+ timeout: 10s
 retries: 3
 start_period: 60s
 denser-wallet:
 image: registry.gitlab.syncad.com/hive/denser/wallet:${VERSION:?VERSION required}
 ports:
- - '4000:3000'
+ - target: 3000
+ published: 4000
+ mode: host
 environment:
 PORT: 3000
+ # HOSTNAME must be set via command because Docker overrides env var with container ID
+ command: ["sh", "-c", "HOSTNAME=0.0.0.0 node ./apps/wallet/server.js"]
 volumes:
 - ${WALLET_ENV_FILE:?WALLET_ENV_FILE must be set}:/app/apps/.env:ro
 deploy:
@@ -39,8 +45,8 @@ services:
 rollback_config:
 order: start-first
 healthcheck:
- test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3000/']
- interval: 10s
- timeout: 5s
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/"]
+ interval: 30s
+ timeout: 10s
 retries: 3
 start_period: 60s
diff --git a/packages/renderer/src/security/LinkSanitizer.ts b/packages/renderer/src/security/LinkSanitizer.ts
index 937eebf36725f6eaeab5262d3fc233385a095652..a84fd4ba11c569862f4f10e72c0d9b5a4d2610cd 100644
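Review bot: In docker/docker-compose.yml the new `command` for denser-blog starts node as a child of `sh -c` without `exec`, and the denser-wallet `command` in the second hunk does the same. Depending on the image's shell, `sh` may remain PID 1 and not forward SIGTERM, so a task stopped during a rolling update would sit out the stop grace period and then be killed mid-request. Replacing the shell with node avoids that: `command: ["sh", "-c", "exec env HOSTNAME=0.0.0.0 node ./apps/blog/server.js"]`, and the same with `./apps/wallet/server.js`. The `deploy:` block of each service continues outside the hunk.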
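Review bot: `mode: host` on the denser-wallet port in the second docker-compose.yml hunk (and on denser-blog in the first) conflicts with the `order: start-first` shown under `rollback_config` in the same hunk. On the single-node swarm that scripts/deploy-swarm.sh initialises, a replacement task cannot be placed while the old task still holds port 4000 (or 3000), so a start-first rollback would stall, and so would an update if `update_config`, which lies outside the hunk, is set the same way. Either use `order: stop-first` for these services or keep ingress publishing. Host-mode publishing also binds the port on every interface of the node, so a comment next to `mode: host` such as `# published on all host interfaces; restrict with the host firewall or reverse proxy` would tell operators what to lock down.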
--- a/packages/renderer/src/security/LinkSanitizer.ts
+++ b/packages/renderer/src/security/LinkSanitizer.ts
@@ -25,7 +25,8 @@ export class LinkSanitizer {
 public sanitizeLink(url: string, urlTitle: string): string | false {
 url = this.prependUnknownProtocolLink(url);
- Log.log().debug('LinkSanitizer#sanitizeLink', {url, urlTitle});
+ // Commented out: broken log that doesn't display url/urlTitle, just noise
+ // Log.log().debug('LinkSanitizer#sanitizeLink', {url, urlTitle});
 if (Phishing.looksPhishy(url)) {
 Log.log().debug('LinkSanitizer#sanitizeLink', 'phishing link detected', 'phishing list', url, {
diff --git a/scripts/deploy-swarm.sh b/scripts/deploy-swarm.sh
index 8080e43e04d86877e561b6dd6aad666e8f036c1d..e1470bb67acc67227814b2fa2b7ad03336bb039a 100755
--- a/scripts/deploy-swarm.sh
+++ b/scripts/deploy-swarm.sh
@@ -87,6 +87,13 @@ fi
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 COMPOSE_FILE="$SCRIPT_DIR/../docker/docker-compose.yml"
+# Initialize swarm if not already active (single-node, localhost only)
+SWARM_STATE=$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || echo "unknown")
+if [ "$SWARM_STATE" != "active" ]; then
+ echo "Initializing Docker Swarm (single-node, localhost only)..."
+ docker swarm init --advertise-addr 127.0.0.1 --listen-addr 127.0.0.1:2377
+fi
+
 echo "Deploying version: $VERSION"
 echo "Blog env: $BLOG_ENV_FILE"
 echo "Wallet env: $WALLET_ENV_FILE"
@@ -99,4 +106,10 @@ export BLOG_ENV_FILE
 export WALLET_ENV_FILE
 docker stack deploy -c "$COMPOSE_FILE" denser
+# Force service update to ensure config changes are applied
+# (Docker Swarm sometimes caches service spec when image is unchanged)
+echo "Forcing service update..."
+docker service update --force denser_denser-blog
+docker service update --force denser_denser-wallet
+
 echo "Done. Check status: docker service ls"
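Review bot: The debug call in `sanitizeLink` (packages/renderer/src/security/LinkSanitizer.ts) is left behind as commented-out code instead of being deleted or repaired, which leaves dead code in a security-relevant sanitizer. If the trace is still wanted, the call shape used by the phishing log two lines below passes its values as separate arguments, e.g. `Log.log().debug('LinkSanitizer#sanitizeLink', 'sanitizing', url, urlTitle);`; otherwise drop both new comment lines. Either way `url` and `urlTitle` come from rendered content, so whatever is logged here should be treated as untrusted text by log consumers. The body of `sanitizeLink` continues outside the hunk.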
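Review bot: In the first scripts/deploy-swarm.sh hunk the test `[ "$SWARM_STATE" != "active" ]` treats every other state as "needs init", including the `unknown` fallback written when `docker info` fails and the `pending`, `error` and `locked` node states. In those cases `docker swarm init` is the wrong action, and unless the script runs under `set -e` outside the hunk its failure is ignored and the deploy carries on. Initialising only on `inactive` and aborting on anything else keeps the failure visible, as sketched below. The "localhost only" wording covers the swarm control-plane addresses only; the service ports published in docker-compose.yml are still bound on all interfaces, which the comment could state.

```shell
SWARM_STATE=$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || echo "unknown")
case "$SWARM_STATE" in
    active)
        ;;
    inactive)
        echo "Initializing Docker Swarm (single-node, localhost only)..."
        docker swarm init --advertise-addr 127.0.0.1 --listen-addr 127.0.0.1:2377 || exit 1
        ;;
    *)
        echo "Docker Swarm state is '$SWARM_STATE'; refusing to deploy" >&2
        exit 1
        ;;
esac
```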
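Review bot: The two `docker service update --force` calls in the second scripts/deploy-swarm.sh hunk run unconditionally after `docker stack deploy`, so a deploy that already changed the image restarts every task twice, and within the hunk neither exit status is checked before "Done." is printed. The comment's explanation is vague; presumably the case that matters is an edited env file, which is bind-mounted and so not part of the service spec. I would say so, e.g. `# Restart tasks so edits to the bind-mounted env files are picked up (they are not part of the service spec)`, and fail loudly with `docker service update --force denser_denser-blog || exit 1` (same for the wallet). The stack name `denser` is also repeated inside both service names, so a single variable for it would keep the three uses in sync.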