Security:
- CORS restricted to explicit methods/headers, configurable via CORS_ORIGINS env
- Auth added to /reports/{rid}/html and /compliance-report endpoints
- Ownership check on report downloads
- Rate limiting on login (10 attempts/5min per IP with threading.Lock)
- Non-root container user (agent via gosu entrypoint)
- Nginx security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy)
- .gitignore and .dockerignore for secret leak prevention
- .env.example with documentation
Performance:
- 16 SQLite indexes on foreign keys and frequently queried columns
- Pagination on chat messages (100), reports (50), audit log (100)
- subprocess.run wrapped in run_in_executor (3 async handlers)
- asyncio.wait_for timeouts on GenAI calls (300s) and Chromium PDF (120s)
- Thread pool reduced to 10 workers
- Code splitting with React.lazy (bundle: 1.3MB -> ~550KB initial)
- React.memo on TreeItem (recursive compartment tree)
Error handling:
- 13 bare except clauses replaced with logged Exception handlers
- Graceful shutdown handler (terminates subprocesses + executor)
- File upload validation (50MB max, extension whitelist per endpoint)
- Health check expanded (version, uptime, db_ok)
- Cache-Control on /api/genai/models (1h)
- Auto-cleanup audit_log > 30 days
Dead code removed:
- DownloadsPage.tsx, StubPage.tsx, MfaPage.tsx (moved to UsersPage)
- Legacy frontend/ directory
- 19 unused i18n keys, dist/ removed from git tracking
UX & i18n:
- 8 alert() calls replaced with styled error states (TerraformPage)
- 50+ hardcoded Portuguese strings localized to i18n (pt/en) across 11 files
- aria-label on all icon-only buttons (Chat, Explorer, Sidebar)
- focus-visible CSS for keyboard navigation
- Responsive grid fix (360px -> 280px for mobile)
- aria-hidden on decorative SVGs
Deployment:
- Docker resource limits (backend 4G, frontend 512M)
- Log rotation (json-file, 10MB x 3)
- Terraform version parameterized via ARG
63 lines
1.4 KiB
YAML
63 lines
1.4 KiB
YAML
services:
|
|
backend:
|
|
build:
|
|
context: ./backend
|
|
dockerfile: Dockerfile
|
|
container_name: oci-agent-backend
|
|
restart: unless-stopped
|
|
environment:
|
|
- APP_SECRET=${APP_SECRET:-change-me-in-production-use-a-long-random-string}
|
|
- JWT_EXPIRY_HOURS=${JWT_EXPIRY_HOURS:-12}
|
|
- DATA_DIR=/data
|
|
- CORS_ORIGINS=${CORS_ORIGINS:-}
|
|
- OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
|
|
volumes:
|
|
- agent-data:/data
|
|
networks:
|
|
- agent-net
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:8000/api/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "3"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 4G
|
|
|
|
frontend:
|
|
image: nginx:alpine
|
|
container_name: oci-agent-frontend
|
|
restart: unless-stopped
|
|
volumes:
|
|
- ./frontend-react/dist:/usr/share/nginx/html/app:ro
|
|
- ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
|
|
ports:
|
|
- "${PORT:-8080}:80"
|
|
depends_on:
|
|
- backend
|
|
networks:
|
|
- agent-net
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 512M
|
|
|
|
volumes:
|
|
agent-data:
|
|
driver: local
|
|
|
|
networks:
|
|
agent-net:
|
|
driver: bridge
|