
Production hardening: security, UI, docs, logging, deployment#1

Merged
HeadyMe merged 1 commit into main from audit/production-hardening on Mar 24, 2026

Production hardening: security, UI, docs, logging, deployment#1
HeadyMe merged 1 commit intomainfrom
audit/production-hardening

Conversation

@HeadyMe HeadyMe commented Mar 10, 2026

Summary

  • Localhost contamination removed — startup logging no longer prints localhost URLs; uses structured JSON logging with configured BASE_URL
  • Security headers added — X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, HSTS (production)
  • CORS hardened — env-driven ALLOWED_ORIGINS replaces open-by-default behavior
  • Landing page rebuilt — full production page with navigation, features grid, ecosystem links, call-to-action buttons
  • Routes added — /docs (full documentation with config, architecture, API, deployment, troubleshooting), /services (ecosystem directory), styled 404 handler
  • Structured logging — JSON output in production, human-readable in development
  • Graceful shutdown — SIGTERM/SIGINT handling with 10s timeout for container orchestrators
  • Port mismatch fixed — default aligned to 8080 (was 3000 in code vs 8080 in Dockerfile)
  • Dockerfile improved — multi-stage build for smaller images + HEALTHCHECK instruction
  • CI enhanced — PR trigger added, route verification step tests all 4 endpoints
  • README overhauled — config table, routes table, architecture, deployment, ecosystem map, troubleshooting

Test plan

  • npm test passes
  • GET /health returns 200 with JSON status
  • GET / returns full landing page with nav, features, ecosystem
  • GET /docs returns documentation page
  • GET /services returns ecosystem service directory
  • GET /nonexistent returns 404 styled page
  • All 5 security headers present on responses
  • Graceful shutdown on SIGTERM works correctly
  • Docker build and run (requires Docker)
  • Cloud Run deployment (requires GCP credentials)

🤖 Generated with Claude Code

…docs, 404

- Remove localhost contamination from startup logging
- Add security headers (X-Content-Type-Options, X-Frame-Options, XSS, Referrer-Policy, Permissions-Policy, HSTS)
- Add env-driven CORS configuration (ALLOWED_ORIGINS)
- Rebuild landing page with navigation, features grid, ecosystem links
- Add /docs route with full documentation (config, architecture, API, deployment, troubleshooting)
- Add /services route with Heady ecosystem service directory
- Add styled 404 handler
- Replace console.log with structured logging (JSON in production)
- Add graceful SIGTERM/SIGINT shutdown for container orchestrators
- Fix default port mismatch (3000 -> 8080)
- Dockerfile: multi-stage build, HEALTHCHECK instruction
- CI: add PR trigger and route verification step
- README: config table, routes, architecture, deployment, ecosystem, troubleshooting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@HeadyMe HeadyMe merged commit 952691a into main Mar 24, 2026
1 check failed
@HeadyMe HeadyMe deleted the audit/production-hardening branch March 24, 2026 00:53


2 participants