- S8209: group consecutive params of same type in chat.go, task.go, user.go
- S1192: extract constants for duplicated literals in community.go, auth.go, echo.go, router.go, user.go
- S3776: reduce cognitive complexity by extracting helpers in community.go, chat.go, task_ai.go, user.go
- S107: create Handlers struct in router.go to reduce Setup() params from 16 to 4
- S1135: replace TODO with descriptive comment in auth.go
- S4144: extract shared toggleLike() in interaction.go
- S8239: use available ctx param instead of context.Background() in chat.go

…sues
- S7764: prefer globalThis over window across composables and PearlShell
- S7767: use Math.trunc instead of bitwise |0 in random.ts, BarPage, PearlShell
- S7748: remove zero fractions in seagulls.ts, reflections.ts, PearlShell
- S3863: merge duplicate imports in App.vue, ChatPanel.vue
- S3358: replace nested ternaries with if/else in CarPage, SpritesLayer, useParallax
- S7773: use Number.parseFloat/Number.isNaN in spriteOffset.ts
- S7746: prefer throw over Promise.reject in apiClient.ts
- S7786: use TypeError for type checks in auth.ts
- S4325: remove unnecessary type assertions in useTutorial, apiClient
- S7769: use Math.hypot in PearlShell
- S7762: use childNode.remove() in PearlShell
- S6759: mark props readonly in PearlShell
- S7778: combine multiple push calls in CarPage
- S7758: use codePointAt over charCodeAt in BarPage
- S3735: remove void operator in NavBar
- S7735: flip negated condition in useTutorial
- S7785: use top-level await in main.ts
- S2004/S3776: reduce nesting and complexity in PearlShell
- css:S7924: improve text contrast across 8+ overlay components
- Web:ImgWithoutAltCheck: add alt attributes to images
- Web:S6851: remove redundant alt words in CarPage
- Web:S6853: add form label accessibility in CarPage

- CORS: disable credentials when origins is wildcard (#1)
- Token blacklist: evict expired entries before dropping new tokens (#3)
- Static files: add security headers, block dangerous file types (#5)
- HSTS: add Strict-Transport-Security header (#6)
- HTML sanitization: escape user content in community service (#10)
- Security logging: log auth failures, admin ops, JWT errors (#12)
- Guest sessions: HMAC-sign session IDs to prevent spoofing (#15)
- AI credentials: read from env vars instead of hardcoding (#16)
- Cache-Control: add no-store for API responses (#17)
- URL validation: reject non-HTTP(S) URLs in chat search (#19)
- Like endpoints: split POST/DELETE into idempotent AddLike/RemoveLike (PR #167)

- CSP: add Content-Security-Policy meta tag (#18)
- Source maps: disable in production builds (#13)
- Remove redundant X-Access-Token headers from auth API calls
- PRNG: restore int32 wraparound with `| 0` instead of Math.trunc (PR #167)
- auth.ts: use Error instead of TypeError for API errors (PR #167)
- useParallax: use ReturnType<typeof setTimeout> for timer type (PR #167)
- apiClient: guard against undefined error.config (PR #167)

Replace hardcoded default password with crypto/rand generated random hex string. The AI service user never logs in interactively, so a random password on each startup is sufficient. Also add AI_USER_* env vars to .env.example.
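
The guest-session item in the commit list above (HMAC-sign session IDs to prevent spoofing) could look like the following in Go. This is an added example, not code from this pull request; the token layout `<id>.<hex tag>`, the names `SignGuestID`, `VerifyGuestID` and `ErrBadSession`, and the sample key and IDs are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrBadSession is returned for any malformed or mis-signed token (hypothetical name).
var ErrBadSession = errors.New("guest session: invalid format or signature")

// tag computes HMAC-SHA256 over the session ID with the server-side key.
func tag(key []byte, id string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return m.Sum(nil)
}

// SignGuestID returns "<id>.<hex tag>"; only the holder of key can produce the tag.
func SignGuestID(key []byte, id string) string {
	return id + "." + hex.EncodeToString(tag(key, id))
}

// VerifyGuestID returns the session ID only if the tag matches.
// hmac.Equal compares in constant time, so the check does not leak tag bytes.
func VerifyGuestID(key []byte, token string) (string, error) {
	i := strings.LastIndexByte(token, '.')
	if i <= 0 { // no separator, or empty ID
		return "", ErrBadSession
	}
	got, err := hex.DecodeString(token[i+1:])
	if err != nil || !hmac.Equal(got, tag(key, token[:i])) {
		return "", ErrBadSession
	}
	return token[:i], nil
}

func main() {
	// Constructed demo key; a real key comes from crypto/rand or a secret store.
	key := []byte("constructed-demo-key-do-not-reuse")
	tok := SignGuestID(key, "guest-7f3a")
	fmt.Println(VerifyGuestID(key, tok))
	// Same tag attached to a different ID must be rejected.
	fmt.Println(VerifyGuestID(key, "guest-0001"+tok[strings.LastIndexByte(tok, '.'):]))
}
```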



Related Issue
Summary
Change Type
Self-Check Checklist
Backend (Go):
- `go build ./...` passes
- `go vet ./...` passes
- `gofmt` produces no diff

Frontend (Vue):
- `npm run lint` passes
- `npm run typecheck` passes

General:
Test Steps