davidherran
3a94e7c003
Security (critical):
- SESSION_SECRET fail-fast: refuse to boot without a 32+ char secret
(src/lib/session.ts, src/app/actions/clientAuth.ts)
- Rate limit with pluggable backend: in-memory by default, auto-promotes
to Upstash Redis when REDIS_URL is set (src/lib/rateLimit.ts)
- CSRF (double-submit HMAC) + Zod validation on /api/consultation;
new /api/csrf endpoint mints tokens (src/lib/csrf.ts)
- escapeHtml + safeMailto helpers; consultation email template now
fully escapes user-controlled fields (src/lib/escapeHtml.ts)
- Magic-byte validation for /api/public-upload — rejects HTML/JS
payloads renamed to .png/.mp4 (src/lib/fileType.ts)
- Nginx: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
Permissions-Policy + 5r/m upload zone for /api/public-upload and
/api/assets (nginx/conf.d/flux.conf)
Quality:
- Delete GlobalOperations_old.tsx dead code (310 LOC)
- NavBar: replace 2s session polling with CustomEvent("flux:session-
changed") + visibilitychange listener (no more interval leaks)
- Type-safe CMS shapes via src/types/cms.ts (replaces any[] in
ApplicationsDashboard + GlobalOperations)
- /api/health now pings Postgres; docker-compose healthcheck added
- Structured JSON logger (src/lib/logger.ts) — drop-in replacement
for console.error across API routes
- Prisma indices on isActive/category/nodeType filters
FluxAI persistence + analytics:
- New models AiConversation + AiEvent with funnel stage detection
(DISCOVERY -> QUALIFY -> RECOMMEND -> HANDOFF) and OperationsSignal
back-ref so converted chats link to their consultation ticket
- /api/chat persists every user msg, ai msg, tool call, tool result;
IP is sha256-hashed with SESSION_SECRET salt; promptCacheKey wired
for when @ai-sdk/openai lands the feature
- New HQ dashboard at /hq-command/dashboard/conversations: 4 KPIs
(total, conversion rate, avg messages, avg tools), funnel + industry
breakdowns, last-50 table, per-id transcript with tool timeline
- SilentObserver sends sessionId/locale/pageUrl in transport body so
the route can stitch messages into the same conversation
- src/lib/aiSessionId.ts: localStorage UUID with sessionStorage +
in-memory fallbacks for privacy mode
- Golden tests via node --test (13 cases, no new deps);
npm run test:ai
Migration:
- prisma/migrations/20260526180000_add_indexes_and_ai_telemetry —
additive only, IF NOT EXISTS guards, safe for migrate deploy
env template hardened: SESSION_SECRET documented as required + how
to generate; REDIS_URL/REDIS_TOKEN documented as opt-in for multi-
instance deploys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
30 lines
1.4 KiB
Plaintext
30 lines
1.4 KiB
Plaintext
# Conexión local a SQLite
|
|
#DATABASE_URL="file:./dev.db"
|
|
|
|
# POSTGRES SQL CONEXION
|
|
#:xDATABASE_URL="postgresql://flux_user:STRONG_PASSWORD@postgres:5432/flux_db?schema=public"
|
|
DATABASE_URL="postgresql://flux_user:dev_password@localhost:5432/flux_db?schema=public"
|
|
|
|
# SESSION_SECRET (REQUIRED, min 32 chars).
|
|
# Used to sign 7-day admin JWTs in src/lib/session.ts and CSRF tokens in
|
|
# src/lib/csrf.ts. The app refuses to boot without it. Generate with:
|
|
# openssl rand -base64 48
|
|
SESSION_SECRET="CHANGE_ME_openssl_rand_base64_48_min_32_chars"
|
|
|
|
# Optional: multi-instance rate limiting via Upstash Redis REST API.
|
|
# Leave both unset to use the in-memory bucket store (fine for single VPS).
|
|
#REDIS_URL="https://xxx.upstash.io"
|
|
#REDIS_TOKEN="xxxxx"
|
|
|
|
# OPEN AI KEY
|
|
OPENAI_API_KEY=sk-proj-dsdsdsds-kaDAHhZXPYsK6-4uw0UWJZ0YuLnQfVoEA
|
|
|
|
NEXT_PUBLIC_APP_URL=http://localhost:3000 # En producción será https://www.rf-flux.com
|
|
|
|
#email Config
|
|
SMTP_HOST=smtp.gmail.com # (or smtp.office365.com, mail.fluxsrl.com, etc.)
|
|
SMTP_PORT=587 #(587 for TLS, 465 for SSL)
|
|
SMTP_USER=davidherran@dreamhousestudios.co
|
|
SMTP_PASS=syzybrtcidrkzehp #(Gmail: use App Password, not regular password)
|
|
SMTP_FROM=FLUX Operations <davidherran@dreamhousestudios.co>
|
|
SMTP_SECURE=false # (true for port 465, false for 587 with STARTTLS) |