docs: refresh deployment and security guidance

2026-05-15 00:26:31 +02:00
parent 3fdbad7bdf
commit 23253c2277
2 changed files with 74 additions and 1950 deletions
@@ -9,23 +9,53 @@ Built for La Fabrik Durable's internal use, but open-sourced for anyone looking
 ## Stack
- [**Next.js 16** (App Router)](https://nextjs.org/docs/app/getting-started/installation) + [React 19](https://react.dev/learn/creating-a-react-app) + [TypeScript](https://www.typescriptlang.org/docs/)
+- [**Next.js 16.2.5** (App Router)](https://nextjs.org/docs/app/getting-started/installation) + [React 19](https://react.dev/learn/creating-a-react-app) + [TypeScript](https://www.typescriptlang.org/docs/)
 - [**Three.js**](https://threejs.org/docs/#manual/en/introduction/Creating-a-scene) ([React Three Fiber](https://r3f.docs.pmnd.rs/getting-started/introduction) + [Drei](https://drei.docs.pmnd.rs/getting-started/introduction)) for 3D preview
 - [**Tailwind CSS**](https://v3.tailwindcss.com/docs/installation) for styling
 - [**Octokit**](https://github.com/octokit/rest.js/#readme) for pushing via the GitHub API
 - [**Nextcloud WebDAV**](https://docs.nextcloud.com/server/latest/developer_manual/client_apis/WebDAV/index.html) for Drive archiving with automatic versioning
 - [**Sharp**](https://sharp.pixelplumbing.com/install/) for server-side texture compression
- [**Coolify** (Docker)](https://coolify.io/docs/applications/build-packs/dockerfile) for hosting
+- [**npm lockfile + Coolify** (Docker)](https://coolify.io/docs/applications/build-packs/dockerfile) for hosting
 ## Usage
 ### Development
 ```bash
 npm ci
 npm run dev
 ```
 The app runs on `http://localhost:3000` with hot reload. The upload API routes are available under `http://localhost:3000/api/upload/*`
 Use npm for this repo. `package-lock.json` is the source of truth for local installs and Coolify builds; no pnpm/yarn lockfile should be committed here.
 ### Dependency and security policy
 The project pins `next` to `16.2.5` to include the May 2026 WebSocket SSRF fix (`CVE-2026-44578` / `GHSA-c4j6-fc7j-m34r`). Do not loosen this back to `^16.2.4` or any range that can resolve below `16.2.5`.
 This repo also keeps install-time package scripts disabled by default through `.npmrc` and Docker:
 ```bash
 npm ci --ignore-scripts --no-audit --no-fund
 ```
 When a dependency update is needed, prefer a lockfile-only update in a clean environment with no `.env`, no GitHub token, and no cloud credentials:
 ```bash
 mkdir -p /tmp/npm-clean-home /tmp/npm-clean-cache
 env -i \
  HOME=/tmp/npm-clean-home \
  PATH="$PATH" \
  npm_config_userconfig=/tmp/npm-clean-home/.npmrc \
  npm_config_cache=/tmp/npm-clean-cache \
  npm_config_ignore_scripts=true \
  npm_config_audit=false \
  npm_config_fund=false \
  npm install <package>@<version> --package-lock-only --ignore-scripts --no-audit --no-fund --save-exact
 ```
 The May 2026 TanStack incident affected malicious package versions published to npm, not the npm CLI itself. This repo does not depend on `@tanstack/*`, but other projects should be checked for `@tanstack/setup`, `github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c`, `router_init.js`, `tanstack_runner.js`, and the fake unscoped package `tanstack@2.0.4` through `2.0.7`.
 ## How it works
 1. The user enters their access key
@@ -198,7 +228,7 @@ docker-entrypoint.sh       # Upload temp setup + Blender availability check
 ```bash
 git clone https://github.com/La-Fabrik-Durable/upload-GLTF.git
 cd upload-GLTF
-npm install
+npm ci
 ```
 ## Configuration
@@ -234,6 +264,16 @@ NEXTCLOUD_BASE_PATH=Models
 ### Production (Coolify / Docker)
 Coolify must build this repository with the included `Dockerfile`. The dependency stage copies `.npmrc` and runs `npm ci --ignore-scripts --no-audit --no-fund`, so the deployed dependency tree comes from `package-lock.json`.
 After a security patch:
 1. Push the commit to both remotes.
 2. In Coolify, trigger a rebuild with cache disabled when possible.
 3. Confirm the build logs show `npm ci --ignore-scripts --no-audit --no-fund`.
 4. Confirm the app starts and the upload flow still reaches staging, Drive, and Git.
 5. Rotate secrets in Coolify, then redeploy once more with the new values.
 ```bash
 docker build -t upload-gltf .
 docker run -p 3000:3000 \
@@ -247,6 +287,37 @@ docker run -p 3000:3000 \
 The Docker image runs the Next.js app, Blender Draco compression, and server-side asset preparation in a single container. The `docker-entrypoint.sh` script creates the upload temp directory and reports Blender availability before launching the app.
 ### Secret rotation
 Rotate secrets after patching if the previous deployment exposed a vulnerable Next.js version, if a suspicious dependency install happened on a machine with credentials, or if you cannot prove the install host was clean.
 Recommended order:
 1. Generate a new fine-grained `GITHUB_TOKEN` limited to the target model repository with `Contents: Read and write`.
 2. Generate a new long random `UPLOAD_SECRET_KEY`.
 3. Regenerate the Nextcloud public share token or password when possible.
 4. Update the variables in Coolify.
 5. Redeploy the patched image.
 6. Revoke the old GitHub token and old Nextcloud share credentials after the new deployment is healthy.
 Do not commit real `.env` files. `.dockerignore` excludes `.env` and `.env.*`, while keeping `.env.example` as documentation.
 ### Publishing to remotes
 This repo is mirrored to GitHub and Gitea:
 ```bash
 git remote -v
 git push origin main
 git push gitea main
 ```
 If your local git config has the `pushall` alias, it should be equivalent to:
 ```bash
 git push origin main && git push gitea main
 ```
 ## Supported Formats
 | Type | Extensions |