Dev setup improvements #45

rlorenzo · 2025-07-26T03:29:14Z

Fixed missing folder error when creating certificate for the first time.
Created README.md and LICENSE files.
Created several useful scripts:
- linting for backend/frontend/staged files
- auto-fixing for backend/frontend/staged files
- single command to run project
Added pre-commit hook to run linting and auto-fixing on staged files.

- Enhanced ViteProxyHelpers with SSRF protection, URL validation, and path traversal prevention - Added comprehensive test coverage for proxy routing and security scenarios - Fixed pre-commit hook to handle removed files gracefully - Removed debug logging from production code

Copilot

Pull Request Overview

This PR implements comprehensive development setup improvements, enhancing the developer experience through streamlined workflows, automated code quality checks, and hot reload capabilities for both frontend and backend development.

Key Changes:

Fixed certificate generation by ensuring directory exists before creating SSL certificates
Added comprehensive scripts for linting, auto-fixing, and running both backend and frontend development servers
Implemented pre-commit hooks with dual-mode linting (strict for manual runs, non-blocking for commits except security issues)
Integrated SonarAnalyzer for enhanced C# code quality and security analysis

Reviewed Changes

Copilot reviewed 32 out of 35 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
web/dotnet-watch.json	Configures .NET hot reload with optimized file watching patterns
web/ViteProxyHelpers.cs	Adds comprehensive Vite development server proxy with security validations
web/Program.cs	Integrates Vite proxy middleware and updates CSP for development/production
VueApp/vite.config.ts	Fixes certificate directory creation and adds HMR configuration
scripts/*.js	Implements dual-mode linting scripts for C#, Vue.js, and HTML files
package.json	Adds project-level scripts for development workflow
.lintstagedrc.json	Configures pre-commit hook file processing
README.md	Provides comprehensive development setup and troubleshooting guide

Files not reviewed (1)

VueApp/package-lock.json: Language not supported

Comments suppressed due to low confidence (1)

web/ViteProxyHelpers.cs:227

This line appears to be in the wrong method context. The epochTime calculation seems to belong to authentication logic but is placed in the CreateProxyRequest method where it's not used.

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

web/ViteProxyHelpers.cs

VueApp/src/layouts/LeftNav.vue

scripts/lint-staged-vue.js

Copilot · 2025-08-15T07:49:36Z

web/Areas/RAPS/Services/UinformService.cs

@@ -270,7 +274,10 @@ private static string GetAuthSignature(HttpMethod method, string publicKey, int
            if (!string.IsNullOrEmpty(publicKey) && !string.IsNullOrEmpty(privateKey))
            {
                string toSign = method.Method.ToUpper() + ":" + epochTime.ToString() + ":" + publicKey;
+                // Legacy API requires HMACSHA1 - third-party system constraint


While the comment explains this is for legacy API compatibility, consider documenting a migration plan or timeline to move away from SHA1. HMACSHA1 is vulnerable to collision attacks.

Suggested change

// Legacy API requires HMACSHA1 - third-party system constraint

// WARNING: The use of HMACSHA1 is required for compatibility with the legacy uInform API.

// HMACSHA1 is considered cryptographically weak and is vulnerable to collision attacks.

// Migration Plan:

// - Monitor the uInform API for support of stronger algorithms (e.g., HMACSHA256).

// - When support is available, update this code to use HMACSHA256 or better.

// - Document and communicate with the API provider about the need for stronger security.

// TODO: Remove HMACSHA1 usage and migrate to a stronger algorithm as soon as the API allows.

@bsedwards Do you have more background on this service? I assume we cannot just change encryption type easily.

web/Areas/Directory/Services/VMACSService.cs

Add comprehensive security analysis tools and standardized linting workflows for the entire codebase including Vue.js frontend, C# backend, test, and build scripts. - Security: Added .globalconfig with security rules enforced as build-blocking errors - Security: Enhanced ESLint with security plugin and XSS protection for Vue components - Security: Added SonarQube integration for static analysis of C# code - Tests: Linting now includes --fix flag for automated code formatting

- Added Volta instructions to have developers use the same Node version as production - Updated npm packages with security issues

- Added Prettier for VS Code and Visual Studio - Updated EditorConfig settings - Added WCAG 2.1 AA compliance checks - Added `lint` npm script to scan any given file or directory for linting issues without having to stage files

* Put port definition overrides in a .env.local so multiple instances can run on different ports.

- Supports changing editor via .env.local. VS code is default, but Visual Studio is supported, however it does not support jumping to a specific line number in a file.

- Added debugging configurations for Chrome and .NET - Added recommended extensions for VS Code - Added `dev:fullstack` script that launches front-end and back-end services with Chrome in debugging mode

- Web interface: View captured emails at http://localhost:8025 during development - Automated management: npm run dev:backend and npm run dev:fullstack now start Mailpit automatically - Manual controls: Use npm run mailpit:start/stop/status for manual Mailpit management - Dependency cleanup: Removed unused 'watch' package

- Replace ESLint with Oxlint for JS/TS files (14.7x faster - 2.4s vs 35s) - Added Prettier to lint-stage workflow to automatically fix formatting - Added additional security rules in .globalconfig for .NET - Add build cache support to speed up .NET linting - Removed duplicate Sonar linting script

checking and improve error filtering - Set noEmit to true in TypeScript configs to prevent file generation - Add TypeScript error filtering to show only relevant file errors - Remove redundant LINT_BLOCK_ON_WARNINGS override in lint-any.js - Clean up Windows long path prefixes in Oxlint output display

…e and infrastructure improvements - Migrate ESLint to flat config with @typescript-eslint/parser integration - Upgrade TypeScript from 5.4 to 5.9 and fix compatibility issues across Vue components - Update major dependencies: VueUse 11.1→13.8, Pinia 2.1→3.0, Vite 6.3.4→6.3.5, vue-tsc 2.0→3.0 - Fix linting errors in CTS components (AssessmentBubble, AssessmentEpa, AssessmentList, etc.) - Enhance build scripts with structured logging, improved caching logic, and security warnings

web/Program.cs

…iming - Add build verification system that checks TypeScript and .NET compilation before commits - Fix browser launch to wait for backend build completion in dev:build mode - Resolve TypeScript errors in MyAssessmentCharts.vue with proper key fallbacks causing build issues - Apply DRY principles by using shared DEFAULT_ENV_VARS across scripts

…build errors - Fixed browser launch script - Removed cshtml from prettier - Fixed CodeQL error flagged in Program.cs

- Linting should already have been done prior and we should only block on build failures for merge commits

rlorenzo requested review from bsedwards and Copilot July 26, 2025 03:29