chore: shorten verbose block comments across SaaS branch

This commit is contained in:
Anthony Stirling
2026-06-08 18:38:00 +01:00
parent 8b2baaf0a0
commit 1d5ce8a1d2
12 changed files with 24 additions and 159 deletions
+1 -6
View File
@@ -185,11 +185,7 @@ subprojects {
allowInsecureProtocol = true allowInsecureProtocol = true
} }
} }
// Maven Central first: it hosts the vast majority of artifacts, so Gradle // Maven Central first; mirrors below are fallbacks for niche artifacts.
// never has to consult the slower/less-reliable mirrors below for them.
// shibboleth + jboss remain as fallbacks for the few artifacts only they
// serve (Gradle falls through on a 404). Keeping them ahead of Central
// meant a jboss outage (503) aborted resolution of common deps.
mavenCentral() mavenCentral()
maven { url = "https://build.shibboleth.net/maven/releases" } maven { url = "https://build.shibboleth.net/maven/releases" }
maven { url = "https://repository.jboss.org/" } maven { url = "https://repository.jboss.org/" }
@@ -588,7 +584,6 @@ repositories {
allowInsecureProtocol = true allowInsecureProtocol = true
} }
} }
// Maven Central first (see note in the subprojects repositories block above).
mavenCentral() mavenCentral()
maven { url = "https://build.shibboleth.net/maven/releases" } maven { url = "https://build.shibboleth.net/maven/releases" }
} }
+2 -13
View File
@@ -1,14 +1,4 @@
# Stirling-PDF - Backend-only version (no embedded frontend) # Stirling-PDF backend-only image — JAR built with -PbuildWithFrontend=false, UI ships separately.
#
# Identical to docker/embedded/Dockerfile except the JAR is built with
# -PbuildWithFrontend=false, so the React UI is NOT baked in. The gradle build
# then swaps in the lightweight API landing page (see app/core/build.gradle
# copyApiLandingPage). Use this for the split frontend/backend deployments
# (e.g. SaaS) where the UI ships as its own image (docker/frontend/Dockerfile).
#
# Because no frontend is built, the Node.js + go-task tooling that the embedded
# image installs is intentionally omitted here — the only frontend gradle tasks
# (npmInstall / npmBuild) are gated on buildWithFrontend and stay disabled.
ARG BASE_VERSION=1.0.2 ARG BASE_VERSION=1.0.2
ARG BASE_IMAGE=stirlingtools/stirling-pdf-base:${BASE_VERSION} ARG BASE_IMAGE=stirlingtools/stirling-pdf-base:${BASE_VERSION}
@@ -89,8 +79,7 @@ RUN set -eux; \
chmod 750 /tmp/stirling-pdf/heap_dumps; \ chmod 750 /tmp/stirling-pdf/heap_dumps; \
fc-cache -f fc-cache -f
# Write version to a file so it is readable by scripts without env-var inheritance. # Version file for scripts (init-without-ocr.sh reads /etc/stirling_version).
# init-without-ocr.sh reads /etc/stirling_version for the AOT cache fingerprint.
RUN echo "${VERSION_TAG:-dev}" > /etc/stirling_version RUN echo "${VERSION_TAG:-dev}" > /etc/stirling_version
# Environment variables # Environment variables
+7 -37
View File
@@ -1,74 +1,44 @@
# check=skip=SecretsUsedInArgOrEnv # check=skip=SecretsUsedInArgOrEnv
# The only ARG the SecretsUsedInArgOrEnv rule flags here is the Supabase # Supabase publishable ARG is client-safe by design, not a real secret.
# PUBLISHABLE key — a client-safe value embedded in the bundle by design, not a
# secret. No real secrets are passed via ARG/ENV in this image.
# Frontend Dockerfile - React/Vite application # Stage 1: build
FROM node:25-alpine@sha256:e80397b81fa93888b5f855e8bef37d9b18d3c5eb38b8731fc23d6d878647340f AS build FROM node:25-alpine@sha256:e80397b81fa93888b5f855e8bef37d9b18d3c5eb38b8731fc23d6d878647340f AS build
WORKDIR /app WORKDIR /app
# Copy package files
COPY frontend/package.json frontend/package-lock.json ./ COPY frontend/package.json frontend/package-lock.json ./
# Install dependencies
RUN npm ci RUN npm ci
# Copy source code
COPY frontend . COPY frontend .
# Generate the material-symbols icon subset that LocalIcon.tsx imports at build # Generate material-symbols icon subset (normally done by task prepare:icons).
# time. Normally produced by `task frontend:build:<mode>` via its prepare:icons
# dependency; since this Dockerfile invokes vite directly, run it explicitly.
# Fully offline — reads the @iconify-json/material-symbols dev dependency.
RUN node editor/scripts/generate-icons.js RUN node editor/scripts/generate-icons.js
# ---- Build configuration (backward compatible) ---- # Defaults match prior behaviour. Supabase values are client-publishable build args.
# STIRLING_FLAVOR selects the editor tsconfig + source set (see
# frontend/editor/vite.config.ts). VITE_BUILD_MODE selects which .env.<mode>
# files vite loads and is passed to `vite build --mode`. The defaults below
# reproduce the previous behaviour exactly: proprietary flavor, production mode
# (vite's implicit default for `vite build`).
#
# VITE_SUPABASE_URL + VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY are CLIENT-SAFE
# publishable values, NOT secrets. They are intentionally empty here so the OSS
# repo ships no injected config; a downstream pipeline (e.g. SaaS) passes the
# target project's publishable values as build args. Note: .env* is excluded by
# .dockerignore, so these args are the only way Supabase config reaches the
# bundle in a Docker build. vite's loadEnv merges (and prioritises) VITE_-
# prefixed process env vars, so exporting them before `vite build` is enough.
ARG STIRLING_FLAVOR=proprietary ARG STIRLING_FLAVOR=proprietary
ARG VITE_BUILD_MODE=production ARG VITE_BUILD_MODE=production
ARG VITE_SUPABASE_URL="" ARG VITE_SUPABASE_URL=""
# pragma: allowlist secret — Supabase publishable key (safe for client) # pragma: allowlist secret
ARG VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY="" ARG VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY=""
# Build the application (vite root is editor/, output lands in editor/dist/). # Build vite from editor/, output lands in editor/dist/.
# Only export the Supabase overrides when provided so unset stays unset.
RUN set -eu; \ RUN set -eu; \
export STIRLING_FLAVOR="${STIRLING_FLAVOR}"; \ export STIRLING_FLAVOR="${STIRLING_FLAVOR}"; \
if [ -n "${VITE_SUPABASE_URL}" ]; then export VITE_SUPABASE_URL="${VITE_SUPABASE_URL}"; fi; \ if [ -n "${VITE_SUPABASE_URL}" ]; then export VITE_SUPABASE_URL="${VITE_SUPABASE_URL}"; fi; \
if [ -n "${VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY}" ]; then export VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY="${VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY}"; fi; \ if [ -n "${VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY}" ]; then export VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY="${VITE_SUPABASE_PUBLISHABLE_DEFAULT_KEY}"; fi; \
npx vite build editor --mode "${VITE_BUILD_MODE}" npx vite build editor --mode "${VITE_BUILD_MODE}"
# Production stage # Stage 2: nginx
FROM nginx:alpine@sha256:b0f7830b6bfaa1258f45d94c240ab668ced1b3651c8a222aefe6683447c7bf55 FROM nginx:alpine@sha256:b0f7830b6bfaa1258f45d94c240ab668ced1b3651c8a222aefe6683447c7bf55
# Copy built files from build stage
COPY --from=build /app/editor/dist /usr/share/nginx/html COPY --from=build /app/editor/dist /usr/share/nginx/html
# Copy nginx configuration and entrypoint
COPY docker/frontend/nginx.conf /etc/nginx/nginx.conf COPY docker/frontend/nginx.conf /etc/nginx/nginx.conf
COPY docker/frontend/entrypoint.sh /entrypoint.sh COPY docker/frontend/entrypoint.sh /entrypoint.sh
# Make entrypoint executable
RUN chmod +x /entrypoint.sh RUN chmod +x /entrypoint.sh
# Expose port 80 (standard HTTP port)
EXPOSE 80 EXPOSE 80
# Environment variables for flexibility
ENV VITE_API_BASE_URL=http://backend:8080 ENV VITE_API_BASE_URL=http://backend:8080
# Use custom entrypoint
ENTRYPOINT ["/entrypoint.sh"] ENTRYPOINT ["/entrypoint.sh"]
+1 -20
View File
@@ -10,23 +10,7 @@ RUN apt-get update \
&& rm /tmp/task.deb \ && rm /tmp/task.deb \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# The OSS repo's root Taskfile.yml expects engine tasks to run from ./engine/ # Source under /app/engine/ to match root Taskfile's `includes.engine.dir: engine`.
# (configured via `includes.engine.dir: engine`). The OSS-clone-build workflow
# copies the root Taskfile.yml + .taskfiles/ into the engine build context, then
# this Dockerfile copies them into the image. To match the Taskfile's expectations
# at runtime, engine source must live at /app/engine/ — not flattened to /app/ —
# so `task engine:run` can chdir there successfully and uv resolves
# scripts/setup_env.py to /app/engine/scripts/setup_env.py.
#
# Layout:
# /app/Taskfile.yml ← workflow-copied root Taskfile
# /app/.taskfiles/ ← workflow-copied .taskfiles
# /app/engine/pyproject.toml
# /app/engine/uv.lock
# /app/engine/.env
# /app/engine/scripts/ ← scripts/setup_env.py here
# /app/engine/src/ ← uvicorn entrypoint dir
# /app/engine/.venv/ ← uv-managed venv
WORKDIR /app/engine WORKDIR /app/engine
COPY pyproject.toml uv.lock .env ./ COPY pyproject.toml uv.lock .env ./
@@ -36,9 +20,6 @@ RUN --mount=type=cache,target=/root/.cache/uv \
COPY src/ ./src/ COPY src/ ./src/
# Task definitions live at /app/ — root Taskfile + included .taskfiles — because
# the root Taskfile's `includes.engine.dir: engine` is resolved relative to the
# Taskfile's own location, so it must sit one level above engine/.
WORKDIR /app WORKDIR /app
COPY Taskfile.yml ./ COPY Taskfile.yml ./
COPY .taskfiles/ ./.taskfiles/ COPY .taskfiles/ ./.taskfiles/
+1 -3
View File
@@ -8,7 +8,5 @@
# Userback feedback widget — leave blank to disable # Userback feedback widget — leave blank to disable
VITE_USERBACK_TOKEN= VITE_USERBACK_TOKEN=
# Development-only auth bypass — allows unauthenticated access on localhost in dev mode # Dev-only auth bypass for localhost. Subpath comes from RUN_SUBPATH (build-time).
# The URL subpath prefix is read from BASE_PATH at runtime, sourced from the
# top-level RUN_SUBPATH env var which Vite consumes at build time.
VITE_DEV_BYPASS_AUTH=false VITE_DEV_BYPASS_AUTH=false
+1 -4
View File
@@ -39,10 +39,7 @@ export const absoluteWithBasePath = (path: string): string => {
return `${window.location.origin}${BASE_PATH}${clean}`; return `${window.location.origin}${BASE_PATH}${clean}`;
}; };
/** /** Strip BASE_PATH prefix so route comparisons work under any subpath deploy. */
* Remove the BASE_PATH prefix from a pathname so comparisons against
* bare app routes ("/login", "/files", …) work under any subpath deploy.
*/
export const stripBasePath = (pathname: string): string => { export const stripBasePath = (pathname: string): string => {
if (!BASE_PATH) return pathname; if (!BASE_PATH) return pathname;
if (pathname === BASE_PATH) return "/"; if (pathname === BASE_PATH) return "/";
@@ -13,11 +13,7 @@ export function setupApiInterceptors(client: AxiosInstance): void {
); );
} }
/** /** Auth headers for raw fetch() calls — empty in core; proprietary/SaaS override. */
* Auth headers for raw fetch() calls (SSE streams, etc.).
* Proprietary overrides with stored JWT + XSRF; SaaS overrides with the live
* Supabase access token. Async because SaaS has to consult the auth client.
*/
export async function getAuthHeaders(): Promise<Record<string, string>> { export async function getAuthHeaders(): Promise<Record<string, string>> {
return {}; return {};
} }
@@ -1,53 +1,21 @@
import { NavKey } from "@app/components/shared/config/types"; import { NavKey } from "@app/components/shared/config/types";
import { stripBasePath, withBasePath } from "@app/constants/app"; import { stripBasePath, withBasePath } from "@app/constants/app";
/** /** Push the URL for a settings section and notify listeners. */
* Navigate to a specific settings section
*
* @param section - The settings section key to navigate to
*
* @example
* // Navigate to People section
* navigateToSettings('people');
*
* // Navigate to Admin Premium section
* navigateToSettings('adminPremium');
*/
export function navigateToSettings(section: NavKey) { export function navigateToSettings(section: NavKey) {
const newPath = withBasePath(`/settings/${section}`); const newPath = withBasePath(`/settings/${section}`);
window.history.pushState({}, "", newPath); window.history.pushState({}, "", newPath);
// Trigger a popstate event to notify components
window.dispatchEvent(new PopStateEvent("popstate")); window.dispatchEvent(new PopStateEvent("popstate"));
} }
/** /** URL for a settings section (subpath-aware). */
* Get the URL path for a settings section
* Useful for creating links
*
* @param section - The settings section key
* @returns The URL path for the settings section
*
* @example
* <a href={getSettingsUrl('people')}>Go to People Settings</a>
* // Returns: "/settings/people" (or "/bpp/settings/people" under subpath)
*/
export function getSettingsUrl(section: NavKey): string { export function getSettingsUrl(section: NavKey): string {
return withBasePath(`/settings/${section}`); return withBasePath(`/settings/${section}`);
} }
/** /** Whether the current URL is in /settings (optionally a specific section). */
* Check if currently viewing a settings section
*
* @param section - Optional section key to check for specific section
* @returns True if in settings (and matching specific section if provided)
*/
export function isInSettings(section?: NavKey): boolean { export function isInSettings(section?: NavKey): boolean {
const pathname = stripBasePath(window.location.pathname); const pathname = stripBasePath(window.location.pathname);
if (!section) return pathname.startsWith("/settings");
if (!section) {
return pathname.startsWith("/settings");
}
return pathname === `/settings/${section}`; return pathname === `/settings/${section}`;
} }
@@ -390,12 +390,7 @@ self.addEventListener(
let compDoc: PDFDocumentProxy | null = null; let compDoc: PDFDocumentProxy | null = null;
try { try {
// `CanvasFactory`/`FilterFactory` are supported at runtime but not declared on legacy types. // Resolve pdfjs CMap/standard-font URLs against the worker's origin + subpath.
// pdfjs-dist 5.x renamed the option to `CanvasFactory` (capital C); without a FilterFactory
// the default DOMFilterFactory crashes in a worker calling document.createElementNS.
// Resolve CMap/standard-font URLs against the worker's own origin. Vite copies these
// directories from pdfjs-dist at build time via viteStaticCopy (see vite.config.ts).
// import.meta.env.BASE_URL ends with a slash and includes any subpath prefix.
const assetsBase = new URL( const assetsBase = new URL(
`${import.meta.env.BASE_URL}pdfjs/`, `${import.meta.env.BASE_URL}pdfjs/`,
self.location.origin, self.location.origin,
@@ -100,10 +100,7 @@ async function refreshAuthToken(client: AxiosInstance): Promise<string> {
} }
} }
/** /** Auth headers for raw fetch() calls (SSE streams). Async to match SaaS override. */
* Auth headers for raw fetch() calls (SSE streams, etc.).
* Async to match the SaaS override, which has to await the Supabase session.
*/
export async function getAuthHeaders(): Promise<Record<string, string>> { export async function getAuthHeaders(): Promise<Record<string, string>> {
const headers: Record<string, string> = {}; const headers: Record<string, string> = {};
const jwt = getJwtTokenFromStorage(); const jwt = getJwtTokenFromStorage();
@@ -1,20 +1,7 @@
import type { AxiosInstance } from "axios"; import type { AxiosInstance } from "axios";
import { supabase } from "@app/auth/supabase"; import { supabase } from "@app/auth/supabase";
/** /** SaaS auth headers for raw fetch() calls — Supabase access token from current session. */
* SaaS auth headers for raw fetch() calls (e.g. AI chat streaming).
*
* Pulls the live Supabase access token. Required because the SaaS apiClient's
* axios interceptor attaches this header to every axios call, but raw fetch()
* calls bypass that path and end up with no Authorization header → backend
* returns 401. The chat streaming endpoint uses fetch() (not axios) because
* axios doesn't stream SSE responses well, so this override exists to give
* it the same bearer token the axios calls already get.
*
* supabase.auth.getSession() reads from in-memory cache when possible; only
* issues a network request if the session needs refreshing. Adds an Accept
* header so the backend negotiates JSON correctly.
*/
export async function getAuthHeaders(): Promise<Record<string, string>> { export async function getAuthHeaders(): Promise<Record<string, string>> {
const headers: Record<string, string> = {}; const headers: Record<string, string> = {};
try { try {
@@ -30,12 +17,5 @@ export async function getAuthHeaders(): Promise<Record<string, string>> {
return headers; return headers;
} }
/** /** No-op: SaaS apiClient wires its own interceptors (see saas/services/apiClient.ts). */
* SaaS apiClient wires up its own interceptors inline (see saas/services/apiClient.ts). export function setupApiInterceptors(_client: AxiosInstance): void {}
* This re-export exists so the cascade through @app/services/apiClientSetup
* remains consistent for callers that import setupApiInterceptors — currently
* none in SaaS mode, but keeps the shape uniform.
*/
export function setupApiInterceptors(_client: AxiosInstance): void {
// No-op: SaaS apiClient handles its own interceptors with the Supabase session.
}
+1 -2
View File
@@ -1,8 +1,7 @@
import { URL_TO_TOOL_MAP } from "@app/utils/urlMapping"; import { URL_TO_TOOL_MAP } from "@app/utils/urlMapping";
import { BASE_PATH } from "@app/constants/app"; import { BASE_PATH } from "@app/constants/app";
// BASE_PATH is "/bpp" or "" (no trailing slash). Strip the leading slash // "bpp" or "" — BASE_PATH without leading slash.
// to match the legacy SUBPATH shape used below ("bpp" or "").
const SUBPATH = BASE_PATH.replace(/^\//, ""); const SUBPATH = BASE_PATH.replace(/^\//, "");
/** /**