mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-17 11:42:40 -06:00
33eaef826c
Self-review follow-ups, kept as a separate commit so the review trail is honest. - Spec drift: POST /widgets/preview was documented scope 'read' but the method-based tokenScopeGate enforces 'write' for any POST, so a read-token integrator following the published docs would hit a surprise 403. The code is right; fix the SPEC to match it. - Guard it forever: test/openapi-contract.test.js cross-checks every spec operation's x-required-scope against the enforcement rule, and that every documented path is a public (token-reachable) router - both derived from the same config/api-surface.js. Adds js-yaml (devDep) to parse the spec. Spec/enforcement drift now fails CI. - Vendored Redoc: add frontend/vendor/README.md (library, version 2.3.9, source, update steps) and drop the dangling //# sourceMappingURL line so /docs doesn't 404 in devtools. Remaining (non-security) test-coverage gaps tracked in #92. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
843 B
843 B
Vendored front-end libraries
Third-party libraries committed directly to the repo (not fetched from a CDN or built from npm) so self-hosted / air-gapped instances work with no external dependency and no build step.
redoc.standalone.js
- Library: Redoc — renders the OpenAPI reference served at
/docs. - Version: 2.3.9
- Source: https://cdn.redoc.ly/redoc/v2.3.9/bundles/redoc.standalone.js
- Why committed: the API reference must render on offline instances — no CDN, no build step.
- Regenerate / update:
curl -sL https://cdn.redoc.ly/redoc/v2.3.9/bundles/redoc.standalone.js \ -o frontend/vendor/redoc.standalone.js # drop the trailing sourcemap comment (the .map is intentionally not vendored) sed -i '/sourceMappingURL=redoc.standalone.js.map/d' frontend/vendor/redoc.standalone.js