
OSS publish polish: server hardening, observability, client measurement fixes#2

Merged: anfocic merged 3 commits into master from chore/oss-publish-polish on May 9, 2026

Conversation

@anfocic (Owner) commented May 9, 2026

Summary

Pre-publish hardening pass across server, CI, and client. Branch is the consolidation of the OSS-readiness work tracked in TOMORROW.md.

Server

  • /collect input validation; ignore inert sqlx-mysql RUSTSEC advisory.
  • Rate limiting, scoped CORS, security headers, graceful shutdown.
  • Integration tests, CSP, request-id propagation.
  • Structured JSON logs + load-test harness.
  • Prometheus /metrics endpoint for production observability.

CI / docs

  • cargo audit job (with documented --ignore RUSTSEC-2023-0071 for the rsa transitive that never links).
  • SECURITY.md: contact endpoint abuse note, body caps, advisory rationale.
  • deploy/gen-dashboard-creds.sh to generate argon2id admin creds + session secret.

Client (measurement quality)

  • Same-path 500ms dedup window — collapses framework replaceState spam.
  • Skip initial pageview while document.prerendering; fire on prerenderingchange so speculation-rules prerender does not inflate counts for URLs the user never lands on.
  • Global singleton guard — warns and disables a second Analytics instance on the same page (duplicated snippet, SPA hot-reload).

Test plan

  • cd client && npm run build && npm test (49/49 passing)
  • CI: rust build + clippy + tests + cargo audit green
  • CI: client vitest green
  • Manual: load demo page twice in same tab — second new Analytics() warns and stays inert.
  • Manual: trigger SPA replaceState to same path twice within 500ms — only one pageview emitted.
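The three client-side measurement fixes listed above (same-path 500 ms dedup window, deferring the initial pageview while `document.prerendering` is true until `prerenderingchange`, and the global singleton guard), shown together as an added example written for this page; it is not the project's client code. The `Analytics` class shape, the injectable `doc`/`now`/`send`/`warn` hooks, the `__analyticsSingleton` global key and the fake documents are assumptions made so the logic runs under Node without a browser.

```javascript
// Added example, not the project's code. Demonstrates the three client fixes from
// the PR description: same-path dedup, prerender deferral, and a singleton guard.
const DEDUP_WINDOW_MS = 500;                 // window named in the PR
const SINGLETON_KEY = '__analyticsSingleton'; // assumed name of the global flag

class Analytics {
  // doc/now/send/warn are injectable (assumption) so the logic is testable offline.
  constructor({ doc = globalThis.document, now = () => Date.now(),
                send = () => {}, warn = console.warn } = {}) {
    this.doc = doc;
    this.now = now;
    this.send = send;
    this.warn = warn;
    this.lastPath = null;
    this.lastSentAt = -Infinity;
    this.disabled = false;

    // Singleton guard: a second instance on the same page (snippet pasted twice,
    // SPA hot-reload re-eval) warns and stays inert instead of double-counting.
    if (globalThis[SINGLETON_KEY]) {
      this.warn('Analytics: a second instance was created on this page; this one is disabled.');
      this.disabled = true;
      return;
    }
    globalThis[SINGLETON_KEY] = this;

    // Prerender deferral: while document.prerendering is true the user has not
    // landed on this URL, so emit the first pageview only on prerenderingchange.
    if (doc && doc.prerendering) {
      doc.addEventListener('prerenderingchange', () => this.pageview(), { once: true });
    } else {
      this.pageview();
    }
  }

  currentPath() {
    return this.doc && this.doc.location ? this.doc.location.pathname : '/';
  }

  // Returns true if a pageview was emitted, false if it was suppressed.
  pageview(path = this.currentPath()) {
    if (this.disabled) return false;
    const t = this.now();
    // Same-path dedup: collapse replaceState spam / rapid double-fires on one URL.
    if (path === this.lastPath && t - this.lastSentAt < DEDUP_WINDOW_MS) return false;
    this.lastPath = path;
    this.lastSentAt = t;
    this.send({ type: 'pageview', path, ts: t });
    return true;
  }
}

// Clears the global flag so independent scenarios can each start fresh.
function resetSingleton() { delete globalThis[SINGLETON_KEY]; }

// Runs three constructed scenarios against fake documents and a manual clock.
function runScenarios() {
  const results = {};

  // Scenario 1: two same-path pageviews 100 ms apart -> one event; a third 600 ms later -> sent.
  resetSingleton();
  let clock = 1000;
  let sent = [];
  const fakeDoc = { prerendering: false, location: { pathname: '/home' }, addEventListener() {} };
  const a = new Analytics({ doc: fakeDoc, now: () => clock, send: e => sent.push(e), warn: () => {} });
  clock += 100; a.pageview('/home'); // inside the window: suppressed
  clock += 600; a.pageview('/home'); // outside the window: emitted
  results.dedupCount = sent.length;  // initial pageview + one after the window = 2

  // Scenario 2: a second instance on the same page warns once and stays inert.
  const warnings = [];
  const b = new Analytics({ doc: fakeDoc, now: () => clock, send: e => sent.push(e), warn: m => warnings.push(m) });
  results.secondInstanceDisabled = b.disabled && warnings.length === 1 && b.pageview('/x') === false;

  // Scenario 3: a prerendering document defers the initial pageview until prerenderingchange.
  resetSingleton();
  sent = [];
  const listeners = {};
  const prerenderDoc = { prerendering: true, location: { pathname: '/pre' },
                         addEventListener(name, fn) { listeners[name] = fn; } };
  new Analytics({ doc: prerenderDoc, now: () => clock, send: e => sent.push(e), warn: () => {} });
  results.sentBeforeActivation = sent.length; // 0: nothing emitted while prerendering
  prerenderDoc.prerendering = false;
  listeners.prerenderingchange();             // page activated
  results.sentAfterActivation = sent.length;  // 1

  resetSingleton();
  return results;
}

console.log(runScenarios());
```

The dedup key is the path plus a timestamp rather than a full URL, so a query-string change within the window on the same path is also collapsed; whether that is desirable depends on whether query parameters carry distinct pages in the deployment.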

anfocic added 3 commits May 9, 2026 15:28
- Same-path 500ms dedup window collapses framework replaceState spam
  and rapid double-fires on the same URL.
- Skip the initial pageview while document.prerendering is true; fire
  on prerenderingchange so speculation-rules prerender doesn't inflate
  views for URLs the user never lands on.
- Global singleton flag warns and disables a second Analytics instance
  on the same page (snippet pasted twice, SPA hot-reload re-eval).
@anfocic anfocic merged commit 94472ea into master May 9, 2026
4 checks passed
@anfocic anfocic deleted the chore/oss-publish-polish branch May 9, 2026 14:40

1 participant