小鱼开发
95e55293c6
后端安全: - DEBUG 默认 True → False - 彻底移除 AUTH_BYPASS 认证绕过 - 验证码不再明文打印到日志 - 上传接口增加大小限制(500MB/20MB/100MB)与魔数校验 - python-jose → PyJWT, 更新 requirements.lock/uv.lock - Bandit 恢复关键规则(B104/B301/B305/B314/B324/B603/B607) - 修复 5 处 try_except_pass, 15 处加 nosec 注释 - 启用 Bandit pre-commit 钩子 前端安全: - 配置完整 CSP 策略 - 收紧 Capabilities(fs:allow-read-file → $RESOURCE/**) - 移除硬编码 devToken - 清理前端 TODO(美家卡智影命名统一) 部署修复: - docker-compose.prod 增加 alembic 迁移步骤 - api + scheduler 增加 Redis 心跳健康检查 - Nginx 添加安全响应头 - Nginx client_max_body_size 100M → 500M - .env.example 补充 UPLOAD_MAX_* 配置与安全注释 其他: - /voice/upload 合并到 /upload/audio - Rust 上传增加文件大小检查 - 清理 Rust 19 处 println! + 前端 21 处 console.info - 修复 VideoCompose.tsx toast 未导入(已有bug)
44 lines
1.1 KiB
YAML
44 lines
1.1 KiB
YAML
# 美家卡智影 - Git 钩子配置
|
|
# 安装: pre-commit install
|
|
# 手动运行: pre-commit run --all-files
|
|
|
|
repos:
|
|
# 代码格式化
|
|
- repo: https://github.com/psf/black
|
|
rev: 24.10.0
|
|
hooks:
|
|
- id: black
|
|
language_version: python3.13
|
|
|
|
# 代码检查
|
|
- repo: https://github.com/astral-sh/ruff-pre-commit
|
|
rev: v0.8.0
|
|
hooks:
|
|
- id: ruff
|
|
args: [--fix]
|
|
|
|
# 类型检查(暂时禁用:326 个历史遗留类型错误待修复)
|
|
# - repo: https://github.com/pre-commit/mirrors-mypy
|
|
# rev: v1.14.0
|
|
# hooks:
|
|
# - id: mypy
|
|
# additional_dependencies: [types-PyYAML]
|
|
|
|
# 安全扫描
|
|
- repo: https://github.com/PyCQA/bandit
|
|
rev: 1.8.0
|
|
hooks:
|
|
- id: bandit
|
|
args: ["-c", "pyproject.toml"]
|
|
additional_dependencies: ["bandit[toml]"]
|
|
|
|
# 依赖锁定文件同步检查
|
|
- repo: local
|
|
hooks:
|
|
- id: uv-lock-check
|
|
name: Check uv lock file is up-to-date
|
|
entry: bash -c 'uv pip compile pyproject.toml -o requirements.lock --locked'
|
|
language: system
|
|
files: ^(pyproject\.toml|requirements\.lock)$
|
|
pass_filenames: false
|