fix: harden security and fix small bugs

Author: FrkAk

.dockerignore

@@ -0,0 +1,14 @@
+.git
+.env
+.env.*
+!.env.example
+node_modules
+.next
+data
+data-archive
+db
+research
+obelisk_backup
+.claude
+.github
+.mypy_cache

.env.example

@@ -1,11 +1,10 @@
 # Obelisk — copy to .env and fill in your values.
-# Required: NEXT_PUBLIC_MAPBOX_TOKEN. Everything else has dev defaults.
+# Required: NEXT_PUBLIC_MAPBOX_TOKEN, MAPBOX_SERVER_TOKEN. Everything else has dev defaults.
 
 # ─── Mapbox ───
 NEXT_PUBLIC_MAPBOX_TOKEN=pk.your_token_here
 
-# Server-side Mapbox token (optional — restricts geocoding to a scoped secret token)
-# If not set, falls back to NEXT_PUBLIC_MAPBOX_TOKEN
+# Server-side Mapbox token (optional — falls back to NEXT_PUBLIC_MAPBOX_TOKEN)
 # MAPBOX_SERVER_TOKEN=sk.your_server_token_here
 
 # Custom Mapbox styles (optional — defaults to Mapbox streets/dark if not set)
@@ -31,6 +30,17 @@ POSTGRES_PASSWORD=obelisk_dev
 # ─── Search ───
 TYPESENSE_API_KEY=obelisk_typesense_dev
 
+# ─── Proxy ───
+# Set to "cloudflare", "nginx", or "proxy" if behind a reverse proxy.
+# Controls which forwarded headers are trusted for rate limiting.
+# TRUST_PROXY=
+
+# ─── Distributed Enrichment ───
+# Shared secret for coordinator <-> worker auth (auto-generated if not set)
+# COORDINATOR_SECRET=
+# Coordinator bind address (default 127.0.0.1 — set to 0.0.0.0 for LAN access)
+# COORDINATOR_HOST=127.0.0.1
+
 # ─── Seeding ───
 # Radius in meters from city center (-1 = all POIs in PBF extract)
 SEED_RADIUS=-1

.github/workflows/dependabot-lockfile.yml

@@ -13,22 +13,26 @@ jobs:
     if: github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
+      # Checkout base branch (NOT the PR head) to avoid executing untrusted code
       - uses: actions/checkout@v6
-        with:
-          ref: ${{ github.head_ref }}
       - uses: oven-sh/setup-bun@v2
+      - name: Fetch PR package.json
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api "repos/${{ github.repository }}/contents/package.json?ref=${{ github.event.pull_request.head.sha }}" \
+            --jq '.content' | base64 -d > package.json
       - run: bun install
       - name: Commit updated lockfile
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO: ${{ github.repository }}
-          BRANCH: ${{ github.head_ref }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           if git diff --quiet bun.lock; then
             echo "bun.lock unchanged, skipping"
             exit 0
           fi
-          HEAD_SHA=$(gh api "repos/${REPO}/git/refs/heads/${BRANCH}" --jq '.object.sha')
           BASE_TREE=$(gh api "repos/${REPO}/git/commits/${HEAD_SHA}" --jq '.tree.sha')
           BLOB=$(base64 -w0 bun.lock | jq -Rs '{"content": ., "encoding": "base64"}' | \
             gh api "repos/${REPO}/git/blobs" --input - --jq '.sha')
@@ -38,4 +42,4 @@ jobs:
           COMMIT=$(jq -n --arg t "$TREE" --arg p "$HEAD_SHA" --arg m "chore: update bun.lock" \
             '{message: $m, tree: $t, parents: [$p]}' | \
             gh api "repos/${REPO}/git/commits" --input - --jq '.sha')
-          gh api "repos/${REPO}/git/refs/heads/${BRANCH}" -X PATCH -f sha="$COMMIT"
+          gh api "repos/${REPO}/git/refs/heads/${{ github.head_ref }}" -X PATCH -f sha="$COMMIT"

.gitignore

@@ -29,8 +29,8 @@ yarn-error.log*
 .pnpm-debug.log*
 
 # env files
-.env
-.env.local
+.env*
+!.env.example
 
 # vercel
 .vercel
@@ -57,9 +57,6 @@ drizzle/*.sql
 # Removed services (Docker-owned leftovers)
 /searxng/
 
-# Env
-!.env.example
-
 # Backup (internal docs, not for public repo)
 /obelisk_backup/
 

Dockerfile

@@ -9,3 +9,4 @@ COPY . .
 RUN mkdir -p .next data
 
 EXPOSE 3000
+CMD ["bun", "run", "dev"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help setup setup-quick finish-setup run run-local stop logs rebuild destroy download-pbf download-datasets build-taxonomy build-brands seed-regions seed-cuisines seed-tags seed-pois seed-all seed-city enrich-taxonomy-only enrich-pois enrich-distributed enrich-worker fetch-wikipedia fetch-websites fetch-mapillary sync-search generate-embeddings search-setup db-dump db-restore
+.PHONY: help setup setup-quick finish-setup run stop logs rebuild destroy download-pbf download-datasets build-taxonomy build-brands seed-regions seed-cuisines seed-tags seed-pois seed-all seed-city enrich-taxonomy-only enrich-pois enrich-distributed enrich-worker fetch-wikipedia fetch-websites fetch-mapillary sync-search generate-embeddings search-setup db-dump db-restore
 CYAN := \033[36m
 GREEN := \033[32m
 YELLOW := \033[33m
@@ -33,8 +33,7 @@ help:
 	@printf "  $(CYAN)setup$(RESET)          First-time setup (seed + taxonomy + search). Resume: make setup FROM=6\n"
 	@printf "  $(CYAN)setup-quick$(RESET)    Quick setup from db/dump.sql (skip seed + enrich)\n"
 	@printf "  $(CYAN)finish-setup$(RESET)   Sync search index + generate embeddings\n"
-	@printf "  $(CYAN)run$(RESET)            Start on localhost:3000\n"
-	@printf "  $(CYAN)run-local$(RESET)      Start exposed to local network (same WiFi)\n"
+	@printf "  $(CYAN)run$(RESET)            Start on localhost:3000 (also accessible on local network)\n"
 
 	@printf "  $(CYAN)stop$(RESET)       Stop services (keeps data)\n"
 	@printf "  $(CYAN)logs$(RESET)       View database logs\n"
@@ -185,18 +184,9 @@ setup-quick:
 	@printf "$(GREEN)Quick setup complete!$(RESET) Run 'make run' to start\n"
 
 run:
-	@printf "$(GREEN)Starting Obelisk...$(RESET)\n"
-	@printf "\n"
-	@printf "$(GREEN)App starting at http://localhost:3000$(RESET)\n"
-	@printf "Press Ctrl+C to stop\n"
-	@printf "\n"
-	$(COMPOSE) up
-
-run-local:
-	@printf "$(GREEN)Starting Obelisk for local network...$(RESET)\n"
 	@LOCAL_IP=$$(hostname -I | awk '{print $$1}'); \
+	printf "$(GREEN)Starting Obelisk...$(RESET)\n"; \
 	printf "\n"; \
-	printf "$(GREEN)App starting:$(RESET)\n"; \
 	printf "  Local:   http://localhost:3000\n"; \
 	printf "  Network: http://$$LOCAL_IP:3000\n"; \
 	printf "\n"; \
@@ -280,7 +270,7 @@ enrich-distributed:
 	@printf "$(GREEN)Ollama healthy$(RESET)\n"
 	@printf "\n"
 	@LOCAL_IP=$$(hostname -I | awk '{print $$1}'); \
-	PG_PASS=$$(grep -oP 'POSTGRES_PASSWORD=\K.*' .env 2>/dev/null || echo 'obelisk_dev'); \
+	COORD_SECRET=$$(grep -oP 'COORDINATOR_SECRET=\K.*' .env 2>/dev/null || echo ''); \
 	printf "$(CYAN)[2/4]$(RESET) Printing worker instructions...\n"; \
 	printf "\n"; \
 	printf "═══════════════════════════════════════════════════\n"; \
@@ -297,15 +287,17 @@ enrich-distributed:
 	printf "  3. Pull the Ollama model:\n"; \
 	printf "     ollama pull $(OLLAMA_MODEL)\n"; \
 	printf "\n"; \
-	printf "  4. Start enrichment:\n"; \
-	printf "     DATABASE_URL=\"postgresql://obelisk:$$PG_PASS@$$LOCAL_IP:5432/obelisk\" \\\\\n"; \
+	printf "  4. Copy DATABASE_URL and COORDINATOR_SECRET from coordinator .env\n"; \
+	printf "     Then start enrichment:\n"; \
+	printf "     DATABASE_URL=\"<from coordinator .env>\" \\\\\n"; \
 	printf "     ENRICH_COORDINATOR_URL=\"http://$$LOCAL_IP:3939\" \\\\\n"; \
+	printf "     COORDINATOR_SECRET=\"<from coordinator .env>\" \\\\\n"; \
 	printf "     make enrich-worker\n"; \
 	printf "\n"; \
 	printf "  Monitor: curl http://$$LOCAL_IP:3939/status | jq\n"; \
 	printf "═══════════════════════════════════════════════════\n"; \
 	printf "\n"
-	@printf "$(CYAN)[3/5]$(RESET) Tuning Ollama for parallel inference...\n"
+	@printf "$(CYAN)[3/4]$(RESET) Tuning Ollama for parallel inference...\n"
 	@CURRENT=$$(curl -sf $(OLLAMA_URL)/api/ps 2>/dev/null | python3 -c "import sys,json; print(json.load(sys.stdin).get('models',[{}])[0].get('context_length',0))" 2>/dev/null || echo 0); \
 	VRAM_FREE=$$(nvidia-smi --query-gpu=memory.free --format=csv,noheader,nounits 2>/dev/null | head -1 || echo 0); \
 	NUM_PAR=$${OLLAMA_NUM_PARALLEL:-4}; \
@@ -321,12 +313,11 @@ enrich-distributed:
 		printf "  OLLAMA_NUM_PARALLEL=$$NUM_PAR ollama serve\n"; \
 	fi; \
 	printf "\n"
-	@printf "$(CYAN)[4/5]$(RESET) Starting coordinator...\n"
+	@printf "$(CYAN)[4/4]$(RESET) Starting coordinator + local worker...\n"
 	@$(COMPOSE) exec -d -T app bun scripts/enrich-coordinator.ts
 	@sleep 2
 	@printf "$(GREEN)Coordinator running on :3939$(RESET)\n"
 	@printf "\n"
-	@printf "$(CYAN)[5/5]$(RESET) Starting local enrichment worker...\n"
 	$(COMPOSE) exec -e ENRICH_COORDINATOR_URL=http://localhost:3939 -e ENRICH_CONCURRENCY=6 app bun scripts/enrich-pois.ts
 
 enrich-worker:

docker-compose.yml

@@ -28,7 +28,7 @@ services:
       POSTGRES_USER: ${POSTGRES_USER:-obelisk}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
     ports:
-      - "5432:5432"
+      - "127.0.0.1:5432:5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck:
@@ -40,7 +40,7 @@ services:
   typesense:
     image: typesense/typesense:30.1
     ports:
-      - "8108:8108"
+      - "127.0.0.1:8108:8108"
     volumes:
       - typesense_data:/data
     environment:

drizzle.config.ts

@@ -5,7 +5,12 @@ export default defineConfig({
   out: "./drizzle",
   dialect: "postgresql",
   dbCredentials: {
-    url: process.env.DATABASE_URL || "postgresql://obelisk:obelisk_dev@localhost:5432/obelisk",
+    url: (() => {
+      if (!process.env.DATABASE_URL) {
+        throw new Error("DATABASE_URL is required. Copy .env.example to .env and configure it.");
+      }
+      return process.env.DATABASE_URL;
+    })(),
   },
   tablesFilter: [
     "regions",

next.config.ts

@@ -1,40 +1,59 @@
 import type { NextConfig } from "next";
+import { networkInterfaces } from "os";
+
+const isProd = process.env.NODE_ENV === "production";
+
+/**
+ * Collects non-loopback IPv4 addresses from all network interfaces
+ * so Next.js allows dev access from the local network.
+ *
+ * @returns Array of local IPv4 address strings.
+ */
+function getLocalIps(): string[] {
+  const ips: string[] = [];
+  for (const addrs of Object.values(networkInterfaces())) {
+    if (!addrs) continue;
+    for (const addr of addrs) {
+      if (addr.family === "IPv4" && !addr.internal) ips.push(addr.address);
+    }
+  }
+  return ips;
+}
+
+const securityHeaders = [
+  { key: "X-Content-Type-Options", value: "nosniff" },
+  { key: "X-Frame-Options", value: "DENY" },
+  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
+  { key: "X-DNS-Prefetch-Control", value: "on" },
+  {
+    key: "Permissions-Policy",
+    value: "camera=(), microphone=(), geolocation=(self)",
+  },
+  {
+    key: "Content-Security-Policy",
+    value: [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+      "font-src 'self' https://fonts.gstatic.com",
+      "img-src 'self' data: blob: https://*.mapbox.com https://*.mapillary.com https://*.fbcdn.net https://*.wikipedia.org https://*.wikimedia.org",
+      "connect-src 'self' https://*.mapbox.com https://*.mapillary.com https://*.fbcdn.net https://nominatim.openstreetmap.org",
+      "worker-src 'self' blob:",
+      "frame-src 'none'",
+    ].join("; "),
+  },
+];
 
 const nextConfig: NextConfig = {
+  allowedDevOrigins: isProd ? [] : getLocalIps(),
   experimental: {
     serverActions: {
       bodySizeLimit: "2mb",
     },
   },
   async headers() {
-    return [
-      {
-        source: "/(.*)",
-        headers: [
-          { key: "X-Content-Type-Options", value: "nosniff" },
-          { key: "X-Frame-Options", value: "DENY" },
-          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
-          { key: "X-DNS-Prefetch-Control", value: "on" },
-          {
-            key: "Permissions-Policy",
-            value: "camera=(), microphone=(), geolocation=(self)",
-          },
-          {
-            key: "Content-Security-Policy",
-            value: [
-              "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
-              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
-              "font-src 'self' https://fonts.gstatic.com",
-              "img-src 'self' data: blob: https://*.mapbox.com https://*.mapillary.com https://*.fbcdn.net https://*.wikipedia.org https://*.wikimedia.org",
-              "connect-src 'self' https://*.mapbox.com https://*.mapillary.com https://*.fbcdn.net https://nominatim.openstreetmap.org",
-              "worker-src 'self' blob:",
-              "frame-src 'none'",
-            ].join("; "),
-          },
-        ],
-      },
-    ];
+    if (!isProd) return [];
+    return [{ source: "/(.*)", headers: securityHeaders }];
   },
 };
 

scripts/enrich-coordinator.ts

@@ -6,11 +6,24 @@ import { createLogger } from "../src/lib/logger";
 const log = createLogger("enrich-coordinator");
 
 const PORT = parseInt(process.env.COORDINATOR_PORT || "3939", 10);
+const HOST = process.env.COORDINATOR_HOST || "127.0.0.1";
+const COORDINATOR_SECRET = process.env.COORDINATOR_SECRET || crypto.randomUUID();
 const BATCH_SIZE = parseInt(process.env.ENRICH_BATCH_SIZE || "10", 10);
 const BATCH_TIMEOUT_MS = 5 * 60 * 1000;
 const RECOVERY_INTERVAL_MS = 60 * 1000;
 const FORCE = process.argv.includes("--force");
 
+/**
+ * Validates the Authorization header against the coordinator secret.
+ *
+ * @param req - Incoming request.
+ * @returns True if the request is authorized.
+ */
+function checkAuth(req: Request): boolean {
+  const auth = req.headers.get("authorization");
+  return auth === `Bearer ${COORDINATOR_SECRET}`;
+}
+
 interface BatchInfo {
   poiIds: string[];
   workerId: string;
@@ -178,12 +191,17 @@ async function main(): Promise<void> {
   }
 
   Bun.serve({
+    hostname: HOST,
     port: PORT,
     async fetch(req: Request): Promise<Response> {
       const url = new URL(req.url);
       const path = url.pathname;
       const method = req.method;
 
+      if (path !== "/status" && !checkAuth(req)) {
+        return Response.json({ error: "unauthorized" }, { status: 401 });
+      }
+
       if (method === "POST" && path === "/register") {
         const body = await req.json() as { name?: string };
         const workerId = `w${nextWorkerId++}`;
@@ -245,7 +263,12 @@ async function main(): Promise<void> {
     },
   });
 
-  log.info(`Coordinator listening on http://0.0.0.0:${PORT}`);
+  log.info(`Coordinator listening on http://${HOST}:${PORT}`);
+  if (!process.env.COORDINATOR_SECRET) {
+    log.info(`Auto-generated coordinator secret: ${COORDINATOR_SECRET}`);
+  } else {
+    log.info("Using COORDINATOR_SECRET from environment");
+  }
 
   setInterval(recoverTimedOutBatches, RECOVERY_INTERVAL_MS);