docs: enterprise refactor plan with ralph specs

2026-03-04 16:17:03 -05:00
parent 4c92712d20
commit f8191133c8
204 changed files with 32722 additions and 422 deletions
--- a/.ralph/specs/legacy/api-security.md
+++ b/.ralph/specs/legacy/api-security.md
@@ -0,0 +1,59 @@
+# ABE — API Security Specification
+
+## Authentication: API Key
+
+All API endpoints require an API key passed in the header:
+`X-ABE-API-Key: <key>`
+
+If missing or invalid → 401 Unauthorized.
+
+## Configuration
+
+API key is set via environment variable: `ABE_API_KEY`
+If not set, server logs a warning and runs without auth (dev mode only).
+
+## Implementation
+
+Create `src/server/middleware/auth.ts`:
+```typescript
+export function apiKeyAuth(req, res, next) {
+  const apiKey = process.env.ABE_API_KEY;
+  if (!apiKey) return next(); // dev mode: no auth
+  const provided = req.headers['x-abe-api-key'];
+  if (!provided || provided !== apiKey) {
+    return res.status(401).json({ error: 'Invalid or missing API key' });
+  }
+  next();
+}
+```
+
+Apply this middleware to ALL routes EXCEPT:
+- GET /health
+- GET /ready
+
+## CORS
+
+Only allow requests from the frontend origin.
+Configure via environment variable: `ABE_CORS_ORIGIN` (default: `http://localhost:5173`)
+
+## Rate Limiting
+
+Add `express-rate-limit`:
+- Max 20 POST /api/sessions per hour per IP
+- Max 200 requests per minute per IP for other endpoints
+
+## Environment Variables (full list for .env)
+```
+ABE_API_KEY=change-me-in-production
+ABE_CORS_ORIGIN=http://localhost:5173
+ABE_PORT=3001
+ABE_DB_PATH=./data/abe.db
+ABE_REPORTS_DIR=./reports
+ABE_LOGS_DIR=./logs
+NODE_ENV=production
+```
+
+## docker-compose update
+
+Add .env file support and environment variables to docker-compose.yml.
+Add a volumes entry for `data/` directory for SQLite persistence.