BrunoAFK · BrunoAFK · Apr 9, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 8, 2026
diff --git a/.env.example b/.env.example
@@ -1,3 +1,12 @@
+# ── Docker Compose ─────────────────────────────────────────
+# Ports exposed on the host (docker-compose.yml / docker-compose.remote.yml)
+# API_PORT=3000
+# WEB_PORT=8080
+
+# Override image registry/tag for docker-compose.remote.yml
+# REGISTRY=ghcr.io/brunoafk/recon-web
+# TAG=latest
+
 # ── Server ────────────────────────────────────────────────
 PORT=3000
 HOST=0.0.0.0
@@ -9,9 +18,20 @@ API_TIMEOUT_LIMIT=30000
 # CORS origin (use * for any, or specific domain)
 API_CORS_ORIGIN=*
 
+# Rate limit: max requests per IP per time window (default: 100 / 10 minutes)
+# RATE_LIMIT_MAX=100
+# RATE_LIMIT_WINDOW=10 minutes
+
 # Maximum concurrent handlers per scan (default: 8)
 # MAX_CONCURRENCY=8
 
+# Maximum concurrent scans server-wide (default: 3)
+# Extra scans queue and wait. Prevents memory exhaustion on small VMs.
+# MAX_CONCURRENT_SCANS=3
+
+# Enable Swagger API docs at /docs (default: false)
+# SWAGGER_ENABLED=true
+
 # Path to Chromium binary (auto-detected in Docker)
 # CHROME_PATH=/usr/bin/chromium
 
@@ -22,10 +42,9 @@ API_CORS_ORIGIN=*
 # SQLite database path (auto-created)
 # DB_PATH=./data/recon-web.db
 
-# ── Authentication ───────────────────────────────────────
-# Enable bearer token authentication for API endpoints
-# AUTH_ENABLED=true
-# AUTH_TOKEN=your-secret-token-here
+# ── Demo ───────────────────────────────────────────────────
+# URL for demo scan (shown on /demo page)
+# DEMO_SCAN_URL=https://example.com
 
 # ── Scheduled Scans ─────────────────────────────────────
 # Enable automated scheduled scanning

diff --git a/.gitignore b/.gitignore
@@ -40,6 +40,9 @@ Thumbs.db
 @internal/
 docs/superpowers/
 
+# Infrastructure
+infra/
+
 # SQLite databases
 *.db
 *.db-journal

diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,7 @@
+3ba15210b191e8a325df35f9256b5c5c9d89ac05:@internal/AUTH-SETUP.md:curl-auth-header:85
+3ba15210b191e8a325df35f9256b5c5c9d89ac05:@internal/AUTH-SETUP.md:curl-auth-header:384
+abf03987e2574d92614c2af2717e69908552fff0:packages/api/src/auth/auth.test.ts:generic-api-key:60
+abf03987e2574d92614c2af2717e69908552fff0:packages/api/src/auth/auth.test.ts:generic-api-key:159
+346dd51d2d32252ab1710b30cab1000fb77e7728:docs/src/content/docs/guides/rest-api.mdx:curl-auth-header:122
+7bd2fa7b6e03b148493382b5b2ba84ab95eb9420:docs/src/content/docs/guides/rest-api.mdx:curl-auth-header:122
+a8393590d20499515efeb13d2b5bcb0b80be1b7a:docs/superpowers/plans/2026-04-07-user-authentication.md:generic-api-key:3143
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1,3 @@
+if command -v gitleaks &>/dev/null; then
+  gitleaks git --pre-commit --staged
+fi
diff --git a/docker-compose.remote.yml b/docker-compose.remote.yml
@@ -39,6 +39,8 @@ services:
   cli:
     image: ${REGISTRY:-ghcr.io/brunoafk/recon-web}/cli:${TAG:-latest}
     env_file: .env
+    volumes:
+      - scan-data:/app/data
     profiles: ["cli"]
 
 volumes:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -36,6 +36,8 @@ services:
       context: .
       dockerfile: packages/cli/Dockerfile
     env_file: .env
+    volumes:
+      - scan-data:/app/data
     profiles: ["cli"]
 
 volumes:

diff --git a/docs/package-lock.json b/docs/package-lock.json