refactor: updating for release, minor clean up

.cursor/rules/coding-principles.mdc

@@ -0,0 +1,22 @@
+---
+description: Follow DRY and SOLID programming principles in all code changes
+alwaysApply: true
+---
+
+# Coding Principles
+
+Follow DRY and SOLID principles in all code changes.
+
+## DRY — Don't Repeat Yourself
+
+- Extract repeated logic into shared functions or utilities.
+- If you copy-paste code, stop and refactor it into a single reusable piece.
+- Constants and config values belong in one place, not scattered across files.
+
+## SOLID
+
+- **Single Responsibility**: Each module, class, or function does one thing. If a function is growing large, split it.
+- **Open/Closed**: Extend behavior through new code (new functions, subclasses, config) rather than modifying existing working code.
+- **Liskov Substitution**: Subtypes must be usable wherever their parent type is expected without breaking behavior.
+- **Interface Segregation**: Don't force callers to depend on methods they don't use. Keep interfaces small and focused.
+- **Dependency Inversion**: Depend on abstractions, not concrete implementations. Pass dependencies in rather than hard-coding them.

.cursor/rules/verify-before-done.mdc

@@ -0,0 +1,23 @@
+---
+description: Require CI-equivalent checks to pass before marking work as completed
+alwaysApply: true
+---
+
+# Verify Before Done
+
+Before declaring any task complete, run the relevant CI checks locally and confirm they pass.
+
+## CI checks (from `.github/workflows/ci.yml`)
+
+| Check | Command | When to run |
+|-------|---------|-------------|
+| Python lint | `ruff check api/` | After editing any `api/**/*.py` file |
+| Backend tests | `cd api && pytest` | After editing any `api/**/*.py` file |
+| TypeScript type check | `cd app && npx tsc --noEmit` | After editing any `app/**/*.{ts,tsx}` file |
+| Frontend tests | `cd app && npm run test` | After editing any `app/**/*.{ts,tsx}` file |
+
+## Rules
+
+- Run **all** checks that apply to the files you changed — not just one.
+- If a check fails, fix the issue before marking the task complete.
+- Do not skip checks to save time. A failing CI pipeline is worse than a slow response.

.github/workflows/ci.yml

@@ -48,6 +48,10 @@ jobs:
         run: |
           pip install -r api/requirements.txt
           pip install -r api/requirements-dev.txt
+      - name: Audit Python dependencies
+        run: pip install pip-audit && pip-audit -r api/requirements.txt
+      - name: Audit Python dependencies
+        run: pip install pip-audit && pip-audit -r api/requirements.txt
       - name: Run tests with coverage
         run: cd api && pytest --cov=. --cov-report=xml --cov-report=term-missing
         env:
@@ -72,6 +76,8 @@ jobs:
           cache-dependency-path: app/package-lock.json
       - name: Install dependencies
         run: cd app && npm ci
+      - name: Audit npm dependencies
+        run: cd app && npm audit --omit=dev
       - name: Run tests
         run: cd app && npm run test
 

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in PrintQue, **please do not open a public GitHub issue.**
+
+Instead, report it privately through our Discord server so we can address it before it becomes public:
+
+**Discord:** https://discord.gg/sm3FyFht
+
+When reporting, please include:
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- The potential impact
+
+We will acknowledge your report within 48 hours and work with you on a fix.

api/app.py

@@ -79,8 +79,7 @@
 allowed_origins = [
     "http://localhost:3000", "http://127.0.0.1:3000",
     "http://localhost:5173", "http://127.0.0.1:5173",
-    "http://localhost:5000", "http://127.0.0.1:5000",  # Same-origin for packaged builds
-    "*"  # Allow all for packaged single-executable builds
+    "http://localhost:5000", "http://127.0.0.1:5000",
 ]
 
 CORS(app, resources={
@@ -94,7 +93,16 @@
     }
 })
 
-socketio = SocketIO(app, async_mode='eventlet', cors_allowed_origins="*")
+socketio = SocketIO(app, async_mode='eventlet', cors_allowed_origins=allowed_origins)
+
+
+@app.after_request
+def set_security_headers(response):
+    """Add security headers to every response."""
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+    return response
 
 # Initialize state
 initialize_state()

api/requirements.txt

@@ -25,7 +25,6 @@ paho-mqtt>=1.6.1
 
 # System utilities
 psutil>=5.9.5
-python-dotenv>=1.0.0
 
 # Security
 cryptography>=40.0.1

api/routes/__init__.py

@@ -8,7 +8,6 @@
 from .printers import register_printer_routes
 from .orders import register_order_routes
 from .system import register_misc_routes
-from .support import register_support_routes
 from .history import register_history_routes
 from .ejection_codes import register_ejection_codes_routes
 from services.state import (
@@ -28,7 +27,6 @@
     'register_printer_routes',
     'register_order_routes',
     'register_misc_routes',
-    'register_support_routes',
     'register_history_routes',
     'register_ejection_codes_routes',
 ]
@@ -37,7 +35,6 @@ def register_routes(app, socketio):
     register_printer_routes(app, socketio)
     register_order_routes(app, socketio)
     register_misc_routes(app, socketio)
-    register_support_routes(app, socketio)
     register_history_routes(app, socketio)
     register_ejection_codes_routes(app, socketio)