♻️ Rewrite server from TypeScript/Express to Go/Echo

- Replace Bun+Express stack with Go+Echo framework
- Add standard Go project layout (cmd/, pkg/)
- Add /health endpoint with version and runtime info
- Multi-stage Docker build (golang:1.24-alpine → alpine:3.21)
- Add Makefile for build, run, dev, docker, clean, lint
- Preserve all existing API endpoints and behavior

Author: rayshoo

.dockerignore

@@ -1,15 +1,11 @@
-# Include any files or directories that you don't want to be copied to your
-# container here (e.g., local build artifacts, temporary files, etc.).
-# For more help, visit the .dockerignore file reference guide at
-# https://docs.docker.com/go/build-context-dockerignore/
-
-node_modules
+bin/
 Dockerfile*
 docker-compose*
 .dockerignore
 .git
 .gitignore
+.github
+.claude
+.vscode
 README.md
 LICENSE
-.vscode
-.editorconfig

.github/copilot-instructions.md

@@ -2,26 +2,31 @@
 
 ## Overview
 
-- Purpose: Dockerized ALTCHA challenge/verify microservice using Bun + Express. Provides `/challenge` and `/verify` used by the ALTCHA widget. Optional demo UI.
-- Key libs: `altcha`, `altcha-lib`, `express@5`, `helmet`, `cors`, `dotenv`.
-- Entrypoint: `src/index.ts` → transpiled to `build/index.js`.
+- Purpose: Dockerized ALTCHA challenge/verify microservice using Go + Echo. Provides `/challenge` and `/verify` used by the ALTCHA widget. Optional demo UI.
+- Key libs: `github.com/altcha-org/altcha-lib-go`, `github.com/labstack/echo/v4`, `github.com/joho/godotenv`.
+- Entrypoint: `cmd/server/main.go`.
 
 ## Repo layout
 
-- `src/index.ts`: Express server with two roles:
-  - API (always): `/`, `/challenge`, `/verify` on `PORT` (default 3000)
-  - Demo (when `DEMO=true`): simple site on port 8080 (`src/demo/index.html`)
-- `Dockerfile`: multi-stage Bun build; copies `.env` and demo html into image; runs `bun start`.
-- `compose.yaml`: exposes 3000 (API) and 8080 (demo); sets `SECRET` (default is placeholder), `NODE_ENV=production`.
-- `package.json` scripts: `build` (tsc via Bun), `dev` (watch), `start` (run built server).
+- `cmd/server/main.go`: Entrypoint; loads .env, parses config, starts API and optional demo server.
+- `pkg/config/config.go`: Config struct and env-var parsing with defaults.
+- `pkg/handler/challenge.go`: `GET /challenge` handler.
+- `pkg/handler/verify.go`: `GET /verify` handler with in-memory record cache.
+- `pkg/handler/demo.go`: Demo page serving and proxy handlers.
+- `pkg/middleware/security.go`: CSP header middleware for demo server.
+- `pkg/server/server.go`: Echo server creation and route registration.
+- `web/demo/index.html`: Demo UI page.
+- `Dockerfile`: multi-stage Go build; copies `.env` and `web/` into image.
+- `compose.yaml`: exposes 3000 (API) and 8080 (demo); sets `SECRET` (default is placeholder).
+- `Makefile`: `build`, `run`, `dev`, `docker-build`, `docker-up`, `clean`, `lint`.
 
 ## Build & run
 
-- Local (Bun):
-  - PowerShell: `bun install; bun run build; bun start`
-  - Unix/macOS: `bun install && bun run build && bun start`
+- Local (Go):
+  - `make build && make run`
+  - Development: `make dev`
 - Docker Compose: `docker compose up --build`
-  - Override secret once:
+  - Override secret:
     - PowerShell: `$env:SECRET = "<long-random>"; docker compose up --build`
     - Unix: `SECRET="<long-random>" docker compose up --build`
 
@@ -30,24 +35,27 @@
 - `SECRET` (required): HMAC key for ALTCHA. Default `$ecret.key` is unsafe; code logs a warning if used.
 - `PORT`: API port (default 3000).
 - `EXPIREMINUTES`: challenge expiry minutes (default 10).
+- `MAXNUMBER`: max number for PoW difficulty (default 1000000).
 - `MAXRECORDS`: in-memory single-use token cache size (default 1000).
-- `DEMO`: when `true`, serve demo on 8080 with CSP via Helmet.
-- `.env` is loaded by `dotenv` at runtime; Dockerfile also copies `.env` into image.
+- `CORS_ORIGIN`: comma-separated allowed origins; defaults to `*` if unset.
+- `DEMO`: when `true`, serve demo on 8080 with CSP middleware.
+- `.env` is loaded by `godotenv` at runtime; Dockerfile also copies `.env` into image.
 
 ## API contracts (keep stable)
 
 - `GET /` → `204 No Content` (liveness).
-- `GET /challenge` → `200 OK` JSON from `altcha-lib#createChallenge({ hmacKey: SECRET, expires })`.
+- `GET /health` → `200 OK` JSON with status, version, go runtime.
+- `GET /challenge` → `200 OK` JSON from `altcha.CreateChallenge()`.
 - `GET /verify?altcha=<payload>` → `202 Accepted` on success, `417 Expectation Failed` on invalid or reused token.
 - Reuse prevention uses an in-memory `recordCache` (size = `MAXRECORDS`); cache clears on restart/scaling.
-- CORS is `*` for simplicity; demo sets strict CSP.
+- CORS defaults to `*`; configurable via `CORS_ORIGIN`. Demo uses strict CSP.
 
 ## Patterns & conventions
 
-- TypeScript strict mode; output in `build/` (`tsconfig.json` → `outDir`=`build`).
-- Express 5 style middleware; minimal error handling by design (status-only API).
+- Standard Go project layout: `cmd/`, `pkg/`.
+- Echo framework for HTTP; minimal error handling by design (status-only API).
 - Keep endpoints and status codes as-is to preserve client integrations and docs.
-- When adding env vars or endpoints, update `README.md` and `.env.example`.
+- When adding env vars or endpoints, update `README.md`, `.env.example`, and this file.
 
 ## CI/CD
 

.gitignore

@@ -1,4 +1,2 @@
-.yarn/sdks
-.yarn/unplugged
-build/
-node_modules/
+bin/
+.env

.vscode/extensions.json

@@ -1,28 +1,15 @@
-# syntax=docker/dockerfile:1
-
-FROM oven/bun:1 AS base
-
-WORKDIR /usr/src/app
-
-FROM base AS build
-
-RUN --mount=type=bind,source=package.json,target=package.json \
-    --mount=type=bind,source=bun.lock,target=bun.lock \
-    bun i --frozen-lockfile
-
+FROM golang:1.24-alpine AS build
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
 COPY . .
-RUN bun run build
-
-FROM base AS final
-
-ENV NODE_ENV=production
-USER bun
-COPY package.json .
-COPY .env .
-COPY src/demo/index.html ./build/demo/index.html
-COPY --from=build /usr/src/app/node_modules ./node_modules
-COPY --from=build /usr/src/app/build ./build
-
+ARG VERSION=dev
+RUN CGO_ENABLED=0 go build -ldflags "-X altcha/pkg/handler.Version=${VERSION}" -o /server ./cmd/server
+
+FROM alpine:3.21
+RUN apk add --no-cache ca-certificates
+COPY --from=build /server /server
+COPY .env .env
+COPY web/ web/
 EXPOSE 3000
-
-CMD ["bun", "start"]
+CMD ["/server"]

Dockerfile

@@ -0,0 +1,24 @@
+VERSION ?= dev
+
+.PHONY: build run dev docker-build docker-up clean lint
+
+build:
+	go build -ldflags "-X altcha/pkg/handler.Version=$(VERSION)" -o bin/server ./cmd/server
+
+run: build
+	./bin/server
+
+dev:
+	go run ./cmd/server
+
+docker-build:
+	docker compose build
+
+docker-up:
+	docker compose up --build
+
+clean:
+	rm -rf bin/
+
+lint:
+	golangci-lint run ./...