fix: add missing frontend/src/api/client.ts and unbreak Docker build

Dathan Vance Pattishall · claude · Dathan Vance Pattishall · commit 36372530a5d4 · 2026-04-07T15:38:57.000-07:00
The bare `api` rule in .gitignore was matching frontend/src/api/, causing
client.ts to be excluded from the repo. The Docker build failed because
AuthContext, Admin, AgentChat, Login, and Payment all import from ../api/client.

- Root-anchor the gitignore rules (/api, /bin) so only top-level dirs are excluded
- Commit frontend/src/api/client.ts so the frontend build has the file it needs
- Add .github/dependabot.yml, security.yml, and SECURITY.md

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,47 @@
+version: 2
+updates:
+  # Go modules
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "dathan"
+    labels:
+      - "dependencies"
+      - "go"
+
+  # npm (frontend)
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "dathan"
+    labels:
+      - "dependencies"
+      - "npm"
+
+  # Docker base images
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "dathan"
+    labels:
+      - "dependencies"
+      - "docker"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "dathan"
+    labels:
+      - "dependencies"
+      - "github-actions"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,104 @@
+name: Security
+
+on:
+  # Fires when a GitHub Security Advisory is published for this repo
+  # (includes privately reported vulnerabilities once triaged).
+  repository_vulnerability_alert:
+    types: [create]
+
+  # Fires when Dependabot opens or updates a PR.
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write        # needed to merge Dependabot PRs
+  issues: write          # needed to open issues
+  pull-requests: write   # needed to approve / merge PRs
+
+jobs:
+  # ── Open a tracking issue when a new vulnerability alert is created ──────────
+  open-security-issue:
+    if: github.event_name == 'repository_vulnerability_alert'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create tracking issue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const alert = context.payload.alert;
+            const pkg   = alert.affected_package_name || 'unknown package';
+            const sev   = alert.severity              || 'unknown severity';
+            const url   = alert.html_url              || '';
+
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo:  context.repo.repo,
+              title: `[Security] Vulnerability in ${pkg} (${sev})`,
+              body: [
+                `## Vulnerability Alert`,
+                ``,
+                `**Package:** ${pkg}`,
+                `**Severity:** ${sev}`,
+                `**Advisory:** ${url}`,
+                ``,
+                `Dependabot will open a pull request to patch this dependency automatically.`,
+                `This issue will be closed once the fix is merged.`,
+              ].join('\n'),
+              labels: ['security', 'dependencies'],
+              assignees: ['dathan'],
+            });
+
+      - name: Notify via GitHub (assign + watch already triggers email)
+        run: echo "Issue created — GitHub will notify assigned users via email/web."
+
+  # ── Auto-merge Dependabot PRs that pass CI ───────────────────────────────────
+  auto-merge-dependabot:
+    if: |
+      github.event_name == 'pull_request' &&
+      github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve the PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge (squash)
+        # Auto-merge triggers once all required status checks pass.
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Notify owner of Dependabot PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr   = context.payload.pull_request;
+            const meta = {
+              name:    '${{ steps.meta.outputs.dependency-names }}',
+              from:    '${{ steps.meta.outputs.previous-version }}',
+              to:      '${{ steps.meta.outputs.new-version }}',
+              type:    '${{ steps.meta.outputs.update-type }}',
+            };
+            await github.rest.issues.createComment({
+              owner:      context.repo.owner,
+              repo:       context.repo.repo,
+              issue_number: pr.number,
+              body: [
+                `@dathan — Dependabot opened this PR:`,
+                ``,
+                `| | |`,
+                `|---|---|`,
+                `| **Package** | ${meta.name} |`,
+                `| **Update** | ${meta.from} → ${meta.to} (${meta.type}) |`,
+                `| **Status** | Auto-merge enabled — will merge once CI passes |`,
+              ].join('\n'),
+            });
diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,6 @@
 # Project Dependencies
 vendor
 
-# Ignore api dir
-api
-bin
+# Ignore top-level api and bin dirs (root-anchored so frontend/src/api/ is not affected)
+/api
+/bin
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| latest (`master`) | :white_check_mark: |
+| older tags | :x: |
+
+## Reporting a Vulnerability
+
+You may report a vulnerability either publicly or privately:
+
+- **Public issue** — [Open an issue](../../issues/new) if you are comfortable disclosing the details publicly. Use the `security` label.
+- **Private advisory** — Use GitHub's [private vulnerability reporting](../../security/advisories/new) if the vulnerability is sensitive and you prefer coordinated disclosure before it is publicly visible.
+
+Include in your report:
+- A description of the vulnerability and its potential impact
+- Steps to reproduce or a proof-of-concept
+- Affected versions
+- Any suggested mitigations, if known
+
+You can expect:
+- **Acknowledgement** within 2 business days
+- **Status update** within 7 days (confirmed, declined, or needs more info)
+- **Patch and disclosure** coordinated with you once a fix is ready
+
+When the vulnerability is fixed, a GitHub Security Advisory will be published and a CVE will be requested if warranted.
+
+## Automated Security
+
+- **Dependabot** is enabled and will automatically open pull requests to upgrade vulnerable dependencies (Go modules, npm packages, Docker base images).
+- Dependabot PRs that pass CI are **automatically merged**.
+- The repository owner is notified by GitHub whenever a security advisory is published or a Dependabot PR is opened.
diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts
@@ -0,0 +1,100 @@
+// Typed API client. All fetch calls go through here so auth headers and
+// base URL are applied consistently.
+
+const BASE = import.meta.env.VITE_API_URL ?? "";
+
+export interface User {
+  id: string;
+  email: string;
+  name: string;
+  avatar_url: string;
+  provider: string;
+  role: string;
+  paid_at: string | null;
+  created_at: string;
+}
+
+export interface PaymentIntentResponse {
+  client_secret: string;
+  payment_id: string;
+}
+
+export interface UserListResponse {
+  users: User[];
+  total: number;
+}
+
+export interface AssumeResponse {
+  token: string;
+  target_user: User;
+}
+
+// ── Token Management ──────────────────────────────────────────────────────────
+
+const TOKEN_KEY = "jwt";
+
+export const getToken = (): string | null => localStorage.getItem(TOKEN_KEY);
+export const setToken = (t: string) => localStorage.setItem(TOKEN_KEY, t);
+export const clearToken = () => localStorage.removeItem(TOKEN_KEY);
+
+// ── Core Fetch ────────────────────────────────────────────────────────────────
+
+async function request<T>(
+  path: string,
+  options: RequestInit = {}
+): Promise<T> {
+  const token = getToken();
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    ...(options.headers as Record<string, string>),
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+
+  const res = await fetch(`${BASE}${path}`, { ...options, headers, credentials: "include" });
+
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({ error: res.statusText }));
+    throw new Error(err.error ?? `HTTP ${res.status}`);
+  }
+
+  if (res.status === 204) return undefined as unknown as T;
+  return res.json();
+}
+
+// ── Auth ──────────────────────────────────────────────────────────────────────
+
+export const getMe = () => request<User>("/api/v1/me");
+
+export const logout = () =>
+  request<void>("/auth/logout", { method: "POST" }).then(clearToken);
+
+export const oauthURL = (provider: string) => `${BASE}/auth/${provider}`;
+
+// ── Admin ─────────────────────────────────────────────────────────────────────
+
+export const listUsers = (limit = 50, offset = 0) =>
+  request<UserListResponse>(`/api/v1/admin/users?limit=${limit}&offset=${offset}`);
+
+export const assumeUser = (id: string) =>
+  request<AssumeResponse>(`/api/v1/admin/users/${id}/assume`, { method: "POST" });
+
+// ── Payments ──────────────────────────────────────────────────────────────────
+
+export const createPaymentIntent = (amount: number, currency = "usd") =>
+  request<PaymentIntentResponse>("/api/v1/payments/intent", {
+    method: "POST",
+    body: JSON.stringify({ amount, currency }),
+  });
+
+// ── Agent ─────────────────────────────────────────────────────────────────────
+
+export const sendPrompt = (prompt: string) =>
+  request<{ response: string }>("/api/v1/agent/prompt", {
+    method: "POST",
+    body: JSON.stringify({ prompt }),
+  });
+
+export const streamURL = (prompt: string) =>
+  `${BASE}/api/v1/agent/stream?prompt=${encodeURIComponent(prompt)}`;
