refactor: streaming, security hardening, and MCP removal

Major overhaul of server architecture and security posture: - Streaming: Unified all I/O through PIPESIZE (8192-byte) buffers. POST bodies stream via MpscReader through the save pipeline. GET content streams from disk via decompression to client. Removed save_item_with_reader, get_item_content_info, ChannelReader. 413 responses keep partial items (nonfatal by design). - Security: XSS protection in all HTML pages via html_escape crate. Security headers middleware (nosniff, frame deny, referrer policy). CORS tightened to explicit headers. Input validation for tags (256 chars), metadata (128/4096), pagination (10k cap). Config file reads use from_utf8_lossy. Generic error messages in HTML. Diff endpoint has 10 MB per-item cap. max_body_size config option. - Panics eliminated: Path unwraps → proper error propagation. Mutex unwraps → map_err (registries) / expect with message (local). - MCP removed: Deleted all MCP code, rmcp dependency, mcp feature. - Docs: Updated README, DESIGN, AGENTS to reflect all changes.
2026-03-14 00:03:42 -03:00
parent 560ba6e20c
commit 17be6abaab
51 changed files with 876 additions and 1309 deletions
--- a/2
+++ b/2
@@ -23,7 +23,7 @@ RUN cargo fetch --target x86_64-unknown-linux-musl
 # magic feature excluded (requires shared libmagic; fallback uses `file` command)
 COPY src/ src/
 RUN cargo build --release --target x86_64-unknown-linux-musl \
-    --no-default-features --features lz4,gzip,server,mcp,swagger,client,tls \
+    --no-default-features --features lz4,gzip,server,swagger,client,tls \
    && strip target/x86_64-unknown-linux-musl/release/keep

 # Runtime stage - scratch since binary is fully static