Release: v0.4 — Architectural Baseline

.env.example

@@ -1,3 +1,26 @@
+# Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+#   __  __                        ____
+#  / /_/ /  ___   _  _____ ___ __/ / /_
+# / __/ _ \/ -_) | |/ / _ `/ // / / __/
+# \__/_//_/\__/  |___/\_,_/\_,_/_/\__/
+#
+# .env.example — Environment variable template
+# 2026-04-17
+#
+# Template for the runtime env vars consumed by the Vue app.
+# Copy to .env and fill in your values, VITE_ prefix is required.
+#
+#   VITE_OBS_WS_HOST   WebSocket host
+#   VITE_OBS_WS_PORT   WebSocket port
+#   VITE_OBS_WS_PASS   WebSocket password
+#   VITE_OBS_WS_LAN    LAN address
+#
+# Cristian D. Moreno (Kyonax)
+# kyonax.corp@gmail.com
+
 VITE_OBS_WS_HOST=127.0.0.1
 VITE_OBS_WS_PORT=4455
 VITE_OBS_WS_PASS=

.gitattributes

@@ -1,3 +1,25 @@
+# Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+#   __  __         __     __
+#  / /_/ /  ___   / /__ _/ /
+# / __/ _ \/ -_) / / _ `/ _ \
+# \__/_//_/\__/ /_/\_,_/_.__/
+#
+# .gitattributes — Git file handling rules
+# 2026-04-17
+#
+# Controls how Git handles specific files on checkout and commit.
+# The logo.txt rule prevents Windows CRLF from corrupting the
+# Unicode box-drawing glyphs in the ASCII logo.
+#
+# logo.txt: UTF-8 + LF enforcement
+# Default: auto-normalize text to LF
+#
+# Cristian D. Moreno (Kyonax)
+# kyonax.corp@gmail.com
+
 # Preserve box-drawing characters and line endings in the brand logo.
 # Windows clones would otherwise apply CRLF conversion and potentially
 # corrupt the Unicode frame glyphs.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,3 +1,23 @@
+<!--
+  Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+   __  __                          ____
+  / /_/ /  ___   ___ ___________  / / /
+ / __/ _ \/ -_) (_-</ __/ __/ _ \/ / /
+ \__/_//_/\__/ /___/\__/_/  \___/_/_/
+
+  PULL_REQUEST_TEMPLATE.md — PR body scaffold
+  2026-04-17
+
+  Self-documenting template with 13 embedded format rules.
+  Every populated PR carries the rules with it.
+
+  Cristian D. Moreno (Kyonax)
+  kyonax.corp@gmail.com
+-->
+
 <!--
   ─────────────────────────────────────────────────────────────
    RECKIT Pull Request Template

.github/SECURITY.org

@@ -1,16 +1,102 @@
+# Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+#   __  __             __   _     __   __
+#  / /_/ /  ___   ___ / /  (_)__ / /__/ /
+# / __/ _ \/ -_) (_-</ _ \/ / -_) / _  /
+# \__/_//_/\__/ /___/_//_/_/\__/_/\_,_/
+#
+# SECURITY.org — Banned patterns, enforcement, and contributor guidelines
+# 2026-04-17
+#
+# What is never allowed, how it is enforced, and what
+# contributors must check before opening a PR.
+#
+#   Banned Code Patterns
+#   Banned File Patterns
+#   Enforcement
+#   Environment Variables
+#   For Contributors
+#
+# Cristian D. Moreno (Kyonax)
+# kyonax.corp@gmail.com
+
 #+TITLE: RECKIT Security Rules
 #+AUTHOR: [[https://orcid.org/0009-0006-4459-5538][Cristian D. Moreno - Kyonax]]
+#+EMAIL: kyonax.corp@gmail.com
+#+DATE: Apr 17, 2026
+#+FILETAGS: :KYO:RECKIT:SECURITY:
+#+LAST_UPDATE: Apr 17, 2026
+#+OPTIONS: toc:nil num:nil H:3
+
+* Banned Code Patterns
+
+| Pattern                                   | Reason             | ESLint rule                  |
+|-------------------------------------------+--------------------+------------------------------|
+| =eval()=, =Function()=                        | Code injection     | =no-eval=, =no-new-func=         |
+| =innerHTML= assignment                      | XSS vector         | =no-restricted-syntax=         |
+| =document.write=                            | XSS vector         | =no-restricted-properties=     |
+| =setTimeout= / =setInterval= with string args | Implicit eval      | =no-implied-eval=              |
+| =v-html= in Vue templates                   | XSS vector         | code review                  |
+| Hardcoded tokens, secrets, API keys       | Credential leak    | CI security scan             |
+| =http://= URLs (except localhost)           | Insecure transport | CI security scan             |
+| Unsafe regex (catastrophic backtracking)  | ReDoS              | =security/detect-unsafe-regex= |
+
+* Banned File Patterns
+These must never be committed. Enforced by =.gitignore=.
+
+| Pattern                | Covers                            |
+|------------------------+-----------------------------------|
+| =.env=, =.env.*=           | Runtime environment variables     |
+| =*.pem=, =*.key=, =*.crt=    | TLS certificates and private keys |
+| =*.gpg=                  | GPG-encrypted files               |
+| =id_rsa*=, =id_ed25519*=   | SSH keys                          |
+| =*.token=, =*.secret=      | Generic secret files              |
+| =.npmrc=, =.yarnrc=        | Package manager auth tokens       |
+| =auth.json=              | Authentication credentials        |
+| =*.sqlite=, =*.db=, =*.sql=  | Database files and dumps          |
+| =secrets/=, =credentials/= | Secret directories                |
+
+* Enforcement
+Two layers run on every pull request:
+
+** ESLint (=eslint.config.mjs=)
+
+- =no-eval=, =no-implied-eval=, =no-new-func=, =no-script-url= (all =error=)
+- =eslint-plugin-security= rules: =detect-eval-with-expression=, =detect-unsafe-regex=, =detect-buffer-noassert=, =detect-new-buffer=, =detect-no-csrf-before-method-override=
+- =no-restricted-syntax= blocks =innerHTML= assignment
+- =no-restricted-properties= blocks =document.write=
+
+** CI Security Scan (=.github/workflows/ci.yml=)
+Greps the entire codebase for patterns ESLint cannot catch:
+
+- Dangerous function calls (=eval=, =Function=, =innerHTML=, =document.write=)
+- String-based timers (=setTimeout("...")=, =setInterval("...")=)
+- Hardcoded secrets (=token=, =secret=, =api_key=, =password= with quoted values)
+- Insecure HTTP URLs (=http://= excluding localhost)
+- Emits =::error= annotations on matching lines
+
+Excludes =eslint.config.mjs= (rule strings match patterns literally), =node_modules/=, =dist/=, =.cache/=.
+
+** CI License Headers (=.github/workflows/ci.yml=)
+Every =*.js=, =*.mjs=, =*.html=, =*.css=, =*.vue=, =*.scss= file must contain =Cristian D. Moreno= in the first 5 lines.
+
+** Pre-Check Failed Label
+The =Pre-Check Label= CI job aggregates all gate results. If any gate fails, the =Pre-Check Failed= label is applied to the PR.
+
+* Environment Variables
+Runtime config uses =VITE_*= env vars loaded from =.env= (gitignored). The tracked template is =.env.example= with empty placeholder values. Contributors copy it to =.env= and fill in their own values.
+
+Never hardcode credentials in source files. Always use =import.meta.env.VITE_*=.
+
+* For Contributors
+
+Before opening a PR, verify:
 
-* Banned patterns
-| Pattern                                   | Reason             |
-|-------------------------------------------+--------------------|
-| =eval()=, =Function()=                        | Code injection     |
-| =innerHTML= assignment                      | XSS vector         |
-| =document.write=                            | XSS vector         |
-| =setTimeout= / =setInterval= with string args | Implicit eval      |
-| Hardcoded tokens, secrets, API keys       | Credential leak    |
-| =http://= URLs                              | Insecure transport |
-
-* Enforced by
-- =eslint.config.mjs= — =no-eval=, =no-implied-eval=, =no-new-func=, =eslint-plugin-security=, =no-restricted-syntax= (innerHTML, document.write)
-- =.github/workflows/ci.yml= — security scan job greps for all banned patterns on every PR
+1. =npm run lint= reports 0 errors
+2. No =.env=, =*.key=, =*.pem=, or secret files are staged (=git status=)
+3. New source files have the MPL-2.0 license header
+4. No =http://= URLs (use =https://= or =ws://localhost=)
+5. No =eval=, =innerHTML=, =document.write=, or string-based timers
+6. No hardcoded passwords, tokens, or API keys

.github/workflows/ci.yml

@@ -1,18 +1,34 @@
-# ---------------------------------------------------------------
-# RECKIT CI -- Lint, Security Scan, License & Protected-File Gates
-# ---------------------------------------------------------------
-# Triggers:
-#   - pull_request: ANY target branch. A PR from `sub-feature`
-#     to `feat-cam-person` runs the same gates as a PR to
-#     `dev` or `master`. This is intentional — every merge in
-#     the chain must meet the pre-check bar before reaching
-#     dev / master.
-#   - push: feature branches only (`feat-*`, `feat/*`,
-#     `feature/*`, `fix-*`, `fix/*`). Gives developers
-#     feedback before they open a PR. master / dev are skipped
-#     here because they're protected and only receive commits
-#     via PRs (which fire the pull_request trigger above).
-# ---------------------------------------------------------------
+# Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+#   __  __                     __      __   __
+#  / /_/ /  ___   _    _____ _/ /_____/ /  / /____ _    _____ ____
+# / __/ _ \/ -_) | |/|/ / _ `/ __/ __/ _ \/ __/ _ \ |/|/ / -_) __/
+# \__/_//_/\__/  |__,__/\_,_/\__/\__/_//_/\__/\___/__,__/\__/_/
+#
+# ci.yml — CI gate suite
+# 2026-04-17
+#
+# Runs every gate on all pull_request targets and feat/fix push
+# branches. Concurrency group dedups push-vs-PR double runs.
+# Pre-Check Label aggregates all results into one label.
+#
+#   ESLint
+#   Security Scan
+#   License Headers
+#   Protected Files
+#   Unit Tests
+#   Pre-Check Label (aggregator)
+#
+# Guidelines:
+#   New jobs must be added to Pre-Check Label needs list
+#   Security Scan excludes eslint.config.mjs (rule strings match patterns)
+#   License Headers checks first 5 lines for Cristian D. Moreno
+#   Protected Files is advisory only, never blocks
+#
+# Cristian D. Moreno (Kyonax)
+# kyonax.corp@gmail.com
 
 name: CI
 

.github/workflows/release.yml

@@ -1,9 +1,24 @@
-# ---------------------------------------------------------------
-# RECKIT Release Gate -- Enforced on dev -> master PRs
-# ---------------------------------------------------------------
-# Ensures CHANGELOG.org and README.org version are updated before
-# any code lands on master.
-# ---------------------------------------------------------------
+# Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+#   __  __             __           __              _      __
+#  / /_/ /  ___   ____/ /  ___ ____/ /__ ___  ___  (_)__  / /_
+# / __/ _ \/ -_) / __/ _ \/ -_) __/  '_// _ \/ _ \/ / _ \/ __/
+# \__/_//_/\__/  \__/_//_/\__/\__/_/\_\/ .__/\___/_/_//_/\__/
+#                                      /_/
+#
+# release.yml — Release gate for dev to master PRs
+# 2026-04-17
+#
+# Blocks merges to master unless the CHANGELOG and README
+# version have been updated. Only runs on PRs from dev.
+#
+#   CHANGELOG.org updated
+#   README.org version bumped
+#
+# Cristian D. Moreno (Kyonax)
+# kyonax.corp@gmail.com
 
 name: Release Gate
 

.gitignore

@@ -1,10 +1,34 @@
-# ─────────────────────────────────────────────────────────────
-#  RECKIT — .gitignore
-# ─────────────────────────────────────────────────────────────
-#  Organized by concern. Keep this file the single source of
-#  truth for what gets ignored. When in doubt, prefer ignoring.
-#  Cross-reference: .github/SECURITY.org
-# ─────────────────────────────────────────────────────────────
+# Copyright (c) 2026 Cristian D. Moreno — @Kyonax
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. See LICENSE or https://mozilla.org/MPL/2.0/
+
+#   __  __                   _    __
+#  / /_/ /  ___   _  _____  (_)__/ /
+# / __/ _ \/ -_) | |/ / _ \/ / _  /
+# \__/_//_/\__/  |___/\___/_/\_,_/
+#
+# .gitignore — Ignored files and directories
+# 2026-04-17
+#
+# Single source of truth for everything Git should never track.
+# Organized by concern so new patterns land in the right section.
+#
+#   Node / Vue / Vite
+#   Build / cache
+#   Logs
+#   Test / coverage
+#   Environment / secrets
+#   Editors / IDEs
+#   OS junk
+#   Temp / backup
+#   Local-only contributor files
+#
+# Requirements:
+# package-lock.json is tracked on purpose (npm ci needs it)
+# .env.example is the only tracked env file
+#
+# Cristian D. Moreno (Kyonax)
+# kyonax.corp@gmail.com
 
 # ── Node / Vue / Vite ────────────────────────────────────────
 node_modules/
@@ -13,10 +37,6 @@ dist-ssr/
 .vite/
 *.local
 
-# package-lock.json is COMMITTED — required by the CI workflow
-# (`npm ci`) and gives reproducible installs + supply-chain
-# defense. Do NOT re-add it to this ignore list.
-
 # ── Build / cache ────────────────────────────────────────────
 .cache/
 .parcel-cache/
@@ -44,17 +64,11 @@ coverage/
 *.lcov
 
 # ── Environment / secrets ────────────────────────────────────
-# Real values live only on the contributor's machine.
 .env
 .env.local
 .env.*.local
 .env.*
-# But the template IS meant to be committed.
 !.env.example
-
-# Hard ban on common secret-file extensions — never commit
-# these even accidentally. Add a specific pattern here if you
-# ever need to intentionally commit an encrypted variant.
 *.pem
 *.key
 *.crt
@@ -74,11 +88,20 @@ credentials/
 .aws/
 .gcloud/
 auth.json
-
-# RECKIT-specific: GPG-encrypted runtime config kept LOCAL by
-# choice. Decrypt with `gpg --decrypt .rc.gpg`.
 .rc
 .rc.gpg
+*.gpg
+*.jks
+*.keystore
+*.token
+*.secret
+.htpasswd
+.npmrc
+.yarnrc
+*.sqlite
+*.db
+*.sql
+.ssh/
 
 # ── Editors / IDEs ───────────────────────────────────────────
 .vscode/
@@ -118,13 +141,8 @@ $RECYCLE.BIN/
 tmp/
 temp/
 
-# ── Local-only RECKIT contributor files ──────────────────────
-# Setup notes / scratchpad docs that live on the contributor's
-# machine only.
+# ── Local-only contributor files ─────────────────────────────
 .github/BRANCHES.org
-
-# Clipboard buffer for the most recent generated commit / PR
-# text. Overwritten in place every time new text is produced.
-# Local only — never committed.
+CLAUDE.md
 COMMIT.org
 PR.org