Add API, harden build scripts

[stonegray]

No description provided.

[Copilot]

Pull request overview

This pull request adds a comprehensive REST API for monitoring the Magic Proxy application, replacing the minimal placeholder API. The new implementation includes authentication, rate limiting, input validation, error sanitization, and dynamic route registration via a message broker pattern. Additionally, it introduces a configuration file watcher for hot-reloading and hardens the build process.

Changes:

• Implemented a full-featured REST API with security middleware (authentication, rate limiting, input validation, Helmet security headers)
• Added dynamic route registration via apiMessageBroker pattern for controlled data exposure
• Introduced configuration file hot-reloading via configWatcher module
• Enhanced Docker provider file watching with host path resolution for Docker-in-Docker scenarios

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
test/unit/api/api-security.test.ts	Comprehensive security and validation tests for the new API
src/types/config.d.ts	Extracted APIConfig interface and updated config types
src/api/server.ts	Express server setup with middleware chain and route handlers
src/api/middleware/*.ts	Authentication, rate limiting, validation, logging, and error handling middleware
src/apiMessageBroker.ts	Secure message broker for controlled API data exposure
src/configWatcher.ts	File watcher for hot-reloading configuration changes
src/index.ts	Updated app initialization to support API lifecycle and config watching
src/providers/docker/provider.ts	Enhanced file watching with host path resolution
src/providers/docker/compose.ts	Exported resolveHostPath utility function
src/api.ts	Removed old placeholder API implementation
package.json	Added helmet, express-rate-limit, and type definitions
docs/API.md	Comprehensive API documentation with examples
config/magic-proxy.yml	Enhanced API configuration with security options
.github/workflows/ci.yml	Added build step and pull request trigger

Comments suppressed due to low confidence (1)

src/api/middleware/logging.ts:54

• The X-Forwarded-For header can be easily spoofed by clients and should only be trusted when the API is behind a known proxy. Using this header for authentication decisions or rate limiting (if per-IP limiting is added) could allow attackers to bypass restrictions. Consider adding configuration to specify whether to trust proxy headers, and validate that the request actually came from a trusted proxy before using X-Forwarded-For.

function getClientIP(req: Request): string {
    const forwarded = req.headers['x-forwarded-for'];
    if (typeof forwarded === 'string') {
        return forwarded.split(',')[0].trim();
    }
    return req.socket.remoteAddress || 'unknown';

[Copilot]

The error response always returns a generic message "An error occurred processing your request" regardless of the error type. While this prevents information leakage, it makes the API difficult to use because clients cannot distinguish between different error types (e.g., validation errors vs. server errors vs. not found). Consider categorizing common error types and returning more specific error messages for 400-level errors while keeping 500-level errors generic. For example, validation errors could return "Invalid request parameters" while keeping internal server errors generic.

[Copilot]

The comment indicates this is a duplicate build step and acknowledges it's redundant. Having duplicate build steps increases CI time and resource usage unnecessarily. Consider implementing the suggested solution of ensuring the build-and-push job only runs after successful test/lint steps, or add a dedicated build job that both test and build-and-push depend on. The TODO should be resolved rather than leaving duplicate steps in production.