cyclecad 3.0.0 → 3.1.0

package/nginx.conf

@@ -0,0 +1,237 @@
+# cycleCAD Production Nginx Configuration
+# Optimized for performance, security, and cross-origin support
+#
+# Key features:
+# - Gzip compression on all text-like formats
+# - CORS headers for all origins
+# - COOP/COEP headers for SharedArrayBuffer (Web Workers)
+# - Aggressive caching for static assets (1 year for immutable content)
+# - Security headers (CSP, X-Frame-Options, etc.)
+# - SPA routing (all non-API routes fall through to index.html)
+# - Max upload size: 500MB (for STEP files)
+# - Proper WASM MIME type + cache headers
+# - Gzip on responses to reduce bandwidth
+
+upstream cyclecad_upstream {
+    server cyclecad:80;
+}
+
+upstream converter_upstream {
+    server converter:8787;
+}
+
+upstream signaling_upstream {
+    server signaling:8788;
+}
+
+server {
+    listen 80 default_server;
+    server_name _;
+
+    # Root directory for all static files
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Max upload size (for STEP file imports)
+    client_max_body_size 500M;
+
+    # ========== GZIP COMPRESSION ==========
+    # Enable gzip with aggressive settings
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 500;
+    gzip_types
+        text/plain
+        text/css
+        text/javascript
+        text/xml
+        text/x-component
+        text/x-cross-domain-policy
+        application/javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/atom+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        application/octet-stream
+        image/svg+xml
+        model/gltf-binary
+        model/gltf+json
+        image/x-icon;
+    gzip_disable "msie6";
+    gzip_comp_level 6;
+    gzip_proxied any;
+
+    # ========== CROSS-ORIGIN HEADERS ==========
+    # Allow CORS for all origins
+    add_header Access-Control-Allow-Origin "*" always;
+    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE, PATCH" always;
+    add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, X-API-Key" always;
+
+    # Cross-Origin headers for SharedArrayBuffer (Web Workers)
+    # COOP (Cross-Origin-Opener-Policy) isolates browsing context
+    # COEP (Cross-Origin-Embedder-Policy) requires opt-in for cross-origin resources
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+
+    # ========== SECURITY HEADERS ==========
+    # Prevent MIME type sniffing
+    add_header X-Content-Type-Options "nosniff" always;
+
+    # Prevent clickjacking (allow embedding only from same origin)
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    # XSS protection (legacy)
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Content Security Policy (permissive for AI features + external APIs)
+    add_header Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://ai.google.dev; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https:; font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com; connect-src 'self' https: wss: ws:; worker-src 'self' blob:; manifest-src 'self';" always;
+
+    # Referrer policy
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # ========== CACHING STRATEGY ==========
+
+    # Immutable assets (versioned/hashed filenames) — cache forever
+    location ~* \.(js|css|ico|png|jpg|jpeg|gif|svg|webp|ttf|woff|woff2|eot|otf)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        add_header X-Cache-Status "HIT";
+    }
+
+    # WASM files — cache aggressively (immutable after compilation)
+    location ~* \.wasm$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        add_header Content-Type "application/wasm";
+        add_header X-Content-Type-Options "nosniff";
+    }
+
+    # 3D model files — cache for 7 days (reasonable for non-versioned assets)
+    location ~* \.(glb|gltf|stl|obj|mtl)$ {
+        expires 7d;
+        add_header Cache-Control "public, must-revalidate";
+    }
+
+    # Presentation files — cache for 7 days
+    location ~* \.(pptx|docx|xlsx|pdf)$ {
+        expires 7d;
+        add_header Cache-Control "public, must-revalidate";
+    }
+
+    # HTML files (SPA entry points) — no cache, always validate
+    location ~* \.html$ {
+        expires -1;
+        add_header Cache-Control "public, must-revalidate, max-age=0";
+    }
+
+    # JSON manifest files — short cache (5 minutes)
+    location ~* \.json$ {
+        expires 5m;
+        add_header Cache-Control "public, must-revalidate";
+    }
+
+    # Service worker — no cache
+    location /sw.js {
+        expires -1;
+        add_header Cache-Control "public, must-revalidate, max-age=0";
+    }
+
+    # ========== ROUTING ==========
+
+    # Health check endpoint (always accessible)
+    location = /health {
+        access_log off;
+        return 200 '{"status":"ok","app":"cyclecad","version":"0.8.6","timestamp":"'$(date -u +%s)'"}';
+        add_header Content-Type "application/json";
+    }
+
+    # API endpoints (pass through to upstream services, no caching)
+    location /api/ {
+        proxy_pass http://converter_upstream;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    # Converter service (for STEP → GLB conversion)
+    location /converter/ {
+        proxy_pass http://converter_upstream/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
+        proxy_buffering off;
+    }
+
+    # Signaling service (for real-time collaboration)
+    location /signal/ {
+        proxy_pass http://signaling_upstream/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 3600s;
+    }
+
+    # WebSocket upgrade for real-time features
+    location /ws/ {
+        proxy_pass http://signaling_upstream/ws/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_read_timeout 3600s;
+    }
+
+    # CAD app — SPA routing (all routes fall through to index.html)
+    location /app/ {
+        try_files $uri $uri/ /app/index.html;
+    }
+
+    # Root — SPA routing (landing page is also an SPA)
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Deny access to hidden files/directories
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+}
+
+# Redirect HTTP to HTTPS in production (use with Let's Encrypt)
+# Uncomment this section when HTTPS is enabled:
+#
+# server {
+#     listen 80 default_server;
+#     server_name _;
+#     return 301 https://$host$request_uri;
+# }
+#
+# server {
+#     listen 443 ssl http2 default_server;
+#     server_name _;
+#
+#     ssl_certificate /etc/letsencrypt/live/cyclecad.com/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/cyclecad.com/privkey.pem;
+#
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers HIGH:!aNULL:!MD5;
+#     ssl_prefer_server_ciphers on;
+#
+#     # ... rest of server config ...
+# }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cyclecad",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "Browser-based parametric 3D CAD modeler with AI-powered tools, native Inventor file parsing, and smart assembly management. No install required.",
   "main": "index.html",
   "bin": {

package/server/Dockerfile.converter

@@ -0,0 +1,51 @@
+# cycleCAD STEP → GLB Converter Service
+# FastAPI server for server-side STEP/IGES import
+#
+# Build:   docker build -f server/Dockerfile.converter -t cyclecad-converter:latest .
+# Run:     docker run -p 8787:8787 --memory 4g cyclecad-converter:latest
+# Health:  curl http://localhost:8787/health
+#
+# Handles:
+# - STEP (.step, .stp) file import via CadQuery
+# - IGES (.iges, .igs) file import
+# - GLB/glTF 2.0 export
+# - Metadata extraction (parts, assemblies, properties)
+# - Large file processing (up to 500MB)
+# - Adaptive mesh deflection for performance
+
+FROM python:3.11-slim
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    libgl1 \
+    libglu1-mesa \
+    libxrender1 \
+    libxkbcommon0 \
+    curl \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set working directory
+WORKDIR /app
+
+# Copy requirements and install Python dependencies
+COPY server/requirements-converter.txt .
+RUN pip install --no-cache-dir -r requirements-converter.txt
+
+# Copy converter script
+COPY server/converter.py .
+
+# Create non-root user for security
+RUN useradd -m -u 1000 converter && chown -R converter:converter /app
+USER converter
+
+# Expose port
+EXPOSE 8787
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+    CMD curl -f http://localhost:8787/health || exit 1
+
+# Start FastAPI server
+CMD ["uvicorn", "converter:app", "--host", "0.0.0.0", "--port", "8787", "--workers", "2"]

package/server/Dockerfile.signaling

@@ -0,0 +1,28 @@
+FROM node:20-alpine
+
+LABEL maintainer="vvlars <vvlars@googlemail.com>"
+LABEL description="cycleCAD WebSocket Signaling Server for real-time collaboration"
+
+WORKDIR /app
+
+# Install dependencies
+RUN apk add --no-cache curl
+
+# Copy package files
+COPY package.json ./
+
+# Install Node dependencies
+RUN npm ci --only=production
+
+# Copy signaling server
+COPY signaling-server.js ./
+
+# Expose WebSocket and HTTP ports
+EXPOSE 8788
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:8788/health || exit 1
+
+# Run signaling server
+CMD ["node", "signaling-server.js"]