docs: add agent-readable CLAUDE.md and SPEC.md#1206
howar31 wants to merge 2 commits into mirror-media:main from
Add project-level CLAUDE.md for Claude Code guidance, update root SPEC.md with per-package links, and add package-level SPEC.md for mirrormedia, mirrortv, mirrordaily, readr, and mesh. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Review
This pull request introduces comprehensive documentation for the Lilith CMS monorepo, including a CLAUDE.md guide for AI agents and detailed SPEC.md files for the root and individual CMS packages (mesh, mirrordaily, mirrormedia, mirrortv, and readr). The review feedback identifies a critical security vulnerability where mirrordaily and mirrortv specify an 8GB JSON body parser limit, which poses a significant risk of Denial of Service (DoS) via memory exhaustion. Additionally, the reviewer noted inconsistencies in port mapping between the root and package-level specifications and recommended consistent documentation of the 'restricted' access control strategy across all environment variable tables.
| - `PopularTag`:熱門標籤追蹤 | ||
|
|
||
| ### Large Payload Support | ||
| JSON body parser 上限設為 **8 GB**,支援大型影音檔案上傳。 |
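Review bot: this "Large Payload Support" section appears verbatim in both the mirrordaily and mirrortv specs and frames the 8 GB JSON limit as a feature rather than a constraint, which is exactly what an agent reading the spec (the stated purpose of CLAUDE.md) will then preserve. Whatever the answer to the question about the code, change both copies together, and have the section describe how large media is actually uploaded (the storage section each package spec already has) instead of stating the JSON limit.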
Setting the JSON body parser limit to 8 GB is extremely dangerous as it exposes the server to Denial of Service (DoS) attacks via memory exhaustion. Large file uploads (like video) should be handled via streaming (e.g., multipart/form-data) rather than being parsed as a JSON body. Please verify if this is a documentation error or if the underlying code needs to be restricted to a much lower limit (typically < 1MB for JSON).
| 透過 `YOUTUBE_API_KEY` 整合 YouTube Data API,供影片資料同步使用。 | ||
|
|
||
| ### Large Payload Support | ||
| JSON body parser 上限設為 **8 GB**,支援大型影音檔案上傳。 |
Setting the JSON body parser limit to 8 GB is extremely dangerous as it exposes the server to Denial of Service (DoS) attacks via memory exhaustion. Large file uploads (like video) should be handled via streaming (e.g., multipart/form-data) rather than being parsed as a JSON body. Please verify if this is a documentation error or if the underlying code needs to be restricted to a much lower limit (typically < 1MB for JSON).
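As an added illustration of the point made in both of these comments (example code, not from the Lilith repo, Keystone or body-parser): a minimal Node collector that enforces a JSON body limit from Content-Length and again per chunk, so the peak memory an oversized request can pin is bounded by the limit rather than by the body. The "1mb"/"8gb" size syntax and the simulated request are assumptions of the example.

```javascript
// Size syntax assumed to follow body-parser's "1mb" / "8gb" style.
const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };
function parseLimit(limit) {
  const m = /^(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)$/i.exec(String(limit).trim());
  if (!m) throw new Error(`unrecognised size limit: ${limit}`);
  return Math.floor(Number(m[1]) * UNITS[m[2].toLowerCase()]);
}

// Collects a JSON body under a byte budget, checked against Content-Length before
// any read and again per chunk, so at most `limitBytes` is ever held in memory.
class BoundedJsonBody {
  constructor(limitBytes, contentLength) {
    this.limit = limitBytes;
    this.received = 0;
    this.chunks = [];
    // 413 up front when the declared length alone exceeds the budget
    this.status = Number.isFinite(contentLength) && contentLength > limitBytes ? 413 : null;
  }
  push(chunk) {
    if (this.status) return false;
    this.received += chunk.length;
    if (this.received > this.limit) {
      this.status = 413;
      this.chunks = []; // release the buffer; the caller should destroy the socket
      return false;
    }
    this.chunks.push(chunk);
    return true;
  }
  finish() {
    if (this.status) return { status: this.status, body: null };
    try {
      return { status: 200, body: JSON.parse(Buffer.concat(this.chunks).toString('utf8')) };
    } catch {
      return { status: 400, body: null };
    }
  }
}

// Feeds a body through the collector in fixed chunks (`chunked` models a request with no
// Content-Length) and reports the status plus the peak bytes buffered, the real DoS cost.
function simulateRequest(limit, bodyBytes, { chunked = false, chunkSize = 64 * 1024 } = {}) {
  const collector = new BoundedJsonBody(parseLimit(limit), chunked ? undefined : bodyBytes.length);
  let peak = 0;
  for (let off = 0; off < bodyBytes.length; off += chunkSize) {
    if (!collector.push(bodyBytes.subarray(off, off + chunkSize))) break;
    peak = Math.max(peak, collector.received);
  }
  return { ...collector.finish(), peakBuffered: peak };
}
```

Calling `simulateRequest('8gb', Buffer.alloc(5 * 1024 * 1024, 0x41))` reports all 5 MB buffered before `JSON.parse` rejects the junk with 400, while `'1mb'` refuses the same body with 413 after holding at most 1 MB (or nothing at all when Content-Length is present).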
| | `readr` | CMS App | — | Readr CMS | [SPEC](packages/readr/SPEC.md) | | ||
| | `mesh` | CMS App | — | Mesh CMS | [SPEC](packages/mesh/SPEC.md) | |
The ports for readr and mesh are marked as — here, but their respective package-level SPEC.md files define them as 3000. This creates a conflict with mirrormedia which also uses port 3000. Please synchronize the port assignments in this table to reflect the actual configuration and resolve the port collisions to ensure a smooth local development experience.
| | Strategy | Behavior | | ||
| | --- | --- | | ||
| | `cms` | Standard role-based access. Preview mini-app enabled. | | ||
| | `gql` | Public read (for frontend APIs); published items only | | ||
| | `preview` | All items readable (for preview servers) | | ||
| | `restricted` | Blocks User list queries/updates/deletes by default | |
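Review bot: the `preview` row says all items are readable, which includes unpublished content, but the table says nothing about who may reach a server running with that strategy; add a sentence under the table that `preview` is only for deployments that are not publicly reachable or sit behind their own authentication, so the row is not read as a safe public option next to `gql`. The `restricted` row also says User list operations are blocked "by default" without saying what changes that default; either state the override or drop "by default".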
The restricted access control strategy is documented here and in CLAUDE.md, but it is missing from the ACCESS_CONTROL_STRATEGY environment variable tables in all individual package specs (e.g., mirrormedia, mirrordaily, mirrortv, readr, mesh). If this strategy is a core feature available to all packages, it should be consistently documented in the package-level specs as well.
|
|
||
| | Variable | Default | Purpose | | ||
| | --- | --- | --- | | ||
| | `ACCESS_CONTROL_STRATEGY` | `cms` | `cms` / `gql` / `preview` | |
The restricted strategy is mentioned in the root SPEC.md and CLAUDE.md but is missing from this package's environment variable documentation. Please include it for consistency.
| | `ACCESS_CONTROL_STRATEGY` | `cms` | `cms` / `gql` / `preview` | | |
| | ACCESS_CONTROL_STRATEGY | cms | cms / gql / preview / restricted | |
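Review bot: the replacement row drops the inline-code backticks that the row it replaces, and the rest of the table, use around the variable name and its values; keep the formatting consistent:
| `ACCESS_CONTROL_STRATEGY` | `cms` | `cms` / `gql` / `preview` / `restricted` |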
…ge SPECs
- Update readr and mesh port from — to 3000 in root SPEC.md
- Add restricted to ACCESS_CONTROL_STRATEGY docs in all 5 package SPECs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- `CLAUDE.md` for Claude Code guidance (run commands, architecture, conventions)
- `SPEC.md` with full monorepo architecture spec and per-package links
- `SPEC.md` for `mirrormedia`, `mirrortv`, `mirrordaily`, `readr`, `mesh` — each documents lists, storage, mini-apps, env vars, and unique features

Test plan
🤖 Generated with Claude Code