Timothy 0016c92383
chore(release): v0.6.5
- feat(map): higher contrast for gatherable markers (skillpoint plant + co.) on the parchment basemap
- chore(map): "Gisements / Ore deposits" category set to WIP (layer hidden until the voxel data is made reliable)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 11:37:36 +02:00

ShroudedTools

Bilingual (FR/EN) community website for the game Enshrouded. Open-source under AGPL-3.0.

Live: https://shrouded.tools

Tools

  • Build Planner — skill tree + 9-slot gear loadout, multi-save localStorage, share via short URL or ?gear= hash.
  • Calculator — damage simulator with gear loadout + skill build import, weapon/target cross-link to wiki.
  • Carte / Map — Leaflet image map with 1300+ markers, GeoIP filters, day/night themes.
  • Wiki — 8 entity types with cross-refs (items, recipes, bestiary, npcs, perks, quests, lore, chests).
  • Admin — audience analytics (anonymous, no cookie/tracker), feedback inbox, revisions queue.

Local development

make dev      # start the full stack (pg + redis + backend + frontend)
make test     # run all tests
make migrate  # apply DB migrations

See docs/architecture.md for the design and docs/contributing.md to contribute.

Security

Controls and conventions adopted across phases 1–6 of the 2026-05-12 security audit:

  • Rate limiting: slowapi with Redis storage on /auth/login (5 per 15 min), /auth/setup (3/h) and /feedback (30/h); nginx limit_req_zone is the first line of defence in front of it (cf. app/core/rate_limit.py). Both layers key on the client IP, so behind nginx the backend must take the address from the header nginx sets, and only from nginx.
  • HTML sanitization: every game-data i18n string (description_i18n, name_i18n) is passed through nh3 at write time (backend/app/core/sanitize.py); on the frontend the <SafeHtml> component (frontend/src/lib/safe-html.tsx) renders only an allowlisted tag set (<b>, <i>, <em>, <strong>, <br>, <p>, <color>, <npc>). The two layers enforce the same policy independently, so a bypass of one is caught by the other.
  • Constant-time auth: login always runs an Argon2 verify, even when the email lookup misses, so an unknown account costs the same time as a wrong password (defeats timing-based user enumeration). The error status and body must not differ between the two cases either.
  • Role split: require_admin (admin only: tokens, scraper, analytics) vs require_editor (admin or editor: catalog, feedback, revisions). Don't mix the two when adding new admin endpoints.
  • Schemas with extra=forbid: every catalog *In schema rejects unknown keys, which blocks mass assignment through the setattr loop that applies revisions.
  • Anonymous analytics: nginx access logs → backend SQLite (/data/analytics.sqlite). The visitor identifier is a hash of IP + User-Agent + UTC date, keyed with ANALYTICS_SALT_SECRET (a dedicated secret, NOT SESSION_SECRET); identifiers therefore rotate daily and cannot be correlated across days. No cookie, no JS tracker.
  • Security headers: SecurityHeadersMiddleware sets CSP / XFO / Referrer-Policy / Permissions-Policy / HSTS on every response, independently of nginx. See backend/app/core/security_headers.py.
  • Container hardening: the prod compose file runs frontend + backend with read_only: true, cap_drop: [ALL], no-new-privileges and a tmpfs for /tmp only. Postgres and Redis images are pinned by digest.
  • /.well-known/security.txt: RFC 9116 contact and Expires fields. Update before 2027-05-12.
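
The effect of the HTML allowlist above, as an added example that is not the project's code: ShroudedTools uses the nh3 library at write time and the <SafeHtml> component at render time, neither of which is reproduced here. This stand-in builds the same tag policy on Python's html.parser so it runs without nh3; the sample strings are constructed, and the assumption is that <color> and <npc> appear as plain tags (attributes on any tag are dropped).

```python
"""Allowlist HTML sanitizer mirroring the README's tag policy (added example)."""
from html import escape
from html.parser import HTMLParser
from typing import Optional

# Tag allowlist as listed in the README. Attributes are never re-emitted, which
# is what neutralises onerror=, onclick=, style= and href="javascript:...".
ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "p", "color", "npc"}
VOID_TAGS = {"br"}
# Elements whose text content must go too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open = []       # allowed tags currently open, for balanced closing
        self.skipping = None  # name of the <script>/<style> we are inside, if any

    def handle_starttag(self, tag: str, attrs) -> None:
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs deliberately discarded
            if tag not in VOID_TAGS:
                self.open.append(tag)
        # any other tag (img, a, iframe, svg, ...) is removed; its text survives

    def handle_endtag(self, tag: str) -> None:
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open:
            # close back down to this tag so the output nesting stays balanced
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data: str) -> None:
        if not self.skipping:
            # text is re-escaped, so "&lt;script&gt;" cannot come back as markup
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return html reduced to the allowlisted tags, with every attribute removed."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # constructed samples of the kind of markup that reaches description_i18n
    for sample in (
        "<b>Skillpoint plant</b> <script>alert(1)</script>",
        "<img src=x onerror=alert(1)>Found near <npc>Oswald</npc>",
        '<p onclick="steal()">Glow<br/>Moss &lt;i&gt;x&lt;/i&gt;</p>',
    ):
        print(repr(sanitize(sample)))
```

Comments (`<!-- -->`) are dropped by the parser's default handler, and unbalanced input is closed on the way out, so the result is always well-formed for the renderer.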
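
The "always verify" pattern from the constant-time auth item, as an added example rather than the project's login code. hashlib.scrypt stands in for Argon2 so the block runs on the standard library alone (an assumption; with argon2-cffi the same shape is PasswordHasher.verify on either the real or a dummy hash). The user table and passwords are constructed.

```python
"""Login that pays the hash cost whether or not the email exists (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # scrypt stands in for Argon2 here
_verify_calls = 0


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    global _verify_calls
    _verify_calls += 1  # instrumentation so the demo can prove the verify ran
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def verify_calls() -> int:
    """How many times the slow verify has executed so far."""
    return _verify_calls


# Constructed user table; not real accounts.
USERS = {
    "editor@example.invalid": {"id": 7, "role": "editor",
                               "hash": hash_password("correct horse battery")},
}

# Hash of a random password, computed once at startup. Verifying against it
# costs the same as verifying against a real user's hash.
DUMMY_HASH = hash_password(secrets.token_urlsafe(32))


def login_naive(email: str, password: str) -> Optional[int]:
    """Leaks account existence: unknown emails return before any hashing."""
    user = USERS.get(email)
    if user is None:
        return None
    return user["id"] if verify_password(password, user["hash"]) else None


def login(email: str, password: str) -> Optional[int]:
    """Exactly one verify per attempt; unknown email and wrong password look alike."""
    user = USERS.get(email)
    ok = verify_password(password, user["hash"] if user else DUMMY_HASH)
    if user is None or not ok:
        return None  # the HTTP layer must map both to the same status and body
    return user["id"]


def time_ms(fn, *args) -> float:
    start = time.perf_counter()
    fn(*args)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    for name, fn in (("naive", login_naive), ("hardened", login)):
        known = time_ms(fn, "editor@example.invalid", "wrong")
        unknown = time_ms(fn, "nobody@example.invalid", "wrong")
        print(f"{name:9s} known={known:6.1f} ms  unknown={unknown:6.1f} ms")
```

Run as a script, the naive variant answers unknown emails in microseconds and known ones in tens of milliseconds; the hardened one takes the hash cost on both paths.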
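
The role split and the extra=forbid rule together, as an added example that is not the project's code: the real backend uses FastAPI dependencies and pydantic models, while this stand-in uses plain functions and dataclasses so it runs without either. The field names name_i18n and description_i18n come from the README; the Item model, the Principal type and the token routine are constructed.

```python
"""Role gates plus a strict *In schema for the revisions queue (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict


class Forbidden(Exception):
    pass


class ValidationError(Exception):
    pass


@dataclass
class Principal:
    user_id: int
    role: str  # "admin", "editor" or "viewer"


def require_admin(p: Principal) -> Principal:
    """Tokens, scraper, analytics: admin only."""
    if p.role != "admin":
        raise Forbidden("admin required")
    return p


def require_editor(p: Principal) -> Principal:
    """Catalog, feedback, revisions: admin or editor."""
    if p.role not in ("admin", "editor"):
        raise Forbidden("editor required")
    return p


@dataclass
class Item:
    slug: str
    name_i18n: Dict[str, str] = field(default_factory=dict)
    description_i18n: Dict[str, str] = field(default_factory=dict)
    published: bool = False  # must not be settable through a revision
    owner_id: int = 0        # nor this


# The ItemIn schema: the only keys a revision may carry, with their types.
ITEM_IN = {"name_i18n": dict, "description_i18n": dict}


def validate_item_in(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for a pydantic ItemIn model declared with extra='forbid'."""
    unknown = sorted(set(payload) - set(ITEM_IN))
    if unknown:
        raise ValidationError(f"extra fields not permitted: {unknown}")
    for key, typ in ITEM_IN.items():
        if key in payload and not isinstance(payload[key], typ):
            raise ValidationError(f"{key}: expected {typ.__name__}")
    return {k: payload[k] for k in ITEM_IN if k in payload}


def apply_revision_naive(p: Principal, item: Item, payload: Dict[str, Any]) -> Item:
    """Mass assignment: whatever keys the editor sends land on the model."""
    require_editor(p)
    for key, value in payload.items():
        setattr(item, key, value)
    return item


def apply_revision(p: Principal, item: Item, payload: Dict[str, Any]) -> Item:
    """Same loop, but only over the keys the schema admitted."""
    require_editor(p)
    for key, value in validate_item_in(payload).items():
        setattr(item, key, value)
    return item


def rotate_api_token(p: Principal) -> str:
    """Constructed admin-only operation; an editor must be refused."""
    require_admin(p)
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    editor = Principal(user_id=7, role="editor")
    hostile = {"name_i18n": {"en": "Glow Moss"}, "published": True, "owner_id": 7}
    print(apply_revision_naive(editor, Item(slug="glow-moss"), dict(hostile)))
    try:
        apply_revision(editor, Item(slug="glow-moss"), dict(hostile))
    except ValidationError as exc:
        print("rejected:", exc)
```

The setattr loop is the same in both versions; what changes is that the hardened one only ever sees keys the schema declared, so adding a column to Item never silently widens what a revision can touch.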
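
The visitor identifier scheme from the analytics item, worked through as an added example (not the project's ingestion code). The README fixes the design: IP + User-Agent hashed with ANALYTICS_SALT_SECRET and the UTC date. HMAC-SHA256 as the keyed hash, the nginx combined log format, the secret value and the log lines are assumptions and constructed data for this example; the RFC 5737 documentation addresses are not real visitors.

```python
"""Daily-rotating visitor identifiers from nginx access logs (added example)."""
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, Tuple

# Dedicated secret: deliberately not SESSION_SECRET, so a leaked analytics DB
# never helps forge sessions and vice versa. Constructed value for the demo.
ANALYTICS_SALT_SECRET = b"constructed-example-salt-do-not-deploy"

# nginx "combined" log format (assumption about the deployed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def utc_day(ts: str) -> str:
    """nginx local timestamp -> UTC calendar day, the rotation boundary."""
    parsed = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return parsed.astimezone(timezone.utc).date().isoformat()


def visitor_id(ip: str, ua: str, day: str, secret: bytes = ANALYTICS_SALT_SECRET) -> str:
    """Keyed hash of (ip, ua, day): stable within a UTC day, unlinkable across days."""
    msg = "\n".join((ip, ua, day)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def daily_unique_visitors(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """(utc_day, path) -> distinct visitor ids. Raw IPs/UAs are never stored."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        day = utc_day(m["ts"])
        seen[(day, m["path"])].add(visitor_id(m["ip"], m["ua"], day))
    return {key: len(ids) for key, ids in seen.items()}


# Constructed sample lines.
UA_FF = "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
UA_CH = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0"
SAMPLE_LOG = [
    f'203.0.113.7 - - [30/May/2026:11:37:36 +0200] "GET /map HTTP/1.1" 200 5120 "-" "{UA_FF}"',
    f'203.0.113.7 - - [30/May/2026:11:38:02 +0200] "GET /wiki/items HTTP/1.1" 200 8192 "-" "{UA_FF}"',
    f'198.51.100.23 - - [30/May/2026:11:40:11 +0200] "GET /map HTTP/1.1" 200 5120 "-" "{UA_CH}"',
    # 00:30 local on 31 May is still 30 May in UTC: same id as the first line
    f'203.0.113.7 - - [31/May/2026:00:30:00 +0200] "GET /map HTTP/1.1" 200 5120 "-" "{UA_FF}"',
    # next UTC day: the same browser gets a fresh, uncorrelatable id
    f'203.0.113.7 - - [31/May/2026:09:00:00 +0200] "GET /map HTTP/1.1" 200 5120 "-" "{UA_FF}"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for key, n in sorted(daily_unique_visitors(SAMPLE_LOG).items()):
        print(key, n)
```

The day is folded into the hash input rather than stored beside it, so there is no per-visitor key to rotate and yesterday's identifiers cannot be recomputed once the day has passed, assuming the secret itself is never logged.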
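
A SecurityHeadersMiddleware of the kind the headers item describes, as an added example; it is not backend/app/core/security_headers.py and the header values are assumptions chosen as a baseline, since the project's real CSP is not on this page. The header names are the five the README lists. The small fake app and the run helper exist only so the block can be exercised without a server.

```python
"""ASGI middleware adding security headers to every HTTP response (added example)."""
import asyncio
from typing import Dict

# Assumed values; the project's actual policy is not reproduced here.
SECURITY_HEADERS = [
    (b"content-security-policy",
     b"default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"),
    (b"x-frame-options", b"DENY"),
    (b"referrer-policy", b"strict-origin-when-cross-origin"),
    (b"permissions-policy", b"camera=(), microphone=(), geolocation=()"),
    # Browsers only honour HSTS received over HTTPS; sending it from the app on
    # every response means a misconfigured nginx cannot silently drop it.
    (b"strict-transport-security", b"max-age=31536000; includeSubDomains"),
]


class SecurityHeadersMiddleware:
    """Wraps any ASGI app; a header the app already set wins over the default."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                headers = list(message.get("headers", []))
                present = {name.lower() for name, _ in headers}
                headers.extend((n, v) for n, v in SECURITY_HEADERS if n not in present)
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_wrapper)


async def demo_app(scope, receive, send):
    """Constructed app: /map sets its own CSP, every other route sets none."""
    headers = [(b"content-type", b"text/plain")]
    if scope["path"] == "/map":
        headers.append((b"content-security-policy", b"default-src 'self'; img-src 'self' data:"))
    await send({"type": "http.response.start", "status": 200, "headers": headers})
    await send({"type": "http.response.body", "body": b"ok"})


def response_headers(app, path: str) -> Dict[str, str]:
    """Push one GET through an ASGI app and return its response headers as text."""
    messages = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        messages.append(message)

    scope = {"type": "http", "method": "GET", "path": path, "headers": []}
    asyncio.run(app(scope, receive, send))
    start = next(m for m in messages if m["type"] == "http.response.start")
    return {name.decode(): value.decode() for name, value in start["headers"]}


if __name__ == "__main__":
    app = SecurityHeadersMiddleware(demo_app)
    for name, value in sorted(response_headers(app, "/wiki").items()):
        print(f"{name}: {value}")
```

Because the middleware only fills in headers that are absent, a route that needs a looser CSP (the map's image tiles, say) can set its own without losing the other four.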

Disclosure: timothy@greil.fr (PGP key TBD).

License

AGPL-3.0 — see LICENSE.