Repo cleanup and updates

apps/link/Dockerfile

@@ -2,22 +2,28 @@ FROM node:22-bookworm-slim AS base
 
 FROM base AS builder
 ARG APP_DIR=/opt/link
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
 RUN mkdir -p ${APP_DIR}/
-RUN npm i -g turbo
+RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
+RUN pnpm add -g turbo
 WORKDIR ${APP_DIR}
 COPY . .
 RUN turbo prune --scope=@link-stack/link --scope=@link-stack/bridge-migrations --docker
 
 FROM base AS installer
 ARG APP_DIR=/opt/link
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
 WORKDIR ${APP_DIR}
+RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 COPY --from=builder ${APP_DIR}/.gitignore .gitignore
 COPY --from=builder ${APP_DIR}/out/json/ .
-COPY --from=builder ${APP_DIR}/out/package-lock.json ./package-lock.json
-RUN npm ci
+COPY --from=builder ${APP_DIR}/out/pnpm-lock.yaml ./pnpm-lock.yaml
+RUN pnpm install --frozen-lockfile
 
 COPY --from=builder ${APP_DIR}/out/full/ .
-RUN npm i -g turbo
+RUN pnpm add -g turbo
 ENV ZAMMAD_URL http://zammad-nginx:8080
 RUN turbo run build --filter=@link-stack/link --filter=@link-stack/bridge-migrations
 
@@ -30,6 +36,9 @@ LABEL maintainer="Darren Clarke <darren@redaranj.com>"
 LABEL org.label-schema.build-date=$BUILD_DATE
 LABEL org.label-schema.version=$VERSION
 ENV APP_DIR ${APP_DIR}
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     apt-get install -y --no-install-recommends \
     dumb-init

apps/link/README.md

@@ -4,13 +4,12 @@ The main CDR (Center for Digital Resilience) Link application - a streamlined he
 
 ## Overview
 
-CDR Link provides a unified dashboard for managing support tickets, communication channels, and data analytics. It integrates multiple services including Zammad (ticketing), Bridge (multi-channel messaging), Leafcutter (data visualization), and OpenSearch.
+CDR Link provides a unified dashboard for managing support tickets, communication channels, and data analytics. It integrates multiple services including Zammad (ticketing), Bridge (multi-channel messaging), and OpenSearch.
 
 ## Features
 
 - **Simplified Helpdesk Interface**: Streamlined UI for Zammad ticket management
 - **Multi-Channel Communication**: Integration with Signal, WhatsApp, Facebook, and Voice channels
-- **Data Visualization**: Embedded Leafcutter analytics and reporting
 - **User Management**: Role-based access control with Google OAuth
 - **Search**: Integrated OpenSearch for advanced queries
 - **Label Studio Integration**: For data annotation workflows
@@ -69,7 +68,6 @@ Key environment variables required:
 - `/overview/[overview]` - Ticket overview pages
 - `/tickets/[id]` - Individual ticket view/edit
 - `/admin/bridge` - Bridge configuration management
-- `/leafcutter` - Data visualization dashboard
 - `/opensearch` - Search dashboard
 - `/zammad` - Direct Zammad access
 - `/profile` - User profile management
@@ -104,6 +102,5 @@ docker-compose -f docker/compose/link.yml up
 
 - **Zammad**: GraphQL queries for ticket data
 - **Bridge Services**: REST APIs for channel management
-- **Leafcutter**: Embedded iframe integration
 - **OpenSearch**: Direct dashboard embedding
 - **Redis**: Session and cache storage

apps/link/app/(main)/_components/InternalLayout.tsx

@@ -7,13 +7,11 @@ import { SetupModeWarning } from "./SetupModeWarning";
 
 interface InternalLayoutProps extends PropsWithChildren {
   setupModeActive: boolean;
-  leafcutterEnabled: boolean;
 }
 
 export const InternalLayout: FC<InternalLayoutProps> = ({
   children,
   setupModeActive,
-  leafcutterEnabled,
 }) => {
   const [open, setOpen] = useState(true);
 
@@ -24,7 +22,6 @@ export const InternalLayout: FC<InternalLayoutProps> = ({
         <Sidebar
           open={open}
           setOpen={setOpen}
-          leafcutterEnabled={leafcutterEnabled}
         />
         <Grid
           item

apps/link/app/(main)/_components/Sidebar.tsx

@@ -176,13 +176,11 @@ const MenuItem = ({
 interface SidebarProps {
   open: boolean;
   setOpen: (open: boolean) => void;
-  leafcutterEnabled?: boolean;
 }
 
 export const Sidebar: FC<SidebarProps> = ({
   open,
   setOpen,
-  leafcutterEnabled = false,
 }) => {
   const pathname = usePathname();
   const { data: session } = useSession();
@@ -372,11 +370,11 @@ export const Sidebar: FC<SidebarProps> = ({
             }}
           >
             <MenuItem
-              name="Dashboards"
-              href="/dashboards"
+              name="Dashboard"
+              href="/"
               Icon={InsightsIcon}
               iconSize={20}
-              selected={pathname.startsWith("/dashboards")}
+              selected={pathname === "/"}
               open={open}
             />
             <MenuItem

apps/link/app/(main)/docs/_components/DocsWrapper.tsx

@@ -4,6 +4,8 @@ import { FC } from "react";
 import { Grid } from "@mui/material";
 import Iframe from "react-iframe";
 
+const docsUrl = "https://digiresilience.org/docs/link/about/";
+
 export const DocsWrapper: FC = () => (
   <Grid
     container
@@ -17,7 +19,7 @@ export const DocsWrapper: FC = () => (
     >
       <Iframe
         id="docs"
-        url={"https://digiresilience.org/docs/link/about/"}
+        url={docsUrl}
         width="100%"
         height="100%"
         frameBorder={0}

apps/link/app/(main)/layout.tsx

@@ -12,12 +12,10 @@ type LayoutProps = {
 
 export default function Layout({ children }: LayoutProps) {
   const setupModeActive = process.env.SETUP_MODE === "true";
-  const leafcutterEnabled = process.env.LEAFCUTTER_ENABLED === "true";
 
   return (
     <InternalLayout
       setupModeActive={setupModeActive}
-      leafcutterEnabled={leafcutterEnabled}
     >
       {children}
     </InternalLayout>

apps/link/app/(main)/page.tsx

@@ -2,7 +2,7 @@ import { Metadata } from "next";
 import { DefaultDashboard } from "./_components/DefaultDashboard";
 
 export const metadata: Metadata = {
-  title: "CDR Link - Home",
+  title: "CDR Link - Dashboard",
 };
 
 export default async function Page() {

apps/link/app/_lib/authentication.ts

@@ -10,7 +10,6 @@ import {
 import Google from "next-auth/providers/google";
 import Credentials from "next-auth/providers/credentials";
 import Apple from "next-auth/providers/apple";
-import { Redis } from "ioredis";
 import AzureADProvider from "next-auth/providers/azure-ad";
 import { createLogger } from "@link-stack/logger";
 
@@ -30,7 +29,7 @@ const fetchRoles = async () => {
 };
 
 const fetchUser = async (email: string) => {
-  const url = `${process.env.ZAMMAD_URL}/api/v1/users/search?query=login:${email}&limit=1`;
+  const url = `${process.env.ZAMMAD_URL}/api/v1/users/search?query=${encodeURIComponent(`login:${email}`)}&limit=1`;
   const res = await fetch(url, { headers });
   const users = await res.json();
   const user = users?.[0];
@@ -124,9 +123,9 @@ if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
 
 export const authOptions: NextAuthOptions = {
   pages: {
-    signIn: "/link/login",
-    error: "/link/login",
-    signOut: "/link/logout",
+    signIn: "/login",
+    error: "/login",
+    signOut: "/logout",
   },
   providers,
   session: {
@@ -139,11 +138,6 @@ export const authOptions: NextAuthOptions = {
       return roles.includes("admin") || roles.includes("agent");
     },
     session: async ({ session, token }) => {
-      // const redis = new Redis(process.env.REDIS_URL);
-      // const isInvalidated = await redis.get(`invalidated:${token.sub}`);
-      // if (isInvalidated) {
-      //  return null;
-      // }
       // @ts-ignore
       session.user.roles = token.roles ?? [];
       // @ts-ignore

apps/link/app/_lib/utils.ts

@@ -1,40 +0,0 @@
-import { createLogger } from "@link-stack/logger";
-
-const logger = createLogger('link-utils');
-
-export const fetchLeafcutter = async (url: string, options: any) => {
-  /*
-
-    const headers = {
-      'X-Opensearch-Username': process.env.OPENSEARCH_USER!,
-      'X-Opensearch-Password': process.env.OPENSEARCH_PASSWORD!,
-      'X-Leafcutter-User': token.email.toLowerCase()
-    };
-    */
-  const fetchData = async (url: string, options: any) => {
-    try {
-      const res = await fetch(url, options);
-      const json = await res.json();
-      return json;
-    } catch (error) {
-      logger.error({ error }, "Error occurred");
-      return null;
-    }
-  };
-
-  const data = await fetchData(url, options);
-
-  if (!data) {
-    const csrfURL = `${process.env.NEXT_PUBLIC_LEAFCUTTER_URL}/api/auth/csrf`;
-    const csrfData = await fetchData(csrfURL, {});
-    const authURL = `${process.env.NEXT_PUBLIC_LEAFCUTTER_URL}/api/auth/callback/credentials`;
-    const authData = await fetchData(authURL, { method: "POST" });
-    if (!authData) {
-      return null;
-    } else {
-      return await fetchData(url, options);
-    }
-  } else {
-    return data;
-  }
-};

apps/link/app/api/[service]/bots/[token]/receive/route.ts

@@ -1 +1,4 @@
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
+
 export { receiveMessage as POST } from "@link-stack/bridge-ui";

apps/link/app/api/[service]/bots/[token]/relink/route.ts

@@ -1 +1,4 @@
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
+
 export { relinkBot as POST } from "@link-stack/bridge-ui";

apps/link/app/api/[service]/bots/[token]/route.ts

@@ -1 +1,4 @@
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
+
 export { getBot as GET } from "@link-stack/bridge-ui";

apps/link/app/api/[service]/bots/[token]/send/route.ts

@@ -1 +1,4 @@
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
+
 export { sendMessage as POST } from "@link-stack/bridge-ui";

apps/link/app/api/[service]/webhooks/route.ts

@@ -1,3 +1,6 @@
 import { handleWebhook } from "@link-stack/bridge-ui";
 
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
+
 export { handleWebhook as GET, handleWebhook as POST };

apps/link/app/api/auth/[...nextauth]/route.ts

@@ -1,6 +1,9 @@
 import NextAuth from "next-auth";
 import { authOptions } from "@/app/_lib/authentication";
 
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
+
 const handler = NextAuth(authOptions);
 
 export { handler as GET, handler as POST };

apps/link/app/api/formstack/route.ts

@@ -1,11 +1,17 @@
 import { NextRequest, NextResponse } from "next/server";
 import { createLogger } from "@link-stack/logger";
 import { getWorkerUtils } from "@link-stack/bridge-common";
+import { timingSafeEqual } from "crypto";
+
+// Force this route to be dynamic (not statically generated at build time)
+export const dynamic = 'force-dynamic';
 
 const logger = createLogger('formstack-webhook');
 
 export async function POST(req: NextRequest): Promise<NextResponse> {
   try {
+    const clientIp = req.headers.get('x-forwarded-for') || req.headers.get('x-real-ip') || 'unknown';
+
     // Get the shared secret from environment variable
     const expectedSecret = process.env.FORMSTACK_SHARED_SECRET;
 
@@ -21,19 +27,47 @@ export async function POST(req: NextRequest): Promise<NextResponse> {
     const body = await req.json();
     const receivedSecret = body.HandshakeKey;
 
-    // Verify the shared secret
-    if (receivedSecret !== expectedSecret) {
-      logger.warn({ receivedSecret }, 'Invalid shared secret received');
+    // Validate that secret is provided
+    if (!receivedSecret || typeof receivedSecret !== 'string') {
+      logger.warn({ clientIp }, 'Missing or invalid HandshakeKey');
       return NextResponse.json(
         { error: "Unauthorized" },
         { status: 401 }
       );
     }
 
-    // Log the entire webhook payload to see the data structure
+    // Use timing-safe comparison to prevent timing attacks
+    const expectedBuffer = Buffer.from(expectedSecret);
+    const receivedBuffer = Buffer.from(receivedSecret);
+
+    let secretsMatch = false;
+    if (expectedBuffer.length === receivedBuffer.length) {
+      try {
+        secretsMatch = timingSafeEqual(expectedBuffer, receivedBuffer);
+      } catch (e) {
+        secretsMatch = false;
+      }
+    }
+
+    if (!secretsMatch) {
+      logger.warn({
+        secretMatch: false,
+        timestamp: new Date().toISOString(),
+        userAgent: req.headers.get('user-agent'),
+        clientIp
+      }, 'Invalid shared secret received');
+      return NextResponse.json(
+        { error: "Unauthorized" },
+        { status: 401 }
+      );
+    }
+
+    // Log webhook receipt with non-PII metadata only
     logger.info({
-      payload: body,
-      headers: Object.fromEntries(req.headers.entries()),
+      formId: body.FormID,
+      uniqueId: body.UniqueID,
+      timestamp: new Date().toISOString(),
+      fieldCount: Object.keys(body).length
     }, 'Received Formstack webhook');
 
     // Enqueue a bridge-worker task to process this form submission

apps/link/app/api/logout/route.ts

@@ -1,12 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
-import { Redis } from "ioredis";
-import { getToken } from "next-auth/jwt";
 
 export async function POST(request: NextRequest) {
-  const token = await getToken({
-    req: request,
-    secret: process.env.NEXTAUTH_SECRET,
-  });
   const allCookies = request.cookies.getAll();
   const zammadURL = process.env.ZAMMAD_URL ?? "http://zammad-nginx:8080";
   const signOutURL = `${zammadURL}/api/v1/signout`;
@@ -18,7 +12,21 @@ export async function POST(request: NextRequest) {
       .join("; "),
   };
 
-  await fetch(signOutURL, { headers });
+  // Add timeout to prevent hanging requests
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 5000); // 5 second timeout
+
+  try {
+    await fetch(signOutURL, {
+      headers,
+      signal: controller.signal
+    });
+  } catch (error) {
+    // Log but don't fail logout if Zammad signout fails
+    console.error('Zammad signout failed:', error);
+  } finally {
+    clearTimeout(timeout);
+  }
 
   const cookiePrefixesToRemove = ["_zammad"];
   const response = NextResponse.json({ message: "ok" });
@@ -31,8 +39,5 @@ export async function POST(request: NextRequest) {
     }
   }
 
-  const redis = new Redis(process.env.REDIS_URL);
-  await redis.setex(`invalidated:${token.sub}`, 24 * 60 * 60, "1");
-
   return response;
 }

apps/link/docker-entrypoint.sh

@@ -2,6 +2,6 @@
 
 set -e
 echo "running migrations"
-(cd ../bridge-migrations/ && npm run migrate:up:all)
+(cd ../bridge-migrations/ && pnpm run migrate:up:all)
 echo "starting link"
-exec dumb-init npm run start
+exec dumb-init pnpm run start

apps/link/middleware.ts

@@ -52,19 +52,44 @@ const checkRewrites = async (request: NextRequestWithAuth) => {
   };
 
   if (request.nextUrl.pathname.startsWith("/dashboards")) {
-    return rewriteURL(
-      request,
-      `${linkBaseURL}/dashboards`,
-      opensearchBaseURL,
-      headers,
-    );
+    // Extract the path after /dashboards and append to OpenSearch URL
+    let path = request.nextUrl.pathname.slice("/dashboards".length);
+    if (path.startsWith("/")) {
+      path = path.slice(1);
+    }
+    const search = request.nextUrl.search;
+    const destinationURL = `${opensearchBaseURL}/${path}${search}`;
+
+    logger.debug({
+      pathname: request.nextUrl.pathname,
+      path,
+      search,
+      destinationURL
+    }, "OpenSearch proxy");
+
+    const requestHeaders = new Headers(request.headers);
+    requestHeaders.delete("x-forwarded-user");
+    requestHeaders.delete("x-forwarded-roles");
+    requestHeaders.delete("connection");
+
+    for (const [key, value] of Object.entries(headers)) {
+      requestHeaders.set(key, value as string);
+    }
+
+    return NextResponse.rewrite(new URL(destinationURL), {
+      request: { headers: requestHeaders },
+    });
   }
 
   const isDev = process.env.NODE_ENV === "development";
   const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+
+  // Allow digiresilience.org for embedding documentation
+  const frameSrcDirective = `frame-src 'self' https://digiresilience.org;`;
+
   const cspHeader = `
     default-src 'self';
-    frame-src 'self' https://digiresilience.org;
+    ${frameSrcDirective}
     connect-src 'self';
     script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${isDev ? "'unsafe-eval'" : ""};
     style-src 'self' 'unsafe-inline';
@@ -98,6 +123,16 @@ const checkRewrites = async (request: NextRequestWithAuth) => {
     contentSecurityPolicyHeaderValue,
   );
 
+  // Additional security headers
+  response.headers.set("X-Frame-Options", "SAMEORIGIN");
+  response.headers.set("X-Content-Type-Options", "nosniff");
+  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  response.headers.set("X-XSS-Protection", "1; mode=block");
+  response.headers.set(
+    "Permissions-Policy",
+    "camera=(), microphone=(), geolocation=()"
+  );
+
   return response;
 }
 

apps/link/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-stack/link",
-  "version": "3.2.0b3",
+  "version": "3.3.0-beta.1",
   "type": "module",
   "scripts": {
     "dev": "next dev -H 0.0.0.0",
@@ -16,10 +16,10 @@
     "@emotion/react": "^11.14.0",
     "@emotion/server": "^11.11.0",
     "@emotion/styled": "^11.14.1",
-    "@link-stack/bridge-common": "*",
-    "@link-stack/bridge-ui": "*",
-    "@link-stack/logger": "*",
-    "@link-stack/ui": "*",
+    "@link-stack/bridge-common": "workspace:*",
+    "@link-stack/bridge-ui": "workspace:*",
+    "@link-stack/logger": "workspace:*",
+    "@link-stack/ui": "workspace:*",
     "@mui/icons-material": "^6",
     "@mui/material": "^6",
     "@mui/material-nextjs": "^6",
@@ -41,9 +41,8 @@
     "sharp": "^0.34.4"
   },
   "devDependencies": {
-    "@link-stack/eslint-config": "*",
+    "@link-stack/eslint-config": "workspace:*",
     "@types/node": "^24.7.0",
-    "@types/react": "19.2.2",
-    "@types/uuid": "^11.0.0"
+    "@types/react": "19.2.2"
   }
 }