
Releases: silverbucket/locreport

v1.2.0

16 Jun 21:14


Hardens locreport for running as a public web server, plus performance and docs work. No breaking changes to the CLI or report format.

Hardening (running a public instance)

  • Bound the on-disk cache with LRU eviction so it can't be filled by requesting many repos (#1)
  • Reject oversized repos before cloning, via a GitHub API size check (#2)
  • Ignore X-Forwarded-For unless LOCREPORT_TRUST_PROXY is set, so a client can no longer spoof its address in that header to get a fresh rate-limit bucket per request (#3)
  • Per-IP in-flight cap so one client can't take every slot and fill the queue (#4)
  • Sandboxed container in docker-compose.yml: read-only rootfs, dropped capabilities, no-new-privileges, and memory/CPU/PID limits (#5)

Performance

  • Parallelized the code-age (git blame) phase with a shared concurrency budget (#6)
  • Cache-Control + ETag/304 on static assets (#7)
  • Report-level cache keyed by repo + params + head SHA — repeat requests served whole (#8)
  • Scheduled cache maintenance: age-out sweep of derived files + cheaper prune (#10)

Project

Running it

New server settings (all optional, documented in the operations guide): LOCREPORT_TRUST_PROXY, LOCREPORT_MAX_PER_IP, LOCREPORT_MAX_CACHE_MB, LOCREPORT_CACHE_MAX_AGE_DAYS, LOCREPORT_CACHE_SWEEP_MS, and GITHUB_TOKEN for the pre-clone size check.

Docker

docker run -p 4317:4317 -v locreport-cache:/cache ghcr.io/silverbucket/locreport:1.2.0