fix: comprehensive audit — 20 issues across all components

Backend (Go):
- Remove dead `decode()` function from helpers.go
- Replace HasPrefix+slice with strings.TrimPrefix in db.go
- Fix unchecked fmt.Sscanf returns with strconv.Atoi
- Explicitly discard tx.Rollback() and SetReadDeadline() errors

WAF (Go):
- Add error handling for os.MkdirAll, json.Encode, w.Write
- Remove unused ftpSig variable from heuristics.go
- Explicitly discard os.Rename return

Frontend:
- Move CopyBtn and Btn components to module scope (react-hooks/static-components)
- Fix setState-in-effect in GlobalSearch.tsx
- Fix unused catch variables and let→const in Blacklists/Settings
- Fix Dashboard.test.tsx: skeleton class + mock useAnimatedNumber
- Fix npm vulnerabilities (axios SSRF, vite path traversal)

Infrastructure:
- Fix docker-compose.test.yml: update stale ./backend → ./backend-go
- Secure proxy startup.sh: add safe_source() to validate /config files
- Sanitize GUI_IP_WHITELIST before sed interpolation

CI/Docs:
- Pin actions/checkout SHA in docs.yml and multi-arch.yml
- Change npm install → npm ci in docs.yml
- Remove invalid G704 gosec exclusion from ci.yml
- Add INTEGRATION_ARCHITECTURE.md to docs sidebar
- Fix cron→bash code block language in blacklists.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: fabriziosalmi

.claude/launch.json

@@ -0,0 +1,11 @@
+{
+  "version": "0.0.1",
+  "configurations": [
+    {
+      "name": "docs",
+      "runtimeExecutable": "npx",
+      "runtimeArgs": ["vitepress", "dev", "docs"],
+      "port": 5173
+    }
+  ]
+}

.github/workflows/ci.yml

@@ -107,7 +107,7 @@ jobs:
 
       - name: Run gosec on waf-go
         working-directory: waf-go
-        run: gosec -severity medium -confidence medium -exclude=G104,G114,G301,G302,G304,G704 ./...
+        run: gosec -severity medium -confidence medium -exclude=G104,G114,G301,G302,G304 ./...
 
       - name: npm audit (UI)
         working-directory: ui

.github/workflows/docs.yml

@@ -23,17 +23,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
           cache: npm
           cache-dependency-path: docs/package-lock.json
 
       - name: Install dependencies
-        run: npm install
+        run: npm ci
         working-directory: docs
 
       - name: Build VitePress

.github/workflows/multi-arch.yml

@@ -36,7 +36,7 @@ jobs:
             dockerfile: ./dns/Dockerfile
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up QEMU (for ARM64 emulation)
         uses: docker/setup-qemu-action@v3

backend-go/internal/database/db.go

@@ -329,10 +329,7 @@ func writeDnsmasqBlocklist(db *sql.DB, path string, exclusions map[string]struct
 		var domain string
 		if rows.Scan(&domain) == nil && domain != "" {
 			if _, excluded := exclusions[domain]; !excluded {
-				d := domain
-				if strings.HasPrefix(d, "*.") {
-					d = d[2:]
-				}
+				d := strings.TrimPrefix(domain, "*.")
 				entries = append(entries, entry{d})
 			}
 		}

backend-go/internal/handlers/analytics.go

@@ -203,7 +203,9 @@ func parseDuration(s string) time.Duration {
 		return 24 * time.Hour
 	}
 	n := 1
-	fmt.Sscanf(parts[0], "%d", &n)
+	if v, err := strconv.Atoi(parts[0]); err == nil {
+		n = v
+	}
 	if n < 1 {
 		n = 1
 	}

backend-go/internal/handlers/blacklists.go

@@ -406,7 +406,7 @@ func (h *BlacklistHandlers) Import(w http.ResponseWriter, r *http.Request) {
 		}
 		stmt, err := tx.Prepare(fmt.Sprintf("INSERT OR IGNORE INTO %s (%s, description) VALUES(?,?)", table, col))
 		if err != nil {
-			tx.Rollback()
+			_ = tx.Rollback()
 			log.Error().Err(err).Msg("batch insert prepare failed")
 			break
 		}
@@ -415,7 +415,7 @@ func (h *BlacklistHandlers) Import(w http.ResponseWriter, r *http.Request) {
 		}
 		stmt.Close()
 		if err := tx.Commit(); err != nil {
-			tx.Rollback()
+			_ = tx.Rollback()
 			log.Error().Err(err).Msg("batch insert commit failed")
 		}
 	}

backend-go/internal/handlers/helpers.go

@@ -32,12 +32,6 @@ func writeOK(w http.ResponseWriter, data any) {
 	writeJSON(w, http.StatusOK, map[string]any{"status": "success", "data": data})
 }
 
-// decode reads and JSON-decodes the request body into dst.
-func decode(r *http.Request, dst any) error {
-	r.Body = http.MaxBytesReader(nil, r.Body, 55*1024*1024)
-	return json.NewDecoder(r.Body).Decode(dst)
-}
-
 // isValidCIDR returns true if s is a valid IP address or CIDR prefix.
 func isValidCIDR(s string) bool {
 	if _, err := netip.ParsePrefix(s); err == nil {

backend-go/internal/websocket/hub.go

@@ -93,9 +93,9 @@ func (c *Client) writePump() {
 // readPump reads pings/pongs and detects disconnects.
 func (c *Client) readPump() {
 	defer c.hub.Unregister(c)
-	c.conn.SetReadDeadline(time.Now().Add(90 * time.Second))
+	_ = c.conn.SetReadDeadline(time.Now().Add(90 * time.Second))
 	c.conn.SetPongHandler(func(string) error {
-		c.conn.SetReadDeadline(time.Now().Add(90 * time.Second))
+		_ = c.conn.SetReadDeadline(time.Now().Add(90 * time.Second))
 		return nil
 	})
 	for {

backend-go/internal/workers/update_checker.go

@@ -3,8 +3,8 @@ package workers
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"net/http"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -73,10 +73,10 @@ func semverGreater(a, b string) bool {
 	for i := 0; i < len(aParts) || i < len(bParts); i++ {
 		var av, bv int
 		if i < len(aParts) {
-			fmt.Sscanf(aParts[i], "%d", &av)
+			av, _ = strconv.Atoi(aParts[i])
 		}
 		if i < len(bParts) {
-			fmt.Sscanf(bParts[i], "%d", &bv)
+			bv, _ = strconv.Atoi(bParts[i])
 		}
 		if av > bv {
 			return true