Strip the front end (headless server) #18
Merged
Matte is a headless background-removal API with no user interface, so the starter-kit web front end is unnecessary attack surface. Mirror the headless treatment applied to Hone: remove all Blade views, the Livewire/Flux/Fortify auth + settings UI, the User model + users/passkeys/two-factor migrations and factory, config/fortify.php, and the front-end composer packages (laravel/fortify, livewire/flux, livewire/livewire + transitive auth deps). web.php is now a JSON health endpoint; config/auth.php is emptied; sessions default to the array driver; bootstrap providers/commands drop Fortify and the Flux Pro installer. The API (matte-server) and its routes are unaffected. Adds a smoke test covering the root route, unauthenticated /v1/remove, and the registered matte:* commands.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Strip the front end (headless server)
Matte is a headless background-removal API — it has no user interface, yet cloud-installed instances were serving the starter-kit login/registration/settings UI. That's needless attack surface. This removes it entirely, mirroring the headless treatment applied to Hone.
Removed

- `resources/views/*` — welcome, dashboard, auth, settings, layouts, components, flux.
- `app/Livewire/*`, `app/Actions/Fortify/*`, `app/Concerns/*`, `app/Providers/FortifyServiceProvider.php`, `config/fortify.php`, `routes/settings.php`, and the `InstallFluxPro` command.
- `app/Models/User`, `UserFactory`, and the users / passkeys / two-factor migrations.
- `laravel/fortify`, `livewire/flux`, `livewire/livewire` (+ transitive passkey/webauthn/2FA deps).

Rewired (to Hone's headless shape)

- `routes/web.php` → a JSON health endpoint (`{name: "Matte", status: "ok"}`).
- `config/auth.php` emptied; `.env.example` `SESSION_DRIVER=array` (no sessions table needed).
- `bootstrap/providers.php` / `bootstrap/app.php` drop Fortify + the Flux Pro installer.
- `AppServiceProvider` drops the password-policy block; `DatabaseSeeder` emptied.
- `MatteSmokeTest`: root route boots, `/v1/remove` is 401 without a token, and the `matte:*` commands register.

The API is untouched — `matte-server` registers its own routes/commands and the `built-for-cloud` token auth is unchanged.

Gate

`composer ready` green — pint clean, phpstan 0 errors, pest 3/3, audit clean.

Note

Existing prod tables (users/sessions/passkeys) aren't dropped by removing the migrations; they're simply orphaned and harmless. Recommend setting `SESSION_DRIVER=array` on the deployed env so it no longer depends on the orphaned sessions table.
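
A post-deploy check for the headless shape described above, as an added example that is not part of this pull request or the project's code: it reads the JSON printed by `php artisan route:list --json` and reports any route outside an allowlist, then checks the `SESSION_DRIVER` value from the Note. The allowlist (`/` and `v1/*`), the function names, and the sample route and env data are assumptions constructed for illustration.

```python
import fnmatch
import json

# Assumption: a headless instance exposes only the root health route and the
# API routes. The page shows /v1/remove, so "v1/*" is assumed for the API.
ALLOWED_URIS = ("/", "v1/*")


def normalize(uri):
    """route:list prints "/" for the root and no leading slash elsewhere."""
    return "/" if uri.strip("/") == "" else uri.strip("/")


def unexpected_routes(route_list_json, allowed=ALLOWED_URIS):
    """Return sorted (method, uri) pairs that fall outside the allowlist."""
    found = []
    for route in json.loads(route_list_json):
        uri = normalize(route["uri"])
        if not any(fnmatch.fnmatchcase(uri, pattern) for pattern in allowed):
            found.append((route["method"], uri))
    return sorted(found)


def session_driver(env_text):
    """Return the SESSION_DRIVER value from .env-style text, or None."""
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "SESSION_DRIVER":
            return value.strip().strip("\"'")
    return None


# Constructed sample: what a partly stripped instance might report.
SAMPLE_ROUTES = json.dumps([
    {"method": "GET|HEAD", "uri": "/", "middleware": ["web"]},
    {"method": "POST", "uri": "v1/remove", "middleware": ["api"]},
    {"method": "GET|HEAD", "uri": "login", "middleware": ["web"]},
    {"method": "GET|HEAD", "uri": "settings/profile", "middleware": ["web"]},
])
SAMPLE_ENV = "APP_NAME=Matte\nSESSION_DRIVER=database\n"

if __name__ == "__main__":
    for method, uri in unexpected_routes(SAMPLE_ROUTES):
        print(f"unexpected route: {method} {uri}")
    driver = session_driver(SAMPLE_ENV)
    if driver != "array":
        print(f"SESSION_DRIVER is {driver!r}, expected 'array'")
```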