Coderabit suggestions

Adam Outler
2025-10-18 13:45:48 -04:00
parent 7483e46dce
commit 028335c1a9
8 changed files with 30 additions and 23 deletions


@@ -5,8 +5,7 @@
# Prefer to place dev-only setup here; use setup.sh only for runtime fixes.
FROM runner AS netalertx-devcontainer
ENV INSTALL_DIR=/app
ENV INSTALL_DIR=/app
ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
ENV PATH=/services:${PATH}
@@ -30,4 +29,4 @@ RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) ||
sed -i -e 's|:/app:|:/workspaces:|' /etc/passwd && \
python -m pip install -U pytest pytest-cov
ENTRYPOINT ["/bin/sh","-c","sleep infinity"]
ENTRYPOINT ["/bin/sh","-c","sleep infinity"]


@@ -1,4 +1,4 @@
#! /bin/sh
#!/bin/bash
# Runtime setup for devcontainer (executed after container starts).
# Prefer building setup into resources/devcontainer-Dockerfile when possible.
# Use this script for runtime-only adjustments (permissions, sockets, ownership,
@@ -31,7 +31,7 @@ main() {
sleep 1
echo "Setting up ${SOURCE_DIR}..."
sudo chown $(id -u):$(id -g) /workspaces
sudo chown 755 /workspaces
sudo chmod 755 /workspaces
configure_source
echo "--- Starting Development Services ---"
@@ -50,7 +50,7 @@ isRamDisk() {
local fstype
fstype=$(df -T "$1" | awk 'NR==2 {print $2}')
if [[ "$fstype" == "tmpfs" || "$fstype" == "ramfs" ]]; then
if [ "$fstype" = "tmpfs" ] || [ "$fstype" = "ramfs" ]; then
return 0 # Success (is a ramdisk)
else
return 1 # Failure (is not a ramdisk)
@@ -108,7 +108,7 @@ configure_source() {
# configure_php: configure PHP-FPM and enable dev debug options
configure_php() {
echo "[3/4] Configuring PHP-FPM..."
sudo chown netalertx:netalertx ${SYSTEM_SERVICES_PHP_RUN} 2>/dev/null || true
sudo chown -R netalertx:netalertx ${SYSTEM_SERVICES_RUN} 2>/dev/null || true
}
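Review bot: The recursive `sudo chown -R netalertx:netalertx ${SYSTEM_SERVICES_RUN} 2>/dev/null || true` in configure_php (taking the second line of the printed pair as the new side) expands an unquoted variable as root and then discards any failure. If the variable is empty, the missing-operand error is swallowed and setup carries on with the wrong ownership; if it contains whitespace or glob characters, the recursive change can land on paths nobody intended. Quote it and fail fast on an unset value, e.g. `sudo chown -R netalertx:netalertx -- "${SYSTEM_SERVICES_RUN:?}"`, and print a warning instead of redirecting stderr to /dev/null. The same quoting applies to `sudo chown $(id -u):$(id -g) /workspaces` in main(), whose body starts and ends outside the hunk.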


@@ -1,9 +1,9 @@
#!/bin/sh
# check_nmap_caps.sh - Uses a real nmap command to detect missing container
# check-cap.sh - Uses a real nmap command to detect missing container
# privileges and warns the user. It is silent on success.
# Run a fast nmap command that requires raw sockets, capturing only stderr.
ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1 >/dev/null)
ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1)
EXIT_CODE=$?
# Flag common capability errors regardless of exact exit code.
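Review bot: The comment `# Run a fast nmap command that requires raw sockets, capturing only stderr.` no longer matches the assignment if `ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1)` is the new line. That form captures stdout and stderr together, whereas the earlier `2>&1 >/dev/null` was the idiom that kept stderr alone. Either restore the original redirection or change the comment to say `capturing stdout and stderr`. In the second case, confirm that the error matching which follows (outside this hunk) cannot trip on normal scan output, since the script is documented as silent on success.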


@@ -19,7 +19,7 @@ EOF
>&2 printf "%s" "${RESET}"
# Write all text to db file until we see "end-of-database-schema"
cat << end-of-database-schema > ${NETALERTX_DB_FILE}
cat << end-of-database-schema > "${NETALERTX_DB_FILE}"
CREATE TABLE sqlite_stat1(tbl,idx,stat);
CREATE TABLE Events (eve_MAC STRING (50) NOT NULL COLLATE NOCASE, eve_IP STRING (50) NOT NULL COLLATE NOCASE, eve_DateTime DATETIME NOT NULL, eve_EventType STRING (30) NOT NULL COLLATE NOCASE, eve_AdditionalInfo STRING (250) DEFAULT (''), eve_PendingAlertEmail BOOLEAN NOT NULL CHECK (eve_PendingAlertEmail IN (0, 1)) DEFAULT (1), eve_PairEventRowid INTEGER);
CREATE TABLE Sessions (ses_MAC STRING (50) COLLATE NOCASE, ses_IP STRING (50) COLLATE NOCASE, ses_EventTypeConnection STRING (30) COLLATE NOCASE, ses_DateTimeConnection DATETIME, ses_EventTypeDisconnection STRING (30) COLLATE NOCASE, ses_DateTimeDisconnection DATETIME, ses_StillConnected BOOLEAN, ses_AdditionalInfo STRING (250));
@@ -433,5 +433,10 @@ CREATE TRIGGER "trg_delete_devices"
END;
end-of-database-schema
if [ $? -ne 0 ]; then
>&2 echo "Error: Failed to write database schema to ${NETALERTX_DB_FILE}"
exit 1
fi
# Import the database schema into the new database file
sqlite3 ${NETALERTX_DB_FILE} < ${NETALERTX_DB}/db.sql
sqlite3 "${NETALERTX_DB_FILE}" < "${NETALERTX_DB}/db.sql"
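Review bot: The heredoc on the `cat` line writes the schema text into `"${NETALERTX_DB_FILE}"`, the same path the final `sqlite3` line opens as the database, while the import reads `"${NETALERTX_DB}/db.sql"`, which no visible line creates. Unless db.sql is produced elsewhere in the script, sqlite3 would be handed a text file as its database, so the redirect target is worth confirming. The added `$?` check also covers only the heredoc write. The import itself is unchecked, so a failed or partial import would leave the script running against an incomplete database (whether `set -e` is active is not visible here). Something like `sqlite3 "${NETALERTX_DB_FILE}" < "${NETALERTX_DB}/db.sql" || { >&2 echo "Error: schema import failed"; exit 1; }` would close that gap.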


@@ -16,8 +16,8 @@ events {
http {
# Mapping of temp paths for various nginx modules.
client_body_temp_path /services/run/tmp/client_body;
proxy_temp_path /services/run/tmp/proxy;
client_body_temp_path /services/run/tmp/client_body;
proxy_temp_path /services/run/tmp/proxy;
fastcgi_temp_path /services/run/tmp/fastcgi;
uwsgi_temp_path /services/run/tmp/uwsgi;
scgi_temp_path /services/run/tmp/scgi;
@@ -74,7 +74,7 @@ http {
# Enable gzipping of responses.
#gzip on;
gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
@@ -102,8 +102,11 @@ http {
root /app/front;
index index.php;
add_header X-Forwarded-Prefix "/app" always;
location ~* \.php$ {
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
location ~ \.php$ {
try_files $uri =404;
# Set Cache-Control header to prevent caching on the first load
add_header Cache-Control "no-store";
fastcgi_pass unix:/services/run/php.sock;


@@ -74,7 +74,7 @@ http {
# Enable gzipping of responses.
#gzip on;
gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
@@ -96,7 +96,7 @@ http {
root /app/front;
index index.php;
add_header X-Forwarded-Prefix "/app" always;
proxy_set_header X-Forwarded-Prefix "/app";
location ~* \.php$ {
# Set Cache-Control header to prevent caching on the first load
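Review bot: `proxy_set_header X-Forwarded-Prefix "/app";` only affects requests that nginx forwards with `proxy_pass`. If this server hands PHP to FastCGI, as the sibling config does with `fastcgi_pass` (not visible in this hunk), the backend never sees the prefix. The FastCGI equivalent would be `fastcgi_param HTTP_X_FORWARDED_PREFIX "/app";` inside the PHP location. This file also keeps the case-insensitive `location ~* \.php$` and does not receive the X-Frame-Options and X-Content-Type-Options headers that the other config gets in this commit, so the two configs now differ in hardening. The location block continues outside the hunk.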


@@ -2,7 +2,7 @@
set -euo pipefail
LOG_DIR=${NETALERTX_APP}
LOG_DIR=${NETALERTX_LOG}
RUN_DIR=${SYSTEM_SERVICES_RUN}
TMP_DIR=${SYSTEM_SERVICES_RUN_TMP}
SYSTEM_NGINX_CONFIG_TEMPLATE="/services/config/nginx/netalertx.conf.template"
@@ -28,17 +28,17 @@ forward_signal() {
# When in devcontainer we must kill any existing nginx processes
while $(ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null); do
while ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null 2>&1; do
killall nginx &>/dev/null || true
sleep 0.2
done
TEMP_CONFIG_FILE=$(mktemp "${TMP_DIR}/netalertx.conf.XXXXXX")
if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}" 2>/dev/null || true
mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}"
else
echo "Note: Unable to write to ${SYSTEM_NGINX_CONFIG_FILE}. Using default configuration."
rm -f "${TEMP_CONFIG_FILE}" 2>/dev/null || true
rm -f "${TEMP_CONFIG_FILE}"
fi
trap cleanup EXIT
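Review bot: With `set -euo pipefail` at the top of the file, dropping `|| true` from `mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}"` means an unwritable config path now aborts the script instead of reaching the "Using default configuration" fallback. It also aborts before `trap cleanup EXIT` is installed, so the mktemp file is left behind in `${TMP_DIR}`. If the fallback is still intended, make the move part of the condition, `if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null && mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}"; then`, so that either failure lands in the else branch. Installing the trap before the `mktemp` call would cover the remaining exit paths, assuming `cleanup` (defined outside the hunk) tolerates nginx not yet running.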


@@ -15,7 +15,7 @@
# ----------------------------------------------------------------------
# Download the file using wget to stdout and process it
wget -q "http://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
wget -q "https://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
sed -E 's/ *\(base 16\)//' | \
awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
sort | \