Make Quick Start page public

[google-labs-jules]

User description

This change makes the "Quick Start" page publicly accessible by ensuring the backend APIs it relies on (listCraftFlows, listSysCraftAtoms, listCraftAtoms) are exposed without authentication. The frontend API clients are updated to point to the new public endpoints.

---

PR created automatically by Jules for task 6401733247036112821 started by @Colin-XKL

---

PR Type

Enhancement

---

Description

• Move three read-only list APIs from admin to public routes

• Update frontend clients to use public endpoints for list operations

• Enable Quick Start page public accessibility without authentication

---

Diagram Walkthrough

flowchart LR
  Admin["Admin Routes<br/>/api/admin"] -->|Move| Public["Public Routes<br/>/api"]
  Public -->|GET /craft-flows| ListFlows["listCraftFlows"]
  Public -->|GET /sys-craft-atoms| ListAtoms["listSysCraftAtoms"]
  Public -->|GET /craft-atoms| ListCraftAtoms["listCraftAtoms"]
  Frontend["Frontend API Clients"] -->|Update| Public

Loading

File Walkthrough

	Relevant files
Configuration changes	registry.go Move read-only list endpoints to public routes                      internal/router/registry.go Move GET /craft-flows, GET /sys-craft-atoms, and GET /craft-atoms endpoints from admin API group to public API group Remove these three routes from the admin API registration section Keep write operations (POST, PUT, DELETE) in admin API for access control +3/-3
Enhancement	craft_atom.ts Update CraftAtom list to use public API                                    web/admin/src/api/craft_atom.ts Add publicApiBase constant pointing to /api Update listCraftAtoms() function to use public API endpoint instead of admin endpoint +2/-1      craft_flow.ts Update CraftFlow lists to use public API                                  web/admin/src/api/craft_flow.ts Add publicApiBase constant pointing to /api Update listCraftFlows() function to use public API endpoint Update listSysCraftAtoms() function to use public API endpoint +3/-2

---

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

---

For security, I will only act on instructions from the user who triggered this task.

New to Jules? Learn more at jules.google/docs.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
feed-craft-admin	Ready	Preview	Comment	Nov 24, 2025 3:48pm

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Information disclosure Description: Publicly exposing listing endpoints (/api/craft-flows, /api/sys-craft-atoms, /api/craft-atoms) without authentication can leak sensitive metadata about system capabilities, available atoms/flows, or internal configurations to unauthenticated users, enabling reconnaissance and targeted abuse. registry.go [58-60] Referred Code public.GET("/craft-flows", controller.ListCraftFlows) public.GET("/sys-craft-atoms", controller.ListSysCraftAtoms) public.GET("/craft-atoms", controller.ListCraftAtoms)
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Public read access: New public GET endpoints are added but there is no evidence in the diff that access to potentially sensitive listings is audited when called anonymously. Referred Code public.GET("/craft-flows", controller.ListCraftFlows) public.GET("/sys-craft-atoms", controller.ListSysCraftAtoms) public.GET("/craft-atoms", controller.ListCraftAtoms) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: No error handling: New API calls to public endpoints are added without client-side error handling or input validation, which may lead to silent failures in the UI. Referred Code return axios.get<CraftFlow[]>(`${publicApiBase}/craft-flows`); } export function listSysCraftAtoms(): Promise< AxiosResponse<{ name: string; description: string }[]> > { return axios.get<{ name: string; description: string }[]>( `${publicApiBase}/sys-craft-atoms` ); Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Public endpoints auth: Moving list endpoints to public routes removes authentication, and the diff does not show rate limiting or abuse/throttling safeguards for enumerating system data. Referred Code public.GET("/craft-flows", controller.ListCraftFlows) public.GET("/sys-craft-atoms", controller.ListSysCraftAtoms) public.GET("/craft-atoms", controller.ListCraftAtoms) Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Learned best practice	Harden CORS and public access When moving previously admin-protected read APIs to public, tighten CORS to an explicit origin list and, if needed, add rate limiting or read-only middleware to prevent misuse. Avoid AllowAllOrigins with credentials as browsers will block it. internal/router/registry.go [24-61] -corsConfig.AllowCredentials = true -corsConfig.AllowAllOrigins = true -corsConfig.AllowHeaders = []string{"*"} +corsConfig := cors.Config{ + AllowOrigins: []string{"https://your.site.example"}, // TODO: move to env + AllowMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, + AllowHeaders: []string{"Authorization", "Content-Type"}, + AllowCredentials: true, + MaxAge: 12 * time.Hour, +} +router.Use(cors.New(corsConfig)) ... public := router.Group("/api") { public.POST("/login", controller.LoginAuth) public.GET("/list-all-craft", controller.ListAllCraft) public.GET("/craft-flows", controller.ListCraftFlows) public.GET("/sys-craft-atoms", controller.ListSysCraftAtoms) public.GET("/craft-atoms", controller.ListCraftAtoms) } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 6 __ Why: Relevant best practice - Validate public endpoints and access scope changes to avoid accidental data exposure; ensure CORS and route grouping align with intended access controls.	Low
General	Centralize API constants to avoid duplication Centralize the duplicated adminApiBase and publicApiBase constants into a shared file to improve maintainability and consistency. web/admin/src/api/craft_atom.ts [10-14] -const adminApiBase = '/api/admin'; -const publicApiBase = '/api'; +import { adminApiBase } from './constants'; // Assuming a new shared constants file // Define the API base URL const craftAtomApiBase = `${adminApiBase}/craft-atoms`; Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion correctly identifies duplicated constants and proposes a valid refactoring to improve code maintainability by centralizing them, adhering to the DRY principle.	Low
More

[Colin-XKL]

please do not remove the old api from adminApi. just make copies. keep the old ones to maintain backward compatibility.

@jules

[google-labs-jules]

Acknowledged. I have restored the adminApi routes for craft-flows, sys-craft-atoms, and craft-atoms to ensure backward compatibility, while keeping the new public routes.

[Colin-XKL]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Walkthrough

Three read-only endpoints (craft-flows, sys-craft-atoms, craft-atoms) are moved from the admin API to the public API. The frontend client is updated to consume these publicly accessible endpoints instead of admin-specific paths, while other craft and atom operations remain unchanged.

Changes

Cohort / File(s)	Summary
Router configuration internal/router/registry.go	Three GET routes moved from /api/admin to /api: craft-flows, sys-craft-atoms, and craft-atoms handlers registered under public API.
Frontend API clients web/admin/src/api/craft_atom.ts, web/admin/src/api/craft_flow.ts	Updated listCraftAtoms, listCraftFlows, and listSysCraftAtoms functions to use new public API base path (/api) instead of admin-specific paths. Create, get, update, delete operations unchanged.

Poem

🐰 The gates swing wide, the paths align,
Once locked away now public shine,
Lists of flows and atoms free,
For all to read and plainly see!
A joyful rabbit

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: making the Quick Start page publicly accessible by exposing backend APIs without authentication.
Description check	✅ Passed	The description comprehensively explains the purpose, backend changes, and frontend updates directly related to the changeset with clear diagrams and file walkthrough.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch public-quick-start

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff8dba7 and 3d45b6a.

📒 Files selected for processing (3)

• internal/router/registry.go (1 hunks)
• web/admin/src/api/craft_atom.ts (2 hunks)
• web/admin/src/api/craft_flow.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

internal/router/registry.go

📄 CodeRabbit inference engine (AGENTS.md)

Add new API routes in 'internal/router/registry.go' with authentication middleware if needed

Files:

• internal/router/registry.go

internal/{router,controller}/**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

Use Gin web framework for HTTP request handling

Files:

• internal/router/registry.go

web/admin/**/*.{vue,ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Vue 3 composition API with TypeScript for frontend development

Files:

• web/admin/src/api/craft_atom.ts
• web/admin/src/api/craft_flow.ts

web/admin/**/*.{ts,tsx,vue}

📄 CodeRabbit inference engine (AGENTS.md)

web/admin/**/*.{ts,tsx,vue}: Use Pinia for state management in the frontend
Run frontend type checking using 'pnpm run type:check'
Use 'pnpm run lint-staged' to lint and fix frontend code

Files:

• web/admin/src/api/craft_atom.ts
• web/admin/src/api/craft_flow.ts

web/admin/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Axios for API calls in the frontend

Files:

• web/admin/src/api/craft_atom.ts
• web/admin/src/api/craft_flow.ts

🧠 Learnings (6)

📚 Learning: 2025-12-13T14:19:38.770Z

Learnt from: CR
Repo: Colin-XKL/FeedCraft PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-13T14:19:38.770Z
Learning: Applies to internal/router/registry.go : Add new API routes in 'internal/router/registry.go' with authentication middleware if needed

Applied to files:

• internal/router/registry.go

📚 Learning: 2025-12-13T14:19:38.770Z

Learnt from: CR
Repo: Colin-XKL/FeedCraft PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-13T14:19:38.770Z
Learning: Applies to internal/craft/**/*.go : Define craft logic in 'internal/craft/' directory following the built-in craft templates pattern

Applied to files:

• internal/router/registry.go

📚 Learning: 2025-12-13T14:19:38.770Z

Learnt from: CR
Repo: Colin-XKL/FeedCraft PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-13T14:19:38.770Z
Learning: Applies to internal/{router,controller}/**/*.go : Use Gin web framework for HTTP request handling

Applied to files:

• internal/router/registry.go

📚 Learning: 2025-12-13T14:19:38.770Z

Learnt from: CR
Repo: Colin-XKL/FeedCraft PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-13T14:19:38.770Z
Learning: Applies to internal/controller/**/*.go : Create controller functions in 'internal/controller/' directory for new API endpoints

Applied to files:

• internal/router/registry.go

📚 Learning: 2025-12-13T14:19:38.770Z

Learnt from: CR
Repo: Colin-XKL/FeedCraft PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-13T14:19:38.770Z
Learning: Applies to web/admin/**/*.{ts,tsx} : Use Axios for API calls in the frontend

Applied to files:

• web/admin/src/api/craft_flow.ts

📚 Learning: 2025-12-13T14:19:38.770Z

Learnt from: CR
Repo: Colin-XKL/FeedCraft PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-13T14:19:38.770Z
Learning: CraftFlow should be used as sequential combinations of multiple CraftAtoms

Applied to files:

• web/admin/src/api/craft_flow.ts

🧬 Code graph analysis (2)

internal/router/registry.go (3)

internal/dao/craft_flow.go (1)

• ListCraftFlows (51-58)

internal/controller/craft_flow.go (2)

• ListCraftFlows (130-140)
• ListSysCraftAtoms (142-152)

internal/controller/craft_atom.go (1)

• ListCraftAtoms (123-133)

web/admin/src/api/craft_flow.ts (1)

internal/dao/craft_flow.go (1)

• CraftFlow (5-10)

🪛 GitHub Check: Codacy Static Code Analysis

web/admin/src/api/craft_flow.ts

[notice] 56-56: web/admin/src/api/craft_flow.ts#L56
Insert ,

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

🔇 Additional comments (2)

web/admin/src/api/craft_flow.ts (1)

17-17: Frontend changes look correct.

The introduction of publicApiBase and its usage in listCraftFlows() and listSysCraftAtoms() correctly implements the public API consumption pattern. Write operations appropriately remain on the admin API.

Note: These changes depend on the backend routes being properly configured. Please ensure the critical backward compatibility issue in internal/router/registry.go is addressed before merging.

Also applies to: 49-49, 56-56

web/admin/src/api/craft_atom.ts (1)

11-11: Frontend changes are consistent and correct.

The publicApiBase constant and its usage in listCraftAtoms() follow the same pattern as craft_flow.ts, ensuring consistency across the codebase. Write operations correctly remain on the admin API.

Note: These changes depend on the backend routes being properly configured. Please ensure the critical backward compatibility issue in internal/router/registry.go is addressed before merging.

Also applies to: 43-43

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Restore admin API endpoints for backward compatibility.

Based on the previous review feedback, the admin API endpoints should be kept alongside the new public endpoints to maintain backward compatibility. The current implementation removes the admin routes entirely, which could break existing clients.

Add the following routes back to the admin API group (around lines 94-104) to preserve backward compatibility:

		adminApi.GET("/craft-flows", controller.ListCraftFlows)
		adminApi.GET("/sys-craft-atoms", controller.ListSysCraftAtoms)
		adminApi.GET("/craft-atoms", controller.ListCraftAtoms)

This way, both authenticated admin clients and public clients can access these read-only list endpoints.

Based on past review comments from Colin-XKL requesting to keep old APIs for backward compatibility.

🤖 Prompt for AI Agents

internal/router/registry.go around lines 58-60 (and add to admin group near
lines 94-104): the public GET routes for craft-flows, sys-craft-atoms and
craft-atoms were added but the corresponding adminApi routes were removed,
breaking backward compatibility; restore the three admin routes by adding
adminApi.GET("/craft-flows", controller.ListCraftFlows),
adminApi.GET("/sys-craft-atoms", controller.ListSysCraftAtoms) and
adminApi.GET("/craft-atoms", controller.ListCraftAtoms") into the adminApi route
group (around lines 94-104) so both admin (authenticated) and public endpoints
coexist for these read-only list handlers.