Docker and backend changes to support prod-lite mode (#877)

* Docker and backend changes to support prod-lite mode
* Bump app version to 1.0.0 across all package files

.dockerignore

@@ -0,0 +1,12 @@
+**/node_modules
+**/build/
+**/dist/
+**/test/
+**/jest*
+**/tsconfig.test.json
+**/vitest*
+**/.env*
+**/.eslint*
+**/.prettier*
+**/.stylelint*
+**/*.md

.gitignore

@@ -1,15 +1,9 @@
-# Created by https://www.toptal.com/developers/gitignore/api/react,node
-# Edit at https://www.toptal.com/developers/gitignore?templates=react,node
-
-### Node ###
 # Logs
 logs
 *.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
-lerna-debug.log*
-.pnpm-debug.log*
 
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
@@ -22,139 +16,43 @@ pids
 
 # Directory for instrumented libs generated by jscoverage/JSCover
 lib-cov
-
-# Coverage directory used by tools like istanbul
 coverage
 *.lcov
 
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
 # node-waf configuration
 .lock-wscript
 
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/
-
 # Dependency directories
 node_modules/
-jspm_packages/
 
-# Snowpack dependency directory (https://snowpack.dev/)
-web_modules/
+# Compiled stuff
+build/
+dist/
 
-# TypeScript cache
+# Caches
 *.tsbuildinfo
-
-# Optional npm cache directory
 .npm
-
-# Optional eslint cache
 .eslintcache
-
-# Optional stylelint cache
 .stylelintcache
 
-# Microbundle cache
-.rpt2_cache/
-.rts2_cache_cjs/
-.rts2_cache_es/
-.rts2_cache_umd/
-
 # Optional REPL history
 .node_repl_history
 
 # Output of 'npm pack'
 *.tgz
 
-# Yarn Integrity file
-.yarn-integrity
-
 # dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-.parcel-cache
-
-# Next.js build output
-.next
-out
-
-# Nuxt.js build / generate output
-.nuxt
-dist
-
-# Gatsby files
-.cache/
-# Comment in the public line in if your project uses Gatsby and not Next.js
-# https://nextjs.org/blog/next-9-1#public-directory-support
-# public
-
-# vuepress build output
-.vuepress/dist
+.env*
+!**/.env.example
 
-# vuepress v2.x temp and cache directory
-.temp
-
-# Docusaurus cache and generated files
-.docusaurus
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# TernJS port file
-.tern-port
-
-# Stores VSCode versions used for testing VSCode extensions
+# IDEs
 .vscode-test
-
-# JetBrains
 .idea
+*.sublime*
 
 # yarn v2
 .yarn/cache
 .yarn/unplugged
 .yarn/build-state.yml
 .yarn/install-state.gz
 .pnp.*
-
-### Node Patch ###
-# Serverless Webpack directories
-.webpack/
-
-# Optional stylelint cache
-
-# SvelteKit build / generate output
-.svelte-kit
-
-### react ###
-.DS_*
-**/*.backup.*
-**/*.back.*
-
-node_modules
-
-*.sublime*
-
-psd
-thumb
-sketch
-
-# End of https://www.toptal.com/developers/gitignore/api/react,node

CONTRIBUTING.md

@@ -2,7 +2,8 @@
 
 Thank you for considering contributing to this open source project!
 
-This guide will ensure that you have all the necessary information needed to be an effective contributor to the prompt-injection project.
+This guide will ensure that you have all the necessary information needed to be an effective contributor to the
+prompt-injection project.
 
 There are many ways you can contribute.
 Feel free to raise issues for bug reports or new feature requests.
@@ -12,8 +13,8 @@ Please do read through our [code of conduct](CODE_OF_CONDUCT.md) before contribu
 
 ## Before you create an issue
 
-- Does the issue already exist? _Remember to check the **open** and **closed** issues._
-- Is this a security issue? _Do **NOT** open an issue. Email gsproston@scottlogic.com instead._
+- Does the issue already exist? _Remember to check **open** and **closed** issues._
+- Is this a security issue? _Do **NOT** open an issue. Email cwilton@scottlogic.com instead._
 
 ## What to include in the issue
 
@@ -37,27 +38,34 @@ Please do read through our [code of conduct](CODE_OF_CONDUCT.md) before contribu
 - Fork the repo.
 - Have you contributed before? _If not, look for issues with the 'good first issue' label._
 - Is it assigned to anyone else? _If so, post a message to see if the assignee is still working on it._
-- Is it assigned to you? _If not, post a message stating your intent so that the maintainers and other contributors know what is being developed._
-- Do you understand the issue fully? _If not, ask on in the issue. We are all here to help you contribute._
+- Is it assigned to you? _If not, post a message stating your intent so that the maintainers and other contributors know
+  what is being developed._
+- Do you understand the issue fully? _If not, ask a question on the issue. We are all here to help you contribute._
 - Check the issue labels. Some of them indicate that you shouldn't start developing yet:
-  - `triage` means that a contributor has created the issue, and a maintainer hasn't looked at it yet. _This means that we might not accept work done for this issue._
-  - `question` means that we need to agree on some points before implementing the issue. _Look in the comments and feel free to get involved in discussion!_
-  - `blocked` means the issue cannot be resolved until a different piece of work is finished. _Look in the comments to see what is blocking it, and make sure it is resolved before starting the current issue._
+  - `triage` means that a contributor has created the issue, and a maintainer hasn't looked at it yet. _This means that
+    we might not accept work done for this issue._
+  - `question` means that we need to agree on some points before implementing the issue. _Look in the comments and feel
+    free to get involved in discussion!_
+  - `blocked` means the issue cannot be resolved until a different piece of work is finished. _Look in the comments to
+    see what is blocking it, and make sure it is resolved before starting the current issue._
   - `ui` means that we are waiting for input from the designer on the maintainer team before implementing the issue.
 
-## When you submit a PR
+## When you submit a Pull Request (PR)
 
 - [Link the issue](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) that the PR addresses.
 - Link any related PRs.
 - Have you added tests?
 - Are all workflow steps passing?
-- Is it ready for review? _If not, create a draft._
+- Is it ready for review? If not, mark the PR as a draft.
 - Include the ticket number in the PR name.
 
 ### Adding tests
 
-Our project has unit tests and integration tests. We expect tests to be written / altered when a PR adds a new feature or modifes existing behaviour. It is generally up to you to judge what depth of testing to go into.
+Our project has unit tests and integration tests. We expect tests to be written / altered when a PR adds a new feature
+or modifes existing behaviour. It is generally up to you to judge what depth of testing to go into.
 
 ### Checking the workflow steps
 
-When a PR is submitted or updated, GitHub automatically runs a [workflow](https://docs.github.com/en/actions/using-workflows) for each of the frontend and backend. To see if those are passing, you must scroll to the bottom of the PR, just above where you can post a new comment.
+When a PR is submitted or updated, GitHub automatically runs checks on affected code via
+[workflow actions](https://docs.github.com/en/actions/using-workflows).
+A PR cannot be merged until all workflow steps have passed.

README.md

@@ -1,70 +1,107 @@
-# prompt-injection
+# ![SpyLogic Avatar](./frontend/src/assets/images/BotAvatarDefault.svg) Welcome to SpyLogic
 
 ## Introduction
 
-Welcome to the Scott Logic prompt injection open source project!
-As generative AI and LLMs become more prevalent, it becomes more important to learn about the dangers of prompt injection.
-This project aims to teach people about prompt injection attacks that can be used on generative AI, and how to defend against such attacks.
+Welcome to the open source Scott Logic prompt injection playground!
 
-This project is presented in two modes:
+As generative AI and LLMs are becoming more prevalent, it is important to learn about the weaknesses inherent to
+generative AI models. We have built an application called **SpyLogic** to teach people in a fun way about prompt
+injection attacks, and how to defend against them.
+
+SpyLogic is presented in two modes:
 
 ### Story mode
 
-Go undercover and use prompt injection attacks on ScottBrewBot, a clever but flawed generative AI bot. Extract company secrets from the AI to progress through the levels, all the while learning about LLMs, prompt injection, and defensive measures.
+Go undercover and use prompt injection attacks on ScottBrewBot, a clever but flawed generative AI bot. Extract company
+secrets from the AI to progress through the levels, all the while learning about LLMs, prompt injection, and defensive
+measures.
 
 ### Sandbox mode
 
-Activate and configure a number of different prompt injection defence measures to create your own security system. Then talk to the AI and try to crack it!
+Activate and configure a number of different prompt injection defence measures to create your own security system. Then
+talk to the AI and try to crack it!
 
 ## Installation
-Ensure you have Node v18+ installed. Clone this repo and run 
+
+Minimum requirement: Node v18
 
 ```bash
 npm ci
 ```
 
-## Setup
+## Setup Local Environment
+
+To run locally, a few environment variables must be defined. We are using [dotenv](https://github.com/motdotla/dotenv)
+to load local `.env` files.
 
-### Environment variables
+_Note: these files are deliberately gitignored, as they will contain secrets! Never commit them._
 
-#### Backend
+### API
 
-1. Copy the example environment file [.env.example](backend/.env.example) in the backend directory and rename it to `.env`.
-1. Replace the `OPENAI_API_KEY` value in the `.env` file with your [OpenAI API key](https://platform.openai.com/account/api-keys).
-1. Replace the `SESSION_SECRET` value with a [random UUID](https://www.uuidgenerator.net/).
+1. In the backend directory, copy file [.env.example](backend/.env.example) and name the copy `.env`, then open for
+   editing
+2. Set value of `OPENAI_API_KEY` to your [OpenAI API key](https://platform.openai.com/account/api-keys)
+3. Set value of `SESSION_SECRET` to a [random UUID](https://www.uuidgenerator.net/)
 
-#### Frontend
+### UI
 
-1. Copy the example environment file [.env.example](frontend/.env.example) in the frontend directory and rename it to `.env`.
-1. If you've changed the default port for running the API, adjust the `VITE_BACKEND_URL` value accordingly.
+1. In the frontend directory, copy file [.env.example](frontend/.env.example) and name the copy `.env`
+2. If you've changed the default port for running the server, modify the value of `VITE_BACKEND_URL` accordingly
 
 ## Run
 
-### Backend
+### Local
+
+It is easiest to host both API and UI through the server. From project root:
 
 ```bash
-npm run start:api
+npm run build
+npm start
 ```
 
-### Frontend
+Alternatively, to run in Docker we have provided a [Compose file](./compose.yaml) and npm scripts for convenience:
 
 ```bash
-npm run start:ui
+# Run container - image will be built first time this is run, so be patient
+npm run docker:start
+
+# Tail the server logs
+npm run docker:logs
+
+# Stop the container
+npm run docker:stop
 ```
 
-Note that this project also includes a VS Code launch file, to allow running API and UI directly from the IDE.
+In either case you will need the `backend/.env` file, as mentioned above.
+
+### Remote
+
+For those wishing to host the application in their own infrastructure, we have provided two Dockerfiles:
+
+1. [Dockerfile](./backend/Dockerfile) in the backend directory will generate an image for running just the API. If you
+   intend to deploy to the cloud, this is the one to use.
+2. [prodlite.Dockerfile](./prodlite.Dockerfile) in the root directory will generate an image hosting UI and API from the
+   same server, for convenience. This will get you up and running as quickly as possible.
+
+In either case, you will need to provide environment vars `OPENAI_API_KEY` and `SESSION_SECRET` (as described in
+[Setup Environment](#setup-local-environment) above).
+
+Please note server-side session storage is currently in-memory, so if you wish to scale the API you will either need to
+enable sticky load-balancing, or, modify the code to use a shared storage solution - refer to
+[Express-Session](https://www.npmjs.com/package/express-session#compatible-session-stores) for the various options.
 
-## Development
+## Develop
 
-For development instructions, see the [frontend](frontend/README.md) and [backend](backend/README.md) READMEs.
+For all the hot reloading and React DevTools comforts, you'll want to run UI and API separately in dev mode.
+See the [frontend](frontend/README.md) and [backend](backend/README.md) READMEs for instructions.
 
 ## Contributing
 
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)
 
 Thank you for considering contributing to this open source project!
 
-Please read the our [contributing guide](CONTRIBUTING.md) and our [code of conduct](CODE_OF_CONDUCT.md) before contributing.
+Please read the our [contributing guide](CONTRIBUTING.md) and our [code of conduct](CODE_OF_CONDUCT.md) first.
 
 ## License
 

backend/.env.example

@@ -1,3 +1,12 @@
+# https://platform.openai.com/docs/quickstart?context=node
 OPENAI_API_KEY=YOUR_API_KEY
-SESSION_SECRET=YOUR_SESSION_SECRET
-CORS_ALLOW_ORIGIN=http://localhost:5173
+SESSION_SECRET=CHANGE_ME_FOR_EXAMPLE_GENERATE_A_UUID
+
+COOKIE_NAME=SpyLogicLocal.sid
+SESSION_EXPIRY_HOURS=8
+
+# If running UI and API separately, this value must match your UI URL.
+# Default in development mode is http://localhost:5173, so you don't
+# need to uncomment this unless you change the UI port.
+# In a production deployment that needs CORS, you must provide a value.
+#CORS_ALLOW_ORIGIN=http://localhost:5173