Institutional-grade white-label bitcoin banking platform demo. This repo now includes:
- a static SPA in
app/index.html - a NestJS API in
apps/api - dockerized PostgreSQL + API for local backend scaffolding
app/ # Static SPA
index.html
config.js # Runtime API base config for static hosting
apps/api/ # NestJS backend scaffold
src/main.ts
src/app.controller.ts
src/cors.middleware.ts
docker-compose.yml # Local postgres + api stack
.env.example # Shared env template
codebase.yaml # Minimal service manifest
- Copy env vars:
cp .env.example .env- Start API + Postgres:
docker compose up --build- Verify backend endpoints:
curl http://localhost:7072/api/hello
curl http://localhost:7072/api/healthExpected:
/api/hello→{"message":"Hello from NestJS (dev starter)."}/api/health→{"ok":true}
Only origins in CORS_ALLOWED_ORIGINS are allowed.
curl -i -X OPTIONS http://localhost:7072/api/hello \
-H "Origin: http://localhost:3000" \
-H "Access-Control-Request-Method: GET"Expected for allowed origin:
HTTP/1.1 204 No ContentAccess-Control-Allow-Origin: http://localhost:3000- no wildcard CORS
Serve the SPA with any static server (recommended for browser CORS behavior):
python3 -m http.server 3000 --directory appOpen http://localhost:3000.
app/index.html reads runtime config from app/config.js using this precedence:
NEXT_PUBLIC_API_BASE_URLAPP_API_BASE_URL- fallback
http://localhost:7072
For static deployments, set one of those values in window.__APP_CONFIG__ before app boot.
cd apps/api
npm install
PORT=7072 \
CORS_ALLOWED_ORIGINS=http://localhost:3000 \
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/nexus_financial?schema=public \
npm run start:dev- API framework: NestJS (npm-based setup)
- Security middleware:
helmet - CORS strategy: strict allowlist from
CORS_ALLOWED_ORIGINS(comma-separated)