Avoid hardcoding the product name in scripts and other source files

[brionmario]

Purpose

This pull request focuses on standardizing the use of the product name "Thunder" across documentation, scripts, and build tooling, as well as improving maintainability by parameterizing product references. It also refactors PowerShell bootstrap scripts to use a more generic API invocation function, making the codebase more consistent and easier to update in the future.

Approach

Product Naming Standardization and Build Improvements:

• Updated the Dockerfile and Makefile to use variables for the product and binary names, replacing hardcoded references to "Thunder" with PRODUCT_NAME and BINARY_NAME where appropriate for easier future renaming and consistency. [1] [2] [3] [4] [5]

Documentation Updates:

• Improved the backend/README.md header and description to clearly state the backend's purpose and highlight the product branding.

PowerShell Bootstrap Script Refactor:

• Introduced a $PRODUCT_NAME variable in backend/cmd/server/bootstrap/01-default-resources.ps1 and replaced all hardcoded "Thunder" references with this variable, ensuring easier rebranding and consistent messaging throughout the script. [1] [2] [3]
• Refactored the script to use a generic Invoke-Api function instead of the product-specific Invoke-ThunderApi, making the script more maintainable and decoupled from the product name. This change was applied to all API calls in the script. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20]

Related Issues

• Customize & Personalize the Thunder Instance #2465

Related PRs

• N/A

Checklist

• Followed the contribution guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
  • Ran Vale and fixed all errors and warnings
• Tests provided. (Add links if there are any)
  • Unit Tests
  • Integration Tests
• Breaking changes. (Fill if applicable)
  • Breaking changes section filled.
  • breaking change label added.

Security checks

• Followed secure coding standards in WSO2 Secure Coding Guidelines
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Summary by CodeRabbit

• New Features

  • Added gate service client configuration for enhanced authentication flows.

• Documentation

  • Updated backend and frontend README descriptions for clarity.

• Chores

  • Expanded CORS policy to support additional localhost origins for local development.
  • Generalized product naming conventions across configuration and scripts.

[coderabbitai]

Warning

Rate limit exceeded

@brionmario has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 55 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7e943ddc-14ff-426d-b178-05c50b411feb

📥 Commits

Reviewing files that changed from the base of the PR and between ad686f6 and 1fe8883.

📒 Files selected for processing (36)

• .github/workflows/pr-builder.yml
• .github/workflows/windows-build-validation.yml
• Dockerfile
• Makefile
• backend/README.md
• backend/cmd/server/bootstrap/01-default-resources.ps1
• backend/cmd/server/bootstrap/01-default-resources.sh
• backend/cmd/server/bootstrap/02-sample-resources.ps1
• backend/cmd/server/bootstrap/02-sample-resources.sh
• backend/cmd/server/bootstrap/common.ps1
• backend/cmd/server/bootstrap/common.sh
• backend/cmd/server/main_test.go
• backend/internal/system/security/context.go
• backend/internal/system/security/service.go
• backend/internal/system/security/service_test.go
• backend/internal/system/sysauthz/service.go
• backend/internal/system/sysauthz/service_test.go
• build.ps1
• build.sh
• frontend/README.md
• install/helm/templates/thunder-deployment.yaml
• install/helm/values.yaml
• samples/apps/react-api-based-sample/README.md
• setup.ps1
• setup.sh
• start.ps1
• start.sh
• tests/e2e/configs/routes/console-routes.ts
• tests/e2e/tests/accessibility/dashboard-views.a11y.spec.ts
• tests/e2e/tests/accessibility/sign-in-page.a11y.spec.ts
• tests/e2e/tests/sample-app-authentication/.env.example
• tests/e2e/tests/sample-app-authentication/sample-app-mfa-login.spec.ts
• tests/e2e/utils/accessibility/index.ts
• tests/e2e/utils/authentication/console-admin-auth-utils.ts
• tests/e2e/utils/mock-sms-server.ts
• tests/e2e/utils/thunder-setup/mfa-setup.ts

📝 Walkthrough

Walkthrough

This pull request refactors the codebase to generalize Thunder-specific naming and environment variables into configurable, product-agnostic alternatives. It renames API helper functions (e.g., Invoke-ThunderApi → Invoke-Api, thunder_api_call → api_call), replaces environment variables (e.g., THUNDER_API_BASE → API_BASE, THUNDER_SKIP_SECURITY → SKIP_SECURITY), and parameterizes product naming across build, bootstrap, setup, and startup scripts. Additionally, it updates documentation and adds new configuration for CORS and gate client connectivity.

Changes

Cohort / File(s)	Summary
Docker & Build Configuration Dockerfile, Makefile, build.ps1, build.sh	Docker image label and Makefile targets parameterized with PRODUCT_NAME; build scripts updated to use PRODUCT_NAME, PRODUCT_VERSION, and BINARY_NAME instead of hardcoded "Thunder" references; environment variable switches from THUNDER_* to generic names (API_BASE, SKIP_SECURITY).
Bootstrap Scripts - PowerShell backend/cmd/server/bootstrap/common.ps1, 01-default-resources.ps1, 02-sample-resources.ps1	API helper function renamed from Invoke-ThunderApi to Invoke-Api; $PRODUCT_NAME constant added and used in messages; base URL env var changed from THUNDER_API_BASE to API_BASE; all resource creation/flow management calls updated to use renamed API helper.
Bootstrap Scripts - Shell backend/cmd/server/bootstrap/common.sh, 01-default-resources.sh, 02-sample-resources.sh	API helper function renamed from thunder_api_call to api_call; PRODUCT_NAME exported variable added; base URL env var switched from THUNDER_API_BASE to API_BASE; all resource provisioning calls and flow operations updated to use renamed helper.
Setup & Startup Scripts - PowerShell setup.ps1, start.ps1	Product naming variables ($PRODUCT_NAME, $BINARY_NAME) added; Invoke-ThunderApi renamed to Invoke-Api; security control switched from THUNDER_SKIP_SECURITY to SKIP_SECURITY; server executable resolution generalized to use $BINARY_NAME; PID variable renamed from $THUNDER_PID to $SERVER_PID.
Setup & Startup Scripts - Shell setup.sh, start.sh	PRODUCT_NAME and BINARY_NAME variables introduced; thunder_api_call renamed to api_call; THUNDER_PID renamed to SERVER_PID; security toggle changed from THUNDER_SKIP_SECURITY to SKIP_SECURITY; server binary launch updated from ./thunder to ./${BINARY_NAME}.
Configuration backend/cmd/server/repository/conf/deployment.yaml	New top-level gate_client configuration block added with port, scheme, and login path; CORS allowed_origins expanded to include additional localhost entries.
Documentation backend/README.md, frontend/README.md, frontend/pnpm-workspace.yaml, tests/e2e/...	Backend and frontend READMEs updated with "Thunder ⚡" branding; frontend workspace configuration adjusted (commented out apps/*); E2E test documentation and comments generalized from "Thunder" to "server" terminology; JSDoc descriptions refined for broader applicability.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• Remove unwanted Thunder references from source files #2467: Performs the same rebranding and renaming work across overlapping scripts and configuration files, replacing "Thunder" references with parameterized product naming.

Suggested labels

Type/Improvement

Suggested reviewers

• jeradrutnam
• DonOmalVindula

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: parameterizing product name references in scripts and source files instead of hardcoding 'Thunder'.
Description check	✅ Passed	The PR description provides a clear purpose and detailed approach with specific examples of changes, though several checklist items remain unchecked and some template sections are omitted.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

backend/cmd/server/bootstrap/common.sh (1)

23-24: Consider exporting PRODUCT_NAME for external use.

The variable is defined but not exported. Scripts sourcing this file will have access to it in the current shell context, but if any child processes need it, consider adding export:

-PRODUCT_NAME="Thunder"
+export PRODUCT_NAME="Thunder"

This aligns with how API_BASE is expected to be available from the environment (exported by setup.sh).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/cmd/server/bootstrap/common.sh` around lines 23 - 24, The
PRODUCT_NAME variable is set but not exported, so child processes won't see it;
update the assignment of PRODUCT_NAME to be exported (e.g., make PRODUCT_NAME
available to the environment the same way API_BASE is exported by setup.sh) by
exporting PRODUCT_NAME so downstream scripts/processes can access it; target the
PRODUCT_NAME definition in this file (and mirror the export pattern used for
API_BASE in setup.sh).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@backend/cmd/server/repository/conf/deployment.yaml`:
- Around line 54-60: The current origin validation uses substring checks
(strings.Contains) and allows crafted hosts like
"https://localhost:5173.attacker.tld" to pass; update the validator in
serverutil.go (the function handling origin checks, e.g.,
IsOriginAllowed/ValidateOrigin) to parse the incoming origin using url.Parse,
normalize it to "scheme://host[:port]" and compare for exact equality against
the allow-list entries (also normalized) instead of using strings.Contains;
ensure nil/parse errors are rejected and treat default ports consistently when
comparing.

In `@build.ps1`:
- Around line 60-62: PRODUCT_NAME is a UI/display string but you're deriving
PRODUCT_NAME_LOWERCASE from it which can produce invalid slugs; introduce an
explicit BINARY_NAME (a slug) and replace uses of PRODUCT_NAME_LOWERCASE with
BINARY_NAME (including the other occurrences around PRODUCT_NAME at lines
referenced 159-164) so builds and artifacts use the stable slug while
PRODUCT_NAME remains the human-friendly display name.
- Around line 1575-1577: The code temporarily sets $env:SKIP_SECURITY and
possibly API_BASE before calling Run-Backend; wrap that override block in a
try/finally so you always restore $env:SKIP_SECURITY (from
$script:ORIGINAL_SKIP_SECURITY) and any temporary API_BASE value even if
Run-Backend throws or an exit is triggered; locate the override and call to
Run-Backend and move the environment assignments into a try { ... Run-Backend
-ShowFinalOutput $false } finally { restore $env:SKIP_SECURITY =
$script:ORIGINAL_SKIP_SECURITY; restore/clear API_BASE as originally saved } to
ensure no insecure state persists.

In `@build.sh`:
- Around line 96-103: The build uses PRODUCT_NAME and derives BINARY_NAME by
lowercasing PRODUCT_NAME which breaks when the display name contains spaces or
punctuation; introduce an explicit slug variable (e.g., BINARY_SLUG or
PACKAGE_SLUG) and use that for all filesystem/artifact names instead of
PRODUCT_NAME_LOWERCASE or BINARY_NAME, update PRODUCT_FOLDER to use the slug,
and ensure start.sh and setup.sh reference the new slug variable (not
PRODUCT_NAME) so display label and executable/artifact name remain independent
and stable.

---

Nitpick comments:
In `@backend/cmd/server/bootstrap/common.sh`:
- Around line 23-24: The PRODUCT_NAME variable is set but not exported, so child
processes won't see it; update the assignment of PRODUCT_NAME to be exported
(e.g., make PRODUCT_NAME available to the environment the same way API_BASE is
exported by setup.sh) by exporting PRODUCT_NAME so downstream scripts/processes
can access it; target the PRODUCT_NAME definition in this file (and mirror the
export pattern used for API_BASE in setup.sh).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43cc065b-b16e-4112-aa16-e54f47ed1907

📥 Commits

Reviewing files that changed from the base of the PR and between 45eb325 and ad686f6.

📒 Files selected for processing (27)

• Dockerfile
• Makefile
• backend/README.md
• backend/cmd/server/bootstrap/01-default-resources.ps1
• backend/cmd/server/bootstrap/01-default-resources.sh
• backend/cmd/server/bootstrap/02-sample-resources.ps1
• backend/cmd/server/bootstrap/02-sample-resources.sh
• backend/cmd/server/bootstrap/common.ps1
• backend/cmd/server/bootstrap/common.sh
• backend/cmd/server/repository/conf/deployment.yaml
• build.ps1
• build.sh
• frontend/README.md
• frontend/pnpm-workspace.yaml
• setup.ps1
• setup.sh
• start.ps1
• start.sh
• tests/e2e/configs/routes/console-routes.ts
• tests/e2e/tests/accessibility/dashboard-views.a11y.spec.ts
• tests/e2e/tests/accessibility/sign-in-page.a11y.spec.ts
• tests/e2e/tests/sample-app-authentication/.env.example
• tests/e2e/tests/sample-app-authentication/sample-app-mfa-login.spec.ts
• tests/e2e/utils/accessibility/index.ts
• tests/e2e/utils/authentication/console-admin-auth-utils.ts
• tests/e2e/utils/mock-sms-server.ts
• tests/e2e/utils/thunder-setup/mfa-setup.ts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.79%. Comparing base (0c39187) to head (1fe8883).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2478   +/-   ##
=======================================
  Coverage   88.79%   88.79%           
=======================================
  Files         872      872           
  Lines       60306    60306           
=======================================
  Hits        53550    53550           
  Misses       4944     4944           
  Partials     1812     1812           

Flag	Coverage Δ
backend-integration-postgres	53.32% <100.00%> (ø)
backend-integration-redis	52.89% <100.00%> (ø)
backend-integration-sqlite	53.31% <100.00%> (ø)
backend-unit	82.66% <100.00%> (ø)
frontend-apps-console-unit	89.40% <ø> (ø)
frontend-apps-gate-unit	97.35% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.