Fase 6: deploy readiness (PWA + invitation rate-limit + JWT rotation)

Closes the deferrals from Fase 4 that gated a public deploy of the MVP.

PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
  SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
  built shell; no runtime caching of Supabase (offline writes stay on the
  existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
  virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
  (apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
  (noted in apps/web/static/icons/README.md).

Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
  Anti-spam on invitation creation is the only rate-limit that survived —
  auth rate-limits were dropped during execution (see plan §6.3): Keycloak
  already provides bruteForceProtected=true on the realm, and stacking a
  Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
  during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
  PostgREST rejects POST to root with PGRST117. Route carries a
  request-transformer plugin that rewrites the URI back.

JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
  48-byte secret via openssl. Prints three values for the operator to
  paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
  and apps/web/.env.development. Existing sessions are invalidated — all
  users must re-login once.
- .env.production.example committed with placeholders + rotation notes.

Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
  lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
  (non-member) and GETs 8 REST endpoints — all must return []. Complements
  the Vitest rls-audit.test.ts suite.

Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
  shared state); run via `just test-rate-limit` which force-recreates Kong
  first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
  rate-limit).

Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-14 04:48:04 +02:00
parent 1f5b34d55d
commit 2db5aaac14
24 changed files with 571 additions and 55 deletions

View File

@@ -0,0 +1,37 @@
#!/usr/bin/env bash
# Generate neutral placeholder PNG icons for the PWA manifest (Fase 6.2).
#
# These are placeholders — replace with real art before public launch. The
# glyph is a single uppercase "C" (Colectivo) centred on the Monolith slate
# background (#0f172a).
#
# Dep: ImageMagick (`convert`).
set -euo pipefail
ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
OUT="$ROOT/apps/web/static/icons"
mkdir -p "$OUT"
BG="#0f172a"
FG="#f7f9fb"
render() {
local size="$1"; local out="$2"; local safe="${3:-$size}"
local font_size=$(( safe * 55 / 100 ))
convert -size "${size}x${size}" "xc:${BG}" \
-gravity center \
-pointsize "${font_size}" -fill "${FG}" -font "DejaVu-Sans-Bold" \
-annotate "+0+0" "C" \
-quality 90 "$out"
echo " wrote $out"
}
render 192 "$OUT/icon-192.png"
render 512 "$OUT/icon-512.png"
render 512 "$OUT/icon-512-maskable.png" 410
render 180 "$OUT/icon-180.png"
echo
echo "Done. Placeholder icons written to $OUT."
echo "Replace before public launch — see apps/web/static/icons/README.md."

74
infra/scripts/rls-audit.sh Executable file
View File

@@ -0,0 +1,74 @@
#!/usr/bin/env bash
# RLS isolation audit — manual curl edition.
#
# Mirrors `packages/test-utils/tests/rls-audit.test.ts` (the Vitest version is
# authoritative) but hits the stack via Kong using a real anon key + an
# Eva-signed JWT, which is what a misconfigured RLS policy would actually
# leak data to. Useful as a post-deploy sanity check where Vitest isn't
# available.
#
# Exit non-zero if any endpoint returns rows to Eva (who is NOT a member of
# the seed collective).
set -euo pipefail
ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
cd "$ROOT"
source .env
KONG="${PUBLIC_SUPABASE_URL:-http://localhost:8001}"
ANON="$PUBLIC_SUPABASE_ANON_KEY"
SECRET="$SUPABASE_JWT_SECRET"
EVA_ID='55555555-5555-5555-5555-555555555555'
sign_eva() {
local header='{"alg":"HS256","typ":"JWT"}'
local exp=$(( $(date +%s) + 3600 ))
local payload="{\"sub\":\"$EVA_ID\",\"role\":\"authenticated\",\"aud\":\"authenticated\",\"iss\":\"supabase-demo\",\"exp\":$exp}"
local b64h b64p
b64h=$(printf '%s' "$header" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
b64p=$(printf '%s' "$payload" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
local sig
sig=$(printf '%s.%s' "$b64h" "$b64p" \
| openssl dgst -sha256 -hmac "$SECRET" -binary \
| openssl base64 -e -A \
| tr '+/' '-_' | tr -d '=')
printf '%s.%s.%s' "$b64h" "$b64p" "$sig"
}
TOKEN=$(sign_eva)
HDRS=(-H "apikey: $ANON" -H "Authorization: Bearer $TOKEN")
check() {
local label="$1"; local url="$2"
local body
body=$(curl -s -m 5 "${HDRS[@]}" "$KONG$url")
if [ "$body" = "[]" ]; then
printf ' ok %-35s %s\n' "$label" "[]"
else
printf ' FAIL %-35s %s\n' "$label" "$body"
return 1
fi
}
echo "RLS audit — Eva (non-member) should see [] everywhere:"
fail=0
check 'collectives' '/rest/v1/collectives?select=id' || fail=1
check 'shopping_lists' '/rest/v1/shopping_lists?select=id' || fail=1
check 'shopping_items' '/rest/v1/shopping_items?select=id' || fail=1
check 'task_lists' '/rest/v1/task_lists?select=id' || fail=1
check 'tasks' '/rest/v1/tasks?select=id' || fail=1
check 'notes' '/rest/v1/notes?select=id' || fail=1
check 'collective_members' '/rest/v1/collective_members?select=user_id&user_id=neq.'"$EVA_ID" || fail=1
check 'collective_invitations' '/rest/v1/collective_invitations?select=id' || fail=1
if [ "$fail" -eq 0 ]; then
echo
echo "RLS audit passed."
else
echo
echo "RLS audit FAILED — one or more tables returned data to a non-member."
exit 1
fi

50
infra/scripts/rotate-jwt.sh Executable file
View File

@@ -0,0 +1,50 @@
#!/usr/bin/env bash
# Rotate Supabase JWT secrets + re-sign the anon / service-role keys.
#
# Usage:
# infra/scripts/rotate-jwt.sh # generate a fresh secret
# infra/scripts/rotate-jwt.sh <existing-secret> # re-sign with a given secret
#
# Output: three lines printed to stdout. Paste them into .env (dev) or
# .env.production (prod):
# SUPABASE_JWT_SECRET=<secret>
# PUBLIC_SUPABASE_ANON_KEY=<jwt>
# SUPABASE_SERVICE_ROLE_KEY=<jwt>
#
# After replacing in .env, restart the affected containers:
# docker compose -f infra/docker-compose.dev.yml up -d --force-recreate kong auth rest realtime
# and any existing user sessions signed with the old secret are invalidated —
# everyone re-logs once. Document that in the commit when rotating dev.
set -euo pipefail
SECRET="${1:-$(openssl rand -base64 48 | tr -d '\n')}"
sign_jwt() {
local role="$1"
local header='{"alg":"HS256","typ":"JWT"}'
# Long-lived anon/service keys (10 years) — the guardrail is the secret
# itself rotating, not the token expiry.
local exp=$(( $(date +%s) + 10 * 365 * 24 * 3600 ))
local payload="{\"iss\":\"supabase-demo\",\"role\":\"$role\",\"exp\":$exp}"
local b64h b64p
b64h=$(printf '%s' "$header" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
b64p=$(printf '%s' "$payload" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
local sig
sig=$(printf '%s.%s' "$b64h" "$b64p" \
| openssl dgst -sha256 -hmac "$SECRET" -binary \
| openssl base64 -e -A \
| tr '+/' '-_' | tr -d '=')
printf '%s.%s.%s' "$b64h" "$b64p" "$sig"
}
ANON=$(sign_jwt "anon")
SERVICE=$(sign_jwt "service_role")
cat <<EOF
SUPABASE_JWT_SECRET=$SECRET
PUBLIC_SUPABASE_ANON_KEY=$ANON
SUPABASE_SERVICE_ROLE_KEY=$SERVICE
EOF