Closes the deferrals from Fase 4 that gated a public deploy of the MVP.
PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
built shell; no runtime caching of Supabase (offline writes stay on the
existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
(apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
(noted in apps/web/static/icons/README.md).
Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
Anti-spam on invitation creation is the only rate-limit that survived —
auth rate-limits were dropped during execution (see plan §6.3): Keycloak
already provides bruteForceProtected=true on the realm, and stacking a
Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
PostgREST rejects POST to root with PGRST117. Route carries a
request-transformer plugin that rewrites the URI back.
JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
48-byte secret via openssl. Prints three values for the operator to
paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
and apps/web/.env.development. Existing sessions are invalidated — all
users must re-login once.
- .env.production.example committed with placeholders + rotation notes.
Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
(non-member) and GETs 8 REST endpoints — all must return []. Complements
the Vitest rls-audit.test.ts suite.
Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
shared state); run via `just test-rate-limit` which force-recreates Kong
first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
rate-limit).
Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
61 lines
2.0 KiB
TypeScript
61 lines
2.0 KiB
TypeScript
import { defineConfig } from 'vite';
|
|
import { sveltekit } from '@sveltejs/kit/vite';
|
|
import { SvelteKitPWA } from '@vite-pwa/sveltekit';
|
|
import { paraglide } from '@inlang/paraglide-sveltekit/vite';
|
|
|
|
export default defineConfig({
|
|
plugins: [
|
|
paraglide({
|
|
project: './project.inlang',
|
|
outdir: './src/lib/paraglide'
|
|
}),
|
|
sveltekit(),
|
|
SvelteKitPWA({
|
|
// Fase 6.1: custom SW at src/sw.ts (NOT src/service-worker.ts — SvelteKit
|
|
// intercepts that filename and blocks Workbox imports; see gotcha #10
|
|
// in CLAUDE.md). Minimal strategy: precache the built shell, no runtime
|
|
// caching of Supabase. The $lib/sync pending_ops queue already handles
|
|
// offline writes; SyncBanner surfaces offline state to the user.
|
|
strategies: 'injectManifest',
|
|
srcDir: 'src',
|
|
filename: 'sw.ts',
|
|
scope: '/',
|
|
base: '/',
|
|
manifest: {
|
|
name: 'Colectivo',
|
|
short_name: 'Colectivo',
|
|
description: 'Gestión colaborativa del hogar',
|
|
theme_color: '#0f172a',
|
|
background_color: '#f7f9fb',
|
|
display: 'standalone',
|
|
orientation: 'portrait',
|
|
scope: '/',
|
|
start_url: '/',
|
|
icons: [
|
|
{ src: '/icons/icon-192.png', sizes: '192x192', type: 'image/png' },
|
|
{ src: '/icons/icon-512.png', sizes: '512x512', type: 'image/png' },
|
|
{ src: '/icons/icon-512-maskable.png', sizes: '512x512', type: 'image/png', purpose: 'maskable' }
|
|
]
|
|
},
|
|
injectManifest: {
|
|
globPatterns: ['client/**/*.{js,css,ico,png,svg,webp,woff,woff2}']
|
|
},
|
|
devOptions: {
|
|
enabled: true,
|
|
suppressWarnings: true,
|
|
type: 'module',
|
|
navigateFallback: '/'
|
|
}
|
|
})
|
|
],
|
|
server: {
|
|
port: 5173,
|
|
// Bind to all interfaces so the LAN (phone, tablet, other laptops on
|
|
// the same Wi-Fi) can reach the dev server at http://<LAN-IP>:5173.
|
|
// Auth flows will fail from non-laptop clients because Keycloak's
|
|
// issuer URL resolves to `keycloak:8080` only on the laptop's /etc/hosts
|
|
// — use this for layout/CSS visual checks, not for full login tests.
|
|
host: true
|
|
}
|
|
});
|