Files
collective-lists/.env.production.example
Oier Bravo Urtasun 2db5aaac14 Fase 6: deploy readiness (PWA + invitation rate-limit + JWT rotation)
Closes the deferrals from Fase 4 that gated a public deploy of the MVP.

PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
  SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
  built shell; no runtime caching of Supabase (offline writes stay on the
  existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
  virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
  (apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
  (noted in apps/web/static/icons/README.md).

Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
  Anti-spam on invitation creation is the only rate-limit that survived —
  auth rate-limits were dropped during execution (see plan §6.3): Keycloak
  already provides bruteForceProtected=true on the realm, and stacking a
  Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
  during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
  PostgREST rejects POST to root with PGRST117. Route carries a
  request-transformer plugin that rewrites the URI back.

JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
  48-byte secret via openssl. Prints three values for the operator to
  paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
  and apps/web/.env.development. Existing sessions are invalidated — all
  users must re-login once.
- .env.production.example committed with placeholders + rotation notes.

Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
  lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
  (non-member) and GETs 8 REST endpoints — all must return []. Complements
  the Vitest rls-audit.test.ts suite.

Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
  shared state); run via `just test-rate-limit` which force-recreates Kong
  first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
  rate-limit).

Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 04:48:04 +02:00

50 lines
2.9 KiB
Plaintext

# Production environment template for Colectivo.
# Copy to /srv/colectivo/.env on the production host and fill in the secrets.
# NEVER commit the filled version.
# ── Database ──────────────────────────────────────────────────────────────
POSTGRES_PASSWORD=<openssl rand -base64 32>
# ── Supabase signing key ──────────────────────────────────────────────────
# Regenerate every 90 days (or immediately on a suspected leak).
# Use infra/scripts/rotate-jwt.sh to produce the matching anon + service-role
# JWTs; it signs both with the secret below, so they must stay in sync.
SUPABASE_JWT_SECRET=<openssl rand -base64 48 | tr -d '\n'>
# JWTs signed with the secret above. Produced by infra/scripts/rotate-jwt.sh.
# Don't hand-edit these — run the script, copy its output.
PUBLIC_SUPABASE_ANON_KEY=<signed by rotate-jwt.sh>
SUPABASE_SERVICE_ROLE_KEY=<signed by rotate-jwt.sh>
# ── Public URLs (production domain + subdomain) ───────────────────────────
PUBLIC_SUPABASE_URL=https://api.example.com
PUBLIC_KEYCLOAK_URL=https://auth.example.com
PUBLIC_KEYCLOAK_REALM=colectivo
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
PUBLIC_APP_URL=https://app.example.com
# ── Keycloak ──────────────────────────────────────────────────────────────
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=<openssl rand -base64 24>
# Client secret for the confidential OAuth client; must match the Keycloak
# realm export.
KEYCLOAK_CLIENT_SECRET=<openssl rand -base64 32>
# ── Email (Resend) ────────────────────────────────────────────────────────
RESEND_API_KEY=re_...
RESEND_FROM_EMAIL=noreply@example.com
# ── Backup storage (Backblaze B2) ─────────────────────────────────────────
B2_BUCKET_NAME=colectivo-prod-backups
B2_APPLICATION_KEY_ID=<from Backblaze>
B2_APPLICATION_KEY=<from Backblaze>
# ── Supabase Studio ───────────────────────────────────────────────────────
# Basic-auth on the admin UI. Narrow to internal IPs via nginx when possible.
DASHBOARD_USERNAME=<pick>
DASHBOARD_PASSWORD=<openssl rand -base64 24>
# ── Deploy target ─────────────────────────────────────────────────────────
DEPLOY_HOST=deploy@prod.example.com
DEPLOY_PATH=/srv/colectivo