Closes the deferrals from Fase 4 that gated a public deploy of the MVP.
PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
built shell; no runtime caching of Supabase (offline writes stay on the
existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
(apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
(noted in apps/web/static/icons/README.md).
Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
Anti-spam on invitation creation is the only rate-limit that survived —
auth rate-limits were dropped during execution (see plan §6.3): Keycloak
already provides bruteForceProtected=true on the realm, and stacking a
Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
PostgREST rejects POST to root with PGRST117. Route carries a
request-transformer plugin that rewrites the URI back.
JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
48-byte secret via openssl. Prints three values for the operator to
paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
and apps/web/.env.development. Existing sessions are invalidated — all
users must re-login once.
- .env.production.example committed with placeholders + rotation notes.
Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
(non-member) and GETs 8 REST endpoints — all must return []. Complements
the Vitest rls-audit.test.ts suite.
Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
shared state); run via `just test-rate-limit` which force-recreates Kong
first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
rate-limit).
Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
56 lines
1.9 KiB
TypeScript
56 lines
1.9 KiB
TypeScript
/**
|
|
* P-series: PWA install prerequisites (Fase 6.1 + 6.2).
|
|
*
|
|
* Validates that the web manifest is served correctly and a service worker
|
|
* registers after first load. Lighthouse ≥ 90 is manual (see `just lighthouse`).
|
|
*/
|
|
import { test, expect } from '@playwright/test';
|
|
import { USERS } from '../fixtures/users.js';
|
|
import { loginAs } from '../fixtures/login.js';
|
|
|
|
test.describe('PWA install prerequisites', () => {
|
|
test('P-01: /manifest.webmanifest is served with a valid shape', async ({ request }) => {
|
|
const r = await request.get('/manifest.webmanifest');
|
|
expect(r.status()).toBe(200);
|
|
// Either application/manifest+json or application/json is acceptable
|
|
// (Vite dev and the @vite-pwa plugin can disagree on the exact value).
|
|
expect(r.headers()['content-type'] ?? '').toMatch(/manifest\+json|application\/json/);
|
|
|
|
const m = (await r.json()) as {
|
|
name?: string;
|
|
short_name?: string;
|
|
start_url?: string;
|
|
display?: string;
|
|
icons?: Array<{ sizes?: string; type?: string; src?: string }>;
|
|
};
|
|
expect(m.name).toBeTruthy();
|
|
expect(m.short_name).toBeTruthy();
|
|
expect(m.start_url).toBeTruthy();
|
|
expect(m.display).toBe('standalone');
|
|
expect(Array.isArray(m.icons)).toBe(true);
|
|
|
|
const sizes = (m.icons ?? []).map((i) => i.sizes);
|
|
expect(sizes).toContain('192x192');
|
|
expect(sizes).toContain('512x512');
|
|
});
|
|
|
|
test('P-02: service worker registers after first load', async ({ page }) => {
|
|
await loginAs(page, USERS.borja);
|
|
await page.goto('/lists');
|
|
|
|
// SW registration is async and driven by an onMount() dynamic import in
|
|
// the root layout — give it a few seconds to resolve before asserting.
|
|
const reg = await page.waitForFunction(
|
|
async () => {
|
|
const r = await navigator.serviceWorker.getRegistration();
|
|
return r ? { scope: r.scope } : null;
|
|
},
|
|
null,
|
|
{ timeout: 10_000 }
|
|
);
|
|
const state = await reg.jsonValue();
|
|
expect(state).not.toBeNull();
|
|
expect(state?.scope).toMatch(/^https?:\/\//);
|
|
});
|
|
});
|