Closes the deferrals from Fase 4 that gated a public deploy of the MVP.
PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
built shell; no runtime caching of Supabase (offline writes stay on the
existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
(apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
(noted in apps/web/static/icons/README.md).
Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
Anti-spam on invitation creation is the only rate-limit that survived —
auth rate-limits were dropped during execution (see plan §6.3): Keycloak
already provides bruteForceProtected=true on the realm, and stacking a
Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
PostgREST rejects POST to root with PGRST117. Route carries a
request-transformer plugin that rewrites the URI back.
JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
48-byte secret via openssl. Prints three values for the operator to
paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
and apps/web/.env.development. Existing sessions are invalidated — all
users must re-login once.
- .env.production.example committed with placeholders + rotation notes.
Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
(non-member) and GETs 8 REST endpoints — all must return []. Complements
the Vitest rls-audit.test.ts suite.
Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
shared state); run via `just test-rate-limit` which force-recreates Kong
first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
rate-limit).
Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
188 lines
6.7 KiB
Makefile
188 lines
6.7 KiB
Makefile
# Colectivo — task runner
|
|
# Requires: just, docker, pnpm
|
|
|
|
set dotenv-load := true
|
|
|
|
# Alias: docker compose with correct project root so .env is always found
|
|
dc_dev := "docker compose --env-file .env -f infra/docker-compose.dev.yml"
|
|
dc_prod := "docker compose --env-file .env -f infra/docker-compose.prod.yml"
|
|
|
|
# ── Setup ─────────────────────────────────────────────────────────────────────
|
|
|
|
# First-time (and idempotent) local environment setup
|
|
setup:
|
|
bash setup.sh
|
|
|
|
# ── Dev ───────────────────────────────────────────────────────────────────────
|
|
|
|
# Start full local stack (Docker services + SvelteKit dev server)
|
|
dev:
|
|
{{dc_dev}} up -d
|
|
pnpm --filter @colectivo/web dev
|
|
|
|
# Stop all services (Docker stack + SvelteKit dev server)
|
|
stop:
|
|
{{dc_dev}} down
|
|
-pkill -f "vite" 2>/dev/null || true
|
|
|
|
# Stop local Docker stack
|
|
dev-stop:
|
|
{{dc_dev}} down
|
|
|
|
# Stop and remove all volumes (full reset)
|
|
dev-clean:
|
|
{{dc_dev}} down -v
|
|
|
|
# ── Database ──────────────────────────────────────────────────────────────────
|
|
|
|
# Drop, migrate, and seed the dev database
|
|
db-reset:
|
|
supabase db reset
|
|
|
|
# Apply pending migrations
|
|
db-migrate:
|
|
supabase db push
|
|
|
|
# Apply dev seed data
|
|
db-seed:
|
|
docker exec -i colectivo-dev-db-1 psql -U postgres < supabase/seed.sql
|
|
|
|
# Regenerate TypeScript types from Supabase schema
|
|
db-types:
|
|
supabase gen types typescript --local > packages/types/src/database.ts
|
|
echo "Types written to packages/types/src/database.ts"
|
|
|
|
# Open Supabase Studio
|
|
db-open:
|
|
open http://localhost:54323
|
|
|
|
# ── Keycloak ──────────────────────────────────────────────────────────────────
|
|
|
|
# Export Keycloak realm to keycloak/realm-export.json
|
|
kc-export:
|
|
{{dc_dev}} exec keycloak \
|
|
/opt/keycloak/bin/kc.sh export \
|
|
--realm colectivo \
|
|
--users realm_file \
|
|
--file /tmp/realm-export.json
|
|
{{dc_dev}} cp keycloak:/tmp/realm-export.json keycloak/realm-export.json
|
|
echo "Exported to keycloak/realm-export.json"
|
|
|
|
# Open Keycloak Admin Console
|
|
kc-open:
|
|
open http://localhost:8080/admin
|
|
|
|
# ── Build ─────────────────────────────────────────────────────────────────────
|
|
|
|
# Build all packages
|
|
build:
|
|
pnpm turbo run build
|
|
|
|
# Run the production build locally against the dev Docker stack (port 3000)
|
|
serve: build
|
|
{{dc_dev}} up -d
|
|
PORT=3000 node apps/web/build/index.js
|
|
|
|
# Type-check all packages
|
|
check:
|
|
pnpm turbo run check
|
|
|
|
# Lint all packages
|
|
lint:
|
|
pnpm turbo run lint
|
|
|
|
# Run tests
|
|
test:
|
|
pnpm turbo run test
|
|
|
|
# ── Testing ───────────────────────────────────────────────────────────────────
|
|
|
|
# Run every test suite (pgTAP + Vitest integration + apps/web unit + Playwright E2E).
|
|
# Requires `just dev` to already be running — the stack must be healthy.
|
|
test-all: test-db test-integration test-unit test-e2e
|
|
|
|
# Run apps/web Vitest unit tests (browser-env + jsdom + fake-indexeddb).
|
|
# Currently covers the offline sync queue (Fase 2b.2).
|
|
test-unit:
|
|
pnpm --filter @colectivo/web test:unit
|
|
|
|
# Run pgTAP SQL tests directly against the dev database
|
|
# `set dotenv-load` at the top of this file sources .env so POSTGRES_PASSWORD
|
|
# is available — we forward it to psql via PGPASSWORD.
|
|
test-db:
|
|
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
for f in supabase/tests/*.sql; do
|
|
PGPASSWORD="$POSTGRES_PASSWORD" psql -U postgres -h localhost -d postgres \
|
|
-v ON_ERROR_STOP=1 -f "$f"
|
|
done
|
|
|
|
# Run Vitest integration tests (RLS + trigger assertions via supabase-js)
|
|
test-integration:
|
|
pnpm --filter @colectivo/test-utils test
|
|
|
|
# Run Playwright E2E tests (headless)
|
|
test-e2e:
|
|
pnpm --filter @colectivo/web exec playwright test
|
|
|
|
# Run Playwright E2E tests in headed mode (for debugging)
|
|
test-e2e-headed:
|
|
pnpm --filter @colectivo/web exec playwright test --headed
|
|
|
|
# Run Kong rate-limit verification tests. Restarts Kong first to ensure a
|
|
# clean counter state (tests burn through the minute + hour quotas). Not
|
|
# part of test-all because the tests share the rate-limit counter with the
|
|
# rest of the integration suite.
|
|
test-rate-limit:
|
|
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
{{dc_dev}} up -d --force-recreate kong
|
|
sleep 3
|
|
export RUN_RATE_LIMIT_TESTS=1
|
|
pnpm --filter @colectivo/test-utils test -- rate-limit
|
|
|
|
# Build a prod bundle, serve it on :3000, run Lighthouse against PWA /
|
|
# Accessibility / Best-Practices. Fails if any score drops below 90.
|
|
# Must run while `just dev` (docker stack) is up — Lighthouse loads the
|
|
# real app which hits Supabase via Kong.
|
|
lighthouse:
|
|
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
pnpm --filter @colectivo/web build
|
|
PORT=3000 node apps/web/build/index.js &
|
|
SERVER_PID=$!
|
|
trap "kill $SERVER_PID 2>/dev/null || true" EXIT
|
|
for i in 1 2 3 4 5 6 7 8 9 10; do
|
|
if curl -sf http://localhost:3000/ -o /dev/null; then break; fi
|
|
sleep 1
|
|
done
|
|
pnpm --filter @colectivo/web exec lighthouse http://localhost:3000 \
|
|
--only-categories=pwa,accessibility,best-practices \
|
|
--output=html --output-path=./lighthouse-report.html \
|
|
--chrome-flags='--headless --no-sandbox' \
|
|
--quiet
|
|
|
|
# Run the RLS isolation curl audit — complements rls-audit.test.ts.
|
|
rls-audit:
|
|
infra/scripts/rls-audit.sh
|
|
|
|
# ── Backup & Restore ──────────────────────────────────────────────────────────
|
|
|
|
# Take a manual backup of a service (e.g. just backup supabase)
|
|
backup service:
|
|
infra/scripts/backup.sh {{service}}
|
|
|
|
# Restore a backup file (e.g. just restore supabase backups/2024-01-01.dump)
|
|
restore service file:
|
|
infra/scripts/restore.sh {{service}} {{file}}
|
|
|
|
# ── Production ────────────────────────────────────────────────────────────────
|
|
|
|
# Deploy to production via SSH
|
|
deploy:
|
|
infra/scripts/deploy.sh
|
|
|
|
# Stream production Docker logs
|
|
logs:
|
|
{{dc_prod}} logs -f
|