chore(ZMS): optimize devcontainer setup

[Fabinatix97]

Pull Request Checklist (Feature Branch to next):

• Ich habe die neuesten Änderungen aus dem next Branch in meinen Feature-Branch gemergt.
• Das Code-Review wurde abgeschlossen.
• Fachliche Tests wurden durchgeführt und sind abgeschlossen.

Summary by CodeRabbit

• Chores

  • Updated Node.js to v24 in the dev environment.
  • Streamlined dev container setup: editor extensions, a create-time setup sequence, and DB init on startup.
  • Disabled automatic self-signed SSL creation and stopped enabling the default SSL module.
  • Adjusted local API endpoint for the dev container.
  • Changed site root to internally serve the admin path instead of an external redirect.

• New Features

  • Added an example env var to control HTTPS for the admin UI and made HTTPS enforcement conditional.
  • Ignore local admin env files in development.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Devcontainer and admin-frontend updates: Node.js setup bumped to 24.x; SSL enabling, self-signed cert generation, and SSL VirtualHost setup disabled in the Containerfile; devcontainer adds postCreateCommand and VS Code extensions; MariaDB init SQL mounted; admin frontend gets env example, gitignore entries, conditional HTTPS enforcement, API URL update, and a root rewrite change.

Changes

Cohort / File(s)	Summary
Devcontainer build config /.devcontainer/Containerfile	Removed enabling of the ssl Apache module; commented-out/disabled self-signed certificate generation and SSL VirtualHost setup; updated Node.js setup script from setup_18.x to setup_24.x.
Devcontainer runtime & commands /.devcontainer/devcontainer.json	Added top-level postCreateCommand (composer, npm install/build, migrations); extended initializeCommand to copy zmsadmin/.env from zmsadmin/.env.example if missing; added customizations.vscode.extensions; preserved postStartCommand.
Compose / DB init /.devcontainer/docker-compose.yaml	Added read-only volume mount ../.resources/zms.sql:/docker-entrypoint-initdb.d/01-zms.sql:ro to the db service to run SQL on container init.
Admin frontend env & ignore zmsadmin/.env.example, zmsadmin/.gitignore	Added zmsadmin/.env.example with ZMS_ADMIN_FORCE_HTTPS (default false) and comments; added .env, .env.local, and .env.*.local to .gitignore.
Admin frontend runtime zmsadmin/js/index.js	Replaced unconditional forceHttps() call with conditional invocation based on ZMS_ADMIN_FORCE_HTTPS ('false' disables).
Devcontainer env template /.devcontainer/.env.template	Updated ZMS_API_URL from http://localhost/terminvereinbarung/api/2 to http://web/terminvereinbarung/api/2.
Webroot rewrite .htaccess	Changed root rewrite rule to internally serve /terminvereinbarung/admin for REQUEST_URI ^/$, removing the prior external redirect and query-string matching.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudge configs with a curious tap,
Node hops to twenty-four — a lively clap,
SQL seeds settle in a read-only bed,
HTTPS waits for env words to be said,
I bound away, whiskers twitching — changes fed.

Pre-merge checks

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The PR title 'chore(ZMS): optimize devcontainer setup' is generic and doesn't clearly reflect the actual changes, which include significant modifications to SSL configuration, Node.js version, environment variables, and URL routing.	Consider a more specific title that captures the main changes, such as 'chore(ZMS): disable SSL, update Node.js to 24.x, add environment configuration, and update routing' or focus on the primary change if one exists.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.devcontainer/devcontainer.json (1)

22-22: Consider improving error handling in postCreateCommand.

The postCreateCommand chains multiple operations with &&, which means failure in any step silently prevents subsequent steps from executing. This could leave the container in a partially initialized state without clear error messages.

🔎 Proposed refactor with better error handling

-  "postCreateCommand": "bash -c './cli modules loop composer install && ./cli modules loop npm install && ./cli modules loop npm build && cd zmsapi && vendor/bin/migrate --update && cd ../zmscitizenview && npm install'",
+  "postCreateCommand": "bash -c 'set -e; echo \"Running composer install...\"; ./cli modules loop composer install; echo \"Running npm install...\"; ./cli modules loop npm install; echo \"Running npm build...\"; ./cli modules loop npm build; echo \"Running migrations...\"; (cd zmsapi && vendor/bin/migrate --update); echo \"Installing zmscitizenview dependencies...\"; (cd zmscitizenview && npm install); echo \"✓ Post-create setup complete\"'",

This approach:

• Uses set -e to fail fast on errors
• Adds logging for each step to aid debugging
• Uses subshells (cd ...) to avoid leaving the shell in a different directory
• Provides clear success message when complete

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba74401 and b0475f5.

📒 Files selected for processing (3)

• .devcontainer/Containerfile
• .devcontainer/devcontainer.json
• .devcontainer/docker-compose.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Analyze (java-kotlin)
• GitHub Check: call-zmsautomation-tests / zmsapiautomation
• GitHub Check: call-php-unit-tests / zmsdb-test

🔇 Additional comments (3)

.devcontainer/devcontainer.json (1)

8-18: LGTM! Appropriate VSCode extensions for the stack.

The selected extensions (PHP Intelephense, GitLens, Twig Language, Vue Volar, and Xdebug) are well-suited for a PHP/Node.js/Vue development environment.

.devcontainer/docker-compose.yaml (1)

28-28: No action needed. The SQL initialization script at .resources/zms.sql exists and contains valid SQL content. The docker-compose.yaml volume mount is correctly configured.

.devcontainer/Containerfile (1)

51-52: Node.js 24.x is a released version and is on track for LTS status; no action needed.

Node.js 24 was released as a Current release in May 2025 and is scheduled to enter Active LTS in October 2025, with long-term support through April 2028. This follows the expected LTS release pattern (even-numbered versions: 18, 20, 22, 24). Using Node.js 24.x in the container is appropriate and will not cause build failures due to version unavailability or instability.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

zmsadmin/js/index.js (1)

146-146: Remove or replace console.log() statement.

According to the coding guidelines, console.log() should be removed or replaced with console.debug() for development purposes. Production code should not contain console.log statements.

🔎 Suggested fix

-// Say hello
-console.log("Welcome to the ZMS admin interface...");
+// Development logging can be added here if needed
+// console.debug("ZMS admin interface initialized");

Or remove the lines entirely if the welcome message isn't necessary.

Based on coding guidelines for JavaScript files.

🧹 Nitpick comments (1)

zmsadmin/js/index.js (1)

72-77: Clarify the environment variable default behavior.

The current opt-out pattern (process.env.ZMS_ADMIN_FORCE_HTTPS !== 'false') defaults to enabled unless explicitly set to the string 'false'. This is intentional for security—HTTPS forcing is the default behavior. However, verify that this matches your security requirements:

• If HTTPS forcing should always be enabled by default (security-first), the current implementation is correct but could be more explicit. Consider documenting that only the string 'false' disables it, and any other value (undefined, '0', 'no') results in HTTPS being forced.
• If HTTPS forcing should be optional by default, switch to opt-in: process.env.ZMS_ADMIN_FORCE_HTTPS === 'true'.

Note: zmsstatistic/js/index.js unconditionally forces HTTPS, suggesting this is a core security requirement. Ensure the zmsadmin behavior aligns with this design.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0475f5 and 4b8df41.

📒 Files selected for processing (6)

• .devcontainer/Containerfile
• .devcontainer/devcontainer.json
• .devcontainer/docker-compose.yaml
• zmsadmin/.env.example
• zmsadmin/.gitignore
• zmsadmin/js/index.js

✅ Files skipped from review due to trivial changes (2)

• zmsadmin/.gitignore
• zmsadmin/.env.example

🚧 Files skipped from review as they are similar to previous changes (1)

• .devcontainer/devcontainer.json

🧰 Additional context used

📓 Path-based instructions (2)

**/*

⚙️ CodeRabbit configuration file

**/*: Apply the following Clean Code guidelines to all files, as summarized by wojteklu's Clean Code gist:

Code is clean if it can be understood easily – by everyone on the team. Clean code can be read and enhanced by a developer other than its original author. With understandability comes readability, changeability, extensibility and maintainability.

General rules

1. Follow standard conventions.
2. Keep it simple stupid. Simpler is always better. Reduce complexity as much as possible.
3. Boy scout rule. Leave the campground cleaner than you found it.
4. Always find root cause. Always look for the root cause of a problem.

Design rules

1. Keep configurable data at high levels.
2. Prefer polymorphism to if/else or switch/case.
3. Separate multi-threading code.
4. Prevent over-configurability.
5. Use dependency injection.
6. Follow Law of Demeter. A class should know only its direct dependencies.

Understandability tips

1. Be consistent. If you do something a certain way, do all similar things in the same way.
2. Use explanatory variables.
3. Encapsulate boundary conditions. Boundary conditions are hard to keep track of. Put the processing for them in one place.
4. Prefer dedicated value objects to primitive type.
5. Avoid logical dependency. Don't write methods which works correctly depending on something else in the same class.
6. Avoid negative conditionals.

Names rules

1. Choose descriptive and unambiguous names.
2. Make meaningful distinction.
3. Use pronounceable names.
4. Use searchable names.
5. Replace magic numbers with named constants.
6. Avoid encodings. Don't append prefixes or type information.

Functions rules

1. Small.
2. Do one thing.
3. Use descriptive names.
4. Prefer fewer arguments.
5. Have no side effects.
6. Don't use flag arguments. Split method into several independent methods that can b...

Files:

• zmsadmin/js/index.js

**/*.{js,jsx,ts,tsx}

⚙️ CodeRabbit configuration file

**/*.{js,jsx,ts,tsx}: Flag any usage of console.log() as it should be replaced with proper logging or removed:

1. For development: console.debug()
2. For production: Remove console.log() statements or use structured logging
3. For errors: Use error console.error()

Example replacement:

// Instead of:
console.log('User data:', userData);

// Use:
console.debug('Processing user data', { userData });
// or for development only:
Remove the console.log entirely

Flag specific logging violations:

1. console.log(), console.debug(), console.warn() usage (except console.error in catch blocks)
2. Any debug output that should use proper logging frameworks

Example replacements:

// Instead of:
console.log('User data:', userData);
console.debug('Processing...');

// Use:
// Remove console.log entirely or use proper logging
// Only console.error in catch blocks is acceptable
try {
  processData(userData);
} catch (error) {
  console.error('Processing failed:', error);
}

Flag JavaScript security and UX issues:

1. alert(), confirm(), prompt() usage (poor UX)
2. eval() usage (security risk)
3. innerHTML with user input (XSS risk)
4. Unfiltered user input in DOM manipulation

Example replacements:

// Instead of:
alert('Error occurred');
eval(userInput);

// Use:
// Use proper error handling and UI components
this.showErrorNotification('Error occurred');
// Avoid eval() entirely

Flag TODO/FIXME comments that indicate technical debt:

1. TODO comments without clear action items
2. FIXME comments indicating broken functionality
3. HACK comments indicating temporary workarounds
4. XXX comments indicating problematic code

These should be converted to proper issues or addressed:

// Instead of:
// TODO: fix this later
// FIXME: this is broken

// Use:
// Create proper issue and reference it
// @see Issue #123: Refactor validation logic

Flag code complexity issues:

1. Functions longer than 50 lines
2. Deep nesting (...

Files:

• zmsadmin/js/index.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (java-kotlin)
• GitHub Check: call-php-unit-tests / zmsapi-test
• GitHub Check: call-php-unit-tests / zmsdb-test
• GitHub Check: call-zmsautomation-tests / zmsapiautomation

🔇 Additional comments (3)

.devcontainer/docker-compose.yaml (2)

10-10: Port mapping simplified appropriately.

The port mapping has been updated to expose only HTTP (8091:80), removing the previous HTTPS port (8091:443). This aligns with the SSL removal changes in the Containerfile and the conditional HTTPS forcing in the application code.

---

27-27: SQL initialization script verified successfully.

The SQL file exists at .resources/zms.sql (172K) and contains valid database initialization content with proper schema definitions for MariaDB 10.4.34.

.devcontainer/Containerfile (1)

52-53: Node.js 24.x is the current LTS version and the appropriate choice for this project.

As of January 2026, Node.js 24.x is the Active LTS release (since October 2025) and is recommended for production. The project has no explicit Node.js version constraints in any package.json file, indicating compatibility across a range of versions. This update aligns with adopting the latest stable LTS line.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Remove commented code instead of leaving it in place.

According to clean code principles, commented-out code should be removed entirely rather than left in the codebase. If you need to reference the SSL setup in the future, it's available in version control history.

🔎 Suggested cleanup

-RUN a2enmod rewrite proxy_fcgi alias headers
-# RUN a2enmod rewrite proxy_fcgi alias headers ssl
+RUN a2enmod rewrite proxy_fcgi alias headers

 # —————————————————————————————————————————
-# 4. Generate self-signed SSL certificate
+# 4. Node.js installation (formerly SSL setup - now removed)
 # —————————————————————————————————————————
-# RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-#   -keyout /etc/ssl/private/apache-selfsigned.key \
-#   -out /etc/ssl/certs/apache-selfsigned.crt \
-#   -subj "/C=DE/ST=Dev/L=Dev/O=Dev/OU=Dev/CN=localhost"
-
-# # —————————————————————————————————————————
-# # 5. Copy and enable SSL VirtualHost config
-# # —————————————————————————————————————————
-# COPY apache-ssl.conf /etc/apache2/sites-available/default-ssl.conf
-# RUN a2ensite default-ssl
-
-# —————————————————————————————————————————
-# 6. Install Node.js
-# —————————————————————————————————————————

Then renumber subsequent sections accordingly.

Based on Clean Code guidelines: "Don't comment out code. Just remove."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN a2enmod rewrite proxy_fcgi alias headers
	# RUN a2enmod rewrite proxy_fcgi alias headers ssl
	# —————————————————————————————————————————
	# 4. Generate self-signed SSL certificate
	# —————————————————————————————————————————
	RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
	-keyout /etc/ssl/private/apache-selfsigned.key \
	-out /etc/ssl/certs/apache-selfsigned.crt \
	-subj "/C=DE/ST=Dev/L=Dev/O=Dev/OU=Dev/CN=localhost"
	# RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
	# -keyout /etc/ssl/private/apache-selfsigned.key \
	# -out /etc/ssl/certs/apache-selfsigned.crt \
	# -subj "/C=DE/ST=Dev/L=Dev/O=Dev/OU=Dev/CN=localhost"
	# —————————————————————————————————————————
	# 5. Copy and enable SSL VirtualHost config
	# —————————————————————————————————————————
	COPY apache-ssl.conf /etc/apache2/sites-available/default-ssl.conf
	RUN a2ensite default-ssl
	# # —————————————————————————————————————————
	# # 5. Copy and enable SSL VirtualHost config
	# # —————————————————————————————————————————
	# COPY apache-ssl.conf /etc/apache2/sites-available/default-ssl.conf
	# RUN a2ensite default-ssl
	RUN a2enmod rewrite proxy_fcgi alias headers
	# —————————————————————————————————————————
	# 4. Node.js installation (formerly SSL setup - now removed)
	# —————————————————————————————————————————

🤖 Prompt for AI Agents

.devcontainer/Containerfile around lines 32 to 47: the file contains
commented-out Apache SSL setup and an alternative a2enmod invocation; remove
these commented blocks (the commented openssl command, COPY/RUN for
default-ssl.conf, and the commented a2enmod line) so the Dockerfile contains
only active, necessary instructions; after removal, adjust any section headings
or numbering comments nearby if they reference removed steps to keep the file
consistent.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.htaccess (1)

6-7: Excellent optimization: internal rewrite is more efficient than external redirect.

The change from external redirect (R=302) to internal rewrite eliminates an HTTP round-trip, improving performance—well-aligned with the PR's optimization goal.

However, note the behavior change: the previous rule dropped query strings (via the trailing ?), while the new rule preserves them. Verify this is intended—if a user visits /?foo=bar, they'll now get /terminvereinbarung/admin?foo=bar internally instead of a clean redirect to /terminvereinbarung/admin.

Optional: More specific RewriteRule pattern for clarity

The pattern ^ matches any string, though the condition restricts execution to REQUEST_URI = /. For improved readability, consider:

-RewriteRule ^ /terminvereinbarung/admin [L]
+RewriteRule ^/?$ /terminvereinbarung/admin [L]

This makes the intent clearer without changing behavior.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c165730 and 7ac9f8a.

📒 Files selected for processing (1)

• .htaccess

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Analyze (java-kotlin)
• GitHub Check: call-zmsautomation-tests / zmsapiautomation
• GitHub Check: call-php-unit-tests / zmsdb-test