deploy: 03071803

.github/workflows/ci.yml

@@ -9,13 +9,13 @@ on:
       - 'prisma/**'
       - '.dependency-cruiser.cjs'
       - 'pnpm-lock.yaml'
+      - '.github/workflows/**'
 
 env:
-  # Supabase local development defaults (public, not secrets)
-  # https://supabase.com/docs/guides/local-development/auth#log-in-as-an-existing-user
+  # Supabase local development defaults
+  # Note: SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY are now dynamically generated
+  # by Supabase CLI and will be extracted after `supabase start` in the e2e job
   SUPABASE_URL: http://127.0.0.1:54321
-  SUPABASE_ANON_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0
-  SUPABASE_SERVICE_ROLE_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImV4cCI6MTk4MzgxMjk5Nn0.EGIM96RAZx35lJzdJsyH-qQwv8Hdp7fsn3W0YpN81IU
   # Note: CI uses default Supabase ports (54321 for API, 54322 for DB)
   # Local development may use different ports - check supabase/config.toml
   DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:54322/postgres
@@ -250,47 +250,55 @@ jobs:
       - name: Generate Prisma Client
         run: pnpm db:generate
 
-      - name: Start Supabase and build admin in parallel
+      - name: Start Supabase
         run: |
           # Enable API and use default ports for CI
           sed -i 's/^\[api\]$/[api]/' supabase/config.toml
           sed -i '/^\[api\]$/,/^\[/{s/^enabled = false$/enabled = true/}' supabase/config.toml
           sed -i 's/^port = 54332$/port = 54322/' supabase/config.toml
 
-          # Start Supabase in background
-          supabase start --exclude imgproxy,edge-runtime,vector,studio &
-          SUPABASE_PID=$!
-
-          # Build admin in parallel (admin doesn't need DB)
-          NEXT_PUBLIC_SUPABASE_URL=${{ env.SUPABASE_URL }} \
-          NEXT_PUBLIC_SUPABASE_ANON_KEY=${{ env.SUPABASE_ANON_KEY }} \
-          pnpm build:admin &
-          ADMIN_PID=$!
-
-          # Wait for admin build to complete
-          wait $ADMIN_PID
-
-          # Wait for Supabase to complete
-          wait $SUPABASE_PID
+          # Start Supabase
+          supabase start --exclude imgproxy,edge-runtime,vector,studio
 
           # Wait for Supabase API to be ready
           echo "Waiting for Supabase API..."
           timeout 60 bash -c 'until curl -s http://127.0.0.1:54321/rest/v1/ > /dev/null 2>&1; do sleep 2; done'
           echo "Supabase is ready"
 
+      - name: Get Supabase keys
+        id: supabase-keys
+        run: |
+          # Extract dynamic keys from Supabase CLI
+          SUPABASE_STATUS=$(supabase status --output json)
+          ANON_KEY=$(echo "$SUPABASE_STATUS" | jq -r '.ANON_KEY')
+          SERVICE_ROLE_KEY=$(echo "$SUPABASE_STATUS" | jq -r '.SERVICE_ROLE_KEY')
+
+          echo "SUPABASE_ANON_KEY=$ANON_KEY" >> $GITHUB_OUTPUT
+          echo "SUPABASE_SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY" >> $GITHUB_OUTPUT
+
+          # Also set as environment variables for subsequent steps
+          echo "SUPABASE_ANON_KEY=$ANON_KEY" >> $GITHUB_ENV
+          echo "SUPABASE_SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY" >> $GITHUB_ENV
+
       - name: Run database migrations and seed
         run: |
           pnpm db:migrate:deploy
           pnpm db:seed
 
+      - name: Build admin
+        run: pnpm build:admin
+        env:
+          NEXT_PUBLIC_SUPABASE_URL: ${{ env.SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ steps.supabase-keys.outputs.SUPABASE_ANON_KEY }}
+
       - name: Build webapp
         run: pnpm build:webapp
 
       - name: Run E2E tests for admin
         run: pnpm --filter admin test:e2e
         env:
           NEXT_PUBLIC_SUPABASE_URL: ${{ env.SUPABASE_URL }}
-          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ env.SUPABASE_ANON_KEY }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ steps.supabase-keys.outputs.SUPABASE_ANON_KEY }}
 
       - name: Run E2E tests for webapp
         run: pnpm --filter webapp test:e2e

admin/.env.example

@@ -1,19 +1,19 @@
 # copy to .env.local for development
+
+# === 必須 ===
+DATABASE_URL=postgresql://postgres:postgres@127.0.0.1:54332/postgres
+
 SUPABASE_URL=http://127.0.0.1:54321
 SUPABASE_ANON_KEY="your anon key from supabase status"
 SUPABASE_SERVICE_ROLE_KEY="your service key from supabase status"
 
-# Cache refresh
-DATA_REFRESH_TOKEN="your-secret-refresh-token"
-WEBAPP_URL="http://localhost:3000"
-SITE_URL="http://localhost:3001"
+DATA_REFRESH_TOKEN=your-secret-refresh-token
+WEBAPP_URL=http://localhost:3000
+SITE_URL=http://localhost:3001
 
-# Basic Authentication (optional)
-# If set, enables basic auth for the entire application
-# Value should be SHA256 hash of "id:password" format
-# Example: echo -n "admin:password" | shasum -a 256
-# BASIC_AUTH_SECRET="sha256_hash_of_id_password"
+# === 任意 ===
+# MAINTENANCE_MODE=true
+# MAINTENANCE_MESSAGE=予定時間 22:00-26:00
 
-# Database Configuration
-DATABASE_URL="postgresql://postgres:postgres@127.0.0.1:54332/postgres"
-DIRECT_URL="postgresql://postgres:postgres@127.0.0.1:54332/postgres"
+# ベーシック認証: echo -n "admin:password" | shasum -a 256
+# BASIC_AUTH_SECRET=sha256_hash_of_id_password

admin/src/client/templates/maintenance-html.ts

@@ -0,0 +1,76 @@
+export function getMaintenanceHtml(message?: string): string {
+  const additionalMessage = message
+    ? `<p style="margin-top: 12px; font-size: 13px; color: #6b7280;">${escapeHtml(message)}</p>`
+    : "";
+
+  return `<!DOCTYPE html>
+<html lang="ja">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>メンテナンス中 | 管理画面</title>
+  <style>
+    * {
+      margin: 0;
+      padding: 0;
+      box-sizing: border-box;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Hiragino Sans", "Noto Sans CJK JP", sans-serif;
+      background: #f3f4f6;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .container {
+      background: #ffffff;
+      border: 1px solid #e5e7eb;
+      border-radius: 8px;
+      padding: 32px 24px;
+      max-width: 400px;
+      width: 100%;
+      text-align: center;
+    }
+    h1 {
+      font-size: 18px;
+      font-weight: 600;
+      color: #111827;
+      margin-bottom: 12px;
+    }
+    p {
+      font-size: 14px;
+      color: #4b5563;
+      line-height: 1.5;
+    }
+    .footer {
+      margin-top: 24px;
+      padding-top: 16px;
+      border-top: 1px solid #e5e7eb;
+      font-size: 12px;
+      color: #9ca3af;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>メンテナンス中</h1>
+    <p>現在、システムメンテナンスを実施しております。<br>しばらくお待ちください。</p>
+    ${additionalMessage}
+    <div class="footer">政治資金ダッシュボード管理画面</div>
+  </div>
+</body>
+</html>`;
+}
+
+function escapeHtml(text: string): string {
+  const map: Record<string, string> = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#039;",
+  };
+  return text.replace(/[&<>"']/g, (char) => map[char]);
+}

admin/src/proxy.ts

@@ -1,5 +1,6 @@
 import { createServerClient, type CookieOptions } from "@supabase/ssr";
 import { type NextRequest, NextResponse } from "next/server";
+import { getMaintenanceHtml } from "@/client/templates/maintenance-html";
 
 async function hashCredentials(credentials: string): Promise<string> {
   const encoder = new TextEncoder();
@@ -48,6 +49,21 @@ async function performBasicAuth(request: NextRequest): Promise<NextResponse | nu
 
 // publicパス以外は全て認証を必須とする（セキュアデフォルト）
 export async function proxy(request: NextRequest): Promise<NextResponse> {
+  // メンテナンスモードチェック
+  const isMaintenanceMode = process.env.MAINTENANCE_MODE === "true";
+  if (isMaintenanceMode) {
+    const maintenanceMessage = process.env.MAINTENANCE_MESSAGE;
+    const html = getMaintenanceHtml(maintenanceMessage);
+    return new NextResponse(html, {
+      status: 503,
+      headers: {
+        "Content-Type": "text/html; charset=utf-8",
+        "Retry-After": "3600",
+        "Cache-Control": "no-store, no-cache, must-revalidate",
+      },
+    });
+  }
+
   // PKCEフローでのパスワードリセット: codeパラメータがルートURLに来た場合は/loginにリダイレクト
   const code = request.nextUrl.searchParams.get("code");
   if (code && request.nextUrl.pathname === "/") {

admin/src/server/contexts/auth/domain/models/tenant-role.ts

@@ -0,0 +1,53 @@
+/**
+ * テナントロール（ドメイン層の型定義）
+ *
+ * const配列 + 型ガード パターンで実装
+ * - 新規実装では interface + const パターンを使用するが、
+ *   enumはPrismaスキーマと同期するため特別扱い
+ */
+
+/** テナントロールの値一覧 */
+export const TENANT_ROLES = ["owner", "admin", "editor"] as const;
+
+/** テナントロール型 */
+export type TenantRole = (typeof TENANT_ROLES)[number];
+
+/**
+ * TenantRole のドメインモデル
+ */
+export const TenantRoleModel = {
+  /**
+   * 値がTenantRoleかどうかを検証
+   */
+  isTenantRole(value: unknown): value is TenantRole {
+    return typeof value === "string" && TENANT_ROLES.includes(value as TenantRole);
+  },
+
+  /**
+   * 指定されたロールが必要な権限を持っているか判定
+   * @param currentRole 現在のロール
+   * @param requiredRole 必要なロール
+   */
+  hasPermission(currentRole: TenantRole, requiredRole: TenantRole): boolean {
+    const hierarchy: Record<TenantRole, number> = {
+      owner: 3,
+      admin: 2,
+      editor: 1,
+    };
+    return hierarchy[currentRole] >= hierarchy[requiredRole];
+  },
+
+  /**
+   * owner権限を持っているか判定
+   */
+  isOwner(role: TenantRole): boolean {
+    return role === "owner";
+  },
+
+  /**
+   * admin以上の権限を持っているか判定
+   */
+  isAdminOrAbove(role: TenantRole): boolean {
+    return role === "owner" || role === "admin";
+  },
+} as const;

admin/src/server/contexts/auth/domain/models/tenant.ts

@@ -0,0 +1,43 @@
+import "server-only";
+
+/**
+ * テナント（契約・管理単位）
+ * 政党や個人議員事務所など、利用者の最上位の管理単位
+ */
+export interface Tenant {
+  id: bigint;
+  name: string;
+  slug: string;
+  description: string | null;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+/**
+ * Tenant のドメインモデル
+ */
+export const TenantModel = {
+  /**
+   * slug のバリデーション
+   * - 英小文字、数字、ハイフンのみ
+   * - 3〜50文字
+   */
+  validateSlug(slug: string): { valid: boolean; message?: string } {
+    if (slug.length < 3 || slug.length > 50) {
+      return { valid: false, message: "slugは3〜50文字で指定してください" };
+    }
+    if (!/^[a-z0-9-]+$/.test(slug)) {
+      return {
+        valid: false,
+        message: "slugは英小文字、数字、ハイフンのみ使用できます",
+      };
+    }
+    if (slug.startsWith("-") || slug.endsWith("-")) {
+      return {
+        valid: false,
+        message: "slugの先頭・末尾にハイフンは使用できません",
+      };
+    }
+    return { valid: true };
+  },
+} as const;

admin/src/server/contexts/auth/domain/models/user-tenant-membership.ts

@@ -0,0 +1,24 @@
+import "server-only";
+
+import type { TenantRole } from "@/server/contexts/auth/domain/models/tenant-role";
+
+/**
+ * ユーザーとテナントの関連（メンバーシップ）
+ */
+export interface UserTenantMembership {
+  id: bigint;
+  userId: string;
+  tenantId: bigint;
+  role: TenantRole;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+/**
+ * テナントメンバーシップ情報（テナント詳細を含む）
+ */
+export interface TenantMembershipWithTenant {
+  membership: UserTenantMembership;
+  tenantSlug: string;
+  tenantName: string;
+}

admin/src/server/contexts/auth/domain/repositories/tenant-repository.interface.ts

@@ -0,0 +1,37 @@
+import "server-only";
+
+import type { Tenant } from "@/server/contexts/auth/domain/models/tenant";
+
+/**
+ * テナント作成時の入力
+ */
+export interface CreateTenantInput {
+  name: string;
+  slug: string;
+  description?: string;
+}
+
+/**
+ * テナントリポジトリインターフェース
+ */
+export interface TenantRepository {
+  /**
+   * IDでテナントを取得
+   */
+  findById(id: bigint): Promise<Tenant | null>;
+
+  /**
+   * slugでテナントを取得
+   */
+  findBySlug(slug: string): Promise<Tenant | null>;
+
+  /**
+   * テナントを作成
+   */
+  create(input: CreateTenantInput): Promise<Tenant>;
+
+  /**
+   * テナントを更新
+   */
+  update(id: bigint, input: Partial<CreateTenantInput>): Promise<Tenant>;
+}