Feat/trpc scoped tokens#1
Open
theosteininger wants to merge 13 commits into
BREAKING: Apps now run under their own subdomain instead of sub-paths.
Removed:
- src/lib/nav.tsx (Link/useRouter/usePathname wrappers for sub-path)
- src/lib/basePath.ts (BASE_PATH constant and getApiBase())
- start.sh (monolithic bootstrap script)
- detach.sh (template detach script)
- setup-postgres.sh (standalone PG setup)
Changed:
- All imports from @/lib/nav replaced with next/link + next/navigation
- api.ts: removed BASE_PATH prefix logic, fetch goes directly to /api/...
- next.config.ts: removed assetPrefix
- layout.tsx: removed PREFIX for favicon
- providers.tsx: removed base-path redirect logic
- const.ts: removed NEXT_PUBLIC_BASE_PATH from getLoginUrl()
Added:
- scripts/start-all.sh: idempotent bootstrap (PG install + daemon + migrate + seed + Next.js)
Removed:
- dev: No dev mode, only production builds (bot iterates via check+build)
- format: Not needed in automated workflow
- db:push: Dangerous for production data, only db:generate+db:migrate allowed
…md, DEPLOYMENT.md
Removed all references to:
- @/lib/nav, basePath.ts, NEXT_PUBLIC_BASE_PATH, assetPrefix
- start.sh, detach.sh, setup-postgres.sh
- pnpm dev, db:push, pnpm format
- Two-app pattern (debug + prod)
- Sub-path proxy routing model
- nano runner type
Updated to reflect new architecture:
- Direct next/link + next/navigation
- scripts/start-all.sh as sole bootstrap
- small runner type
- Production-only builds
- Unix socket PostgreSQL
… template generic
Migrate the JSON API from Next.js Route Handlers to tRPC 11 (fetch adapter, no Express), mirroring the Lectio app so its scoped-token pattern ports directly.
- server/_core: context.ts (cookie / scoped-JWT / super-admin-key auth), trpc.ts (public/protected/admin/superAdmin procedures + checkResourceAccess), apiTokens.ts (generateScopedToken), openapi.ts; cookies/env extended.
- server/routers: auth, tenant, payment, superAdmin, system (22 endpoints migrated).
- Scoped tokens carry allowedProcedures (endpoint scope) + allowedResourceIds (row-level security via checkResourceAccess); super-admin key + impersonation.
- REST/OpenAPI mirror via trpc-to-openapi: /api/rest, /api/openapi.json (+ /scoped), Scalar docs at /api/docs. Kept Route Handlers for webhook/upload/chat/pdf/health.
- Client migrated to trpc hooks (providers, useAuth, 11 views); removed src/lib/api.ts.
- Tests: server/_core/scopes.test.ts (14 scope/RLS/super-admin cases).
- Docs: llm.txt, CONVENTIONS, ARCHITECTURE, README, .env.example, docs/SCOPED_TOKENS.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
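The two-layer scope check that commit message describes, as an added TypeScript sketch that is not code from this pull request. Only the names `allowedProcedures`, `allowedResourceIds` and `checkResourceAccess` come from the commit message; the claim shape, `checkProcedureAccess`, `authorize`, exact-match comparison and deny-on-empty behaviour are assumptions.

```typescript
// Added sketch: field names follow the commit message, all bodies are assumed.
type ScopedClaims = {
  sub: string;
  allowedProcedures: string[];  // endpoint scope, e.g. "tenant.get"
  allowedResourceIds: string[]; // row-level scope
  exp: number;                  // expiry, seconds since epoch
};

type Decision = { ok: boolean; reason: string };

// Endpoint scope: exact match only, no wildcards or prefixes (assumption).
function checkProcedureAccess(claims: ScopedClaims, procedure: string): Decision {
  return claims.allowedProcedures.includes(procedure)
    ? { ok: true, reason: "allowed" }
    : { ok: false, reason: `procedure ${procedure} not in token scope` };
}

// Row-level scope: an empty list denies everything (fail closed, assumption).
function checkResourceAccess(claims: ScopedClaims, resourceId: string): Decision {
  return claims.allowedResourceIds.includes(resourceId)
    ? { ok: true, reason: "allowed" }
    : { ok: false, reason: `resource ${resourceId} not in token scope` };
}

// Both layers must pass; an in-scope procedure never implies resource access.
function authorize(claims: ScopedClaims, procedure: string,
                   resourceId: string, nowSec: number): Decision {
  if (claims.exp <= nowSec) return { ok: false, reason: "token expired" };
  const endpoint = checkProcedureAccess(claims, procedure);
  if (!endpoint.ok) return endpoint;
  return checkResourceAccess(claims, resourceId);
}

// Constructed sample claims; procedure and resource names are hypothetical.
const sampleClaims: ScopedClaims = {
  sub: "integration-1",
  allowedProcedures: ["tenant.get"],
  allowedResourceIds: ["tenant_a"],
  exp: 1500,
};

console.log(authorize(sampleClaims, "tenant.get", "tenant_a", 1000));
console.log(authorize(sampleClaims, "tenant.get", "tenant_b", 1000));
console.log(authorize(sampleClaims, "payment.list", "tenant_a", 1000));
```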
The main tsconfig excludes **/*.test.ts(x) and vitest (esbuild) only strips types, so test files were never type-checked. Add tsconfig.test.json (own build-info) and a 'pnpm check:test' script covering all *.test.* files.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
check now runs `tsc --noEmit && pnpm check:test`, so the single gate covers both app code and test files.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Restyle the design tokens (src/index.css) to a monochrome, OpenAI-brand look: near-black primary on white, neutral grays, color only on the focus ring, generous radius (0.75rem), light-gray app-shell sidebar. Light + dark.
- Fix active sidebar-nav icon to use sidebar-accent-foreground (was sidebar-primary-foreground, invisible on the now-light active state).
- Add the documented but missing `dev` script (next dev).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Login/Register headings used a hardcoded "Halerium App"; now render t("app_name") like the rest of the UI. Replace the Brain brand icon with Sparkles in Login, Register and Home.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…pp script layout
- `set -o pipefail` in start-all.sh so a failing `pnpm db:migrate | tee` pipeline actually aborts the script instead of being silently swallowed by tee's exit 0
- Replace all `bash start.sh` references in setup.md (file doesn't exist) with the correct `bash scripts/start-db.sh` / `bash scripts/start-all.sh` commands
- Rewrite §3 two-app table: DB app (`<app>-db`) + WebApp (`<app>`) replacing the stale Debug/Production HMR split that belonged to an older monolithic start.sh
- Update required workflow, log section, runner-size, and forbidden-command docs to match the actual two-app DB + WebApp pattern
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
No description provided.