Replace symmetric HS256 JWT verification with asymmetric RS256 using JWKS.
Backend now fetches and caches public keys from Supabase's JWKS endpoint
instead of using a shared secret.
- Add cryptography dependency for RS256 support
- Use PyJWKClient to fetch/cache JWKS from {SUPABASE_URL}/.well-known/jwks.json
- Remove SUPABASE_JWT_SECRET from config, docker-compose, deploy workflow, .env
- Update tests to use RS256 tokens with mocked JWKS client
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Instead of relying on a pre-existing .env file on the server, the
deploy workflow now writes POSTGRES_PASSWORD and SUPABASE_JWT_SECRET
from Gitea secrets. This keeps all secret management in one place.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pass SUPABASE_JWT_SECRET to backend in docker-compose.prod.yml
- Add build args (VITE_API_URL, VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY)
to Dockerfile.prod so Vite inlines them at build time
- Pass build args from secrets in deploy workflow
- Add build section to frontend service in docker-compose.prod.yml
No GoTrue container needed in prod — Supabase Cloud hosts the auth
service. The backend only needs the JWT secret to verify tokens.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Postgres service container is not reachable via localhost from
inside the act runner container. Use the Docker host IP instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The uv-managed Python is externally managed and rejects --system pip
installs. Use uv run --extra dev to handle venv creation, dependency
installation, and test execution in a single step.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The act runner executes steps inside a container where localhost does
not reach the Docker host. Use E2E_API_URL env var (set to the host IP
192.168.1.10:8100 in CI) so both the global setup and Vite proxy can
reach the test API container.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The uv installer places the binary in ~/.local/bin which isn't on
PATH by default in the act runner. Source the env file for the current
step and append to GITHUB_PATH for subsequent steps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace astral-sh/setup-uv action with direct curl install to avoid
Node.js 18 incompatibility (setup-uv v6+ requires Node 20+). Change
e2e test API host port from 8000 to 8100 to avoid conflict with
existing service on the CI runner.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Lint, formatting, and type checks are already enforced by prek pre-commit
hooks, so CI now focuses on running the actual test suites instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add missing tsconfig strictness flags (noUncheckedIndexedAccess,
exactOptionalPropertyTypes, noImplicitOverride,
noPropertyAccessFromIndexSignature) and fix all resulting type errors
- Replace ESLint/Prettier with oxlint 1.48.0 and oxfmt 0.33.0
- Pin all frontend and backend dependencies to exact versions
- Pin GitHub Actions to SHA hashes with persist-credentials: false
- Fix CI Python version mismatch (3.12 -> 3.14) and ruff target-version
- Add vitest 4.0.18 with jsdom environment for frontend testing
- Add ty 0.0.17 for Python type checking (non-blocking in CI)
- Add actionlint and zizmor CI job for workflow linting and security audit
- Add Dependabot config for npm, pip, and github-actions
- Update CLAUDE.md and pre-commit hooks to reflect new tooling
- Ignore Claude Code sandbox artifacts in gitignore
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Set up pre-commit framework with ruff (backend) and ESLint/Prettier/tsc
(frontend) hooks to catch issues locally before CI. Auto-format all
frontend files with Prettier to comply with the new check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rewrite DEPLOYMENT.md to reflect current state (CI/CD, backups, merge
strategy). Expand CI paths-ignore to skip docs, license, gitignore,
and deploy workflow changes. Add merge strategy to CLAUDE.md.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI runs ruff and eslint/tsc on push to develop and PRs. Deploy
workflow is manual (workflow_dispatch) and builds, pushes, and
deploys images to Unraid via SSH.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
