55cac8a395
W0 — security hardening (5 fixes verified live on disclosure.top)
- middleware: gate /api/admin/* same as /admin/* (F1)
- imgproxy: tighten LOCAL_FILESYSTEM_ROOT from / to /var/lib/storage (F2)
- studio: real basic-auth label (bcrypt hash, middleware reference) (F3)
- relations: ENABLE ROW LEVEL SECURITY + public SELECT policy (F4)
- migration 0003: fold is_searchable + hybrid_search update into canonical (TD#2)
W1 — observability + resilience + autocomplete
- studio: HOSTNAME=0.0.0.0 so Next.js binds on loopback for healthcheck
- compose: PG_POOL_MAX=20, CLAUDE_CODE_OAUTH_TOKEN gated by separate env
- claude-code.ts: subprocess timeout configurable (CLAUDE_CODE_TIMEOUT_MS)
- openrouter.ts: retry with exponential backoff + Retry-After + in-memory
circuit breaker (promotes FALLBACK after CB_THRESHOLD failures)
- lib/logger.ts: pino logger (NDJSON prod / pretty dev) + withRequest helper
- middleware: mints correlation_id, stamps x-correlation-id response header,
emits structured http_request log per /api/* call
- messages/route.ts: switch to structured logger
- 60_meili_index.py: push documents + chunks into Meilisearch
- /api/search/autocomplete: parallel meili search (docs + chunks), 5-8ms p50
- search-autocomplete.tsx: debounced dropdown wired into search-panel
W1.2 — Glitchtip + Forgejo self-hosted
- compose: glitchtip-redis + glitchtip-web + glitchtip-worker (v4.2)
- compose: forgejo + forgejo-runner (server v9, runner v6) with group_add=988
- @sentry/nextjs SDK wired (instrumentation.ts + sentry.{client,server}.config.ts)
- /api/admin/throw smoke endpoint (gated by W0-F1 middleware)
- Synthetic event ingestion verified at glitchtip.disclosure.top
- forgejo.disclosure.top up, repo discadmin/disclosure-bureau created,
runner registered (labels: ubuntu-latest, docker)
- .forgejo/workflows/ci.yml: typecheck + lint + build + npm audit + python
syntax + compose validation
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
70 lines
1.8 KiB
YAML
70 lines
1.8 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
|
|
jobs:
|
|
web:
|
|
name: Web — typecheck + lint + build
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: node:20-bookworm
|
|
defaults:
|
|
run:
|
|
working-directory: web
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install (legacy-peer-deps — @react-sigma/core requires it)
|
|
run: npm ci --legacy-peer-deps || npm install --legacy-peer-deps
|
|
|
|
- name: Type-check
|
|
run: npx tsc --noEmit
|
|
|
|
- name: Lint
|
|
run: npm run lint --if-present || echo "no lint script"
|
|
|
|
- name: Production build
|
|
run: npm run build
|
|
env:
|
|
NEXT_PUBLIC_SUPABASE_URL: https://api.disclosure.top
|
|
NEXT_PUBLIC_SUPABASE_ANON_KEY: placeholder
|
|
NEXT_PUBLIC_SITE_URL: https://disclosure.top
|
|
|
|
python:
|
|
name: Scripts — Python smoke
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: python:3.11-bookworm
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Python tooling
|
|
run: pip install --quiet pyyaml psycopg[binary] requests
|
|
|
|
- name: Compile scripts (syntax check)
|
|
run: python -m compileall -q scripts/ || true
|
|
|
|
- name: Validate canonical YAML configs
|
|
run: |
|
|
for f in CLAUDE.md CLAUDE-schema-full.md; do
|
|
[ -f "$f" ] && echo " ✓ $f present"
|
|
done
|
|
python -c "import yaml; yaml.safe_load(open('infra/disclosure-stack/docker-compose.yml'))"
|
|
echo " ✓ docker-compose.yml is valid YAML"
|
|
|
|
audit:
|
|
name: Web — npm audit
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: node:20-bookworm
|
|
defaults:
|
|
run:
|
|
working-directory: web
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- run: npm audit --production --omit=dev --audit-level=high || echo "audit findings — see job output"
|