-
Notifications
You must be signed in to change notification settings - Fork 0
feat: infrastructure hardening, tailwind 4 migration, and ai type-safety #61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
c372f60
c7f2e7a
615986a
58e0e7a
1322994
557c6a7
e56c38d
8f77d1d
0feb172
ddeb432
e17005f
d48363c
7026de0
3f3d4d3
285948c
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| [defaults] | ||
| org=ufrn-universidade-federal-do-r | ||
| project=smartmanagementesystem | ||
|
|
||
| [auth] | ||
| # Note: The auth token is usually provided via SENTRY_AUTH_TOKEN env var in CI. | ||
| # If running locally, you can run 'sentry-cli login'. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file. | |
| The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), | ||
| and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). | ||
|
|
||
| ## [Unreleased] — 2026-04-11 — Sentry & Build Stability | ||
|
|
||
| ### Added | ||
|
|
||
| - **Sentry v10 Modernization**: migrated to Next.js 15 standards using `src/instrumentation-client.ts` for navigation tracing. | ||
| - **Deep PII Scrubbing**: implemented a recursive sanitization engine in `sentry.server.config.ts` to protect student data (CPF, health hashes) in server logs. | ||
| - **Privacy-First Replays**: enabled Sentry Replay with strict `maskAllInputs: true` and `maskAllText: true` to prevent PII leakage. | ||
| - **DB Connection Heartbeat**: added a surgical `SELECT 1` check in `instrumentation.ts` to verify database health on application boot. | ||
| - **Full-stack User Traceability**: linked Supabase UUID/Email to Sentry context on both client and server. | ||
| - **Vercel CI/CD Integration**: Linked Sentry to Vercel for automated environment variable synchronization and sourcemap deployments. | ||
|
|
||
| ### Changed | ||
|
|
||
| - **Prisma 7 Type Elevation**: removed generic `as any` casts by pinning `@types/pg` to version `8.11.11` via package `overrides`. | ||
| - **Database Pool Governance**: implemented `max: 20`, `idleTimeout`, and `connectionTimeout` in `src/lib/prisma.ts` for improved resilience. | ||
|
|
||
| ### Fixed | ||
|
|
||
| - **ESLint Flat Config**: repaired missing `@typescript-eslint` plugin and parser configuration in `eslint.config.mjs` that was breaking production builds. | ||
|
|
||
|
Comment on lines
+8
to
+27
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Consolidate duplicate This adds another 🤖 Prompt for AI Agents |
||
| ## [0.4.0] — 2026-04-10 — Elite Workflow Setup (004) | ||
|
|
||
| ### Added | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,4 +19,4 @@ | |
| "linkDistance": 250, | ||
| "scale": 0.19753086419753077, | ||
| "close": true | ||
| } | ||
| } | ||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,40 +1,41 @@ | ||||||
| # Current State — Five Star Academy | ||||||
|
|
||||||
| **Last Updated**: 2026-04-10 | ||||||
| **Branch**: `004-elite-workflow-setup` | ||||||
| **Version**: 0.4.0 (pre-release) | ||||||
| **Last Updated**: 2026-04-11 | ||||||
| **Branch**: `fix/telemetry-and-e2e-stability` | ||||||
| **Version**: 0.4.1 (pre-release) | ||||||
|
|
||||||
| ## What Works Today | ||||||
|
|
||||||
| | Feature | Status | Notes | | ||||||
| | ------------------------------------------- | ---------- | ------------------------------ | | ||||||
| | Admin login | ✅ Working | Supabase Auth SSR | | ||||||
| | Student login (Portal do Aluno) | ✅ Working | Separate session | | ||||||
| | Admin dashboard | ✅ Working | GERENTE + RECEPCIONISTA | | ||||||
| | Financial routes (`/financeiro`, `/planos`) | ✅ Working | GERENTE-only gate | | ||||||
| | Student workout view | ✅ Working | `meus-treinos` | | ||||||
| | AI workout generator | ✅ Working | Genkit + Gemini | | ||||||
| | Student enrollment | ✅ Working | Admin creates aluno | | ||||||
| | Gamification (XP, streaks) | ✅ Working | Hook `use-workout-tracker` | | ||||||
| | Prisma migrations | ✅ Tracked | `prisma/migrations/` | | ||||||
| | ESLint quality gate | ✅ Done | 0 errors — `any` + unused vars | | ||||||
| | TypeScript typecheck | ✅ Clean | 0 errors (strict mode) | | ||||||
| | Unit tests | ✅ Passing | 18/18 (Vitest) | | ||||||
| | Ops documentation | ✅ Done | Runbook, SLOs, threat model | | ||||||
| | Process documentation | ✅ Done | RFC + Postmortem templates | | ||||||
| | Local E2E stack | ✅ Done | `supabase start` (Docker) | | ||||||
| | E2E seed script | ✅ Done | `prisma/seed-e2e.ts` (4 users) | | ||||||
| | Playwright E2E suite | ✅ Done | 15/15 passing | | ||||||
| | CI E2E job | ✅ Done | `.github/workflows/ci.yml` | | ||||||
| | Sentry error tracking | ✅ Done | SDK + MCP + CLI configurados | | ||||||
| | Feature | Status | Notes | | ||||||
| | ------------------------------------------- | ------------- | ------------------------------ | | ||||||
| | Admin login | ✅ Working | Supabase Auth SSR | | ||||||
| | Student login (Portal do Aluno) | ✅ Working | Separate session | | ||||||
| | Admin dashboard | ✅ Working | GERENTE + RECEPCIONISTA | | ||||||
| | Financial routes (`/financeiro`, `/planos`) | ✅ Working | GERENTE-only gate | | ||||||
| | Student workout view | ✅ Working | `meus-treinos` | | ||||||
| | AI workout generator | ✅ Working | Genkit + Gemini | | ||||||
| | Student enrollment | ✅ Working | Admin creates aluno | | ||||||
| | Gamification (XP, streaks) | ✅ Working | Hook `use-workout-tracker` | | ||||||
| | Prisma migrations | ✅ Tracked | `prisma/migrations/` | | ||||||
| | ESLint quality gate | ✅ Done | 0 errors — `any` + unused vars | | ||||||
| | TypeScript typecheck | ✅ Clean | 0 errors (strict mode) | | ||||||
| | Unit tests | ✅ Passing | 18/18 (Vitest) | | ||||||
| | Ops documentation | ✅ Done | Runbook, SLOs, threat model | | ||||||
|
Comment on lines
+20
to
+23
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sync reported counts across this document. The updated values conflict with other sections (e.g., unit test total and warning counts). Please reconcile these numbers so readiness status is unambiguous. Also applies to: 33-39 🤖 Prompt for AI Agents |
||||||
| | Process documentation | ✅ Done | RFC + Postmortem templates | | ||||||
| | Local E2E stack | ✅ Done | `supabase start` (Docker) | | ||||||
| | E2E seed script | ✅ Done | `prisma/seed-e2e.ts` (4 users) | | ||||||
| | Playwright E2E suite | ✅ Done | 15/15 passing | | ||||||
| | CI E2E job | ✅ Done | `.github/workflows/ci.yml` | | ||||||
| | Sentry error tracking | ✅ Modernized | Next.js 15, v10, User Context | | ||||||
|
|
||||||
| ## What Is Incomplete | ||||||
|
|
||||||
| | Area | Gap | Priority | | ||||||
| | ------------- | -------------------------------------------------------------- | -------- | | ||||||
| | CI security | 3 moderate vulns in `@prisma/dev` (transitive, non-production) | P3 | | ||||||
| | Lint warnings | 31 `no-console` warnings remain (not errors) | P3 | | ||||||
| | GitHub secret | `SUPABASE_LOCAL_SERVICE_ROLE_KEY` must be set for CI seed step | P1 | | ||||||
| | Area | Gap | Priority | | ||||||
| | ------------- | ------------------------------------------------------------------ | -------- | | ||||||
| | CI security | 3 moderate vulns in `@prisma/dev` (transitive, awaiting upstream) | P3 | | ||||||
| | Lint warnings | 31 `no-console` warnings remain (accepted for server debug) | P3 | | ||||||
| | GitHub secret | `SUPABASE_LOCAL_SERVICE_ROLE_KEY` must be set for CI seed | P1 | | ||||||
| | Env Sync | Ensure `NEXT_PUBLIC_SENTRY_DSN` is set in production for scrubbing | P1 | | ||||||
|
|
||||||
| ## Quality Gates (current status) | ||||||
|
|
||||||
|
|
@@ -80,22 +81,29 @@ npm run e2e → ✅ 15/15 passing | |||||
|
|
||||||
| ## Phase Progress (004-elite-workflow-setup) | ||||||
|
|
||||||
| | Phase | Description | Status | | ||||||
| | ----- | --------------------------- | ----------- | | ||||||
| | 1–3 | Governance & constitution | ✅ Complete | | ||||||
| | 4 | Staging environment (local) | ✅ Complete | | ||||||
| | 5 | ESLint quality gates | ✅ Complete | | ||||||
| | 6 | Coverage thresholds | ✅ Complete | | ||||||
| | 7 | Playwright E2E | ✅ Complete | | ||||||
| | 8 | Sentry error tracking | ✅ Complete | | ||||||
| | 9 | Polish & PR | ✅ Complete | | ||||||
| | Phase | Description | Status | | ||||||
| | ----- | ------------------------------- | ----------- | | ||||||
| | 1–3 | Governance & constitution | ✅ Complete | | ||||||
| | 4 | Staging environment (local) | ✅ Complete | | ||||||
| | 5 | ESLint quality gates | ✅ Complete | | ||||||
| | 6 | Coverage thresholds | ✅ Complete | | ||||||
| | 7 | Playwright E2E | ✅ Complete | | ||||||
| | 8 | Sentry & Infra Hardening | ✅ Complete | | ||||||
| | 9 | Tailwind 4 & Type Safety Update | ✅ Complete | | ||||||
|
|
||||||
| ## Technical Debt Governance | ||||||
|
|
||||||
| The following items are recognized as "Managed Debt" — intentional compromises for compatibility or performance: | ||||||
|
|
||||||
| 1. **Sentry Boundary Casts**: Use of `any` in `beforeSend` (suppressed with `eslint-disable`) is required due to Sentry SDK interface rigidness. | ||||||
| 2. **Server console.log**: 31 warnings in Server Actions are preserved to ensure minimal observability in the terminal during development. | ||||||
| 3. **Prisma Type Overrides**: We use `@pg/types` pinning to resolve Prisma 7/Next 15 conflicts until `@prisma/adapter-pg` upstream fixes land. | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fix dependency name typo in managed debt note. Line [100] references Proposed fix-3. **Prisma Type Overrides**: We use `@pg/types` pinning to resolve Prisma 7/Next 15 conflicts until `@prisma/adapter-pg` upstream fixes land.
+3. **Prisma Type Overrides**: We use `@types/pg` pinning to resolve Prisma 7/Next 15 conflicts until `@prisma/adapter-pg` upstream fixes land.📝 Committable suggestion
Suggested change
🧰 Tools🪛 markdownlint-cli2 (0.22.0)[warning] 100-100: Fenced code blocks should have a language specified (MD040, fenced-code-language) 🤖 Prompt for AI Agents |
||||||
|
|
||||||
| ## Known Issues | ||||||
|
|
||||||
| - 31 `no-console` warnings in server actions and `data.ts` — accepted for now (server-side debug logging) | ||||||
| - `SUPABASE_LOCAL_ANON_KEY` GitHub Actions secret must be set before CI E2E job runs (see RUNBOOK) | ||||||
| - `SUPABASE_LOCAL_SERVICE_ROLE_KEY` GitHub Actions secret must be set for seed step to create test users | ||||||
| - 3 moderate vulnerabilities in `@prisma/dev` (transitive via `prisma@7.7.0`); not reachable in production; awaiting upstream fix | ||||||
| - 31 `no-console` warnings in server actions — accepted for server-side debug logging. | ||||||
| - GitHub Secrets for CI (Playwright) require one-time manual setup. | ||||||
| - Transitive dependency vulnerabilities in `@prisma/dev` (not reachable in production). | ||||||
|
|
||||||
| ## Update Protocol | ||||||
|
|
||||||
|
|
||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,60 @@ | ||||||||||||||||||||||||||
| # ADR-003: Infrastructure & Observability Hardening | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ## Status | ||||||||||||||||||||||||||
| Accepted | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ## Context | ||||||||||||||||||||||||||
| As part of the modernization for Next.js 15, Sentry 10, and Prisma 7, several structural challenges were identified: | ||||||||||||||||||||||||||
| 1. **PII Vulnerability**: Server-side error logs and client-side session replays were potentially capturing sensitive student data (CPF, health hashes). | ||||||||||||||||||||||||||
| 2. **Type Safety Decay**: The move to Prisma 7 with the `pg` driver adapter introduced a version conflict in `@types/pg`, leading to the widespread use of `as any` in the database layer. | ||||||||||||||||||||||||||
| 3. **Connection Governance**: Migrating to a driver adapter pattern (required for some Next.js environments) necessitated more explicit connection pool management to prevent exhaustion in serverless or PgBouncer environments. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ## Decisions | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 1. Recursive PII Scrubbing (Sentry) | ||||||||||||||||||||||||||
| Instead of relying on basic header scrubbing, we implemented a dedicated recursive sanitization engine in `sentry.server.config.ts`. This engine traverses all event breadcrumbs and extra data, replacing values for a defined list of sensitive keys (`cpf`, `password`, `biometriaHash`, etc.) with `[SCRUBBED]`. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 2. Dependency Pinning via Overrides | ||||||||||||||||||||||||||
| To resolve the `ClientBase` return type mismatch between `@types/pg@v8.18+` and `@prisma/adapter-pg`, we decided to: | ||||||||||||||||||||||||||
| - Pin `@types/pg` to version `8.11.11` in both `devDependencies` and the `overrides` field of `package.json`. | ||||||||||||||||||||||||||
| - This ensures that all internal and external consumers of the `pg` types are aligned with the Prisma runtime requirements, allowing for the complete removal of unsafe type assertions in `src/lib/prisma.ts`. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 3. Connection Resilience & Heartbeat | ||||||||||||||||||||||||||
| We enhanced the `PrismaClient` initialization with: | ||||||||||||||||||||||||||
| - **Pool Governance**: Explicit `idleTimeout` and `connectionTimeout` to handle transient network issues. | ||||||||||||||||||||||||||
| - **Boot Heartbeat**: Integrated a `SELECT 1` check into the Next.js `instrumentation.ts` with a 5-second `Promise.race` timeout to verify database health during application startup, preventing "zombie" boot states. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 4. Genkit AI Flow Contract Hardening | ||||||||||||||||||||||||||
| To prevent technical debt in AI integration, we implemented: | ||||||||||||||||||||||||||
| - **Strict Schema Enforcement**: All Genkit flows now utilize Zod schemas for input, output, and streaming, eliminating `as any` casts in the frontend. | ||||||||||||||||||||||||||
| - **Hallucination Detection**: Added Sentry monitoring to log unrecognized exercise suggestions, ensuring that AI-generated plans remain within physiological and logistical constraints defined in `src/lib/constants.ts`. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 5. Tailwind 4 & OKLCH Unified Theme | ||||||||||||||||||||||||||
| Migrated the entire design system to Tailwind 4 (Oxide engine) to leverage: | ||||||||||||||||||||||||||
| - **Native Custom Properties**: Replaced legacy HSL `:root` variables with a unified `@theme` block. | ||||||||||||||||||||||||||
| - **OKLCH Color Space**: Adopted OKLCH tokens for consistent vibrancy and accessibility across the "Premium Dark" interface. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ## Consequences | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### Positive | ||||||||||||||||||||||||||
| - **Privacy Compliance**: Strict adherence to data protection standards for student information. | ||||||||||||||||||||||||||
| - **Developer Experience**: Restored full IDE intellisense and type-checking in the database and AI layers. | ||||||||||||||||||||||||||
| - **Aesthetic Excellence**: Unified, vibrant UI with optimized build performance via Tailwind 4. | ||||||||||||||||||||||||||
| - **Operational Visibility**: Sentry alerts for both infrastructure failures and AI "hallucinations". | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### Negative | ||||||||||||||||||||||||||
| - **Maintenance**: We must monitor Prisma and Genkit SDK updates to revert specific type overrides or casts once upstream packages reach full alignment with Next.js 15. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| --- | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ## Visual Documentation | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 1. Premium Dark Interface (Tailwind 4) | ||||||||||||||||||||||||||
| The new design system ensures a high-fidelity, high-contrast experience using OKLCH color tokens. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
|  | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| ### 2. AI Workout Generator (Genkit) | ||||||||||||||||||||||||||
| Strictly typed integration between the AI service and the student portal. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
|  | ||||||||||||||||||||||||||
|
Comment on lines
+1
to
+60
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Address the Prettier failure for this ADR file. CI already reports formatting issues here; please run Prettier on this file before merge. 🧰 Tools🪛 GitHub Actions: CI[warning] 1-1: Prettier --check reported formatting issues in this file. 🤖 Prompt for AI Agents
Comment on lines
+55
to
+60
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Replace local These links only work on one machine and will be broken in GitHub/docs rendering. Move images into the repo (e.g., Proposed fix pattern-
+
-
+📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix the malformed Sentry setup guidance comment.
Line 63 currently merges two notes (
Cli# ...) and is easy to misread when settingNEXT_PUBLIC_SENTRY_DSNvsSENTRY_AUTH_TOKEN.Suggested doc fix
📝 Committable suggestion
🤖 Prompt for AI Agents