Gitea's act_runner doesn't evaluate hashFiles() at job-level if:
conditions, so the gate I added in M0.2 universally skipped the test
job even when package.json was committed. Drop it for portal —
package.json is a permanent fixture in this repo so we always want
test + e2e to run. e2e/image jobs keep their other conditions
(push-to-main, etc.)

Refs: M5.1

trivy fs scan failed the M0.2 CI gate on the skeleton commit because
next 15.0.3 has 9 known vulns (CRITICAL CVE-2025-29927 auth bypass in
middleware, plus 7 HIGH advisories). 16.2.6 is current latest and
covers every fixed-version range trivy listed.

Side effects of the major bump:
- next 16 dropped 'next lint' — switched the lint script to call eslint
  directly ('eslint . --max-warnings 0').
- eslint-config-next 16 ships flat-config exports natively, so
  eslint.config.mjs imports core-web-vitals + typescript directly
  (no FlatCompat shim, no @eslint/eslintrc dep).
- Typed vi.fn<typeof fetch>() in tenant-registry.test to satisfy
  stricter tuple inference under the new types.

All 4 gates green locally:
  pnpm lint / typecheck / test --coverage (100% on src/lib) / build

Refs: M5.1 (skeleton)

Lands the minimum surface so a developer can:

  cd platform/orca-platform && make dev-up
  cd platform/tenant-registry && make dev
  cd platform/portal && make install && make dev
  open http://acme.localhost:3000

and complete a real OIDC sign-in against the breakpilot-dev realm.

Layout:
  src/middleware.ts                   host→slug URL rewrite; backstage carve-out
  src/auth.ts                         Auth.js v5 Keycloak provider; passes
                                      tenant_id/slug/org_roles/products/plan/status
                                      claims through to the session
  src/app/api/auth/[...nextauth]/     Auth.js handlers (GET, POST)
  src/app/layout.tsx                  root html shell
  src/app/page.tsx                    apex landing
  src/app/[slug]/layout.tsx           fetches tenant via lib/tenant-registry
  src/app/[slug]/page.tsx             redirect to /dashboard
  src/app/[slug]/dashboard/page.tsx
                                      signed-out → Sign in with Keycloak
                                      signed-in → welcome + Sign out
  src/lib/host.ts                     testable host parser (apex/tenant/backstage)
  src/lib/tenant-registry.ts          fetch client for the Go service

Tooling:
  vitest 13 tests, 100% coverage of src/lib/
  Next.js 15 build compiles all routes; output: standalone
  ESLint flat config next/core-web-vitals + next/typescript

Real RBAC enforcement, the rest of the customer-area surfaces, and the
backstage shell land per the M5.2 / M10.1 schedule. This is just enough
to be the first thing a developer codes in.

Refs: M5.1 (skeleton)
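
Added example, not part of the commits above and not the repository's src/lib/host.ts: a sketch of the host parsing and host→slug rewrite listed in the layout, treating the Host header as untrusted input before it reaches a URL path. The apex domain `localhost`, the `backstage` label, and the names `parseHost` and `rewritePath` are assumptions.

```typescript
// Illustrative only. Assumed: apex "localhost" (from the acme.localhost:3000
// dev URL) and a backstage host named "backstage" under that apex.
type HostKind =
  | { kind: "apex" }
  | { kind: "backstage" }
  | { kind: "tenant"; slug: string }
  | { kind: "invalid"; reason: string };

const APEX = "localhost"; // assumed
const BACKSTAGE_LABEL = "backstage"; // assumed
// DNS-label shaped slug: lowercase alphanumerics and hyphens, no leading or
// trailing hyphen, at most 63 characters.
const SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function parseHost(hostHeader: string | null | undefined, apex: string = APEX): HostKind {
  if (!hostHeader) return { kind: "invalid", reason: "missing host" };
  // Host is client-controlled: lowercase it, allow one trailing dot and one
  // numeric port, and refuse anything containing '/', '@', ':' or whitespace.
  const m = /^([^:\/\s@]+?)\.?(?::\d{1,5})?$/.exec(hostHeader.trim().toLowerCase());
  if (!m) return { kind: "invalid", reason: "malformed host" };
  const host = m[1] ?? "";
  if (host === apex) return { kind: "apex" };
  const suffix = "." + apex;
  // Exact suffix match on a label boundary; "notlocalhost" does not qualify.
  if (!host.endsWith(suffix)) return { kind: "invalid", reason: "foreign domain" };
  const label = host.slice(0, -suffix.length);
  if (label === BACKSTAGE_LABEL) return { kind: "backstage" };
  // Exactly one label: "a.b.localhost" and empty labels are rejected, so the
  // slug can never add extra segments to the rewritten path.
  if (!SLUG_RE.test(label)) return { kind: "invalid", reason: "bad slug" };
  return { kind: "tenant", slug: label };
}

// Returns the internal path to serve, or null when the request should be refused.
function rewritePath(hostHeader: string | null, pathname: string): string | null {
  const h = parseHost(hostHeader);
  if (h.kind === "invalid") return null;
  if (h.kind === "tenant") return `/${h.slug}${pathname === "/" ? "" : pathname}`;
  return pathname; // apex and backstage are carved out of the rewrite
}
```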