portal

platform/portal

Fork 0

Commit Graph

Author	SHA1	Message	Date
sharang	c051ae0626	fix(deps): bump next 15.0.3 → 16.2.6 to clear trivy CVEs ci / shared (pull_request) Successful in 3s Details ci / test (pull_request) Has been skipped Details ci / e2e (pull_request) Has been skipped Details ci / image (pull_request) Has been skipped Details trivy fs scan failed the M0.2 CI gate on the skeleton commit because next 15.0.3 has 9 known vulns (CRITICAL CVE-2025-29927 auth bypass in middleware, plus 7 HIGH advisories). 16.2.6 is current latest and covers every fixed-version range trivy listed. Side effects of the major bump: - next 16 dropped 'next lint' — switched the lint script to call eslint directly ('eslint . --max-warnings 0'). - eslint-config-next 16 ships flat-config exports natively, so eslint.config.mjs imports core-web-vitals + typescript directly (no FlatCompat shim, no @eslint/eslintrc dep). - Typed vi.fn<typeof fetch>() in tenant-registry.test to satisfy stricter tuple inference under the new types. All 4 gates green locally: pnpm lint / typecheck / test --coverage (100% on src/lib) / build Refs: M5.1 (skeleton)	2026-05-18 23:04:05 +02:00
sharang	ac22ccef9b	feat(app): Next.js 15 + Auth.js v5 portal skeleton ci / shared (pull_request) Failing after 4s Details ci / test (pull_request) Has been skipped Details ci / e2e (pull_request) Has been skipped Details ci / image (pull_request) Has been skipped Details Lands the minimum surface so a developer can: cd platform/orca-platform && make dev-up cd platform/tenant-registry && make dev cd platform/portal && make install && make dev open http://acme.localhost:3000 and complete a real OIDC sign-in against the breakpilot-dev realm. Layout: src/middleware.ts host→slug URL rewrite; backstage carve-out src/auth.ts Auth.js v5 Keycloak provider; passes tenant_id/slug/org_roles/products/plan/status claims through to the session src/app/api/auth/[...nextauth]/ Auth.js handlers (GET, POST) src/app/layout.tsx root html shell src/app/page.tsx apex landing src/app/[slug]/layout.tsx fetches tenant via lib/tenant-registry src/app/[slug]/page.tsx redirect to /dashboard src/app/[slug]/dashboard/page.tsx signed-out → Sign in with Keycloak signed-in → welcome + Sign out src/lib/host.ts testable host parser (apex/tenant/backstage) src/lib/tenant-registry.ts fetch client for the Go service Tooling: vitest 13 tests, 100% coverage of src/lib/ Next.js 15 build compiles all routes; output: standalone ESLint flat config next/core-web-vitals + next/typescript Real RBAC enforcement, the rest of the customer-area surfaces, and the backstage shell land per the M5.2 / M10.1 schedule. This is just enough to be the first thing a developer codes in. Refs: M5.1 (skeleton)	2026-05-18 22:54:52 +02:00

Author

SHA1

Message

Date

sharang

c051ae0626

fix(deps): bump next 15.0.3 → 16.2.6 to clear trivy CVEs

ci / shared (pull_request) Successful in 3s

Details

ci / test (pull_request) Has been skipped

Details

ci / e2e (pull_request) Has been skipped

Details

ci / image (pull_request) Has been skipped

Details

trivy fs scan failed the M0.2 CI gate on the skeleton commit because
next 15.0.3 has 9 known vulns (CRITICAL CVE-2025-29927 auth bypass in
middleware, plus 7 HIGH advisories). 16.2.6 is current latest and
covers every fixed-version range trivy listed.

Side effects of the major bump:
- next 16 dropped 'next lint' — switched the lint script to call eslint
  directly ('eslint . --max-warnings 0').
- eslint-config-next 16 ships flat-config exports natively, so
  eslint.config.mjs imports core-web-vitals + typescript directly
  (no FlatCompat shim, no @eslint/eslintrc dep).
- Typed vi.fn<typeof fetch>() in tenant-registry.test to satisfy
  stricter tuple inference under the new types.

All 4 gates green locally:
  pnpm lint / typecheck / test --coverage (100% on src/lib) / build

Refs: M5.1 (skeleton)

2026-05-18 23:04:05 +02:00

sharang

ac22ccef9b

feat(app): Next.js 15 + Auth.js v5 portal skeleton

ci / shared (pull_request) Failing after 4s

Details

ci / test (pull_request) Has been skipped

Details

ci / e2e (pull_request) Has been skipped

Details

ci / image (pull_request) Has been skipped

Details

Lands the minimum surface so a developer can:

  cd platform/orca-platform && make dev-up
  cd platform/tenant-registry && make dev
  cd platform/portal && make install && make dev
  open http://acme.localhost:3000

and complete a real OIDC sign-in against the breakpilot-dev realm.

Layout:
  src/middleware.ts                host→slug URL rewrite; backstage carve-out
  src/auth.ts                      Auth.js v5 Keycloak provider; passes
                                   tenant_id/slug/org_roles/products/plan/status
                                   claims through to the session
  src/app/api/auth/[...nextauth]/  Auth.js handlers (GET, POST)
  src/app/layout.tsx               root html shell
  src/app/page.tsx                 apex landing
  src/app/[slug]/layout.tsx        fetches tenant via lib/tenant-registry
  src/app/[slug]/page.tsx          redirect to /dashboard
  src/app/[slug]/dashboard/page.tsx
                                   signed-out → Sign in with Keycloak
                                   signed-in  → welcome + Sign out
  src/lib/host.ts                  testable host parser (apex/tenant/backstage)
  src/lib/tenant-registry.ts       fetch client for the Go service

Tooling:
  vitest                           13 tests, 100% coverage of src/lib/
  Next.js 15 build                 compiles all routes; output: standalone
  ESLint flat config               next/core-web-vitals + next/typescript

Real RBAC enforcement, the rest of the customer-area surfaces, and the
backstage shell land per the M5.2 / M10.1 schedule. This is just enough
to be the first thing a developer codes in.

Refs: M5.1 (skeleton)

2026-05-18 22:54:52 +02:00

2 Commits