Thoughts

1 thought of type "observation" about "infrastructure" in the last 30 days
3/14/2026

Tat-Tally Session 37-38: Fixed all 5 pre-Norfolk blockers + infrastructure hardening (S18-S22).

BLOCKERS RESOLVED:
- B1: Auth-gated seed-event Edge Function with admin JWT auth + dynamic CORS (matching create-judge pattern). Previously had zero auth and bypassed all RLS. Deployed v5.
- B2: Added Sentry.ErrorBoundary to entrant app (was the only app missing one). Includes fallback with error message + reload button matching judge/mc pattern.
- B3: Fixed Dockerfile by adding `cd src/shared && npm install` before app build steps. The @tat-tally/shared package wasn't being installed, risking Docker build failures.
- B4: Fixed CI workflow (.github/workflows/ci.yml) by adding shared package install step before each app's npm ci.
- B5: Applied dynamic CORS (ALLOWED_ORIGINS + getCorsHeaders) to check-approaching (v4) and send-sms (v3) Edge Functions. These were the last 2 functions still using Access-Control-Allow-Origin: *. Also fixed S2 (strict === equality instead of .includes() for service role key auth) in both functions.

INFRASTRUCTURE HARDENING (Session 38, done by follow-up session):
- S18: Admin and display ErrorBoundaries switched from custom console.error to Sentry.ErrorBoundary
- S19: VITE_APP_VERSION added as Dockerfile build arg (pass git SHA at build time)
- S20: Dockerfile now runs as non-root user (addgroup/adduser + USER app)
- S21: HEALTHCHECK added to Dockerfile (wget /health endpoint)
- S22: Node version aligned to 20 LTS in both CI and Docker

All 5 apps pass tsc --noEmit. All Edge Functions deployed to Supabase project ovdtlcpgeydtgjnsxtqk. Norfolk status: GO. Remaining work is should-fix items S1, S8-S17 and multi-tenancy RLS S3-S7.
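
The two changes in B5 (allow-list CORS via ALLOWED_ORIGINS and getCorsHeaders, and the S2 switch from .includes() to ===) are sketched below as an added example; it is not the Tat-Tally code. The function bodies, the origins, the key placeholder and the helpers bearerToken, isServiceRoleLoose and isServiceRoleStrict are assumptions, written as plain JavaScript so the block runs on its own.

```javascript
// Added illustration. ALLOWED_ORIGINS and getCorsHeaders are named in the note;
// their bodies here, and every other name and value, are assumptions.
const ALLOWED_ORIGINS = [ // constructed sample origins
  "https://judge.example.test",
  "https://admin.example.test",
];

// Echo the caller's Origin only on an exact allow-list match. For any other
// origin no Access-Control-Allow-Origin is sent, so the browser blocks the read.
function getCorsHeaders(origin) {
  const headers = {
    "Vary": "Origin", // response depends on Origin, so caches must key on it
    "Access-Control-Allow-Headers": "authorization, content-type",
  };
  // Array#includes compares whole elements, unlike the string substring test below.
  if (typeof origin === "string" && ALLOWED_ORIGINS.includes(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

const SERVICE_ROLE_KEY = "constructed-service-role-key"; // placeholder, not a real key

// Pull the token out of "Bearer <token>"; any other shape yields null.
function bearerToken(authorization) {
  const m = /^Bearer (\S+)$/.exec(authorization || "");
  return m ? m[1] : null;
}

// Pre-fix pattern (assumed form): substring test on the raw header. Any header that
// merely contains the key passes, whatever the scheme or surrounding bytes.
function isServiceRoleLoose(authorization) {
  return (authorization || "").includes(SERVICE_ROLE_KEY);
}

// Post-fix pattern: the presented bearer token must equal the key exactly.
function isServiceRoleStrict(authorization) {
  const token = bearerToken(authorization);
  return token !== null && token === SERVICE_ROLE_KEY;
}

// Constructed requests: a listed origin with a clean header, an unlisted origin with a padded one.
for (const [origin, auth] of [
  ["https://judge.example.test", "Bearer " + SERVICE_ROLE_KEY],
  ["https://other.example.test", "Basic x" + SERVICE_ROLE_KEY + "y"],
]) {
  console.log(origin, getCorsHeaders(origin)["Access-Control-Allow-Origin"] ?? "(none)",
    "loose:", isServiceRoleLoose(auth), "strict:", isServiceRoleStrict(auth));
}
```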