Thoughts
Tat-Tally Session 38 (2026-03-14): Infrastructure Hardening S18-S22

Completed all 5 infrastructure should-fix items from the pre-Norfolk audit:

- S18: Replaced custom ErrorBoundary class components in admin and display apps with Sentry.ErrorBoundary (matching judge/mc/entrant pattern). Errors now auto-report to Sentry instead of only console.error.
- S19: Added VITE_APP_VERSION as a Dockerfile build arg (defaults to "unknown"). Added to all 5 .env.example files. Pass git SHA at build time: `docker build --build-arg VITE_APP_VERSION=$(git rev-parse --short HEAD) .`
- S20: Added non-root user to Dockerfile production stage (addgroup/adduser + USER app).
- S21: Added HEALTHCHECK to Dockerfile using `wget --spider http://localhost:3000/health` with 30s interval and 5s timeout.
- S22: Changed CI node-version from 22 to 20, aligning with Dockerfile's node:20-alpine.

Also in this session: Created GitHub repo (dave-tedder/tat-tally, private) and pushed all work from sessions 34-38 (117 files, 20k+ lines). Previously had no remote configured. Going forward, pushing after each session.

Remaining should-fix items: S1 (Twilio signature validation), S8-S17 (error sanitization, DB locks, frontend resilience, safety guards). Multi-tenancy RLS (S3-S7) deferred past Norfolk.
Tat-Tally Session 37-38: Fixed all 5 pre-Norfolk blockers + infrastructure hardening (S18-S22).

BLOCKERS RESOLVED:

- B1: Auth-gated seed-event Edge Function with admin JWT auth + dynamic CORS (matching create-judge pattern). Previously had zero auth and bypassed all RLS. Deployed v5.
- B2: Added Sentry.ErrorBoundary to entrant app (was the only app missing one). Includes fallback with error message + reload button matching judge/mc pattern.
- B3: Fixed Dockerfile by adding `cd src/shared && npm install` before app build steps. The @tat-tally/shared package wasn't being installed, risking Docker build failures.
- B4: Fixed CI workflow (.github/workflows/ci.yml) by adding shared package install step before each app's npm ci.
- B5: Applied dynamic CORS (ALLOWED_ORIGINS + getCorsHeaders) to check-approaching (v4) and send-sms (v3) Edge Functions. These were the last 2 functions still using Access-Control-Allow-Origin: *. Also fixed S2 (strict === equality instead of .includes() for service role key auth) in both functions.

INFRASTRUCTURE HARDENING (Session 38, done by follow-up session):

- S18: Admin and display ErrorBoundaries switched from custom console.error to Sentry.ErrorBoundary
- S19: VITE_APP_VERSION added as Dockerfile build arg (pass git SHA at build time)
- S20: Dockerfile now runs as non-root user (addgroup/adduser + USER app)
- S21: HEALTHCHECK added to Dockerfile (wget /health endpoint)
- S22: Node version aligned to 20 LTS in both CI and Docker

All 5 apps pass tsc --noEmit. All Edge Functions deployed to Supabase project ovdtlcpgeydtgjnsxtqk.

Norfolk status: GO. Remaining work is should-fix items S1, S8-S17 and multi-tenancy RLS S3-S7.
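
The B5 and S2 items above come down to two exact-match checks: an origin allowlist and a whole-token key comparison. The sketch below is an added example, not Tat-Tally code, written as plain JavaScript string logic; the origins, the key value and the helper names other than ALLOWED_ORIGINS and getCorsHeaders are constructed, and the loose check is an assumed shape of the pre-fix code.

```javascript
// Added example, not Tat-Tally code. ALLOWED_ORIGINS and getCorsHeaders are the
// names from the notes; every other name and all values are constructed.
const ALLOWED_ORIGINS = [
  "https://admin.example.test",
  "https://judge.example.test",
];

// Echo the Origin only when it is an exact member of the allowlist (Array
// includes compares whole elements). Other origins get no allow-origin header.
function getCorsHeaders(origin) {
  const headers = {
    "Access-Control-Allow-Headers": "authorization, content-type",
    "Vary": "Origin", // keep caches from reusing a response across origins
  };
  if (typeof origin === "string" && ALLOWED_ORIGINS.includes(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Assumed shape of the pre-S2 check: String includes is a substring test, so
// it accepts headers that merely contain the key, and any header at all when
// the key is "" (for instance an unset environment variable).
function isServiceRoleLoose(authHeader, key) {
  return typeof authHeader === "string" && authHeader.includes(key);
}

// Post-S2 shape: the complete bearer token must equal a non-empty key.
function isServiceRoleStrict(authHeader, key) {
  const prefix = "Bearer ";
  if (typeof key !== "string" || key.length === 0) return false;
  if (typeof authHeader !== "string" || !authHeader.startsWith(prefix)) return false;
  return authHeader.slice(prefix.length) === key;
}

const SAMPLE_KEY = "constructed-service-role-key"; // placeholder, not a real key
```

The empty-key case is the one worth a regression test: a missing environment variable turns the substring check into one that always passes, while the strict check rejects the request.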