Private
Public Access
1
0
Commit Graph

3 Commits

Author SHA1 Message Date
Catherine Renelle 8f5a931951 Allow dark mode theme script via CSP hash
The inline script in app.html that applies the dark mode class before
paint is not covered by SvelteKit's nonce system. Whitelist it by
its SHA-256 hash instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 08:20:22 -04:00
Catherine Renelle 2d4c3a57da Replace unsafe-inline with CSP nonces for script-src
SvelteKit now handles script-src with automatic nonces via its
built-in CSP support. The hooks handler merges extra directives
(style-src, font-src, img-src, etc.) onto SvelteKit's nonce-based
policy for page responses, and sets a full CSP for API responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 08:16:45 -04:00
Catherine Renelle 2f398711c8 Initial implementation: multi-tenant Kanban board (Phase 1)
Complete Phase 1 foundation with working board, column, and card CRUD:
- SvelteKit + TypeScript + Tailwind CSS v4 + adapter-node
- Full Prisma schema with 18 tables (tenants, users, boards, columns, cards, etc.)
- Multi-tenant architecture with hostname-based tenant resolution
- Email/password auth with bcrypt + session cookies
- Board/Column/Card API routes with full CRUD
- Fractional indexing for drag-and-drop ordering
- Board view with svelte-dnd-action for column and card drag-and-drop
- Card modal with inline editing
- Auth pages (login, register)
- Board listing with create form
- RLS policies SQL script for tenant isolation
- Prisma RLS client extensions (forTenant/bypassRLS)
- Permission helpers (canEditBoard, canManageMembers, etc.)
- Socket.IO server setup (dev Vite plugin + production Express server)
- Client-side socket store for real-time updates
- Docker Compose (app + PostgreSQL 16) + multi-stage Dockerfile
- Database seed script (default tenant + admin user)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 20:58:49 -05:00