Tripletex · christian-andersson · Mar 21, 2025 · Mar 28, 2025 · Mar 28, 2025 · Mar 28, 2025
@@ -9,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to GHCR
-        uses: docker/login-action@v1
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
             registry: ghcr.io
             username: ${{github.actor}}
             password: ${{secrets.GITHUB_TOKEN}}
 
       - name: build tag and push image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: .
           platforms: linux/amd64

@@ -1,9 +1,28 @@
-# build directory
+# build output
 build
+dist
 
 # Dependency directories
 node_modules/
 
-
 # ide directory
-.idea
+.idea
+*.pem
+
+# Environment files (contain secrets)
+.env
+server/.env
+
+# Deno lock file
+deno.lock
+
+# Test scripts
+test-*.sh
+
+# Provisioning (SSH keys and saved config contain secrets)
+provision_key
+provision_key.pub
+saved-config.json
+
+.claude-memory-private
+.claude/settings.local.json
@@ -0,0 +1,75 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Build and Run Commands
+- Server: `cd server && deno task dev` (dev mode with watch), `deno task start` (production)
+- Admin UI dev: `cd server && deno task dev:admin` (Vite dev server on port 3000)
+- Admin UI build: `cd server && deno task build:admin` (outputs to server/dist/)
+- Tests: `cd server && deno task test`
+- Type check: `cd server && deno task check`
+- Database:
+  - Migrations: `cd server && deno task db:migrate`, `deno task db:migrate:down`
+  - Migration files are in `server/migrations/` (uses node-pg-migrate)
+
+## Server Stack
+- **Runtime**: Deno
+- **Framework**: Hono (Express-like API)
+- **ORM**: Drizzle ORM with postgres.js driver
+- **Validation**: Zod
+- **Auth**: WebAuthn via @simplewebauthn/server
+- **Session**: Custom PostgreSQL-backed session middleware
+- **IDs**: UUIDv7 (time-ordered) for all database record IDs
+
+## Admin UI Stack
+- **Framework**: React 18 with TypeScript
+- **Build**: Vite (deps in server/package.json)
+- **Routing**: react-router-dom v6
+- **Source**: `server/admin/` — built to `server/dist/`, served by the Deno server
+- **Dev proxy**: Vite proxies /api to localhost:4000
+
+## Project Structure
+```
+├── server/
+│   ├── deno.json        # Server config (Deno imports, tasks)
+│   ├── package.json     # Admin UI dependencies (React, Vite)
+│   ├── vite.config.ts   # Admin UI build config
+│   ├── index.html       # Vite entry point
+│   ├── src/             # Hono API server
+│   ├── admin/           # React admin UI source
+│   ├── migrations/      # Database migrations
+│   └── dist/            # Built admin UI output
+└── shared/              # Shared TypeScript types
+```
+
+## Database Migrations
+- Project uses node-pg-migrate for explicit, versioned migrations
+- Migration files are in `server/migrations/` directory
+- Each migration includes up (apply) and down (revert) functions
+
+## Code Style Guidelines
+- **Formatting**: 2-space indentation, single quotes, semicolons, trailing commas
+- **Naming**: camelCase for variables/functions, PascalCase for classes/components
+- **Imports**: 3rd-party first, project imports second, grouped by category; use `.ts` extensions for server code
+- **Types**: Use TypeScript interfaces/types, explicit return types on functions
+- **Error Handling**: try/catch blocks, error middleware (handleErrors wrapper), consistent response structure
+- **Architecture**: Follow separation of concerns (controllers, services, repositories)
+- **Components**: Use functional React components with hooks
+- **State Management**: React hooks for local state
+
+## Security Requirements
+- All user input must be validated and sanitized both on the client side and server side
+- Follow secure authentication practices with WebAuthn
+- Implement proper authorization checks for API endpoints
+- Never log sensitive information (credentials, tokens, PII)
+- Use parameterized queries to prevent SQL injection
+- Apply multi-tenant data isolation throughout the application
+- **Session Security**: Use cryptographically secure session secrets (minimum 32 characters)
+  - Generate with: `deno eval "const a=new Uint8Array(32);crypto.getRandomValues(a);console.log(Array.from(a,b=>b.toString(16).padStart(2,'0')).join(''))"`
+  - Never use default/example secrets in production
+- **XSS Protection**: Comprehensive Cross-Site Scripting prevention implemented
+  - Automatic input sanitization and output encoding
+  - Content Security Policy (CSP) headers with per-request nonces
+- **Tenant Authorization**: Comprehensive multi-tenant authorization system
+  - Role-based access control (Owner/Admin/Member roles)
+  - Cached membership validation for performance (5-min TTL)
@@ -1,35 +1,37 @@
-# ---- Base Node ----
-FROM node:lts AS base
-WORKDIR /usr/src/app
-
-# ---- client ----
-FROM base AS clientbuild
-WORKDIR /usr/src/app
-COPY client/ ./client
-COPY shared/ ./shared
-
-WORKDIR /usr/src/app/client
-RUN ls -lrt
-RUN npm ci
-RUN npm run build
-
-# ---- server ----
-FROM base AS serverbuild
-WORKDIR /usr/src/app
-COPY server/ ./server
-COPY shared/ ./shared
-
-WORKDIR /usr/src/app/server
-RUN ls -lrt
-RUN npm ci
-RUN npm run build
-
-# ---- Release ----
-FROM base AS release
+# ---- Admin UI Build ----
+FROM denoland/deno:2 AS adminbuild
+WORKDIR /app
+
+# Install npm dependencies
+COPY server/package.json server/package-lock.json* ./
+COPY server/.npmrc server/deno.json ./
+RUN deno run -A npm:npm ci
+
+# Build admin UI (matches deno task build:admin)
+COPY server/admin/ ./admin/
+COPY server/public/ ./public/
+COPY server/index.html server/vite.config.ts server/tsconfig.json ./
+RUN deno task build:admin
+
+# ---- Server ----
+FROM denoland/deno:2 AS release
 LABEL org.opencontainers.image.source="https://github.com/Tripletex/SimpleDigitalSignageServer"
-COPY --from=clientbuild /usr/src/app/client/build ./client/
-COPY --from=serverbuild /usr/src/app/server/ ./server
-ENV CLIENT_PATH=../../../../client/
-WORKDIR /usr/src/app/server
+WORKDIR /app/server
+
+# Copy server source and config
+COPY server/deno.json server/.npmrc ./
+COPY server/src/ ./src/
+COPY server/migrations/ ./migrations/
+
+# Cache dependencies
+RUN deno cache src/main.ts
+
+# Copy built admin UI
+COPY --from=adminbuild /app/dist ./dist/
+
+# Run as non-root user (deno user is provided by the base image)
+USER deno
+
 EXPOSE 4000
-CMD [ "node", "build/server/src/server.js" ]
+
+CMD ["deno", "task", "start"]
@@ -1,2 +1,89 @@
 # SimpleDigitalSignageServer
-This is the very beginning of the Simple digital Signage Server project, this is the very initial setup, more will come in the future,
+
+A Digital Signage Server for managing devices, playlists, and multi-tenant organizations. Includes an admin UI for management and serves a signage client on Raspberry Pi devices.
+
+## Tech Stack
+
+- **Runtime**: [Deno](https://deno.land/)
+- **Server**: Hono + Drizzle ORM (PostgreSQL)
+- **Admin UI**: React 18 + Vite + TypeScript
+- **Auth**: WebAuthn (passkeys)
+- **Validation**: Zod
+
+## Development Setup
+
+### Prerequisites
+
+- [Deno](https://deno.land/) (latest)
+- Docker and Docker Compose (for PostgreSQL)
+- Node.js (for admin UI dependencies / Vite)
+
+### Quick Start
+
+```bash
+# Start PostgreSQL
+docker-compose up -d
+
+# Install admin UI dependencies
+cd server && npm install
+
+# Copy and configure environment
+cp .env.example .env
+# Edit .env with your settings
+
+# Run database migrations
+deno task db:migrate
+
+# Start the server (port 4000)
+deno task dev
+
+# In another terminal, start the admin UI dev server (port 3000)
+deno task dev:admin
+```
+
+### Available Tasks (run from `server/`)
+
+```bash
+deno task dev          # Start server with auto-reload
+deno task dev:admin    # Start Vite dev server for admin UI
+deno task start        # Start server (production)
+deno task build:admin  # Build admin UI for production
+deno task test         # Run all tests
+deno task check        # Type-check server code
+deno task db:migrate   # Run database migrations
+deno task db:migrate:down  # Revert last migration
+```
+
+### Environment Variables
+
+Copy `server/.env.example` to `server/.env` and configure:
+- `DB_HOST`, `DB_PORT`, `DB_USER`, `DB_PASSWORD`, `DB_NAME` — PostgreSQL connection
+- `SESSION_SECRET` — Cryptographically secure session secret (min 32 chars)
+- `RP_ID`, `ORIGIN` — WebAuthn relying party config
+
+### Project Structure
+
+```
+├── server/
+│   ├── deno.json        # Server config (Deno imports, tasks)
+│   ├── package.json     # Admin UI dependencies (React, Vite)
+│   ├── vite.config.ts   # Admin UI build config
+│   ├── index.html       # Vite entry point
+│   ├── src/             # Hono API server
+│   ├── admin/           # React admin UI source
+│   ├── migrations/      # Database migrations (node-pg-migrate)
+│   └── dist/            # Built admin UI output
+├── shared/              # Shared TypeScript types
+└── docker-compose.yml   # PostgreSQL dev setup
+```
+
+## API Endpoints
+
+- `POST /api/device/register` - Register a new device
+- `GET /api/device/list` - List all registered devices
+- `GET /api/device/:id` - Get a specific device by ID
+
+## Source Code
+
+This project is open source and available on GitHub:
+[SimpleDigitalSignageServer](https://github.com/Tripletex/SimpleDigitalSignageServer)