Production rebuild: Expo SDK 56 app + hardened backend + Next.js web + CI/CD

.editorconfig

@@ -0,0 +1,16 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{png,jpg,jpeg,gif,webp,ttf,otf,woff,woff2,ico,hbc}]
+trim_trailing_whitespace = false
+insert_final_newline = false

.gitattributes

@@ -0,0 +1,28 @@
+# Normalize line endings: store as LF in the repo, check out native on each OS.
+# This kills the "LF will be replaced by CRLF" churn while keeping Windows happy.
+* text=auto
+
+# Source and config are always LF.
+*.ts    text eol=lf
+*.tsx   text eol=lf
+*.js    text eol=lf
+*.jsx   text eol=lf
+*.json  text eol=lf
+*.md    text eol=lf
+*.yml   text eol=lf
+*.yaml  text eol=lf
+*.sql   text eol=lf
+*.sh    text eol=lf
+
+# Binary assets — never touch their bytes.
+*.png   binary
+*.jpg   binary
+*.jpeg  binary
+*.gif   binary
+*.webp  binary
+*.ttf   binary
+*.otf   binary
+*.woff  binary
+*.woff2 binary
+*.ico   binary
+*.hbc   binary

.github/ci/supabase-test-prelude.sql

@@ -0,0 +1,53 @@
+-- CI-only Supabase compatibility shims.
+-- supabase_schema.sql targets a Supabase database, which ships an `auth` schema,
+-- an `auth.uid()` function, the anon/authenticated/service_role roles, and the
+-- `supabase_realtime` publication out of the box. A vanilla Postgres service has
+-- none of those, so we create the minimum surface the schema references before
+-- applying it. This proves the DDL, RLS policies, grants, triggers, and indexes
+-- all apply cleanly - it is not a runtime auth emulation.
+
+create extension if not exists "uuid-ossp";
+create extension if not exists "pgcrypto";
+
+-- auth schema + the slice of auth.users our trigger reads (id, email).
+create schema if not exists auth;
+
+create table if not exists auth.users (
+  id                 uuid primary key default gen_random_uuid(),
+  email              text,
+  raw_user_meta_data jsonb default '{}'::jsonb,
+  created_at         timestamptz default now()
+);
+
+-- auth.uid() - the only auth.* function the policies call. Resolves from a JWT
+-- claim GUC when present, else null (no rows visible), matching Supabase.
+create or replace function auth.uid()
+returns uuid
+language sql
+stable
+as $$
+  select nullif(current_setting('request.jwt.claim.sub', true), '')::uuid
+$$;
+
+-- Roles referenced by GRANT and `to <role>` policy clauses.
+do $$
+begin
+  if not exists (select 1 from pg_roles where rolname = 'anon') then
+    create role anon nologin noinherit;
+  end if;
+  if not exists (select 1 from pg_roles where rolname = 'authenticated') then
+    create role authenticated nologin noinherit;
+  end if;
+  if not exists (select 1 from pg_roles where rolname = 'service_role') then
+    create role service_role nologin noinherit bypassrls;
+  end if;
+end $$;
+
+-- The realtime block in the schema ALTERs this publication to add tables, so it
+-- must already exist (Supabase pre-creates it).
+do $$
+begin
+  if not exists (select 1 from pg_publication where pubname = 'supabase_realtime') then
+    create publication supabase_realtime;
+  end if;
+end $$;

.github/workflows/backend-ci.yml

@@ -0,0 +1,51 @@
+name: backend-ci
+
+# Lint + unit/integration tests for the Express API. The health test boots the
+# full middleware stack via supertest (no port bind, expo-server-sdk stubbed),
+# so this also catches a broken route table or a bad require.
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'backend/**'
+      - '.github/workflows/backend-ci.yml'
+  pull_request:
+    paths:
+      - 'backend/**'
+      - '.github/workflows/backend-ci.yml'
+  workflow_dispatch:
+
+concurrency:
+  group: backend-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: backend
+    env:
+      # Dummy credentials so the admin client init does not process.exit(1).
+      # No test reaches Supabase; /health and the geo units never connect.
+      SUPABASE_URL: http://localhost:54321
+      SUPABASE_SERVICE_ROLE_KEY: ci-test-service-role-key
+      NODE_ENV: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: backend/.nvmrc
+          cache: npm
+          cache-dependency-path: backend/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Tests
+        run: npm run test:ci

.github/workflows/deploy-web-pages.yml

@@ -0,0 +1,68 @@
+name: deploy-web-pages
+
+# Builds the web/ app as a static export and publishes it to GitHub Pages.
+# Set these repository secrets first (Settings -> Secrets and variables -> Actions):
+#   NEXT_PUBLIC_API_URL, NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY
+# And enable Pages with "GitHub Actions" as the source (Settings -> Pages).
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'web/**'
+      - '.github/workflows/deploy-web-pages.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: web
+    env:
+      # Project Pages serve under https://<user>.github.io/<repo>, so the app
+      # needs basePath /BludStack. For a custom domain or a <user>.github.io repo,
+      # set this to an empty string.
+      NEXT_PUBLIC_BASE_PATH: /BludStack
+      NEXT_PUBLIC_API_URL: ${{ secrets.NEXT_PUBLIC_API_URL }}
+      NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: web/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build static export
+        run: npm run build
+
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: web/out
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/eas-build.yml

@@ -0,0 +1,61 @@
+name: eas-build
+
+# Owner-triggered cloud build. Runs on a version tag (v1.2.3) or manual dispatch.
+# Requires the EXPO_TOKEN repository secret (Expo access token). This does not run
+# on every push - device builds cost money and minutes.
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      platform:
+        description: Platform to build
+        type: choice
+        default: all
+        options: [all, android, ios]
+      profile:
+        description: EAS build profile
+        type: choice
+        default: production
+        options: [production, preview, development]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: mobile
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: mobile/.nvmrc
+          cache: npm
+          cache-dependency-path: mobile/package-lock.json
+
+      - name: Setup EAS
+        uses: expo/expo-github-action@v8
+        with:
+          eas-version: latest
+          token: ${{ secrets.EXPO_TOKEN }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Guard EXPO_TOKEN
+        run: |
+          if [ -z "${{ secrets.EXPO_TOKEN }}" ]; then
+            echo "::error::EXPO_TOKEN secret is not set. Add it in repo Settings -> Secrets -> Actions."
+            exit 1
+          fi
+
+      - name: EAS build
+        run: |
+          eas build \
+            --non-interactive \
+            --no-wait \
+            --platform "${{ github.event.inputs.platform || 'all' }}" \
+            --profile "${{ github.event.inputs.profile || 'production' }}"

.github/workflows/mobile-ci.yml

@@ -0,0 +1,54 @@
+name: mobile-ci
+
+# Static verification for the Expo app: install, typecheck, lint, unit tests,
+# Expo health, and a Metro bundle. No device build here - that lives in
+# eas-build.yml and is owner-triggered.
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'mobile/**'
+      - '.github/workflows/mobile-ci.yml'
+  pull_request:
+    paths:
+      - 'mobile/**'
+      - '.github/workflows/mobile-ci.yml'
+  workflow_dispatch:
+
+concurrency:
+  group: mobile-ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: mobile
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: mobile/.nvmrc
+          cache: npm
+          cache-dependency-path: mobile/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Unit tests
+        run: npm run test:ci
+
+      - name: Expo Doctor
+        run: npx expo-doctor
+
+      - name: Metro export (Android)
+        run: npx expo export --platform android --output-dir dist