Operator dashboard PWA: opt-in push notifications / background sync (deferred from #107)

[marcusrbrown]

The PWA (#107) ships installable + offline + prompt-to-update, but push notifications / background sync were deliberately deferred to their own effort. This tracks that follow-up.

Why it's separate

Push is the heaviest, riskiest surface of the PWA:

• Server-side web-push integration + a VAPID keypair (the private key is App-key-grade — must use the readSecret/O_NOFOLLOW pattern, gitignored, never logged).
• A subscription store, which forces a persistence decision for the currently-stateless dashboard.
• A dead-subscription sweeper (push services 404/410 expired subs).
• A notification-frequency policy (per-failure? per-mention? digest?).
• A privacy policy + opt-in consent — the hard rule: any data leaving the device is opt-in, minimum-data, self-hosted where feasible.

Scope when picked up

• Client: SW push + notificationclick handlers; an opt-in consent UI (Notification.requestPermission on user gesture → PushManager.subscribe with the VAPID key); subscribe/unsubscribe endpoints.
• Server: the web-push send path, VAPID keypair provisioning, the subscription store + sweeper, the frequency policy.
• The consent affordance degrades gracefully (off, with explanation) until a compliant push channel exists.

The current SW (web/src/sw.ts) is structured so a push event listener can be added without reworking the existing routing. Suggest a ce:brainstorm → ce:plan pass given the persistence + privacy-policy decisions involved.

[fro-bot]

Triage Summary

This is a valid follow-up feature, not a bug reproduction case. The current PWA baseline has the installable manifest + React SPA shell, but no push/background-sync implementation yet.

What I verified:

• web/public/manifest.webmanifest exists and is linked from web/index.html.
• src/server.ts already pins PWA-relevant CSP directives including worker-src 'self' and manifest-src 'self'.
• /api/monitoring returns a minimized, authenticated, Cache-Control: no-store DTO for the SPA, preserving the no-client-cache/no-sensitive-data posture.
• There is no current service worker source or registration in web/src, no vite-plugin-pwa config in web/vite.config.ts, and no Notification / PushManager / web-push / VAPID code yet.

Verification run:

• pnpm check-types passed.
• pnpm lint passed.
• pnpm test passed: 20 files, 1096 tests.

Recommended Next Steps

1. Run a focused ce:brainstorm pass before implementation. The blocking decisions are product/privacy decisions, not just code shape: notification frequency, exact opt-in copy, what data leaves the device, whether background sync is needed in v1, and whether push should start with pending operator approvals only.
2. Follow with a ce:plan pass that treats this as a high-risk feature because it introduces persistence, browser permission state, VAPID secrets, and a server-initiated outbound channel.
3. Keep the first implementation deliberately narrow: show a consent affordance that remains disabled with an explanation until the compliant server-side push channel and subscription store exist.
4. Preserve the existing PWA security invariants: service worker must cache shell/static assets only, BFF JSON/SSE/auth redirects remain uncached, and any push payload should be minimum-data and non-sensitive.
5. Decide the persistence model explicitly before adding endpoints. The dashboard is otherwise stateless today, so a subscription store plus sweeper is the architectural pivot for this issue.
6. Provision VAPID/private key material through the existing secret-reading pattern (readSecret/O_NOFOLLOW equivalent), gitignore the material, and never log it.
7. Add tests around permission-state UI, subscribe/unsubscribe contracts, expired subscription cleanup on 404/410, no-store/no-sensitive-payload behavior, and disabled/degraded states when push is not configured.

Reproduction Notes

No broken behavior to reproduce. The feature is absent by design: the current branch proves the installable SPA baseline, while push notifications/background sync remain deferred scope.

---

Run Summary

Field	Value
Event	issues
Repository	fro-bot/dashboard
Run ID	28202382465
Cache	hit
Session	ses_0ff427107ffeCtfhd1KhWFX52p