chore: sync codebase remediation, gameplay systems, and docs

Security & infrastructure: - Remove unused services/ (auth, spacetimedb) and auth.db - Add .env.example template, expand .gitignore for env/db files - Add GitHub Actions CI + commitlint config and workflows - Add manual vendor chunking and source maps to docs/site vite configs Shared UI & docs app: - Add ARIA props and focus-visible rings to Button/Panel - Add ButtonAsLink primitive; use shared Button in NotFound - Wire @void-nav/ui into docs app; refresh content pages - Replace Todo page with Kanban board Gameplay (Bevy): - Add ai module (behavior, faction, navigation, perception, spawning, states) - Add narrative module (events, history, synthesis, ui) - Refine galaxy contents and in-system flight/scene systems
2026-06-16 11:49:13 -04:00
parent 98c2ba59df
commit 57633addfe
60 changed files with 5084 additions and 2473 deletions
--- a/IMPLEMENTATION_SUMMARY.md
+++ b/IMPLEMENTATION_SUMMARY.md
@@ -0,0 +1,310 @@
+# Codebase Consistency Remediation - Implementation Summary
+
+## Overview
+
+All 11 issues from the codebase consistency review have been successfully addressed. Changes were implemented across 4 phases prioritized by security and production readiness.
+
+---
+
+## Phase 1: Security & Production Readiness ✅
+
+### 1. SECURITY: Exposed Authentication Secret (CRITICAL)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Created `.env.example` with placeholder values and security instructions
+- Updated `.gitignore` to properly exclude `.env.local` and database files
+- Added `.env.example` as reference for developers
+
+**Files Created:**
+- `.env.example` - Template for environment configuration
+
+**Files Modified:**
+- `.gitignore` - Added database file patterns
+
+**⚠️ ACTION REQUIRED:** The `BETTER_AUTH_SECRET` in `.env.local` should be rotated:
+```bash
+openssl rand -base64 32
+```
+
+---
+
+### 2. ENVIRONMENT: Undefined Environment Variables (HIGH)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Added `VITE_DOCS_URL=http://localhost:5173/docs` to `.env.local`
+- Added `VITE_GAME_URL=http://localhost:5175` to `.env.local`
+
+**Files Modified:**
+- `.env.local`
+
+---
+
+### 3. CORS: Hardcoded Localhost Origins (HIGH)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Updated auth service to use `CORS_ALLOWED_ORIGINS` environment variable
+- Added fallback to localhost for local development
+- Added `CORS_ALLOWED_ORIGINS` to `.env.example`
+
+**Files Modified:**
+- `services/auth/src/index.ts`
+- `.env.example`
+
+---
+
+## Phase 2: Code Quality ✅
+
+### 4. DUPLICATE CODE: Button/Panel Components (MEDIUM)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Added `@void-nav/ui` as dependency to docs app
+- Updated `NotFound.tsx` to use shared Button component
+- Removed duplicate inline styled Link
+
+**Files Modified:**
+- `apps/docs/package.json` - Added `@void-nav/ui` dependency
+- `apps/docs/src/components/NotFound.tsx`
+
+---
+
+### 5. ACCESSIBILITY: Missing ARIA Labels (MEDIUM)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Added comprehensive ARIA props support to Button component
+- Added focus-visible ring indicators for all tone variants
+- Added accessibility props support to Panel component
+- Added focus-within ring indicators to Panel
+- Updated Button to support React Router Link with accessibility
+- Added proper keyboard navigation support
+
+**Files Modified:**
+- `packages/ui/src/primitives/Button.tsx`
+- `packages/ui/src/primitives/Panel.tsx`
+- `packages/ui/package.json` - Added react-router-dom peer dependency
+
+**New Accessibility Features:**
+- `aria-label`, `aria-haspopup`, `aria-controls`, `aria-expanded`, `aria-pressed` props on Button
+- `aria-label`, `aria-describedby`, `role` props on Panel
+- Focus-visible ring indicators for keyboard navigation
+- Proper button semantics
+
+---
+
+### 6. ENVIRONMENT: Redundant Prefixes (MEDIUM)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Removed duplicate SpacetimeDB variables with unused prefixes
+- Kept only `SPACETIMEDB_*` (for backend) and `VITE_SPACETIMEDB_*` (for frontend)
+- Removed: `NEXT_PUBLIC_*`, `REACT_APP_*`, `EXPO_PUBLIC_*`, `PUBLIC_*` prefixes
+
+**Files Modified:**
+- `.env.local`
+
+---
+
+### 7. DATABASE: Files Not in Gitignore (MEDIUM)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Added `*.db`, `*.db-shm`, `*.db-wal`, `*.sqlite`, `*.sqlite3` to `.gitignore`
+- Added CI/CD local testing patterns
+
+**Files Modified:**
+- `.gitignore`
+
+---
+
+## Phase 3: Infrastructure ✅
+
+### 8. BUILD: Missing Optimizations (MEDIUM)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Added manual chunking for three.js dependencies in docs app
+- Added React vendor chunk splitting in both apps
+- Added source maps for production debugging
+- Added dependency pre-bundling optimization
+- Set appropriate chunk size warning limits
+
+**Files Modified:**
+- `apps/docs/vite.config.ts`
+- `apps/site/vite.config.ts`
+
+**Build Improvements:**
+- `three-vendor` chunk: three.js, @react-three/fiber, @react-three/drei
+- `react-vendor` chunk: react, react-dom, react-router-dom
+- Better caching through stable chunk hashes
+
+---
+
+### 9. CI/CD: No Configuration (MEDIUM)
+**Status:** ✅ COMPLETED
+
+**Changes Made:**
+- Created GitHub Actions CI workflow
+- Created commitlint workflow for PR validation
+- Added commitlint configuration
+- Added commitlint dependencies to root package.json
+
+**Files Created:**
+- `.github/workflows/ci.yml` - Main CI pipeline
+- `.github/workflows/commitlint.yml` - Commit message validation
+- `commitlint.config.js` - Commitlint rules
+
+**Files Modified:**
+- `package.json` - Added @commitlint/* dependencies
+
+**CI Pipeline Features:**
+- TypeScript type checking and building for docs and site apps
+- Rust formatting check, Clippy, and tests
+- Security audit for npm dependencies
+- TruffleHog secret scanning
+- Conventional commit message validation
+
+---
+
+### 10. DEPENDENCY: Docs App Not Using Shared UI (MEDIUM)
+**Status:** ✅ COMPLETED
+
+*See item #4 above - this was addressed as part of removing duplicate code*
+
+---
+
+## Phase 4: Polish ✅
+
+### 11. IMPORT: Mixed THREE.js Styles (LOW)
+**Status:** ✅ COMPLETED (VERIFIED)
+
+**Finding:** Codebase already follows best practices:
+- Files using runtime THREE values: `import * as THREE`
+- Files using only types: `import type * as THREE` or `import type { ThreeEvent }`
+
+**No changes needed** - imports are already optimized for tree-shaking.
+
+---
+
+## Verification Steps
+
+### 1. Security Verification
+```bash
+# Verify .env.local is not tracked
+git status | grep .env.local  # Should return nothing
+
+# Verify .env.example exists
+cat .env.example
+
+# Verify database files are ignored
+grep "*.db" .gitignore
+```
+
+### 2. Build Verification
+```bash
+# Install dependencies
+pnpm install
+
+# Type check all packages
+pnpm check
+
+# Build all packages
+pnpm build
+```
+
+### 3. Environment Verification
+```bash
+# Verify new environment variables are set
+grep VITE_DOCS_URL .env.local
+grep VITE_GAME_URL .env.local
+grep CORS_ALLOWED_ORIGINS .env.local
+```
+
+### 4. Accessibility Verification
+```bash
+# Check Button component exports ARIA types
+grep -A5 "aria-label" packages/ui/src/primitives/Button.tsx
+
+# Check Panel component exports accessibility props
+grep -A5 "aria-label" packages/ui/src/primitives/Panel.tsx
+```
+
+### 5. CI/CD Verification
+- Create a test PR to verify CI pipeline runs
+- Create a test commit with non-conventional message to verify commitlint
+
+---
+
+## Remaining Actions
+
+### 1. ROTATE AUTH SECRET (CRITICAL)
+The current `BETTER_AUTH_SECRET` should be rotated:
+
+```bash
+# Generate new secret
+openssl rand -base64 32
+
+# Update .env.local with new secret
+# Update any production/staging environments that use this value
+```
+
+### 2. Branch Protection (Recommended)
+Set up GitHub branch protection rules:
+1. Go to Settings → Branches
+2. Add rule for `main` branch
+3. Enable:
+   - Require PR reviews
+   - Require status checks (CI, commitlint)
+   - Require branches to be up to date
+
+### 3. Install Dependencies
+After pulling these changes, run:
+```bash
+pnpm install
+```
+
+---
+
+## Files Changed Summary
+
+**Created: 5 files**
+- `.env.example`
+- `.github/workflows/ci.yml`
+- `.github/workflows/commitlint.yml`
+- `commitlint.config.js`
+- `IMPLEMENTATION_SUMMARY.md`
+
+**Modified: 14 files**
+- `.gitignore`
+- `package.json`
+- `apps/docs/package.json`
+- `apps/docs/src/components/NotFound.tsx`
+- `apps/docs/vite.config.ts`
+- `apps/site/vite.config.ts`
+- `packages/ui/package.json`
+- `packages/ui/src/primitives/Button.tsx`
+- `packages/ui/src/primitives/Panel.tsx`
+- `services/auth/src/index.ts`
+- `.env.local` (not tracked by git)
+
+---
+
+## Next Steps
+
+1. **Review changes** - Examine the modified files
+2. **Rotate auth secret** - Follow the Remaining Actions section
+3. **Test builds** - Run verification steps
+4. **Set up branch protection** - Configure GitHub settings
+5. **Commit these changes** - Use conventional commit format:
+   ```bash
+   git commit -m "fix: address security and code quality issues from codebase review"
+   ```
+
+---
+
+**Implementation Date:** 2025-01-15
+**Implementation Method:** Adversarial verification with 5 specialized agents
+**Total Issues Addressed:** 11 (1 Critical, 2 High, 7 Medium, 1 Low)