Project codespace compatibility

.cursor/rules/integration-scripts-test-http.mdc

@@ -0,0 +1,12 @@
+---
+description: Integration scripts under scripts/test-*.ts must share HTTP helpers
+globs: scripts/test-*.ts
+---
+
+# Integration test scripts
+
+- **Do not** copy `fetch` blocks, `/api/auth/login` + `/api/login`, or cookie handling into new scripts.
+- **Do** import from [`scripts/test-http.ts`](scripts/test-http.ts): `apiJsonRequest`, `apiRawRequest`, `loginForTests`, `getTestBaseUrl`, `isConnectionRefused`, and extend that module if you need JSON unwrap or retries.
+- **Do not** treat “no rows” as success when the script is meant to exercise APIs — seed or create minimal data first, then assert (see `test-supplier-portal.ts` + `ensureSupplierPurchaseOrder`).
+- **Rate limits**: login scripts may see HTTP 429; warn and exit 0 is acceptable so reruns are not confused with broken auth.
+- CSV/unit tests: assert **structure** (e.g. locate header row by content), not fixed line indices, when generators emit title/metadata before headers.

.cursor/rules/use-async-resource.mdc

@@ -0,0 +1,30 @@
+---
+description: Contract for useAsyncResource to prevent loading/refetch loops
+globs: client/src/**/*.tsx
+---
+
+# useAsyncResource fetcher contract
+
+When using `useAsyncResource` from `@/hooks/use-async-resource`:
+
+1. **Always pass a memoized fetcher** with `useCallback`. Example:
+   ```ts
+   const fetcher = useCallback((): Promise<MyType[]> => fetchMyData(), []);
+   // or with deps when query params change:
+   const fetcher = useCallback(
+     (): Promise<MyType[]> => fetchMyData(status, supplier),
+     [status, supplier],
+   );
+   const { loading, error, data, refetch } = useAsyncResource(fetcher);
+   ```
+   Do **not** pass an inline function (e.g. `() => fetchX()`). An inline fetcher gets a new identity every render, so the effect that depends on `fetcher` re-runs every time and can cause an infinite refetch loop.
+
+2. **DataState list rendering**: When the hook's `data` is an array and you pass it to `DataState`'s children render prop, guard against non-array `data` (e.g. API envelope or error shape):
+   ```ts
+   {(list) => {
+     const safeList = Array.isArray(list) ? list : [];
+     return safeList.map(...);
+   }}
+   ```
+
+Pages that use `useAsyncResource`: home (Control Tower), orders, logistics, exceptions, integrations. Ensure every one uses a `useCallback`-wrapped fetcher and safe array handling where applicable.

.devcontainer.disabled/README.md

@@ -0,0 +1,15 @@
+# Dev container moved to `.devcontainer/`
+
+The active **Docker Compose devcontainer** (Postgres service hostname **`db`**, app + DB for **GitHub Codespaces**) lives in **`/.devcontainer/`** at the repo root.
+
+This folder is kept as a short pointer so older docs and bookmarks still resolve.
+
+## Windows desktop (no Docker)
+
+Use **`docs/WINDOWS-LOCAL-SETUP.md`**, **`npm run dev`**, and **`npm run doctor:win`**.
+
+If **VS Code / Cursor** offers **“Reopen in Container”**, you can choose **Reopen locally** and continue with a normal Windows Postgres install.
+
+## Why this folder used to exist
+
+Previously the devcontainer config was renamed to **`.devcontainer.disabled`** to reduce Dev Container detection on Windows. That broke **GitHub Codespaces** (no `db` host, `ENOTFOUND db`). The repo now ships **`.devcontainer`** again so Codespaces gets Postgres automatically.

.devcontainer/Dockerfile

@@ -0,0 +1,36 @@
+FROM mcr.microsoft.com/devcontainers/javascript-node:20-bookworm
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    python3 \
+    pkg-config \
+    libcairo2-dev \
+    libjpeg-dev \
+    libpango1.0-dev \
+    libgif-dev \
+    librsvg2-dev \
+    libpixman-1-dev \
+    libvips-dev \
+    libsqlite3-dev \
+    postgresql-client \
+  && rm -rf /var/lib/apt/lists/*
+
+# All browsers (Chromium, Firefox, WebKit) — single source of truth; bump @1.x.x when upgrading @playwright/test in package-lock.json.
+RUN npx -y playwright@1.58.2 install-deps \
+  && rm -rf /var/lib/apt/lists/*
+
+# GitHub CLI: `npm run codespaces:ports-public` and codespaces-up port visibility automation.
+# git-lfs: satisfy repo hooks when Git LFS is configured.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    wget \
+    ca-certificates \
+    git-lfs \
+  && mkdir -p -m 755 /etc/apt/keyrings \
+  && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+    | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
+  && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+  && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+    | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+  && apt-get update && apt-get install -y --no-install-recommends gh \
+  && git lfs install --system \
+  && rm -rf /var/lib/apt/lists/*

.devcontainer/devcontainer.json

@@ -0,0 +1,27 @@
+{
+  "name": "inventory-manager-codespace",
+  "dockerComposeFile": "docker-compose.yml",
+  "service": "app",
+  "workspaceFolder": "/workspace",
+  "remoteUser": "node",
+  "shutdownAction": "stopCompose",
+  "forwardPorts": [5000],
+  "portsAttributes": {
+    "5000": {
+      "label": "Inventory Manager",
+      "onAutoForward": "openBrowserOnce",
+      "protocol": "http",
+      "visibility": "public"
+    }
+  },
+  "postCreateCommand": "bash .devcontainer/post-create.sh",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "bradlc.vscode-tailwindcss"
+      ]
+    }
+  }
+}

.devcontainer/docker-compose.yml

@@ -0,0 +1,45 @@
+version: "3.8"
+
+services:
+  app:
+    build:
+      context: ..
+      dockerfile: .devcontainer/Dockerfile
+    volumes:
+      - ..:/workspace:cached
+    command: sleep infinity
+    depends_on:
+      db:
+        condition: service_healthy
+    environment:
+      DATABASE_URL: postgresql://postgres:postgres@db:5432/inventory_dev
+      PGHOST: db
+      PGPORT: "5432"
+      PGDATABASE: inventory_dev
+      PGUSER: postgres
+      PGPASSWORD: postgres
+      NODE_ENV: development
+      CHOKIDAR_USEPOLLING: "true"
+      # Pass through from the Codespaces host so Express trusts X-Forwarded-Proto and sets Secure cookies.
+      CODESPACES: ${CODESPACES:-}
+      CODESPACE_NAME: ${CODESPACE_NAME:-}
+      GITHUB_CODESPACES: ${GITHUB_CODESPACES:-}
+      GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN: ${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN:-}
+
+  db:
+    image: postgres:16-bookworm
+    restart: unless-stopped
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: inventory_dev
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres -d inventory_dev"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+volumes:
+  postgres-data:

.devcontainer/post-create.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd /workspace
+
+if [ ! -f .env ]; then
+  cp .env.example .env
+fi
+
+bash scripts/npm-ci-robust.sh
+
+echo "Waiting for PostgreSQL to become ready..."
+for attempt in {1..30}; do
+  if pg_isready -h "${PGHOST:-db}" -p "${PGPORT:-5432}" -U "${PGUSER:-postgres}" >/dev/null 2>&1; then
+    break
+  fi
+
+  if [ "$attempt" -eq 30 ]; then
+    echo "PostgreSQL did not become ready in time." >&2
+    exit 1
+  fi
+
+  sleep 2
+done
+
+npm run db:push
+
+# System libraries for Chromium, Firefox, and WebKit (matches upstream Playwright; avoid hand-picked apt lib lists).
+echo "Installing Playwright OS dependencies (all browsers)..."
+if command -v sudo >/dev/null 2>&1; then
+  sudo npx playwright install-deps
+else
+  npx playwright install-deps
+fi
+
+echo "Installing Playwright browser binaries..."
+npx playwright install

.env.example

@@ -0,0 +1,32 @@
+# ISS Sourcing — copy to `.env` and adjust. Never commit `.env`.
+# Windows: docs/WINDOWS-LOCAL-SETUP.md
+#
+# GitHub Codespaces (Docker devcontainer): Postgres is on host `db` (see `.devcontainer/docker-compose.yml`).
+# The app loads this file with override=false so Compose-injected DATABASE_URL / PG* are NOT replaced by
+# laptop-local values. If you still see wrong DB host inside Codespaces, remove DATABASE_URL from `.env` there.
+
+# --- PostgreSQL (recommended: PG* vars; db.ts builds DATABASE_URL) ---
+PGHOST=localhost
+PGPORT=5432
+PGDATABASE=iss_sourcing
+PGUSER=postgres
+PGPASSWORD=postgres
+PGSSLMODE=disable
+
+# Or set a single URL (then PG* above are ignored by the app if this is set):
+# DATABASE_URL=postgresql://postgres:postgres@localhost:5432/iss_sourcing?sslmode=disable
+
+# --- App ---
+NODE_ENV=development
+SESSION_SECRET=change-me-to-a-long-random-string-in-production
+
+HOST=127.0.0.1
+PORT=5000
+CLIENT_PORT=5000
+DB_PORT=5432
+
+# Optional: auto-seed when DB is empty (default true in dev, false in production)
+# AUTO_SEED_ON_EMPTY_DB=true
+
+# Optional: PASSWORD_MAX_AGE_DAYS, OPERATIONAL_EXCEPTION_SCAN_INTERVAL_MINUTES
+# Optional: EMAIL_*, TWILIO_*, DISABLE_NOTIFICATION_* — see docs/ENV-CONFIG.md

.gitattributes

@@ -0,0 +1,6 @@
+# Normalize line endings so bash/docs validation and CI stay consistent (Linux runners).
+* text=auto
+*.sh text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+.env.example text eol=lf

.github/dependabot.yml

@@ -0,0 +1,22 @@
+# Weekly dependency bumps (npm + Actions). Alerts still require GitHub "Dependabot alerts" repo setting enabled.
+# Workflow steps now pin immutable SHAs — Dependabot proposes digest bumps weekly (package-ecosystem: github-actions).
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - security
+    open-pull-requests-limit: 15
+    versioning-strategy: increase-if-necessary
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - security
+    open-pull-requests-limit: 5

.github/workflows/artifact-attestation-experimental.yml

@@ -0,0 +1,65 @@
+name: Artifact attestation (experimental)
+
+# Runs after a successful Security supply chain workflow on the default branch, or manually.
+# Non-blocking OIDC attestation step remains continue-on-error — see docs/security/artifact-attestation.md
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Security supply chain"]
+    types: [completed]
+    branches: [main, master]
+
+permissions:
+  contents: read
+  id-token: write
+  attestations: write
+
+jobs:
+  attest-build:
+    if: >-
+      github.event_name == 'workflow_dispatch'
+      || (github.event.workflow_run.conclusion == 'success'
+          && (github.event.workflow_run.head_branch == 'main'
+              || github.event.workflow_run.head_branch == 'master'))
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: "24"
+          cache: npm
+
+      - name: npm ci
+        run: npm ci
+
+      - name: Verify package manifest drift
+        run: npm run verify:package-manifests
+
+      - name: Build production artifact
+        run: npm run build
+
+      - name: Generate CycloneDX SBOM
+        run: npm run security:sbom
+
+      - name: Pack dist artifact
+        shell: bash
+        run: tar -czf invtrack-dist.tgz dist sbom.cdx.json
+
+      - name: Sign attestation for dist artifact
+        uses: actions/attest@v2
+        with:
+          subject-path: invtrack-dist.tgz
+
+      - name: Sign attestation for SBOM file
+        uses: actions/attest@v2
+        with:
+          subject-path: sbom.cdx.json
+          predicate-type: https://cyclonedx.org/schema
+          predicate: "{}"