Fix dev build tooling, auto-migrate on startup, port fallback, and dev admin auth bypass#27
Merged
Merged
Conversation
Tool dependencies (templ, sqlc, goose) are now pinned in go.mod via the `tool` directive and invoked as `go tool <name>` in .air.toml, the Makefile, and CI. This keeps the generator version locked to the runtime version and fixes the build failure caused by drift (a globally-installed templ generator emitting `templ.ResolveAttributeValue`, undefined in the older go.mod runtime). - go.mod: add tool directive (templ v0.3.1020, sqlc v1.31.1, goose v3.27.1); bump module to go 1.26. - .air.toml / Makefile: invoke generators via `go tool`; slim `setup`/`setup-ci` (only air + golangci-lint need global installs); add `make templ-update`. - CI: derive Go version from go.mod (was pinned to 1.23, which couldn't build the 1.26 module), generate via `go tool`, drop the global tool installs, and add dev-tag build/test steps. - Clear pre-existing lint blockers so CI's golangci-lint passes: check deferred Close/Quit errors (smtp.go, admin_api.go) and remove dead functions (cmd/build/main.go). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
internal/database.New now runs all pending goose migrations from an embedded filesystem (migrations/embed.go) on boot, so a fresh or out-of-date database is brought to schema without a separate `make migrate` step. This fixes the "no such table: site_settings" errors that occurred when the DB had never been migrated. `make migrate` remains for manual/CLI use. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
If the configured PORT is in use, the server now binds the next available port (internal/portutil.FindAvailable, mirrored from gopherguides/hype) and logs a warning. It also logs clickable access URLs at startup: localhost and, when TAILSCALE_HOSTNAME is set, the Tailscale magic-DNS host (reachable from any tailnet device). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Under `-tags dev` (which `make dev` builds via .air.toml), register loopback-only GET /auth/dev/login and POST /auth/dev/logout so admin pages can be tested without Clerk. RequireAdminAccess honors the dev session cookie before any Clerk verification. Safety (cannot run in production): - //go:build dev gates auth_dev.go; auth_dev_stub.go (!dev) is a no-op. - make build / build-static omit -tags dev, compiling it out entirely. - Loopback-only: both RemoteAddr and Host must be loopback (defeats X-Forwarded-For spoofing and reverse-proxy bypass). - init() fatals under ENV/ENVIRONMENT=production. - auth_dev_prod_test.go asserts no /auth/dev/* routes in production builds. Documents the workflow in CLAUDE.md and a new AGENTS.md so Claude/Codex know how to test admin/dashboard pages going forward. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
v2.1.6 is built with go1.24 and refuses to lint a module targeting go 1.26
("language version (go1.24) ... lower than targeted (1.26.0)"). v2.10.1 is
built with go1.26.1.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restores a working
make devand adds several dev-quality-of-life features, all reused from sibling repos rather than reinvented.go tooltooling (fixes the build):templ,sqlc,gooseare pinned ingo.modvia thetooldirective and invoked asgo tool <name>everywhere. This locks the generator version to the runtime and fixes theundefined: templ.ResolveAttributeValuebuild break caused by version drift. Module bumped to Go 1.26.internal/database.Newapplies embedded goose migrations on boot (migrations/embed.go), fixingno such table: site_settingson un-migrated DBs.PORTis busy (internal/portutil, mirrored fromgopherguides/hype) and logs clickable localhost +TAILSCALE_HOSTNAMEaccess URLs.-tags dev, loopback-onlyGET /auth/dev/login/POST /auth/dev/logoutlet us reach Clerk-gated admin pages for testing. Compiled out of production builds; loopback-gated (RemoteAddr + Host);init()fatals underENV=production. Documented inCLAUDE.md+ newAGENTS.md.go.mod(was pinned to 1.23, couldn't build the 1.26 module — the actual cause of the recent red CI), generate viago tool, add dev-tag build/test steps. Cleared pre-existing lint blockers (deferredClose/Quit, dead funcs) so golangci-lint passes.Test plan
go build ./...andgo build -tags dev ./...both succeedgo test -race ./...andgo test -race -tags dev ./...passgolangci-lint run ./...→ 0 issuesmigrated database to version: 5)/auth/dev/login→ 302,/admin→ 200; spoofedHost→ 403🤖 Generated with Claude Code