docs: codify audit rules in CLAUDE.md + README + audit records
CLAUDE.md: new "2026-06-09 audit" enforced-rules section (mandatory coercion helpers, deterministic id-tiebreak ordering, $queryRaw FOR-UPDATE locking discipline, uniqueness-in-transaction, guard reads, Rules-of-Hooks, seed prod guard), lint/typecheck/format commands, and the app_test/.env.test testing section with the hard-throw guard. README rewritten from the placeholder stub (setup/run/build/test/gates/migrations). REVIEW.md / REVIEW_FINDINGS.md / REVIEW_FIXES.md: the full audit record — 277 files reviewed, ~362 findings, every one fixed and verified. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
73
README.md
Normal file
73
README.md
Normal file
@@ -0,0 +1,73 @@
|
||||
# boha-app-ts
|
||||
|
||||
Internal business-management system for a Czech company (attendance, invoicing,
|
||||
leave/trips, projects, vehicles, warehouse, HR) — a TypeScript/Node.js rewrite
|
||||
of the legacy PHP app. User-facing text is Czech by design.
|
||||
|
||||
> For full architecture, conventions, and gotchas, see **[CLAUDE.md](./CLAUDE.md)**.
|
||||
|
||||
## Stack
|
||||
|
||||
- **Backend:** Fastify 5 · Prisma 6 → MySQL · Zod 4 · JWT (HS256) + TOTP 2FA
|
||||
- **Frontend:** React 18 · Vite · Material UI v7 (Emotion) · TanStack Query — an
|
||||
SPA in `src/admin/`, served by the same Fastify process (Vite middleware in
|
||||
dev, static files in prod)
|
||||
- **Other:** Puppeteer (PDF) · nodemailer · node-cron · `@anthropic-ai/sdk` (the
|
||||
admins-only "Odin" assistant)
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Node.js (LTS) and a MySQL database
|
||||
- Copy `.env.example` → `.env` and fill in the **required** vars (`DATABASE_URL`,
|
||||
`JWT_SECRET`, `TOTP_ENCRYPTION_KEY` — generate the keys with `openssl rand -hex 32`)
|
||||
|
||||
## Setup
|
||||
|
||||
```bash
|
||||
npm install
|
||||
npx prisma generate
|
||||
npx prisma migrate dev # apply migrations to your dev DB
|
||||
npx prisma db seed # optional: dev-only sample data (NEVER on prod)
|
||||
```
|
||||
|
||||
## Develop
|
||||
|
||||
```bash
|
||||
npm run dev:server # API (tsx watch) on http://127.0.0.1:3050
|
||||
npm run dev:client # Vite dev server (manage separately)
|
||||
```
|
||||
|
||||
## Build & run
|
||||
|
||||
```bash
|
||||
npm run build # tsc server → dist/ + vite client → dist-client/
|
||||
npm start # node dist/server.js
|
||||
```
|
||||
|
||||
## Test
|
||||
|
||||
```bash
|
||||
npm test # vitest run — hits a real test DB (.env.test); no Prisma mocks
|
||||
```
|
||||
|
||||
## Quality gates
|
||||
|
||||
Before committing, all of these must pass:
|
||||
|
||||
```bash
|
||||
npx tsc -b --noEmit # typecheck (NOT `tsc -p tsconfig.json`)
|
||||
npm run build
|
||||
npx vitest run
|
||||
npm run lint # ESLint (incl. react-hooks) — see eslint.config.js
|
||||
```
|
||||
|
||||
## Database migrations
|
||||
|
||||
Every schema/data change is a tracked Prisma migration — **never** `prisma db push`
|
||||
or raw SQL on production. Stop the dev server before running `prisma migrate dev`.
|
||||
See CLAUDE.md → _Database Migrations_ for the full workflow and the production
|
||||
deploy/hotfix process.
|
||||
|
||||
## License
|
||||
|
||||
ISC
|
||||
Reference in New Issue
Block a user