Merge pull request #13 from sameboat-platform/pr/12

chore(release): 0.1.1 – consolidate health polling, add env template, dependabot config

Author: ArchILLtect

.env.example

@@ -1,3 +1,20 @@
+VITE_API_BASE_URL=http://localhost:8080
+# Enable verbose auth logs (set to any non-empty value). Recommended to keep blank by default.
+# VITE_DEBUG_AUTH=1
+# Additional bootstrap debug logs (rarely needed now that heartbeat removed)
+# VITE_DEBUG_AUTH_BOOTSTRAP=1
+
+# Health check polling interval (ms). Must be > 1000. Defaults to 30000 if unset or invalid.
+VITE_HEALTH_REFRESH_MS=30000
+
+# Optional build metadata (injected via tooling / CI)
+# VITE_APP_VERSION=0.1.1
+# VITE_COMMIT_HASH=abcdef1
+
+# Feedback / issue reporting URL (shown in footer + debug panel)
+VITE_FEEDBACK_URL=https://github.com/sameboat-platform/frontend/issues/new
+
+# Add any future feature flags below (must start with VITE_ to be exposed to client)
 # (frontend doesn’t talk to Postgres)
 # Place future public config here, e.g. VITE_API_BASE_URL
 VITE_API_BASE_URL=http://localhost:8080

.github/dependabot.yml

@@ -1,27 +1,41 @@
 version: 2
 updates:
-  # Keep npm packages up to date
-  - package-ecosystem: npm
-    directory: "/"           # location of package.json
+  # Single npm config (Dependabot requires unique ecosystem+directory). We use groups to manage cadence.
+  # NOTE: We cannot have separate schedules for security vs tooling without a different target-branch, so we
+  # choose a daily cadence; tooling noise is minimized via grouping.
+  - package-ecosystem: "npm"
+    directory: "/"
     schedule:
-      interval: weekly
-      day: sunday            # optional: choose a day
-      time: "05:00"          # optional: UTC time
-      timezone: "America/Chicago"
-    open-pull-requests-limit: 5
-    groups:                  # optional: group related bumps to reduce PR noise
+      interval: daily
+      time: "06:00"
+    open-pull-requests-limit: 8
+    labels: ["deps"]
+    groups:
+      security-critical:
+        applies-to: security-updates
+        patterns:
+          - "*"
+      dev-tooling:
+        patterns:
+          - "@types/*"
+          - "eslint*"
+          - "vitest"
+          - "@testing-library/*"
+          - "typescript*"
       vite-minors:
         patterns:
           - "vite"
           - "@vitejs/*"
         update-types:
           - "minor"
           - "patch"
-    ignore:                  # optional: avoid sudden breaking major bumps
+    ignore:
+      - dependency-name: "react"
+        update-types: ["version-update:semver-major"]
       - dependency-name: "typescript"
         update-types: ["version-update:semver-major"]
 
-  # Keep your GitHub Actions up to date
+  # GitHub Actions updates (weekly)
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/coverage-badge.yml

@@ -0,0 +1,60 @@
+name: Coverage Badge
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  coverage-badge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install deps
+        run: npm ci
+
+      - name: Run tests with coverage
+        run: |
+          npm test -- --coverage --reporter=default
+
+      - name: Parse coverage percentage
+        id: coverage
+        run: |
+          # Look for line coverage in lcov report or summary
+          PCT=$(grep -E "^Statements" coverage/coverage-summary.json || true)
+          if [ -f coverage/coverage-summary.json ]; then
+            PCT=$(node -e "console.log(require('./coverage/coverage-summary.json').total.statements.pct)")
+          else
+            echo "coverage summary not found" && exit 1
+          fi
+          echo "coverage=$PCT" >> $GITHUB_OUTPUT
+
+      - name: Generate badge
+        run: |
+          PCT=${{ steps.coverage.outputs.coverage }}
+          COLOR=yellow
+          if [ "${PCT%.*}" -ge 80 ]; then COLOR=green; elif [ "${PCT%.*}" -ge 65 ]; then COLOR=yellowgreen; elif [ "${PCT%.*}" -lt 50 ]; then COLOR=red; fi
+          echo "Generating badge for $PCT% -> $COLOR"
+          mkdir -p .github/badges
+          cat <<'SVG' > .github/badges/coverage.svg
+          <svg xmlns='http://www.w3.org/2000/svg' width='120' height='20' role='img' aria-label='coverage: $PCT%'><linearGradient id='s' x2='0' y2='100%'><stop offset='0' stop-color='#bbb' stop-opacity='.1'/><stop offset='1' stop-opacity='.1'/></linearGradient><mask id='m'><rect width='120' height='20' rx='3' fill='#fff'/></mask><g mask='url(#m)'><rect width='62' height='20' fill='#555'/><rect x='62' width='58' height='20' fill='$COLOR'/><rect width='120' height='20' fill='url(#s)'/></g><g fill='#fff' text-anchor='middle' font-family='Verdana,Geneva,DejaVu Sans,sans-serif' text-rendering='geometricPrecision' font-size='11'><text x='31' y='14'>coverage</text><text x='90' y='14'>$PCT%</text></g></svg>
+          SVG
+
+      - name: Commit badge
+        run: |
+          git config user.name 'github-actions'
+          git config user.email 'actions@github.com'
+          git add .github/badges/coverage.svg
+          git commit -m "chore: update coverage badge" || echo "No changes"
+          git push

CHANGELOG.md

@@ -7,19 +7,35 @@ Format loosely follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 ## [Unreleased]
 
 ### Added
-- Nothing yet.
+- SECURITY policy (`SECURITY.md`).
+- MIT license file (`LICENSE`).
+- Coverage badge workflow (`coverage-badge.yml`) generating `coverage.svg` on main pushes.
+- `.env.example` template enumerating supported environment variables.
+- Dependabot configuration skeleton (`.github/dependabot.yml`) grouping security vs tooling updates.
+- Smoke test for `HealthCheckCard` component.
 
 ### Changed
-- Nothing yet.
+- Replaced ad-hoc inline Home page health logic with reusable `<HealthCheckCard />` component.
+- Removed transient auth bootstrap "heartbeat" interval (was only for earlier debugging) to reduce console noise.
+- Stabilized health polling implementation (single interval; eliminated status-driven re-subscribe loop).
 
 ### Fixed
-- Nothing yet.
+- Excessive `/actuator/health` polling spam caused by effect dependency loop and duplicate Home page implementation.
 
 ### Documentation
-- Nothing yet.
+- Added minimal security policy document.
+- README badges (release, coverage, security, license). 
+
+### Security
+- Bump esbuild to 0.25.10 resolving moderate advisory.
+- Upgrade vitest to 3.2.4 (dev dependency; no runtime impact).
 
 ### Internal
-- Nothing yet.
+- Removed legacy .eslintignore by migrating ignore patterns to flat config.
+- Silenced auth debug logs during Vitest via `isVitest` guard.
+- Automated coverage badge generation.
+- Refactored health polling to use stable callback + ref tracking (`statusRef`) preventing rapid interval churn.
+- Consolidated health checks (Home now delegates to `HealthCheckCard`).
 
 ### Notes
 - Nothing yet.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 SameBoat Platform Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,4 +1,9 @@
 [![Frontend CI](https://github.com/sameboat-platform/frontend/actions/workflows/frontend-ci.yml/badge.svg)](https://github.com/sameboat-platform/frontend/actions/workflows/frontend-ci.yml)
+[![Release](https://img.shields.io/github/v/tag/sameboat-platform/frontend?label=release&sort=semver)](https://github.com/sameboat-platform/frontend/releases)
+[![License](https://img.shields.io/github/license/sameboat-platform/frontend.svg)](LICENSE)
+[![Dependencies](https://img.shields.io/github/actions/workflow/status/sameboat-platform/frontend/frontend-ci.yml?label=build)](https://github.com/sameboat-platform/frontend/actions)
+[![Coverage](https://img.shields.io/badge/coverage-≥50%25-informational)](./CHANGELOG.md)
+[![Security Policy](https://img.shields.io/badge/security-policy-blue)](./SECURITY.md)
 
 # SameBoat Frontend (Vite + React + TS)
 
@@ -45,6 +50,33 @@ src/
 public/             # Static assets served at root (/favicon, /vite.svg)
 ```
 
+### Health Monitoring Component
+
+`HealthCheckCard` centralizes backend liveness/health polling with:
+
+-   Configurable interval via prop or `VITE_HEALTH_REFRESH_MS`.
+-   Minimum skeleton duration to reduce UI flicker.
+-   Manual refresh button.
+-   Status + message extraction from Spring Boot Actuator style responses.
+-   Stable polling loop (no re-subscribe on status changes).
+
+Usage:
+
+```tsx
+import HealthCheckCard from './components/HealthCheckCard';
+
+export default function Home() {
+    return (
+        <div>
+            {/* other content */}
+            <HealthCheckCard />
+        </div>
+    );
+}
+```
+
+If you need a one-off health check somewhere else, prefer reusing this component to avoid duplicate intervals.
+
 Add components under `src/components/` and import into pages or `App.tsx`.
 
 ## Development Workflow

SECURITY.md

@@ -0,0 +1,41 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| 0.1.x   | ✅ Active |
+| < 0.1.0 | ❌        |
+
+Pre-1.0 versions may receive security dependency bumps and critical patches only.
+
+## Reporting a Vulnerability
+
+Please open a private advisory via GitHub Security Advisories ("Report a vulnerability" in the repo *Security* tab) **or** email the maintainer listed in `package.json`.
+
+Include (when possible):
+- Affected route or component
+- Reproduction steps / PoC
+- Impact assessment (confidentiality, integrity, availability)
+- Suggested fix or mitigation (if known)
+
+You will receive an acknowledgement within 2 business days. We aim to provide an initial remediation plan within 5 business days.
+
+## Disclosure Process
+1. Receive & validate report.
+2. Assign CVSS-like internal severity (low / moderate / high / critical).
+3. Patch on a protected branch; add tests where feasible.
+4. Release patched version (e.g. `0.1.(n+1)`) and update CHANGELOG under **Security**.
+5. Public disclosure after fix is available (or coordinated timeline for high severity).
+
+## Dependency Vulnerabilities
+Automated tools (e.g., Dependabot) generate PRs for vulnerable packages. These are merged after:
+- Lint + type + test + build gates pass.
+- CHANGELOG updated under **Security**.
+
+## Hardening Roadmap
+- Add CI job to scan for secret leaks.
+- Add CSP & security headers doc section before 0.2.0.
+- Expand automated dependency diff labeling.
+
+If you have suggestions for further hardening, please open an issue tagged `enhancement` + `security`.

TTD.md

@@ -32,6 +32,12 @@
 -   Add a custom CI step that fails if no test files were touched for a PR containing `feat:` or `fix:` commits.
 -   Script/guard to fail if a `feat:` commit lands without any matching diff in `src/__tests__/` (heuristic; allow override via `[skip-test-guard]`).
 -   GitHub Action to auto-assign PR label based on first conventional commit type (feat/fix/docs/chore/refactor/test/perf).
+    
+### Dependency / Security Automation
+
+-   Create Dependabot config groups separating critical/security deps from test/tooling deps (distinct PR labels & visibility).
+-   Add CI job for dependency audit (e.g. `npm audit --audit-level=moderate` or Snyk) highlighting severity delta between main and PR.
+-   Add GitHub Action guard: fail Dependabot PR if it modifies > N (configurable) devDependencies without a CHANGELOG entry under Security or Internal.
 
 ## Notes
 

eslint.config.js

@@ -6,7 +6,8 @@ import tseslint from 'typescript-eslint'
 import { defineConfig, globalIgnores } from 'eslint/config'
 
 export default defineConfig([
-  globalIgnores(['dist']),
+  // Migrate legacy .eslintignore entries here (ESLint flat config)
+  globalIgnores(['dist', 'build', 'coverage', 'node_modules']),
   {
     files: ['**/*.{ts,tsx}'],
     extends: [