merge: PR #81 from sameboat-platform/docs/week-5-prep

This pull request documents the release of frontend v0.3.0, closes out the Week 4 milestone, and sets up planning and issue templates for future work (v0.3.1 and v0.4.0). It adds comprehensive release notes, updates badges and status docs, and introduces detailed implementation plans and issue drafts for upcoming features, including the Stories feed and profile editing. The changes also improve issue templates to support new release targets.

Author: ArchILLtect

.github/ISSUE_TEMPLATE/feature.yml

@@ -38,7 +38,10 @@ body:
     attributes:
       label: Target Release
       options:
-        - 0.2.0
+        - v0.3.1
+        - v0.3.2
+        - v0.3.3
+        - v0.4.0
         - Future
     validations:
       required: false

.github/ISSUE_TEMPLATE/test.yml

@@ -24,5 +24,8 @@ body:
     attributes:
       label: Target Release
       options:
-        - 0.2.0
+        - v0.3.1
+        - v0.3.2
+        - v0.3.3
+        - v0.4.0
         - Future

.github/ISSUE_TEMPLATE/tooling.yml

@@ -24,5 +24,8 @@ body:
     attributes:
       label: Target Release
       options:
-        - 0.2.0
+        - v0.3.1
+        - v0.3.2
+        - v0.3.3
+        - v0.4.0
         - Future

.github/copilot-instructions.md

@@ -4,7 +4,7 @@ Project: Vite + React 19 + TypeScript (strict), using SWC React plugin. Auth sta
 
 Big picture
 
--   SPA bootstrapped by Vite. Entry `src/main.tsx` mounts `src/App.tsx` into `#root` in `index.html`.
+-   SPA bootstrapped by Vite. Entry `src/main.tsx` mounts `src/App.tsx` into `root` in `index.html`.
 -   Build is type-first: `npm run build` executes `tsc -b` before `vite build`. CI fails on any TS errors.
 -   Flat ESLint config with React Hooks and React Refresh rules; focus on `.ts/.tsx` files; `dist/` ignored.
 -   ESM-only repository (`"type": "module"`, TS `moduleResolution: bundler`, `verbatimModuleSyntax: true`). Prefer `import type` for types.

README.md

@@ -1,5 +1,6 @@
 [![Frontend CI](https://github.com/sameboat-platform/frontend/actions/workflows/frontend-ci.yml/badge.svg)](https://github.com/sameboat-platform/frontend/actions/workflows/frontend-ci.yml)
 [![Release](https://img.shields.io/github/v/tag/sameboat-platform/frontend?label=release&sort=semver)](https://github.com/sameboat-platform/frontend/releases)
+[![Changelog 0.3.0](https://img.shields.io/badge/changelog-0.3.0-blue)](CHANGELOG.md#030---2025-10-29)
 [![License](https://img.shields.io/github/license/sameboat-platform/frontend.svg)](LICENSE)
 [![Dependencies](https://img.shields.io/github/actions/workflow/status/sameboat-platform/frontend/frontend-ci.yml?label=build)](https://github.com/sameboat-platform/frontend/actions)
 [![Coverage](./.github/badges/coverage.svg)](https://github.com/sameboat-platform/frontend/actions/workflows/coverage-badge.yml)

docs/status/done-to-date--10-08.md renamed to docs/status/done-to-date.md

@@ -1,6 +1,29 @@
+# SameBoat – Progress Summary (through 10‑30-2025)
+
+This snapshot captures what’s shipped through frontend v0.3.0 and the current backend status; Week 5 focus is stories v1 and minimal profile edit.
+
+## Frontend
+- Releases:
+    - v0.1.0 (2025‑10‑02) – initial auth/pages/health, CI baseline.
+    - v0.2.0 (2025‑10‑04) – health stability, coverage pipeline, security policy.
+    - v0.3.0 (2025‑10‑30) – Zustand auth store + effects, visibility‑based session refresh (30s cooldown), intendedPath preservation, dependency‑audit workflow, bundle analyzer, docs sweep.
+- Health aligned to `/actuator/health`; ProtectedRoute preserves full intended path; tests and build/lint pass on main; security audit 0 vulns at release time.
+
+## Backend (high‑level)
+- Java 21 + Spring Boot 3.5.x; Flyway migrations; Postgres (Neon) in prod.
+- Auth endpoints: `POST /api/auth/{login,register,logout}` and `GET /api/me` for session bootstrap (cookie `SBSESSION`).
+- Users API: `GET /api/users/{id}`, `PATCH /api/users/{id}`; Actuator health at `/actuator/health`.
+- Tests: service + controller; Jacoco ≥ 70%.
+
+## Week 5 focus (next)
+- Frontend: Stories feed `/stories`, create `/stories/new` with spoiler shields; profile edit (name/role/bio) via `PATCH /api/me`.
+- Backend: Stories endpoints (`GET /api/stories`, `POST /api/stories`, `GET /api/stories/{id}`) and extend profile fields.
+
+Links: Frontend release v0.3.0 → https://github.com/sameboat-platform/frontend/releases/tag/v0.3.0; Week 5 plan → `docs/weekly-reports/week-5-frontend-plan.md`.
+
 # SameBoat Backend – Progress Summary
 
-## Completed Work (as of [date])
+## Completed Work (10-08-2025)
 
 ### 1. Project Setup
 - **Tech stack selected:** Java 21, Spring Boot 3.5.x, Maven, PostgreSQL (Neon for prod, H2/Testcontainers for tests).

docs/weekly-reports/exit-reports/week-4-exit-report.md

@@ -0,0 +1,64 @@
+## Overview (Week 4 – Oct 6 – Oct 30)
+
+Milestone focus: Auth store migration to Zustand with stable public API, visibility‑based session refresh, intendedPath polish, CI hardening, and release v0.3.0.
+
+### Highlights
+
+- Shipped release v0.3.0 (tagged) with CHANGELOG and compare links; milestone closed and post‑release triage completed.
+- Migrated auth store from custom Context to Zustand while preserving the `useAuth()` public contract; introduced `AuthEffects` for bootstrap + visibility listeners.
+- Implemented visibility‑driven session refresh with a 30s cooldown via pure helper `shouldRefreshOnVisibility`; replaced brittle integration test with deterministic unit tests.
+- Preserved full `intendedPath` (pathname + search + hash) through login redirects; added tests and fixed edge cases.
+- Standardized auth debug flags (`VITE_DEBUG_AUTH`, `VITE_DEBUG_AUTH_BOOTSTRAP`) and cleaned console noise; added a console hygiene test.
+- CI: added dependency audit workflow (fails on High/Critical) and documented policy; added bundle analysis script and notes.
+
+### What Went Well
+
+- Store migration landed without breaking changes—public `useAuth` remained stable; consumers required no edits.
+- Visibility refresh logic is isolated, testable, and deterministic; fewer flakes and clearer logs gated by flags.
+- Release preparation was smooth: CHANGELOG first, then version bump and tag; PR/CI stayed green.
+
+### What We Struggled With
+
+- Initial attempt at an integration test for visibility events proved flaky; resolved by extracting a pure helper and unit‑testing cooldown semantics.
+- A few React Hooks lint violations in dev‑only debug components required refactoring (early return before any hooks, inner component pattern).
+
+### Completed vs Planned
+
+- Zustand migration + effects: Done.
+- IntendedPath preservation and error mapping: Done.
+- Visibility‑based refresh with cooldown: Done (unit‑tested).
+- Console hygiene and test add‑ons: Done.
+- CI dependency audit and docs: Done.
+- Release 0.3.0: Done; tag pushed; milestone closed; next milestones opened.
+
+Deferred / Next trains
+- Post‑MVP end‑to‑end test for actual visibility + cooldown using a browser runner (Playwright).
+- Minor UI polish (logout affordance surfacing, user summary tweaks) slated for 0.3.1/0.4.0 as needed.
+
+### Notable PRs/Commits
+
+- feat(auth): migrate context store → Zustand; add AuthEffects for bootstrap + visibility
+- feat(auth): preserve intendedPath end‑to‑end; tests
+- chore(ci): dependency audit workflow + docs
+- chore(tooling): bundle analyzer script and docs; soft perf budget
+- docs: RFC for Zustand store; README/architecture updates
+- docs: CHANGELOG 0.3.0; release notes
+
+### Metrics & Quality Gates
+
+- Typecheck: PASS
+- Lint: PASS (React Hooks clean; no unused disables)
+- Tests: PASS (unit + RTL; deterministic visibility tests)
+- Build: PASS (tsc -b && vite build)
+- Security audit: 0 known vulnerabilities after npm audit fix
+
+### Follow‑ups (queued for 0.3.1/0.4.0)
+
+- Playwright E2E for visibility refresh cooldown
+- Small UX polish on Me/UserSummary and debug toggles
+- Optional: auto‑generated release notes via gh, fed by CHANGELOG sections
+
+### Appendix
+
+- Week 4 plan updated with "v0.3.0 shipped" status and links.
+- Opened milestones: v0.3.1 (patches), v0.4.0 (next minor).

docs/weekly-reports/post-mvp/future-issues.md

@@ -0,0 +1,148 @@
+# Post‑MVP – Future Issues Backlog
+
+This file collects pre‑scoped issue drafts you can copy/paste into new GitHub issues. Each draft includes labels, milestone, acceptance criteria, and a small test plan.
+
+---
+
+## Draft: Playwright E2E – Visibility‑based session refresh cooldown
+
+Title
+- E2E(auth): visibility‑based session refresh respected with 30s cooldown
+
+Milestone
+- v0.4.0
+
+Labels
+- area:auth, e2e, type:test, roadmap
+
+Background
+- The app refreshes session state on `visibilitychange` when a tab becomes visible, provided:
+  - no auth request is currently in flight, and
+  - the last successful fetch was ≥ 30 seconds ago.
+- The cooldown logic lives in a pure helper `shouldRefreshOnVisibility(lastFetchedMs: number, nowMs: number, minIntervalMs = 30000)` and is exercised by unit tests. We want a browser‑level E2E to validate the real visibility lifecycle and interaction with the app shell.
+
+Goals
+- Confirm that switching a tab from hidden→visible triggers a session refresh only when past the 30s threshold.
+- Confirm that repeated visibility events within the 30s window do not trigger additional refreshes.
+- Confirm that a refresh is skipped when already in‑flight.
+
+Acceptance Criteria
+- Given an authenticated session and last refresh < 30s ago, when the tab becomes visible, then no network call to `/api/me` is made.
+- Given an authenticated session and last refresh ≥ 30s ago, when the tab becomes visible, then exactly one network call to `/api/me` is made and store `lastFetched` updates.
+- Given `refresh()` is currently in‑flight, when the tab becomes visible, then no additional `/api/me` call is made until the current one completes.
+- Test runs headless and passes in CI (GitHub Actions) with Playwright’s Chrome channel.
+
+Out of scope
+- Backend behavior beyond returning a static user JSON.
+- Full login UI flow; use API seeding or cookie injection for session state.
+
+Implementation Notes
+- Use Playwright test runner with `chromium`.
+- Seed an authenticated state by stubbing `/api/me` with a route handler (Playwright `page.route`) and setting a cookie if needed.
+- Control time via Playwright’s `page.addInitScript(() => { Date.now = () => FIXED; })` or by injecting a time shim. Alternatively, wait using `page.waitForTimeout(30000)` but prefer time control to keep tests fast.
+- Use the document visibility API to flip visibility:
+  - Either open a second tab (Page 2) to cover the current tab, then bring Page 1 to front, or
+  - Programmatically dispatch `visibilitychange` by toggling `document.hidden` via a stub (requires page init script to override the getter) and dispatching the event.
+- Spy on fetch calls by intercepting `/api/me` and counting invocations; assert using expect counters.
+
+Test Plan (Playwright pseudo‑code)
+```ts
+import { test, expect } from '@playwright/test';
+
+const USER = { id: 'u1', email: 'a@b.com' };
+
+function mockMe(page, countRef) {
+  page.route('**/api/me', async route => {
+    countRef.count++;
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify(USER),
+    });
+  });
+}
+
+test.describe('visibility refresh cooldown', () => {
+  test('does not refresh within 30s window; refreshes after 30s', async ({ page }) => {
+    const calls = { count: 0 };
+    await mockMe(page, calls);
+
+    // Start app
+    await page.goto('http://localhost:5173');
+
+    // Bootstrap fires once
+    await expect.poll(() => calls.count).toBe(1);
+
+    // Within cooldown: simulate visible event → no extra call
+    await page.evaluate(() => document.dispatchEvent(new Event('visibilitychange')));
+    await page.waitForTimeout(200); // settle
+    expect(calls.count).toBe(1);
+
+    // Move time forward ≥30s and trigger again
+    await page.addInitScript(() => {
+      const start = Date.now();
+      Date.now = () => start + 31_000;
+    });
+    await page.reload();
+    await expect.poll(() => calls.count).toBeGreaterThanOrEqual(2);
+  });
+});
+```
+
+Risks & Mitigations
+- Dispatching `visibilitychange` in real browsers may be gated—inject a visibility getter shim if needed or use multi‑page focus handoff.
+- Time manipulation must be consistent across app and test; prefer overriding `Date.now()` early via `addInitScript`.
+
+Estimation
+- Small (0.5–1d) including CI wiring.
+
+Definition of Done
+- Playwright test checked in under `e2e/` and passing locally and on CI.
+- Docs updated (testing section) with a short note on the E2E and how to run it.
+- Milestone v0.4.0 linked and labels applied.
+
+---
+
+## Draft: Automate README “Changelog” badge to latest section on release
+
+Title
+- chore(tooling): auto‑update README “Changelog” badge to latest section on release
+
+Milestone
+- v0.3.1 (tooling)
+
+Labels
+- area:tooling, type:chore, docs, release
+
+Background
+- README currently includes a static badge linking directly to the 0.3.0 section of `CHANGELOG.md`. After each release we must update this anchor manually. We can automate this as part of the release flow so the badge always points at the newest version section.
+
+Goals
+- Ensure the README “Changelog” badge link targets the most recent version section in `CHANGELOG.md` immediately after a release is cut/tagged.
+
+Approach (pick one)
+1) Script integration:
+  - Enhance `scripts/release.mjs` to compute the anchor for the new section header `## [x.y.z] - YYYY-MM-DD` using GitHub’s slug rules (lowercase, strip punctuation like brackets/dots, spaces→`-`).
+  - Update or insert the badge link in `README.md` to `CHANGELOG.md#<computed-anchor>` as part of the release commit.
+2) GitHub Action:
+  - On `release` (published), run a tiny Node step that reads `CHANGELOG.md`, finds the latest `## [x.y.z] - YYYY-MM-DD` header, computes the anchor, updates README, and opens a PR (or pushes with a workflow token).
+3) Fallback (if anchor calc is brittle):
+  - Link badge to the Releases page or to `[Unreleased]` and keep the deep link optional. Prefer (1) or (2) for true deep‑linking.
+
+Acceptance Criteria
+- After running the release flow for a new version, README’s “Changelog” badge points to the new section anchor (e.g., `CHANGELOG.md#040---2025-11-15`).
+- No manual edits required post‑release; changes are part of the release commit or an automated PR.
+- If the badge is missing, the automation inserts it below the Release badge.
+
+Test Plan
+- Dry run locally by pretending to cut a test version (e.g., bump to `0.3.1` in a throwaway branch) and confirm README link updates to the computed anchor.
+- Validate anchor by clicking through in GitHub UI.
+
+Risks & Mitigations
+- GitHub slug rules nuance: prefer deriving the anchor by reading the exact header text and applying the same slug transform used for headings (remove `[]()`, replace spaces with `-`, drop punctuation like `.`). Add a small unit test for the slug helper.
+- Workflow token push permissions: if using an Action, use a PAT or set `permissions: contents: write` on the workflow.
+
+Definition of Done
+- Automation implemented via script or Action.
+- README badge reliably targets the latest CHANGELOG section after release.
+- Documented in `docs/developer-workflow-checklist.md` under the Release steps.