Turborepo monorepo (pnpm workspaces) with 3 packages:
- apps/web: React 19 + Vite 8 + Tailwind v4 (CSS-first) SPA
• TanStack Router (file-based, auto code-splitting), Query, Form
• Raw Radix primitives + CVA + clsx + tailwind-merge
• MSW to mock the API until Adonis is wired up
• Bricolage Grotesque + Inter fonts self-hosted via fontsource
• Brand tokens (rubis, cream, ink) exposed via @theme
• In-house primitives: Gem, Brand, Eyebrow, Button, Input, Field
• /login route, full flow: TanStack Form + Zod + Query mutation
- apps/api: Adonis 7 (api kit, scaffolded via create-adonisjs)
• Access token auth (Bearer), see ADR-017
• Tuyau core already wired for type generation
• Routes /api/v1/auth/{signup,login} + /api/v1/account/{profile,logout}
• Minimal: only the front ↔ back bridge
- packages/shared: TS types + Zod schemas + constants
• Single source of truth shared api ↔ web
• Domains: User, Org, Auth, Client, Invoice, Plan
Root tooling: Turbo, ESLint v9 flat, Prettier, husky, lint-staged.
CLAUDE.md and docs/decisions.md updated with ADR-014 to ADR-018
(stack, monorepo, existing PG, Bearer tokens, existing MinIO)
and the pointer to docs/tech/architecture.md.
Rubis logo moved from landing/assets/ to /assets/ (single source
reused by the landing and the app).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
96 lines
1.8 KiB
TypeScript
import { defineConfig } from '@adonisjs/shield'

const shieldConfig = defineConfig({
  /**
   * Configure CSP policies for your app. Refer to the documentation
   * to learn more.
   */
  csp: {
    /**
     * Enable the Content-Security-Policy header.
     */
    enabled: false,

    /**
     * Per-resource CSP directives.
     */
    directives: {},

    /**
     * Report violations without blocking resources.
     */
    reportOnly: false,
  },

  /**
   * Configure CSRF protection options. Refer to the documentation
   * to learn more.
   */
  csrf: {
    /**
     * Enable CSRF token verification for state-changing requests.
     */
    enabled: false,

    /**
     * Route patterns to exclude from CSRF checks.
     * Useful for external webhooks or API endpoints.
     */
    exceptRoutes: [],

    /**
     * Expose an encrypted XSRF-TOKEN cookie for frontend HTTP clients.
     */
    enableXsrfCookie: true,

    /**
     * HTTP methods protected by CSRF validation.
     */
    methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
  },

  /**
   * Control how your website should be embedded inside
   * iframes.
   */
  xFrame: {
    /**
     * Enable the X-Frame-Options header.
     */
    enabled: true,

    /**
     * Block all framing attempts. Default value is DENY.
     */
    action: 'DENY',
  },

  /**
   * Force the browser to always use HTTPS.
   */
  hsts: {
    /**
     * Enable the Strict-Transport-Security header.
     */
    enabled: true,

    /**
     * HSTS policy duration remembered by browsers.
     */
    maxAge: '180 days',
  },

  /**
   * Stop browsers from sniffing content types and rely only
   * on the response content-type header.
   */
  contentTypeSniffing: {
    /**
     * Enable X-Content-Type-Options: nosniff.
     */
    enabled: true,
  },
})

export default shieldConfig
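The config above is the scaffold default with CSP and CSRF left off. For the setup the commit message describes (a JSON API on apps/api authenticated with Bearer tokens per ADR-017, consumed by a separate SPA), that is a defensible starting point, but a few settings deserve a second look: an XSRF-TOKEN cookie is enabled while CSRF verification is off, CSP is absent even though a `default-src 'none'` policy costs nothing on an API, and the HSTS max-age is below the one-year floor that preload lists require. The following audit, added here by the editor and not part of the project, encodes those checks and runs them over the shipped config and a hardened variant. The `ShieldConfig` type is a local stand-in that mirrors the option names of config/shield.ts so the file runs without `@adonisjs/shield` installed; the camelCase directive keys in the hardened variant follow the helmet-style naming that shield's CSP layer accepts, which is an assumption to confirm against the shield docs before copying them into the real config.

```typescript
// Added example (editor's, not the project's code): audit shield settings for
// a Bearer-token JSON API consumed by a cross-origin SPA. ShieldConfig is a
// local type mirroring config/shield.ts; nothing is imported from
// @adonisjs/shield, so this runs offline.

type Severity = 'info' | 'low' | 'medium' | 'high'

type ShieldConfig = {
  csp: { enabled: boolean; directives: Record<string, string[]>; reportOnly: boolean }
  csrf: { enabled: boolean; exceptRoutes: string[]; enableXsrfCookie: boolean; methods: string[] }
  xFrame: { enabled: boolean; action: 'DENY' | 'SAMEORIGIN' }
  hsts: { enabled: boolean; maxAge: string | number }
  contentTypeSniffing: { enabled: boolean }
}

export type Finding = { severity: Severity; key: string; message: string }

const UNIT_SECONDS: Record<string, number> = {
  second: 1, minute: 60, hour: 3600, day: 86400,
  week: 7 * 86400, month: 30 * 86400, year: 365 * 86400,
}

/** Convert a '180 days' style duration (or a number of seconds) to seconds. */
export function maxAgeSeconds(maxAge: string | number): number {
  if (typeof maxAge === 'number') return maxAge
  const m = /^(\d+)\s*([a-z]+?)s?$/i.exec(maxAge.trim())
  if (!m) throw new Error(`unrecognised maxAge: ${maxAge}`)
  const unit = UNIT_SECONDS[(m[2] ?? '').toLowerCase()]
  if (unit === undefined) throw new Error(`unrecognised maxAge unit: ${maxAge}`)
  return Number(m[1]) * unit
}

/** Rules for an API where every authenticated request carries Authorization: Bearer. */
export function auditShield(cfg: ShieldConfig): Finding[] {
  const out: Finding[] = []
  const add = (severity: Severity, key: string, message: string) => out.push({ severity, key, message })

  if (!cfg.csp.enabled) {
    add('medium', 'csp.enabled', "CSP off: send default-src 'none' so an HTML error page or reflected body cannot load scripts")
  } else {
    const d = cfg.csp.directives
    if (!(d['defaultSrc'] ?? []).includes("'none'")) add('low', 'csp.directives.defaultSrc', "a JSON API loads no sub-resources; use default-src 'none'")
    if (!d['frameAncestors']) add('low', 'csp.directives.frameAncestors', 'add frame-ancestors; X-Frame-Options is only the legacy fallback')
    if (cfg.csp.reportOnly) add('low', 'csp.reportOnly', 'report-only never blocks; turn it off once the policy is stable')
  }

  if (!cfg.csrf.enabled) {
    // Browsers never attach Authorization headers on their own, so CSRF only
    // matters if a cookie-based session is ever added alongside Bearer tokens.
    add('info', 'csrf.enabled', 'CSRF verification off: acceptable only while no cookie session exists and every state-changing route requires a Bearer token')
    if (cfg.csrf.enableXsrfCookie) add('low', 'csrf.enableXsrfCookie', 'XSRF-TOKEN cookie enabled while verification is off: inconsistent, disable one or the other')
  } else {
    const missing = ['POST', 'PUT', 'PATCH', 'DELETE'].filter((m) => !cfg.csrf.methods.includes(m))
    if (missing.length) add('high', 'csrf.methods', `state-changing methods not verified: ${missing.join(', ')}`)
  }

  if (!cfg.xFrame.enabled) add('medium', 'xFrame.enabled', 'X-Frame-Options off')
  if (!cfg.hsts.enabled) add('high', 'hsts.enabled', 'HSTS off')
  else if (maxAgeSeconds(cfg.hsts.maxAge) < 365 * 86400) add('low', 'hsts.maxAge', 'below the one-year minimum required by HSTS preload lists')
  if (!cfg.contentTypeSniffing.enabled) add('medium', 'contentTypeSniffing.enabled', 'nosniff off: JSON bodies may be sniffed as HTML')
  return out
}

/** The config as shipped in this commit, transcribed into the local type. */
export const shippedConfig: ShieldConfig = {
  csp: { enabled: false, directives: {}, reportOnly: false },
  csrf: { enabled: false, exceptRoutes: [], enableXsrfCookie: true, methods: ['POST', 'PUT', 'PATCH', 'DELETE'] },
  xFrame: { enabled: true, action: 'DENY' },
  hsts: { enabled: true, maxAge: '180 days' },
  contentTypeSniffing: { enabled: true },
}

/** Editor's hardened variant for the same Bearer-token API (directive key names assumed). */
export const hardenedConfig: ShieldConfig = {
  csp: { enabled: true, directives: { defaultSrc: ["'none'"], frameAncestors: ["'none'"] }, reportOnly: false },
  csrf: { enabled: false, exceptRoutes: [], enableXsrfCookie: false, methods: ['POST', 'PUT', 'PATCH', 'DELETE'] },
  xFrame: { enabled: true, action: 'DENY' },
  hsts: { enabled: true, maxAge: '1 year' },
  contentTypeSniffing: { enabled: true },
}

for (const [name, cfg] of [['shipped', shippedConfig], ['hardened', hardenedConfig]] as const) {
  console.log(name, auditShield(cfg).map((f) => `${f.severity}:${f.key}`))
}
```

Running it prints four findings for the shipped config (CSP off, the CSRF info note, the stray XSRF cookie, and the short HSTS max-age) and only the CSRF info note for the hardened one. The info note stays on purpose: if a cookie session is ever introduced for the SPA, CSRF verification has to come back on, and the audit should keep saying so.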