Add privacy-safe PWA offline shell#702
Conversation
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
|
Warning Review limit reached
Next review available in: 2 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughIntroduces a privacy-safe installable PWA with constrained service-worker caching, offline fallback, install/update lifecycle UI, public asset headers, theme integration, proxy handling, and Vitest/Playwright verification. ChangesPrivacy-safe PWA
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Browser
participant PwaLifecycle
participant ServiceWorker
participant CacheStorage
Browser->>PwaLifecycle: load application
PwaLifecycle->>ServiceWorker: register /sw.js
ServiceWorker->>CacheStorage: precache offline shell and public assets
Browser->>ServiceWorker: navigate or request public asset
ServiceWorker-->>Browser: network, cached asset, or offline fallback
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
tests/ui-pwa.spec.ts (1)
238-281: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winExercise a successful private response before checking CacheStorage.
This flow only inspects assets loaded naturally, while API requests are aborted. A regression that caches successful API/auth/document responses could therefore pass. Fulfill and fetch a synthetic same-origin private URL, then explicitly assert that URL is absent from every cache.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tests/ui-pwa.spec.ts` around lines 238 - 281, The test around “serves a cold offline fallback…” only validates naturally loaded assets and must exercise a successful private response before inspecting CacheStorage. After the app recovers online, fulfill and fetch a synthetic same-origin private URL covering a sensitive path, then explicitly verify that exact URL is absent from every cache while preserving the existing inventory allowlist assertions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/proxy.ts`:
- Around line 30-33: Add "/icon.svg" to the publicPwaPaths allowlist in
src/proxy.ts, and add "/icon.svg" to the parameterized public-path cases in
tests/proxy-session-refresh.test.ts so the proxy and regression test treat it as
public.
In `@tests/pwa-service-worker.test.ts`:
- Around line 617-619: Remove the Set-Cookie header assertion from the synthetic
new Response test in tests/pwa-service-worker.test.ts. Add the no-cookie
invariant to the origin/proxy test instead, where the worker’s actual
response-header behavior is exercised.
---
Nitpick comments:
In `@tests/ui-pwa.spec.ts`:
- Around line 238-281: The test around “serves a cold offline fallback…” only
validates naturally loaded assets and must exercise a successful private
response before inspecting CacheStorage. After the app recovers online, fulfill
and fetch a synthetic same-origin private URL covering a sensitive path, then
explicitly verify that exact URL is absent from every cache while preserving the
existing inventory allowlist assertions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: b7f17f07-8e47-46d3-b8cc-c22e4c9abe84
📒 Files selected for processing (23)
docs/branch-review-ledger.mddocs/codebase-index.mddocs/pwa.mdnext.config.tspackage.jsonplaywright.config.tspublic/offline.htmlpublic/sw.jssrc/app/globals.csssrc/app/layout.tsxsrc/app/manifest.tssrc/components/clinical-dashboard/use-theme.tssrc/components/pwa-lifecycle.tsxsrc/lib/security-headers.tssrc/lib/theme.tssrc/proxy.tstests/proxy-session-refresh.test.tstests/pwa-lifecycle.dom.test.tsxtests/pwa-manifest.test.tstests/pwa-service-worker.test.tstests/security-headers.test.tstests/theme.test.tstests/ui-pwa.spec.ts
…e-20260717 # Conflicts: # docs/branch-review-ledger.md
…e-20260717 # Conflicts: # docs/branch-review-ledger.md
CI triageCI failed on this PR. Automated classification of the 2 failed job(s):
Heuristic only — a main-side or flake label is a starting point, not a verdict. |
Summary
Verification
npm run verify:pr-local(the dry-run selected format, lint, typecheck, test, and build; those components were run individually because the shared worktree cache/process wrapper exited during host contention)npm run verify:ui(focused Chromium PWA gate run instead: 2/2 passed)npm run verify:release(not run; includes provider-backed gates)npm run eval:retrieval:quality(not applicable: no retrieval/ranking changes)npm run eval:rag -- --limit 15+npm run eval:quality -- --rag-only(not applicable: no answer-generation changes)npm run check:production-readiness(run locally; environment-blocked by the isolated worktree's intentionally absent Supabase/OpenAI variables)npm run check:deployment-readiness(not run; production startup requires credentials and no deployment was requested)Completed local evidence:
Clinical Governance Preflight
Clinical KB Database(sjrfecxgysukkwxsowpy)Notes
docs/branch-review-ledger.md.Summary by CodeRabbit
test:e2e:pwa).