Initiate backend setup

2026-04-04 23:13:04 -06:00
parent be88135a03
commit 331ed40234
5 changed files with 10 additions and 13 deletions
@@ -16,7 +16,7 @@ Use this if you **do not** have SSH or hosting access yet. Most engineering tick

 ### You do **not** need the server admin for

- **Tickets 1–8, 10:** Everything runs on your machine: `docker compose up -d postgres mailhog`, `.env.local`, `npm run dev`, `npx prisma migrate dev`. OTP email can use Mailhog or dev log (no real SMTP).
+- **Tickets 1–8, 10:** Everything runs on your machine: `docker compose up -d postgres mailhog`, `.env`, `npm run dev`, `npx prisma migrate dev`. OTP email can use Mailhog or dev log (no real SMTP).
 - **Verifying APIs:** Use `localhost` and the same Docker Postgres—no production host.

 ### The **first** time you need someone with hosting access
@@ -34,7 +34,7 @@ Ask the admin to provide (or do for you) the items below—**Ticket 12** turns t
 | **DNS for mail**     | Often **SPF/DKIM** so OTP messages are not spam—admin or whoever owns DNS.                                                                                       |
 | **TLS + hostname**   | HTTPS URL for the site; reverse proxy (nginx, Caddy, etc.) in front of Node.                                                                                     |
 | **Health check**     | Load balancer or platform should probe **`GET /api/health`** (or your chosen path).                                                                              |
-| **Secrets storage**  | Env vars or secret manager—never commit `.env.local`.                                                                                                            |
+| **Secrets storage**  | Env vars or secret manager—never commit `.env` with secrets.                                                                                                     |
 | **Backups**          | Postgres backup/restore for production (and ideally staging).                                                                                                    |

 Optional: **Docker image deploy** using the repo [Dockerfile](Dockerfile)—admin builds/pushes/runs the container with the env vars above.
@@ -126,7 +126,7 @@ Match the current API behavior; tighten as product evolves:

 ---

-**Step 1.** Copy `.env.example` to `.env.local`. Set `DATABASE_URL` and secrets (see file comments).
+**Step 1.** Copy `.env.example` to `.env`. Set `DATABASE_URL` and secrets (see file comments).

 **Step 2.** Start Postgres locally:

@@ -162,7 +162,7 @@ npm run dev

 **Step 9.** **Templates** (when ready): seed `RuleTemplate` rows; `GET /api/templates` is implemented.

-**Step 10.** **Frontend sync**: Set `NEXT_PUBLIC_ENABLE_BACKEND_SYNC=true` in `.env.local` for server drafts when logged in; `localStorage` remains fallback when off or anonymous.
+**Step 10.** **Frontend sync**: Set `NEXT_PUBLIC_ENABLE_BACKEND_SYNC=true` in `.env` for server drafts when logged in; `localStorage` remains fallback when off or anonymous.

 **Step 11.** **Web vitals:** Move off `.next` files—**prefer an external analytics or logging pipeline** (see §7). Use Postgres for vitals only as a deliberate ops choice.

@@ -173,7 +173,7 @@ npm run dev
 - **HTTPS** in staging/production; session cookie **Secure**.
 - **Rate-limit** OTP (in-memory OK for one instance; **shared store before multi-instance**—see §5).
 - **Hash** OTP codes and session tokens before storing; short OTP expiry.
- **Secrets** only in env / secret store — never commit `.env.local`.
+- **Secrets** only in env / secret store — never commit `.env` with real values.
 - **CORS:** prefer **same-origin** `/api/*`; if cross-origin, configure CORS and CSRF carefully.

 ---