Add production readiness audit and infrastructure scaffolding#1
Closed
Rajiv-Rago wants to merge 41 commits intomainfrom
Closed
Add production readiness audit and infrastructure scaffolding#1Rajiv-Rago wants to merge 41 commits intomainfrom
Rajiv-Rago wants to merge 41 commits intomainfrom
Conversation
- Add CLAUDE.md with project overview, commands, architecture docs - Fix package.json bug where duplicate scripts keys caused dev/build/start/lint to be overwritten Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add database models: Course, Module, Lesson, Assignment, Submission, AIChatSession, AIGeneratedContent - Enhance User model with bcrypt password hashing and role-based access - Implement JWT authentication with HTTP-only cookies - Create AI provider abstraction supporting OpenAI and Anthropic - Add AI tutor service for contextual Q&A - Add AI content generator for quizzes, summaries, practice problems - Build complete REST API for courses, modules, lessons, assignments - Add enrollment, grading, and gradebook functionality - Create auth pages (login, register) - Create dashboard with role-based views - Build course management UI for teachers - Implement assignment submission and grading workflow - Add AI tutor chat interface - Add AI content generation with approval workflow - Update landing page with feature highlights Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add DatabaseConnectionError class for typed error handling - Add connection timeouts (5s server selection, 10s connect) to fail fast - Reset cached connection on failure to allow retries - Return 503 with specific error message for DB connection issues Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Enable students to create self-study courses using AI: - Add Gemini as new AI provider with @google/generative-ai SDK - Extend Course, Module, Lesson models with AI generation fields - Create SyllabusGeneratorService for course structure generation - Create LessonContentGeneratorService for on-demand content - Add AIGenerationLog model for tracking AI generations - Add API endpoints for syllabus generation, content generation - Update authorization to allow students to create AI courses Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create lib/ai/utils with providerResolver, jsonParser, and promptUtils - Create lib/validation/aiSchemas with shared Zod schemas - Create lib/utils with aiGenerationLogger and moduleStatusUpdater helpers - Fix race condition: module status now recalculates even on errors - Add syllabus status validation before content generation - Add previousLessonsSummary size limit (2000 chars) to prevent prompt bloat - Optimize PATCH endpoint with batch queries instead of N+1 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /courses/new/ai page with form for AI-generated courses - Add topic input, level select, duration, and optional context fields - Include collapsible advanced settings for provider/model override - Add multi-phase progress indicator during course generation - Update dashboard with AI course creation buttons for teachers/students - Update courses page header with AI creation option - Add AI promotion banner to manual course creation page - Use purple-to-blue gradient styling to distinguish AI features Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Extend Assignment model with assignmentType (standard/quiz/project) - Add quiz questions, settings (time limit, shuffle, show answers) - Add project instructions and file upload settings - Extend Submission model with quiz attempts tracking and file uploads - Create quiz API routes for start/submit with auto-grading - Create file upload API routes with validation - Add quiz components (QuestionCard, QuestionBuilder, QuizTimer, QuizResults) - Add project components (FileUploader, FileList, InstructionsViewer) - Update assignments UI with type badges and filter tabs - Update gradebook to show assignment types - Unlimited quiz retakes with best score tracking Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
These providers were referenced in lib/ai/index.ts but not committed, causing build failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove insecure JWT_SECRET fallback — crash if env var is missing - Add Next.js edge middleware with rate limiting (in-memory Map), security headers, and auth redirect for dashboard routes - Add CSRF protection via X-Requested-With header check on mutations - Add X-Requested-With: XMLHttpRequest header to all frontend mutation fetches - Add verifyTokenForRefresh helper for token refresh (Phase 2) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…hase 2) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…cker, and CI - Create lib/env.ts with Zod schema validating all env vars at import time - Create lib/logger.ts with structured logging and captureException (Contract 6) - Add GET /api/health endpoint with version, uptime, and DB connection state - Update lib/db.ts to use env.ts and expose getConnectionStatus() - Add multi-stage Dockerfile, docker-compose.yml (app + MongoDB 7), .dockerignore - Add GitHub Actions CI pipeline (lint, typecheck, test, build) - Replace all console.error calls across 26 API routes with captureException Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…and utilities Set up test foundation with mongodb-memory-server, fixture factories, API request helpers, and mock AI provider. Added unit tests for JWT, provider resolver, JSON parser, and quiz grader. Added integration tests for auth (register, login, me) and courses (CRUD, enrollment). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Makefile with convenience commands for dev workflow (make up, make test, make prod, etc). Switch Dockerfile to Next.js standalone output for smaller production images. Add Docker Compose health checks and dev/prod profiles so `make up` runs only MongoDB while `make prod` containerizes everything. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Critical fixes: - C-1: Wire Session model into login/register/logout/refresh — sessions are now created on login/register, rotated on refresh, deleted on logout - C-2: Fix verifyTokenForRefresh to use jwt.verify with ignoreExpiration instead of jwt.decode (which skips signature verification) - C-3: Add email to reset-password request body and query, preventing cross-user password reset when multiple tokens are active - C-4: Remove plaintext reset token from console.log output High fixes: - H-1: Logout now deletes the session record from DB (token revocation) - H-5: Add requireCsrf() to all routes that call authenticate() directly (login, register, logout, refresh, forgot-password, reset-password, session revoke) Medium fixes: - M-3: Add dummy bcrypt hash on forgot-password "user not found" path to prevent timing-based user enumeration - M-4: Use atomic $inc for lockout counter to prevent TOCTOU race - M-5: Consolidate login/register Zod schemas into authSchemas.ts - M-8: Replace console.error with captureException in password routes - M-9: Extract shared getClientIp into lib/utils/request.ts (DRY) Low fixes: - L-2: Remove restrictive Mongoose enum on AuditLog.action, use TypeScript union type instead for extensibility - L-3: Rename REFRESH_GRACE_PERIOD to REFRESH_GRACE_PERIOD_SECONDS - L-5: Change Session.userAgent default from "" to "unknown" - M-2: Add JSDoc warning to decodeToken about missing signature check Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The test helper's buildRequest function now includes the X-Requested-With: XMLHttpRequest header on mutation methods (POST, PUT, PATCH, DELETE) to satisfy the CSRF check added in the auth security hardening. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix captureException context key collision: rename formatError fields to errorName/errorMessage, rename caller key from message to operation across all 57 call sites (H1, M2) - Health endpoint: return 503 when DB disconnected, eagerly call dbConnect(), use process.uptime() instead of module-level timer (H2, H3, L2) - Fix misplaced import in files/route.ts — move to top of file (M1) - CI: add MongoDB healthcheck for service readiness, gate test/build on lint+typecheck with needs: (M3, M4) - Enforce JWT_SECRET minimum 32 characters in env validation (M6) - Add captureException to 3 missed auth routes: logout, sessions, sessions/[id] (L5) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…mode, and accessibility Phase 1: Toast system with auto-dismiss, confirmation dialogs with promise API, error boundaries (root + dashboard) with captureException, and loading skeleton components (card, table, text variants). Phase 2: Notification model with indexes, sendNotification() (Contract 4), notification API routes (list, mark read, SSE stream), NotificationBell UI with polling and unread badge. Triggers on enroll, submit, grade, and AI generate. Phase 3: Dark mode toggle with localStorage persistence and FOUC prevention, accessibility improvements (ARIA labels, semantic HTML, skip-to-content, focus trap, keyboard navigation), replaced native confirm() with async dialog, replaced spinners with skeletons, added toast feedback across all dashboard pages. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix test timeout by increasing default jest timeout to 15s. Add integration tests for assignment CRUD, submissions, and grading. Add model validation tests for User, Assignment, and Submission. Add unit tests for SyllabusGenerator, LessonContentGenerator, and AITutorService with mocked providers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces a 3-tier model selection system (Fast/Balanced/Powerful) as the primary UX for choosing AI models, with advanced override for specific provider+model. Each tier maps to an ordered preference list and resolves to the first provider with a configured API key. - Add tier catalog, resolver, and metadata (tierCatalog.ts) - Expand provider resolver to 6-level priority chain: request > tier > course prefs > user prefs > env vars > fallback - Add aiPreferences subdocument to User model - Add /api/ai/config and /api/users/preferences endpoints - Create reusable ModelSelector component with tier buttons - Add Settings page with AI preferences - Integrate ModelSelector into AI course creation, content generation, and AI tutor pages - Wire tier + user preferences through all AI API routes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…iting Centralizes model definitions in a registry with human-friendly display names (e.g. "GPT 4.1 Mini" instead of "gpt-4.1-mini-2025-04-14") and adds daily per-user rate limits to all AI endpoints to prevent unchecked API token consumption.
This file was created in a prior session but never committed. It's imported by tierCatalog, providerResolver, and the AI config route.
Includes job queue, storage adapters, cache, migrations, seed script, admin trash, user data export/delete, instrumentation, and updated model/route/env changes that were on disk but never committed.
After AI syllabus creation produces a course skeleton, users can now generate lesson content via a dedicated dashboard. Adds a multi-job polling hook, a batch generate-all API endpoint, and a content management page with progress tracking, status badges, and per-module/ lesson generation controls. Course detail page shows AI content banner and status dots. Syllabus creation now redirects to the dashboard.
The dynamic import() of AI handlers was fire-and-forget, creating a race condition where SyncShim.enqueueJob() called getHandler() before handlers were registered. Export handlersReady promise and await it in both SyncShim and worker before looking up handlers.
Remove the separate module detail page and AI content dashboard, consolidating both into the course detail page. Modules are now expandable with inline edit/delete/publish and add-lesson forms. AI generation toolbar with model selector, progress bar, batch selection, and per-item generate buttons lives directly on the course page. Old URLs redirect to preserve bookmarks.
…tions Replace role-based AI rate limiting with subscription tiers (free/plus/admin) and two currencies: questions (AI tutor chat) and credits (content generation). Credits support variable cost — module generation charges 1 credit per lesson.
Support revision requests when regenerating lesson content by passing user feedback and previous content to the LLM. Also expose courseType in the lesson GET response.
Comprehensive audit of 13 categories: legal/compliance pages, security posture, email/transactional, payments, SEO, monitoring, analytics, DevOps, accessibility, performance, account management, admin tools, and static pages. Identifies 24 items across 3 priority tiers. https://claude.ai/code/session_01H4vpUYToUaNfQk38D8cmdR
- Email service (lib/email/) with provider interface and console default; SendGrid, SES, and Resend scaffolds ready for npm install + env config - Rate limit store (lib/rateLimit/) with memory default and Redis scaffold; middleware refactored to use the new async store abstraction - Forgot-password route wired to email service (replaces console.log) - New env vars: EMAIL_PROVIDER, RATE_LIMIT_STORE, APP_URL, APP_NAME - docs/INFRASTRUCTURE_SETUP.md: step-by-step guide for activating both - docs/PAGINATION_PLAN.md: endpoint inventory and migration strategy https://claude.ai/code/session_01H4vpUYToUaNfQk38D8cmdR
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
- Create shared parsePagination/paginationMeta utility (lib/utils/pagination.ts)
- Add pagination to 4 previously-unbounded endpoints:
modules (default 50), lessons (50), admin/trash (20), auth/sessions (50)
- Normalize all 11 list endpoints to consistent { data, pagination } response shape
(gradebook keeps composite shape as exception)
- Update 6 frontend consumers for response key renames
- Update 3 integration test files for new response keys
- All endpoints now enforce max-limit caps
https://claude.ai/code/session_01H4vpUYToUaNfQk38D8cmdR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds comprehensive production readiness documentation and scaffolds two critical infrastructure systems: email notifications and distributed rate limiting. Both systems ship with zero-dependency defaults (console logger / in-memory store) and can be upgraded to production backends via environment variables.
Key Changes
Documentation
Email Service (lib/email/)
EmailProviderinterface,EmailMessage, andSendResulttypessendEmail()entry point with provider resolution and singleton caching@sendgrid/mail)@aws-sdk/client-ses)resend)Rate Limiting (lib/rateLimit/)
RateLimitStoreinterface,RateLimitConfig, andRateLimitCheckResulttypescheckRateLimit()entry point with store resolution, singleton caching, and centralized rule configurationioredis)Integration
checkRateLimit()fromlib/rateLimit; removed 60 lines of inline rate limiting logicsendEmail()to send password reset emails (previously logged to console)EMAIL_PROVIDER,EMAIL_FROM_ADDRESS,SENDGRID_API_KEY,RESEND_API_KEY,AWS_REGION,APP_URL,APP_NAME)Implementation Details
require()so dependencies are only needed when that provider is activeNotes
The audit identifies several production blockers (email service, payment integration, legal pages, analytics) that are now partially addressed by this infrastructure scaffolding. Email service is now functional; payment and legal pages remain out of scope for this PR.
https://claude.ai/code/session_01H4vpUYToUaNfQk38D8cmdR