Files
ttrpg_manager/vite.config.ts
T
NilsBriggen a8cb7d65f4 Phase 18: internet realtime collaboration (GM-authoritative) + server
- Shared Zod wire protocol (src/lib/sync/messages.ts): hosted/joined/snapshot/
  mapImage/error; player-safe projections only (enemy HP masked on the GM before
  broadcast via src/lib/combat/playerProjection.ts).
- wsSync adapter (src/lib/sync/wsSync.ts) behind the existing SyncAdapter seam:
  GM hostSession + debounced snapshot broadcast (useSessionBroadcaster), player
  joinSession into an ephemeral playerSessionStore, exponential-backoff reconnect
  with seamless room resume (GM secret). localSync remains the offline default.
- buildSnapshot (src/lib/sync/snapshot.ts) reuses the same projection as the local
  /play view, guaranteeing parity. Player view refactored into shared PlayerBoards;
  /play?room=CODE = networked read-only mode.
- SessionControl in the header: Host (optional password) → shareable room code/link.
- Server (server/): Fastify + @fastify/websocket + @fastify/static, in-memory
  GM-authoritative rooms (crypto room id/secret hashed, optional join password,
  TTL sweep, players strictly read-only), origin allowlist, per-frame size cap +
  rate limit, Zod validation. esbuild bundle (server/build.mjs), tsconfig.server.json.
- Dockerfile (multi-stage) + deploy/ttrpg.compose.yml (own project on external
  'proxy' net, Traefik labels for ttrpg.briggen.dev, non-root, no-new-privileges).
  CSP connect-src now allows same-origin wss:.

Tests: protocol round-trip, room hub (auth/password/resume/TTL/read-only), enemy
masking, Fastify+ws integration (host→join→snapshot, player push rejected), and a
two-context Playwright realtime spec (separate config) — GM hosts, player device
sees live combat with masked enemy HP.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 10:49:31 +02:00

63 lines
2.2 KiB
TypeScript

import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';
import tailwindcss from '@tailwindcss/vite';
import { VitePWA } from 'vite-plugin-pwa';
import { fileURLToPath, URL } from 'node:url';
// Strict CSP injected at build time only. In dev, Vite's react-refresh needs
// inline scripts, so we leave the placeholder empty there.
// connect-src allows any HTTPS endpoint plus localhost so the bring-your-own-key
// assistant can reach cloud providers (Anthropic/OpenAI/OpenRouter/…) and local
// models (Ollama/LM Studio). Everything else stays locked to 'self'.
const PROD_CSP =
"default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; " +
"script-src 'self'; connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*; " +
"font-src 'self' data:; worker-src 'self' blob:; " +
"manifest-src 'self'; object-src 'none'; base-uri 'self'";
function cspPlugin() {
return {
name: 'inject-csp',
transformIndexHtml(html: string) {
const tag = `<meta http-equiv="Content-Security-Policy" content="${PROD_CSP}" />`;
return html.replace('<!--CSP-PLACEHOLDER-->', tag);
},
apply: 'build' as const,
};
}
export default defineConfig({
plugins: [
react(),
tailwindcss(),
cspPlugin(),
VitePWA({
registerType: 'prompt',
includeAssets: ['favicon.svg'],
manifest: {
name: 'TTRPG Manager',
short_name: 'TTRPG',
description: 'A local-first manager for D&D 5e and Pathfinder 2e campaigns.',
theme_color: '#0f0f17',
background_color: '#0f0f17',
display: 'standalone',
icons: [
{ src: 'pwa-192x192.png', sizes: '192x192', type: 'image/png' },
{ src: 'pwa-512x512.png', sizes: '512x512', type: 'image/png' },
{ src: 'pwa-512x512.png', sizes: '512x512', type: 'image/png', purpose: 'maskable' },
],
},
workbox: {
globPatterns: ['**/*.{js,css,html,svg,png,woff2}'],
// SRD data chunks can be large; allow them to be precached.
maximumFileSizeToCacheInBytes: 6 * 1024 * 1024,
},
}),
],
resolve: {
alias: {
'@': fileURLToPath(new URL('./src', import.meta.url)),
},
},
});