4 changes: 4 additions & 0 deletions .env.example
@@ -132,3 +132,7 @@ ENABLE_SWAGGER=true

# Enable CORS (for local development)
CORS_ORIGIN=http://localhost:3000

# Admin API key for operational endpoints (/api/queues/*, /api/embeddings/*, tmdb imports)
# Required header: X-Admin-Api-Key. Generate: openssl rand -hex 32
ADMIN_API_KEY=your_admin_api_key_here
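Review bot: `ADMIN_API_KEY=your_admin_api_key_here` is a non-empty value, so a guard that only checks "env var set and equal to the `X-Admin-Api-Key` header" will accept a publicly known string on any deployment that copies this file to `.env` unchanged. Since CLAUDE.md in this PR calls `AdminApiKeyGuard` fail-closed, suggest the guard (or a startup check) also refuses the literal placeholder and anything shorter than the 64 hex characters `openssl rand -hex 32` produces, and compares the header with a constant-time function such as Node's `crypto.timingSafeEqual` rather than `===`.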
12 changes: 8 additions & 4 deletions .gitignore
@@ -8,10 +8,14 @@ node_modules

# Local env files
.env
.env.local
.env.development.local
.env.test.local
.env.production.local
.env.*
!.env.example

# Logs
*.log

# Claude Code local state (worktrees, etc.)
.claude/

# Testing
coverage
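Review bot: the widened `.env.*` rule with `!.env.example` after it is ordered correctly (the negation has to follow the wildcard it carves out of), but ignore rules only affect untracked files: any `.env.*`, `*.log` or `.claude/` content already committed stays in the repository until it is removed from the index with `git rm --cached`. CURRENT_STATUS.md in this same PR lists committed log files as P0 debt item 5, so pair this change with that removal, and check history for any previously committed `.env.*` file; if one exists, the key rotation remains necessary whatever the ignore rule says.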
42 changes: 42 additions & 0 deletions CLAUDE.md
@@ -0,0 +1,42 @@
# CLAUDE.md — контекст проекта для Claude Code

Этот файл коммитится в git и служит переносимой «памятью» между машинами/сессиями.

## Что это за проект
Movie Recommendr — портфолио-проект: рекомендации фильмов/сериалов с AI (RAG, pgvector embeddings, GPT-чат). Монорепо pnpm + Turbo.

- `apps/api` — NestJS 11 (port 3001), Supabase (PostgreSQL + pgvector), BullMQ + Redis, OpenAI
- `apps/web` — Next.js 14 App Router (port 3002), React Query, next-intl (en/ru/uk), Supabase Auth
- `packages/db` — Supabase клиенты (`supabase` service-key, `supabaseAnon`) + generated types
- `packages/ai` — OpenAI обёртка
- Production: API на Railway, Web на Vercel

## Ключевые документы (читать в этом порядке)
1. `SESSION_RESUME.md` — текущее состояние и следующий шаг (обновлять в конце сессии!)
2. `IMPROVEMENTS.md` — ЕДИНСТВЕННЫЙ живой план (приоритеты P0–P4, разделы 17–19 добавлены при ревизии)
3. `docs/PROJECT_REVIEW_2026-06-11.md` — полное ревью архитектуры и проблем
4. `docs/superpowers/specs/2026-05-01-smart-search-design.md` — спека smart-search (Phase 1 в работе)
5. `WORKFLOW_RULES.md` — процессные правила (новые фичи: сначала показать код, ждать подтверждения; багфиксы и docs — можно сразу)
6. ROADMAP.md, NEW_IMPROVEMENTS_SUMMARY.md — архив, не использовать для планирования

## Команды
```bash
pnpm dev # из apps/api или apps/web (нужен Redis: redis://localhost:6379)
pnpm build # сборка
pnpm test # jest (apps/api)
npx tsc --noEmit # typecheck
```
Env загружается из корневого `.env` (см. `.env.example`; в т.ч. ADMIN_API_KEY).

## Безопасность (внедрено 2026-06-11, ветка security/p0-hardening)
- `/api/queues/*`, `/api/embeddings/*`, import-POST'ы `/api/tmdb/*` — guard `AdminApiKeyGuard` (заголовок `X-Admin-Api-Key` = env `ADMIN_API_KEY`, fail-closed)
- watchlist/chat/recommendations(кроме popular)/users — `SupabaseAuthGuard`: user_id берётся ТОЛЬКО из JWT (`@CurrentUser()`), никогда из query/body
- Rate limiting: глобально 100/мин (env RATE_LIMIT_*), chat 10/мин, search 30/мин
- Глобальный ValidationPipe (whitelist+transform) + DTO в `*/dto/`
- При добавлении новых эндпоинтов СОХРАНЯТЬ эти паттерны

## Известные ловушки
- `apps/api/src/queues/processors/imdb-update.processor.ts` — НЕ компилируется (вызывает несуществующие методы tmdbService.updateMoviesImdbIds/updateTvShowsImdbIds). Это WIP для IMPROVEMENTS §15. Не регистрирован в модуле. Перед `nest build` учитывать.
- Тестов мало (26); TDD обязателен для нового кода (superpowers skill)
- Миграции в репо неполные — БД не воспроизводится с нуля (см. review §2.5)
- KEY_ROTATION_GUIDE.md и SECURITY_AUDIT_REPORT.md упомянуты в IMPROVEMENTS, но в репо отсутствуют; актуальный чеклист: `docs/KEY_ROTATION_CHECKLIST.md`
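Review bot: the "Известные ловушки" entry says `apps/api/src/queues/processors/imdb-update.processor.ts` is in the tree and does not compile, while CURRENT_STATUS.md in this same PR says the processor is written but not committed; the two files should agree, because a checked-in file that fails to compile breaks `nest build` for every clone rather than being a note to "учитывать". The "Безопасность" section also documents the `X-Admin-Api-Key` equality check but not what the guard does when `ADMIN_API_KEY` is unset or still the `.env.example` placeholder; since the text calls it fail-closed, one sentence stating that all requests are denied in that case would make the "СОХРАНЯТЬ эти паттерны" rule checkable by a reviewer.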
94 changes: 38 additions & 56 deletions CURRENT_STATUS.md
@@ -1,79 +1,62 @@
# Movie Recommendr - Current Project Status

**Last Updated:** 2026-01-10
**Last Updated:** 2026-06-11 (ревизия — см. `docs/PROJECT_REVIEW_2026-06-11.md`)

---

## Overall Progress

```
Day 0: ████████████████████ 100% Complete
Day 1: ████████████████████ 100% Complete
Day 2: ████████████████████ 100% Complete
Day 3: ████████████████████ 100% Complete
Day 4: ████████████████████ 100% Complete
Day 5: ████████████████████ 100% Complete
Day 6-7: ████████████████████ 100% Complete
Day 8-10: ████████████████████ 100% Complete ✅
Day 11-12: ████████████████████ 100% Advanced AI Complete! ✅
Day 13-14: ████████████████████ 100% Deployment Complete! ✅
Improvements: ██████████░░░░░░░░░░ 50% In Progress
MVP (Day 0-14): ████████████████████ 100% Complete (deployed)
Localization: ████████████████░░░░ 80% (en/ru готовы; uk/pl UI и backfill переводов — нет)
TV Shows: ████████████████████ 100% (страницы, watchlist, API, infinite scroll)
Import queues: ██████████████████░░ 90% (ротация категорий есть; prod-расписание и алерты — нет)
Smart Search Ph.1: ████░░░░░░░░░░░░░░░░ 20% (types + RRF + 1 тест; extractor/retrieval — нет)
Security hardening: ░░░░░░░░░░░░░░░░░░░░ 0% 🔴 (нет guards/throttler/validation; ключи не ротированы)
CI/CD & Tests: █░░░░░░░░░░░░░░░░░░░ 5% (1 тест-файл, нет GitHub Actions)
Comment on lines +10 to +16

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Security progress claims are stale for this hardening PR.

Lines 15 and 39–44 still state guards/throttling/validation are absent, which conflicts with the current security-hardening changes in this PR. Update this snapshot so status and next steps reflect post-hardening state.

Also applies to: 37-44, 49-52

🤖 Prompt for AI Agents

```text
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CURRENT_STATUS.md` around lines 10 - 16, Update the "Security hardening"
snapshot in CURRENT_STATUS.md to reflect the changes introduced by this PR:
change the progress bar/percentage for "Security hardening" from 0% to the
appropriate completed percent, remove or revise the note "нет
guards/throttler/validation; ключи не ротированы", and replace the old "next
steps" content on the referenced blocks (lines around "Security hardening" and
the sections noted 37–44 and 49–52) with accurate post-hardening status and
remaining action items (e.g., completed guards/throttler/validation, key
rotation status, and any follow-up tasks).
```
Comment on lines 9 to 17

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language identifier to the fenced block.

The fenced block at Line 9 is missing a language tag (MD040).

Suggested patch

```diff
-```
+```text
 MVP (Day 0-14):     ████████████████████ 100% Complete (deployed)
 ...
-```
+```
```

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 9-9: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

```text
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CURRENT_STATUS.md` around lines 9 - 17, The fenced code block starting with
triple backticks and the lines beginning "MVP (Day 0-14): ..." is missing a
language identifier (MD040); update the opening fence from ``` to ```text (or
another appropriate language tag) so the block is properly annotated, e.g.,
change the line that reads ``` to ```text to satisfy the linter.
```

Source: Linters/SAST tools


---

## ✅ Search Autocomplete (Complete)

### What's Done:
- ✅ **Backend:** Added `autocomplete` method to `MoviesService` using fast SQL `ILIKE` search.
- ✅ **API Endpoint:** Created `GET /api/movies/autocomplete` (and verified route order priority).
- ✅ **Frontend Client:** Added `autocompleteMovies` to the API client.
- ✅ **React Hook:** Created `useAutocomplete` with debouncing and caching.
- ✅ **UI Component:** Completely overhauled `SearchBar.tsx` with a live suggestions dropdown, posters, and direct navigation.
> Примечание: ранее здесь значилось «Day 13-14 (Testing, CI/CD) — 100% Complete» — это не соответствовало действительности и исправлено при ревизии.

---

## ✅ Massive Data Import (Complete)
## ✅ Что работает (production)

### What's Done:
- ✅ **Years 1990-2024:** Performed a systematic import of the top 40 most popular movies for every year.
- ✅ **Total Database Size:** Successfully scaled the database from ~350 to **1675 movies**.
- ✅ **Embeddings:** All 1675 movies have vector embeddings generated for AI features.
- ✅ **Metadata:** Enriched metadata (cast, crew, keywords) imported for all new records.
- **Backend (Railway):** NestJS — movies, tv-shows, watchlist, recommendations, chat (RAG), embeddings, queues (BullMQ + Redis)
- **Frontend (Vercel):** Next.js 14 App Router — home, discover, movies/[id], tv-shows, tv-shows/[id], watchlist, recommendations, chat, auth; next-intl (en/ru)
- **База:** 1675+ фильмов + сериалы, 100% embeddings, translations JSON (en/ru/uk), import_progress + ротация категорий
- **Language support:** 11/11 API endpoints принимают `language`

---
## 🟡 В работе / частично

## ✅ Localization (Complete)
- **Smart Search Phase 1** — фундамент закоммичен (`apps/api/src/smart-search/`: types, RRF); остальной пайплайн по спеке не реализован
- **IMDb integration (#15)** — `imdb-update.processor.ts` написан, но не закоммичен; план в IMPROVEMENTS.md §15
- **Backfill переводов** — обновлено ~20 фильмов из 1675
- **Production cron-расписание импорта** — endpoints готовы, расписание не включено (см. PRODUCTION-QUICKSTART.md)

### What's Done:
- ✅ **Infrastructure:** Integrated `next-intl` for Next.js i18n support.
- ✅ **Routing:** Implemented locale-prefixed routing (e.g., `/en`, `/ru`) with a dynamic `[locale]` segment.
- ✅ **Middleware:** Unified Supabase auth session management with locale-aware routing.
- ✅ **Translations:** Created comprehensive translation files (`en.json`, `ru.json`) covering all app modules.
- ✅ **UI Components:** Localized global components including `Navbar`, `Navigation`, `MovieCard`, and `WatchlistButton`.
- ✅ **Pages:** Fully translated all core pages: Home, Discover, Movie Details, Watchlist, Recommendations, Chat, and Auth.
- ✅ **Language Switcher:** Added a functional EN/RU toggle in the navigation system.
## 🔴 Критические долги (P0 — см. IMPROVEMENTS.md §17)

---
1. Ротация exposed-ключей — **просрочена с 2026-01-16**
2. `/api/queues/*` (17 write-эндпоинтов) — без авторизации на публичном prod URL
3. User-эндпоинты принимают `user_id` параметром без проверки JWT
4. Нет rate limiting и ValidationPipe
5. Лог-файлы закоммичены в git; production-скрипты НЕ закоммичены

## 🎯 Next Improvements Priorities
---

**1. "Why This Movie?" UI (NEXT FOCUS):**
- Add explanation buttons to movie cards/details.
- Create modal for AI-generated reasoning using the `/api/movies/:id/explain` endpoint.
## 🎯 Next Steps (порядок — по приоритизации IMPROVEMENTS.md)

**2. Search Refinement:**
- Add filters for genres, release years, and ratings to the Discover page.
- Implement sorting options (popularity, rating, date).
1. **P0 Security hardening** (§17): ключи → guards → throttler → validation → гигиена репо
2. **P1 Инженерная база** (§18): GitHub Actions CI, тесты core-сервисов, Node 20 / Redis 6.2+, Sentry, учёт OpenAI-расходов
3. **P2 Продукт:** Smart Search Phase 1 до конца → Movie Explanations UI → backfill переводов

---

## 📊 Current Metrics

**Database:**
- Movies: 1675 (with 100% embedding coverage) ✅
- Tables: 5 (users, movies, user_watchlist, user_profiles, chat_messages)
- SQL Functions: 4 (vector search, profile updates)
**Database (9 таблиц):** movies, tv_shows, tv_seasons, tv_episodes, user_watchlist, user_tv_watchlist, user_profiles, chat_messages, import_progress

**Тесты:** 1 файл (`smart-search/__tests__/rrf.spec.ts`) — требуется расширение (§18.2)

---
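Review bot: "Критические долги" items 2–4 and the 0% "Security hardening" bar describe the queue endpoints as unauthenticated, `user_id` as taken from request parameters, and rate limiting and ValidationPipe as absent, while CLAUDE.md added in this same PR states all three are already in place on `security/p0-hardening`. The two files should not disagree within one commit: if the guards are merged, move items 2–4 into "Что работает" and leave item 1 (key rotation, overdue since 2026-01-16) as the open P0, since an exposed key stays usable until it is rotated no matter which guards are deployed; if they are not merged, the CLAUDE.md security section is what needs correcting.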

@@ -83,14 +66,13 @@ Improvements: ██████████░░░░░░░░░░ 50% I
# Backend
cd apps/api
export REDIS_URL=redis://localhost:6379
pnpm dev
pnpm dev # port 3001

# Frontend
cd apps/web
pnpm dev
pnpm dev # port 3002
```

---

## ✅ Day 0 - Preparation (Complete)
... (keep existing Day 0-14 logs if needed, but the above is the most relevant for resume)
**Production:**
- API: https://api-production-9141.up.railway.app
- Web: https://m-recommendr-web-ip4u.vercel.app
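Review bot: the line "... (keep existing Day 0-14 logs if needed, but the above is the most relevant for resume)" is an editorial placeholder left in the committed document; either restore the Day 0-14 log it refers to or delete the line. The "Production" block also publishes the Railway API base URL directly under a P0 list that, earlier in this same file, still describes `/api/queues/*` on that host as unauthorized; once the admin guard from this PR is confirmed deployed there, a short note next to the URL saying so would keep the status file from contradicting itself.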