@@ -49,8 +49,9 @@ ORM + `postgres.js` on PostgreSQL 18 · Vitest + Playwright · Yivi/IRMA auth.
4949## Config
5050
5151- Read env via ` $env/dynamic/private ` (server) — never hardcode.
52- - ** Feature flags** are ` FF_* ` env vars resolved in ` src/lib/server/feature-flags.ts ` ;
53- in dev they can also be toggled at runtime from the admin settings page.
52+ - ** Feature flags** are ` FF_* ` env vars resolved in ` src/lib/feature-flags.ts `
53+ (imported as ` $lib/feature-flags ` ); in dev they can also be toggled at runtime
54+ from the admin settings page.
5455- Required vars fail fast at startup (e.g. ` DATABASE_URL ` ).
5556
5657## Database & migrations
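Review bot: the feature-flags bullet now points at `src/lib/feature-flags.ts` (importable as `$lib/feature-flags`) instead of `src/lib/server/feature-flags.ts`, but the bullet two lines above still says env is read via `$env/dynamic/private`, which is server-only. Moving the module out of `server/` removes SvelteKit's guard against it being imported from client code, so the doc should state how the resolver stays server-side (or that the flag list and the env-backed resolver are split), otherwise a reader may import `$lib/feature-flags` from a component and hit a build error, or worse, expect `FF_*` values in the browser. Suggest adding "(server-only; flag values never reach the client)" or keeping the `server/` path in the text.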
@@ -74,17 +75,17 @@ ORM + `postgres.js` on PostgreSQL 18 · Vitest + Playwright · Yivi/IRMA auth.
7475- ** Demo vs prod attributes** : ` YIVI_DEMO_ATTRIBUTES=true ` uses the ` irma-demo `
7576 scheme; unset uses the ` pbdf ` production scheme.
7677- ** API keys** are SHA-256-hashed; the plaintext prefix is shown once at creation.
77- - Security headers + a report-only ** CSP** are set in ` hooks.server.ts ` ; CSP
78- violations post to ` /api/csp-report ` .
78+ - Non-CSP security headers (X-Frame-Options, X-Content-Type-Options,
79+ Referrer-Policy, Permissions-Policy) are set in ` hooks.server.ts ` . The
80+ report-only ** CSP** is configured in ` svelte.config.js ` (` kit.csp.reportOnly ` )
81+ and posts violations to ` /api/csp-report ` .
7982- ** Report vulnerabilities privately** — see [ ` SECURITY.md ` ] ( SECURITY.md ) , not public issues.
8083
8184## Testing
8285
8386- Unit tests: ` tests/unit/** ` (and colocated ` *.test.ts ` ), node env. Mock
8487 server deps with ` vi.mock ` + ` vi.hoisted ` (see ` tests/unit/dns-verification.test.ts ` ).
8588- E2E: ` tests/e2e/**/*.e2e.ts ` (Playwright). CI runs both against a real Postgres.
86- - Coverage is gated (` vitest --coverage ` ) over ` src/lib/** ` (migrations excluded);
87- keep it above the floor in ` vite.config.ts ` and ratchet it up when you can.
8889
8990## CI / releases
9091
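Review bot: the Testing section deletes the coverage-gate bullet (`vitest --coverage` over `src/lib/**`, floor in `vite.config.ts`) with no replacement, so the doc no longer says whether coverage is still enforced in CI. If the gate was removed from `vite.config.ts`, say so in the commit message or in the section; if it still exists, keep the two lines. On the CSP change, the new text says the report-only policy "posts violations to `/api/csp-report`", but `kit.csp.reportOnly` in `svelte.config.js` only does that if a `report-uri`/`report-to` directive is included in that config, so it would help to mention that the endpoint is wired through that directive rather than through `hooks.server.ts` as before.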