Commit ad228e7

docs: fix AGENTS.md inaccuracies (feature-flags path, CSP location, coverage)
1 parent c47878a commit ad228e7

1 file changed

Lines changed: 7 additions & 6 deletions

AGENTS.md

@@ -49,8 +49,9 @@ ORM + `postgres.js` on PostgreSQL 18 · Vitest + Playwright · Yivi/IRMA auth.
4949
## Config
5050

5151
- Read env via `$env/dynamic/private` (server) — never hardcode.
52-
- **Feature flags** are `FF_*` env vars resolved in `src/lib/server/feature-flags.ts`;
53-
in dev they can also be toggled at runtime from the admin settings page.
52+
- **Feature flags** are `FF_*` env vars resolved in `src/lib/feature-flags.ts`
53+
(imported as `$lib/feature-flags`); in dev they can also be toggled at runtime
54+
from the admin settings page.
5455
- Required vars fail fast at startup (e.g. `DATABASE_URL`).
5556

5657
## Database & migrations
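
Review bot: The corrected path on new lines 52-54, `src/lib/feature-flags.ts`, sits outside `src/lib/server/`, so the module does not get the server-only import guard SvelteKit applies to `$lib/server`, while the bullet on line 51 still says env is read via `$env/dynamic/private` (server). Please say in this bullet whether `$lib/feature-flags` may be imported from client code or is server-only despite its location, so a reader does not assume `FF_*` values stay private or try to pull private env into a client bundle. The runtime toggle from the admin settings page is described as dev-only; a short pointer to what enforces that restriction would also help.
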
@@ -74,17 +75,17 @@ ORM + `postgres.js` on PostgreSQL 18 · Vitest + Playwright · Yivi/IRMA auth.
7475
- **Demo vs prod attributes**: `YIVI_DEMO_ATTRIBUTES=true` uses the `irma-demo`
7576
scheme; unset uses the `pbdf` production scheme.
7677
- **API keys** are SHA-256-hashed; the plaintext prefix is shown once at creation.
77-
- Security headers + a report-only **CSP** are set in `hooks.server.ts`; CSP
78-
violations post to `/api/csp-report`.
78+
- Non-CSP security headers (X-Frame-Options, X-Content-Type-Options,
79+
Referrer-Policy, Permissions-Policy) are set in `hooks.server.ts`. The
80+
report-only **CSP** is configured in `svelte.config.js` (`kit.csp.reportOnly`)
81+
and posts violations to `/api/csp-report`.
7982
- **Report vulnerabilities privately** — see [`SECURITY.md`](SECURITY.md), not public issues.
8083

8184
## Testing
8285

8386
- Unit tests: `tests/unit/**` (and colocated `*.test.ts`), node env. Mock
8487
server deps with `vi.mock` + `vi.hoisted` (see `tests/unit/dns-verification.test.ts`).
8588
- E2E: `tests/e2e/**/*.e2e.ts` (Playwright). CI runs both against a real Postgres.
86-
- Coverage is gated (`vitest --coverage`) over `src/lib/**` (migrations excluded);
87-
keep it above the floor in `vite.config.ts` and ratchet it up when you can.
8889

8990
## CI / releases
9091

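
Review bot: The coverage bullet on old lines 86-87 is deleted with no replacement, so the Testing section no longer says whether coverage is gated at all; if there is no gate, state that in one line (or give the correct location of the threshold) instead of leaving it unstated. On the CSP bullet (new lines 78-81), consider adding that a report-only policy only reports violations and does not block them, so nobody reads `kit.csp.reportOnly` as enforcement, and that header audits now need to cover both `hooks.server.ts` and `svelte.config.js`.
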