What's Changed
- fix(ci): skip deployment for npm package releases by @KyleTryon in #66
- fix(ci): support @tuvixrss/tricorder@* tag format for npm publishing by @KyleTryon in #67
- fix(ci): trigger npm publish on GitHub release creation by @KyleTryon in #68
- fix(ci): extract version from tag and update package.json during publish by @KyleTryon in #69
- fix(tricorder): correct repository URL for provenance verification by @KyleTryon in #70
- Dev by @KyleTryon in #73
PR #73: Observability & Docker Infrastructure
Major Features:
🔍 Comprehensive Observability & Monitoring
- Authentication tracking: Added Sentry spans, breadcrumbs, and security audit logging throughout login, signup, password reset, and email verification flows
- Email monitoring: Implemented fire-and-forget span tracking for verification and welcome emails to ensure delivery visibility without blocking user flows
- Batch operations: Added monitoring for mark read/unread operations with performance tracking
- RSS feed resilience: Automatic retry logic for transient failures (502/503/504/429) with exponential backoff
- OPML import tracking: Full transaction monitoring with per-feed success/failure tracking and success rate metrics
- OpenGraph image fetching: Added span tracking with domain-based metrics for error pattern analysis
🐳 Docker Infrastructure Overhaul
- Multi-stage builds: Optimized Docker images with proper workspace support
- Security hardening: All containers run as a non-root user (uid 1001)
- Non-privileged ports: Nginx app container uses port 8080 instead of 80
- Health checks: Comprehensive health monitoring with proper timing (API: 30s start period, App: explicit IPv4 checks)
- CI/CD testing: Full Docker build and test workflow with security verification
- Permission handling: Proper SQLite database permissions for containerized deployment
- Environment flexibility: DATABASE_PATH respects environment variables for CI vs local dev
🔐 Security Improvements
- Audit logging fix: Repaired completely non-functional security audit logging (added SQL DEFAULT to fix silent failures)
- Request metadata: Extracted header parsing utility to normalize authentication metadata collection
- Admin dashboard: Added emailVerified field to user management for accurate status tracking
📚 Documentation
- URL updates: Fixed all subscription URLs from old feedsmith.dev to feed.tuvix.app
- Browser extension: Added Tuvix Tricorder Extension section to README
- Claude Code config: Team-wide AI development settings with security guardrails
- Deployment guide: Updated Docker deployment documentation
Technical Improvements:
- Separated fetch errors from parse errors in retry logic (parse errors throw immediately)
- Fixed header extraction to preserve undefined values correctly
- Added explicit type annotations for dynamic imports
- Consolidated security module imports
- Extracted retry constants (MAX_RETRIES, RETRY_DELAY_MS, TRANSIENT_STATUS_CODES)
- Fixed migration statement separators for better-sqlite3 compatibility
Bug Fixes:
- Fixed incorrect security action type for failed password resets
- Fixed admin dashboard showing unverified users as "active"
- Fixed gitignore patterns for wrangler.toml files
- Resolved TypeScript unsafe call errors with proper imports
- Fixed null domain handling in Sentry attributes
- Added TRPCError rethrow guards to prevent parse errors from being retried
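The retry behaviour described in these notes (RSS feed resilience with backoff on 502/503/504/429, fetch errors separated from parse errors, the extracted MAX_RETRIES / RETRY_DELAY_MS / TRANSIENT_STATUS_CODES constants, and a rethrow guard so parse errors are never retried) can be shown in one place. The block below is an added illustration, not TuvixRSS's own fetcher: the `Fetcher` and `Sleeper` interfaces, the `FeedFetchError` and `FeedParseError` classes, and the line-based stand-in for feed parsing are all assumptions made for this example, and the constant values are constructed rather than taken from the project.

```typescript
// Added example (not TuvixRSS code): retry transient HTTP failures with exponential
// backoff, but let deterministic parse errors propagate on the first attempt.

// Constants in the style the release notes describe; the values here are constructed.
export const MAX_RETRIES = 3;
export const RETRY_DELAY_MS = 500;
export const TRANSIENT_STATUS_CODES: ReadonlySet<number> = new Set([429, 502, 503, 504]);

// Assumed error types: one for the transport layer, one for the parser.
export class FeedFetchError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.name = "FeedFetchError";
    this.status = status;
  }
}
export class FeedParseError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "FeedParseError";
  }
}

// Assumed interfaces so the network and the clock can be injected (and faked in tests).
export interface FetchResult { status: number; body: string }
export type Fetcher = (url: string) => Promise<FetchResult>;
export type Sleeper = (ms: number) => Promise<void>;
export interface Feed { title: string; items: string[] }

// Only a fetch-layer error with a status in the transient set qualifies for a retry.
export function isTransient(err: unknown): boolean {
  return err instanceof FeedFetchError && TRANSIENT_STATUS_CODES.has(err.status);
}

// Exponential backoff: attempt 0 waits RETRY_DELAY_MS, attempt 1 twice that, and so on.
export function backoffDelay(attempt: number): number {
  return RETRY_DELAY_MS * Math.pow(2, attempt);
}

// Stand-in parser for a constructed line-based format (not real RSS/Atom parsing):
// first line must be "FEED", second is the title, remaining lines are items.
export function parseFeed(body: string): Feed {
  const lines = body.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
  if (lines[0] !== "FEED") throw new FeedParseError("missing FEED header");
  return { title: lines[1] ?? "", items: lines.slice(2) };
}

const realSleep: Sleeper = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

export async function fetchFeedWithRetry(
  url: string,
  fetcher: Fetcher,
  sleep: Sleeper = realSleep,
): Promise<{ feed: Feed; attempts: number }> {
  for (let attempt = 0; ; attempt++) {
    try {
      const res = await fetcher(url);
      if (res.status >= 400) throw new FeedFetchError(res.status, `HTTP ${res.status} from ${url}`);
      return { feed: parseFeed(res.body), attempts: attempt + 1 };
    } catch (err) {
      // Rethrow guard: a parse failure is deterministic, so retrying would only
      // repeat it (the role the notes give to the TRPCError guards).
      if (err instanceof FeedParseError) throw err;
      // Non-transient statuses (e.g. 404) and exhausted budgets also surface immediately.
      if (!isTransient(err) || attempt >= MAX_RETRIES) throw err;
      await sleep(backoffDelay(attempt));
    }
  }
}

// Constructed scenario: two 503 responses, then a valid body. Returns what a caller
// would observe so the behaviour can be checked without a network or a real clock.
export async function demo(): Promise<{ attempts: number; delays: number[]; title: string }> {
  const responses: FetchResult[] = [
    { status: 503, body: "" },
    { status: 503, body: "" },
    { status: 200, body: "FEED\nExample Feed\nfirst item\nsecond item" },
  ];
  const fetcher: Fetcher = async () => responses.shift() ?? { status: 500, body: "" };
  const delays: number[] = [];
  const sleep: Sleeper = async (ms) => { delays.push(ms); };
  const { feed, attempts } = await fetchFeedWithRetry("https://example.invalid/feed.xml", fetcher, sleep);
  return { attempts, delays, title: feed.title };
}
```

The fetch and the parse sit in the same `try` on purpose: one `catch` sees both kinds of failure, and the order of the guards is what makes the policy explicit (parse errors first, then the transient/budget check). Injecting `sleep` keeps the backoff schedule observable in tests instead of hidden behind real delays.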
Files Changed: 50+ files across authentication, Docker infrastructure, CI/CD, monitoring, and documentation
Impact: This PR establishes production-grade observability and containerized deployment capabilities for TuvixRSS.
Full Changelog: v0.4.1...v0.4.2