Ilia Denisov
69fa6b30e1
Adds tools/local-dev/ with postgres + redis + mailpit + backend + gateway plus a Make wrapper, so `make -C tools/local-dev up` brings the full authenticated stack online and `pnpm -C ui/frontend dev` talks to it directly. The committed `.env.development` already points at the stack and pins the matching gateway response public key from the dev keypair under tools/local-dev/keys/. The backend ships a new opt-in env, BACKEND_AUTH_DEV_FIXED_CODE (`tools/local-dev/.env` defaults it to 123456). When set, ConfirmEmailCode accepts that literal in addition to the real bcrypt-verified code; SendEmailCode still queues a real email so Mailpit captures the issued code at http://localhost:8025/, and both paths coexist. The override is rejected as non-six-digit by config validation and emits a loud warning at backend startup. The local-dev Dockerfiles mirror backend/Dockerfile and gateway/Dockerfile but switch the runtime stage to alpine so docker-compose healthchecks can wget /healthz; the gateway Dockerfile additionally copies ui/core/ into the build context because gateway/go.mod's `replace galaxy/core => ../ui/core` is required to compile the gateway main. Smoke tested: - `make -C tools/local-dev up` boots all five services to healthy. - send-email-code + confirm-email-code with code=123456 returns a device_session_id; a real code in Mailpit also redeems successfully. - `pnpm test` 14/14, `pnpm exec playwright test` 44/44. - `go test ./backend/internal/config/...` green. Docs: tools/local-dev/README.md, tools/local-dev/keys/README.md, new "Local development stack" section in ui/docs/testing.md, and a short pointer in ui/README.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
tools/local-dev/keys/
DEV-ONLY cryptographic material used by the tools/local-dev/ stack.
Never use any key in this directory in a non-local environment.
Files
gateway-response.pem— gateway response-signing private key, PKCS#8 PEM, Ed25519. Mounted into the gateway container at/run/secrets/gateway-response.pemand pointed to viaGATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH.gateway-response.pub— matching raw 32-byte public key, standard base64. Copied verbatim intoui/frontend/.env.developmentasVITE_GATEWAY_RESPONSE_PUBLIC_KEY.
Regenerating
The keypair is committed because it must be deterministic across
developer checkouts (the UI's .env.development ships the exact
base64 of the public half). Rotate only when a leak is suspected; the
keys never reach a non-local environment in normal operation.
To regenerate from a Go one-shot:
cd tools/local-dev/keys
go run ./regenerate.go
The helper writes a fresh PEM, prints the matching public-key base64,
and updates gateway-response.pub. After regeneration, copy the new
VITE_GATEWAY_RESPONSE_PUBLIC_KEY value from gateway-response.pub
into ui/frontend/.env.development and commit both changes together.