Files

T

Ilia Denisov a89048f6c5 docs(ui): finalize MVP plan structure and de-archaeologize topic docs

MVP web client (Phases 1-30) is complete; reorganize planning + living docs around that.

- PLAN.md kept as the staged MVP record (1-30) with a status block + pointers; removed the 31-36 stages, regression scenarios, and deferred-TODO section (moved out); fixed a stale cross-machine plan path.

- ui/PLAN-finalize.md (new): active web-finalization plan in 8 stages (visual system, a11y, i18n, error UX, PWA, build hygiene, docs, owner manual-QA loop); absorbs former Phases 33 and 35.

- ui/ROADMAP.md (new): post-MVP (Wails, Capacitor, realistic projection, acceptance + regression scenarios) and triaged deferred follow-ups.

- ui/docs/README.md (new): grouped topic-doc index.

- De-archaeologized all 20 ui/docs topic docs + ui/README.md + ui/core/README.md: stripped Phase-N build history, rewritten as current-state; deferred work now points at ROADMAP.md / PLAN-finalize.md. Docs-only; no code change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-21 23:17:51 +02:00

4.7 KiB

Raw Blame History

UI events stream (`api/events.svelte.ts`)

This document describes how the SvelteKit frontend consumes the gateway's SubscribeEvents server-streaming RPC. The single authenticated session keeps one stream open through the EventStream singleton declared in src/api/events.svelte.ts; the root layout starts it once the session reaches authenticated and stops it on sign-out.

Why a single consumer

The EventStream singleton consolidates what was previously a separate revocation watcher in lib/revocation-watcher.ts so that:

there is only one SubscribeEvents connection per session (avoids doubling the gateway hub load);
both clean end-of-stream on an authenticated session and an Unauthenticated ConnectError funnel through one session.signOut("revoked") call site;
per-event-type dispatch (turn-ready toasts, lobby/mail/battle notifications) shares the same verification path.

Lifecycle

SessionStore.status = "authenticated"
    ↓ (root layout $effect)
EventStream.start({ core, keypair, deviceSessionId, gatewayResponsePublicKey })
    ↓
loop: open SubscribeEvents → verify each frame → dispatch to handlers
    ↓
EventStream.stop()  (on logout, unmount, or session id change)

start is idempotent for the same session: re-calling while the stream is running is a no-op. The root layout detects a session id flip (re-login on the same tab) by storing the bound id and calling stop() + start() against the fresh credentials.

Frame handling

Every GatewayEvent is verified before dispatch:

core.verifyPayloadHash(payloadBytes, payloadHash) — the SHA-256 digest of payloadBytes must equal payloadHash. A mismatch is treated as a forgery.
core.verifyEvent(gatewayResponsePublicKey, signature, fields) — Ed25519 verification using the canonical signing input defined in ui/core/canon/event.go (mirrored by gateway/authn/event.go).
On success the verified projection (VerifiedEvent) is passed to every handler registered via eventStream.on(eventType, handler).

Any verification failure throws SignatureError, which falls into the same retry path as a transport error: the loop classifies it as transient, tears the stream down, and reconnects with full-jitter exponential backoff (base 1 s, ceiling 30 s, unbounded retries).

Connection status

EventStream.connectionStatus is a Svelte rune with five values:

idle — stream not running.
connecting — subscribeEvents() issued, no frame received yet.
connected — first frame verified and dispatched, attempt counter reset to zero.
reconnecting — transient failure, backoff in flight.
offline — navigator.onLine === false at the moment of failure.

The header connection-state indicator reads this rune; the rune is wired so a future change can add the indicator dot without touching this module.

Revocation semantics

Two paths lead to session.signOut("revoked"):

a ConnectError with code Unauthenticated: the gateway rejected the stream credentials (revoked device session);
a clean end-of-stream while session.status === "authenticated": the gateway's documented session_invalidation signal closes the stream once the device session flips to revoked.

Any other error (network drop, gateway 5xx, transient close, signature failure) keeps the session alive and triggers backoff + reconnect.

Adding a new event type

const off = eventStream.on("mail.received", (event) => {
    // parse event.payloadBytes
});
onDestroy(off);

If the handler reads scoped data (per-game, per-route), register from a layout that owns that scope and pass the gameId via a closure. The handler should filter events whose payload does not match its scope (see routes/games/[id]/+layout.svelte for the game.turn.ready filter).
The payload encoding is owned by the producer side: the game.turn.ready event uses JSON {game_id, turn}. Document the schema next to the producer (e.g. backend/README.md §10).

Tests

Unit (Vitest): tests/events.test.ts mocks the transport via createRouterTransport and covers verified dispatch, type filtering, bad-signature reconnect, Unauthenticated sign-out, clean end-of-stream sign-out, and connection-status transitions.
E2E (Playwright): tests/e2e/turn-ready.spec.ts serves a signed game.turn.ready frame through page.route, asserts the toast surfaces, and verifies manual dismiss without advance. The advance roundtrip (toast → click "view now" → fresh report) is covered by Vitest at the store level because it is sensitive to Playwright-side network ordering.

4.7 KiB Raw Blame History

UI events stream (api/events.svelte.ts)