developer/galaxy-game
1
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
Files
915b4372dd0871014458dfa4e3b31893bbf7cc44
galaxy-game/tools/local-dev/keys/README.md
T
Ilia Denisov 69fa6b30e1 tools/local-dev: docker-compose stack for UI development 
Adds tools/local-dev/ with postgres + redis + mailpit + backend +
gateway plus a Make wrapper, so `make -C tools/local-dev up` brings
the full authenticated stack online and `pnpm -C ui/frontend dev`
talks to it directly. The committed `.env.development` already
points at the stack and pins the matching gateway response public
key from the dev keypair under tools/local-dev/keys/.

The backend ships a new opt-in env, BACKEND_AUTH_DEV_FIXED_CODE
(`tools/local-dev/.env` defaults it to 123456). When set,
ConfirmEmailCode accepts that literal in addition to the real
bcrypt-verified code; SendEmailCode still queues a real email so
Mailpit captures the issued code at http://localhost:8025/, and
both paths coexist. The override is rejected as non-six-digit by
config validation and emits a loud warning at backend startup.

The local-dev Dockerfiles mirror backend/Dockerfile and
gateway/Dockerfile but switch the runtime stage to alpine so
docker-compose healthchecks can wget /healthz; the gateway
Dockerfile additionally copies ui/core/ into the build context
because gateway/go.mod's `replace galaxy/core => ../ui/core` is
required to compile the gateway main.

Smoke tested:
- `make -C tools/local-dev up` boots all five services to healthy.
- send-email-code + confirm-email-code with code=123456 returns a
  device_session_id; a real code in Mailpit also redeems
  successfully.
- `pnpm test` 14/14, `pnpm exec playwright test` 44/44.
- `go test ./backend/internal/config/...` green.

Docs: tools/local-dev/README.md, tools/local-dev/keys/README.md,
new "Local development stack" section in ui/docs/testing.md, and a
short pointer in ui/README.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 09:42:29 +02:00

1.2 KiB
Raw Blame History

tools/local-dev/keys/

DEV-ONLY cryptographic material used by the tools/local-dev/ stack.

Never use any key in this directory in a non-local environment.

Files

  • gateway-response.pem — gateway response-signing private key, PKCS#8 PEM, Ed25519. Mounted into the gateway container at /run/secrets/gateway-response.pem and pointed to via GATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH.
  • gateway-response.pub — matching raw 32-byte public key, standard base64. Copied verbatim into ui/frontend/.env.development as VITE_GATEWAY_RESPONSE_PUBLIC_KEY.

Regenerating

The keypair is committed because it must be deterministic across developer checkouts (the UI's .env.development ships the exact base64 of the public half). Rotate only when a leak is suspected; the keys never reach a non-local environment in normal operation.

To regenerate from a Go one-shot:

cd tools/local-dev/keys
go run ./regenerate.go

The helper writes a fresh PEM, prints the matching public-key base64, and updates gateway-response.pub. After regeneration, copy the new VITE_GATEWAY_RESPONSE_PUBLIC_KEY value from gateway-response.pub into ui/frontend/.env.development and commit both changes together.

Reference in New Issue View Git Blame Copy Permalink