build(ui): drop sourcemaps from prod bundle #153
@@ -1055,6 +1055,13 @@ valid-code population). Brute-forcing a 6-digit friend code within these limits
|
||||
accepted MVP risk with low blast radius (an unwanted friendship is removable/blockable);
|
||||
a dedicated redeem sub-limit or a longer code is the hardening step if abuse appears.
|
||||
|
||||
**Client source exposure.** The production UI build ships **no sourcemaps**
|
||||
(`vite.config.ts` gates `build.sourcemap` off when `mode === 'production'`), so the gateway
|
||||
and landing images serve only minified JS and the full TypeScript/Svelte source is not
|
||||
recoverable from a served `.map` at the edge. Dev and the `mock` e2e build (`vite build
|
||||
--mode mock`) keep maps for debugging. This is surface reduction, not secrecy — the single
|
||||
minified bundle still carries all platform code paths and is reversible with effort.
|
||||
|
||||
## 13. Deployment (informational)
|
||||
|
||||
Single public origin, path-routed. The Vite build has two entries: a lightweight
|
||||
|
||||
+7
-1
@@ -34,7 +34,13 @@ export default defineConfig(({ mode }) => ({
|
||||
},
|
||||
build: {
|
||||
target: 'es2022',
|
||||
sourcemap: true,
|
||||
// Emit sourcemaps everywhere except the production build. A shipped `.map`
|
||||
// carries full `sourcesContent` — the entire TypeScript/Svelte source — and the
|
||||
// gateway/landing images serve `dist/` verbatim, so production maps would expose
|
||||
// the whole client source at the edge. Dev and the `mock` e2e build
|
||||
// (`vite build --mode mock`) keep maps for debugging; the production `vite build`
|
||||
// (the Docker image build) drops them.
|
||||
sourcemap: mode !== 'production',
|
||||
// Two entries: the game SPA (index.html, served at /app/ + /telegram/) and the
|
||||
// public landing page (landing.html, served at /). Assets are shared in dist/assets/, and
|
||||
// the relative base lets one build serve under any path.
|
||||
|
||||
Reference in New Issue
Block a user