feat: board live sync

.env.prod.example

@@ -0,0 +1,63 @@
+# Production environment template for docker-compose.prod.yml.
+# Copy to `.env.prod`, fill in every required value, and make sure
+# the real file never leaves your infrastructure.
+
+# --- Postgres ---------------------------------------------------------
+POSTGRES_USER=loomy
+POSTGRES_PASSWORD=change-me-to-a-strong-random-password
+POSTGRES_DB=loomy
+
+# --- Redis ------------------------------------------------------------
+REDIS_PASSWORD=change-me-to-another-strong-random-password
+
+# --- API --------------------------------------------------------------
+# >= 32 chars, generated with `openssl rand -hex 32` or similar.
+SECRET_KEY=replace-with-32-plus-char-random-secret
+# Public URLs (no trailing slash).
+FRONTEND_URL=https://app.example.com
+# Ports published on the host; adjust if you terminate TLS elsewhere.
+API_PORT=8000
+UI_PORT=80
+
+# Token lifetimes (defaults shown).
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+REFRESH_TOKEN_EXPIRE_DAYS=30
+
+# --- OAuth (optional) -------------------------------------------------
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_REDIRECT_URI=https://api.example.com/api/auth/github/callback
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_REDIRECT_URI=https://api.example.com/api/auth/google/callback
+
+# --- Email (required for password reset in production) ---------------
+# Set EMAIL_BACKEND=smtp and fill the rest to actually deliver mail.
+EMAIL_BACKEND=smtp
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASSWORD=
+SMTP_USE_TLS=true
+EMAIL_FROM_ADDRESS=no-reply@example.com
+EMAIL_FROM_NAME=Loomy
+
+# --- Object storage (required for user uploads) ---------------------
+# Point at any S3-compatible endpoint (AWS S3, MinIO, Backblaze B2, etc.).
+# Leave blank to disable user uploads (avatars, board logos, exports).
+S3_ENDPOINT_URL=
+S3_PUBLIC_ENDPOINT_URL=
+S3_REGION=us-east-1
+S3_ACCESS_KEY=
+S3_SECRET_KEY=
+S3_BUCKET=loomy-assets
+S3_FORCE_PATH_STYLE=true
+S3_PRESIGNED_URL_EXPIRE_SECONDS=3600
+
+# --- Frontend build --------------------------------------------------
+# Baked into the bundle at build time. Must be the public URL of the API.
+VITE_API_URL=https://api.example.com
+
+# --- Observability (optional) ----------------------------------------
+LOG_LEVEL=INFO
+SENTRY_DSN=

.github/workflows/api-ci.yml

@@ -35,4 +35,4 @@ jobs:
         run: uv run mypy .
 
       - name: Pytest
-        run: uv run pytest --tb=short -q || [ $? -eq 5 ]
+        run: uv run pytest --tb=short -q

.github/workflows/ui-ci.yml

@@ -38,5 +38,8 @@ jobs:
       - name: Format check
         run: npm run format:check
 
+      - name: Test
+        run: npm run test
+
       - name: Build
         run: npm run build

.gitignore

@@ -8,7 +8,9 @@ scripts/
 .cursor/
 .vscode/
 .claude/
+.agents/
 CLAUDE.md
+memory/
 .idea/
 *.sublime-*
 

api/app/.env.example

@@ -20,3 +20,18 @@ REDIS_URL=redis://localhost:6379/0
 
 # Frontend URL
 FRONTEND_URL=http://localhost:5173
+
+# Object storage (MinIO in dev). Leave blank to disable uploads entirely.
+# One bucket holds every app asset; keys are prefixed per kind:
+#   avatars/{user_id}/...            (user profile photos)
+#   boards/{board_id}/logo/...       (board logos, planned)
+#   boards/{board_id}/exports/...    (rendered exports, planned)
+#   templates/{slug}/thumbnail.png   (template previews, planned)
+S3_ENDPOINT_URL=http://localhost:9000
+S3_PUBLIC_ENDPOINT_URL=http://localhost:9000
+S3_REGION=us-east-1
+S3_ACCESS_KEY=minioadmin
+S3_SECRET_KEY=minioadmin
+S3_BUCKET=loomy-assets
+S3_FORCE_PATH_STYLE=true
+S3_PRESIGNED_URL_EXPIRE_SECONDS=3600

api/app/Dockerfile

@@ -1,18 +1,50 @@
-FROM python:3.12-slim
+# syntax=docker/dockerfile:1.7
+
+# --- Stage 1: dependencies + build -----------------------------------
+FROM python:3.12-slim AS builder
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    UV_LINK_MODE=copy
 
 WORKDIR /app
 
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
 
+# Install system build deps only for the build stage; they're not
+# copied into the runtime image.
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends build-essential \
+ && rm -rf /var/lib/apt/lists/*
+
 COPY pyproject.toml uv.lock ./
 RUN uv sync --frozen --no-dev --no-install-project
 
 COPY . .
-
 RUN uv sync --frozen --no-dev
 
-ENV PATH="/app/.venv/bin:$PATH"
+# --- Stage 2: lean runtime -------------------------------------------
+FROM python:3.12-slim AS runtime
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PATH="/app/.venv/bin:$PATH"
+
+# Non-root user so a broken process can't rewrite the image at runtime.
+RUN groupadd --system --gid 1001 loomy \
+ && useradd --system --uid 1001 --gid loomy --home /app loomy
+
+WORKDIR /app
+
+# Only copy what runtime needs — source + prebuilt venv.
+COPY --from=builder --chown=loomy:loomy /app /app
+
+USER loomy
 
 EXPOSE 8000
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD python -c "import urllib.request,sys;sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8000/health',timeout=3).status==200 else 1)" \
+      || exit 1
+
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

api/app/alembic/env.py

@@ -7,7 +7,14 @@
 
 from app.config import settings
 from app.db.base import Base
-from app.modules.boards.model import Board, BoardStar, BoardView  # noqa: F401 - metadata
+from app.modules.boards.model import (  # noqa: F401 - metadata
+    Board,
+    BoardComment,
+    BoardShareToken,
+    BoardStar,
+    BoardTemplate,
+    BoardView,
+)
 from app.modules.elements.model import Element  # noqa: F401 - metadata
 from app.modules.users.model import OAuthAccount, User  # noqa: F401 - metadata
 from app.modules.workspaces.model import (  # noqa: F401 - metadata