Priyanshu-byte-coder · Harsh-Codes-77 · May 17, 2026 · May 18, 2026 · May 16, 2026 · May 17, 2026
@@ -0,0 +1,49 @@
+name: E2E
+
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened]
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  playwright:
+    name: Playwright smoke tests
+    runs-on: ubuntu-latest
+    env:
+      NEXTAUTH_SECRET: playwright-placeholder-secret-that-is-long-enough
+      NEXTAUTH_URL: http://127.0.0.1:3000
+      NEXT_PUBLIC_APP_URL: http://127.0.0.1:3000
+      GITHUB_ID: playwright-github-id
+      GITHUB_SECRET: playwright-github-secret
+      NEXT_PUBLIC_SUPABASE_URL: https://placeholder.supabase.co
+      NEXT_PUBLIC_SUPABASE_ANON_KEY: placeholder-anon-key
+      SUPABASE_SERVICE_ROLE_KEY: placeholder-service-role-key
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install app dependencies
+        run: npm ci
+
+      - name: Install Playwright browsers
+        run: npx -y @playwright/test@1.49.1 install --with-deps chromium
+
+      - name: Run Playwright tests
+        run: npx -y @playwright/test@1.49.1 test
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7
@@ -123,6 +123,7 @@ NEXTAUTH_SECRET=run_openssl_rand_base64_32
 
 GITHUB_ID=your_client_id
 GITHUB_SECRET=your_client_secret
+GITHUB_WEBHOOK_SECRET=your_random_webhook_secret
 ```
 
 ### 5. Run
@@ -133,6 +134,17 @@ npm run dev
 
 Visit `http://localhost:3000`.
 
+### GitHub Webhook Refresh
+
+DevTrack can accept GitHub push webhooks at `/api/webhooks/github` to mark a user's metrics for refresh as soon as new commits land.
+
+1. Generate `GITHUB_WEBHOOK_SECRET` and add it to your deployment environment.
+2. In the GitHub repository, open **Settings -> Webhooks -> Add webhook**.
+3. Set the payload URL to `{NEXTAUTH_URL}/api/webhooks/github`.
+4. Set content type to `application/json`, paste the same secret, and select the **Push** event.
+
+Webhook requests are verified with GitHub's `X-Hub-Signature-256` HMAC header before DevTrack touches user metrics.
+
 ---
 
 ## Contributing

@@ -33,6 +33,38 @@ Out of scope:
 - Social engineering attacks
 - Rate limiting / denial of service on free-tier Vercel/Supabase
 
+## Row Level Security (RLS)
+
+DevTrack uses Supabase with Row Level Security enabled on all tables to ensure users can only access their own data.
+
+### Protected Tables
+
+| Table | RLS Enabled | Policies |
+|-------|-------------|----------|
+| `users` | ✅ | SELECT, UPDATE own row only |
+| `goals` | ✅ | SELECT, INSERT, UPDATE, DELETE own rows only |
+| `metric_snapshots` | ✅ | SELECT, INSERT, DELETE own rows only |
+
+### How It Works
+
+- All RLS policies use `auth.uid()` to match against the `id` or `user_id` column
+- Users can only read, write, or delete their **own** rows
+- `supabaseAdmin` (service role key) bypasses RLS automatically for trusted server-side operations — it is **never** exposed to the client
+- The anon key has no access to any table by default
+
+### Migration
+
+RLS policies are defined in:
+
 ## Disclosure Policy
 
 Once a fix is released, we will publish a summary in the [GitHub Security Advisories](https://github.com/Priyanshu-byte-coder/devtrack/security/advisories) page. Credit will be given to the reporter unless they prefer to remain anonymous.
+
+To apply locally:
+```bash
+supabase db push
+```
+
+### Security Principle
+
+All client-facing queries use the anon key with RLS enforcement. Server-side API routes use `supabaseAdmin` only when elevated privileges are required (e.g. creating a user on first login).
@@ -0,0 +1,21 @@
+import { expect, test } from "@playwright/test";
+
+test("landing page renders GitHub sign-in entrypoint", async ({ page }) => {
+  await page.goto("/");
+
+  await expect(page.getByRole("heading", { name: "DevTrack" })).toBeVisible();
+  await expect(
+    page.getByRole("link", { name: "Sign in with GitHub" }),
+  ).toHaveAttribute("href", /\/api\/auth\/signin\/github\?callbackUrl=\/dashboard/);
+  await expect(page.getByRole("link", { name: "View on GitHub" })).toHaveAttribute(
+    "href",
+    "https://github.com/Priyanshu-byte-coder/devtrack",
+  );
+});
+
+test("dashboard stays protected for unauthenticated users", async ({ page }) => {
+  await page.goto("/dashboard");
+
+  await expect(page).toHaveURL(/\/$/);
+  await expect(page.getByRole("link", { name: "Sign in with GitHub" })).toBeVisible();
+});
@@ -0,0 +1,13 @@
+import { expect, test } from "@playwright/test";
+
+test("public profile route renders without requiring authentication", async ({ page }) => {
+  await page.goto("/u/playwright-user");
+
+  await expect(page).toHaveURL(/\/u\/playwright-user$/);
+  await expect(
+    page.getByRole("heading", {
+      name: /(@playwright-user's Profile|Profile Not Found)/,
+    }),
+  ).toBeVisible();
+  await expect(page.getByRole("link", { name: "Sign in with GitHub" })).toHaveCount(0);
+});
@@ -13,6 +13,7 @@
     "@supabase/supabase-js": "^2.43.4",
     "clsx": "^2.1.1",
     "date-fns": "^3.6.0",
+    "html-to-image": "^1.11.13",
     "jspdf": "^4.2.1",
     "jspdf-autotable": "^5.0.7",
     "next": "^14.2.35",

@@ -3,6 +3,7 @@ import { authOptions } from "@/lib/auth";
 import { fetchIssuesMetrics } from "@/lib/github";
 
 export const dynamic = "force-dynamic";
+export const revalidate=300;
 
 export async function GET() {
   const session = await getServerSession(authOptions);

@@ -95,17 +95,18 @@ async function fetchJson<T>(url: string, token: string, accept?: string): Promis
 
 async function fetchSignalsForRepo(
   token: string,
-  repoFullName: string
+  repoFullName: string,
+  days: number
 ): Promise<RepoHealthSignals> {
-  const since30 = new Date();
-  since30.setDate(since30.getDate() - 30);
-  const since30Str = toDateStr(since30);
+  const since = new Date(Date.now() - days * 24 * 60 * 60 * 1000)
+    .toISOString()
+    .split("T")[0];
 
   // a) commit frequency in last 30 days (sampled to 100 via per_page=100)
   const commitSearch = await fetchJson<{
     items: unknown[];
   }>(
-    `${GITHUB_API}/search/commits?q=repo:${repoFullName}+committer-date:>${since30Str}&per_page=100&sort=committer-date&order=desc`,
+    `${GITHUB_API}/search/commits?q=repo:${repoFullName}+committer-date:>${since}&per_page=100&sort=committer-date&order=desc`,
     token,
     "application/vnd.github+json"
   );
@@ -116,14 +117,14 @@ async function fetchSignalsForRepo(
     total_count: number;
     items: Array<{ created_at: string; closed_at: string | null }>;
   }>(
-    `${GITHUB_API}/search/issues?q=repo:${repoFullName}+type:pr+created:>${since30Str}&per_page=100&sort=created&order=desc`,
+    `${GITHUB_API}/search/issues?q=repo:${repoFullName}+type:pr+created:>${since}&per_page=100&sort=created&order=desc`,
     token
   );
 
   const mergedPrs = await fetchJson<{
     total_count: number;
   }>(
-    `${GITHUB_API}/search/issues?q=repo:${repoFullName}+type:pr+is:merged+merged:>${since30Str}&per_page=100&sort=updated&order=desc`,
+    `${GITHUB_API}/search/issues?q=repo:${repoFullName}+type:pr+is:merged+merged:>${since}&per_page=100&sort=updated&order=desc`,
     token
   );
 
@@ -170,10 +171,16 @@ export async function GET(req: NextRequest) {
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
+  const requestedDays = parseInt(
+    req.nextUrl.searchParams.get("days") ?? "30", 10
+  );
+  const days = requestedDays === 7 || requestedDays === 30
+    || requestedDays === 90 ? requestedDays : 30;
+
   // 1) Determine top repos (top 6 by commit count).
   let topRepos: RepoSummary[] = [];
   try {
-    topRepos = (await fetchReposForAccount(session.accessToken, session.githubLogin, 30)).repos;
+    topRepos = (await fetchReposForAccount(session.accessToken, session.githubLogin, days)).repos;
   } catch {
     return Response.json({ error: "GitHub API error" }, { status: 502 });
   }
@@ -183,7 +190,7 @@ export async function GET(req: NextRequest) {
   // 2) Fetch per-repo signals sequentially to preserve rate limits.
   for (const repo of topRepos) {
     try {
-      const signals = await fetchSignalsForRepo(session.accessToken, repo.name);
+      const signals = await fetchSignalsForRepo(session.accessToken, repo.name, days);
       scores.push(computeHealthScore(repo.name, signals));
     } catch {
       // Skip repo on any failure.