Private MVP for cognitive training, Brain ID identity, adaptive analytics, and real-time duel mechanics.
Current status: MVP / technical stabilization.
The main engineering priority is production risk reduction: boot recovery, storage contracts, privacy-safe identity, API consistency, test coverage, and deploy reproducibility come before new product features.
Tracking roadmap: #10
- React + Vite + TypeScript
- Tailwind CSS + Motion (motion/react)
- Express + Socket.io
- Prisma + PostgreSQL
- Vitest + Playwright
- JS analytics worker with a WASM-ready boundary for future hot paths
- Node.js 22
- pnpm 10.22.0
- PostgreSQL 15+
The canonical package manager is pnpm. Do not use npm or yarn lockfiles.
Install dependencies:
pnpm install
Create a local environment file:
cp .env.example .env
Start PostgreSQL with Docker Compose:
docker compose up -d db
Run Prisma setup:
pnpm prisma generate
pnpm prisma db push
Start the full-stack dev server:
pnpm dev
Default local URL: http://localhost:3006
See .env.example for the full list. Required for normal local work:
- DATABASE_URL
- JWT_SECRET
- PORT=3006
- APP_URL=http://localhost:3006
- FRONTEND_URL=http://localhost:3006
- CORS_ORIGIN=http://localhost:3006
- CORS_ALLOW_DEV_WILDCARD=false
CORS_ORIGIN accepts a comma-separated allowlist shared by Express and Socket.io. Wildcard CORS requires CORS_ORIGIN=* plus CORS_ALLOW_DEV_WILDCARD=true and is accepted only in development/test; production without an allowlist fails closed for browser cross-origin requests and logs a startup warning.
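One way the CORS_ORIGIN rules above could be resolved into a single policy shared by Express and Socket.io. This is an added example, not code from the repository; the function and type names, the use of NODE_ENV to detect development/test, and treating an unset NODE_ENV as production are assumptions.

```typescript
// Added example: hypothetical names, not the repository's actual implementation.
type CorsEnv = { NODE_ENV?: string; CORS_ORIGIN?: string; CORS_ALLOW_DEV_WILDCARD?: string };

interface CorsPolicy {
  mode: "allowlist" | "wildcard" | "closed";
  origins: string[];
  warnings: string[]; // meant to be logged once at startup
}

// An Origin is scheme://host[:port] with no path, query or fragment.
const ORIGIN_RE = /^https?:\/\/[^\/\s?#]+$/i;

function resolveCorsPolicy(env: CorsEnv): CorsPolicy {
  // Assumption: an unset NODE_ENV is treated as production (the stricter case).
  const nodeEnv = env.NODE_ENV ?? "production";
  const isDevOrTest = nodeEnv === "development" || nodeEnv === "test";
  const entries = (env.CORS_ORIGIN ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  const warnings: string[] = [];
  const origins: string[] = [];

  for (const entry of entries) {
    if (entry === "*") continue; // the wildcard is decided separately below
    // Browsers never send a trailing slash in Origin, so drop one if configured.
    const candidate = entry.replace(/\/$/, "").toLowerCase();
    if (ORIGIN_RE.test(candidate)) origins.push(candidate);
    else warnings.push(`ignoring malformed CORS_ORIGIN entry: ${entry}`);
  }

  if (entries.includes("*")) {
    if (isDevOrTest && env.CORS_ALLOW_DEV_WILDCARD === "true") {
      return { mode: "wildcard", origins, warnings };
    }
    warnings.push("CORS_ORIGIN=* ignored: needs CORS_ALLOW_DEV_WILDCARD=true in development/test");
  }
  if (origins.length === 0) {
    warnings.push("no CORS allowlist configured: cross-origin browser requests will be refused");
    return { mode: "closed", origins, warnings };
  }
  return { mode: "allowlist", origins, warnings };
}

// Call this from both the Express and the Socket.io origin checks so they cannot drift apart.
function isOriginAllowed(policy: CorsPolicy, origin: string | undefined): boolean {
  if (origin === undefined) return true; // no Origin header: not a cross-origin browser request
  if (policy.mode === "wildcard") return true;
  return policy.origins.includes(origin.toLowerCase());
}
```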
Optional integrations include Telegram, SMTP, and legacy email channels. Public auth is Brain ID-first; legacy email features must remain explicitly gated.
Never commit real secrets, tokens, raw Brain IDs, production telemetry, or user data.
- pnpm dev - start the Express/Vite development server
- pnpm start - start the Express server
- pnpm lint - generate Prisma client and run TypeScript checks
- pnpm test - run the Vitest suite
- pnpm validate - run the core validation suite
- pnpm build - generate Prisma client and build the frontend
- pnpm test:e2e - run Playwright E2E tests and let Playwright manage its production-style webServer
- pnpm test:e2e:attached - run Playwright against an already running local server; defaults to http://127.0.0.1:3006 and is useful on Windows/proxy environments
- pnpm clean - remove only the local dist directory through a cross-platform Node helper
Before opening or merging a production-risk change, run:
pnpm lint
pnpm test
pnpm build
For navigation or post-game flow work, run:
pnpm test:e2e
If local Playwright webServer readiness is affected by a desktop proxy, start the app separately and use the attached mode:
pnpm dev
pnpm test:e2e:attached
The attached mode sets NO_PROXY for localhost and uses BASE_URL if you need a non-default URL.
Known non-blocking local warnings currently include Recharts zero-size container warnings in jsdom and React act(...) warnings in existing dashboard tests. Treat new failures as blockers.
- Canonical port: 3006.
- Public feedback submissions use the Prisma-backed /api/feedback route as the runtime source of truth; operator verification is documented in docs/feedback-operations.md.
- Public identity is Brain ID-first; do not expose raw Brain ID, email, token, or password hashes in UI/API responses.
- Brain ID storage/recovery boundaries are defined in docs/brain-id-identity.md.
- PWA/offline-first must remain disabled until docs/pwa-offline-strategy.md acceptance gates are met.
- Rust/WASM and 60 FPS work must pass the frame-budget gate in docs/frame-budget-benchmark.md before implementation.
- Client analytics ClickEvent uses { cellId, reactionTimeMs }.
- Direct production file patches are forbidden outside documented emergency hotfixes.
Normal deploy flow:
local branch -> commit -> push -> PR -> merge to main -> GitHub Actions deploy
The server should update through the repository-first flow. Do not edit /opt/kognitika/* or /opt/kognitika/dist/* directly during normal work.
Production health check:
curl https://kognitika.syntog.ru/api/health
The response includes buildId, which should match the deployed commit short hash. The deploy workflow reads the internal health-check port from the server .env PORT value and falls back to 3006, so production-only port overrides do not break deploy verification.
GitHub Actions run:
- TypeScript lint
- Vitest tests
- build
- Playwright E2E
- deploy to the production server on main
Build and run app + database:
docker compose up --build
The app container exposes 3006:3006; PostgreSQL exposes 5432:5432.
Use clear title prefixes:
- [P0] production outage, active security risk, or data-loss risk
- [P1] high-priority stabilization or privacy/security hardening
- [P2] medium-priority cleanup, docs, or contract hygiene
- [P3] strategic horizon
Preferred labels:
- area:boot
- area:security
- area:privacy
- area:identity
- area:storage
- area:api
- area:infra
- area:docs
Private repository. License is not defined for public distribution.