cd20ffb580
Five tests covering platform-wide guarantees: expired-token redirect, HttpOnly session cookie, bootstrap password not leaked into the DOM after login, missing-app slug fails gracefully, and an XSS-sink probe across the main authed routes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PiCloud Dashboard
SvelteKit SPA for the PiCloud control plane.
Stack
- SvelteKit 2 with
adapter-static(SPA fallback) - Svelte 5 (runes)
- TypeScript
- Vite
Scripts
npm install
npm run dev # vite dev server on :5173, proxies /api → PICLOUD_API
npm run build # static SPA bundle into ./build/
npm run check # svelte-check
npm run lint
npm run format
By default npm run dev proxies /api/* and /healthz to
http://127.0.0.1:18080. Override with PICLOUD_API=http://host:port npm run dev.
How it fits in
In production Caddy serves the contents of ./build/ as static files and
falls back to index.html for client-side routing. The dashboard only
talks to the control plane (/api/admin/* on the manager); data-plane
invocations go through /api/execute/* on the orchestrator and are not
issued from the dashboard directly during MVP.