CI/CD & Deployment
Status: Proposed Owner: @bilal @deen Last Updated: 2026-02-15
Infrastructure and deployment planning. Detailed configs and scripts live in the repo.
Pipeline Overview
PR → Lint + Type-Check → Unit Tests → Build → Security Scan → AI Code Review
→ DB Migrations → Deploy to Vercel → Smoke Tests → Live
Migrations run before the new build is deployed, and `vercel rollback` only swaps the application deployment, not the schema. Every migration therefore has to be additive and compatible with the previous release until the rollback window has closed.
Environment Strategy
| Environment | Database | Hosting | Status |
|---|---|---|---|
| Local | Supabase local (Docker) | localhost:3000 | Active |
| Production | Supabase Cloud | Vercel | Planned |
| Staging | Supabase Cloud (separate) | Vercel Preview | Future |
Branch Strategy
main → Production
├── staging → Staging (future)
└── feature/* → Development
└── claude/* → AI-generated branches
Local Development
Requires: Docker 24+, Node.js 20+, pnpm, Supabase CLI 1.150+.
```sh
supabase start             # Start local Supabase (first run downloads ~2GB)
pnpm install && pnpm dev   # Start Next.js
```
Local services: App (:3000), Supabase API (:54321), Studio (:54323), PostgreSQL (:54322), Inbucket (:54324).
Seed users (created only by the local seed, never in a cloud project): admin@test.local, landlord@test.local, staff@test.local, all with password password123.
Environment Variables
Required for Production
| Category | Variables |
|---|---|
| Core | DATABASE_URL, DIRECT_URL, NEXTAUTH_URL, NEXTAUTH_SECRET |
| Supabase | NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY |
| LLM | ANTHROPIC_API_KEY, OPENAI_API_KEY |
| Comms | TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_WHATSAPP_NUMBER, VOICE_WEBHOOK_SECRET, SENDGRID_API_KEY, SENDGRID_FROM_EMAIL |
| Optional | SENTRY_DSN, UPTIME_ROBOT_KEY, KIMI_API_KEY, GLM_API_KEY |
Only the two NEXT_PUBLIC_ variables are meant to reach the browser: Next.js inlines anything with that prefix into the client bundle. SUPABASE_SERVICE_ROLE_KEY (which bypasses row-level security) and the other secrets must keep their unprefixed names and be set only in Vercel's server-side environment.
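A pre-deploy gate for the variables in the table above, as an added TypeScript example (not the project's own code): it checks that every required name is present, that no server-only secret has been renamed under NEXT_PUBLIC_, that the anon key has not been filled with the service-role key, and that the local stub provider is not selected. The variable names come from the table; the function name `validateProductionEnv`, the 32-character minimum for NEXTAUTH_SECRET, the https requirement and the constructed sample values are assumptions made for this example.

```typescript
// Added example, not the project's own code: a pre-deploy gate for the
// production variables listed in the table. Names are the page's; grouping,
// minimum secret length and the extra checks are assumptions of this example.

type Env = Record<string, string | undefined>;

const REQUIRED: Record<string, string[]> = {
  Core: ["DATABASE_URL", "DIRECT_URL", "NEXTAUTH_URL", "NEXTAUTH_SECRET"],
  Supabase: [
    "NEXT_PUBLIC_SUPABASE_URL",
    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
    "SUPABASE_SERVICE_ROLE_KEY",
  ],
  LLM: ["ANTHROPIC_API_KEY", "OPENAI_API_KEY"],
  Comms: [
    "TWILIO_ACCOUNT_SID",
    "TWILIO_AUTH_TOKEN",
    "TWILIO_WHATSAPP_NUMBER",
    "VOICE_WEBHOOK_SECRET",
    "SENDGRID_API_KEY",
    "SENDGRID_FROM_EMAIL",
  ],
};

// Next.js inlines every variable whose name starts with NEXT_PUBLIC_ into the
// browser bundle, so these must never carry that prefix.
const SERVER_ONLY = [
  "SUPABASE_SERVICE_ROLE_KEY",
  "NEXTAUTH_SECRET",
  "TWILIO_AUTH_TOKEN",
  "VOICE_WEBHOOK_SECRET",
  "SENDGRID_API_KEY",
  "ANTHROPIC_API_KEY",
  "OPENAI_API_KEY",
];

export function validateProductionEnv(env: Env): string[] {
  const problems: string[] = [];

  for (const [category, names] of Object.entries(REQUIRED)) {
    for (const name of names) {
      const value = env[name];
      if (!value || value.trim() === "") {
        problems.push(`${category}: ${name} is missing`);
      }
    }
  }

  // A server secret renamed with the public prefix ships to every browser.
  for (const name of Object.keys(env)) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    const bare = name.slice("NEXT_PUBLIC_".length);
    if (SERVER_ONLY.includes(bare)) {
      problems.push(`${name}: server-only secret exposed under NEXT_PUBLIC_`);
    }
  }

  // Pasting the service-role key into the anon slot is the same exposure
  // under a different name, so the two values must differ.
  if (
    env.NEXT_PUBLIC_SUPABASE_ANON_KEY &&
    env.NEXT_PUBLIC_SUPABASE_ANON_KEY === env.SUPABASE_SERVICE_ROLE_KEY
  ) {
    problems.push("NEXT_PUBLIC_SUPABASE_ANON_KEY equals SUPABASE_SERVICE_ROLE_KEY");
  }

  // The local stub provider (Local Isolation section) must not reach production.
  if (env.LLM_PROVIDER === "stub") {
    problems.push("LLM_PROVIDER=stub is not allowed in production");
  }

  // Assumed policy for this example: session secret of at least 32 characters
  // and an auth callback URL served over TLS.
  if (env.NEXTAUTH_SECRET && env.NEXTAUTH_SECRET.length < 32) {
    problems.push("NEXTAUTH_SECRET is shorter than 32 characters");
  }
  if (env.NEXTAUTH_URL && !env.NEXTAUTH_URL.startsWith("https://")) {
    problems.push("NEXTAUTH_URL must use https:// in production");
  }

  return problems;
}

// Constructed sample values (placeholders, not real credentials) showing a clean run.
export const SAMPLE_GOOD_ENV: Env = {
  DATABASE_URL: "postgresql://app:pw@db.example.com:6543/postgres",
  DIRECT_URL: "postgresql://app:pw@db.example.com:5432/postgres",
  NEXTAUTH_URL: "https://app.example.com",
  NEXTAUTH_SECRET: "0123456789abcdef0123456789abcdef",
  NEXT_PUBLIC_SUPABASE_URL: "https://xyz.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "anon-key-placeholder",
  SUPABASE_SERVICE_ROLE_KEY: "service-role-placeholder",
  ANTHROPIC_API_KEY: "anthropic-placeholder",
  OPENAI_API_KEY: "openai-placeholder",
  TWILIO_ACCOUNT_SID: "ACxxxxxxxx",
  TWILIO_AUTH_TOKEN: "twilio-token-placeholder",
  TWILIO_WHATSAPP_NUMBER: "whatsapp:+15550000000",
  VOICE_WEBHOOK_SECRET: "voice-secret-placeholder",
  SENDGRID_API_KEY: "SG.placeholder",
  SENDGRID_FROM_EMAIL: "noreply@example.com",
};
```

Run it as the first step of the CD job with `process.env` and fail the deploy when the returned list is non-empty; the messages name the variable without echoing its value, so they are safe to print in CI logs.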
CI Pipeline (GitHub Actions)
| Step | Tool | Runs On |
|---|---|---|
| Lint + type-check | ESLint, tsc | Every PR |
| Unit tests | Vitest (42 tests) | Every PR |
| Build | Next.js | Every PR |
| Secret scanning | Trufflehog | Every PR |
| SAST | Semgrep | Every PR |
| Dependency audit | pnpm audit | Every PR |
| AI code review | CodeRabbit | PRs only |
CD Pipeline
| Step | Tool |
|---|---|
| Deploy | Vercel (auto on main push) |
| DB migrations | Supabase CLI (supabase db push) |
| Smoke tests | curl health + message endpoints |
| Rollback | vercel rollback (manual until the Phase 3 automation lands) |
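As an added TypeScript example (not the project's deploy scripts), here is the server half and the client half of the smoke-test step: a health body the Phase 1 health endpoint could return, and the gate that turns probe results into a live-or-rollback decision. The paths `/api/health` and `/api/messages/webhook`, the `commit` field, the 2 s latency budget and the expectation that an unsigned request to the message webhook is answered with 401 or 403 are assumptions of this example; the curl probes themselves stay in the CD job.

```typescript
// Added example, not the project's own code. Endpoint paths, field names, the
// latency budget and the unsigned-webhook expectation are assumptions.

export interface HealthBody {
  status: "ok" | "degraded";
  commit: string; // git SHA baked in at build time
  checks: Record<string, "ok" | "fail">;
}

// Build the health body from dependency pings. It reports names and pass/fail
// only: no connection strings, hostnames or error text that could leak config.
export async function buildHealthBody(
  commit: string,
  pings: Record<string, () => Promise<boolean>>,
): Promise<HealthBody> {
  const checks: Record<string, "ok" | "fail"> = {};
  for (const [name, ping] of Object.entries(pings)) {
    let ok = false;
    try {
      ok = await ping();
    } catch (e) {
      ok = false; // a throwing dependency is a failed check, not a 500
    }
    checks[name] = ok ? "ok" : "fail";
  }
  const status = Object.values(checks).every((c) => c === "ok") ? "ok" : "degraded";
  return { status, commit, checks };
}

export interface Probe {
  endpoint: string;
  httpStatus: number;
  latencyMs: number;
  body?: unknown; // parsed JSON, only for the health endpoint
}

export interface SmokeVerdict {
  action: "live" | "rollback";
  reasons: string[];
}

export function evaluateSmoke(
  probes: Probe[],
  expectedCommit: string,
  maxLatencyMs = 2000,
): SmokeVerdict {
  const reasons: string[] = [];
  const health = probes.find((p) => p.endpoint === "/api/health");
  const message = probes.find((p) => p.endpoint === "/api/messages/webhook");

  if (!health) {
    reasons.push("health endpoint not probed");
  } else {
    if (health.httpStatus !== 200) reasons.push(`health returned HTTP ${health.httpStatus}`);
    const body = health.body as Partial<HealthBody> | undefined;
    if (!body || body.status !== "ok") reasons.push("health status is not ok");
    // The production alias may still point at the previous deployment, or a
    // stale edge cache may answer; confirm the SHA we just pushed is serving.
    if (body?.commit !== expectedCommit) {
      reasons.push(`serving commit ${body?.commit ?? "unknown"}, expected ${expectedCommit}`);
    }
  }

  // An unsigned probe of the inbound message webhook must be rejected; a 200
  // here means signature verification is missing or misconfigured after deploy.
  if (!message) {
    reasons.push("message endpoint not probed");
  } else if (![401, 403].includes(message.httpStatus)) {
    reasons.push(`unsigned message request got HTTP ${message.httpStatus}, expected 401/403`);
  }

  for (const p of probes) {
    if (p.latencyMs > maxLatencyMs) reasons.push(`${p.endpoint} took ${p.latencyMs} ms`);
  }

  return { action: reasons.length === 0 ? "live" : "rollback", reasons };
}
```

The commit check is the part most often skipped: a smoke test that only looks for HTTP 200 passes against the previous deployment too, which is exactly the case where a rollback decision would be wrong.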
Security Tooling
| Tool | Purpose | Frequency |
|---|---|---|
| Trufflehog | Secret detection | Every PR |
| Semgrep | SAST / code analysis | Every PR |
| Trivy | Dependency scanning | Every PR |
| OWASP ZAP | DAST / web scanning | Weekly |
| pnpm audit | Dependency vulnerabilities | Every PR + Dependabot |
Local Isolation Strategy
External services are stubbed for local development:
| Component | Local | Production |
|---|---|---|
| PostgreSQL | Supabase local | Supabase Cloud |
| Auth | Supabase local (seeded users) | Supabase Auth |
| LLM | Stub provider (LLM_PROVIDER=stub) | Real API keys |
| Embeddings | Deterministic stub (content hashing) | OpenAI |
| Twilio | Test credentials (no send) | Real API |
| Email | Inbucket (port 54324) | SendGrid |
| Voice | Fixture payloads | VAPI/Retell |
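The LLM and Embeddings rows of the table describe a provider switch and a content-hash stub. The following added TypeScript example (not the project's code) shows one way to implement both so that the stub can never be selected in production and a real provider can never be selected without its keys. The variable names LLM_PROVIDER, NODE_ENV, OPENAI_API_KEY and ANTHROPIC_API_KEY are the page's; the function names, the 64-dimension default, the SHA-256 expansion and the fail-closed rules are assumptions made for this example.

```typescript
import { createHash } from "crypto";

// Added example, not the project's own code. Shows the local/production
// provider switch from the Local Isolation table and a deterministic
// content-hash embedding stub. Function names, the 64-dimension default and
// the fail-closed rules are assumptions of this example.

type Env = Record<string, string | undefined>;

export type ProviderChoice =
  | { kind: "stub" }
  | { kind: "real"; openaiKey: string; anthropicKey: string };

export function selectProvider(env: Env): ProviderChoice {
  const isProd = env.NODE_ENV === "production";
  if (env.LLM_PROVIDER === "stub") {
    // Fail closed: a stub in production would silently answer real tenants.
    if (isProd) throw new Error("LLM_PROVIDER=stub refused in production");
    return { kind: "stub" };
  }
  const openaiKey = env.OPENAI_API_KEY;
  const anthropicKey = env.ANTHROPIC_API_KEY;
  if (!openaiKey || !anthropicKey) {
    // No silent fallback to the stub: local developers opt in explicitly via
    // LLM_PROVIDER=stub (the .env.example default), production must have keys.
    throw new Error(
      "real provider selected but OPENAI_API_KEY/ANTHROPIC_API_KEY missing; set LLM_PROVIDER=stub for local work",
    );
  }
  return { kind: "real", openaiKey, anthropicKey };
}

// Deterministic embedding stub: SHA-256 of the content, expanded to `dim`
// floats in [-1, 1) and L2-normalised. Equal text always yields the identical
// vector, so vector-search code paths run in tests without calling OpenAI.
export function stubEmbedding(text: string, dim = 64): number[] {
  const out: number[] = [];
  for (let block = 0; out.length < dim; block++) {
    // A counter prefix gives 32 bytes per block until `dim` values are filled.
    const digest = createHash("sha256").update(`${block}\u0000${text}`).digest();
    for (let i = 0; i + 1 < digest.length && out.length < dim; i += 2) {
      out.push(digest.readUInt16BE(i) / 32768 - 1); // 0..65535 -> [-1, 1)
    }
  }
  const norm = Math.sqrt(out.reduce((s, x) => s + x * x, 0)) || 1;
  return out.map((x) => x / norm);
}

// Cosine similarity, the comparison the vector-search code would apply to
// stub and real embeddings alike.
export function cosine(a: number[], b: number[]): number {
  let dot = 0;
  let na = 0;
  let nb = 0;
  for (let i = 0; i < a.length; i++) {
    dot += a[i] * b[i];
    na += a[i] * a[i];
    nb += b[i] * b[i];
  }
  return dot / (Math.sqrt(na) * Math.sqrt(nb));
}
```

Because the stub is a hash, similar texts do not get similar vectors; that is fine for exercising storage, dimensions and query plumbing, but any test that asserts on ranking quality needs the real provider and belongs in the staging phase, not in the PR pipeline.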
Implementation Phases
Phase 0: Local Isolation — DONE (partial)
- Supabase local stack
- Seed auth users
- .env.example with local defaults
- LLM stub provider
- Embedding stub
- Webhook test fixtures
Phase 1: Foundation — IN PROGRESS
- Basic CI (lint + test on PR)
- Type-check + build in CI
- Vercel deployment
- Health check endpoint
Phase 2: Security — PLANNED
- Trufflehog
- Semgrep
- pnpm audit
- CodeRabbit AI review
Phase 3: Automation — PLANNED
- OWASP ZAP scheduled scans
- Slack notifications
- Rollback automation
Phase 4: Staging — FUTURE
- Staging Supabase project
- Staging environment config
- Data sync scripts