refactor: Update docker images

[NotGhoull]

TO-DO list

• Update server docker image
• Update frontend docker image
• Create github workflow to automatically update & release the images

---

• Expose BetterAuth trusted origin to environment
• Expose Client PUBLIC_SERVER_URL to environment
• Automatically update the database

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Chores

• Updated Dockerfiles for more consistent builds, improved ownership handling, and explicit base image versions.
• Refined package dependencies and versions across server, web, and UI packages.
• Enhanced .dockerignore and .gitignore for better exclusion of build and log files.
• Updated configuration files for improved build and deployment workflows.

New Features

• Automatic database migrations and realtime publication setup now run on server startup.
• Introduced an initial baseline database schema with core tables and relationships.

Bug Fixes

• Removed duplicate CSS class from the server creation popup.

Refactor

• Switched web app to a newer SvelteKit Bun adapter.
• Adjusted build commands and environment variable handling for clarity and reliability.

Documentation

• Minor formatting improvement in the README.

Summary by CodeRabbit

• Chores
  • Updated Dockerfiles to use a specific Bun version and improved build instructions for reliability and clarity.
  • Refined package dependencies and moved packages between dependencies and devDependencies for better project organisation.
  • Updated package versions for improved stability and compatibility.
  • Enhanced .dockerignore and .gitignore to exclude additional files and directories.
  • Switched SvelteKit adapter to a newer version and updated related configuration.
• Style
  • Removed a duplicated CSS class in the server creation popup component.
• Features
  • Added initial database schema migration including tables, constraints, and indexes.
  • Introduced migration runner and realtime publication setup in server database code.
  • Integrated migration execution into server startup sequence.
• Configuration
  • Added dependency ordering in turbo.json compile task.

Walkthrough

The changes update Dockerfiles to use a specific Bun version, refine build and install steps, and adjust file ownership and commands. Package dependencies are reorganised and updated across several package.json files. Build configuration is improved in turbo.json, and ignore files are updated. A new initial database schema migration is added along with migration and realtime setup functions. The server startup now runs migrations before serving. Minor Svelte component and config tweaks are included.

Changes

File(s)	Change Summary
apps/server/Dockerfile, apps/web/Dockerfile	Use specific Bun version (1.2.18-alpine), update build/install steps, adjust commands, set file ownership.
apps/server/package.json, apps/web/package.json, packages/ui/package.json	Reorganise dependencies and devDependencies, update package versions, add/remove packages as needed.
turbo.json	Add "dependsOn": ["^build"] to the "compile" task to enforce build order.
.dockerignore, .gitignore	Add patterns to exclude Dockerfile* and logs from build context and version control, respectively.
apps/web/src/components/Servers/CreateServerPopup.svelte	Remove duplicated p-0 class from a component's class attribute.
apps/web/svelte.config.js	Change SvelteKit adapter import to svelte-adapter-bun-next.
apps/web/vite.config.ts	Add empty build object to Vite config; minor formatting.
apps/server/src/db/migrations/20250715152007_inital_baseline_schema.sql	Add initial baseline database schema with tables, constraints, indexes, and row-level security on message.
apps/server/src/db/migrations/meta/20250715152007_snapshot.json	Add database schema snapshot for migration version 7 defining tables and constraints.
apps/server/src/db/migrations/meta/_journal.json	Add migration journal tracking the initial baseline schema migration.
apps/server/src/db/index.ts	Add runMigrations function to run migrations and setup realtime publication; integrate error handling.
apps/server/src/index.ts	Import and call runMigrations() during server startup before app instantiation.

Sequence Diagram(s)

sequenceDiagram
    participant Server as Server Startup
    participant DB as Database
    participant Migrator as Migration Runner

    Server->>DB: Validate environment variables
    Server->>Migrator: runMigrations()
    Migrator->>DB: Run migrations
    Migrator->>DB: Check and create realtime publication function
    Migrator->>DB: Add tables to realtime publication if needed
    Migrator-->>Server: Migration complete
    Server->>Server: Instantiate and start app

Loading

sequenceDiagram
    participant Turbo as turbo.json
    participant Build as build task
    participant Compile as compile task

    Turbo->>Compile: Start compile task
    Compile->>Build: Wait for build task (due to dependsOn)
    Build-->>Compile: build task completes
    Compile->>Compile: Run compile steps

Loading

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 99a3d59 and 38f4993.

📒 Files selected for processing (8)

• README.md (0 hunks)
• apps/server/Dockerfile (1 hunks)
• apps/server/drizzle.config.ts (1 hunks)
• apps/server/src/db/index.ts (1 hunks)
• apps/server/src/db/migrations/20250715152007_inital_baseline_schema.sql (1 hunks)
• apps/server/src/db/migrations/meta/20250715152007_snapshot.json (1 hunks)
• apps/server/src/db/migrations/meta/_journal.json (1 hunks)
• apps/server/src/index.ts (2 hunks)

💤 Files with no reviewable changes (1)

• README.md

🚧 Files skipped from review as they are similar to previous changes (7)

• apps/server/drizzle.config.ts
• apps/server/src/db/migrations/meta/_journal.json
• apps/server/Dockerfile
• apps/server/src/db/index.ts
• apps/server/src/db/migrations/meta/20250715152007_snapshot.json
• apps/server/src/db/migrations/20250715152007_inital_baseline_schema.sql
• apps/server/src/index.ts

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

turbo.json (1)

37-38: compile likely also needs the local build task

dependsOn: ["^build"] guarantees that up-stream packages are built, but not the current package.
If the server’s compile step relies on artefacts generated by its own build (e.g. type-checked JS output or generated Prisma/Drizzle files), missing that edge may introduce subtle cache-misses or CI failures.

-			"dependsOn": ["^build"]
+			"dependsOn": ["build", "^build"]

This keeps the intent while ensuring self-build always precedes compile.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70536f0 and 8ed54c6.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• apps/server/Dockerfile (1 hunks)
• apps/server/package.json (1 hunks)
• turbo.json (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

apps/server/package.json (1)

Learnt from: NotGhoull
PR: NotGhoull/spookcord#6
File: apps/web/src/components/Servers/CreateServerPopup.svelte:0-0
Timestamp: 2025-07-06T14:37:29.385Z
Learning: In the spookcord project, zod/v4 import paths work correctly, even though package.json may show different versions. The project uses zod/v4-mini for imports.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Potential runtime & build-time breakage by moving @spookcord/* to devDependencies

@spookcord/db-schema almost certainly ships runtime code (SQL helpers / Drizzle table objects). With this change it will no longer be installed inside the installer stage (bun install --production …), yet it will also not be present while Turbo runs build/compile inside that same stage because dev-deps are skipped.
Unless the whole server is statically bundled (and all references in compiled output tree-shaken), the binary or JS fallback will require() this package and crash at runtime.

Same concern for @spookcord/types if any value (not only types) is imported.

Please double-check that:

1. The server binary produced by bun build --compile really embeds these packages.
2. No dynamic import() / require() of the packages happens at runtime.

If either statement is false, move the packages back to dependencies.

---

🏁 Script executed:

#!/bin/bash
# Quick check: look for runtime imports of the schema package
rg --no-heading --trim -N $'import .*["@]spookcord/db-schema' apps/server/src

Length of output: 599

---

🏁 Script executed:

#!/bin/bash
# Locate Dockerfiles
fd Dockerfile
# Search for bun install commands
rg -n "bun install" -C2 .
# Search for bun build commands
rg -n "bun build" -C2 .

Length of output: 1586

---

Restore @spookcord/db-schema (and @spookcord/types, if used at runtime) to dependencies

The server’s Dockerfile does:
RUN bun install --production …
RUN bunx turbo compile

Since devDependencies aren’t installed in that stage, the bundler and runtime will be missing @spookcord/db-schema (imported throughout apps/server/src/*) and any non-pure-type exports from @spookcord/types. Please move them back to dependencies in apps/server/package.json to ensure they’re available both at compile time and runtime.

• apps/server/Dockerfile: line 22 uses bun install --production, skipping devDeps
• apps/server/src/…: multiple runtime import statements of @spookcord/db-schema
• apps/server/package.json: revert these from devDependencies → dependencies

--- a/apps/server/package.json
+++ b/apps/server/package.json
@@ -25,7 +25,7 @@
   "dependencies": {
-    "@spookcord/db-schema": "workspace:*",      ← restore here
-    "@spookcord/types": "workspace:*",          ← if any runtime imports
+    "@spookcord/db-schema": "workspace:*",
+    "@spookcord/types": "workspace:*",
     "@types/bun": "^1.2.13",
     "@types/jsonwebtoken": "^9.0.9",
   },
   "devDependencies": {
-    "@spookcord/db-schema": "workspace:*",
-    "@spookcord/types": "workspace:*",
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"@spookcord/db-schema": "workspace:*",
	"@spookcord/types": "workspace:*",
	"@types/bun": "^1.2.13",
	"@types/jsonwebtoken": "^9.0.9",
	--- a/apps/server/package.json
	+++ b/apps/server/package.json
	@@ -25,7 +25,9 @@
	"dependencies": {
	+ "@spookcord/db-schema": "workspace:*",
	+ "@spookcord/types": "workspace:*",
	"@types/bun": "^1.2.13",
	"@types/jsonwebtoken": "^9.0.9",
	},
	"devDependencies": {
	- "@spookcord/db-schema": "workspace:*",
	- "@spookcord/types": "workspace:*",
	}

🤖 Prompt for AI Agents

In apps/server/package.json around lines 28 to 31, move the packages
@spookcord/db-schema and @spookcord/types from devDependencies back to
dependencies. This ensures they are installed during the production bun install
step in the Dockerfile and available at both compile time and runtime. Update
the dependencies section accordingly and remove them from devDependencies.

[coderabbitai]

🛠️ Refactor suggestion

Dev-deps required during turbo compile will be missing

Inside the installer stage you first run:

RUN bun install --production --ignore-scripts --frozen-lockfile
RUN bunx turbo compile

Because --production drops devDependencies, any compile pipeline step that calls tsc, drizzle-kit generate, or similar tools from devDeps will fail. This risk increased after moving @spookcord/db-schema & friends to devDependencies.

Two safer options:

- RUN bun install --production --ignore-scripts --frozen-lockfile
- RUN bunx turbo compile
+ # Install *all* deps for the build, then prune afterwards
+ RUN bun install --ignore-scripts --frozen-lockfile
+ RUN bunx turbo compile
+ RUN bun prune --production   # remove devDeps before hand-off

or split compile into the earlier builder stage where full deps already exist.

🤖 Prompt for AI Agents

In apps/server/Dockerfile around lines 22 to 24, the use of `bun install
--production` removes devDependencies needed for the `turbo compile` step,
causing compile tools to fail. To fix this, move the `bunx turbo compile`
command to the earlier builder stage where all dependencies, including
devDependencies, are installed, or run `bun install` without the `--production`
flag before compiling to ensure devDependencies are present during compilation.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/web/Dockerfile (1)

25-25: Prefer bunx turbo run build to avoid the global install and pin the invoked Turbo version

bun install -g turbo installs Turbo globally and silently upgrades whenever the base image is rebuilt, which can break deterministic Docker builds. Invoking Turbo via bunx downloads (or re-uses) the exact version declared in your lock-file, keeps the global namespace clean, and removes one layer from the image.

-# Build the project
-RUN bun turbo run build
+# Build the project without relying on a global Turbo installation
+RUN bunx turbo run build

You can then drop the global install in the earlier layer:

-RUN bun install -g turbo typescript
+RUN bun install -g typescript

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8ed54c6 and 76d96fc.

⛔ Files ignored due to path filters (2)

• bun.lock is excluded by !**/*.lock
• packages/ui/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• apps/server/Dockerfile (1 hunks)
• apps/server/package.json (1 hunks)
• apps/web/Dockerfile (1 hunks)
• apps/web/package.json (1 hunks)
• package.json (1 hunks)
• packages/db-schema/package.json (1 hunks)
• packages/types/package.json (1 hunks)
• packages/ui/package.json (1 hunks)

✅ Files skipped from review due to trivial changes (3)

• package.json
• packages/ui/package.json
• apps/web/package.json

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/server/package.json
• apps/server/Dockerfile

🧰 Additional context used

🧠 Learnings (2)

packages/types/package.json (1)

Learnt from: NotGhoull
PR: NotGhoull/spookcord#6
File: apps/web/src/components/Servers/CreateServerPopup.svelte:0-0
Timestamp: 2025-07-06T14:37:29.385Z
Learning: In the spookcord project, zod/v4 import paths work correctly, even though package.json may show different versions. The project uses zod/v4-mini for imports.

packages/db-schema/package.json (1)

Learnt from: NotGhoull
PR: NotGhoull/spookcord#6
File: apps/web/src/components/Servers/CreateServerPopup.svelte:0-0
Timestamp: 2025-07-06T14:37:29.385Z
Learning: In the spookcord project, zod/v4 import paths work correctly, even though package.json may show different versions. The project uses zod/v4-mini for imports.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (4)

apps/web/Dockerfile (1)

22-24: Hard-coded PUBLIC_SERVER_URL risks leaking dev settings to production

ENV PUBLIC_SERVER_URL=localhost:3000 will be baked into every image, forcing consumers to override it explicitly in production and staging. Consider:

1. Replacing it with a build-time ARG that defaults to localhost:3000 but can be overridden by the CI pipeline.
2. Removing it entirely and documenting that the runtime orchestrator (Compose, Kubernetes, etc.) must provide the variable.

This avoids accidental misconfiguration when images are consumed outside local development.

packages/types/package.json (2)

33-35: Upgrade to zod v4 can introduce breaking API changes – verify all downstream usage

Jumping from v3 → v4 is a major bump; several helpers and coercion behaviours were renamed or removed. Run a full build & test sweep across every workspace and grep for deprecated patterns (z.*Type, z.union([…]).optional(), etc.) to avoid subtle runtime regressions.

---

36-36: Bun version pin added – ensure CI/Docker images install bun@1.2.18

The packageManager key only helps if all build surfaces (GitHub Actions, local dev containers, prod images) are aligned on the same Bun version. Confirm the updated Dockerfiles and workflow steps explicitly install bun 1.2.18.

packages/db-schema/package.json (1)

19-21: Consistency check: bun version pinning should be uniform repo-wide

Nice addition; just double-check that every other package.json (including the monorepo root) already contains packageManager": "bun@1.2.18" to prevent desynchronised lockfiles.

[NotGhoull]

dropped previous breaking commit

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

apps/server/src/db/index.ts (1)

40-41: The .exists check is necessary.

The comment questions whether .exists is needed. Yes, it is necessary as the query result contains a boolean field named exists from the PostgreSQL EXISTS clause.

Consider removing the comment to avoid confusion:

-		// Do we really need .exists?
 		const functionExists = functionExistsResult.rows[0]?.exists || false;

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c2e5a43 and 99a3d59.

📒 Files selected for processing (7)

• README.md (0 hunks)
• apps/server/drizzle.config.ts (1 hunks)
• apps/server/src/db/index.ts (1 hunks)
• apps/server/src/db/migrations/20250715152007_inital_baseline_schema.sql (1 hunks)
• apps/server/src/db/migrations/meta/20250715152007_snapshot.json (1 hunks)
• apps/server/src/db/migrations/meta/_journal.json (1 hunks)
• apps/server/src/index.ts (2 hunks)

💤 Files with no reviewable changes (1)

• README.md

✅ Files skipped from review due to trivial changes (3)

• apps/server/src/db/migrations/meta/_journal.json
• apps/server/src/db/migrations/meta/20250715152007_snapshot.json
• apps/server/src/db/migrations/20250715152007_inital_baseline_schema.sql

🧰 Additional context used

🧠 Learnings (1)

apps/server/src/index.ts (1)

Learnt from: NotGhoull
PR: NotGhoull/spookcord#6
File: apps/web/src/components/Servers/CreateServerPopup.svelte:0-0
Timestamp: 2025-07-06T14:37:29.385Z
Learning: In the spookcord project, zod/v4 import paths work correctly, even though package.json may show different versions. The project uses zod/v4-mini for imports.

🧬 Code Graph Analysis (1)

apps/server/src/index.ts (1)

apps/server/src/db/index.ts (1)

• runMigrations (11-25)

🔇 Additional comments (3)

apps/server/drizzle.config.ts (1)

21-21: Verify the implications of removing strict mode.

The removal of strict: true from the Drizzle configuration disables strict mode. This could potentially affect data validation and integrity checks during database operations.

Please confirm this change is intentional and verify that disabling strict mode won't compromise data integrity or validation requirements. Consider documenting the reasoning for this change.

apps/server/src/index.ts (1)

12-12: LGTM! Proper migration integration.

The migration setup is correctly placed after environment validation and before server initialisation. This ensures the database schema is up-to-date before the server starts handling requests.

Also applies to: 37-37

apps/server/src/db/index.ts (1)

46-60: Dynamic SQL function creation looks secure.

The implementation properly uses PostgreSQL's dollar-quoted strings and format function to prevent SQL injection. The function creation is well-structured with appropriate exception handling.

[coderabbitai]

⚠️ Potential issue

Fix typo in log message.

-					console.debug('[database] OK table aready exists');
+					console.debug('[database] OK table already exists');

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	console.debug('[database] OK table aready exists');
	console.debug('[database] OK table already exists');

🤖 Prompt for AI Agents

In apps/server/src/db/index.ts at line 88, there is a typo in the console.debug
log message: "aready" should be corrected to "already". Update the log message
to fix this spelling mistake.

[coderabbitai]

🛠️ Refactor suggestion

Consider using an absolute path for the migrations folder.

The relative path './src/db/migrations' could fail if the working directory changes. This might cause issues in different deployment environments.

Consider using an absolute path:

+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));

 export async function runMigrations() {
 	console.info('[database] Running migrations');
 	try {
-		await migrate(db, { migrationsFolder: './src/db/migrations' });
+		await migrate(db, { migrationsFolder: join(__dirname, 'migrations') });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	await migrate(db, { migrationsFolder: './src/db/migrations' });
	import { fileURLToPath } from 'url';
	import { dirname, join } from 'path';
	const __dirname = dirname(fileURLToPath(import.meta.url));
	export async function runMigrations() {
	console.info('[database] Running migrations');
	try {
	await migrate(db, { migrationsFolder: join(__dirname, 'migrations') });
	await checkRealtime(db);
	console.info('[database] Migrations completed');
	} catch (error) {
	console.error('[database] Migration failed', error);
	process.exit(1);
	}
	}

🤖 Prompt for AI Agents

In apps/server/src/db/index.ts at line 14, the migrations folder path is
currently relative, which can cause failures if the working directory changes.
Update the path to use an absolute path by resolving it with a method like
path.resolve or equivalent, ensuring it correctly points to the migrations
directory regardless of the working directory or deployment environment.