feat(phase-1): add identity spine infrastructure

README.md

@@ -32,6 +32,25 @@ pnpm build       # Build all apps and packages
 pnpm emulators   # Start Firebase emulator suite
 ```
 
+## Citizen PWA env vars
+
+Set these in `apps/citizen-pwa/.env.local` for local development:
+
+- `VITE_FIREBASE_API_KEY`
+- `VITE_FIREBASE_AUTH_DOMAIN`
+- `VITE_FIREBASE_PROJECT_ID`
+- `VITE_FIREBASE_APP_ID`
+- `VITE_FIREBASE_MESSAGING_SENDER_ID`
+- `VITE_FIREBASE_STORAGE_BUCKET`
+- `VITE_FIREBASE_APP_CHECK_SITE_KEY`
+
+## Phase 1 verification
+
+- `pnpm test`
+- `pnpm --filter @bantayog/functions test:unit`
+- `pnpm --filter @bantayog/functions test:rules`
+- `pnpm lint && pnpm typecheck && pnpm build`
+
 ## Repository layout
 
 See `docs/superpowers/specs/2026-04-17-phase-0-design.md` §1 for the canonical layout.

apps/citizen-pwa/package.json

@@ -8,15 +8,19 @@
     "build": "tsc --noEmit && vite build",
     "preview": "vite preview",
     "lint": "eslint src",
-    "typecheck": "tsc --noEmit"
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run"
   },
   "dependencies": {
+    "@bantayog/shared-firebase": "workspace:*",
     "@bantayog/shared-types": "workspace:*",
     "@bantayog/shared-ui": "workspace:*",
     "react": "^19.2.5",
     "react-dom": "^19.2.5"
   },
   "devDependencies": {
+    "@testing-library/jest-dom": "^6.4.0",
+    "@testing-library/react": "^16.0.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.1",

apps/citizen-pwa/src/App.module.css

@@ -1,25 +1,60 @@
 @import '@bantayog/shared-ui/theme.css';
 
-.container {
+.page {
   min-height: 100vh;
-  display: flex;
-  flex-direction: column;
-  align-items: center;
-  justify-content: center;
+  display: grid;
+  place-items: center;
   padding: var(--space-8);
-  background: var(--color-bg);
-  color: var(--color-text);
-  font-family: var(--font-sans);
+  background:
+    radial-gradient(circle at top left, rgb(20 184 166 / 0.16), transparent 28rem),
+    linear-gradient(180deg, #031521 0%, #0a2230 100%);
 }
 
-.heading {
-  font-size: var(--font-size-lg);
-  color: var(--color-accent);
-  margin: 0 0 var(--space-2) 0;
+.panel {
+  width: min(48rem, 100%);
+  padding: var(--space-8);
+  border-radius: 1.5rem;
+  background: rgb(255 255 255 / 0.92);
+  color: #092033;
+  box-shadow: 0 24px 80px rgb(0 0 0 / 0.18);
+}
+
+.eyebrow {
+  margin: 0 0 var(--space-2);
+  text-transform: uppercase;
+  letter-spacing: 0.12em;
+  font-size: 0.75rem;
+  color: #0f766e;
 }
 
-.subheading {
-  font-size: var(--font-size-md);
-  color: var(--color-text-muted);
+.title {
   margin: 0;
+  font-size: clamp(2rem, 5vw, 3rem);
+}
+
+.summary {
+  margin: var(--space-3) 0 var(--space-6);
+  color: #345064;
+}
+
+.meta {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(10rem, 1fr));
+  gap: var(--space-4);
+}
+
+.feed {
+  margin-top: var(--space-6);
+  display: grid;
+  gap: var(--space-4);
+}
+
+.alert {
+  padding: var(--space-4);
+  border-radius: 1rem;
+  background: #ecfeff;
+}
+
+.error {
+  color: #b91c1c;
 }

apps/citizen-pwa/src/App.test.tsx

@@ -0,0 +1,41 @@
+import '@testing-library/jest-dom'
+import { describe, it, expect } from 'vitest'
+import { render, screen } from '@testing-library/react'
+import { vi } from 'vitest'
+import { App } from './App.js'
+
+vi.mock('./useCitizenShell.js', () => ({
+  useCitizenShell: () => ({
+    status: 'ready',
+    authState: 'signed-in',
+    appCheckState: 'active',
+    user: { uid: 'anon-123' },
+    minAppVersion: {
+      citizen: '0.1.0',
+      admin: '0.1.0',
+      responder: '0.1.0',
+      updatedAt: 1713350400000,
+    },
+    alerts: [
+      {
+        title: 'System online',
+        body: 'Citizen shell wired for Phase 1.',
+        severity: 'info',
+        publishedAt: 1713350400000,
+        publishedBy: 'phase-1-bootstrap',
+      },
+    ],
+    error: null,
+  }),
+}))
+
+describe('App', () => {
+  it('renders auth status, app version, and the hello-world alert feed', () => {
+    render(<App />)
+
+    expect(screen.getByText(/anon-123/)).toBeInTheDocument()
+    expect(screen.getByText(/System online/)).toBeInTheDocument()
+    expect(screen.getByText(/0.1.0/)).toBeInTheDocument()
+    expect(screen.getByText(/signed-in/)).toBeInTheDocument()
+  })
+})

apps/citizen-pwa/src/App.tsx

@@ -1,10 +1,56 @@
 import styles from './App.module.css'
+import { useCitizenShell } from './useCitizenShell.js'
 
 export function App() {
+  const state = useCitizenShell()
+
   return (
-    <main className={styles.container}>
-      <h1 className={styles.heading}>Bantayog Alert — Citizen</h1>
-      <p className={styles.subheading}>Phase 0 scaffolding. Reporting arrives in Phase 2.</p>
+    <main className={styles.page}>
+      <section className={styles.panel}>
+        <p className={styles.eyebrow}>Bantayog Alert</p>
+        <h1 className={styles.title}>Citizen Phase 1 shell</h1>
+        <p className={styles.summary}>
+          Pseudonymous sign-in, app health, and a hello-world alert feed.
+        </p>
+
+        <dl className={styles.meta}>
+          <div>
+            <dt>Status</dt>
+            <dd>{state.status}</dd>
+          </div>
+          <div>
+            <dt>Auth</dt>
+            <dd>{state.authState}</dd>
+          </div>
+          <div>
+            <dt>App Check</dt>
+            <dd>{state.appCheckState}</dd>
+          </div>
+          <div>
+            <dt>User UID</dt>
+            <dd>{state.user?.uid ?? 'unavailable'}</dd>
+          </div>
+          <div>
+            <dt>Minimum citizen version</dt>
+            <dd>{state.minAppVersion?.citizen ?? 'unavailable'}</dd>
+          </div>
+        </dl>
+
+        {state.error ? <p className={styles.error}>{state.error}</p> : null}
+
+        <div className={styles.feed}>
+          {state.alerts.map((alert) => (
+            <article
+              key={`${alert.publishedBy}-${String(alert.publishedAt)}`}
+              className={styles.alert}
+            >
+              <h2>{alert.title}</h2>
+              <p>{alert.body}</p>
+              <span>{alert.severity}</span>
+            </article>
+          ))}
+        </div>
+      </section>
     </main>
   )
 }

apps/citizen-pwa/src/useCitizenShell.ts

@@ -0,0 +1,137 @@
+import { useEffect, useState, useRef } from 'react'
+import {
+  createAppCheck,
+  createFirebaseWebApp,
+  ensurePseudonymousSignIn,
+  getFirebaseAuth,
+  getFirebaseDb,
+  parseFirebaseWebEnv,
+  subscribeAlerts,
+  subscribeMinAppVersion,
+} from '@bantayog/shared-firebase'
+import type { AlertDoc, MinAppVersionDoc } from '@bantayog/shared-types'
+
+interface ShellState {
+  status: 'booting' | 'ready' | 'error'
+  authState: 'signed-out' | 'signed-in'
+  appCheckState: 'pending' | 'active' | 'failed'
+  user: { uid: string } | null
+  minAppVersion: MinAppVersionDoc | null
+  alerts: AlertDoc[]
+  error: string | null
+}
+
+const initialState: ShellState = {
+  status: 'booting',
+  authState: 'signed-out',
+  appCheckState: 'pending',
+  user: null,
+  minAppVersion: null,
+  alerts: [],
+  error: null,
+}
+
+export function useCitizenShell(): ShellState {
+  const [state, setState] = useState<ShellState>(initialState)
+
+  // Guard against state updates on unmounted component
+  const unmountedRef = useRef(false)
+
+  // Cleanup ref holds unsubscribe functions; initialized as no-ops in case
+  // unmount happens before subscriptions are established (Firestore onSnapshot
+  // returns unsubscribe only after subscription is created)
+  const cleanupRef = useRef<{ stopAlerts: () => void; stopVersion: () => void }>({
+    // eslint-disable-next-line @typescript-eslint/no-empty-function
+    stopAlerts: () => {},
+    // eslint-disable-next-line @typescript-eslint/no-empty-function
+    stopVersion: () => {},
+  })
+
+  useEffect(() => {
+    unmountedRef.current = false
+
+    let env
+    let app
+    let db
+    let auth
+
+    try {
+      env = parseFirebaseWebEnv(import.meta.env)
+      app = createFirebaseWebApp(env)
+      db = getFirebaseDb(app)
+      auth = getFirebaseAuth(app)
+    } catch (error) {
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+      if (!unmountedRef.current) {
+        setState({
+          ...initialState,
+          status: 'error',
+          appCheckState: 'failed',
+          error: error instanceof Error ? error.message : 'Firebase initialization failed',
+        })
+      }
+      return
+    }
+
+    // Capture refs in local variables to avoid exhaustive-deps warning in cleanup
+    const unmounted = unmountedRef
+    const cleanup = cleanupRef
+
+    try {
+      createAppCheck(app, env)
+      if (!unmounted.current) {
+        setState((current) => ({ ...current, appCheckState: 'active' }))
+      }
+    } catch (error) {
+      if (!unmounted.current) {
+        setState((current) => ({
+          ...current,
+          appCheckState: 'failed',
+          error: error instanceof Error ? error.message : 'App Check initialization failed',
+        }))
+      }
+    }
+
+    void ensurePseudonymousSignIn(auth)
+      .then((user) => {
+        // Set auth state once immediately after sign-in
+        if (!unmounted.current) {
+          setState((current) => ({
+            ...current,
+            status: 'ready',
+            authState: 'signed-in',
+            user: { uid: user.uid },
+          }))
+        }
+
+        cleanup.current.stopVersion = subscribeMinAppVersion(db, (minAppVersion) => {
+          if (!unmounted.current) {
+            setState((current) => ({ ...current, minAppVersion }))
+          }
+        })
+
+        cleanup.current.stopAlerts = subscribeAlerts(db, (alerts) => {
+          if (!unmounted.current) {
+            setState((current) => ({ ...current, alerts }))
+          }
+        })
+      })
+      .catch((error: unknown) => {
+        if (!unmounted.current) {
+          setState((current) => ({
+            ...current,
+            status: 'error',
+            error: error instanceof Error ? error.message : 'Pseudonymous sign-in failed',
+          }))
+        }
+      })
+
+    return () => {
+      unmounted.current = true
+      cleanup.current.stopAlerts()
+      cleanup.current.stopVersion()
+    }
+  }, [])
+
+  return state
+}

apps/citizen-pwa/tsconfig.json

@@ -2,7 +2,7 @@
   "extends": "../../tsconfig.base.json",
   "compilerOptions": {
     "rootDir": "src",
-    "types": ["vite/client"],
+    "types": ["vite/client", "vitest/globals"],
     "noEmit": true
   },
   "include": ["src/**/*"]

apps/citizen-pwa/vitest.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from 'vitest/config'
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'happy-dom',
+    include: ['src/**/*.test.tsx'],
+    setupFiles: ['@testing-library/jest-dom/vitest'],
+  },
+})