Developer Guide
This guide provides technical information for developers working with LeafLock, including API documentation, testing, scripts, and development workflows.
API Documentation
Section titled “API Documentation”Admin-only Swagger API documentation is available at:
- UI:
/api/v1/docs - Spec:
/api/v1/docs/openapi.json
All endpoints are documented in backend/docs/openapi.json.
Authentication
Section titled “Authentication”- Add a JWT bearer token (from
/auth/registeror/auth/login) - Access requires
adminrole
Testing Locally
Section titled “Testing Locally”- Bootstrap by setting
ADMIN_USER_IDS=<your-user-id>and restart backend - Open the UI and try the admin endpoints
Role-Based Access Control (RBAC)
Section titled “Role-Based Access Control (RBAC)”- admin: Full access to admin APIs and Swagger docs
- moderator: Reserved for future moderation actions
- auditor: Read-only reports in future
- user: Default role for every user
Roles are stored in tables roles and user_roles. Users also have a boolean is_admin for quick admin flag checking.
Admin APIs
Section titled “Admin APIs”| Method | Endpoint | Description |
|---|---|---|
GET | /api/v1/admin/health | Health check for admin |
PUT | /api/v1/admin/users/:id/admin | Toggle admin status |
GET | /api/v1/admin/roles | List all roles |
GET | /api/v1/admin/users/:id/roles | Get user roles |
POST | /api/v1/admin/users/:id/roles | Add role to user |
DELETE | /api/v1/admin/users/:id/roles/:role | Remove role from user |
All admin endpoints require JWT and admin role.
Local Bootstrap
Section titled “Local Bootstrap”- Temporary allowlist via env var:
ADMIN_USER_IDS=uuid1,uuid2 - Use it to grant first admin, then set
is_adminvia API
Rate Limiting
Section titled “Rate Limiting”Registration Rate Limiting
Section titled “Registration Rate Limiting”To reduce abuse in non-local environments, the registration endpoint is rate-limited.
- Endpoint:
POST /api/v1/auth/register - Limit: 5 requests per minute per IP
- Enabled when:
APP_ENVis notdevelopmentorlocal
Configuration
Section titled “Configuration”APP_ENV=productionenables limitingAPP_ENV=developmentdisables limiting for local dev- General app rate limiting (100/min/IP) still applies globally
Scripts and Automation
Section titled “Scripts and Automation”Use ./leaflock.sh for common tasks:
./leaflock.sh help./leaflock.sh icons # regenerate icons./leaflock.sh railway # bootstrap Railway backend+frontend./leaflock.sh docker:up # compose up -d --build./leaflock.sh docker:down./leaflock.sh docker:build./leaflock.sh k8s:deploy # wrapper for deploy-k8s.sh./leaflock.sh health # wrapper for health-check.sh./leaflock.sh troubleshoot # wrapper for troubleshoot.sh./leaflock.sh test # wrapper for test-automation.shSpecialized Scripts
Section titled “Specialized Scripts”Advanced scripts for CI or specific workflows:
deploy-k8s.sh,deploy.sh,deploy-docker.sh,deploy-from-ghcr.shsetup-docker.sh,setup-podman.sh,podman-kube-play.shhealth-check.sh,troubleshoot.sh,test-automation.shenv-setup.sh,dev-setup.sh,dev-watch.sh,init-ssl*.sh
Icons and Assets
Section titled “Icons and Assets”LeafLock ships with a full set of favicons and PWA icons generated from the LeafLock motif.
Assets Included
Section titled “Assets Included”favicon.svg(scalable primary icon)favicon.ico(multi-image 16/32/48)favicon-16.png,favicon-32.png,favicon-48.png,favicon-64.pngapple-touch-icon.png(180×180)icon-192.png,icon-512.pngicon-192-maskable.png,icon-512-maskable.png(safe padding for maskable PWAs)
Regenerating Icons
Section titled “Regenerating Icons”If you customize branding:
node scripts/generate-icons.mjsHTML Reference
Section titled “HTML Reference”For single reference in HTML:
<link rel="icon" type="image/svg+xml" href="/favicon.svg" />Testing and CI/CD
Section titled “Testing and CI/CD”E2E Verification Workflow
Section titled “E2E Verification Workflow”Located at .github/workflows/e2e-verify.yml
What it does:
- Runs frontend lint, typecheck, tests
- Builds and starts Postgres, Redis, backend, frontend via
docker compose - Waits for readiness and tests API flow (register + list notes)
- Smoke tests frontend (index + asset)
- Runs backend tests with coverage gate
- Verifies Swagger access with
ADMIN_USER_IDSfallback, then via RBAC grant
Admin panel in E2E:
- Sets
VITE_ENABLE_ADMIN_PANEL=trueso the UI contains the Admin section
Performance Optimization
Section titled “Performance Optimization”LeafLock includes built-in startup performance optimizations for containerized deployments:
Health Check Endpoints
Section titled “Health Check Endpoints”/api/v1/health/live: Basic liveness check (3-5 seconds)/api/v1/health/ready: Full readiness check (15-30 seconds)
Environment Variables (All have optimal defaults)
Section titled “Environment Variables (All have optimal defaults)”# These are enabled by default - no configuration neededLAZY_INIT_ADMIN=true # Admin user creation runs in backgroundASYNC_TEMPLATE_SEED=true # Template seeding runs in backgroundSKIP_MIGRATION_CHECK=false # Always run database migrationsPerformance Improvements
Section titled “Performance Improvements”- Startup time: Reduced from 90+ seconds to 15-30 seconds
- Async initialization: Non-critical operations run in background
- Progressive health checks: Fast container health detection
- Optimized connection pools: Faster database and Redis connections
Development Setup
Section titled “Development Setup”Refer to the main CLAUDE.md file in the repository root for:
- Environment setup
- Development commands
- Container operations
- Technology stack details
- Required environment variables
Contributing
Section titled “Contributing”When contributing to LeafLock:
- Follow the existing code style and patterns
- Update relevant documentation
- Add tests for new features
- Update API documentation if adding new endpoints
- Test admin functionality if making admin-related changes
Contact
Section titled “Contact”For technical questions, contact contact@leaflock.app.