chore: safe minor/patch dependency upgrades (Phase 0b)

Upgrades (all minor/patch, non-breaking):
- Tailwind CSS: 4.1.13 → 4.2.1, @tailwindcss/postcss: 4.1.13 → 4.2.1
- @tailwindcss/typography: 0.5.16 → 0.5.19
- tailwind-merge: 3.3.1 → 3.5.0
- 6 Radix UI packages (patch bumps)
- lucide-react: 0.544.0 → 0.576.0
- zod: 4.1.8 → 4.3.6
- react-hook-form: 7.62.0 → 7.71.2
- @hookform/resolvers: 5.2.1 → 5.2.2
- algoliasearch: 5.37.0 → 5.49.1
- instantsearch.js: 4.80.0 → 4.90.0
- react-instantsearch: 7.16.3 → 7.26.0
- react-instantsearch-nextjs: 1.0.2 → 1.1.0
- react-day-picker: 9.9.0 → 9.14.0
- feed: 5.1.0 → 5.2.0
- @marsidev/react-turnstile: 1.3.1 → 1.4.2

Includes prep-cleanup changes:
- Removed autoprefixer (not needed with Tailwind v4)
- Moved @tailwindcss/postcss to devDependencies
- Added @supabase/ssr, @supabase/supabase-js
- Added @playwright/test
- Added pnpm override for @portabletext/sanity-bridge to fix sanity build

Reverted unsafe major bumps from prep branch:
- @portabletext/* (kept at v3/v4/v3, not v5/v6/v5)
- react-resizable-panels (kept at v3, not v4)
- react-syntax-highlighter (kept at v15, not v16)
- react-dropzone (kept at v14, not v15)
- recharts (kept at v2, not v3)

Fixed ESLint error in become-sponsor-popup.tsx (unescaped apostrophe)

Build: compilation ✓, type-check ✓, lint ✓
(Page data collection fails due to missing SANITY_API_READ_TOKEN - expected in CI)

Co-authored-by: pm <pm@miriad.systems>

Author: Miriad

.env.example

@@ -0,0 +1,68 @@
+# =============================================================================
+# codingcat.dev — Environment Variables
+# =============================================================================
+# Copy this file to .env.local and fill in the values.
+# See: https://nextjs.org/docs/app/building-your-application/configuring/environment-variables
+# Variables prefixed with NEXT_PUBLIC_ are exposed to the browser.
+# All other variables are server-only.
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Public (client-side) variables — NEXT_PUBLIC_*
+# -----------------------------------------------------------------------------
+
+# Sanity CMS — project configuration
+NEXT_PUBLIC_SANITY_PROJECT_ID=           # Sanity project ID (from sanity.io/manage)
+NEXT_PUBLIC_SANITY_DATASET=              # Sanity dataset name (e.g. "prod")
+NEXT_PUBLIC_SANITY_API_VERSION=          # Sanity API version date (e.g. "2024-01-01")
+
+# Site URLs
+NEXT_PUBLIC_BASE_URL=                    # Canonical base URL (e.g. "https://codingcat.dev")
+NEXT_PUBLIC_VERCEL_URL=                  # Vercel preview URL (auto-set by Vercel)
+
+# Algolia search — public keys
+NEXT_PUBLIC_ALGOLIA_APP_ID=              # Algolia application ID
+NEXT_PUBLIC_ALGOLIA_INDEX=               # Algolia index name
+
+# Analytics
+NEXT_PUBLIC_FB_PIXEL_ID=                 # Facebook Pixel tracking ID
+
+# Preview mode
+NEXT_PUBLIC_PREVIEW_TOKEN_SECRET=        # Secret token for Sanity preview mode
+
+# -----------------------------------------------------------------------------
+# Server-only variables
+# -----------------------------------------------------------------------------
+
+# Sanity CMS — API tokens
+SANITY_API_READ_TOKEN=                   # Sanity read token (viewer role)
+SANITY_API_WRITE_TOKEN=                  # Sanity write token (editor role)
+
+# Algolia search — admin keys
+PRIVATE_ALGOLIA_ADMIN_API_KEY=           # Algolia admin API key (server-side indexing)
+PRIVATE_ALGOLIA_WEBOOK_SECRET=           # Shared secret for Algolia webhook verification
+
+# Syndication
+PRIVATE_SYNDICATE_WEBOOK_SECRET=         # Shared secret for syndication webhook verification
+PRIVATE_DEVTO=                           # Dev.to API key (cross-posting)
+PRIVATE_HASHNODE=                        # Hashnode API key (cross-posting)
+
+# Cloudflare Turnstile (bot protection)
+CLOUDFLARE_TURNSTILE_SECRET_KEY=         # Turnstile server-side secret key
+
+# Cron / scheduled jobs
+CRON_SECRET=                             # Secret for authenticating cron job requests
+
+# YouTube integration
+YOUTUBE_API_KEY=                         # YouTube Data API v3 key
+YOUTUBE_CHANNEL_ID=                      # YouTube channel ID to fetch videos from
+
+# Vercel
+VERCEL_PROJECT_PRODUCTION_URL=           # Production URL (auto-set by Vercel)
+
+# -----------------------------------------------------------------------------
+# Supabase
+# -----------------------------------------------------------------------------
+NEXT_PUBLIC_SUPABASE_URL=                # Supabase project URL (e.g. "https://xxx.supabase.co")
+NEXT_PUBLIC_SUPABASE_ANON_KEY=           # Supabase anonymous/public key
+SUPABASE_SERVICE_ROLE_KEY=               # Supabase service role key (server-only, bypasses RLS)

.github/workflows/ci.yml

@@ -0,0 +1,87 @@
+name: CI
+
+on:
+  push:
+    branches: [dev]
+  pull_request:
+    branches: [dev]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODE_VERSION: "20"
+
+jobs:
+  ci:
+    name: Lint, Build & Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Type-check
+        run: pnpm exec tsc --noEmit
+
+      - name: Lint (Biome)
+        run: pnpm exec biome check .
+
+      - name: Build
+        run: pnpm build
+        env:
+          # Provide dummy values for build-time env vars so Next.js build succeeds
+          NEXT_PUBLIC_SANITY_PROJECT_ID: ${{ secrets.NEXT_PUBLIC_SANITY_PROJECT_ID }}
+          NEXT_PUBLIC_SANITY_DATASET: ${{ secrets.NEXT_PUBLIC_SANITY_DATASET }}
+          NEXT_PUBLIC_SANITY_API_VERSION: ${{ secrets.NEXT_PUBLIC_SANITY_API_VERSION }}
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
+          SANITY_API_READ_TOKEN: ${{ secrets.SANITY_API_READ_TOKEN }}
+
+      - name: Cache Playwright browsers
+        uses: actions/cache@v4
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+
+      - name: Install Playwright browsers
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
+        run: pnpm exec playwright install --with-deps chromium
+
+      - name: Install Playwright system deps
+        if: steps.playwright-cache.outputs.cache-hit == 'true'
+        run: pnpm exec playwright install-deps chromium
+
+      - name: Run Playwright tests
+        run: pnpm exec playwright test
+        env:
+          CI: true
+          PLAYWRIGHT_BASE_URL: http://localhost:3000
+          NEXT_PUBLIC_SANITY_PROJECT_ID: ${{ secrets.NEXT_PUBLIC_SANITY_PROJECT_ID }}
+          NEXT_PUBLIC_SANITY_DATASET: ${{ secrets.NEXT_PUBLIC_SANITY_DATASET }}
+          NEXT_PUBLIC_SANITY_API_VERSION: ${{ secrets.NEXT_PUBLIC_SANITY_API_VERSION }}
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v4
+        if: ${{ !cancelled() }}
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7

.gitignore

@@ -9,6 +9,10 @@
 
 # testing
 /coverage
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/
 
 # next.js
 /.next/

biome.json

@@ -36,10 +36,10 @@
 		"enabled": true
 	},
 	"files": {
-		"ignore": ["node_modules/**", "sanity/types.ts"]
+		"ignore": ["node_modules/**", "sanity/types.ts", "supabase/**", "playwright-report/**", "test-results/**"]
 	},
 	"javascript": {
-		"jsxRuntime": "reactClassic",
+		"jsxRuntime": "automatic",
 		"formatter": {
 			"trailingCommas": "all",
 			"semicolons": "always"

components.json

@@ -4,7 +4,6 @@
   "rsc": true,
   "tsx": true,
   "tailwind": {
-    "config": "tailwind.config.ts",
     "css": "app/globals.css",
     "baseColor": "neutral",
     "cssVariables": true,

components/become-sponsor-popup.tsx

@@ -33,7 +33,7 @@ export function BecomeSponsorPopup() {
           <AlertDialogTitle>Become a Sponsor!</AlertDialogTitle>
           <AlertDialogDescription>
             Enjoying the content? Help us keep it going by becoming a sponsor.
-            You'll get your brand in front of a large audience of developers.
+            You&apos;ll get your brand in front of a large audience of developers.
           </AlertDialogDescription>
         </AlertDialogHeader>
         <AlertDialogFooter>

e2e/smoke.spec.ts

@@ -0,0 +1,27 @@
+import { expect, test } from "@playwright/test";
+
+test.describe("Smoke tests", () => {
+	test("homepage renders", async ({ page }) => {
+		await page.goto("/");
+		await expect(page).toHaveTitle(/codingcat/i);
+		// Ensure the page has meaningful content (not a blank error page)
+		await expect(page.locator("body")).not.toBeEmpty();
+	});
+
+	test("/blog page renders", async ({ page }) => {
+		await page.goto("/blog");
+		// The blog page should have rendered content
+		await expect(page.locator("body")).not.toBeEmpty();
+		// Check for a heading or main content area
+		await expect(
+			page.locator("main, [role='main'], article, h1").first(),
+		).toBeVisible();
+	});
+
+	test("Sanity studio route exists", async ({ page }) => {
+		const response = await page.goto("/studio");
+		// The studio route should return a valid response (not 404)
+		expect(response).not.toBeNull();
+		expect(response!.status()).toBeLessThan(400);
+	});
+});

lib/supabase/client.ts

@@ -0,0 +1,21 @@
+import { createBrowserClient } from "@supabase/ssr";
+
+/**
+ * Creates a Supabase client for use in Client Components (browser).
+ *
+ * Usage:
+ *   import { createClient } from "@/lib/supabase/client";
+ *   const supabase = createClient();
+ */
+export function createClient() {
+	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+	const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+	if (!supabaseUrl || !supabaseAnonKey) {
+		throw new Error(
+			"Missing NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_ANON_KEY environment variables",
+		);
+	}
+
+	return createBrowserClient(supabaseUrl, supabaseAnonKey);
+}

lib/supabase/server.ts

@@ -0,0 +1,70 @@
+import { createServerClient } from "@supabase/ssr";
+import { cookies } from "next/headers";
+
+/**
+ * Creates a Supabase client for use in Server Components, Route Handlers,
+ * and Server Actions.
+ *
+ * Usage:
+ *   import { createClient } from "@/lib/supabase/server";
+ *   const supabase = await createClient();
+ */
+export async function createClient() {
+	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+	const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+	if (!supabaseUrl || !supabaseAnonKey) {
+		throw new Error(
+			"Missing NEXT_PUBLIC_SUPABASE_URL or NEXT_PUBLIC_SUPABASE_ANON_KEY environment variables",
+		);
+	}
+
+	const cookieStore = await cookies();
+
+	return createServerClient(supabaseUrl, supabaseAnonKey, {
+		cookies: {
+			getAll() {
+				return cookieStore.getAll();
+			},
+			setAll(cookiesToSet) {
+				try {
+					for (const { name, value, options } of cookiesToSet) {
+						cookieStore.set(name, value, options);
+					}
+				} catch {
+					// The `setAll` method was called from a Server Component.
+					// This can be ignored if you have middleware refreshing
+					// user sessions.
+				}
+			},
+		},
+	});
+}
+
+/**
+ * Creates a Supabase admin client using the service role key.
+ * WARNING: This bypasses Row Level Security — use only in trusted server contexts.
+ *
+ * Usage:
+ *   import { createAdminClient } from "@/lib/supabase/server";
+ *   const supabase = createAdminClient();
+ */
+export function createAdminClient() {
+	const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+	const supabaseServiceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
+
+	if (!supabaseUrl || !supabaseServiceRoleKey) {
+		throw new Error(
+			"Missing NEXT_PUBLIC_SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY environment variables",
+		);
+	}
+
+	// Import directly to avoid cookie overhead for admin operations
+	const { createClient } = require("@supabase/supabase-js");
+	return createClient(supabaseUrl, supabaseServiceRoleKey, {
+		auth: {
+			autoRefreshToken: false,
+			persistSession: false,
+		},
+	});
+}

next.config.ts

@@ -0,0 +1,16 @@
+import type { NextConfig } from "next";
+
+const nextConfig: NextConfig = {
+	images: {
+		remotePatterns: [
+			{
+				protocol: "https",
+				hostname: "**",
+				port: "",
+				pathname: "**",
+			},
+		],
+	},
+};
+
+export default nextConfig;