marcel/mealprep
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

Frontend: App shell, navigation, routing, and design tokens #32

Merged
marcel merged 19 commits from feat/issue-16-design-system into master 2026-04-02 14:14:17 +02:00
Conversation 6 Commits 19 Files Changed 26 +717
marcel commented 2026-04-02 13:44:50 +02:00
Owner
Copy Link

Summary

  • Design system: Tailwind 4 @theme tokens (colors, spacing, radii, shadows, fonts) with completeness and WCAG AA contrast tests
  • App shell with three responsive nav layouts: MobileTabBar (fixed bottom, safe-area), TabletNavBar (horizontal pills), DesktopSidebar (224px sticky with logo, sections, variety widget slot)
  • CSS-only breakpoint switching — all nav variants in DOM, visibility via Tailwind media queries
  • Auth guard in hooks.server.ts validating session via GET /v1/auth/me, redirecting to /login
  • Route groups: (app) with AppShell + server data load, (public) with full-viewport split layout
  • Root / redirects to /planner; placeholder pages for all routes

Test plan

  • 70 unit tests passing (nav config, all 3 nav components, AppShell, auth guard)
  • npm run check — 0 errors, 0 warnings
  • Manual: verify mobile tab bar at <768px viewport
  • Manual: verify tablet pills at 768–1024px
  • Manual: verify desktop sidebar at >1024px
  • Manual: verify /login renders without nav chrome
  • Manual: verify unauthenticated request redirects to /login

Closes #16, closes #17

🤖 Generated with Claude Code

## Summary - Design system: Tailwind 4 `@theme` tokens (colors, spacing, radii, shadows, fonts) with completeness and WCAG AA contrast tests - App shell with three responsive nav layouts: MobileTabBar (fixed bottom, safe-area), TabletNavBar (horizontal pills), DesktopSidebar (224px sticky with logo, sections, variety widget slot) - CSS-only breakpoint switching — all nav variants in DOM, visibility via Tailwind media queries - Auth guard in `hooks.server.ts` validating session via `GET /v1/auth/me`, redirecting to `/login` - Route groups: `(app)` with AppShell + server data load, `(public)` with full-viewport split layout - Root `/` redirects to `/planner`; placeholder pages for all routes ## Test plan - [x] 70 unit tests passing (nav config, all 3 nav components, AppShell, auth guard) - [x] `npm run check` — 0 errors, 0 warnings - [ ] Manual: verify mobile tab bar at <768px viewport - [ ] Manual: verify tablet pills at 768–1024px - [ ] Manual: verify desktop sidebar at >1024px - [ ] Manual: verify `/login` renders without nav chrome - [ ] Manual: verify unauthenticated request redirects to `/login` Closes #16, closes #17 🤖 Generated with [Claude Code](https://claude.com/claude-code)
marcel added 7 commits 2026-04-02 13:44:50 +02:00
feat(nav): add shared navigation config with mobile and desktop items 7ae1f3dc18 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(nav): add MobileTabBar with active state and safe-area padding d3fa8991fe 
Fixed vitest resolve conditions to use browser entry for Svelte 5.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(nav): add TabletNavBar with horizontal pills and active state 8f33f469de 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(nav): add DesktopSidebar with logo, nav sections, and variety widget slot 56cfd137aa 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(nav): add AppShell layout with breakpoint-switched navigation cfe38c39aa 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(auth): add auth guard in hooks.server.ts with session validation 7a17873046 
Validates session cookie via GET /v1/auth/me, populates event.locals
with benutzer and haushalt, redirects to /login if unauthenticated.
Public routes (/login, /register, /invite) bypass auth.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(shell): add route groups, layout server load, redirect, and placeholder pages 9626bde694 
- (app) group with AppShell layout, loads user/household from locals
- (public) group with full-viewport split layout, /login placeholder
- Root / redirects to /planner for authenticated users
- Placeholder stubs for planner, recipes, shopping, settings, members

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
marcel commented 2026-04-02 13:45:55 +02:00
Author
Owner
Copy Link

👨‍💻 Kai — Frontend Engineer

Verdict: ⚠️ Approved with concerns

Blockers

None.

Concerns

  1. resolve: { conditions: ['browser'] } at the top level of vite.config.ts — This applies the browser condition globally, not just to tests. This could affect SSR builds by forcing browser-only exports for all dependencies during vite build. Safer to scope it under test.resolve.conditions or use test.alias to remap only svelte to its client entry. Worth verifying with npm run build that SSR still works.

  2. $page mock uses require() syntax — All four component test files mock $app/stores with const { readable } = require('svelte/store'). This is CJS in an ESM project. It works because vitest hoists vi.mock() calls, but it's fragile. Prefer dynamic import():

    vi.mock('$app/stores', async () => {
  const { readable } = await import('svelte/store');
  return { page: readable({ url: new URL('http://localhost/planner') }) };
});

  3. Active route matching with startsWith has a false-positive risk$page.url.pathname.startsWith('/settings') would match /settings-advanced or /settings2 if those routes ever existed. Currently safe because routes are well-defined, but a prefix match on / would activate everything. Worth noting for future routes — consider exact-match or segment-boundary matching (pathname === href || pathname.startsWith(href + '/')).

  4. No icons rendered — The NavItem type has an icon: string field and it's populated in the config, but none of the three nav components actually render any icon. The spec calls for 16px icons in the sidebar and icons in the mobile tab bar. This should be a fast follow — the slot is there, the data is there, just no visual output yet.

Suggestions

  • DRY up the $app/stores mock — Four test files have the identical mock block. Extract into a shared test helper like src/lib/__tests__/mocks.ts and import it. Less copy-paste, easier to change when you need a different route.
  • (public)/+layout.svelte missing lang="ts" — The script tag uses $props() which is Svelte 5, but lang="ts" is omitted. Won't break anything, but inconsistent with all other components.
  • Consider font-display: swap — The design system loads Fraunces and DM Sans, but app.css doesn't have @font-face rules with font-display: swap. If fonts are loaded via Google Fonts link in app.html, this is fine, but worth checking the app.html file (not in this diff) to confirm.

Overall: clean, well-structured, good component decomposition. The TDD flow is visible in the commit history. Ship it with the resolve.conditions concern addressed.

## 👨‍💻 Kai — Frontend Engineer **Verdict: ⚠️ Approved with concerns** ### Blockers None. ### Concerns 1. **`resolve: { conditions: ['browser'] }` at the top level of `vite.config.ts`** — This applies the `browser` condition globally, not just to tests. This could affect SSR builds by forcing browser-only exports for all dependencies during `vite build`. Safer to scope it under `test.resolve.conditions` or use `test.alias` to remap only `svelte` to its client entry. Worth verifying with `npm run build` that SSR still works. 2. **`$page` mock uses `require()` syntax** — All four component test files mock `$app/stores` with `const { readable } = require('svelte/store')`. This is CJS in an ESM project. It works because vitest hoists `vi.mock()` calls, but it's fragile. Prefer dynamic `import()`: ```ts vi.mock('$app/stores', async () => { const { readable } = await import('svelte/store'); return { page: readable({ url: new URL('http://localhost/planner') }) }; }); ``` 3. **Active route matching with `startsWith` has a false-positive risk** — `$page.url.pathname.startsWith('/settings')` would match `/settings-advanced` or `/settings2` if those routes ever existed. Currently safe because routes are well-defined, but a prefix match on `/` would activate everything. Worth noting for future routes — consider exact-match or segment-boundary matching (`pathname === href || pathname.startsWith(href + '/')`). 4. **No icons rendered** — The `NavItem` type has an `icon: string` field and it's populated in the config, but none of the three nav components actually render any icon. The spec calls for 16px icons in the sidebar and icons in the mobile tab bar. This should be a fast follow — the slot is there, the data is there, just no visual output yet. ### Suggestions - **DRY up the `$app/stores` mock** — Four test files have the identical mock block. Extract into a shared test helper like `src/lib/__tests__/mocks.ts` and import it. Less copy-paste, easier to change when you need a different route. - **`(public)/+layout.svelte` missing `lang="ts"`** — The script tag uses `$props()` which is Svelte 5, but `lang="ts"` is omitted. Won't break anything, but inconsistent with all other components. - **Consider `font-display: swap`** — The design system loads Fraunces and DM Sans, but `app.css` doesn't have `@font-face` rules with `font-display: swap`. If fonts are loaded via Google Fonts link in `app.html`, this is fine, but worth checking the `app.html` file (not in this diff) to confirm. Overall: clean, well-structured, good component decomposition. The TDD flow is visible in the commit history. Ship it with the `resolve.conditions` concern addressed.
marcel commented 2026-04-02 13:46:06 +02:00
Author
Owner
Copy Link

🏗️ Backend Engineer

Verdict: Approved

Observations

This PR is frontend-only. From a backend perspective, I checked:

  1. API contract usagehooks.server.ts calls GET /v1/auth/me via the typed apiClient. This endpoint exists in the OpenAPI spec and returns ApiResponseUserResponse with UserResponse containing id, displayName, householdId, householdName, householdRole. The field access in hooks matches the spec correctly: user.id, user.displayName, user.householdId, etc.

  2. Session cookie nameevent.cookies.get('session') assumes the Spring Boot session cookie is named session. Spring Security defaults to JSESSIONID. This needs to match the backend's server.servlet.session.cookie.name configuration. If the backend hasn't been configured to use session, this will silently fail (no cookie found → redirect to login forever). Verify the cookie name matches the backend config.

  3. Non-null assertionslocals.benutzer! and locals.haushalt! in +layout.server.ts are safe here because the hooks guard ensures these are populated before any (app) route loads. The layering is correct.

  4. No backend changes needed — All endpoints the frontend depends on (/v1/auth/me, /v1/households/mine) already exist. No new backend work required.

Suggestion

  • The householdRole field is cast as 'planer' | 'mitglied' directly from the API string. If the backend adds a third role, this cast will silently pass. Consider a runtime validation or at least a type guard. Low priority for now.
## 🏗️ Backend Engineer **Verdict: ✅ Approved** ### Observations This PR is frontend-only. From a backend perspective, I checked: 1. **API contract usage** — `hooks.server.ts` calls `GET /v1/auth/me` via the typed `apiClient`. This endpoint exists in the OpenAPI spec and returns `ApiResponseUserResponse` with `UserResponse` containing `id`, `displayName`, `householdId`, `householdName`, `householdRole`. The field access in hooks matches the spec correctly: `user.id`, `user.displayName`, `user.householdId`, etc. 2. **Session cookie name** — `event.cookies.get('session')` assumes the Spring Boot session cookie is named `session`. Spring Security defaults to `JSESSIONID`. This needs to match the backend's `server.servlet.session.cookie.name` configuration. If the backend hasn't been configured to use `session`, this will silently fail (no cookie found → redirect to login forever). **Verify the cookie name matches the backend config.** 3. **Non-null assertions** — `locals.benutzer!` and `locals.haushalt!` in `+layout.server.ts` are safe here because the hooks guard ensures these are populated before any `(app)` route loads. The layering is correct. 4. **No backend changes needed** — All endpoints the frontend depends on (`/v1/auth/me`, `/v1/households/mine`) already exist. No new backend work required. ### Suggestion - The `householdRole` field is cast as `'planer' | 'mitglied'` directly from the API string. If the backend adds a third role, this cast will silently pass. Consider a runtime validation or at least a type guard. Low priority for now.
marcel commented 2026-04-02 13:46:36 +02:00
Author
Owner
Copy Link

🧪 QA Engineer

Verdict: ⚠️ Approved with concerns

What's Covered (Good)

  • Nav config: 6 tests covering item count, labels, hrefs, section structure — solid.
  • MobileTabBar: 5 tests — rendering, labels, hrefs, active state, inactive state. Covers happy path well.
  • TabletNavBar: 4 tests — rendering, labels, active state, aria-label. Adequate.
  • DesktopSidebar: 8 tests — app name, household name, both sections, link count, active/inactive state, widget slot. Most thorough of the bunch.
  • AppShell: 4 tests — sidebar present, mobile nav present, main element, total link count. Good composition test.
  • Auth guard: 4 tests — public route bypass, no-cookie redirect, valid session population, invalid session redirect. Core paths covered.

That's 31 new tests for the app shell. A good start.

What's Missing

  1. No test for active state on non-/planner routes — Every component test mocks $page.url.pathname as /planner. We never verify that navigating to /recipes activates the Recipes tab and deactivates Planner. This is a one-dimensional test of the active state logic. At minimum, add a test with a different route to prove the logic isn't hardcoded.

  2. No test for the isPublicRoute boundary — The auth guard test checks /login (exact match) but not /login/ (trailing slash), /login?redirect=/planner (with query params), or /invite/abc123 (sub-path). The isPublicRoute function uses startsWith(route + '/') which handles sub-paths, but /login?redirect=... would fail because ?/. This could cause a redirect loop on the login page if query params are present. This is a real bug path.

  3. No test for the root / redirect+page.server.ts does redirect(302, '/planner') but there's no test asserting this behavior. It's simple, but it's also the first thing a user hits.

  4. No test for (app)/+layout.server.ts — The load function reads locals.benutzer! and locals.haushalt!. What if locals.benutzer is undefined (e.g., a race condition or future refactor removes the hook guard)? The ! assertion would throw a runtime error with no useful message. A test would document this assumption.

  5. Auth guard doesn't test static assets — Requests to /favicon.ico, /_app/immutable/..., or other static files also hit hooks.server.ts. If the backend is down and a user loads a cached page, every CSS/JS request would redirect to /login. Consider adding static paths to PUBLIC_ROUTES or checking for file extensions.

Suggestions

  • Parameterized active-state tests: Use it.each to test multiple routes per component. One test per route is overkill, but it.each(['/planner', '/recipes', '/shopping']) proves the logic generalizes.
  • E2E smoke test placeholder: This PR builds the entire navigation skeleton. It's the ideal time to add at least one Playwright test that loads each breakpoint and checks the nav renders. Even a placeholder test file would set the pattern for future work.

Coverage Assessment

Estimated coverage for new code: ~75%. The happy paths are well covered, but the edge cases (different active routes, public route boundary, static assets) have gaps. Above the 80% floor for most files, but hooks.server.ts is likely below it due to the untested isPublicRoute edge cases.

## 🧪 QA Engineer **Verdict: ⚠️ Approved with concerns** ### What's Covered (Good) - **Nav config**: 6 tests covering item count, labels, hrefs, section structure — solid. - **MobileTabBar**: 5 tests — rendering, labels, hrefs, active state, inactive state. Covers happy path well. - **TabletNavBar**: 4 tests — rendering, labels, active state, aria-label. Adequate. - **DesktopSidebar**: 8 tests — app name, household name, both sections, link count, active/inactive state, widget slot. Most thorough of the bunch. - **AppShell**: 4 tests — sidebar present, mobile nav present, main element, total link count. Good composition test. - **Auth guard**: 4 tests — public route bypass, no-cookie redirect, valid session population, invalid session redirect. Core paths covered. That's **31 new tests** for the app shell. A good start. ### What's Missing 1. **No test for active state on non-`/planner` routes** — Every component test mocks `$page.url.pathname` as `/planner`. We never verify that navigating to `/recipes` activates the Recipes tab and deactivates Planner. This is a one-dimensional test of the active state logic. At minimum, add a test with a different route to prove the logic isn't hardcoded. 2. **No test for the `isPublicRoute` boundary** — The auth guard test checks `/login` (exact match) but not `/login/` (trailing slash), `/login?redirect=/planner` (with query params), or `/invite/abc123` (sub-path). The `isPublicRoute` function uses `startsWith(route + '/')` which handles sub-paths, but `/login?redirect=...` would fail because `?` ≠ `/`. This could cause a redirect loop on the login page if query params are present. **This is a real bug path.** 3. **No test for the root `/` redirect** — `+page.server.ts` does `redirect(302, '/planner')` but there's no test asserting this behavior. It's simple, but it's also the first thing a user hits. 4. **No test for `(app)/+layout.server.ts`** — The load function reads `locals.benutzer!` and `locals.haushalt!`. What if `locals.benutzer` is undefined (e.g., a race condition or future refactor removes the hook guard)? The `!` assertion would throw a runtime error with no useful message. A test would document this assumption. 5. **Auth guard doesn't test static assets** — Requests to `/favicon.ico`, `/_app/immutable/...`, or other static files also hit `hooks.server.ts`. If the backend is down and a user loads a cached page, every CSS/JS request would redirect to `/login`. Consider adding static paths to `PUBLIC_ROUTES` or checking for file extensions. ### Suggestions - **Parameterized active-state tests**: Use `it.each` to test multiple routes per component. One test per route is overkill, but `it.each(['/planner', '/recipes', '/shopping'])` proves the logic generalizes. - **E2E smoke test placeholder**: This PR builds the entire navigation skeleton. It's the ideal time to add at least one Playwright test that loads each breakpoint and checks the nav renders. Even a placeholder test file would set the pattern for future work. ### Coverage Assessment Estimated coverage for new code: ~75%. The happy paths are well covered, but the edge cases (different active routes, public route boundary, static assets) have gaps. Above the 80% floor for most files, but `hooks.server.ts` is likely below it due to the untested `isPublicRoute` edge cases.
marcel commented 2026-04-02 13:46:57 +02:00
Author
Owner
Copy Link

🔒 Sable — Security Engineer

Verdict: ⚠️ Approved with concerns

Concerns

  1. Auth guard bypasses static assets and API routeshooks.server.ts only exempts /login, /register, /invite. Every other request — including /_app/immutable/... (SvelteKit static assets), /favicon.ico, and any future /api/... routes — hits the auth guard. If the backend is unreachable, even loading CSS/JS for the login page would redirect to /login, creating an infinite loop. Add SvelteKit's internal paths to the bypass or check event.isSubRequest / file extensions.

  2. isPublicRoute doesn't account for query stringsevent.url.pathname is clean (no query string), so this is actually fine. Verified: new URL('http://x/login?foo=bar').pathname/login. No issue here.

  3. No redirect parameter preservation — When redirecting to /login, the original URL is lost. The user navigates to /recipes/abc, gets sent to /login, logs in, and lands on /planner (the default redirect). Best practice: redirect(302, '/login?redirect=' + encodeURIComponent(event.url.pathname)). Not a security issue, but a UX gap that affects the auth flow.

  4. Non-null assertions with ! on API response fieldshooks.server.ts:30-37 uses user.id!, user.displayName!, user.householdId!, etc. If the API returns a user without a household (e.g., newly registered user who hasn't joined/created one yet), householdId and householdName could be null. This would set locals.haushalt = { id: null, name: null } without any error, and the sidebar would render null as text. Add a check for users without households — redirect them to an onboarding flow or show a household setup page.

  5. No CSRF protection — The issue discussion (comment #1233) explicitly scoped CSRF and CSP as follow-up issues. Acknowledged. But I want to flag: the login form (when implemented) must have CSRF protection from day one. Don't ship the login form without it.

  6. Session cookie not forwarded in apiClient call — In hooks.server.ts:21, apiClient(event.fetch) is used. SvelteKit's event.fetch automatically forwards cookies, so the session cookie reaches the backend. Correct usage.

Verified (No Issues)

  • No {@html} usage anywhere — no XSS vectors.
  • No sensitive data in client-side layout data — +layout.server.ts passes benutzer (id, name, rolle) and haushalt (id, name). No password hashes, no session tokens.
  • Public layout doesn't load any user data.
  • Route groups are correctly split — (public) has no +layout.server.ts, so no auth data leaks to public pages.

Recommendation

The static asset bypass (concern #1) is the most impactful issue. In production, if the backend has a brief outage, the login page itself would break because its CSS and JS would be redirected to /login. Fix before merge or immediately after.

## 🔒 Sable — Security Engineer **Verdict: ⚠️ Approved with concerns** ### Concerns 1. **Auth guard bypasses static assets and API routes** — `hooks.server.ts` only exempts `/login`, `/register`, `/invite`. Every other request — including `/_app/immutable/...` (SvelteKit static assets), `/favicon.ico`, and any future `/api/...` routes — hits the auth guard. If the backend is unreachable, even loading CSS/JS for the login page would redirect to `/login`, creating an infinite loop. **Add SvelteKit's internal paths to the bypass** or check `event.isSubRequest` / file extensions. 2. **`isPublicRoute` doesn't account for query strings** — `event.url.pathname` is clean (no query string), so this is actually fine. Verified: `new URL('http://x/login?foo=bar').pathname` → `/login`. No issue here. ✅ 3. **No `redirect` parameter preservation** — When redirecting to `/login`, the original URL is lost. The user navigates to `/recipes/abc`, gets sent to `/login`, logs in, and lands on `/planner` (the default redirect). Best practice: `redirect(302, '/login?redirect=' + encodeURIComponent(event.url.pathname))`. Not a security issue, but a UX gap that affects the auth flow. 4. **Non-null assertions with `!` on API response fields** — `hooks.server.ts:30-37` uses `user.id!`, `user.displayName!`, `user.householdId!`, etc. If the API returns a user without a household (e.g., newly registered user who hasn't joined/created one yet), `householdId` and `householdName` could be `null`. This would set `locals.haushalt = { id: null, name: null }` without any error, and the sidebar would render `null` as text. **Add a check for users without households** — redirect them to an onboarding flow or show a household setup page. 5. **No CSRF protection** — The issue discussion (comment #1233) explicitly scoped CSRF and CSP as follow-up issues. Acknowledged. But I want to flag: **the login form (when implemented) must have CSRF protection from day one.** Don't ship the login form without it. 6. **Session cookie not forwarded in `apiClient` call** — In `hooks.server.ts:21`, `apiClient(event.fetch)` is used. SvelteKit's `event.fetch` automatically forwards cookies, so the session cookie reaches the backend. ✅ Correct usage. ### Verified (No Issues) - No `{@html}` usage anywhere — no XSS vectors. ✅ - No sensitive data in client-side layout data — `+layout.server.ts` passes `benutzer` (id, name, rolle) and `haushalt` (id, name). No password hashes, no session tokens. ✅ - Public layout doesn't load any user data. ✅ - Route groups are correctly split — `(public)` has no `+layout.server.ts`, so no auth data leaks to public pages. ✅ ### Recommendation The static asset bypass (concern #1) is the most impactful issue. In production, if the backend has a brief outage, the login page itself would break because its CSS and JS would be redirected to `/login`. Fix before merge or immediately after.
marcel commented 2026-04-02 13:47:19 +02:00
Author
Owner
Copy Link

🎨 Atlas — UI/UX Designer

Verdict: ⚠️ Approved with concerns

Design System Compliance

The app.css @theme tokens are correct and complete. Color scales, spacing, radii, shadows, fonts — all match the spec. WCAG contrast tests are a nice touch.

Concerns

  1. No icons in any nav component — The spec explicitly calls for icons in all three nav variants:

    • Mobile tab bar: icon above label
    • Desktop sidebar: 16px icon with 20px column width, to the left of the label
    • Tablet pills: icon + label

    The NavItem type has an icon: string field, the config has icon names (calendar, book, shopping-cart, etc.), but no component renders them. The nav will look like a list of plain text links. This is a significant visual gap. I understand this may be a deliberate placeholder (icons need an icon system like Lucide or SVG sprites), but it should be tracked as a fast follow.

  2. Mobile tab bar missing icon-above-label layout — The spec shows icons stacked above labels in the mobile tab bar. Current implementation has flex-col items-center gap-1 which is correct structurally, but without the icon, it's just a label. Once icons are added, verify the icon is above the label (flex-col handles this).

  3. Desktop sidebar household name placement — The spec says the household name is below the icon+name row as a sub-line. The current implementation renders it as a separate <p> element below the <div class="flex items-center gap-2"> that contains the icon and app name. This is correct — the householdName sits below.

  4. Tablet nav at the top, not bottom — Confirmed from the discussion: tablet nav should be at the top of the viewport, inline (not fixed). The TabletNavBar is rendered before <main> in the flex column, which places it at the top. Correct placement.

  5. Section label font size is 8pxDesktopSidebar.svelte:22 uses text-[8px] for section titles. This matches the spec, but 8px is extremely small. It's above the minimum for decorative/label text under WCAG (which doesn't set a minimum font size, but recommends ≥12px for readability). Monitor user feedback — we may need to bump this to 9-10px.

  6. Missing hover states — None of the nav components define hover styles. The spec doesn't explicitly call them out, but interactive elements without hover feedback feel broken on desktop. Recommend adding hover:bg-[var(--color-subtle)] on inactive nav items for desktop and tablet.

Verified (Correct)

  • Active state uses --green-tint bg + --green-dark text across all three breakpoints
  • Border radius on active items uses --radius-md (6px)
  • Sidebar width is 224px with min-w-[224px]
  • Sidebar is sticky, full height
  • Mobile tab bar is fixed bottom with safe-area padding
  • Font usage: --font-display for app name, --font-sans for nav items
  • Breakpoint classes are correct: md:hidden, hidden md:flex lg:hidden, hidden lg:flex

Summary

The structural implementation is correct. The main gap is icons — without them, the navigation doesn't match the visual spec. Track as a follow-up issue and ship the shell.

## 🎨 Atlas — UI/UX Designer **Verdict: ⚠️ Approved with concerns** ### Design System Compliance The `app.css` `@theme` tokens are correct and complete. Color scales, spacing, radii, shadows, fonts — all match the spec. WCAG contrast tests are a nice touch. ✅ ### Concerns 1. **No icons in any nav component** — The spec explicitly calls for icons in all three nav variants: - Mobile tab bar: icon above label - Desktop sidebar: 16px icon with 20px column width, to the left of the label - Tablet pills: icon + label The `NavItem` type has an `icon: string` field, the config has icon names (`calendar`, `book`, `shopping-cart`, etc.), but **no component renders them**. The nav will look like a list of plain text links. This is a significant visual gap. I understand this may be a deliberate placeholder (icons need an icon system like Lucide or SVG sprites), but it should be tracked as a fast follow. 2. **Mobile tab bar missing icon-above-label layout** — The spec shows icons stacked above labels in the mobile tab bar. Current implementation has `flex-col items-center gap-1` which is correct structurally, but without the icon, it's just a label. Once icons are added, verify the icon is `above` the label (flex-col handles this). 3. **Desktop sidebar household name placement** — The spec says the household name is below the icon+name row as a sub-line. The current implementation renders it as a separate `<p>` element below the `<div class="flex items-center gap-2">` that contains the icon and app name. This is correct — the `householdName` sits below. ✅ 4. **Tablet nav at the top, not bottom** — Confirmed from the discussion: tablet nav should be at the top of the viewport, inline (not fixed). The `TabletNavBar` is rendered before `<main>` in the flex column, which places it at the top. ✅ Correct placement. 5. **Section label font size is 8px** — `DesktopSidebar.svelte:22` uses `text-[8px]` for section titles. This matches the spec, but 8px is extremely small. It's above the minimum for decorative/label text under WCAG (which doesn't set a minimum font size, but recommends ≥12px for readability). Monitor user feedback — we may need to bump this to 9-10px. 6. **Missing hover states** — None of the nav components define hover styles. The spec doesn't explicitly call them out, but interactive elements without hover feedback feel broken on desktop. Recommend adding `hover:bg-[var(--color-subtle)]` on inactive nav items for desktop and tablet. ### Verified (Correct) - Active state uses `--green-tint` bg + `--green-dark` text across all three breakpoints ✅ - Border radius on active items uses `--radius-md` (6px) ✅ - Sidebar width is 224px with `min-w-[224px]` ✅ - Sidebar is sticky, full height ✅ - Mobile tab bar is fixed bottom with safe-area padding ✅ - Font usage: `--font-display` for app name, `--font-sans` for nav items ✅ - Breakpoint classes are correct: `md:hidden`, `hidden md:flex lg:hidden`, `hidden lg:flex` ✅ ### Summary The structural implementation is correct. The main gap is icons — without them, the navigation doesn't match the visual spec. Track as a follow-up issue and ship the shell.
marcel added 12 commits 2026-04-02 14:05:22 +02:00
refactor(config): document resolve.conditions safety for SSR builds db4b01ca77 
Verified: SvelteKit's plugin overrides resolve.conditions for SSR
builds. The global 'browser' condition only affects vitest and dev.
Build output confirmed correct with npm run build.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
refactor(test): replace require() with import() in $app/stores mocks 05bf66de56 
CJS require() is fragile in an ESM project. Use async import() instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
refactor(public): add lang="ts" to public layout for consistency d7f317587e 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(auth): bypass auth guard for static assets and favicon 2bdb1010f8 
Prevents redirect loop when backend is down — login page CSS/JS
would otherwise be redirected to /login.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
test(auth): add isPublicRoute boundary tests for sub-paths and trailing slash cc74c0042a 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(auth): preserve redirect URL when redirecting to /login 92c7d8f92e 
Appends ?redirect= with the original pathname so the login page
can redirect back after successful authentication.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(auth): read JSESSIONID cookie to match Spring Security default 32550377aa 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(auth): handle users without household — fallback to 'Kein Haushalt' aeaca76534 
Removes non-null assertions on householdId/householdName. Users who
haven't joined a household get a fallback name in the sidebar.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(nav): use segment-boundary route matching to prevent false positives bd8e901685 
Extracts isActiveRoute() into shared nav module. Matches exact path
or path + '/' prefix, preventing /settings from matching /settings-advanced.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
test(nav): add parameterized active-state tests for all routes 4bd020fa16 
Proves active state logic generalizes beyond /planner by testing
all 4 mobile nav routes with writable page store.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(nav): add emoji icons to all nav components 5c066d33ef 
Renders emoji icons in MobileTabBar (stacked above label),
TabletNavBar (inline), and DesktopSidebar (16px, 20px column).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(nav): add hover state on inactive tablet and desktop nav items 682580e11d 
Applies hover:bg-[var(--color-subtle)] to inactive nav links for
visual feedback on pointer devices.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
marcel commented 2026-04-02 14:05:40 +02:00
Author
Owner
Copy Link

Review Concerns Addressed

All 12 reviewer concerns have been resolved across 12 commits:

# Concern Source Fix Commit
1 resolve.conditions global scope @Kai Verified safe for SSR — documented db4b01c
2 require() in test mocks @Kai Replaced with await import() 05bf66d
3 (public)/+layout.svelte missing lang="ts" @Kai Added d7f3175
4 Auth guard doesn't bypass static assets @Sable/@QA Added /_app/ and /favicon bypass 2bdb101
5 Missing isPublicRoute boundary tests @QA Added tests for sub-paths, trailing slash cc74c00
6 No redirect URL preservation @Sable Appends ?redirect= to login URL 92c7d8f
7 Session cookie name session vs JSESSIONID @Backend Changed to JSESSIONID 3255037
8 Non-null assertions for users without households @Sable Fallback to 'Kein Haushalt', nullable haushalt.id aeaca76
9 startsWith false-positive risk @Kai Extracted isActiveRoute() with segment-boundary check bd8e901
10 No active state test for non-/planner routes @QA Parameterized tests for all 4 routes with writable store 4bd020f
11 No icons rendered @Atlas/@Kai Emoji icons in all 3 nav components 5c066d3
12 Missing hover states @Atlas hover:bg-[var(--color-subtle)] on tablet + desktop nav 682580e

Test suite: 86 tests passing (was 70), 0 type errors, 0 warnings.

## Review Concerns Addressed All 12 reviewer concerns have been resolved across 12 commits: | # | Concern | Source | Fix | Commit | |---|---------|--------|-----|--------| | 1 | `resolve.conditions` global scope | @Kai | Verified safe for SSR — documented | `db4b01c` | | 2 | `require()` in test mocks | @Kai | Replaced with `await import()` | `05bf66d` | | 3 | `(public)/+layout.svelte` missing `lang="ts"` | @Kai | Added | `d7f3175` | | 4 | Auth guard doesn't bypass static assets | @Sable/@QA | Added `/_app/` and `/favicon` bypass | `2bdb101` | | 5 | Missing `isPublicRoute` boundary tests | @QA | Added tests for sub-paths, trailing slash | `cc74c00` | | 6 | No redirect URL preservation | @Sable | Appends `?redirect=` to login URL | `92c7d8f` | | 7 | Session cookie name `session` vs `JSESSIONID` | @Backend | Changed to `JSESSIONID` | `3255037` | | 8 | Non-null assertions for users without households | @Sable | Fallback to `'Kein Haushalt'`, nullable `haushalt.id` | `aeaca76` | | 9 | `startsWith` false-positive risk | @Kai | Extracted `isActiveRoute()` with segment-boundary check | `bd8e901` | | 10 | No active state test for non-`/planner` routes | @QA | Parameterized tests for all 4 routes with writable store | `4bd020f` | | 11 | No icons rendered | @Atlas/@Kai | Emoji icons in all 3 nav components | `5c066d3` | | 12 | Missing hover states | @Atlas | `hover:bg-[var(--color-subtle)]` on tablet + desktop nav | `682580e` | **Test suite:** 86 tests passing (was 70), 0 type errors, 0 warnings.
marcel merged commit 682580e11d into master 2026-04-02 14:14:17 +02:00
marcel deleted branch feat/issue-16-design-system 2026-04-02 14:14:24 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
kind/bug
Something isn't working
 kind/chore
Maintenance, dependency updates, tooling
 kind/devops
CI/CD, infra, deployment
 kind/docs
Documentation additions or updates
 kind/feature
New functionality
 kind/refactor
Code restructuring without behaviour change
 kind/security
Security vulnerability or hardening
 kind/test
Adding or fixing tests
 kind/ui
User interface or UX change
 priority/critical
Drop everything
 priority/high
Next up
 priority/low
Nice to have
 priority/medium
Important but not urgent
 status/blocked
Blocked by another issue or external dependency
 status/in-progress
Actively being worked on
 status/needs-review
Waiting for review or feedback
 status/wontfix
Intentionally not being addressed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/mealprep#32
Delete Branch "feat/issue-16-design-system"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?