On returning to the app with an expired Supabase access token, bootstrap requests fired with the stale token and 401'd before Supabase finished refreshing. The global 401 handler then hard-redirected to /login?from=… (a full window.location navigation), and once the refresh landed the app sent the user straight back in — the login/logout/login flicker. Two holes in the SaaS apiClient response interceptor caused it: 1. "public" endpoints (e.g. /api/v1/config/app-config) skipped the refresh-and-retry path. The backend 401s any expired Bearer token regardless of route, so those bootstrap calls 401'd and fell through to handleHttpError, which redirected to /login. Now public endpoints also refresh-and-retry, and a 401 on a public endpoint sets skipAuthRedirect so it can never trigger the global login redirect. 2. Concurrent 401s each called supabase.auth.refreshSession() independently. Supabase rotates the refresh token on first use, so the racing refreshes failed with "Invalid Refresh Token: Already Used" and bounced the app even though the session was recoverable. Refreshes are now de-duplicated through a single in-flight promise. Existing apiClient unit tests (refresh-and-retry on protected 401, bare /login redirect on genuine refresh failure) are preserved. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Frontend
All frontend commands are run from the repository root using Task:
task frontend:dev— start Vite dev server (localhost:5173)task frontend:build— production buildtask frontend:test— run teststask frontend:test:watch— run tests in watch modetask frontend:lint— run ESLint + cycle detectiontask frontend:typecheck— run TypeScript type checkingtask frontend:check— run typecheck + lint + testtask frontend:install— install npm dependencies
For desktop app development, see the Tauri section below.
Layout
frontend/ is a workspace containing one or more apps. Today it holds the
PDF editor under frontend/editor/; new apps (the developer portal, etc.)
will sit alongside it as siblings. Shared tooling — package.json, node_modules,
.storybook/, ESLint, Prettier — lives at frontend/ so every app installs
once and lints with the same config.
Environment Variables
The editor's environment variables live in committed .env files at
frontend/editor/:
.env— used by all builds (core, proprietary, and as the base for desktop/SaaS).env.desktop— additional vars loaded in desktop (Tauri) mode.env.saas— additional vars loaded in SaaS mode
These files contain non-secret defaults and are checked into Git, so most dev work needs no further setup.
To override values locally (API keys, machine-specific settings), create an uncommitted sibling editor/.env.local / editor/.env.desktop.local / editor/.env.saas.local. Vite automatically layers these on top of the committed files.
Docker Setup
For Docker deployments and configuration, see the Docker README.
Tauri
All desktop tasks are available via Task. From the root of the repo:
Dev
task desktop:dev
This ensures the JLink runtime and backend JAR exist (skipping if already built), then starts Tauri in dev mode.
Build
task desktop:build
This does a full clean rebuild of the backend JAR and JLink runtime, then builds the Tauri app for production.
Platform-specific dev builds are also available:
task desktop:build:dev # No bundling
task desktop:build:dev:mac # macOS .app bundle
task desktop:build:dev:windows # Windows NSIS installer
task desktop:build:dev:linux # Linux AppImage
JLink Tasks
You can also run JLink steps individually:
task desktop:jlink # Build JAR + create JLink runtime
task desktop:jlink:jar # Build backend JAR only
task desktop:jlink:runtime # Create JLink custom JRE only
task desktop:jlink:clean # Remove JLink artifacts
Clean
task desktop:clean
Removes all desktop build artifacts including JLink runtime, bundled JARs, Cargo build, and dist/build directories.