Tech Stack โ lantern_app ๐ก โ
Summary โ
This project will use a Google / Firebase + GCP-first stack focused on fast time-to-market, strong security defaults, and excellent PWA support. The list below explains what each technology is and what it does for the app.
What is a PWA? ๐ฑ โ
Progressive Web App (PWA) is a set of best practices and technologies that make web apps behave like native apps: installable to the home screen, load reliably and fast, work offline, and support push notifications. Core pieces:
- Service Worker โ background script that enables offline caching, request interception, and push handling.
- Web App Manifest โ JSON file (you already have
manifest.webmanifest) that describes the app (name, icons, theme) and enables installability. - HTTPS and secure contexts โ required for installability and service workers.
Core stack (what we will use and why) โ โ
Frontend โ
- React + Vite โ fast development, fast builds, and good PWA integration. (Already in repo)
- TypeScript (recommended) โ type safety and better developer experience.
- vite-plugin-pwa โ integrates service worker generation and caching strategies with Vite.
Authentication & Identity โ
- Firebase Authentication โ managed auth (email/password, OAuth providers, phone, multi-factor). Simplifies secure sign-in flows and integrates with other Firebase services.
Database & Offline โ
- Cloud Firestore (Firebase) โ document database with real-time sync and built-in offline persistence for web PWAs. Use it for user data and app state that benefits from realtime updates.
Storage โ
- Firebase Storage (backed by GCS) โ file uploads & user-generated content with secure rules and signed URL support.
Hosting & CDN โ
- Firebase Hosting โ global CDN optimized for static PWAs; works seamlessly with
firebase deployand serves the service worker & manifest correctly.
Serverless / Business Logic โ
- Cloud Functions for Firebase (or GCP Cloud Functions / Cloud Run) โ server-side logic, webhook handlers, scheduled jobs, and secure token verification.
Messaging & Notifications โ
- Firebase Cloud Messaging (FCM) โ web push notifications and mobile push integration.
Observability & Security โ
- Cloud Logging / Cloud Monitoring โ logs and metrics for backend services.
- Sentry (optional) โ frontend & server error tracking and release alerts.
- Cloud IAM & Secret Manager โ manage service account permissions and store secrets securely.
CI/CD & Quality โ
- GitHub Actions โ CI for lint/test/build and
firebasedeployment jobs. - Lighthouse CI โ automated PWA/performance audits in CI.
Security & hardening highlights ๐ โ
- App Check โ prevent abuse of backend resources by attesting legitimate clients.
- Firestore Security Rules โ deny-by-default rules and per-document access control.
- MFA & secure auth flows โ require MFA for sensitive accounts (admins).
- Short-lived credentials & Secret Manager โ rotate secrets and avoid embedding service account keys in the repo.
- HTTPS, CSP, HSTS, SRI โ protect clients and reduce XSS/CSRF risk.
- Firebase Emulator Suite โ local testing for Auth, Firestore, Functions, Storage and rules.
See ../governance/SECURITY.md for a full security checklist, threat model, incident response plan, and compliance roadmap.
Practical setup steps (next actions) โถ๏ธ โ
- Create a Firebase project and enable: Authentication, Firestore, Hosting, Storage, Functions, and App Check.
- Add Firebase config to your app via environment variables (do not commit keys). Example:
VITE_FIREBASE_API_KEYetc. - Install SDKs and plugins:
npm install firebasenpm install -D vite-plugin-pwa
- Add
vite-plugin-pwaconfig and a service worker strategy (e.g., network-first for API & cache-first for static assets). - Write basic Firestore Security Rules and test them with the Emulator.
- Add GitHub Actions: lint โ test โ build โ Lighthouse โ
firebase deploy(for hosting + functions).
Mobile roadmap (React Native) ๐ฑ โ
We plan to add Android and iOS apps using React Native after we validate the web PWA design. Key notes:
- Strategy: Start with a single codebase (React + React Native) and maximize code sharing using React Native for Web or a monorepo (e.g., Turborepo / pnpm workspaces).
- Build tools: Use Expo + EAS for fast native builds and OTA updates, or React Native CLI + Fastlane for more control.
- Firebase on mobile: Use
react-native-firebase(native SDKs) for Auth, Firestore, Storage, FCM, and Crashlytics; this provides better native integration than the web SDK. - Push & notifications: Configure FCM with native Android/iOS setup and handle native permission flows.
- Security & attestation: Use device attestation (Play Integrity / Apple DeviceCheck / App Attest) and server-side protections for critical operations; note App Check is web-focused.
- Testing & rollout: Use TestFlight / Google Play internal tracks and staged rollouts; add E2E mobile tests (Detox / Appium) and CI build pipelines.
PWA-first helps validate UX and offline behavior before investing in native builds.
Files / changes I can add in a starter PR ๐ ๏ธ โ
TECHSTACK.md(this file)firebasedirectory with examplefirestore.rules,storage.rules, andfirebase.jsonfor Hosting and Functions.vite.config.tschanges to addvite-plugin-pwasample config.- Example
src/firebase.tsshowing how to initialize Firebase withVITE_env vars and enable Firestore offline persistence. - CI workflow file (
.github/workflows/ci.yml) that includes Lighthouse CI and afirebasedeploy job (secrets set via GitHub).
Notes & tradeoffs โ
- Using Firebase/GCP gives strong managed security and fast time-to-market, but consider data residency and costs as reads/writes scale.
- For complex relational queries, use a hybrid approach (e.g., Cloud SQL + Cloud Run) later if needed.
If you'd like, I can open a starter PR that adds the Firebase config examples, PWA plugin integration, and a CI job. Which of the starter PR items above should I include first?
For governance & security guidance, see ../governance/GOVERNANCE.md and ../governance/SECURITY.md in the repository for recommended legal protections and a security-first checklist.