Add frontend build system

[TatevikGr]

Summary

Thanks for contributing to phpList!

Summary by CodeRabbit

• New Features

  • Modern frontend build and bundling setup with Node/Yarn support and asset compilation
  • CORS support enabled for API compatibility

• Chores

  • Updated build tooling and runtime dependencies; added image processing support in the runtime environment
  • Docker and compose improvements for build steps and persistent logs/cache; adjusted ignore rules

• Tests

  • Added test bootstrap and improved server-error assertion in endpoint tests

• Documentation

  • Added instructions to build and publish frontend assets

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a Node.js-based frontend build pipeline (Webpack Encore, Vue, Tailwind/PostCSS), integrates its build into Docker and docker-compose startup, updates Composer to include a CORS bundle and a Composer script to build frontend assets, adds test bootstrap and a test assertion, and updates ignore files.

Changes

Web frontend build & runtime wiring

Layer / File(s)	Summary
Data / Manifests package.json, yarn.lock	Adds root package.json with build/watch scripts, runtime and dev dependencies for Vue/Encore/Tailwind/ApexCharts/CKEditor.
Build config webpack.config.js, postcss.config.js	Adds Webpack Encore config (entries, output, Vue 3 loader, PostCSS) and PostCSS plugins (Tailwind + autoprefixer).
Composer integration composer.json	Adds build-web-frontend-assets script and registers Nelmio\CorsBundle; updates tatevikgr/rest-api-client constraint.
Container build Dockerfile, .dockerignore	Installs Node.js 20 and yarn, copies package.json/yarn.lock into build context, and enables PHP gd with freetype/jpeg support; .dockerignore changes remove yarn.lock ignore and add top-level 6, 7.
Runtime wiring / startup docker-compose.yml	Adds API_BASE_URL env, persistent ./var/logs/./var/cache volumes, and an app command that prepares dirs, runs composer run-script build-web-frontend-assets, then starts apache.
Docs README.md	Documents building/publishing web-frontend assets and Composer script usage.

Testing bootstrap & assertions

Layer / File(s)	Summary
Test bootstrap tests/bootstrap.php	Adds a new test bootstrap that enables strict_types=1, starts output buffering (ob_start()), and requires Composer autoloader.
PHPUnit config phpunit.xml.dist	Changes bootstrap to tests/bootstrap.php.
Test update tests/System/HttpEndpoints/WebFrontEndTest.php	Adds assertion to fail when /api/v2 returns HTTP 500 in testHomepageReturnsContent().
VCS ignores .gitignore	Adds node_modules/ to .gitignore.

sequenceDiagram
    participant Dev as Developer
    participant Repo as Git repo
    participant Docker as Docker build
    participant Node as Node/Yarn
    participant Composer as Composer
    participant Apache as Apache container

    Dev->>Repo: commit package.json, webpack.config.js, composer.json, Dockerfile, docker-compose.yml
    Docker->>Repo: copy `composer.json`, `composer.lock`, `package.json`, `yarn.lock`
    Docker->>Node: install Node.js 20 and global yarn
    Node->>Docker: run `yarn install` (during build or runtime script)
    Composer->>Node: `composer run-script build-web-frontend-assets` -> invokes `yarn build:web-frontend`
    Node->>Docker: produce `public/build` assets
    Apache->>Docker: container start command runs asset build, prepares dirs, then `apache2-foreground`
    Dev->>Repo: run tests (PHPUnit) which use `tests/bootstrap.php` for initialization

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add Docker setup and CI/CD improvements #107 — Overlaps in Docker and docker-compose configuration changes related to container build and runtime setup.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add frontend build system' accurately summarizes the main change—introducing Node.js build infrastructure, Webpack/Encore configuration, package.json, and related tooling for frontend asset compilation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.gitignore (1)

1-15: ⚠️ Potential issue | 🟠 Major

Remove the catch-all ignore unless force-adding every new file is intentional.

With * on Line 1 and no negate rules, Git ignores every new untracked file in the repository. That means future source/config additions require git add -f, and the new /node_modules/ entry is redundant anyway.

Suggested change

-*
 *.bak
 /.idea/
 /.project
 /.webprj

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 1 - 15, Remove the catch-all ignore pattern (*) from
.gitignore (or replace it with explicit patterns) so new untracked files are not
globally ignored; specifically remove or change the '*' entry and rely on
targeted patterns like '*~' for editor backups instead. Also remove the
redundant '/node_modules/' entry if your repo already manages node_modules
elsewhere, then verify the remaining patterns (e.g., '*~', '*.bak', '/var/')
only match intended files and commit the updated .gitignore.

🧹 Nitpick comments (1)

postcss.config.js (1)

2-4: autoprefixer looks redundant in this Tailwind 4 pipeline.

With Tailwind v4's @tailwindcss/postcss, vendor prefixing is already handled by the built-in Lightning CSS step. Keeping autoprefixer here adds an extra pass for no clear benefit, so I'd simplify this plugin list and drop the matching dependency as well.

Suggested change

 module.exports = {
     plugins: [
         require('@tailwindcss/postcss'),
-        require('autoprefixer'),
     ],
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@postcss.config.js` around lines 2 - 4, Remove the redundant autoprefixer
entry from the plugins array in postcss.config.js: delete the
require('autoprefixer') item and leave only require('@tailwindcss/postcss') in
the plugins list, and also remove the autoprefixer dependency from package.json
to avoid an unused package; after the change, run the build to verify no
regressions in the pipeline.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@composer.json`:
- Around line 47-51: The composer file currently pins several packages to
unstable branch names ("phplist/core" -> dev-dev, "phplist/web-frontend" ->
dev-feat/campaigns, "tatevikgr/rest-api" -> dev-dev) which are moving targets;
replace these dev-branch references with concrete, versioned tags or commit
hashes (e.g., semantic versions or specific shas) for "phplist/core",
"phplist/rest-api", "phplist/web-frontend", and "tatevikgr/rest-api" before
merging. Also update the "build-web-frontend-assets" script to run yarn with a
lockfile present (ensure a yarn.lock is committed and run "yarn install
--frozen-lockfile" or equivalent) to prevent drift, and add "nelmio/cors-bundle"
as a Composer dependency to match the registered bundle
Nelmio\CorsBundle\NelmioCorsBundle in extra.phplist/core.bundles so runtime
resolution is explicit.
- Around line 111-115: composer.json currently references
Nelmio\CorsBundle\NelmioCorsBundle in the bundles list but does not declare
"nelmio/cors-bundle" as a direct dependency, relying on phplist/rest-api to pull
it transitively; add "nelmio/cors-bundle" to the "require" section of
composer.json with an appropriate stable constraint, run composer update/install
to lock it, and ensure the bundle entry (Nelmio\CorsBundle\NelmioCorsBundle)
remains in your kernel/bundles registration so the package and configuration
stay consistent even if phplist/rest-api changes.

In `@docker-compose.yml`:
- Around line 22-25: The docker-compose volumes bind-mount .:/var/www/html which
overwrites image-built files (vendor/, public/build, ownership fixes); remove
the .:/var/www/html mount and only bind the specific runtime dirs (keep
./var/logs:/var/www/html/var/log and ./var/cache:/var/www/html/var/cache or add
other specific app state dirs) so that the Composer-installed vendor tree and
generated assets from the image are preserved and Dockerfile ownership steps
still apply; update the volumes section by deleting the .:/var/www/html entry
and keeping or adding explicit mounts for only the mutable runtime directories
referenced in the diff (./var/logs and ./var/cache).

In `@README.md`:
- Around line 154-160: The README is missing a prerequisite note that `composer
run-script build-web-frontend-assets` invokes the `yarn` command; update the
README section around the phplist/web-frontend → public/build instructions to
add a short prerequisite sentence stating that Node.js and Yarn must be
installed locally (or point to Docker usage) before running `composer run-script
build-web-frontend-assets`, mentioning `yarn` explicitly so users know why those
tools are required.

---

Outside diff comments:
In @.gitignore:
- Around line 1-15: Remove the catch-all ignore pattern (*) from .gitignore (or
replace it with explicit patterns) so new untracked files are not globally
ignored; specifically remove or change the '*' entry and rely on targeted
patterns like '*~' for editor backups instead. Also remove the redundant
'/node_modules/' entry if your repo already manages node_modules elsewhere, then
verify the remaining patterns (e.g., '*~', '*.bak', '/var/') only match intended
files and commit the updated .gitignore.

---

Nitpick comments:
In `@postcss.config.js`:
- Around line 2-4: Remove the redundant autoprefixer entry from the plugins
array in postcss.config.js: delete the require('autoprefixer') item and leave
only require('@tailwindcss/postcss') in the plugins list, and also remove the
autoprefixer dependency from package.json to avoid an unused package; after the
change, run the build to verify no regressions in the pipeline.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b0f46aa4-92ea-47c6-9646-c91ad6820f82

📥 Commits

Reviewing files that changed from the base of the PR and between 864e17f and 3ffc6d9.

⛔ Files ignored due to path filters (2)

• composer.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (8)

• .gitignore
• Dockerfile
• README.md
• composer.json
• docker-compose.yml
• package.json
• postcss.config.js
• webpack.config.js

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Document the local Node/Yarn prerequisite for this command.

composer run-script build-web-frontend-assets shells out to yarn, so on non-Docker setups this fails unless Node.js and Yarn are installed first. A short prerequisite note here would prevent a confusing first-run error.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 154 - 160, The README is missing a prerequisite note
that `composer run-script build-web-frontend-assets` invokes the `yarn` command;
update the README section around the phplist/web-frontend → public/build
instructions to add a short prerequisite sentence stating that Node.js and Yarn
must be installed locally (or point to Docker usage) before running `composer
run-script build-web-frontend-assets`, mentioning `yarn` explicitly so users
know why those tools are required.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

docker-compose.yml (1)

16-17: Parameterize base URLs instead of hard-coding http://app/.

Using a fixed internal hostname can break externally generated links in non-local deployments. Prefer overrideable env-default expansion.

♻️ Proposed change

-      REST_API_BASE_URL: 'http://app/'
-      FRONT_END_BASE_URL: 'http://app/'
+      REST_API_BASE_URL: ${REST_API_BASE_URL:-http://app/}
+      FRONT_END_BASE_URL: ${FRONT_END_BASE_URL:-http://app/}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker-compose.yml` around lines 16 - 17, The docker-compose service
currently hard-codes REST_API_BASE_URL and FRONT_END_BASE_URL to "http://app/",
which breaks externally generated links; change these to use
environment-variable expansion with sensible defaults so deployers can override
them (e.g., use ${REST_API_BASE_URL:-http://app/} and
${FRONT_END_BASE_URL:-http://app/} in the docker-compose env entries). Update
the REST_API_BASE_URL and FRONT_END_BASE_URL entries to reference those env vars
so external deployments can supply proper public-facing base URLs without
editing the compose file.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Composer/SecurityConfigScriptHandler.php`:
- Around line 43-49: The patch in SecurityConfigScriptHandler.php currently sets
a catch-all dev firewall ($configuration['security']['firewalls']['dev']) to
pattern '^/' and security=false, which can disable auth in production; change
the handler to restrict the pattern to dev-only routes (e.g., '^/_') and guard
applying this default with an environment check (only apply when APP_ENV ===
'dev' or when a composer extra/dev flag is present) and/or skip modifying the
firewall if a non-dev environment is detected; update any associated README
notes to document the ordering risk and that the script only applies dev-pattern
defaults in development.
- Around line 24-27: The code in SecurityConfigScriptHandler should explicitly
handle file I/O and YAML parsing errors: after calling
file_get_contents($configurationFilePath) check for a false return and throw or
log a clear exception; wrap Yaml::parse(...) in a try-catch that catches
Symfony\Component\Yaml\Exception\ParseException and rethrows or reports a
descriptive error including the file path and parse message; avoid relying
solely on is_readable() (TOCTOU) by treating read failures as fatal when
file_get_contents fails; and when writing with file_put_contents(...) check for
a === false return and handle that failure (throw/log) so write errors are
detected. Reference these symbols: $configurationFilePath, file_get_contents,
Yaml::parse, ParseException, and file_put_contents in
SecurityConfigScriptHandler.php.

In `@tests/Integration/Composer/ScriptsTest.php`:
- Around line 128-133: The test
testModulesConfigurationFileContainsSecurityConfiguration is too weak because it
only checks for the 'security:' substring; instead parse the
config/config_modules.yml into a PHP array (e.g. using
Symfony\Component\Yaml\Yaml::parseFile or yaml_parse) and assert that a
top-level 'security' key exists and is an array, then assert the expected nested
keys and values produced by SecurityConfigScriptHandler (for example presence of
'firewalls', 'providers', and any required firewall names or settings) to ensure
the YAML structure and specific entries match what the handler generates.

---

Nitpick comments:
In `@docker-compose.yml`:
- Around line 16-17: The docker-compose service currently hard-codes
REST_API_BASE_URL and FRONT_END_BASE_URL to "http://app/", which breaks
externally generated links; change these to use environment-variable expansion
with sensible defaults so deployers can override them (e.g., use
${REST_API_BASE_URL:-http://app/} and ${FRONT_END_BASE_URL:-http://app/} in the
docker-compose env entries). Update the REST_API_BASE_URL and FRONT_END_BASE_URL
entries to reference those env vars so external deployments can supply proper
public-facing base URLs without editing the compose file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0827e2a0-a9c0-4b5f-8830-422b615c6086

📥 Commits

Reviewing files that changed from the base of the PR and between 1395941 and 3c1887e.

⛔ Files ignored due to path filters (1)

• composer.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

• composer.json
• docker-compose.yml
• phpunit.xml.dist
• src/Composer/SecurityConfigScriptHandler.php
• tests/Integration/Composer/ScriptsTest.php
• tests/bootstrap.php

✅ Files skipped from review due to trivial changes (1)

• phpunit.xml.dist

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/bootstrap.php
• composer.json

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

composer.json (1)

94-97: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

yarn install without --frozen-lockfile causes version drift.

This is still unaddressed from the previous review cycle. Without --frozen-lockfile (or --immutable for yarn berry), yarn install will silently upgrade packages whenever the registry has newer compatible versions, making the frontend build non-reproducible. A committed yarn.lock is only meaningful if the install is forced to respect it.

🔒 Proposed fix

     "build-web-frontend-assets": [
-        "yarn install",
+        "yarn install --frozen-lockfile",
         "yarn build:web-frontend"
     ],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@composer.json` around lines 94 - 97, The "build-web-frontend-assets" npm
script currently runs "yarn install" which allows dependency resolution drift;
update the script entry named build-web-frontend-assets so it runs a
lockfile-respecting install (e.g., replace "yarn install" with "yarn install
--frozen-lockfile" for Classic Yarn or "yarn install --immutable" for Yarn
Berry) to ensure the committed yarn.lock is honored during frontend builds.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker-compose.yml`:
- Around line 30-37: The runtime command in docker-compose currently runs
composer run-script build-web-frontend-assets (which performs yarn install +
webpack production) before exec apache2-foreground, causing long cold starts and
network dependency; move the frontend build into the image build instead by
running the same build step after the image's composer install during Dockerfile
build (so Node/yarn are used at build time and public/build is baked into the
image) and then remove composer run-script build-web-frontend-assets from the
docker-compose command so the container just prepares caches/logs
(mkdir/chown/chmod) and then exec apache2-foreground; update references to the
build script name (composer run-script build-web-frontend-assets) and ensure
public/build is produced at Dockerfile time.

In `@Dockerfile`:
- Around line 22-24: The RUN layer that installs Node (`RUN curl -fsSL
https://deb.nodesource.com/setup_20.x | bash - \ && apt install -y nodejs \ &&
npm install -g yarn`) should use apt-get (not apt) and remove APT lists in the
same layer to avoid larger images: change `apt install -y nodejs` to `apt-get
update && apt-get install -y --no-install-recommends nodejs` (keep the curl
setup step), then chain `&& rm -rf /var/lib/apt/lists/*` at the end of that RUN;
ensure the entire sequence (curl | bash, apt-get update, apt-get install, npm
install -g yarn, and the rm -rf cleanup) remains in one RUN instruction.

---

Duplicate comments:
In `@composer.json`:
- Around line 94-97: The "build-web-frontend-assets" npm script currently runs
"yarn install" which allows dependency resolution drift; update the script entry
named build-web-frontend-assets so it runs a lockfile-respecting install (e.g.,
replace "yarn install" with "yarn install --frozen-lockfile" for Classic Yarn or
"yarn install --immutable" for Yarn Berry) to ensure the committed yarn.lock is
honored during frontend builds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2cd6f035-4129-432f-b8b1-87a7ac8c734e

📥 Commits

Reviewing files that changed from the base of the PR and between 9f390bb and 21b08d6.

⛔ Files ignored due to path filters (2)

• composer.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (5)

• .dockerignore
• Dockerfile
• composer.json
• docker-compose.yml
• package.json

💤 Files with no reviewable changes (1)

• .dockerignore

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use apt-get instead of apt, and clean up apt lists in the same layer.

Two issues in this RUN block:

1. Line 23 uses apt install — apt is designed for interactive terminal use and is explicitly documented as having an unstable CLI interface not suitable for scripts. Use apt-get consistently with the rest of the Dockerfile.
2. No rm -rf /var/lib/apt/lists/* at the end of this layer, inflating the image size with package index data.

🔧 Proposed fix

 RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
-    && apt install -y nodejs \
-    && npm install -g yarn
+    && apt-get install -y --no-install-recommends nodejs \
+    && npm install -g yarn \
+    && rm -rf /var/lib/apt/lists/*

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
	&& apt install -y nodejs \
	&& npm install -g yarn
	RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
	&& apt-get install -y --no-install-recommends nodejs \
	&& npm install -g yarn \
	&& rm -rf /var/lib/apt/lists/*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 22 - 24, The RUN layer that installs Node (`RUN curl
-fsSL https://deb.nodesource.com/setup_20.x | bash - \ && apt install -y nodejs
\ && npm install -g yarn`) should use apt-get (not apt) and remove APT lists in
the same layer to avoid larger images: change `apt install -y nodejs` to
`apt-get update && apt-get install -y --no-install-recommends nodejs` (keep the
curl setup step), then chain `&& rm -rf /var/lib/apt/lists/*` at the end of that
RUN; ensure the entire sequence (curl | bash, apt-get update, apt-get install,
npm install -g yarn, and the rm -rf cleanup) remains in one RUN instruction.