# LumisCare CI — Snyk + Lighthouse for deployed packages (MC #102842) — 2026-06-03

## Summary
MC #102842 re-adds **Snyk** (dependency scan) and **Lighthouse** (performance) CI jobs to `.github/workflows/ci.yml` for the **deployed** pnpm packages, replacing the placeholder TODOs left by MC #102817 (which removed the old jobs that scanned the dead `frontend/web/` tree).

- **Repo:** github.com/johnatbasicas/vivacare — branch `ci/snyk-lighthouse-packages-102842` → **PR #43** (base `dev`)
- **Fix commit:** `1ed9f107`

## What was added
### `security` job (Snyk)
- Scans deployed packages: `frontend/packages/{backoffice,admin,family-portal}/package.json`
- Auth via `${{ secrets.SNYK_TOKEN }}` only — **never hardcoded**
- `--severity-threshold=high`
- **Advisory / non-blocking** (`continue-on-error: true`); NOT in the blocking `quality-gate` `needs:`
- **Graceful degrade:** a guard step checks the token; if absent it emits a `::warning::` and skips the scans (job stays success) rather than hard-failing

### `lighthouse` job
- Runs `lhci collect` against the **live** SWA URLs — `app.lumiscare.com`, `admin.lumiscare.com`, `family.lumiscare.com`
- Does **not** build the dead `frontend/web/` tree
- Advisory / non-blocking

## Defect caught + fixed before close
On the first CI run (`26888003662`) the Snyk job died at `pnpm install --frozen-lockfile` with `ERR_PNPM_IGNORED_BUILDS` (exit 1): `pnpm/action-setup@v4` with `version: latest` resolved to pnpm v10, which treats ignored build scripts as a hard error, whereas `deploy.yml` pins `PNPM_VERSION: "9"`, where the same condition is only a warning. **Fix:** pin pnpm 9 and add the pnpm cache, mirroring `deploy.yml`.
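The `security` job shape described under "What was added" and the pnpm-9 fix above, as an added illustration rather than the workflow merged in PR #43: the package paths, threshold, `continue-on-error`, `::warning::` guard and pnpm pin come from this report, while the step names, the `node-version`, the `npm install -g snyk` / `snyk test` invocation and the shell loop are assumptions.

```yaml
# Illustrative `security` job (assumed layout, not the merged ci.yml).
security:
  name: Snyk dependency scan (advisory)
  runs-on: ubuntu-latest
  continue-on-error: true        # advisory: findings never fail the run
  # Deliberately NOT listed in quality-gate's `needs:`.
  steps:
    - uses: actions/checkout@v4

    # Pin pnpm 9: `version: latest` resolved to pnpm 10, whose
    # ERR_PNPM_IGNORED_BUILDS aborts `pnpm install --frozen-lockfile`.
    - uses: pnpm/action-setup@v4
      with:
        version: 9
    - uses: actions/setup-node@v4
      with:
        node-version: 20          # assumed; match the project's .nvmrc
        cache: pnpm               # store keyed on pnpm-lock.yaml
    - run: pnpm install --frozen-lockfile

    # Guard: the token is read only from the repo secret. A missing
    # token downgrades to a warning plus a skip flag, not a failed job.
    - id: guard
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      run: |
        if [ -z "$SNYK_TOKEN" ]; then
          echo "::warning::SNYK_TOKEN not set; skipping Snyk scans"
          echo "skip=true" >> "$GITHUB_OUTPUT"
        else
          echo "skip=false" >> "$GITHUB_OUTPUT"
        fi

    # Scan each deployed package; keep going after a failing package so
    # one report covers all three, then surface the worst status.
    - name: Snyk test (deployed packages)
      if: steps.guard.outputs.skip != 'true'
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      run: |
        npm install -g snyk
        status=0
        for pkg in backoffice admin family-portal; do
          snyk test \
            --file="frontend/packages/$pkg/package.json" \
            --severity-threshold=high || status=1
        done
        exit "$status"
```

With the token absent the guard step prints the warning, every later step is skipped, and the job still reports success, which is the "graceful degrade" behaviour verified in run 26888884509.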

## Verification
- FINAL CI run **26888884509** = `completed/success`; all 5 jobs succeeded (backend-test, security, lighthouse, code-scan, quality-gate REQUIRED).
- Snyk install step succeeded (641 pkgs); guard fired (`skip=true`, token absent); scans skipped; job success.
- Independent verifier subagent: **13/13** atomic claims PASS.
- Company Mesh P2P pre-verifier (eval/Proveo): **PASS** — `mesh-thr-105cdec0-7dd4-4370-adb0-271547da635a`.
- til-done verdict: **DONE** — receipt `/tmp/til-done/102842-20260603T135849Z.json`.

## Standing CEO action
Add **`SNYK_TOKEN`** to the `johnatbasicas/vivacare` repo secrets (Settings → Secrets → Actions) to activate real Snyk scanning. Until then the job skips cleanly with a warning. (John's PAT lacks `secrets:write` — HTTP 403.)