making less changes and focusing on only one reproduceable builds feature

Author: developerzohaib786

console/Makefile

@@ -10,7 +10,7 @@ build-docker:
 
 .PHONY: install
 install:
-	npm install
+	npm ci
 
 .PHONY: lint
 lint: format-check
@@ -34,4 +34,19 @@ build: lint
 
 .PHONY: dev
 dev:
-	npm run dev
+	npm run dev
+
+# Reproducible build verification using devbox
+.PHONY: verify-reproducible
+verify-reproducible:
+	@command -v devbox >/dev/null 2>&1 || { echo "Please install devbox: curl -fsSL https://get.jetify.com/devbox | bash"; exit 1; }
+	@echo "Building twice and comparing checksums..."
+	@devbox run build
+	@tar --sort=name --mtime="1980-01-01 00:00:00 UTC" --owner=0 --group=0 --numeric-owner -cf /tmp/a.tar dist/
+	@rm -rf dist
+	@devbox run build
+	@tar --sort=name --mtime="1980-01-01 00:00:00 UTC" --owner=0 --group=0 --numeric-owner -cf /tmp/b.tar dist/
+	@echo "Build A:" && sha256sum /tmp/a.tar
+	@echo "Build B:" && sha256sum /tmp/b.tar
+	@diff <(sha256sum /tmp/a.tar | cut -d' ' -f1) <(sha256sum /tmp/b.tar | cut -d' ' -f1) && echo "✅ Builds are reproducible!" || { echo "❌ Builds are NOT reproducible"; exit 1; }
+	@rm -f /tmp/a.tar /tmp/b.tar

console/README.md

@@ -105,6 +105,28 @@ make build
 
 Output will be in the `dist/` directory.
 
+## Reproducible Builds
+
+For Apache releases and verification purposes, this project supports reproducible builds using [Devbox](https://www.jetify.com/devbox).
+
+### Prerequisites
+
+Install Devbox:
+
+```bash
+curl -fsSL https://get.jetify.com/devbox | bash
+```
+
+### Verifying Reproducibility
+
+To verify that builds are reproducible (builds twice and compares checksums):
+
+```bash
+make verify-reproducible
+```
+
+This will build the project twice and compare SHA256 checksums of the output tarballs.
+
 ## Production Deployment
 
 After building, you can serve the production files in several ways:

console/devbox.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.16.0/.schema/devbox.schema.json",
+  "packages": [
+    "nodejs@22.12.0"
+  ],
+  "shell": {
+    "init_hook": [
+      "npm ci"
+    ],
+    "scripts": {
+      "build": [
+        "npm run build"
+      ],
+      "dev": [
+        "npm run dev"
+      ],
+      "lint": [
+        "npm run lint"
+      ]
+    }
+  }
+}

console/docker/Dockerfile

@@ -28,10 +28,10 @@ ENV VITE_POLARIS_REALM_HEADER_NAME=Polaris-Realm
 WORKDIR /app
 
 # Copy package files
-COPY package.json ./
+COPY package.json package-lock.json ./
 
-# Install dependencies
-RUN npm install
+# Install dependencies (use npm ci for reproducible installs)
+RUN npm ci
 
 # Copy source code (excluding docker directory via .dockerignore)
 COPY . .

console/vite.config.ts

@@ -29,6 +29,25 @@ export default defineConfig({
       "@": path.resolve(__dirname, "./src"),
     },
   },
+  build: {
+    // Reproducibility: disable non-deterministic options
+    cssCodeSplit: false,
+    sourcemap: false,
+    rollupOptions: {
+      output: {
+        // Use content hash for deterministic chunk names
+        chunkFileNames: "assets/[name]-[hash].js",
+        entryFileNames: "assets/[name]-[hash].js",
+        assetFileNames: "assets/[name]-[hash][extname]",
+        // Ensure consistent chunk ordering by grouping node_modules
+        manualChunks: (id) => {
+          if (id.includes("node_modules")) {
+            return "vendor";
+          }
+        },
+      },
+    },
+  },
   server: {
     proxy: {
       "/api": {