# Web App Best Practices

When building apps or websites, follow these practices for professional-quality output.

## Getting Started - Start Here

**STRONGLY RECOMMENDED:** Start every new web app by adding a template with the `add` tool. Pick the right one (`web-simple` for static frontend-only, `web-fullstack` for backend+DB, `api` for pure API). It creates the standard `src/` structure with favicon, meta tags, and working starter files (including a demo you can customize). Deploy automatically uses `src/` when it exists. Only hand-roll files if the user explicitly tells you to skip the template.

**Naming:** Use the user's name verbatim if they gave one. If you need to invent a name, blend "Gip" or "Gipity" into it (e.g. "Gipity Notes", "GipPic", "Gip Tac Toe") - be creative but don't force it if it genuinely doesn't fit.

**Starting over in an existing project:** If `src/` (or `functions/`, `migrations/` for fullstack/api) already exists and the user wants a clean rebuild, call `file_delete` on those directories first, then run `add` normally. Or pass `force=true` to `add` to overwrite in one step - destructive, so confirm with the user first. Non-template content (media, data, notes) is preserved either way.

**Multi-language (web-simple):** The template ships a dormant i18n system. Flip `config.features.i18n` to `true` in `src/js/config.js` to enable the language picker and `translations.js` lookup; the code in `src/js/strings.js`, `src/js/i18n.js`, and `src/js/main.js` is self-documenting - read those to see the `render()` + `i18n:changed` event pattern.

## File Structure
- **Use src/ convention**: All app files live under `src/` - `src/index.html`, `src/css/styles.css`, `src/js/main.js`, `src/images/`
- **Separate files**: Split into `index.html`, `styles.css`, and `app.js` (or `main.js`). Never inline large blocks of CSS or JS in HTML.
- If the app grows, organize into folders: `src/css/`, `src/js/`, `src/assets/`, `src/sounds/`, `src/images/`, etc.
- **Use subfolders - don't flatten**: Reference assets from their folders (e.g. `sounds/click.ogg`, `images/logo.png`). Never copy files to the root just for convenience - deployed apps serve the full directory tree.
- Keep `index.html` clean - it should be structure/markup, not behavior or styling

## HTML
- Use semantic elements: `<header>`, `<nav>`, `<main>`, `<section>`, `<footer>`, `<article>`
- Always include `<meta name="viewport" content="width=device-width, initial-scale=1.0">`
- Add a proper `<title>` and favicon link
- Unless the user specifies a different CSS framework, include Water.css for automatic styling: `<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/water.css@2/out/water.css">`
- Water.css styles semantic HTML automatically (buttons, tables, forms, nav, cards) - no classes needed. It supports dark/light themes automatically. Add custom CSS on top for app-specific tweaks.

## CSS
- When using Water.css, it handles base styling, resets, and typography - don't duplicate what it provides
- Water.css exposes CSS variables for theming - override them in `:root` for custom colors/fonts
- Use CSS custom properties (variables) for app-specific colors, spacing, and fonts
- Add smooth transitions on interactive elements (buttons, links, hover states)

## JavaScript
- Use `const`/`let`, arrow functions, template literals, and modern ES6+ syntax
- Wait for DOM: wrap in `DOMContentLoaded` or place script at end of body
- Keep functions small and focused
- Use `addEventListener` - never inline `onclick` attributes in HTML

## External Packages
- **No npm install.** Gipity apps are static - there is no node_modules or build server.
- **Use import maps** to load npm packages from CDN. Add a `<script type="importmap">` block in `<head>`:
  ```
  <script type="importmap">
  { "imports": { "lodash-es": "https://esm.sh/lodash-es@4.17.21" } }
  </script>
  ```
  Then in JS: `import { debounce } from 'lodash-es';`
- **jsdelivr** (`cdn.jsdelivr.net/npm/`) - Use when the package ships a browser-ready ES module file (Three.js, Phaser, Rapier).
- **esm.sh** - Use for any npm package, especially those without a browser build. Add `?bundle-deps` if it has dependencies.
- CDN `<script>` tags (non-module) also work for libraries that expect a global (e.g. Phaser).

## Code Quality
- **Keep files under ~400 lines** unless the content genuinely requires it (e.g. a long data table, template string, or config object). When logic grows beyond that, split into focused modules (e.g. `utils.js`, `api.js`, `ui.js`).
- **Don't duplicate code.** If the same logic appears twice, extract it into a shared function. Before writing a new helper, check if one already exists or could be extended.
- **One responsibility per file.** A file that handles both UI rendering and API calls should be split.
- **Name things clearly.** Functions, variables, and files should describe what they do - no `temp`, `data2`, `stuff.js`.
- **Prefer simple, readable code** over clever code that hides bugs. Flat over nested - use early returns, avoid deep nesting.
- **Centralize configuration.** App settings, API URLs, feature flags, and magic numbers should live in a dedicated config file (e.g. `config.js` or `constants.js`), not scattered across the codebase.
- **Write utility functions** for repeated operations (formatting, validation, API calls). Keep them in a `utils.js` or `helpers.js` file. Small, pure functions are easy to test and reuse.

## Testing
- **Write tests for new functions** - especially utility/helper functions. Cover the happy path and edge cases (empty input, null, boundary values).
- **Don't mock unless absolutely required.** Tests should exercise real code paths. Only mock external paid services (APIs that cost money per call).
- **E2E tests should hit real infrastructure** (real API, real DB) - just clean up test data when done.
- **Test file naming**: `*.test.js` for unit tests, `*.e2e.test.js` for end-to-end tests.

## Images
- **Optimize images for web.** Generated images (DALL-E, Flux) are often 1-5MB PNGs. Before adding them to a web page, use the sandbox to convert to WebP at a reasonable size:
  ```
  convert input.png -resize 1200x1200\> -quality 80 output.webp
  ```
  This keeps images under ~100KB for most web use. Use `<img src="images/photo.webp">` in HTML.
- **Keep originals if the user wants them** - but reference the optimized version in HTML/CSS.
- **Size guide**: Hero images ~1200px wide, thumbnails ~400px, icons ~64-128px. Don't serve a 4000px image in a 600px container.
- **Use WebP** as the default format for photos and generated images. Use PNG only for images that need transparency with sharp edges (logos, icons). Use SVG for simple graphics and icons when possible.

## Deployment
- **src/ detection**: If a `src/` directory exists, only `src/` is deployed. Otherwise the full project root is deployed.
- **Local `<script>` tags MUST use `type="module"`** (e.g. `<script type="module" src="./js/main.js"></script>`). Prod deploys run Vite optimization which only traces module scripts; a plain `<script src="js/x.js">` gets silently dropped from the build and the deployed page 404s on that JS file. CDN `<script>` tags pointing at external URLs (Phaser, etc.) are fine without `type="module"` - the guard only enforces this for same-origin paths.
- **Auto-deploy**: When deploy mode is "auto-dev" or "auto-prod", ANY file change (write, edit, copy, move, delete) triggers automatic deployment
- **Rate limit**: Per-plan deploy-rate cap (shared between manual and auto)
- **Caching**: CloudFront cache is automatically invalidated on production deploys. Dev deploys use short cache TTLs.
- **File hosting**: Use `host_file` to make workspace files publicly accessible via URL (max 50MB). Useful for images in emails or sharing files outside the app.

## Browser Debugging

Two separate browser capabilities - pick the right one:

**`gipity page-inspect <url>`** (CLI) - one-shot inspection. Returns console errors, failed resources, timing, oversized images. No actions, no screenshots. Use this first after every deploy.
Options: `--wait <ms>` (default 3000), `--json`. If unsure: `gipity page-inspect --help`.

**`browser` agent tool** - interactive debugging with actions. Use when the CLI inspection surfaces something you need to dig into:
- `open` → `snapshot` - read DOM/accessibility tree
- `console` - captured `console.error`/`console.warn`
- `eval` - run JS expressions (check variables, DOM state)
- `screenshot` - always use for Canvas/WebGL; a clean console isn't proof the page rendered
- `click`, `fill`, `type`, `select` - form/nav flows

Flow: deploy → `gipity page-inspect <url>` → if anything's off, switch to the agent tool.

## Build Incrementally

For non-trivial apps, don't write the whole thing in one pass. Work in small verified steps:

1. Add a template (`add` tool / `gipity add <template>`) and deploy - confirm the starter renders.
2. Add ONE feature or screen, deploy, verify.
3. Repeat.

A 300+ line single-file rewrite is hard to debug when something breaks - a single bad API call or typo can break everything silently. Small increments keep the failure surface tiny and let you bisect by diff.

## Verification After Deploy

After `gipity deploy dev`:
- ALWAYS check the console (`gipity page-inspect <url>` or the `browser` agent tool `open` action).
- On the **first deploy** of a new app, and any time visual output matters (Canvas, WebGL, complex layout), also capture a **screenshot** and look at it. "Clean console" is necessary but NOT sufficient for Canvas/WebGL - render failures are often silent and the console interceptor can miss sync errors that fired during initial script parse.
- If you see a blank page, black canvas, or wrong-looking UI with a clean console: treat that as a real failure and investigate (screenshot, `eval` DOM state, re-read skill docs for gotchas) - don't declare success.

## Deploy Verification

Use the browser tool to verify deploys when it matters - first deploy, structural changes (new pages, new frameworks, changed imports), or when something might have broken. Skip verification for trivial changes (copy tweaks, style adjustments, config values).

To verify: `browser action=open url=<deployed-url>` - waits for async modules, captures console errors automatically. Check output for `[Console errors captured after page load]`. Use `browser action=screenshot` to confirm visual correctness.

**Debugging in production:** Add `console.error()` calls to app code for diagnostics, redeploy, then use `browser action=console` to read the output. Remove debug logging when done.

## 3D World

**3D World** is the 3D multiplayer game template on Gipity. All 3D World games share the same visual style, physics engine (Rapier), and multiplayer backend (Colyseus). All files are fully editable.

Add a 3D World project with `add name=3d-world` (web agent) or `gipity add 3d-world` (CLI). This creates a playable 3D game with Three.js + Rapier physics + Colyseus multiplayer. Key files: `config.js` (metadata), `settings.js` (tunable values), `strings.js` (display text), `objects.js` (entity factories), `game.js` (orchestrator), plus engine files (`core.js`, `world.js`, `physics.js`, etc.).

**Genres:** obby/parkour, tycoon, simulator, PvP combat, shooter, tower defense, horror, racing, RPG, social.

**Features:** Opt-in gameplay modules enabled via `config.features`. Available: `rocket-launcher` (projectile weapon with physics explosions). Example: `features: { 'rocket-launcher': true }` in config.js. Features auto-initialize during boot.

Regular game requests ("make a wordle", "build a quiz") should use the standard web scaffold - they don't need the 3D template.

Load `3d-engine` for a blank-slate template, or `3d-world` for the full API, genre recipes, and playable starter.

## 2D Game

**2D Game** is the Phaser-based game scaffold on Gipity. It creates a fully editable project with the Phaser 3 game engine loaded via CDN - no build step, no locked files.

Add a 2D game with `add name=2d-game` (web agent) or `gipity add 2d-game` (CLI). This creates a playable 2D game with arcade physics, keyboard input, and a Boot/Game scene structure. All files are editable: `config.js` (Phaser setup), `settings.js` (tunable values), `strings.js` (display text), `scenes/boot.js` (preloader), `scenes/game.js` (main gameplay).

**Genres:** side-scroller, platformer, top-down, arcade, puzzle, endless runner, shooter, RPG.

Use `2d-game` when the user wants a 2D game with physics, sprites, or scene management. Use `web` for simple games (wordle, quiz, card games) that don't need a game engine. Use `3d-world` for 3D multiplayer games.

Load `2d-game` for the full Phaser API and genre recipes.

## Make it testable

A few small rules turn a flaky click test into a reliable one:

- **Every interactive element gets a stable `data-testid`** (or a documented `id`) - buttons, inputs, list items, dialogs. Tests use those, never CSS selectors that leak layout.
- **Expose the current screen as a body attribute**: `<body data-screen="home">`, updated by your screen-switcher. A test then waits with `waitForSelector('body[data-screen="lobby"]')` instead of probing internal class / hidden state.
- **A single readiness signal**: set `document.body.dataset.ready = 'true'` once the app's main loop is up and ready for input. Tests wait on that, not on guessed timeouts.

These are about ten lines of code in total. For multiplayer apps, also read the **URL-param test mode** pattern in `app-realtime` - it turns a click-driven 2-client test into two passive page loads.

## Related App Skills
When building apps that need backend features, load these skills:
- `2d-game` - 2D games with Phaser (platformer, scroller, arcade, puzzle, endless runner)
- `3d-engine` - minimal 3D multiplayer template (Three.js + Rapier + Colyseus, no gameplay)
- `3d-world` - playable 3D multiplayer starter built on 3d-engine (obby, tycoon, simulator, PvP, shooter, etc.)
- `app-development` - Functions, database & API
- `app-llm` - AI/LLM service for your app
- `app-auth` - User authentication (Sign in with Gipity)
- `app-realtime` - Real-time multiplayer rooms and WebSocket
- `app-image` - Image generation (OpenAI, BFL/Flux, Gemini/Nano Banana)
- `app-video` - Video generation (Veo 3.1) and video understanding (Gemini)
- `app-tts` - Text-to-speech (ElevenLabs, OpenAI, Gemini - multi-speaker, 60+ languages)
- `app-audio` - Sound effects, music generation, and audio transcription
- `app-files` - File uploads (presigned S3, up to 30GB, progress tracking, thumbnails)