I built a local-first Typst publishing platform where your source files stay on disk, compilation runs in a containerized service, and authentication and authorization are enforced server-side.
The flow is simple on the surface and hard underneath: open a local folder in Chrome, bundle the files, send them to a compiler API, and preview the generated PDF instantly. Under the hood, this meant working through CORS edge cases, Docker networking (localhost vs host.docker.internal), OAuth redirect behavior, JWT verification, and Terraform/GitHub OIDC deployment plumbing.
The key design decision was where to draw the trust boundary. The frontend handles UX (folder access, login redirects, preview), while the compiler enforces security (token validation, issuer/audience/scope checks). We deliberately moved auth policy out of the browser and into server config, then used OIDC discovery to reduce duplicated settings: the compiler fetches the issuer's metadata instead of hard-coding endpoints and keys.
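To make the server-side checks concrete, here is an added example of the kind of verification the compiler performs before accepting a request. It is not the project's own code: the issuer URL, audience name, scope name and the HS256 shared secret are constructed values for the demo, and a real deployment would verify RS256/ES256 signatures against the JWKS advertised by the issuer's OIDC discovery document rather than a shared secret. The point it shows is that every check (algorithm pinning, signature, issuer, audience, expiry, scope) lives in server config and is applied in order, so a token that passes the browser never decides policy.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed policy the compiler loads from its server-side config (constructed values).
POLICY = {
    "issuer": "https://issuer.example.com/",  # assumed issuer URL
    "audience": "typst-compiler",             # assumed audience the compiler expects
    "required_scope": "compile",              # assumed scope needed to compile
}
# Constructed shared secret for the HS256 demo only; production would use the
# issuer's public keys fetched via OIDC discovery.
SECRET = b"constructed-demo-secret"


def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Construct a sample HS256 token for the demo (stands in for the IdP)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, policy: dict = POLICY, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError naming the first failure."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm server-side: the token's own `alg` never selects the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Verify the signature before trusting any claim, using a constant-time compare.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != policy["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in audiences:
        raise ValueError("wrong audience")
    # A token without `exp` is rejected rather than treated as non-expiring.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    scope = claims.get("scope", "")
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    if policy["required_scope"] not in scopes:
        raise ValueError("missing scope")
    return claims


def authorize(token: str, policy: dict = POLICY, secret: bytes = SECRET, now=None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the reason the token was rejected."""
    try:
        verify_token(token, policy, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    issued_at = time.time()
    good = mint_token({"iss": POLICY["issuer"], "aud": POLICY["audience"],
                       "exp": issued_at + 300, "scope": "compile read"})
    print("valid token:", authorize(good))
    print("wrong audience:", authorize(mint_token({"iss": POLICY["issuer"], "aud": "viewer",
                                                   "exp": issued_at + 300, "scope": "compile"})))
```

The rejection reason is returned to the caller for logging; in the compiler's HTTP handler the client would only ever see a generic 401, so the reason strings feed detection rather than the response body.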
Deployment is fully infrastructure-as-code with Terraform: Cloud Run services for the viewer and the compiler, Artifact Registry for images, and GitHub Actions authenticating to Google Cloud through Workload Identity Federation, so there are no long-lived service account keys to leak or rotate. The first bootstrap was painful; after that, a push to main is the release mechanism.
This project is now a practical blueprint for local-first docs workflows: author locally, compile remotely, keep security policy centralized on the server, and automate the platform lifecycle end to end.