fix(types): unblock catch-all routes under stricter Next 15.5 typing + Phase 2B deps

Two changes bundled (build was failing on the type fix; deps came along on the same branch). 1. RouteHandler / withAuth / withPermission are now generic over the route's params shape. Default stays `Record<string, string>` for the common `[id]`-style routes (no caller changes needed). Catch-all routes like `[...path]` declare their narrow shape via a type-arg: export const PATCH = withAuth<{ path: string[] }>( withPermission<{ path: string[] }>('files', 'manage_folders', async (req, ctx, params) => { /* params.path: string[] */ } ), ); Without this, Next.js 15.5+'s stricter route-type checking rejected the build because the inferred `params: Promise<{ path: string[] }>` for `[...path]` doesn't satisfy `Promise<Record<string, string>>`. Updated `src/app/api/v1/files/folders/[...path]/route.ts` (the only catch-all in the tree right now) to use the new generic. 2. Phase 2B deps (within-major-jump where the API didn't actually break): - @pdfme/common, @pdfme/generator, @pdfme/schemas: 5.5.10 → 6.1.2 (closes 3 mod XSS/SSRF/decompression-bomb advisories) - lucide-react: 0.460.0 → 1.14.0 - sonner: 1.7.4 → 2.0.7 - tailwind-merge: 2.6.1 → 3.5.0 Tests: 1185/1185 vitest. tsc clean. Local `next build` succeeds. Reverted (deferred to a focused PR): - @hookform/resolvers 5: Resolver<T> typing change requires per-form useForm migration - eslint 10: incompatible with @rushstack/eslint-patch (pulled in by eslint-config-next) - react-day-picker 10: ClassNames removed `table`; needs calendar.tsx migration - zod 4: 94 type errors cascading through drizzle insert types; needs comprehensive migration Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 17:07:07 +02:00
parent fdb5beb81a
commit 2b1024ff7a
4 changed files with 77 additions and 1314 deletions
--- a/src/lib/api/helpers.ts
+++ b/src/lib/api/helpers.ts
@@ -44,11 +44,18 @@ export interface AuthContext {
  userAgent: string;
 }

-export type RouteHandler<T = unknown> = (
-  req: NextRequest,
-  ctx: AuthContext,
-  params: Record<string, string>,
-) => Promise<NextResponse<T>>;
+/**
+ * Route params type. Defaults to `Record<string, string>` for the common
+ * `[id]`-style routes. Catch-all routes (`[...slug]`) need to override
+ * `TParams` so Next.js 15.5+'s stricter route-type checking accepts the
+ * exported handler against the inferred `{ slug: string[] }` shape.
+ */
+export type RouteParams = Record<string, string | string[]>;
+
+export type RouteHandler<
+  TParams extends RouteParams = Record<string, string>,
+  T = unknown,
+> = (req: NextRequest, ctx: AuthContext, params: TParams) => Promise<NextResponse<T>>;

 // ─── deepMerge ───────────────────────────────────────────────────────────────

@@ -95,11 +102,11 @@ export function deepMerge(
 * export const POST = withAuth(withPermission('clients', 'create', handler));
 * ```
 */
-export function withAuth(
-  handler: RouteHandler,
+export function withAuth<TParams extends RouteParams = Record<string, string>>(
+  handler: RouteHandler<TParams>,
 ): (
  req: NextRequest,
-  routeContext: { params: Promise<Record<string, string>> },
+  routeContext: { params: Promise<TParams> },
 ) => Promise<NextResponse> {
  return async (req, routeContext) => {
    // Mint or accept a request id BEFORE entering the ALS frame so every
@@ -286,11 +293,11 @@ export function requireSuperAdmin(ctx: AuthContext, attemptedAction = 'super_adm
 * export const DELETE = withAuth(withPermission('clients', 'delete', handler));
 * ```
 */
-export function withPermission(
+export function withPermission<TParams extends RouteParams = Record<string, string>>(
  resource: keyof RolePermissions,
  action: string,
-  handler: RouteHandler,
-): RouteHandler {
+  handler: RouteHandler<TParams>,
+): RouteHandler<TParams> {
  return async (req, ctx, params) => {
    if (!ctx.isSuperAdmin) {
      const resourcePerms = ctx.permissions?.[resource] as Record<string, boolean> | undefined;