d3960af340
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast
...
Four low-risk adds before the Zod 4 / drizzle-zod headliner:
- @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse
→ unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set
literals respect typed Set targets). Caught 179 latent type errors;
fixed all production sites (8 files) and added `any` cast escape hatch
in test files (ESLint exemption scoped to tests/).
- web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter
client component: establishes Core Web Vitals baseline (LCP/INP/CLS/
FCP/TTFB) via navigator.sendBeacon. Required before optimisation work.
- @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector,
lazy-loaded via next/dynamic so the chunk is excluded from prod
bundles entirely.
- @tanstack/query-broadcast-client-experimental: cross-tab cache sync
via BroadcastChannel — wired in query-provider.tsx, 1-liner.
Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive
second-pass package sweep) covering ~20 package adoption candidates and
4-5 deprecation candidates.
Verified: tsc clean, vitest 1293/1293 pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-12 18:16:18 +02:00
82049eea92
deps: bump Tier-A patches + react-day-picker 10 + esbuild 0.28
...
Successfully bumped:
- bullmq 5.76.6 → 5.76.8
- @tanstack/react-query 5.100.9 → 5.100.10
- @tanstack/react-query-devtools 5.100.9 → 5.100.10
- better-auth 1.6.9 → 1.6.10
- @playwright/test 1.59.1 → 1.60.0
- libphonenumber-js 1.12.43 → 1.13.1
- tailwind-merge 3.5.0 → 3.6.0
- vitest 4.1.5 → 4.1.6
- @vitest/coverage-v8 4.1.5 → 4.1.6
- lint-staged 17.0.3 → 17.0.4
- esbuild 0.27.7 → 0.28.0
- react-grab 0.1.33 → 0.1.34
- react-day-picker 9.14.0 → 10.0.0
react-day-picker 10 verified safe: probed v10 release notes against
src/components/ui/calendar.tsx — we use only v9-canonical APIs that
v10 preserves. Removed the `table` className entry from the wrapper
(v10 dropped it since the renderer is now CSS-grid, not table-based).
Tried + rolled back:
- @hookform/resolvers 3 → 5: stricter input/output inference broke
every form using <{schema}, any, {schema}> implicit shape. Needs
per-form refactor; parked.
Verified clean: pnpm audit (prod + dev) = 0 vulnerabilities;
pnpm exec tsc --noEmit clean; vitest 1293/1293 pass.
Remaining outdated (deliberately deferred — see docs/AUDIT-2026-05-12.md §34):
- next/eslint-config-next 15 → 16 (2-4 wk wait)
- zod 3 → 4 (couple with @hookform/resolvers 5; codemod-needed)
- tailwindcss 3 → 4 (focused-afternoon project)
- @types/node ^20.19 stays pinned to match runtime (audit decision)
- archiver 7 stays (no @types/archiver@8 published)
- eslint 9 stays (locked to eslint-config-next 15)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-12 17:33:24 +02:00
a7d0dd95e2
audit: append Context7-assisted dependency upgrade analysis (§34)
...
Companion to the deps-auditor report. Per-major pros/cons informed by
upstream changelogs queried via Context7. Sequencing:
- Tier A (patches + esbuild minor) → do now
- Zod 4 + @hookform/resolvers 5 → couple together, codemod-able
- Next 15 → 16 (incl. middleware → proxy.ts rename) → 2-4 weeks
- Tailwind 4 → afternoon project, visual review pages
- Defer indefinitely: archiver 8 (failed last try), react-day-picker 10
Top-line baseline: 0 known vulns; no GPL/AGPL; lockfile reproducible.
Everything below is dev-experience/perf, not security-blocker.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-12 17:23:19 +02:00
0baca41693
audit: Tier 0 quick wins — EMAIL_REDIRECT_TO prod guard + storage routing + metadata masking
...
Tier 0.2: src/lib/env.ts now refuses boot when NODE_ENV=production AND
EMAIL_REDIRECT_TO is set. Sendmail logs the rewrite at warn (was debug)
so dev/staging windows where someone forgets to unset are immediately
visible.
Tier 0.6: backup_jobs.storage_path added to TABLES_WITH_STORAGE_KEYS in
src/lib/storage/migrate.ts. Flipping the storage backend used to
silently orphan every pg_dump artefact — last-resort recovery path is
now actually portable.
Tier 1.7: createAuditLog now runs metadata through maskSensitiveFields
(was only applied to old/new value diffs). Portal-auth, crm-invite,
hard-delete and email-accounts services were writing raw emails into
this column unbounded.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-12 17:02:10 +02:00
bdc9c019a8
audit: append storage-pathing report — all 33 agents now inlined
...
docs/AUDIT-2026-05-12.md now contains every audit verbatim
(6488 lines). Last to land was the S3-vs-internal-DB routing audit
covering the storage-backend boundary, presigned-URL round-trip,
magic-byte verification on both paths, migrate-storage coverage,
and orphan-blob risk on transaction failure.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-12 16:53:16 +02:00
4b9743a594
audit: 33-agent comprehensive audit + critical fixes
...
Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets
Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-12 16:52:35 +02:00
