Commit Graph

6 Commits

Author SHA1 Message Date
null 787d3cf694 chore(ops): deploy checklist + standing dependency guards (Phase 8)
- docs/DEPLOY_CHECKLIST.md: the prod-config items that only lived in
  session notes are now in the repo — TOKEN_ENCRYPTION_KEY (v2:->e2:
  migration), WEBAUTHN_RP_ID/_ORIGIN, simplefin_debug_logging off,
  cdn.sheetjs.com egress, Node-version alignment, TS7 deferral
- renovate.json: weekly grouped non-majors, dashboard-approval majors,
  xlsx (CDN-pinned) excluded, typescript capped <7 until
  typescript-eslint supports it
- .forgejo/workflows/deps-audit.yml: weekly scheduled audit that FAILS
  on high+ prod vulns + prints npm outdated — the durable QA-B0-02 fix
  that works even before Renovate is enabled on the Forgejo instance

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-10 22:24:42 -05:00
null a31a774f95 chore: dead-code sweep — knip now clean and blocking in CI (Phase 5)
- delete root test-functional.js (imported uninstalled 'playwright' —
  could never run) and run-functional-test.js (legacy pre-Playwright)
- delete postcss.config.js + autoprefixer/postcss devDeps (tailwind v4's
  vite plugin owns the pipeline; the config had no plugins left)
- client/lib/money.ts: drop unused SUPPORTED_CURRENCIES; keep
  dollarsToCents exported + @public-tagged (API symmetry with
  centsToDollars — the sanctioned unit crossing)
- client/lib/billDrafts.ts: drop unused BillDraft type export
- move the two runtime seed JSONs (advisory filters, merchant-store
  matches; 7 MB) out of docs/ into db/data/ next to their loader;
  fresh-DB seed verified (5000+5000 rows); Dockerfile COPY . covers it
- knip.json: apply config hints, ignore the two CSS-side tailwind deps;
  npx knip exits 0 — added to CI as a BLOCKING step so unused
  files/exports/deps fail instead of rotting (this is how the WebAuthn
  ghost feature survived four QA cycles)

NOT deleted: client/public/img/doingmypart.jpg — flagged unused by the
code grep but actually referenced from HISTORY.md markdown that the
release-notes renderer serves (user catch). Lesson encoded in the QA
plan: asset-reference sweeps must include rendered markdown content.

Full ci green (252 server / 52 client / build / knip 0).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-10 18:15:04 -05:00
null af20d8de07 fix(deps)!: clear both high-severity vulns; CI audit gate raised to high
- nodemailer 8 -> 9 (GHSA-p6gq-j5cr-w38f, raw-option file-read/SSRF; we
  never use the raw option — notificationDelivery tests 13/13)
- xlsx -> official SheetJS dist 0.20.3 (prototype pollution
  GHSA-4r6h-8v6p-xvw6 + ReDoS GHSA-5pgg-2g8v-p4x9; npm registry line is
  abandoned at 0.18.5 with no fix). API-identical for our 8 call sites;
  import/export round-trip tests green. NOTE: the lockfile now pins
  https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz — CI runners and
  Docker builds need egress to cdn.sheetjs.com
- CI: npm audit --audit-level critical -> high (0 vulns as of this
  commit; highs can no longer pass silently — QA-B0-02)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-10 17:34:51 -05:00
null aee23d6025 feat(security): CI secret-scan + dep-audit, SECURITY.md, auth-coverage test (Pillar C)
- CI now runs gitleaks (secret scanning, .gitleaks.toml allowlists
  fixtures/data/generated) and `npm audit --audit-level=critical`.
- SECURITY.md: disclosure policy, the controls in place, operational
  hardening, and the two assessed HIGH audit exceptions (nodemailer `raw`
  unused → not exploitable; xlsx confined to import w/ raw:false + limits).
- tests/securityCoverage.test.js: static invariant that every non-public
  router mount carries requireAuth (+ CSRF for authed, requireAdmin for
  admin) — a new unprotected route now fails CI. 4 tests; suite 236/236.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 14:40:17 -05:00
null 5aaf292b2e ci(enforce): run the full gate in CI + add lefthook pre-commit + Knip
Pillar A enforcement so standards can't drift:
- .forgejo CI now runs format:check + lint (client+server) + typecheck
  (client) + typecheck:server, in addition to the existing check:server /
  tests / build. Previously lint and typecheck were NOT run in CI.
- lefthook pre-commit auto-formats staged files (prettier) + lints;
  pre-push typechecks. Auto-installed via the `prepare` script.
- Knip config (advisory `npm run knip`) for dead-code/unused-export
  review; the design-system ui/** is ignored to keep signal clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 14:27:03 -05:00
null dc49eb9633 feat(cashflow): safe-to-spend projection with timeline, vitest setup, package upgrades 2026-06-12 01:32:28 -05:00