- server.cts (the app entry): dropped @ts-nocheck, added the leading
import type + handler/callback annotations (30 mechanical errors).
types/http.d.ts gained the 2-arg res.redirect(status, url) overload
(same gap class as the download overload). Verified by a real boot
smoke: node server.cts → /api/health + /api/version both 200.
- The 8 remaining files (4 db migration/seed factories + 4 dynamic
parsers/matchers: spreadsheet/userDbImport/subscription/oidc) now carry
an INTENTIONAL rationale instead of a bare 'TODO: type incrementally' —
they parse inherently-unknown input or mutate arbitrary historical
schemas, where full typing yields 'any' anyway or adds risk to
data-critical boot code. This is the defensible steady state, not debt.
@ts-nocheck server count: 9 -> 8, and QA-B0-04 is now CLOSED: all 29
routes + server.cts checked, 8 documented exceptions. ci green.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- delete root test-functional.js (imported uninstalled 'playwright' —
could never run) and run-functional-test.js (legacy pre-Playwright)
- delete postcss.config.js + autoprefixer/postcss devDeps (tailwind v4's
vite plugin owns the pipeline; the config had no plugins left)
- client/lib/money.ts: drop unused SUPPORTED_CURRENCIES; keep
dollarsToCents exported + @public-tagged (API symmetry with
centsToDollars — the sanctioned unit crossing)
- client/lib/billDrafts.ts: drop unused BillDraft type export
- move the two runtime seed JSONs (advisory filters, merchant-store
matches; 7 MB) out of docs/ into db/data/ next to their loader;
fresh-DB seed verified (5000+5000 rows); Dockerfile COPY . covers it
- knip.json: apply config hints, ignore the two CSS-side tailwind deps;
npx knip exits 0 — added to CI as a BLOCKING step so unused
files/exports/deps fail instead of rotting (this is how the WebAuthn
ghost feature survived four QA cycles)
NOT deleted: client/public/img/doingmypart.jpg — flagged unused by the
code grep but actually referenced from HISTORY.md markdown that the
release-notes renderer serves (user catch). Lesson encoded in the QA
plan: asset-reference sweeps must include rendered markdown content.
Full ci green (252 server / 52 client / build / knip 0).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
utils/logger.cts — console-compatible log.{debug,info,warn,error} with:
- level gating (LOG_LEVEL; debug in dev / info in prod), and
- REDACTION of secrets/PII (sensitive keys + bearer/JWT) so tokens,
passwords, and encrypted values never reach the logs (financial app).
Backend is abstracted (console now, swappable to pino later).
Swept all 317 server-runtime console.* across 35 files → log.* + inserted
the import at correct scope. tests/logger.test.js pins the redaction
contract (4 tests). CODE_STANDARDS updated; raw console.* is now banned in
server code.
Verified: check:server + typecheck:server + lint clean; 240/240 server
tests; client 50/50; build; e2e probe 17/17; boot smoke logs flow through
the logger and graceful shutdown intact.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>