Dropped @ts-nocheck from admin/payments/monthly-starting-amounts/
subscriptions/authOidc/calendar/export (~113 errors). Mostly mechanical
(catch bindings, params, never[] arrays), but the checker earned its keep:
- types/http.d.ts: added the 4-arg res.download(path, name, options, cb)
overload — the v0.42.0 root-option download fix (admin backup + user-db
export) didn't type-check against the old 3-arg-only signature.
- routes/calendar.cts: deleted dead clampDay() (zero callers; was also a
standing lint warning).
@ts-nocheck server count: 21 -> 14. Server suite 252/252.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
CODE_STANDARDS 'every multi-statement write runs inside db.transaction()'
hits from the review: snowball plan create (abandon-existing + insert),
webauthn disable (credential delete + flag clear — a failure between them
recreates the stale-flag state), admin password reset (hash update +
session invalidation). Cleanups: dead ApiError import (payments), dead
action: params on the four snowball transition callers, createSession
consolidated into auth.cts's top-level import.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Build drops 6.5s -> 0.65s. Three breakages found by the prod-smoke gate,
all fixed:
- rolldown removed object-form manualChunks -> function form in
vite.config.mjs (same vendor split, all @radix/@tanstack grouped)
- the 4a 'send' bump rejects bare absolute paths: SPA fallback sendFile
and both download routes (admin backup, user-db export) now use the
root-option form
- rolldown minifies inline HTML scripts, breaking any CSP hash approach:
the pre-paint theme script moved to client/public/theme-init.js so
script-src 'self' holds with no inline hash to maintain
@testing-library/dom added (peer no longer auto-installed). Server 252,
client 52, probe 18/18, PROD SMOKE: PASS.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Ten call sites returned internal error text to clients on server failures.
Intentionally user-facing messages survive, but only through controlled
paths: 4xx service errors (err.status < 500) and explicit ApiError wraps
(notification test-send SMTP/push feedback, coded rollback errors). All
5xx bodies are now generic; internals go to the server log / audit trail.
- notifications.cts, spending.cts: full throw-pattern conversion
(CODE_STANDARDS exemplar shape; terminal handler formats + masks)
- transactions.cts: bulk-unmatch per-item results mask 500-class messages
- import.cts: sendImportError user-facing branch tightened to 4xx-only
- admin.cts: bank-sync-config + migration-rollback mask unknown failures
(QA-B13-02; full conversion of the remaining routes continues in the
standards-unification phase)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
utils/logger.cts — console-compatible log.{debug,info,warn,error} with:
- level gating (LOG_LEVEL; debug in dev / info in prod), and
- REDACTION of secrets/PII (sensitive keys + bearer/JWT) so tokens,
passwords, and encrypted values never reach the logs (financial app).
Backend is abstracted (console now, swappable to pino later).
Swept all 317 server-runtime console.* across 35 files → log.* + inserted
the import at correct scope. tests/logger.test.js pins the redaction
contract (4 tests). CODE_STANDARDS updated; raw console.* is now banned in
server code.
Verified: check:server + typecheck:server + lint clean; 240/240 server
tests; client 50/50; build; e2e probe 17/17; boot smoke logs flow through
the logger and graceful shutdown intact.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Every routes/*.js → .cts, with handler signatures typed against the shared
http Req/Res/Next types. Routes carry @ts-nocheck for now — they're thin glue
over the (fully typed) services, so full route-level type-checking is deferred;
the handler-param typing is a head-start. server.js + test requires updated to
the explicit .cts paths.
Behavior-preserving. Verified: check:server 0, typecheck:server 0, suite 226/226,
real boot → /api/health + /api/about 200 (all routes mount).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>