BillTracker/routes
null 88a32a983f feat(auth): passkey / security-key UI — WebAuthn ships end to end
The backend existed since 99abca9 with no way to reach it (QA-B1-01).
Now wired:

- LoginPage: requires_webauthn second step mirrors TOTP — the key prompt
  fires automatically after the password; cancel/retry + back-to-sign-in
- ProfilePage: PasskeySection (mirrors TotpSection) — enroll with a name,
  list keys, password-gated per-key remove + remove-all
- webauthnService: WEBAUTHN_ORIGIN stays authoritative; otherwise accept
  the browser's origin when its hostname equals the RP ID — fixes real
  dev/e2e enrollment where the Vite UI port differs from the API port
  (the browser already enforces RP ID ⊆ origin, so no widened trust)
- Deploy safety: WEBAUTHN_RP_ID documented in .env.example + a boot-time
  prod warning in utils/env.cts (localhost-bound keys silently fail
  behind a real domain)
- e2e/webauthn.probe.spec.js: CDP virtual authenticator drives the full
  lifecycle (enroll -> key sign-in -> password-gated removal), retiring
  Cycle 1's 'needs a human with a key' assumption. Probe suite 18/18.

Server 252/252, client 52/52, typecheck + build clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-10 17:30:14 -05:00
..
about.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
aboutAdmin.cts refactor(routes): throw-pattern for profile, transactions, admin, aboutAdmin 2026-07-10 17:18:28 -05:00
admin.cts refactor(routes): throw-pattern for profile, transactions, admin, aboutAdmin 2026-07-10 17:18:28 -05:00
analytics.cts refactor(routes): analytics + tracker → throw pattern (batch 1) 2026-07-06 14:59:29 -05:00
auth.cts feat(auth): passkey / security-key UI — WebAuthn ships end to end 2026-07-10 17:30:14 -05:00
authOidc.cts feat(logging): redacted, level-gated logger; migrate all server console.* (Pillar D) 2026-07-06 16:05:18 -05:00
bills.cts refactor(routes): throw-pattern for bills.cts (largest route, 43+ sites) 2026-07-10 17:00:01 -05:00
calendar.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
calendarFeed.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
categories.cts refactor(categories): adopt Kysely for the /groups query (real production use) 2026-07-06 16:25:30 -05:00
dataSources.cts refactor(routes): throw-pattern for summary, matches, snowball, dataSources 2026-07-10 16:44:19 -05:00
export.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
import.cts fix(routes): stop leaking raw err.message on 5xx responses 2026-07-10 16:36:27 -05:00
matches.cts refactor(routes): throw-pattern for summary, matches, snowball, dataSources 2026-07-10 16:44:19 -05:00
monthly-starting-amounts.cts refactor(routes): monthly-starting-amounts → throw pattern; doc exemplar 2026-07-06 15:03:52 -05:00
notifications.cts fix(routes): stop leaking raw err.message on 5xx responses 2026-07-10 16:36:27 -05:00
payments.cts refactor(routes): throw-pattern for payments + subscriptions 2026-07-10 16:53:20 -05:00
privacy.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
profile.cts refactor(routes): throw-pattern for profile, transactions, admin, aboutAdmin 2026-07-10 17:18:28 -05:00
settings.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
snowball.cts refactor(routes): throw-pattern for summary, matches, snowball, dataSources 2026-07-10 16:44:19 -05:00
spending.cts fix(routes): stop leaking raw err.message on 5xx responses 2026-07-10 16:36:27 -05:00
status.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
subscriptions.cts refactor(routes): throw-pattern for payments + subscriptions 2026-07-10 16:53:20 -05:00
summary.cts refactor(routes): throw-pattern for summary, matches, snowball, dataSources 2026-07-10 16:44:19 -05:00
tracker.cts refactor(routes): analytics + tracker → throw pattern (batch 1) 2026-07-06 14:59:29 -05:00
transactions.cts refactor(routes): throw-pattern for profile, transactions, admin, aboutAdmin 2026-07-10 17:18:28 -05:00
user.cts style: apply Prettier across client + server (no behavior change) 2026-07-06 14:23:53 -05:00
version.cts refactor(routes): version → throw pattern; keep graceful update-status fallback 2026-07-06 15:01:35 -05:00