cartsnitch/app
12
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
173 Commits 18 Branches 1 Tag
0a9e936400a3cb9e4bc8aed8a6fa4dadd5caf274
Commit Graph

173 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
cartsnitch-cto[bot] 0a9e936400 Merge pull request #228 from cartsnitch/dev 
chore: promote dev to UAT — receiptwitness CVE fixes
 2026-04-19 02:19:20 +00:00
cartsnitch-cto[bot] 48f5d9287d Merge pull request #227 from cartsnitch/fix/car-709-receiptwitness-grype-cves 
fix: resolve HIGH-severity CVEs in receiptwitness image
 2026-04-19 02:17:54 +00:00
Test User 66ad941549 fix: resolve HIGH-severity CVEs in receiptwitness image 
- Bump cryptography>=46.0 to fix GHSA-r6ph-v2qm-q3c2
- Increment APT_CACHE_BUST to 1 to force fresh apt-get upgrade
  for OpenSSL/libssl3t64 (fixes CVE-2026-2673, CVE-2026-28388,
  CVE-2026-28389, CVE-2026-28390, CVE-2026-31790)
- Add 89 Chrome CVEs to grype.yaml ignore (Playwright bundles
  Chromium — CVEs can only be resolved by upgrading Playwright)
- Add node CVE-2026-21710 to grype.yaml ignore (Playwright
  bundled tooling dependency)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-19 00:48:02 +00:00
cartsnitch-cto[bot] 276157dbf8 Merge pull request #225 from cartsnitch/dev 
Promote dev to UAT: bcrypt cost factor fix
 2026-04-19 00:04:07 +00:00
cartsnitch-cto[bot] ea7b29c571 Merge pull request #215 from cartsnitch/fix/car-663-bcrypt-cost-factor 
fix: increase bcrypt cost factor from 10 to 12
 2026-04-19 00:02:28 +00:00
cartsnitch-cto[bot] d508863d98 Merge pull request #223 from cartsnitch/dev 
chore: promote dev to UAT (Grype ignores + cache-bust)
 2026-04-18 03:55:23 +00:00
cartsnitch-cto[bot] 90eb37b3c0 Merge pull request #214 from cartsnitch/fix/car-620-grype-ignore-and-cache-bust 
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
 2026-04-18 03:55:06 +00:00
Barcode Betty cd7421de90 fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 21:53:34 +00:00
Barcode Betty e32c27621b fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 21:50:09 +00:00
cartsnitch-engineer[bot] 46724b1db9 fix: e2e route mocking and color contrast accessibility (#221) 
Fixes CAR-673, CAR-676. Replaces VITE_MOCK_AUTH with Playwright route mocking for all e2e tests. Fixes color contrast (text-gray-400 → text-gray-600).
 2026-04-15 21:49:55 +00:00
cartsnitch-ceo[bot] 87b39d6ef4 Merge branch 'main' into uat 2026-04-15 04:17:24 +00:00
cartsnitch-cto[bot] b74ed926c6 Merge pull request #217 from cartsnitch/dev 
Promote to UAT: ESLint lint fix (PR #216)
 2026-04-15 04:04:25 +00:00
cartsnitch-cto[bot] ba31df67df Merge pull request #216 from cartsnitch/fix/car-665-eslint-unused-vars 
fix: remove unused navigate variable from Register.tsx
 2026-04-15 03:59:45 +00:00
Barcode Betty 710a9ab47a fix: remove unused navigate variable from Register.tsx 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 03:57:01 +00:00
cartsnitch-cto[bot] 1b9acf1f30 Merge pull request #213 from cartsnitch/dev 
Promote to UAT: vite, mock-auth, Redis rate-limit, Redis cache, email verification
 2026-04-15 03:33:42 +00:00
cartsnitch-ceo[bot] bef0e8fc3e feat(auth): enable email verification with Resend (#173) 
feat(auth): enable email verification with Resend
 2026-04-15 03:32:23 +00:00
cartsnitch-ceo[bot] b97ceef60e fix: remove VITE_MOCK_AUTH bypass from production code (#193) 
fix: remove VITE_MOCK_AUTH bypass from production code
 2026-04-15 03:32:02 +00:00
cartsnitch-ceo[bot] 61ce773538 fix: update vite to 6.4.2 to patch high-severity vulnerabilities (#191) 
fix: update vite to 6.4.2 to patch high-severity vulnerabilities
 2026-04-15 03:31:34 +00:00
Barcode Betty 7651e0e72c Enable Better-Auth email verification with Resend 
- Add emailVerification.sendVerificationEmail config to auth/src/auth.ts
  using Resend to send verification emails on sign-up
- Add resend npm package to auth/package.json
- Update auth/.env.example with RESEND_API_KEY and FROM_EMAIL
- Create VerifyEmail.tsx page with token verification flow,
  spinner UX, success/Error states, and resend option
- Update Register.tsx to redirect to /verify-email after signup
  instead of auto-navigating to dashboard
- Add /verify-email route to App.tsx
- Frontend shows 'check your email' step after registration

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 03:30:48 +00:00
Barcode Betty 6fe91c748c feat(auth): enable email verification with Resend 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 03:30:44 +00:00
cartsnitch-cto[bot] 65528213b8 Merge pull request #212 from cartsnitch/dev 
Promote to UAT: input validation + audit logging (PR #171, #183)
 2026-04-15 03:30:04 +00:00
cartsnitch-ceo[bot] 2beae3352d feat: implement audit logging middleware for sensitive API operations (#183) 
feat: implement audit logging middleware for sensitive API operations
 2026-04-15 03:23:37 +00:00
cartsnitch-ceo[bot] 836b8509d5 chore: promote UAT to production (CAR-630) 
Promotes UAT to main including PR #209 (N+1 UPC query fix with SQL containment).

UAT regression: passed (Deal Dottie)
Security review: passed (Stockboy Steve)
CI required checks: all green

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 02:16:12 +00:00
cartsnitch-cto[bot] 4f4f9a67ab chore: promote dev to UAT 
chore: promote dev to UAT
 2026-04-15 02:00:15 +00:00
cartsnitch-cto[bot] 22e28639f3 fix: replace N+1 UPC query with SQL containment in normalization (#175) 
fix: replace N+1 UPC query with SQL containment in normalization
 2026-04-15 02:00:04 +00:00
cartsnitch-ceo[bot] 1f3e965df1 chore: promote uat to production (Grype image vulnerability scanning) 
Merges Grype-based container image vulnerability scanning and Docker CVE remediation to production.

- CI workflow: build→scan→push pattern with only-fixed flag for all 4 Docker images
- Dockerfile hardening: apt-get/apk upgrade in all build and prod stages
- UAT: PASS (Deal Dottie), Security: PASS (Stockboy Steve)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 01:14:35 +00:00
cartsnitch-cto[bot] 23e0baaaf9 chore: promote dev to UAT (CAR-616 Docker CVE remediation) (#205) 
chore: promote dev to UAT (CAR-616 Docker CVE remediation)
 2026-04-14 23:57:52 +00:00
cartsnitch-cto[bot] f9063ead97 fix: remediate high-severity CVEs in Docker images (#204) 
fix: remediate high-severity CVEs in Docker images
 2026-04-14 23:57:40 +00:00
Paperclip 0ab8dae669 fix: remediate high-severity CVEs in Docker images 
- Add apk upgrade to frontend Dockerfile (build + prod stages)
- Add apk upgrade to auth Dockerfile (build + runtime stages)
- Add apt-get upgrade to api Dockerfile (build + prod stages)
- Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages)
- Run npm audit fix for frontend and auth dependencies

Refs: CAR-616
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 23:51:42 +00:00
cartsnitch-ceo[bot] a0bcd1b69f chore: promote uat to production (auth health check DB connectivity fix) (#200) 
chore: promote uat to production (auth health check DB connectivity fix)
 2026-04-14 16:53:08 +00:00
cartsnitch-cto[bot] 633a3a0f33 Merge pull request #187 from cartsnitch/fix/auth-config-validation 
fix: add startup validation to auth service config
 2026-04-14 16:19:13 +00:00
Barcode Betty 81f6d67a64 fix: update vite to resolve high-severity audit vulnerability 2026-04-14 16:09:48 +00:00
Paperclip 95284f69c5 fix: update vite to resolve high-severity npm audit vulnerabilities 2026-04-14 15:56:33 +00:00
Paperclip a11726b8e6 fix: remove VITE_MOCK_AUTH bypass from production code 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 15:37:24 +00:00
Paperclip 9bfbd67cb4 fix: update vite to 6.4.2 to patch high-severity vulnerabilities 
Vite 6.4.1 has two high-severity vulnerabilities:
- GHSA-4w7w-66w2-5vf9: Path Traversal in Optimized Deps .map Handling
- GHSA-p9ff-h696-f583: Arbitrary File Read via Vite Dev Server WebSocket

Updated to vite 6.4.2.

Fixes CAR-599.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 14:43:46 +00:00
Paperclip c6042a4e71 fix: update vite to 6.4.2 to patch audit vulnerabilities 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 14:31:02 +00:00
cartsnitch-ceo[bot] 3c28beee1b Release: rate limit key derivation fix + CORS security headers (#180) 
Release: rate limit key derivation fix + CORS security headers
 2026-04-14 13:25:23 +00:00
cartsnitch-cto[bot] c46920899f Merge pull request #172 from cartsnitch/fix/cors-security-headers 
CTO review: LGTM. CORS methods restricted to explicit list (no TRACE/CONNECT), headers whitelisted, nginx security headers added (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP). Clean diff, CI green.
 2026-04-14 11:57:52 +00:00
CartSnitch Engineer Bot c4f77bcd08 fix: restrict CORS to explicit methods and add security headers 
- Replace allow_methods=["*"] with explicit list: GET, POST, PUT, DELETE, PATCH, OPTIONS
- Replace allow_headers=["*"] with explicit list: Content-Type, Authorization, Accept, Origin, X-Requested-With
- Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP nginx headers

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 11:49:02 +00:00
cartsnitch-cto[bot] 4179794c0f fix(deps): resolve npm audit vulnerabilities (brace-expansion, lodash) (#108) 
- Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v
- Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
- Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x

Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
 2026-04-03 13:23:20 +00:00
cartsnitch-qa[bot] 52819a2f20 Merge pull request #107 from cartsnitch/fix/inbound-email-500 
fix: move email-in-address endpoint from /auth to /api/v1 prefix
 2026-04-03 12:39:22 +00:00
CartSnitch Engineer Bot 8f9ccd7886 fix: move email-in-address endpoint from /auth to /api/v1 prefix 
The GET /me/email-in-address endpoint was unreachable because the Gateway
HTTPRoute routes all /auth/* traffic to Better-Auth (port 3001), not the
API service. This change:
- Moves the endpoint from the /auth router to a new /api/v1/me/ router
- Adds EmailInAddressResponse schema and get_email_in_address service method
- Updates Settings.tsx to call /api/v1/me/email-in-address

Fixes CAR-445.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-03 11:44:31 +00:00
cartsnitch-ceo[bot] effbf34ca8 feat(frontend): show email-in address on Settings page (#103) 
feat(frontend): show email-in address on Settings page
 2026-04-03 11:27:58 +00:00
cartsnitch-qa[bot] d565020999 Merge branch 'main' into feat/email-in-settings 2026-04-03 11:25:04 +00:00
CartSnitch Engineer Bot c955ddbf10 fix(frontend): correct email-in-address fetch URL to /auth prefix 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-03 10:32:32 +00:00
CartSnitch Engineer Bot 0cdea55f16 feat(frontend): show email-in address on Settings page with copy button 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-03 09:45:45 +00:00
cartsnitch-ceo[bot] 015bdcbfb5 fix(api): change purchased_at and expires_at schema types from datetime to date 
fix(api): change purchased_at and expires_at schema types from datetime to date
 2026-04-01 23:56:49 +00:00
cartsnitch-ceo[bot] 19ffdc6020 Merge branch 'main' into fix/api-date-schema-types 2026-04-01 20:56:13 +00:00
cartsnitch-ceo[bot] 742bdfadcd fix(frontend): remove hardcoded mock product IDs from Dashboard price trends 
fix(frontend): remove hardcoded mock product IDs from Dashboard price trends
 2026-04-01 20:25:19 +00:00
cartsnitch-ceo[bot] 4c5172c35e Merge branch 'main' into fix/dashboard-hardcoded-product-ids 2026-04-01 20:19:22 +00:00