Resolves GHSA-3v7f-55p6-f55p (picomatch ReDoS) and
GHSA-c2c7-rcm5-vvqj (picomatch method injection) flagged by the new
npm audit CI job. Also bump @vitejs/plugin-react to 4.7.0.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds MSW (Mock Service Worker) for integration test mocking. Creates mock API handlers for purchases, products, coupons, and alerts. Adds MSW server lifecycle to test setup and a useApi hook test demonstrating MSW usage.
Adds picomatch@^4.0.4 as a direct dependency to override the vulnerable
4.0.3 pinned in transitive deps (vitest). Resolves 2 high-severity CVEs.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
package.json references packages (better-auth@1.5.6, etc.) not present
in the lock file, causing npm ci to fail on CI. Regenerate the lock file
so CI can install dependencies correctly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Install Mock Service Worker (MSW) and configure it for vitest.
Write one integration test for usePurchases hook using MSW.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The feat/playwright-setup branch added @playwright/test to package.json
but the lockfile was not regenerated, causing npm ci to fail.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add formatCurrency, formatDate, and storeSlugs utilities in src/utils/
with 21 vitest unit tests covering standard and edge cases.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Avoids ERR_CONNECTION_REFUSED in deployed environments where
VITE_AUTH_URL is not set at build time. Empty-string fallback
routes auth requests to same origin, which the HTTPRoute forwards
to the auth service.
cc @cpfarhood
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Register sends display_name instead of name
- Register/Login handle TokenResponse (access_token, not token)
- Fetch /auth/me after register/login to populate user object
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Pre-existing test failure from Phase 1 better-auth migration.
Dashboard calls authClient.useSession() which makes an unresolved
async call in test environment. Mock it to return null session
(isPending: false) so the unauthenticated UI renders correctly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Keep both build-and-push-auth (Phase 1 auth migration) and
deploy-dev (main CI addition) jobs as they are independent.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- stores.md: replace "secure loyalty program integration" with honest
description of automated scraper pulling from store loyalty portals
- privacy.md: replace all "loyalty program" / "read-only connection"
language with accurate description of automated scraper architecture
- how-it-works.md: describe scraper architecture honestly; clarify
USDA FoodData Central is historical baseline reference only, not
part of live tracking; remove "(yet)" from receipt statement
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace hand-rolled JWT auth with Better-Auth session-based authentication.
- Scaffold auth/ Node.js service with Better-Auth, bcrypt password compat,
Postgres adapter mapped to existing users table
- Add Alembic migration (002) creating sessions, accounts, verifications
tables and migrating password hashes to accounts table
- Update FastAPI auth dependency to validate sessions via shared DB
(supports both cookie and Bearer token)
- Remove registration/login/refresh endpoints from API gateway (now
handled by Better-Auth service)
- Update frontend to use better-auth/react client with httpOnly cookies
(no tokens in localStorage or memory)
- Rewrite auth store, Login, Register, Dashboard, Settings, ProtectedRoute
to use session-based auth
- Update all tests to create sessions directly in DB instead of JWT tokens
Resolves CAR-27
See plan: CAR-26#document-plan
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Removes quantity qualifier from two instances since pre-beta coverage
is not verified. per QA and CEO review comments on PR #42.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Critical fixes:
- stores.md: Correct supported retailers to Meijer, Kroger, Target.
Remove Safeway (never scoped). Replace named Coming Soon list with
generic demand-based evaluation language.
- privacy.md: Replace all OAuth/API claims with accurate language
describing read-only headless browser access to loyalty portals.
- about.md: Remove "price gouging on our roadmap" claim.
Clarify USDA FoodData Central is reference data only, not a source
of price data.
- blog/price-gouging-vs-shrinkflation.md: Remove roadmap claim.
Remove implication that price gouging detection is coming.
- methodology.md: Fix cereal example math — 16.2% → 16.1%.
Use raw values per the stated formula. Clarify USDA FoodData
Central role for package sizing baselines only.
- how-it-works.md: Correct retailers. Remove "(yet)" from receipt
claim. Clarify USDA FoodData Central is reference data.
Important fixes:
- press-kit.md: Correct supported stores. Remove USDA FoodData Central
from dollar-cost attribution — reattribute to CartSnitch analysis of
manufacturer packaging data.
- app-store-listing.md: Remove "thousands of products" claims
(pre-launch beta, quantity unverified).
- social/launch-day-posts.md: Remove "thousands of products" claim.
Correct retailer list.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Barcode Betty
Stockboy Steve
Chris Farhood