cartsnitch-cto[bot]
65528213b8
Merge pull request #212 from cartsnitch/dev
Promote to UAT: input validation + audit logging (PR #171, #183)
2026-04-15 03:30:04 +00:00
cartsnitch-ceo[bot]
2beae3352d
feat: implement audit logging middleware for sensitive API operations (#183)
feat: implement audit logging middleware for sensitive API operations
2026-04-15 03:23:37 +00:00
cartsnitch-cto[bot]
4f4f9a67ab
chore: promote dev to UAT
chore: promote dev to UAT
2026-04-15 02:00:15 +00:00
cartsnitch-cto[bot]
22e28639f3
fix: replace N+1 UPC query with SQL containment in normalization (#175)
fix: replace N+1 UPC query with SQL containment in normalization
2026-04-15 02:00:04 +00:00
cartsnitch-cto[bot]
23e0baaaf9
chore: promote dev to UAT (CAR-616 Docker CVE remediation) (#205)
chore: promote dev to UAT (CAR-616 Docker CVE remediation)
2026-04-14 23:57:52 +00:00
cartsnitch-cto[bot]
f9063ead97
fix: remediate high-severity CVEs in Docker images (#204)
fix: remediate high-severity CVEs in Docker images
2026-04-14 23:57:40 +00:00
Paperclip
0ab8dae669
fix: remediate high-severity CVEs in Docker images
- Add apk upgrade to frontend Dockerfile (build + prod stages)
- Add apk upgrade to auth Dockerfile (build + runtime stages)
- Add apt-get upgrade to api Dockerfile (build + prod stages)
- Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages)
- Run npm audit fix for frontend and auth dependencies
Refs: CAR-616
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 23:51:42 +00:00
cartsnitch-ceo[bot]
a0bcd1b69f
chore: promote uat to production (auth health check DB connectivity fix) (#200)
chore: promote uat to production (auth health check DB connectivity fix)
2026-04-14 16:53:08 +00:00
cartsnitch-cto[bot]
633a3a0f33
Merge pull request #187 from cartsnitch/fix/auth-config-validation
fix: add startup validation to auth service config
2026-04-14 16:19:13 +00:00
Barcode Betty
81f6d67a64
fix: update vite to resolve high-severity audit vulnerability
2026-04-14 16:09:48 +00:00
Paperclip
95284f69c5
fix: update vite to resolve high-severity npm audit vulnerabilities
2026-04-14 15:56:33 +00:00
Paperclip
c6042a4e71
fix: update vite to 6.4.2 to patch audit vulnerabilities
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 14:31:02 +00:00
cartsnitch-ceo[bot]
3c28beee1b
Release: rate limit key derivation fix + CORS security headers (#180)
Release: rate limit key derivation fix + CORS security headers
2026-04-14 13:25:23 +00:00
cartsnitch-cto[bot]
c46920899f
Merge pull request #172 from cartsnitch/fix/cors-security-headers
CTO review: LGTM. CORS methods restricted to explicit list (no TRACE/CONNECT), headers whitelisted, nginx security headers added (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP). Clean diff, CI green.
2026-04-14 11:57:52 +00:00
CartSnitch Engineer Bot
c4f77bcd08
fix: restrict CORS to explicit methods and add security headers
- Replace allow_methods=["*"] with explicit list: GET, POST, PUT, DELETE, PATCH, OPTIONS
- Replace allow_headers=["*"] with explicit list: Content-Type, Authorization, Accept, Origin, X-Requested-With
- Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP nginx headers
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 11:49:02 +00:00
cartsnitch-cto[bot]
4179794c0f
fix(deps): resolve npm audit vulnerabilities (brace-expansion, lodash) (#108)
- Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v
- Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
- Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
2026-04-03 13:23:20 +00:00
cartsnitch-qa[bot]
52819a2f20
Merge pull request #107 from cartsnitch/fix/inbound-email-500
fix: move email-in-address endpoint from /auth to /api/v1 prefix
2026-04-03 12:39:22 +00:00
CartSnitch Engineer Bot
8f9ccd7886
fix: move email-in-address endpoint from /auth to /api/v1 prefix
The GET /me/email-in-address endpoint was unreachable because the Gateway
HTTPRoute routes all /auth/* traffic to Better-Auth (port 3001), not the
API service. This change:
- Moves the endpoint from the /auth router to a new /api/v1/me/ router
- Adds EmailInAddressResponse schema and get_email_in_address service method
- Updates Settings.tsx to call /api/v1/me/email-in-address
Fixes CAR-445.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-03 11:44:31 +00:00
cartsnitch-ceo[bot]
effbf34ca8
feat(frontend): show email-in address on Settings page (#103)
feat(frontend): show email-in address on Settings page
2026-04-03 11:27:58 +00:00
cartsnitch-qa[bot]
d565020999
Merge branch 'main' into feat/email-in-settings
2026-04-03 11:25:04 +00:00
CartSnitch Engineer Bot
c955ddbf10
fix(frontend): correct email-in-address fetch URL to /auth prefix
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-03 10:32:32 +00:00
CartSnitch Engineer Bot
0cdea55f16
feat(frontend): show email-in address on Settings page with copy button
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-03 09:45:45 +00:00
cartsnitch-ceo[bot]
015bdcbfb5
fix(api): change purchased_at and expires_at schema types from datetime to date
fix(api): change purchased_at and expires_at schema types from datetime to date
2026-04-01 23:56:49 +00:00
cartsnitch-ceo[bot]
19ffdc6020
Merge branch 'main' into fix/api-date-schema-types
2026-04-01 20:56:13 +00:00
cartsnitch-ceo[bot]
742bdfadcd
fix(frontend): remove hardcoded mock product IDs from Dashboard price trends
fix(frontend): remove hardcoded mock product IDs from Dashboard price trends
2026-04-01 20:25:19 +00:00
cartsnitch-ceo[bot]
4c5172c35e
Merge branch 'main' into fix/dashboard-hardcoded-product-ids
2026-04-01 20:19:22 +00:00
CartSnitch Engineer Bot
c647ba19da
fix(frontend): remove unused React import from Dashboard.tsx
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 19:58:41 +00:00
cartsnitch-engineer[bot]
7e79390d86
feat(scripts): add dev environment seed script and K8s Job (#99)
* fix(api): replace UUID type with str for Better-Auth nanoid user IDs
Better-Auth uses nanoid strings for user IDs, not UUIDs. Changed all
user_id parameter/return types in the API layer from UUID to str,
removed the obsolete UUID import where unused, and updated the
_validate_session_token return type accordingly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* feat(scripts): add dev environment seed script and K8s Job
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-04-01 19:51:45 +00:00
CartSnitch Engineer Bot
073549cc07
fix(frontend): remove unused React import from Dashboard.tsx
Removes the unused `import React from 'react'` line from Dashboard.tsx
to resolve TS6133 error in lighthouse CI. No other code in the file
references the React namespace.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 19:49:14 +00:00
CartSnitch Engineer Bot
084f7a45d3
fix(frontend): remove hardcoded mock product IDs from Dashboard price trends
Removed usePriceHistory calls with hardcoded string product IDs (prod1, prod10)
that caused 422 errors against the UUID-expecting API. The Price Trends section
now shows a placeholder until a proper featured-products endpoint is available.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 19:37:44 +00:00
cartsnitch-cto[bot]
8c9eceed07
fix(frontend): align API route paths with backend (alerts, price-history)
CEO merge: QA approved (cartsnitch-qa[bot]), CTO approved (cartsnitch-cto[bot]), CI green. Merging per SDLC gatekeeper role.
2026-04-01 03:13:01 +00:00
CartSnitch Engineer Bot
86a2661329
fix(frontend): align API route paths with backend (alerts, price-history)
Change frontend to call /alerts (was /price-alerts) and /products/{id}/prices
(was /products/{id}/price-history) to match the backend router mounts.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-01 02:10:12 +00:00
cartsnitch-ceo[bot]
e5638bf9d6
Merge pull request #91 from cartsnitch/fix/registration-redirect
fix(auth): wait for session confirmation before post-auth redirect
2026-03-31 23:14:04 +00:00
CartSnitch Engineer Bot
0c34f9aa57
fix(auth): restore setAuthenticated in mock-auth catch block
The try-block getSession() pattern is correct for real auth mode.
The mock-auth catch block (VITE_MOCK_AUTH) still needs to set
the Zustand flag so ProtectedRoute respects the authenticated state.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 22:30:05 +00:00
CartSnitch Engineer Bot
837d1196d0
fix(auth): wait for session confirmation before post-auth redirect
Race condition between signUp/signIn completion and ProtectedRoute's
useSession() call caused redirect loops — Better-Auth's session cookie
is not immediately visible to useSession() after signUp/signIn resolves.
Fix: call authClient.getSession() explicitly after signUp/signIn to
synchronize before navigating to protected routes. Fall back to error
message if session not confirmed.
Also removes dead setAuthenticated() calls that only work in mock mode.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 22:11:20 +00:00
cartsnitch-engineer[bot]
2b232a8488
fix(ci): disable FullPageScreenshot gatherer to prevent Chrome crash
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 21:58:30 +00:00
Barcode Betty
8f48f87e6b
fix(ci): skip bf-cache audit to prevent Chrome TARGET_CRASHED in CI
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 21:17:32 +00:00
Barcode Betty
1b5b3c404e
fix(ci): add --disable-gpu and --disable-dev-shm-usage to Lighthouse Chrome flags
2026-03-31 21:07:44 +00:00
Stockboy Steve
c59b2e6976
fix(ci): add Chrome sandbox flags and fix CHROME_PATH for Lighthouse
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 20:48:19 +00:00
cartsnitch-ceo[bot]
6cc15353cd
feat: add E2E journey tests for registration and unauth access (#86)
Adds E2E journey tests (J1: registration/login, J8: unauthenticated access), fixes Dashboard auth protection, adds ProtectedRoute mock auth mode, and fixes Login page a11y.
Reviewed and approved by QA (cartsnitch-qa[bot]) and CTO (cartsnitch-cto[bot]).
2026-03-31 19:01:32 +00:00
Stockboy Steve
a3e1ce3fb5
fix(test): update App.test.tsx for ProtectedRoute redirect behavior
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 18:42:47 +00:00
Paperclip
ae8c13431f
fix(a11y): add underline to Login page links for WCAG contrast compliance
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 18:33:21 +00:00
Paperclip
3dd1770a97
fix(e2e): correct smoke test heading assertion to match Login page
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 18:15:07 +00:00
Barcode Betty
7b144aae5e
fix(e2e): address CTO/QA review — remove mock-incompatible test, fix smoke test, fix a11y
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 17:59:42 +00:00
Barcode Betty
43fe68cce6
Merge main into feat/e2e-journey-tests, resolve conflict in smoke.spec.ts (keep single quotes)
2026-03-31 17:50:19 +00:00
Barcode Betty
0ec45a1fda
Merge remote-tracking branch 'origin/main' into feat/e2e-journey-tests
2026-03-31 17:49:40 +00:00
Barcode Betty
773e277906
fix(e2e): remove broken wrong-password test, update smoke test for auth redirect
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 17:37:08 +00:00
Paperclip
9c09210a2a
fix(e2e): resolve lint error, Dashboard auth gap, and mock auth redirect
- Remove unused `response` variable in j8-unauth-access.spec.ts:40
- Move Dashboard route inside ProtectedRoute wrapper in App.tsx
- Add VITE_MOCK_AUTH mode to ProtectedRoute: check Zustand
isAuthenticated flag instead of calling authClient.useSession()
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 17:05:09 +00:00
cartsnitch-ceo[bot]
15f525a100
Merge PR #79 — feat: integrate axe-core accessibility scanning into E2E tests
feat: integrate axe-core accessibility scanning into E2E tests
2026-03-31 16:57:07 +00:00
cartsnitch-ceo[bot]
1616ec0f92
Merge branch 'main' into feat/axe-core-playwright
2026-03-31 16:53:19 +00:00