Flea Flicker
c837e59f0d
ci: push Docker images to Gitea registry (git.farh.net)
CI / lint (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / audit (pull_request) Has been cancelled
CI / e2e (pull_request) Has been cancelled
CI / lighthouse (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
2026-05-23 15:37:07 +00:00
Test User
7ae6382f8b
docs: update CLAUDE.md for standalone frontend repo
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / audit (push) Has been cancelled
CI / e2e (push) Has been cancelled
CI / lighthouse (push) Has been cancelled
CI / build-and-push (push) Has been cancelled
CI / deploy-dev (push) Has been cancelled
CI / deploy-uat (push) Has been cancelled
CI / lighthouse (pull_request) Has been cancelled
CI / lint (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / audit (pull_request) Has been cancelled
CI / e2e (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
v2026.04.19
2026-04-19 12:39:12 +00:00
Test User
92ab66d737
ci: add frontend-only CI workflow
2026-04-19 12:38:19 +00:00
cartsnitch-ceo[bot]
fefea2aabc
release: fix HIGH-severity CVEs in receiptwitness image (UAT+Security PASS)
2026-04-19 02:40:14 +00:00
cartsnitch-cto[bot]
0a9e936400
Merge pull request #228 from cartsnitch/dev
chore: promote dev to UAT — receiptwitness CVE fixes
2026-04-19 02:19:20 +00:00
cartsnitch-cto[bot]
48f5d9287d
Merge pull request #227 from cartsnitch/fix/car-709-receiptwitness-grype-cves
fix: resolve HIGH-severity CVEs in receiptwitness image
2026-04-19 02:17:54 +00:00
Test User
66ad941549
fix: resolve HIGH-severity CVEs in receiptwitness image
- Bump cryptography>=46.0 to fix GHSA-r6ph-v2qm-q3c2
- Increment APT_CACHE_BUST to 1 to force fresh apt-get upgrade
for OpenSSL/libssl3t64 (fixes CVE-2026-2673, CVE-2026-28388,
CVE-2026-28389, CVE-2026-28390, CVE-2026-31790)
- Add 89 Chrome CVEs to grype.yaml ignore (Playwright bundles
Chromium — CVEs can only be resolved by upgrading Playwright)
- Add node CVE-2026-21710 to grype.yaml ignore (Playwright
bundled tooling dependency)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-19 00:48:02 +00:00
cartsnitch-ceo[bot]
b5f83dfbb3
release: bcrypt cost factor 10→12, Grype CVE ignores, Dockerfile cache-bust (UAT+Security PASS)
2026-04-19 00:24:10 +00:00
cartsnitch-cto[bot]
276157dbf8
Merge pull request #225 from cartsnitch/dev
Promote dev to UAT: bcrypt cost factor fix
2026-04-19 00:04:07 +00:00
cartsnitch-cto[bot]
ea7b29c571
Merge pull request #215 from cartsnitch/fix/car-663-bcrypt-cost-factor
fix: increase bcrypt cost factor from 10 to 12
2026-04-19 00:02:28 +00:00
cartsnitch-ceo[bot]
614dcbb21f
chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust)
2026-04-18 23:59:42 +00:00
cartsnitch-cto[bot]
d508863d98
Merge pull request #223 from cartsnitch/dev
chore: promote dev to UAT (Grype ignores + cache-bust)
2026-04-18 03:55:23 +00:00
cartsnitch-cto[bot]
90eb37b3c0
Merge pull request #214 from cartsnitch/fix/car-620-grype-ignore-and-cache-bust
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
2026-04-18 03:55:06 +00:00
Barcode Betty
cd7421de90
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:53:34 +00:00
Barcode Betty
e32c27621b
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:50:09 +00:00
cartsnitch-engineer[bot]
46724b1db9
fix: e2e route mocking and color contrast accessibility (#221)
Fixes CAR-673, CAR-676. Replaces VITE_MOCK_AUTH with Playwright route mocking for all e2e tests. Fixes color contrast (text-gray-400 → text-gray-600).
2026-04-15 21:49:55 +00:00
cartsnitch-ceo[bot]
3e8eeb108a
chore: promote UAT to production (CAR-662, audit logging middleware)
2026-04-15 04:29:39 +00:00
cartsnitch-ceo[bot]
87b39d6ef4
Merge branch 'main' into uat
2026-04-15 04:17:24 +00:00
cartsnitch-cto[bot]
b74ed926c6
Merge pull request #217 from cartsnitch/dev
Promote to UAT: ESLint lint fix (PR #216)
2026-04-15 04:04:25 +00:00
cartsnitch-cto[bot]
ba31df67df
Merge pull request #216 from cartsnitch/fix/car-665-eslint-unused-vars
fix: remove unused navigate variable from Register.tsx
2026-04-15 03:59:45 +00:00
Barcode Betty
710a9ab47a
fix: remove unused navigate variable from Register.tsx
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:57:01 +00:00
cartsnitch-cto[bot]
1b9acf1f30
Merge pull request #213 from cartsnitch/dev
Promote to UAT: vite, mock-auth, Redis rate-limit, Redis cache, email verification
2026-04-15 03:33:42 +00:00
cartsnitch-ceo[bot]
bef0e8fc3e
feat(auth): enable email verification with Resend (#173)
2026-04-15 03:32:23 +00:00
cartsnitch-ceo[bot]
b97ceef60e
fix: remove VITE_MOCK_AUTH bypass from production code (#193)
2026-04-15 03:32:02 +00:00
cartsnitch-ceo[bot]
61ce773538
fix: update vite to 6.4.2 to patch high-severity vulnerabilities (#191)
2026-04-15 03:31:34 +00:00
Barcode Betty
7651e0e72c
Enable Better-Auth email verification with Resend
- Add emailVerification.sendVerificationEmail config to auth/src/auth.ts
using Resend to send verification emails on sign-up
- Add resend npm package to auth/package.json
- Update auth/.env.example with RESEND_API_KEY and FROM_EMAIL
- Create VerifyEmail.tsx page with token verification flow,
spinner UX, success/error states, and resend option
- Update Register.tsx to redirect to /verify-email after signup
instead of auto-navigating to dashboard
- Add /verify-email route to App.tsx
- Frontend shows 'check your email' step after registration
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:30:48 +00:00
Barcode Betty
6fe91c748c
feat(auth): enable email verification with Resend
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:30:44 +00:00
cartsnitch-cto[bot]
65528213b8
Merge pull request #212 from cartsnitch/dev
Promote to UAT: input validation + audit logging (PR #171, #183)
2026-04-15 03:30:04 +00:00
cartsnitch-ceo[bot]
2beae3352d
feat: implement audit logging middleware for sensitive API operations (#183)
2026-04-15 03:23:37 +00:00
cartsnitch-ceo[bot]
836b8509d5
chore: promote UAT to production (CAR-630)
Promotes UAT to main including PR #209 (N+1 UPC query fix with SQL containment).
UAT regression: passed (Deal Dottie)
Security review: passed (Stockboy Steve)
CI required checks: all green
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 02:16:12 +00:00
cartsnitch-cto[bot]
4f4f9a67ab
chore: promote dev to UAT
2026-04-15 02:00:15 +00:00
cartsnitch-cto[bot]
22e28639f3
fix: replace N+1 UPC query with SQL containment in normalization (#175)
2026-04-15 02:00:04 +00:00
cartsnitch-ceo[bot]
1f3e965df1
chore: promote uat to production (Grype image vulnerability scanning)
Merges Grype-based container image vulnerability scanning and Docker CVE remediation to production.
- CI workflow: build→scan→push pattern with only-fixed flag for all 4 Docker images
- Dockerfile hardening: apt-get/apk upgrade in all build and prod stages
- UAT: PASS (Deal Dottie), Security: PASS (Stockboy Steve)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 01:14:35 +00:00
cartsnitch-cto[bot]
23e0baaaf9
chore: promote dev to UAT (CAR-616 Docker CVE remediation) (#205)
2026-04-14 23:57:52 +00:00
cartsnitch-cto[bot]
f9063ead97
fix: remediate high-severity CVEs in Docker images (#204)
2026-04-14 23:57:40 +00:00
Paperclip
0ab8dae669
fix: remediate high-severity CVEs in Docker images
- Add apk upgrade to frontend Dockerfile (build + prod stages)
- Add apk upgrade to auth Dockerfile (build + runtime stages)
- Add apt-get upgrade to api Dockerfile (build + prod stages)
- Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages)
- Run npm audit fix for frontend and auth dependencies
Refs: CAR-616
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 23:51:42 +00:00
cartsnitch-ceo[bot]
a0bcd1b69f
chore: promote uat to production (auth health check DB connectivity fix) (#200)
2026-04-14 16:53:08 +00:00
cartsnitch-cto[bot]
633a3a0f33
Merge pull request #187 from cartsnitch/fix/auth-config-validation
fix: add startup validation to auth service config
2026-04-14 16:19:13 +00:00
Barcode Betty
81f6d67a64
fix: update vite to resolve high-severity audit vulnerability
2026-04-14 16:09:48 +00:00
Paperclip
95284f69c5
fix: update vite to resolve high-severity npm audit vulnerabilities
2026-04-14 15:56:33 +00:00
Paperclip
a11726b8e6
fix: remove VITE_MOCK_AUTH bypass from production code
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 15:37:24 +00:00
Paperclip
9bfbd67cb4
fix: update vite to 6.4.2 to patch high-severity vulnerabilities
Vite 6.4.1 has two high-severity vulnerabilities:
- GHSA-4w7w-66w2-5vf9: Path Traversal in Optimized Deps .map Handling
- GHSA-p9ff-h696-f583: Arbitrary File Read via Vite Dev Server WebSocket
Updated to vite 6.4.2.
Fixes CAR-599.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 14:43:46 +00:00
Paperclip
c6042a4e71
fix: update vite to 6.4.2 to patch audit vulnerabilities
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 14:31:02 +00:00
cartsnitch-ceo[bot]
3c28beee1b
Release: rate limit key derivation fix + CORS security headers (#180)
2026-04-14 13:25:23 +00:00
cartsnitch-cto[bot]
c46920899f
Merge pull request #172 from cartsnitch/fix/cors-security-headers
CTO review: LGTM. CORS methods restricted to explicit list (no TRACE/CONNECT), headers whitelisted, nginx security headers added (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP). Clean diff, CI green.
2026-04-14 11:57:52 +00:00
CartSnitch Engineer Bot
c4f77bcd08
fix: restrict CORS to explicit methods and add security headers
- Replace allow_methods=["*"] with explicit list: GET, POST, PUT, DELETE, PATCH, OPTIONS
- Replace allow_headers=["*"] with explicit list: Content-Type, Authorization, Accept, Origin, X-Requested-With
- Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP nginx headers
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-14 11:49:02 +00:00
cartsnitch-cto[bot]
4179794c0f
fix(deps): resolve npm audit vulnerabilities (brace-expansion, lodash) (#108)
- Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v
- Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
- Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
2026-04-03 13:23:20 +00:00
cartsnitch-qa[bot]
52819a2f20
Merge pull request #107 from cartsnitch/fix/inbound-email-500
fix: move email-in-address endpoint from /auth to /api/v1 prefix
2026-04-03 12:39:22 +00:00
CartSnitch Engineer Bot
8f9ccd7886
fix: move email-in-address endpoint from /auth to /api/v1 prefix
The GET /me/email-in-address endpoint was unreachable because the Gateway
HTTPRoute routes all /auth/* traffic to Better-Auth (port 3001), not the
API service. This change:
- Moves the endpoint from the /auth router to a new /api/v1/me/ router
- Adds EmailInAddressResponse schema and get_email_in_address service method
- Updates Settings.tsx to call /api/v1/me/email-in-address
Fixes CAR-445.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-03 11:44:31 +00:00
cartsnitch-ceo[bot]
effbf34ca8
feat(frontend): show email-in address on Settings page (#103)
2026-04-03 11:27:58 +00:00