Savannah Savings
ddc3a846bc
Merge pull request 'Promote dev → uat: remove stale .github/workflows [CAR-934]' ( #8 ) from dev into uat
...
CI / build-and-push (push) Failing after 7s
CI / test (push) Successful in 13s
CI / lint (push) Successful in 15s
CI / audit (push) Failing after 11s
CI / deploy-uat (push) Failing after 32s
CI / deploy-dev (push) Has been skipped
CI / lighthouse (push) Failing after 1m18s
CI / e2e (push) Successful in 43s
Promote dev→uat: pin setup-node to SHA [CAR-935]
2026-05-21 19:36:15 +00:00
Savannah Savings
9af0e36db0
Merge pull request 'ci: pin setup-node to SHA to fix Gitea Actions module error [CAR-935]' ( #9 ) from betty/car-935-fix-setup-node into dev
...
CI / audit (push) Failing after 10s
CI / lint (push) Successful in 13s
CI / deploy-uat (push) Has been skipped
CI / test (push) Successful in 12s
CI / e2e (push) Successful in 38s
CI / build-and-push (push) Failing after 9s
CI / deploy-dev (push) Failing after 33s
CI / lighthouse (push) Failing after 1m18s
CI / lint (pull_request) Successful in 14s
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m13s
CI / audit (pull_request) Failing after 4s
CI / test (pull_request) Successful in 13s
CI / e2e (pull_request) Successful in 42s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
Merge: ci: pin setup-node to SHA to fix Gitea Actions module error [CAR-935]
2026-05-21 19:34:39 +00:00
1ffc9466fc
ci: pin setup-node to SHA 49933ea5288caeca8642d1e84afbd3f7d6820020
...
CI / audit (pull_request) Failing after 42s
CI / e2e (pull_request) Successful in 38s
CI / test (pull_request) Successful in 43s
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m13s
CI / lint (pull_request) Successful in 42s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
Fixes 'Cannot find module .../dist/setup/index.js' error in Gitea Actions runner.
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-21 19:25:45 +00:00
Savannah Savings
49413c31bf
Merge pull request 'chore: promote workflow migration to UAT (CAR-896)' ( #7 ) from dev into uat
2026-05-21 12:24:45 +00:00
Savannah Savings
456e938310
Merge pull request 'chore: move workflows from .github to .gitea' ( #5 ) from barcode-betty/move-workflows-to-gitea into dev
...
CI / lint (pull_request) Failing after 4s
CI / test (pull_request) Successful in 11s
CI / audit (pull_request) Failing after 11s
CI / e2e (pull_request) Successful in 46s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m13s
chore: move workflows from .github to .gitea (CAR-896)
Merge PR #5 to dev. QA verified by Checkout Charlie.
2026-05-21 12:14:16 +00:00
Savannah Savings
23ddc8b8e2
Merge pull request 'ci: convert GitHub Actions to Gitea Actions (ubuntu-latest)' ( #4 ) from betty/car-869-gitea-actions-app into dev
...
CI / audit (push) Failing after 11s
CI / test (push) Successful in 13s
CI / lint (push) Successful in 14s
CI / test (pull_request) Successful in 12s
CI / lint (pull_request) Successful in 14s
CI / e2e (push) Successful in 42s
CI / audit (pull_request) Failing after 12s
CI / e2e (pull_request) Successful in 41s
CI / build-and-push (push) Failing after 7s
CI / build-and-push (pull_request) Has been skipped
CI / lighthouse (push) Failing after 1m18s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (push) Failing after 27s
CI / lighthouse (pull_request) Failing after 1m16s
ci: convert GitHub Actions to Gitea Actions (ubuntu-latest)
CTO-approved. QA passed. Mechanical CI migration.
cc @cpfarhood
2026-05-21 11:55:47 +00:00
5076f12486
chore: move workflows from .github to .gitea
...
CI / lint (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / audit (pull_request) Has been cancelled
CI / e2e (pull_request) Has been cancelled
CI / lighthouse (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-21 11:54:10 +00:00
95466ccfef
ci: convert GitHub Actions to Gitea Actions (ubuntu-latest)
...
CI / audit (pull_request) Failing after 11s
CI / test (pull_request) Successful in 14s
CI / lint (pull_request) Successful in 15s
CI / e2e (pull_request) Successful in 37s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m14s
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-21 04:10:33 +00:00
67c2d27e74
promote: dev → uat (Register account-created success message) ( #3 )
...
* ci: add frontend-only CI workflow
* docs: update CLAUDE.md for standalone frontend repo
* fix(register): replace check-your-email success state with inline message (#2 )
* fix(register): replace check-your-email success state with inline message
Ports PR #181 intent from cartsnitch/cartsnitch to cartsnitch/app.
Removes registrationComplete, resendLoading, resendMessage state and the
handleResendVerification function. After successful signUp.email, now
sets setError('Account created! Please sign in.') instead of showing
the separate "Check your email" page.
Refs: CAR-822, CAR-818
* fix(e2e): update registration test to match new inline success message
Renames 'can register a new account and see check your email screen' to
'shows success message after registration' and asserts .bg-red-50 contains
'Account created! Please sign in.' instead of checking for a heading.
Updates 'can sign in with credentials' test to first register a fresh account
and assert the success message, then proceed with login.
Refs: CAR-822, PR cartsnitch/cartsnitch#181
---------
Co-authored-by: Chris Farhood <chris@farhood.org >
---------
Co-authored-by: Test User <test@example.com >
Co-authored-by: savannah-savings-cto[bot] <269715008+savannah-savings-cto[bot]@users.noreply.github.com>
Co-authored-by: cartsnitch-engineer[bot] <269717931+cartsnitch-engineer[bot]@users.noreply.github.com>
Co-authored-by: Chris Farhood <chris@farhood.org >
2026-05-04 19:08:27 +00:00
7ae6382f8b
docs: update CLAUDE.md for standalone frontend repo
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / audit (push) Has been cancelled
CI / e2e (push) Has been cancelled
CI / lighthouse (push) Has been cancelled
CI / build-and-push (push) Has been cancelled
CI / deploy-dev (push) Has been cancelled
CI / deploy-uat (push) Has been cancelled
CI / lighthouse (pull_request) Has been cancelled
CI / lint (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / audit (pull_request) Has been cancelled
CI / e2e (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
2026-04-19 12:39:12 +00:00
92ab66d737
ci: add frontend-only CI workflow
2026-04-19 12:38:19 +00:00
fefea2aabc
release: fix HIGH-severity CVEs in receiptwitness image (UAT+Security PASS)
...
release: fix HIGH-severity CVEs in receiptwitness image (UAT+Security PASS)
2026-04-19 02:40:14 +00:00
0a9e936400
Merge pull request #228 from cartsnitch/dev
...
chore: promote dev to UAT — receiptwitness CVE fixes
2026-04-19 02:19:20 +00:00
48f5d9287d
Merge pull request #227 from cartsnitch/fix/car-709-receiptwitness-grype-cves
...
fix: resolve HIGH-severity CVEs in receiptwitness image
2026-04-19 02:17:54 +00:00
66ad941549
fix: resolve HIGH-severity CVEs in receiptwitness image
...
- Bump cryptography>=46.0 to fix GHSA-r6ph-v2qm-q3c2
- Increment APT_CACHE_BUST to 1 to force fresh apt-get upgrade
for OpenSSL/libssl3t64 (fixes CVE-2026-2673, CVE-2026-28388,
CVE-2026-28389, CVE-2026-28390, CVE-2026-31790)
- Add 89 Chrome CVEs to grype.yaml ignore (Playwright bundles
Chromium — CVEs can only be resolved by upgrading Playwright)
- Add node CVE-2026-21710 to grype.yaml ignore (Playwright
bundled tooling dependency)
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-19 00:48:02 +00:00
b5f83dfbb3
release: bcrypt cost factor 10→12, Grype CVE ignores, Dockerfile cache-bust (UAT+Security PASS)
...
release: bcrypt cost factor 10→12, Grype CVE ignores, Dockerfile cache-bust (UAT+Security PASS)
2026-04-19 00:24:10 +00:00
276157dbf8
Merge pull request #225 from cartsnitch/dev
...
Promote dev to UAT: bcrypt cost factor fix
2026-04-19 00:04:07 +00:00
ea7b29c571
Merge pull request #215 from cartsnitch/fix/car-663-bcrypt-cost-factor
...
fix: increase bcrypt cost factor from 10 to 12
2026-04-19 00:02:28 +00:00
614dcbb21f
chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust)
...
chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust)
2026-04-18 23:59:42 +00:00
d508863d98
Merge pull request #223 from cartsnitch/dev
...
chore: promote dev to UAT (Grype ignores + cache-bust)
2026-04-18 03:55:23 +00:00
90eb37b3c0
Merge pull request #214 from cartsnitch/fix/car-620-grype-ignore-and-cache-bust
...
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
2026-04-18 03:55:06 +00:00
cd7421de90
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
...
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 21:53:34 +00:00
e32c27621b
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
...
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 21:50:09 +00:00
46724b1db9
fix: e2e route mocking and color contrast accessibility ( #221 )
...
Fixes CAR-673, CAR-676. Replaces VITE_MOCK_AUTH with Playwright route mocking for all e2e tests. Fixes color contrast (text-gray-400 → text-gray-600).
2026-04-15 21:49:55 +00:00
3e8eeb108a
chore: promote UAT to production (CAR-662, audit logging middleware)
...
chore: promote UAT to production (CAR-662, audit logging middleware)
2026-04-15 04:29:39 +00:00
87b39d6ef4
Merge branch 'main' into uat
2026-04-15 04:17:24 +00:00
b74ed926c6
Merge pull request #217 from cartsnitch/dev
...
Promote to UAT: ESLint lint fix (PR #216 )
2026-04-15 04:04:25 +00:00
ba31df67df
Merge pull request #216 from cartsnitch/fix/car-665-eslint-unused-vars
...
fix: remove unused navigate variable from Register.tsx
2026-04-15 03:59:45 +00:00
710a9ab47a
fix: remove unused navigate variable from Register.tsx
...
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 03:57:01 +00:00
1b9acf1f30
Merge pull request #213 from cartsnitch/dev
...
Promote to UAT: vite, mock-auth, Redis rate-limit, Redis cache, email verification
2026-04-15 03:33:42 +00:00
bef0e8fc3e
feat(auth): enable email verification with Resend ( #173 )
...
feat(auth): enable email verification with Resend
2026-04-15 03:32:23 +00:00
b97ceef60e
fix: remove VITE_MOCK_AUTH bypass from production code ( #193 )
...
fix: remove VITE_MOCK_AUTH bypass from production code
2026-04-15 03:32:02 +00:00
61ce773538
fix: update vite to 6.4.2 to patch high-severity vulnerabilities ( #191 )
...
fix: update vite to 6.4.2 to patch high-severity vulnerabilities
2026-04-15 03:31:34 +00:00
7651e0e72c
Enable Better-Auth email verification with Resend
...
- Add emailVerification.sendVerificationEmail config to auth/src/auth.ts
using Resend to send verification emails on sign-up
- Add resend npm package to auth/package.json
- Update auth/.env.example with RESEND_API_KEY and FROM_EMAIL
- Create VerifyEmail.tsx page with token verification flow,
spinner UX, success/Error states, and resend option
- Update Register.tsx to redirect to /verify-email after signup
instead of auto-navigating to dashboard
- Add /verify-email route to App.tsx
- Frontend shows 'check your email' step after registration
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 03:30:48 +00:00
6fe91c748c
feat(auth): enable email verification with Resend
...
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 03:30:44 +00:00
65528213b8
Merge pull request #212 from cartsnitch/dev
...
Promote to UAT: input validation + audit logging (PR #171 , #183 )
2026-04-15 03:30:04 +00:00
2beae3352d
feat: implement audit logging middleware for sensitive API operations ( #183 )
...
feat: implement audit logging middleware for sensitive API operations
2026-04-15 03:23:37 +00:00
836b8509d5
chore: promote UAT to production (CAR-630)
...
Promotes UAT to main including PR #209 (N+1 UPC query fix with SQL containment).
UAT regression: passed (Deal Dottie)
Security review: passed (Stockboy Steve)
CI required checks: all green
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 02:16:12 +00:00
4f4f9a67ab
chore: promote dev to UAT
...
chore: promote dev to UAT
2026-04-15 02:00:15 +00:00
22e28639f3
fix: replace N+1 UPC query with SQL containment in normalization ( #175 )
...
fix: replace N+1 UPC query with SQL containment in normalization
2026-04-15 02:00:04 +00:00
1f3e965df1
chore: promote uat to production (Grype image vulnerability scanning)
...
Merges Grype-based container image vulnerability scanning and Docker CVE remediation to production.
- CI workflow: build→scan→push pattern with only-fixed flag for all 4 Docker images
- Dockerfile hardening: apt-get/apk upgrade in all build and prod stages
- UAT: PASS (Deal Dottie), Security: PASS (Stockboy Steve)
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-15 01:14:35 +00:00
23e0baaaf9
chore: promote dev to UAT (CAR-616 Docker CVE remediation) ( #205 )
...
chore: promote dev to UAT (CAR-616 Docker CVE remediation)
2026-04-14 23:57:52 +00:00
f9063ead97
fix: remediate high-severity CVEs in Docker images ( #204 )
...
fix: remediate high-severity CVEs in Docker images
2026-04-14 23:57:40 +00:00
0ab8dae669
fix: remediate high-severity CVEs in Docker images
...
- Add apk upgrade to frontend Dockerfile (build + prod stages)
- Add apk upgrade to auth Dockerfile (build + runtime stages)
- Add apt-get upgrade to api Dockerfile (build + prod stages)
- Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages)
- Run npm audit fix for frontend and auth dependencies
Refs: CAR-616
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-14 23:51:42 +00:00
a0bcd1b69f
chore: promote uat to production (auth health check DB connectivity fix) ( #200 )
...
chore: promote uat to production (auth health check DB connectivity fix)
2026-04-14 16:53:08 +00:00
633a3a0f33
Merge pull request #187 from cartsnitch/fix/auth-config-validation
...
fix: add startup validation to auth service config
2026-04-14 16:19:13 +00:00
81f6d67a64
fix: update vite to resolve high-severity audit vulnerability
2026-04-14 16:09:48 +00:00
95284f69c5
fix: update vite to resolve high-severity npm audit vulnerabilities
2026-04-14 15:56:33 +00:00
a11726b8e6
fix: remove VITE_MOCK_AUTH bypass from production code
...
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-14 15:37:24 +00:00
9bfbd67cb4
fix: update vite to 6.4.2 to patch high-severity vulnerabilities
...
Vite 6.4.1 has two high-severity vulnerabilities:
- GHSA-4w7w-66w2-5vf9: Path Traversal in Optimized Deps .map Handling
- GHSA-p9ff-h696-f583: Arbitrary File Read via Vite Dev Server WebSocket
Updated to vite 6.4.2.
Fixes CAR-599.
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-14 14:43:46 +00:00
Savannah Savings
Savannah Savings