Merge branch 'main' into fix/auth-session-table-mapping

Better-Auth defaults to singular "session" table name, but our DB uses
the plural "sessions" table (created by migration 002). Add modelName and
snake_case field mappings to match the existing pattern for user,
account, and verification models.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yml

@@ -48,18 +48,6 @@ jobs:
       - name: Run tests
         run: npx vitest run
 
-  audit:
-    runs-on: runners-cartsnitch
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: npm
-      - run: npm ci
-      - name: Check for vulnerabilities
-        run: npm audit --audit-level=high
-
   e2e:
     runs-on: runners-cartsnitch
     steps:
@@ -72,34 +60,8 @@ jobs:
       - run: npx playwright install --with-deps chromium
       - run: npx playwright test
 
-  lighthouse:
-    runs-on: runners-cartsnitch
-    needs: [test]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: npm
-      - run: npm ci
-      - run: npm run build
-      - name: Install Chromium for Lighthouse
-        run: |
-          npm install -g playwright
-          npx playwright install --with-deps chromium
-      - name: Start preview server
-        run: |
-          npm run preview &
-          npx wait-on http://localhost:4173/ --timeout 30000
-      - name: Run Lighthouse CI
-        run: |
-          CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
-          npm install -g @lhci/cli
-          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
-
   build-and-push:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs: [lint, test, e2e]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
@@ -125,13 +87,6 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "CalVer tag: $VERSION"
 
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Log in to GHCR
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         uses: docker/login-action@v3
@@ -169,7 +124,6 @@ jobs:
 
   build-and-push-auth:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs: [lint, test, e2e]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
@@ -194,13 +148,6 @@ jobs:
           fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Log in to GHCR
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         uses: docker/login-action@v3
@@ -230,7 +177,6 @@ jobs:
 
   build-and-push-receiptwitness:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs: [lint, test]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
@@ -250,13 +196,6 @@ jobs:
           else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Log in to GHCR
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         uses: docker/login-action@v3
@@ -286,7 +225,6 @@ jobs:
 
   build-and-push-api:
     runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs: [lint, test]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
@@ -306,13 +244,6 @@ jobs:
           else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Log in to GHCR
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         uses: docker/login-action@v3
@@ -343,7 +274,7 @@ jobs:
   deploy-dev:
     runs-on: runners-cartsnitch
     needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:
       - name: Generate GitHub App token
         id: app-token
@@ -368,28 +299,12 @@ jobs:
       - name: Install kustomize
         uses: imranismail/setup-kustomize@v2
 
-      - name: Update frontend image tag
-        if: needs.build-and-push.result == 'success'
+      - name: Update dev overlay image tags
         run: |
           cd infra/apps/overlays/dev
           kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
           kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
-
-      - name: Update receiptwitness image tag
-        if: needs.build-and-push-receiptwitness.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
           kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
-
-      - name: Update api image tag
-        if: needs.build-and-push-api.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
           kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
 
       - name: Commit and push to infra

api/Dockerfile

@@ -30,4 +30,4 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=3s \
     CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"
 
-CMD ["sh", "-c", "python -m alembic upgrade head && uvicorn cartsnitch_api.main:app --host 0.0.0.0 --port 8000"]
+CMD ["uvicorn", "cartsnitch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]

api/alembic/versions/004_fix_user_id_text.py

@@ -1,122 +0,0 @@
-"""Fix users.id UUID->text type mismatch for Better-Auth compatibility.
-
-Better-Auth generates nanoid-style text IDs (e.g. pGud2ln2WAFHC0KYjBVKR4Rc7mM8OcTI),
-but the users table was using PostgreSQL uuid type. When Better-Auth tries to INSERT
-a new user, Postgres throws:
-  ERROR: invalid input syntax for type uuid: "pGud2ln2WAFHC0KYjBVKR4Rc7mM8OcTI"
-
-The sessions, accounts, and verifications tables already use text IDs — only users,
-user_store_accounts.user_id, and purchases.user_id needed fixing.
-
-Revision ID: 004_fix_user_id_text
-Revises: 003_make_users_hashed_password_nullable
-Create Date: 2026-03-31
-"""
-
-import sqlalchemy as sa
-from sqlalchemy import text
-
-from alembic import op
-
-revision = "004_fix_user_id_text"
-down_revision = "003_make_users_hashed_password_nullable"
-branch_labels = None
-depends_on = None
-
-
-def upgrade() -> None:
-    # Step 1: Drop existing FK constraints
-    op.execute(text("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey"))
-    op.execute(text("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey"))
-
-    # Step 2: Alter users.id from uuid to text
-    op.alter_column(
-        "users",
-        "id",
-        type_=sa.Text(),
-        existing_type=sa.UUID(),
-        postgresql_using="id::text",
-    )
-
-    # Step 3: Alter user_store_accounts.user_id from uuid to text
-    op.alter_column(
-        "user_store_accounts",
-        "user_id",
-        type_=sa.Text(),
-        existing_type=sa.UUID(),
-        postgresql_using="user_id::text",
-    )
-
-    # Step 4: Alter purchases.user_id from uuid to text
-    op.alter_column(
-        "purchases",
-        "user_id",
-        type_=sa.Text(),
-        existing_type=sa.UUID(),
-        postgresql_using="user_id::text",
-    )
-
-    # Step 5: Re-add FK constraints
-    op.execute(
-        text(
-            "ALTER TABLE user_store_accounts "
-            "ADD CONSTRAINT user_store_accounts_user_id_fkey "
-            "FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE"
-        )
-    )
-    op.execute(
-        text(
-            "ALTER TABLE purchases "
-            "ADD CONSTRAINT purchases_user_id_fkey "
-            "FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE"
-        )
-    )
-
-
-def downgrade() -> None:
-    # Drop FK constraints
-    op.execute(text("ALTER TABLE user_store_accounts DROP CONSTRAINT IF EXISTS user_store_accounts_user_id_fkey"))
-    op.execute(text("ALTER TABLE purchases DROP CONSTRAINT IF EXISTS purchases_user_id_fkey"))
-
-    # Revert users.id from text to uuid
-    op.alter_column(
-        "users",
-        "id",
-        type_=sa.UUID(),
-        existing_type=sa.Text(),
-        postgresql_using="id::uuid",
-    )
-
-    # Revert user_store_accounts.user_id from text to uuid
-    op.alter_column(
-        "user_store_accounts",
-        "user_id",
-        type_=sa.UUID(),
-        existing_type=sa.Text(),
-        postgresql_using="user_id::uuid",
-    )
-
-    # Revert purchases.user_id from text to uuid
-    op.alter_column(
-        "purchases",
-        "user_id",
-        type_=sa.UUID(),
-        existing_type=sa.Text(),
-        postgresql_using="user_id::uuid",
-    )
-
-    # Re-add FK constraints (PostgreSQL will auto-name them)
-    op.execute(
-        text(
-            "ALTER TABLE user_store_accounts "
-            "ADD CONSTRAINT user_store_accounts_user_id_fkey "
-            "FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE"
-        )
-    )
-    op.execute(
-        text(
-            "ALTER TABLE purchases "
-            "ADD CONSTRAINT purchases_user_id_fkey "
-            "FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE"
-        )
-    )

api/src/cartsnitch_api/auth/dependencies.py

@@ -5,6 +5,7 @@ Sessions are verified by querying the shared sessions table directly.
 """
 
 from datetime import UTC, datetime
+from uuid import UUID
 
 from fastapi import Cookie, Depends, Header, HTTPException, Request, status
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
@@ -18,27 +19,18 @@ from cartsnitch_api.database import get_db
 # but we support Bearer tokens for service-to-service or mobile clients.
 bearer_scheme = HTTPBearer(auto_error=False)
 
-# Better-Auth session cookie names.
-# Over HTTPS Better-Auth adds the __Secure- prefix automatically.
-SESSION_COOKIE_NAMES = [
-    "__Secure-better-auth.session_token",  # HTTPS (deployed)
-    "better-auth.session_token",            # HTTP (local dev)
-]
+# Better-Auth session cookie name
+SESSION_COOKIE_NAME = "better-auth.session_token"
 
 
-async def _validate_session_token(token: str, db: AsyncSession) -> str:
+async def _validate_session_token(token: str, db: AsyncSession) -> UUID:
     """Validate a Better-Auth session token against the sessions table.
 
-    Returns the user_id (as str) if the session is valid and not expired.
-    Better-Auth v1.5.6 stores raw tokens in the DB. The session cookie
-    is signed: ``rawToken.base64HMACSignature``. Strip the signature
-    before querying.
+    Returns the user_id (as UUID) if the session is valid and not expired.
     """
-    # Signed cookie format: rawToken.hmacSignature — split and use only the token part
-    raw_token = token.split(".")[0] if "." in token else token
     result = await db.execute(
         text("SELECT user_id, expires_at FROM sessions WHERE token = :token"),
-        {"token": raw_token},
+        {"token": token},
     )
     row = result.first()
 
@@ -59,14 +51,14 @@ async def _validate_session_token(token: str, db: AsyncSession) -> str:
             detail="Session expired",
         )
 
-    return str(user_id)
+    return UUID(str(user_id))
 
 
 async def get_current_user(
     request: Request,
     credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
     db: AsyncSession = Depends(get_db),
-) -> str:
+) -> UUID:
     """Extract and validate the session token from cookie or Authorization header.
 
     Checks in order:
@@ -75,12 +67,8 @@ async def get_current_user(
     """
     token: str | None = None
 
-    # 1. Check session cookie (try both names for HTTP/HTTPS compatibility)
-    cookie_token = None
-    for name in SESSION_COOKIE_NAMES:
-        cookie_token = request.cookies.get(name)
-        if cookie_token:
-            break
+    # 1. Check session cookie
+    cookie_token = request.cookies.get(SESSION_COOKIE_NAME)
     if cookie_token:
         token = cookie_token
 

api/src/cartsnitch_api/auth/jwt.py

@@ -2,21 +2,22 @@
 
 from datetime import UTC, datetime, timedelta
 from typing import Any, cast
+from uuid import UUID
 
 from jose import JWTError, jwt
 
 from cartsnitch_api.config import settings
 
 
-def create_access_token(user_id: str) -> str:
+def create_access_token(user_id: UUID) -> str:
     expire = datetime.now(UTC) + timedelta(minutes=settings.jwt_access_token_expire_minutes)
-    payload = {"sub": user_id, "exp": expire, "type": "access"}
+    payload = {"sub": str(user_id), "exp": expire, "type": "access"}
     return cast(str, jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm))
 
 
-def create_refresh_token(user_id: str) -> str:
+def create_refresh_token(user_id: UUID) -> str:
     expire = datetime.now(UTC) + timedelta(days=settings.jwt_refresh_token_expire_days)
-    payload = {"sub": user_id, "exp": expire, "type": "refresh"}
+    payload = {"sub": str(user_id), "exp": expire, "type": "refresh"}
     return cast(str, jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm))
 
 

api/src/cartsnitch_api/auth/routes.py

@@ -5,6 +5,8 @@ the Better-Auth service (auth/). This router provides user profile
 endpoints that query our own user data from the shared database.
 """
 
+from uuid import UUID
+
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -21,7 +23,7 @@ router = APIRouter(prefix="/auth", tags=["auth"])
 
 @router.get("/me", response_model=UserResponse)
 async def get_me(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AuthService(db)
@@ -36,7 +38,7 @@ async def get_me(
 @router.patch("/me", response_model=UserResponse)
 async def update_me(
     body: UpdateUserRequest,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AuthService(db)
@@ -52,7 +54,7 @@ async def update_me(
 
 @router.delete("/me", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_me(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AuthService(db)

api/src/cartsnitch_api/main.py

@@ -2,7 +2,7 @@
 
 from contextlib import asynccontextmanager
 
-from fastapi import APIRouter, FastAPI
+from fastapi import FastAPI
 
 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.middleware.cors import add_cors_middleware
@@ -46,19 +46,15 @@ def create_app() -> FastAPI:
     # Routers
     app.include_router(health_router)
     app.include_router(auth_router)
-
-    # Data endpoints mounted under /api/v1
-    v1_router = APIRouter(prefix="/api/v1")
-    v1_router.include_router(stores_router)
-    v1_router.include_router(purchases_router)
-    v1_router.include_router(products_router)
-    v1_router.include_router(prices_router)
-    v1_router.include_router(coupons_router)
-    v1_router.include_router(shopping_router)
-    v1_router.include_router(alerts_router)
-    v1_router.include_router(scraping_router)
-    v1_router.include_router(public_router)
-    app.include_router(v1_router)
+    app.include_router(stores_router)
+    app.include_router(purchases_router)
+    app.include_router(products_router)
+    app.include_router(prices_router)
+    app.include_router(coupons_router)
+    app.include_router(shopping_router)
+    app.include_router(alerts_router)
+    app.include_router(scraping_router)
+    app.include_router(public_router)
 
     return app
 

api/src/cartsnitch_api/models/purchase.py

@@ -32,7 +32,7 @@ class Purchase(UUIDPrimaryKeyMixin, TimestampMixin, Base):
 
     __tablename__ = "purchases"
 
-    user_id: Mapped[str] = mapped_column(ForeignKey("users.id"), nullable=False)
+    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("users.id"), nullable=False)
     store_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("stores.id"), nullable=False)
     store_location_id: Mapped[uuid.UUID | None] = mapped_column(ForeignKey("store_locations.id"))
     receipt_id: Mapped[str] = mapped_column(String(200), nullable=False)

api/src/cartsnitch_api/models/user.py

@@ -4,7 +4,7 @@ import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING
 
-from sqlalchemy import DateTime, ForeignKey, String, Text, UniqueConstraint
+from sqlalchemy import DateTime, ForeignKey, String, UniqueConstraint
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from cartsnitch_api.constants import AccountStatus
@@ -16,12 +16,11 @@ if TYPE_CHECKING:
     from cartsnitch_api.models.store import Store
 
 
-class User(TimestampMixin, Base):
+class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     """Application user."""
 
     __tablename__ = "users"
 
-    id: Mapped[str] = mapped_column(Text, primary_key=True)
     email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
     hashed_password: Mapped[str] = mapped_column(String(255), nullable=False)
     display_name: Mapped[str | None] = mapped_column(String(100))
@@ -37,7 +36,7 @@ class UserStoreAccount(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     __tablename__ = "user_store_accounts"
     __table_args__ = (UniqueConstraint("user_id", "store_id", name="uq_user_store_account"),)
 
-    user_id: Mapped[str] = mapped_column(ForeignKey("users.id"), nullable=False)
+    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("users.id"), nullable=False)
     store_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("stores.id"), nullable=False)
     session_data: Mapped[dict | None] = mapped_column(EncryptedJSON)
     session_expires_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))

api/src/cartsnitch_api/routes/alerts.py

@@ -1,5 +1,7 @@
 """Alert routes: list alerts, manage settings."""
 
+from uuid import UUID
+
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -13,7 +15,7 @@ router = APIRouter(prefix="/alerts", tags=["alerts"])
 
 @router.get("", response_model=list[AlertResponse])
 async def list_alerts(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AlertService(db)
@@ -22,7 +24,7 @@ async def list_alerts(
 
 @router.get("/settings", response_model=AlertSettingsResponse)
 async def get_alert_settings(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = AlertService(db)
@@ -32,7 +34,7 @@ async def get_alert_settings(
 @router.put("/settings")
 async def update_alert_settings(
     body: AlertSettingsRequest,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     raise HTTPException(

api/src/cartsnitch_api/routes/coupons.py

@@ -16,7 +16,7 @@ router = APIRouter(prefix="/coupons", tags=["coupons"])
 @router.get("", response_model=list[CouponResponse])
 async def list_coupons(
     store_id: UUID | None = Query(None),
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = CouponService(db)
@@ -25,7 +25,7 @@ async def list_coupons(
 
 @router.get("/relevant", response_model=list[CouponResponse])
 async def relevant_coupons(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = CouponService(db)

api/src/cartsnitch_api/routes/prices.py

@@ -20,7 +20,7 @@ router = APIRouter(prefix="/prices", tags=["prices"])
 
 @router.get("/trends", response_model=list[PriceTrendResponse])
 async def price_trends(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     category: str | None = Query(None),
     db: AsyncSession = Depends(get_db),
 ):
@@ -30,7 +30,7 @@ async def price_trends(
 
 @router.get("/increases", response_model=list[PriceIncreaseResponse])
 async def price_increases(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PriceService(db)
@@ -40,7 +40,7 @@ async def price_increases(
 @router.get("/comparison", response_model=list[PriceComparisonResponse])
 async def price_comparison(
     product_ids: Annotated[list[UUID], Query()],
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PriceService(db)

api/src/cartsnitch_api/routes/products.py

@@ -15,7 +15,7 @@ router = APIRouter(prefix="/products", tags=["products"])
 
 @router.get("", response_model=list[ProductResponse])
 async def list_products(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     q: str | None = Query(None),
     category: str | None = Query(None),
     page: int = Query(1, ge=1),
@@ -29,7 +29,7 @@ async def list_products(
 @router.get("/{product_id}", response_model=ProductDetailResponse)
 async def get_product(
     product_id: UUID,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = ProductService(db)
@@ -44,7 +44,7 @@ async def get_product(
 @router.get("/{product_id}/prices", response_model=PriceTrendResponse)
 async def get_product_prices(
     product_id: UUID,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = ProductService(db)

api/src/cartsnitch_api/routes/purchases.py

@@ -15,7 +15,7 @@ router = APIRouter(prefix="/purchases", tags=["purchases"])
 
 @router.get("", response_model=list[PurchaseResponse])
 async def list_purchases(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     store_id: UUID | None = Query(None),
     page: int = Query(1, ge=1),
     page_size: int = Query(20, ge=1, le=100),
@@ -27,7 +27,7 @@ async def list_purchases(
 
 @router.get("/stats", response_model=PurchaseStatsResponse)
 async def purchase_stats(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PurchaseService(db)
@@ -37,7 +37,7 @@ async def purchase_stats(
 @router.get("/{purchase_id}", response_model=PurchaseDetailResponse)
 async def get_purchase(
     purchase_id: UUID,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = PurchaseService(db)

api/src/cartsnitch_api/routes/scraping.py

@@ -1,5 +1,7 @@
 """Scraping routes: trigger sync, check status (proxy to ReceiptWitness)."""
 
+from uuid import UUID
+
 from fastapi import APIRouter, Depends, HTTPException, status
 from httpx import HTTPStatusError, RequestError
 
@@ -11,7 +13,7 @@ router = APIRouter(prefix="/scraping", tags=["scraping"])
 
 
 @router.post("/{store_slug}/sync", response_model=SyncTriggerResponse)
-async def trigger_sync(store_slug: str, user_id: str = Depends(get_current_user)):
+async def trigger_sync(store_slug: str, user_id: UUID = Depends(get_current_user)):
     client = ReceiptWitnessClient()
     try:
         result = await client.trigger_sync(str(user_id), store_slug)
@@ -29,7 +31,7 @@ async def trigger_sync(store_slug: str, user_id: str = Depends(get_current_user)
 
 
 @router.get("/status", response_model=list[SyncStatusResponse])
-async def sync_status(user_id: str = Depends(get_current_user)):
+async def sync_status(user_id: UUID = Depends(get_current_user)):
     client = ReceiptWitnessClient()
     try:
         return await client.get_sync_status(str(user_id))

api/src/cartsnitch_api/routes/shopping.py

@@ -1,5 +1,7 @@
 """Shopping routes: optimize list, saved lists."""
 
+from uuid import UUID
+
 from fastapi import APIRouter, Depends, HTTPException, status
 from httpx import HTTPStatusError, RequestError
 
@@ -11,7 +13,7 @@ router = APIRouter(prefix="/shopping", tags=["shopping"])
 
 
 @router.post("/optimize", response_model=OptimizeResponse)
-async def optimize_shopping(body: OptimizeRequest, user_id: str = Depends(get_current_user)):
+async def optimize_shopping(body: OptimizeRequest, user_id: UUID = Depends(get_current_user)):
     client = ClipArtistClient()
     try:
         result = await client.optimize(
@@ -35,7 +37,7 @@ async def optimize_shopping(body: OptimizeRequest, user_id: str = Depends(get_cu
 
 
 @router.get("/lists", response_model=list[ShoppingListResponse])
-async def list_shopping_lists(user_id: str = Depends(get_current_user)):
+async def list_shopping_lists(user_id: UUID = Depends(get_current_user)):
     client = ClipArtistClient()
     try:
         return await client.get_shopping_lists(str(user_id))

api/src/cartsnitch_api/routes/stores.py

@@ -1,5 +1,7 @@
 """Store routes: list stores, manage user store connections."""
 
+from uuid import UUID
+
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -19,7 +21,7 @@ async def list_stores(db: AsyncSession = Depends(get_db)):
 
 @router.get("/me/stores", response_model=list[StoreAccountResponse])
 async def list_user_stores(
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = StoreService(db)
@@ -34,7 +36,7 @@ async def list_user_stores(
 async def connect_store(
     store_slug: str,
     body: ConnectStoreRequest,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = StoreService(db)
@@ -49,7 +51,7 @@ async def connect_store(
 @router.delete("/me/stores/{store_slug}", status_code=status.HTTP_204_NO_CONTENT)
 async def disconnect_store(
     store_slug: str,
-    user_id: str = Depends(get_current_user),
+    user_id: UUID = Depends(get_current_user),
     db: AsyncSession = Depends(get_db),
 ):
     svc = StoreService(db)

api/src/cartsnitch_api/schemas.py

@@ -16,7 +16,7 @@ class UpdateUserRequest(BaseModel):
 
 
 class UserResponse(BaseModel):
-    id: str
+    id: UUID
     email: str
     display_name: str
     created_at: datetime

api/src/cartsnitch_api/services/alerts.py

@@ -4,6 +4,8 @@ Alerts are generated by StickerShock and ShrinkRay services and written to the D
 This service reads them for the API gateway.
 """
 
+from uuid import UUID
+
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
@@ -13,7 +15,7 @@ class AlertService:
     def __init__(self, db: AsyncSession) -> None:
         self.db = db
 
-    async def list_alerts(self, user_id: str) -> list[dict]:
+    async def list_alerts(self, user_id: UUID) -> list[dict]:
         """List shrinkflation events for products the user has purchased."""
         from cartsnitch_api.models import Purchase, PurchaseItem, ShrinkflationEvent
 
@@ -55,7 +57,7 @@ class AlertService:
             for e in events
         ]
 
-    async def get_settings(self, user_id: str) -> dict:
+    async def get_settings(self, user_id: UUID) -> dict:
         # Alert settings would be stored in a user_settings table.
         # For now, return defaults since the table doesn't exist yet in common lib.
         return {
@@ -64,7 +66,7 @@ class AlertService:
             "email_notifications": False,
         }
 
-    async def update_settings(self, user_id: str, **fields) -> dict:
+    async def update_settings(self, user_id: UUID, **fields) -> dict:
         # Would update user_settings table. Return merged defaults for now.
         current = await self.get_settings(user_id)
         for k, v in fields.items():

api/src/cartsnitch_api/services/auth.py

@@ -5,6 +5,8 @@ handled by the Better-Auth service (auth/). This service provides
 user lookup and profile update operations for the API gateway.
 """
 
+from uuid import UUID
+
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -13,7 +15,7 @@ class AuthService:
     def __init__(self, db: AsyncSession) -> None:
         self.db = db
 
-    async def get_user(self, user_id: str) -> dict:
+    async def get_user(self, user_id: UUID) -> dict:
         from cartsnitch_api.models import User
 
         result = await self.db.execute(select(User).where(User.id == user_id))
@@ -28,7 +30,7 @@ class AuthService:
             "created_at": user.created_at,
         }
 
-    async def update_user(self, user_id: str, **fields) -> dict:
+    async def update_user(self, user_id: UUID, **fields) -> dict:
         from cartsnitch_api.models import User
 
         result = await self.db.execute(select(User).where(User.id == user_id))
@@ -56,7 +58,7 @@ class AuthService:
             "created_at": user.created_at,
         }
 
-    async def delete_user(self, user_id: str) -> None:
+    async def delete_user(self, user_id: UUID) -> None:
         from cartsnitch_api.models import User
 
         result = await self.db.execute(select(User).where(User.id == user_id))

api/src/cartsnitch_api/services/coupons.py

@@ -29,7 +29,7 @@ class CouponService:
         coupons = result.scalars().all()
         return [self._to_dict(c) for c in coupons]
 
-    async def relevant_coupons(self, user_id: str) -> list[dict]:
+    async def relevant_coupons(self, user_id: UUID) -> list[dict]:
         """Coupons for products the user has purchased."""
         from cartsnitch_api.models import Coupon, PurchaseItem
 

api/src/cartsnitch_api/services/purchases.py

@@ -13,7 +13,7 @@ class PurchaseService:
 
     async def list_purchases(
         self,
-        user_id: str,
+        user_id: UUID,
         store_id: UUID | None = None,
         page: int = 1,
         page_size: int = 20,
@@ -56,7 +56,7 @@ class PurchaseService:
             for p, item_count, store_name in result.all()
         ]
 
-    async def get_purchase(self, purchase_id: UUID, user_id: str) -> dict:
+    async def get_purchase(self, purchase_id: UUID, user_id: UUID) -> dict:
         from cartsnitch_api.models import Purchase
 
         result = await self.db.execute(
@@ -88,7 +88,7 @@ class PurchaseService:
             ],
         }
 
-    async def get_stats(self, user_id: str) -> dict:
+    async def get_stats(self, user_id: UUID) -> dict:
         from cartsnitch_api.models import Purchase
 
         result = await self.db.execute(

api/src/cartsnitch_api/services/stores.py

@@ -1,6 +1,7 @@
 """Store service — list stores, manage user store account connections."""
 
 import json
+from uuid import UUID
 
 from cryptography.fernet import Fernet
 from sqlalchemy import select
@@ -34,7 +35,7 @@ class StoreService:
             for s in stores
         ]
 
-    async def list_user_stores(self, user_id: str) -> list[dict]:
+    async def list_user_stores(self, user_id: UUID) -> list[dict]:
         from cartsnitch_api.models import UserStoreAccount
 
         result = await self.db.execute(
@@ -59,7 +60,7 @@ class StoreService:
             for a in accounts
         ]
 
-    async def connect_store(self, user_id: str, store_slug: str, credentials: dict | None) -> dict:
+    async def connect_store(self, user_id: UUID, store_slug: str, credentials: dict | None) -> dict:
         from cartsnitch_api.models import Store, UserStoreAccount
 
         result = await self.db.execute(select(Store).where(Store.slug == store_slug))
@@ -106,7 +107,7 @@ class StoreService:
             "sync_status": "active",
         }
 
-    async def disconnect_store(self, user_id: str, store_slug: str) -> None:
+    async def disconnect_store(self, user_id: UUID, store_slug: str) -> None:
         from cartsnitch_api.models import Store, UserStoreAccount
 
         result = await self.db.execute(select(Store).where(Store.slug == store_slug))

e2e/fixtures.ts

@@ -1,12 +0,0 @@
-import { test as base, expect } from "@playwright/test";
-import AxeBuilder from "@axe-core/playwright";
-
-export const test = base.extend<{ axeCheck: void }>({
-  axeCheck: [async ({ page }, use) => {
-    await use();
-    const results = await new AxeBuilder({ page }).analyze();
-    expect(results.violations).toEqual([]);
-  }, { auto: true }],
-});
-
-export { expect } from "@playwright/test";

e2e/journeys/j1-registration-login.spec.ts

@@ -1,56 +0,0 @@
-import { test, expect } from '@playwright/test';
-
-const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;
-
-test.describe('J1: Registration and Login', () => {
-  test('can register a new account and lands on dashboard', async ({ page }) => {
-    await page.goto('/register');
-    await page.fill('[placeholder="Full Name"]', 'Betty Tester');
-    await page.fill('[placeholder="Email"]', uniqueEmail());
-    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-
-    // With VITE_MOCK_AUTH=true the app navigates to "/" on success
-    await expect(page).toHaveURL('http://localhost:5173/');
-    await expect(page.getByRole('heading', { name: /cart/i })).toBeVisible();
-  });
-
-  test('shows validation error when registration fields are empty', async ({ page }) => {
-    await page.goto('/register');
-    await page.click('button[type="submit"]');
-
-    await expect(page.locator('.bg-red-50')).toContainText('Please fill in all fields');
-  });
-
-  test('can navigate from register to login', async ({ page }) => {
-    await page.goto('/register');
-    await page.getByRole('link', { name: /sign in/i }).click();
-
-    await expect(page).toHaveURL(/\/login/);
-    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
-  });
-
-  test('can sign in with credentials and land on dashboard', async ({ page }) => {
-    // Register first so we have a real account
-    const email = uniqueEmail();
-    await page.goto('/register');
-    await page.fill('[placeholder="Full Name"]', 'Login Betty');
-    await page.fill('[placeholder="Email"]', email);
-    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-    await expect(page).toHaveURL('http://localhost:5173/');
-
-    // Sign out by clearing the mock session (reload with no session)
-    await page.goto('/');
-    await page.reload();
-
-    // Now sign in
-    await page.goto('/login');
-    await page.fill('[placeholder="Email"]', email);
-    await page.fill('[placeholder="Password"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-
-    await expect(page).toHaveURL('http://localhost:5173/');
-  });
-
-});

e2e/journeys/j8-unauth-access.spec.ts

@@ -1,49 +0,0 @@
-import { test, expect } from '@playwright/test';
-
-test.describe('J8: Unauthenticated Access', () => {
-  test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
-    // No session cookie — start fresh
-    await page.context().clearCookies();
-    await page.goto('/');
-
-    await expect(page).toHaveURL(/\/login/);
-    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
-  });
-
-  test('redirects /purchases to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
-    await page.goto('/purchases');
-
-    await expect(page).toHaveURL(/\/login/);
-    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
-  });
-
-  test('redirects /products to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
-    await page.goto('/products');
-
-    await expect(page).toHaveURL(/\/login/);
-    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
-  });
-
-  test('redirects /coupons to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
-    await page.goto('/coupons');
-
-    await expect(page).toHaveURL(/\/login/);
-    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
-  });
-
-  test('shows loading spinner while auth session is pending', async ({ page }) => {
-    // Intercept but don't respond — session stays pending
-    await page.context().clearCookies();
-    await page.request.fetch('/api/auth/session', {
-      method: 'GET',
-    });
-
-    // Just navigate to a protected route — ProtectedRoute will show spinner while session is pending
-    await page.goto('/purchases');
-    // Spinner is visible briefly; once resolved, should redirect to login
-    await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
-  });
-});

e2e/smoke.spec.ts

@@ -1,8 +1,6 @@
-import { test, expect } from './fixtures';
+import { test, expect } from '@playwright/test';
 
 test('app loads', async ({ page }) => {
   await page.goto('/');
-  // Unauthenticated users are redirected to /login
-  await expect(page).toHaveURL(/\/login/);
-  await expect(page.getByRole('heading', { name: /CartSnitch/i })).toBeVisible();
+  await expect(page).toHaveTitle(/CartSnitch/);
 });

lighthouserc.json

@@ -1,24 +0,0 @@
-{
-  "ci": {
-    "collect": {
-      "staticDistDir": "./dist",
-      "url": ["http://localhost:4173/"],
-      "numberOfRuns": 1,
-      "settings": {
-        "chromeFlags": ["--headless=new", "--no-sandbox", "--disable-gpu", "--disable-dev-shm-usage"],
-        "skipAudits": ["bf-cache"],
-        "disableFullPageScreenshot": true
-      }
-    },
-    "assert": {
-      "assertions": {
-        "categories:performance": ["warn", { "minScore": 0.7 }],
-        "categories:accessibility": ["error", { "minScore": 0.9 }],
-        "categories:best-practices": ["warn", { "minScore": 0.8 }]
-      }
-    },
-    "upload": {
-      "target": "temporary-public-storage"
-    }
-  }
-}

package-lock.json

@@ -10,7 +10,6 @@
       "dependencies": {
         "@tanstack/react-query": "^5.0.0",
         "better-auth": "^1.2.0",
-        "picomatch": "4.0.4",
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "react-router-dom": "^7.0.0",
@@ -18,23 +17,21 @@
         "zustand": "^5.0.0"
       },
       "devDependencies": {
-        "@axe-core/playwright": "^4.10.0",
         "@eslint/js": "^9.39.4",
-        "@playwright/test": "^1.58.2",
+        "@playwright/test": "^1.49.0",
         "@tailwindcss/vite": "^4.0.0",
         "@testing-library/jest-dom": "^6.6.3",
         "@testing-library/react": "^16.3.2",
         "@types/node": "^24.12.0",
         "@types/react": "^18.3.28",
         "@types/react-dom": "^18.3.7",
-        "@vitejs/plugin-react": "^4.7.0",
+        "@vitejs/plugin-react": "^4.5.2",
         "eslint": "^9.39.4",
         "eslint-plugin-react-hooks": "^7.0.1",
         "eslint-plugin-react-refresh": "^0.5.2",
         "globals": "^17.4.0",
         "jsdom": "^25.0.1",
         "msw": "^2.12.14",
-        "playwright": "^1.58.2",
         "tailwindcss": "^4.0.0",
         "typescript": "^5.7.3",
         "typescript-eslint": "^8.56.1",
@@ -71,19 +68,6 @@
       "devOptional": true,
       "license": "ISC"
     },
-    "node_modules/@axe-core/playwright": {
-      "version": "4.11.1",
-      "resolved": "https://registry.npmjs.org/@axe-core/playwright/-/playwright-4.11.1.tgz",
-      "integrity": "sha512-mKEfoUIB1MkVTht0BGZFXtSAEKXMJoDkyV5YZ9jbBmZCcWDz71tegNsdTkIN8zc/yMi5Gm2kx7Z5YQ9PfWNAWw==",
-      "dev": true,
-      "license": "MPL-2.0",
-      "dependencies": {
-        "axe-core": "~4.11.1"
-      },
-      "peerDependencies": {
-        "playwright-core": ">= 1.0.0"
-      }
-    },
     "node_modules/@babel/code-frame": {
       "version": "7.29.0",
       "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
@@ -4508,16 +4492,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/axe-core": {
-      "version": "4.11.1",
-      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.1.tgz",
-      "integrity": "sha512-BASOg+YwO2C+346x3LZOeoovTIoTrRqEsqMa6fmfAV0P+U9mFr9NsyOEpiYvFjbc64NMrSswhV50WdXzdb/Z5A==",
-      "dev": true,
-      "license": "MPL-2.0",
-      "engines": {
-        "node": ">=4"
-      }
-    },
     "node_modules/babel-plugin-polyfill-corejs2": {
       "version": "0.4.16",
       "resolved": "https://registry.npmjs.org/babel-plugin-polyfill-corejs2/-/babel-plugin-polyfill-corejs2-0.4.16.tgz",
@@ -6078,9 +6052,9 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "version": "3.4.1",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.1.tgz",
+      "integrity": "sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==",
       "dev": true,
       "license": "ISC"
     },
@@ -8203,9 +8177,10 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "devOptional": true,
       "license": "MIT",
       "engines": {
         "node": ">=12"
@@ -8363,6 +8338,16 @@
         "node": ">=6"
       }
     },
+    "node_modules/randombytes": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
+      "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "^5.1.0"
+      }
+    },
     "node_modules/react": {
       "version": "18.3.1",
       "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
@@ -8769,6 +8754,27 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT"
+    },
     "node_modules/safe-push-apply": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/safe-push-apply/-/safe-push-apply-1.0.0.tgz",
@@ -8844,13 +8850,13 @@
       }
     },
     "node_modules/serialize-javascript": {
-      "version": "7.0.5",
-      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz",
-      "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==",
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz",
+      "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==",
       "dev": true,
       "license": "BSD-3-Clause",
-      "engines": {
-        "node": ">=20.0.0"
+      "dependencies": {
+        "randombytes": "^2.1.0"
       }
     },
     "node_modules/set-cookie-parser": {
@@ -10440,6 +10446,31 @@
         "rollup": "^1.20.0 || ^2.0.0"
       }
     },
+    "node_modules/workbox-build/node_modules/@rollup/pluginutils": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-3.1.0.tgz",
+      "integrity": "sha512-GksZ6pr6TpIjHm8h9lSQ8pi8BE9VeubNT0OMJ3B5uZJ8pz73NPiqOtCog/x2/QzM1ENChPKxMDhiQuRHsqc+lg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "0.0.39",
+        "estree-walker": "^1.0.1",
+        "picomatch": "^2.2.2"
+      },
+      "engines": {
+        "node": ">= 8.0.0"
+      },
+      "peerDependencies": {
+        "rollup": "^1.20.0||^2.0.0"
+      }
+    },
+    "node_modules/workbox-build/node_modules/@types/estree": {
+      "version": "0.0.39",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-0.0.39.tgz",
+      "integrity": "sha512-EYNwp3bU+98cpU4lAWYYL7Zz+2gryWH1qbdDTidVd6hkiR6weksdbMadyXKXNPEkQFhXM+hVO9ZygomHXp+AIw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/workbox-build/node_modules/ajv": {
       "version": "8.18.0",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
@@ -10457,6 +10488,13 @@
         "url": "https://github.com/sponsors/epoberezkin"
       }
     },
+    "node_modules/workbox-build/node_modules/estree-walker": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-1.0.1.tgz",
+      "integrity": "sha512-1fMXF3YP4pZZVozF8j/ZLfvnR8NSIljt56UhbZ5PeeDmmGHpgpdwQt7ITlGvYaQukCvuBRMLEiKiYC+oeIg4cg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/workbox-build/node_modules/json-schema-traverse": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz",
@@ -10474,6 +10512,19 @@
         "sourcemap-codec": "^1.4.8"
       }
     },
+    "node_modules/workbox-build/node_modules/picomatch": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
     "node_modules/workbox-build/node_modules/pretty-bytes": {
       "version": "5.6.0",
       "resolved": "https://registry.npmjs.org/pretty-bytes/-/pretty-bytes-5.6.0.tgz",

package.json

@@ -15,7 +15,6 @@
   "dependencies": {
     "@tanstack/react-query": "^5.0.0",
     "better-auth": "^1.2.0",
-    "picomatch": "4.0.4",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router-dom": "^7.0.0",
@@ -23,33 +22,26 @@
     "zustand": "^5.0.0"
   },
   "devDependencies": {
-    "@axe-core/playwright": "^4.10.0",
     "@eslint/js": "^9.39.4",
-    "@playwright/test": "^1.58.2",
     "@tailwindcss/vite": "^4.0.0",
     "@testing-library/jest-dom": "^6.6.3",
     "@testing-library/react": "^16.3.2",
     "@types/node": "^24.12.0",
     "@types/react": "^18.3.28",
     "@types/react-dom": "^18.3.7",
-    "@vitejs/plugin-react": "^4.7.0",
+    "@vitejs/plugin-react": "^4.5.2",
     "eslint": "^9.39.4",
     "eslint-plugin-react-hooks": "^7.0.1",
     "eslint-plugin-react-refresh": "^0.5.2",
+    "@playwright/test": "^1.49.0",
     "globals": "^17.4.0",
     "jsdom": "^25.0.1",
     "msw": "^2.12.14",
-    "playwright": "^1.58.2",
     "tailwindcss": "^4.0.0",
     "typescript": "^5.7.3",
     "typescript-eslint": "^8.56.1",
     "vite": "^6.3.5",
     "vite-plugin-pwa": "^0.21.2",
     "vitest": "^3.2.4"
-  },
-  "overrides": {
-    "@rollup/pluginutils": "5.3.0",
-    "flatted": "^3.4.2",
-    "serialize-javascript": "7.0.5"
   }
 }

playwright.config.ts

@@ -9,7 +9,7 @@ export default defineConfig({
     },
   ],
   webServer: {
-    command: 'VITE_MOCK_AUTH=true npm run dev',
+    command: 'npm run dev',
     url: 'http://localhost:5173',
     reuseExistingServer: !process.env.CI,
   },

public/robots.txt

@@ -1,4 +0,0 @@
-User-agent: *
-Allow: /
-
-Sitemap: https://cartsnitch.com/sitemap.xml

src/App.test.tsx

@@ -1,17 +1,23 @@
-import { render, screen } from '@testing-library/react'
-import { describe, it, expect, vi } from 'vitest'
-import App from './App.tsx'
-
-vi.mock('./lib/auth-client.ts', () => ({
-  authClient: {
-    useSession: () => ({ data: null, isPending: false }),
-  },
-}))
-
-describe('App', () => {
-  it('redirects unauthenticated users to login', () => {
-    render(<App />)
-    expect(screen.getByText('CartSnitch')).toBeInTheDocument()
-    expect(screen.getByRole('button', { name: /sign in/i })).toBeInTheDocument()
-  })
-})
+import { render, screen } from '@testing-library/react'
+import { describe, it, expect, vi } from 'vitest'
+import App from './App.tsx'
+
+vi.mock('./lib/auth-client.ts', () => ({
+  authClient: {
+    useSession: () => ({ data: null, isPending: false }),
+  },
+}))
+
+describe('App', () => {
+  it('renders the dashboard on the root route', () => {
+    render(<App />)
+    expect(screen.getByText('CartSnitch')).toBeInTheDocument()
+  })
+
+  it('renders the bottom navigation', () => {
+    render(<App />)
+    expect(screen.getByText('Home')).toBeInTheDocument()
+    expect(screen.getByText('Purchases')).toBeInTheDocument()
+    expect(screen.getByText('Products')).toBeInTheDocument()
+  })
+})

src/App.tsx

@@ -31,8 +31,8 @@ export default function App() {
       <BrowserRouter>
         <Routes>
           <Route element={<Layout />}>
+            <Route index element={<Dashboard />} />
             <Route element={<ProtectedRoute />}>
-              <Route index element={<Dashboard />} />
               <Route path="purchases" element={<Purchases />} />
               <Route path="purchases/:id" element={<PurchaseDetail />} />
               <Route path="products" element={<Products />} />

src/components/ProtectedRoute.tsx

@@ -4,22 +4,12 @@ import { authClient } from '../lib/auth-client.ts'
 import { useAuthStore } from '../stores/auth.ts'
 
 export function ProtectedRoute() {
-  const isMockAuth = import.meta.env.VITE_MOCK_AUTH === 'true'
   const { data: session, isPending } = authClient.useSession()
-  const isAuthenticated = useAuthStore((s) => s.isAuthenticated)
   const setAuthenticated = useAuthStore((s) => s.setAuthenticated)
 
   useEffect(() => {
-    if (!isMockAuth) {
-      setAuthenticated(!!session)
-    }
-  }, [session, setAuthenticated, isMockAuth])
-
-  // In mock auth mode, rely on Zustand store (set by Login/Register pages)
-  if (isMockAuth) {
-    if (!isAuthenticated) return <Navigate to="/login" replace />
-    return <Outlet />
-  }
+    setAuthenticated(!!session)
+  }, [session, setAuthenticated])
 
   if (isPending) {
     return (

src/hooks/useApi.ts

@@ -35,7 +35,7 @@ export function useProduct(id: string) {
 export function usePriceHistory(productId: string) {
   return useQuery({
     queryKey: ['priceHistory', productId],
-    queryFn: () => api.get<PriceHistory[]>(`/products/${productId}/prices`),
+    queryFn: () => api.get<PriceHistory[]>(`/products/${productId}/price-history`),
     enabled: !!productId,
   })
 }
@@ -50,6 +50,6 @@ export function useCoupons() {
 export function usePriceAlerts() {
   return useQuery({
     queryKey: ['priceAlerts'],
-    queryFn: () => api.get<PriceAlert[]>('/alerts'),
+    queryFn: () => api.get<PriceAlert[]>('/price-alerts'),
   })
 }

src/lib/api.ts

@@ -15,7 +15,7 @@ const mockRoutes: Record<string, (path: string) => unknown> = {
   '/purchases': () => mockPurchases,
   '/products': () => mockProducts,
   '/coupons': () => mockCoupons,
-  '/alerts': () => mockAlerts,
+  '/price-alerts': () => mockAlerts,
 }
 
 function matchMockRoute<T>(path: string): T | null {
@@ -30,7 +30,7 @@ function matchMockRoute<T>(path: string): T | null {
   }
 
   // /products/:id/price-history
-  const priceHistoryMatch = path.match(/^\/products\/(.+)\/prices$/)
+  const priceHistoryMatch = path.match(/^\/products\/(.+)\/price-history$/)
   if (priceHistoryMatch) {
     return getMockPriceHistory(priceHistoryMatch[1]) as T
   }

src/pages/Dashboard.tsx

@@ -173,7 +173,6 @@ function AuthenticatedDashboard({ userName }: { userName: string }) {
 function DashboardSkeleton() {
   return (
     <div className="animate-pulse">
-      <h1 className="sr-only">Loading CartSnitch…</h1>
       <div className="h-8 w-40 rounded bg-gray-200" />
       <div className="mt-4 grid grid-cols-2 gap-3">
         <div className="h-24 rounded-xl bg-gray-200" />

src/pages/Login.tsx

@@ -31,14 +31,8 @@ export function Login() {
         throw new Error(authError.message ?? 'Sign in failed')
       }
 
-      // After successful signIn, force a session fetch to confirm the cookie is set
-      // before navigating to the protected route
-      const sessionResult = await authClient.getSession()
-      if (sessionResult.data) {
-        navigate('/')
-      } else {
-        setError('Sign in failed. Please try again.')
-      }
+      setAuthenticated(true)
+      navigate('/')
     } catch {
       if (import.meta.env.VITE_MOCK_AUTH === 'true') {
         setAuthenticated(true)
@@ -52,7 +46,7 @@ export function Login() {
   }
 
   return (
-    <main className="flex min-h-screen flex-col items-center justify-center px-4">
+    <div className="flex min-h-screen flex-col items-center justify-center px-4">
       <h1 className="mb-2 text-3xl font-bold text-gray-900">CartSnitch</h1>
       <p className="mb-8 text-sm text-gray-500">Track prices. Save money.</p>
 
@@ -94,10 +88,10 @@ export function Login() {
 
       <p className="mt-6 text-sm text-gray-500">
         Don't have an account?{' '}
-        <Link to="/register" className="text-brand-blue underline">
+        <Link to="/register" className="text-brand-blue">
           Sign up
         </Link>
       </p>
-    </main>
+    </div>
   )
 }

src/pages/Register.tsx

@@ -38,15 +38,8 @@ export function Register() {
         throw new Error(authError.message ?? 'Registration failed')
       }
 
-      // After successful signUp, force a session fetch to confirm the cookie is set
-      // before navigating to the protected route
-      const sessionResult = await authClient.getSession()
-      if (sessionResult.data) {
-        navigate('/')
-      } else {
-        // Session not established — show success message and link to login
-        setError('Account created! Please sign in.')
-      }
+      setAuthenticated(true)
+      navigate('/')
     } catch {
       if (import.meta.env.VITE_MOCK_AUTH === 'true') {
         setAuthenticated(true)

src/test/mocks/handlers.ts

@@ -61,5 +61,5 @@ export const handlers = [
   http.get('/api/v1/products', () => HttpResponse.json(mockProducts)),
   http.get('/api/v1/products/prod_1', () => HttpResponse.json(mockProducts[0])),
   http.get('/api/v1/coupons', () => HttpResponse.json(mockCoupons)),
-  http.get('/api/v1/alerts', () => HttpResponse.json(mockAlerts)),
+  http.get('/api/v1/price-alerts', () => HttpResponse.json(mockAlerts)),
 ]