fix(e2e): correct j1 registration assertions to match dev Register.tsx flow

- Registration test: assert 'Check your email' heading (dev shows email verification screen after signUp, no session established) - Sign-in test: use mock routes directly without registration step; dev Login.tsx calls getSession() which the mock provides Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(e2e): await route mocks and add session mocking to all tests
2026-04-15 21:41:05 +00:00 · 2026-04-15 21:41:05 +00:00 · 2026-04-15 21:41:04 +00:00 · 2026-04-15 21:41:04 +00:00 · 2026-04-15 21:41:04 +00:00 · 2026-04-15 21:41:04 +00:00
41 changed files with 936 additions and 2176 deletions
@@ -16,17 +16,21 @@ permissions:
  security-events: write

 env:
-  REGISTRY: git.farh.net
+  REGISTRY: ghcr.io
  IMAGE_NAME: cartsnitch/cartsnitch
+  AUTH_IMAGE_NAME: cartsnitch/auth
  RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness
  API_IMAGE_NAME: cartsnitch/api
-  AUTH_IMAGE_NAME: cartsnitch/auth

 jobs:
  lint:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
      - run: npm ci
      - name: ESLint
        run: npx eslint .
@@ -34,10 +38,10 @@ jobs:
        run: npx tsc --noEmit

  test:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
@@ -46,10 +50,10 @@ jobs:
        run: npx vitest run

  audit:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
@@ -58,10 +62,10 @@ jobs:
        run: npm audit --audit-level=high

  e2e:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
@@ -70,11 +74,11 @@ jobs:
      - run: npx playwright test

  lighthouse:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    needs: [test]
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
@@ -95,14 +99,14 @@ jobs:
          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"

  build-and-push:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
      sha_tag: sha-${{ github.sha }}
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -130,13 +134,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
@@ -156,14 +160,12 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
-          cache-from: type=inline
-          cache-to: type=inline,mode=max
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Scan frontend image for vulnerabilities
        uses: anchore/scan-action@v5
        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
@@ -171,7 +173,11 @@ jobs:
          only-fixed: "true"
          output-format: sarif

-
+      - name: Upload frontend scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Push Docker image
        if: github.event_name == 'push'
@@ -182,7 +188,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
-          cache-from: type=inline
+          cache-from: type=gha

      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -190,191 +196,15 @@ jobs:
          git tag "v${{ steps.calver.outputs.version }}"
          git push origin "v${{ steps.calver.outputs.version }}"

-  build-and-push-receiptwitness:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-    needs: [lint, test]
-    outputs:
-      calver_tag: ${{ steps.calver.outputs.version }}
-      sha_tag: sha-${{ github.sha }}
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-        with:
-          fetch-depth: 0
-
-      - name: Generate CalVer tag
-        id: calver
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: |
-          DATE_TAG=$(date -u +%Y.%m.%d)
-          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
-          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
-          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
-          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to Gitea registry
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}
-          tags: |
-            type=sha,prefix=sha-,format=long
-            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
-      - name: Build Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./receiptwitness/Dockerfile
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=inline
-          cache-to: type=inline,mode=max
-
-      - name: Scan receiptwitness image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./receiptwitness/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=inline
-
-  build-and-push-api:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-    needs: [lint, test]
-    outputs:
-      calver_tag: ${{ steps.calver.outputs.version }}
-      sha_tag: sha-${{ github.sha }}
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-        with:
-          fetch-depth: 0
-
-      - name: Generate CalVer tag
-        id: calver
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: |
-          DATE_TAG=$(date -u +%Y.%m.%d)
-          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
-          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
-          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
-          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to Gitea registry
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Extract metadata (API)
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
-          tags: |
-            type=sha,prefix=sha-,format=long
-            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
-      - name: Build Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: ./api
-          file: ./api/Dockerfile
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=inline
-          cache-to: type=inline,mode=max
-
-      - name: Scan api image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: ./api
-          file: ./api/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=inline
-
  build-and-push-auth:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
-    needs: [lint, test]
+    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
      sha_tag: sha-${{ github.sha }}
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -384,9 +214,14 @@ jobs:
        run: |
          DATE_TAG=$(date -u +%Y.%m.%d)
          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
-          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
-          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
-          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
+          if [ -z "$EXISTING" ]; then
+            VERSION="$DATE_TAG"
+          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then
+            VERSION="${DATE_TAG}.2"
+          else
+            BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//")
+            VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"
+          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
@@ -396,13 +231,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (auth)
        id: meta
@@ -422,16 +257,12 @@ jobs:
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=inline
-          cache-to: type=inline,mode=max
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Scan auth image for vulnerabilities
        uses: anchore/scan-action@v5
        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
@@ -439,7 +270,11 @@ jobs:
          only-fixed: "true"
          output-format: sarif

-
+      - name: Upload auth scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Push Docker image
        if: github.event_name == 'push'
@@ -450,20 +285,199 @@ jobs:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=inline
+          cache-from: type=gha
+
+  build-and-push-receiptwitness:
+    runs-on: runners-cartsnitch
+    if: github.event_name == 'push'
+    needs: [lint, test]
+    outputs:
+      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate CalVer tag
+        id: calver
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          DATE_TAG=$(date -u +%Y.%m.%d)
+          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
+          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
+          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
+          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to Docker Hub
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to GHCR
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=sha-,format=long
+            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./receiptwitness/Dockerfile
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan receiptwitness image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload receiptwitness scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./receiptwitness/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
+  build-and-push-api:
+    runs-on: runners-cartsnitch
+    if: github.event_name == 'push'
+    needs: [lint, test]
+    outputs:
+      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate CalVer tag
+        id: calver
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          DATE_TAG=$(date -u +%Y.%m.%d)
+          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
+          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
+          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
+          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to Docker Hub
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to GHCR
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (API)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=sha-,format=long
+            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./api
+          file: ./api/Dockerfile
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan api image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      - name: Upload api scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./api
+          file: ./api/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha

  deploy-dev:
-    runs-on: ubuntu-latest
-    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth]
+    runs-on: runners-cartsnitch
+    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
      - name: Checkout infra repo
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.CI_GITEA_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
          ref: main
          path: infra

@@ -471,16 +485,7 @@ jobs:
        uses: azure/setup-kubectl@v4

      - name: Install kustomize
-        # imranismail/setup-kustomize@v2 calls the Gitea API to record
-        # telemetry under the "kubernetes-sigs" user, which doesn't exist
-        # on this Gitea instance. Install the binary directly instead.
-        run: |
-          set -euo pipefail
-          version="5.4.3"
-          url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz"
-          curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize
-          sudo install -m 0755 /tmp/kustomize /usr/local/bin/kustomize
-          kustomize version
+        uses: imranismail/setup-kustomize@v2

      - name: Determine image tag for frontend
        id: frontend_tag
@@ -488,44 +493,14 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
-
-      - name: Determine image tag for receiptwitness
-        id: receiptwitness_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update receiptwitness image tag
-        if: needs.build-and-push-receiptwitness.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
-
-      - name: Determine image tag for api
-        id: api_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update api image tag
-        if: needs.build-and-push-api.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for auth
        id: auth_tag
@@ -533,83 +508,74 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update auth image tag
        if: needs.build-and-push-auth.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}

-      - name: Commit and push to infra (via PR)
-        env:
-          CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update receiptwitness image tag
+        if: needs.build-and-push-receiptwitness.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update api image tag
+        if: needs.build-and-push-api.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+
+      - name: Commit and push to infra
        run: |
          cd infra
          git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/dev/kustomization.yaml
-          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
-          BRANCH="ci/deploy-dev-${GITHUB_SHA}"
-          git checkout -b "$BRANCH"
-          git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images"
-          git push origin "$BRANCH"
-          PR_BODY=$(printf 'Auto-opened by deploy-dev (CAR-1195).\n\nBuild SHA: %s' "${GITHUB_SHA}")
-          PR_JSON=$(curl -sS -X POST \
-            -H "Authorization: token ${CI_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(dev): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
-            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
-          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
-          if [ -z "$PR_NUM" ]; then
-            echo "::error::Failed to open PR against cartsnitch/infra: $PR_JSON"
-            exit 1
-          fi
-          echo "Opened cartsnitch/infra PR #${PR_NUM} (head=${BRANCH})"
-          # Request CTO (cs_savannah) review as the GitOps hand-off. Best-effort:
-          # log on non-2xx but never fail the job for this.
-          REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
-            -H "Authorization: token ${CI_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d '{"reviewers":["cs_savannah"]}' \
-            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers")
-          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
-            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
-          fi
-          # CAR-1216: the in-job merge attempt is a best-effort fast-path only.
-          # `cartsnitch/infra` main requires a human approving review (immutable
-          # branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
-          # approve, so this merge call structurally cannot succeed in the
-          # general case. Any non-merged outcome (approvals pending, checks
-          # pending, any other Gitea message) is the GitOps approval gate, not
-          # a CI failure — the PR is already opened and `cs_savannah` is
-          # requested as reviewer above. Surface the response as a notice and
-          # exit success. The only hard-fail (`exit 1`) in this step remains
-          # the empty-`PR_NUM` check (PR could not be created at all).
-          MERGE_RESP=$(curl -sS -X POST \
-            -H "Authorization: token ${CI_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d '{"Do":"merge","delete_branch_after_merge":true}' \
-            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")
-          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
-          if [ "$MERGED" = "true" ]; then
-            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
-          else
-            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
-            exit 0
-          fi
+          git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
+          git pull --rebase origin main
+          git push origin main

  deploy-uat:
-    runs-on: ubuntu-latest
-    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth]
+    runs-on: runners-cartsnitch
+    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
      - name: Checkout infra repo
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.CI_GITEA_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
          ref: main
          path: infra

@@ -617,16 +583,7 @@ jobs:
        uses: azure/setup-kubectl@v4

      - name: Install kustomize
-        # imranismail/setup-kustomize@v2 calls the Gitea API to record
-        # telemetry under the "kubernetes-sigs" user, which doesn't exist
-        # on this Gitea instance. Install the binary directly instead.
-        run: |
-          set -euo pipefail
-          version="5.4.3"
-          url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz"
-          curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize
-          sudo install -m 0755 /tmp/kustomize /usr/local/bin/kustomize
-          kustomize version
+        uses: imranismail/setup-kustomize@v2

      - name: Determine image tag for frontend
        id: frontend_tag
@@ -634,44 +591,14 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
-
-      - name: Determine image tag for receiptwitness
-        id: receiptwitness_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update receiptwitness image tag
-        if: needs.build-and-push-receiptwitness.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
-
-      - name: Determine image tag for api
-        id: api_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update api image tag
-        if: needs.build-and-push-api.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for auth
        id: auth_tag
@@ -679,69 +606,51 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update auth image tag
        if: needs.build-and-push-auth.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}

-      - name: Commit and push to infra (via PR)
-        env:
-          CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update receiptwitness image tag
+        if: needs.build-and-push-receiptwitness.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update api image tag
+        if: needs.build-and-push-api.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+
+      - name: Commit and push to infra
        run: |
          cd infra
          git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/uat/kustomization.yaml
-          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
-          BRANCH="ci/deploy-uat-${GITHUB_SHA}"
-          git checkout -b "$BRANCH"
-          git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images"
-          git push origin "$BRANCH"
-          PR_BODY=$(printf 'Auto-opened by deploy-uat (CAR-1195).\n\nBuild SHA: %s' "${GITHUB_SHA}")
-          PR_JSON=$(curl -sS -X POST \
-            -H "Authorization: token ${CI_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(uat): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
-            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
-          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
-          if [ -z "$PR_NUM" ]; then
-            echo "::error::Failed to open PR against cartsnitch/infra: $PR_JSON"
-            exit 1
-          fi
-          echo "Opened cartsnitch/infra PR #${PR_NUM} (head=${BRANCH})"
-          # Request CTO (cs_savannah) review as the GitOps hand-off. Best-effort:
-          # log on non-2xx but never fail the job for this.
-          REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
-            -H "Authorization: token ${CI_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d '{"reviewers":["cs_savannah"]}' \
-            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers")
-          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
-            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
-          fi
-          # CAR-1216: the in-job merge attempt is a best-effort fast-path only.
-          # `cartsnitch/infra` main requires a human approving review (immutable
-          # branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
-          # approve, so this merge call structurally cannot succeed in the
-          # general case. Any non-merged outcome (approvals pending, checks
-          # pending, any other Gitea message) is the GitOps approval gate, not
-          # a CI failure — the PR is already opened and `cs_savannah` is
-          # requested as reviewer above. Surface the response as a notice and
-          # exit success. The only hard-fail (`exit 1`) in this step remains
-          # the empty-`PR_NUM` check (PR could not be created at all).
-          MERGE_RESP=$(curl -sS -X POST \
-            -H "Authorization: token ${CI_GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            -d '{"Do":"merge","delete_branch_after_merge":true}' \
-            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")
-          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
-          if [ "$MERGED" = "true" ]; then
-            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
-          else
-            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
-            exit 0
-          fi
+          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
+          git pull --rebase origin main
+          git push origin main
@@ -1,108 +0,0 @@
-ignore:
-  # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
-  - vulnerability: CVE-2025-13836
-  - vulnerability: CVE-2026-4519
-
-  # Chrome CVEs — Playwright bundles Chromium and controls version separately.
-  # Chrome is not a system package that can be upgraded via apt-get upgrade.
-  # These CVEs are specific to the Chromium version bundled with Playwright.
-  # Upstream fix: upgrade Playwright to a version that includes patched Chrome.
-  - vulnerability: CVE-2026-2313
-  - vulnerability: CVE-2026-2314
-  - vulnerability: CVE-2026-2315
-  - vulnerability: CVE-2026-2319
-  - vulnerability: CVE-2026-2321
-  - vulnerability: CVE-2026-2441
-  - vulnerability: CVE-2026-2648
-  - vulnerability: CVE-2026-2649
-  - vulnerability: CVE-2026-2650
-  - vulnerability: CVE-2026-3061
-  - vulnerability: CVE-2026-3062
-  - vulnerability: CVE-2026-3536
-  - vulnerability: CVE-2026-3537
-  - vulnerability: CVE-2026-3538
-  - vulnerability: CVE-2026-3539
-  - vulnerability: CVE-2026-3540
-  - vulnerability: CVE-2026-3541
-  - vulnerability: CVE-2026-3542
-  - vulnerability: CVE-2026-3543
-  - vulnerability: CVE-2026-3544
-  - vulnerability: CVE-2026-3545
-  - vulnerability: CVE-2026-3913
-  - vulnerability: CVE-2026-3914
-  - vulnerability: CVE-2026-3915
-  - vulnerability: CVE-2026-3916
-  - vulnerability: CVE-2026-3917
-  - vulnerability: CVE-2026-3918
-  - vulnerability: CVE-2026-3919
-  - vulnerability: CVE-2026-3920
-  - vulnerability: CVE-2026-3921
-  - vulnerability: CVE-2026-3922
-  - vulnerability: CVE-2026-3923
-  - vulnerability: CVE-2026-3924
-  - vulnerability: CVE-2026-3926
-  - vulnerability: CVE-2026-3931
-  - vulnerability: CVE-2026-3932
-  - vulnerability: CVE-2026-3936
-  - vulnerability: CVE-2026-5858
-  - vulnerability: CVE-2026-5859
-  - vulnerability: CVE-2026-5860
-  - vulnerability: CVE-2026-5861
-  - vulnerability: CVE-2026-5862
-  - vulnerability: CVE-2026-5863
-  - vulnerability: CVE-2026-5865
-  - vulnerability: CVE-2026-5866
-  - vulnerability: CVE-2026-5868
-  - vulnerability: CVE-2026-5870
-  - vulnerability: CVE-2026-5871
-  - vulnerability: CVE-2026-5872
-  - vulnerability: CVE-2026-5873
-  - vulnerability: CVE-2026-5874
-  - vulnerability: CVE-2026-5877
-  - vulnerability: CVE-2026-5879
-  - vulnerability: CVE-2026-5883
-  - vulnerability: CVE-2026-5884
-  - vulnerability: CVE-2026-5902
-  - vulnerability: CVE-2026-5904
-  - vulnerability: CVE-2026-5907
-  - vulnerability: CVE-2026-5908
-  - vulnerability: CVE-2026-5909
-  - vulnerability: CVE-2026-5910
-  - vulnerability: CVE-2026-5912
-  - vulnerability: CVE-2026-5913
-  - vulnerability: CVE-2026-5914
-  - vulnerability: CVE-2026-5915
-  - vulnerability: CVE-2026-6296
-  - vulnerability: CVE-2026-6297
-  - vulnerability: CVE-2026-6299
-  - vulnerability: CVE-2026-6300
-  - vulnerability: CVE-2026-6301
-  - vulnerability: CVE-2026-6302
-  - vulnerability: CVE-2026-6303
-  - vulnerability: CVE-2026-6304
-  - vulnerability: CVE-2026-6305
-  - vulnerability: CVE-2026-6306
-  - vulnerability: CVE-2026-6307
-  - vulnerability: CVE-2026-6308
-  - vulnerability: CVE-2026-6309
-  - vulnerability: CVE-2026-6310
-  - vulnerability: CVE-2026-6311
-  - vulnerability: CVE-2026-6314
-  - vulnerability: CVE-2026-6315
-  - vulnerability: CVE-2026-6316
-  - vulnerability: CVE-2026-6317
-  - vulnerability: CVE-2026-6318
-  - vulnerability: CVE-2026-6319
-  - vulnerability: CVE-2026-6358
-  - vulnerability: CVE-2026-6359
-  - vulnerability: CVE-2026-6360
-  - vulnerability: CVE-2026-6361
-  - vulnerability: CVE-2026-6363
-
-  # Node.js CVE — comes from Playwright's bundled tooling (playwright-core uses Node.js
-  # for its CLI). The system Node.js is not used by receiptwitness service.
-  # Fix requires upgrading Playwright to a version that ships with patched Node.js.
-  - vulnerability: CVE-2026-21710
-
-  # cryptography GHSA — fixed by upgrading to >=46.0 per requirements
-  - vulnerability: GHSA-r6ph-v2qm-q3c2
@@ -1,315 +1 @@
 # CartSnitch
-
-**Grocery price intelligence — know what you're paying, every time.**
-
-CartSnitch is a self-hosted grocery price intelligence platform that connects to your store loyalty accounts, tracks prices across retailers, monitors shrinkflation, and helps you find the best deals.
-
---
-
-## Project Overview
-
-CartSnitch solves the problem of **grocery price opacity**. Most shoppers don't know if they're getting a good deal, whether prices have spiked since their last visit, or if the "sale" is actually a worse price than a competitor. CartSnitch makes prices transparent.
-
-**Core features:**
- Connect Meijer, Kroger, Target loyalty accounts
- View purchase history across all stores in one timeline
- Track per-item price charts across stores over time
- Receive shrinkflation and price increase alerts
- Browse active coupons and deals
- Generate optimized shopping lists with store-split plans
- Public price transparency dashboards
-
---
-
-## Architecture
-
-CartSnitch is a polyglot microservices platform. The monorepo contains the frontend PWA and core services.
-
-```
-┌─────────────────────────────────────────────────────────────────┐
-│                         CartSnitch PWA                          │
-│                    (React, mobile-first PWA)                     │
-└──────────┬────────────────────┬────────────────────┬───────────┘
-           │                    │                    │
-           ▼                    ▼                    ▼
-┌──────────────────┐  ┌─────────────────┐  ┌─────────────────────┐
-│   Auth Service   │  │   API Gateway   │  │  ReceiptWitness     │
-│  (Better-Auth)   │  │ (Python/FastAPI)│  │   (Python/Scrapers) │
-│  Session mgmt   │  │  REST + proxy   │  │  Purchase ingestion  │
-└────────┬─────────┘  └────────┬────────┘  └──────────┬──────────┘
-         │                      │                        │
-         └──────────────────────┼────────────────────────┘
-                                ▼
-                   ┌────────────────────────┐
-                   │   CloudNativePG (PGSQL) │
-                   │   Shared database      │
-                   └────────────────────────┘
-```
-
-### Services in This Repo
-
-| Directory | Service | Description |
-|-----------|---------|-------------|
-| `/` (root) | Frontend | React PWA, mobile-first |
-| `auth/` | Auth | Better-Auth service — session management, email/password, OAuth |
-| `api/` | API Gateway | Frontend-facing REST API, Python/FastAPI |
-| `common/` | Common | Shared Python models, Pydantic schemas, Alembic migrations |
-| `receiptwitness/` | ReceiptWitness | Purchase data ingestion via retailer scrapers |
-
-### Other CartSnitch Repos
-
-| Repo | Service |
-|------|---------|
-| `cartsnitch/stickershock` | Price increase detection & CPI comparison |
-| `cartsnitch/shrinkray` | Shrinkflation monitoring |
-| `cartsnitch/clipartist` | Coupon/deal watching |
-| `cartsnitch/infra` | Kubernetes manifests, Flux kustomizations |
-
---
-
-## Tech Stack
-
-### Frontend
- **React 18+** with TypeScript
- **Vite** — build tool
- **Tailwind CSS v4** — mobile-first responsive design
- **Workbox** — service worker, offline caching, PWA manifest
- **Recharts** — price trend visualizations
- **TanStack Query** — data fetching and caching
- **React Router v7** — client-side routing
- **Zustand** — lightweight state management
-
-### Backend Services
- **Better-Auth** — authentication (session management, email/password, OAuth)
- **Node.js** (API Gateway)
- **Python/FastAPI** (API Gateway, ReceiptWitness)
- **PostgreSQL** via CloudNativePG
- **DragonflyDB** for caching
-
-### Infrastructure
- **Kubernetes** (k3s-compatible)
- **Flux CD** — GitOps deployment
- **GitHub Actions** — CI/CD
- **CalVer** (`YYYY.MM.DD[.N]`) — image tagging
- **Bitnami Sealed Secrets** — secret management
- **Authentik** — OIDC/OAuth2 provider
-
---
-
-## Getting Started
-
-### Prerequisites
-
- Node.js 20+
- npm or pnpm
- PostgreSQL (local or containerized)
- Docker (for running services locally)
-
-### Local Development
-
-1. **Clone the repo**
-   ```bash
-   git clone https://github.com/cartsnitch/cartsnitch.git
-   cd cartsnitch
-   ```
-
-2. **Install dependencies**
-   ```bash
-   npm install
-   ```
-
-3. **Set up environment variables**
-   ```bash
-   cp .env.example .env
-   # Edit .env with your local settings
-   ```
-
-4. **Start the frontend dev server**
-   ```bash
-   npm run dev
-   ```
-   The PWA will be available at `http://localhost:5173`.
-
-5. **Run tests**
-   ```bash
-   npm test
-   ```
-
-6. **Build for production**
-   ```bash
-   npm run build
-   ```
-
-### Running Backend Services Locally
-
-The frontend PWA communicates with three backend services. For full local development, you'll need to run each service:
-
-```bash
-# Auth service (Better-Auth)
-cd auth
-npm install
-npm run dev
-
-# API Gateway (separate repo: cartsnitch/api)
-# See api/README.md
-
-# ReceiptWitness (separate repo: cartsnitch/receiptwitness)
-# See receiptwitness/README.md
-```
-
-### Environment Variables
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `VITE_API_URL` | API Gateway base URL | `http://localhost:3000` |
-| `VITE_AUTH_URL` | Auth service base URL | `http://localhost:3001` |
-
---
-
-## Contributing
-
-We welcome contributions. Please follow the workflow below.
-
-### Branching Strategy
-
- Branch from `dev`
- Use prefix: `feature/`, `fix/`, `docs/`, `chore/`
- Examples: `feature/shopping-list-optimization`, `fix/price-chart-zoom`
-
-### Commit Convention
-
-We use [Conventional Commits](https://www.conventionalcommits.org/):
-
-```
-feat: add shopping list export
-fix: correct price chart date formatting
-docs: update API documentation
-chore: update dependencies
-```
-
-### Pull Request Workflow
-
-1. Open a PR against `dev`
-2. CI must pass (lint, type check, tests, e2e)
-3. QA reviews and approves
-4. CTO merges to `dev`
-5. Dev deploys automatically
-6. CTO promotes `dev → uat`
-7. UAT and security review
-8. CEO merges `uat → main`
-9. Production deploys automatically
-
-**Never push directly to `main`, `dev`, or `uat`.**
-
-### Code Standards
-
- ESLint for linting
- TypeScript strict mode
- Mobile-first responsive design
- Accessibility (WCAG 2.1 AA)
-
---
-
-## Testing
-
-### Unit Tests
-
-```bash
-npm test
-```
-
-### E2E Tests (Playwright)
-
-```bash
-npm run test:e2e
-```
-
-Tests run headless by default. For headed mode:
-
-```bash
-npm run test:e2e:headed
-```
-
-### Lighthouse CI
-
-Performance audits run automatically in CI. To run locally:
-
-```bash
-npm run build
-npm run preview
-# In another terminal:
-npx lighthouse http://localhost:4173 --output=html --output-path=./report/lighthouse.html
-```
-
---
-
-## CI/CD Pipeline
-
-All branches (`main`, `dev`, `uat`) run through GitHub Actions on every push.
-
-### Pipeline Stages
-
-| Job | Trigger | Purpose |
-|-----|---------|---------|
-| `lint` | Every push | ESLint + TypeScript type check |
-| `test` | Every push | Unit tests via Vitest |
-| `audit` | Every push | Security vulnerability scan |
-| `e2e` | Every push | Playwright end-to-end tests |
-| `lighthouse` | After test | Performance budget check |
-| `build-and-push` | On push to main/dev/uat | Build and push Docker images to GHCR |
-| `deploy-dev` | On push to dev or main | Update `cartsnitch/infra` → auto-deploy to dev |
-| `deploy-uat` | On push to uat or main | Update `cartsnitch/infra` → auto-deploy to uat |
-
-### Image Tagging
-
- **Production (`main`):** CalVer tag (`YYYY.MM.DD[.N]`) + `latest`
- **Development (`dev`):** SHA tag (`sha-<short-sha>`)
-
-### Deployment Environments
-
-| Environment | Namespace | URL | Trigger |
-|-------------|-----------|-----|---------|
-| Dev | `cartsnitch-dev` | `cartsnitch.dev.farh.net` | Push to `dev` branch |
-| UAT | `cartsnitch-uat` | `cartsnitch.uat.farh.net` | Push to `uat` branch |
-| Production | `cartsnitch` | `cartsnitch.farh.net` | Push to `main` branch |
-
---
-
-## Deployment
-
-### Infrastructure
-
-The infrastructure repository ([cartsnitch/infra](https://github.com/cartsnitch/infra)) contains Kubernetes manifests and Flux Kustomize overlays.
-
-### Flux GitOps Flow
-
-1. CI builds and pushes a new Docker image
-2. CI opens a PR to `cartsnitch/infra` updating the image tag
-3. On merge, Flux reconciles the manifests and rolls out the new image
-
-### Forcing a Rollout
-
-To force pods to pick up a new `:latest` image:
-
-```bash
-kubectl rollout restart deployment/<name> -n <namespace>
-```
-
-### Secrets
-
-Secrets are managed via **Bitnami Sealed Secrets**. No plain Kubernetes secrets are used.
-
---
-
-## Related Projects
-
- [StickerShock](https://github.com/cartsnitch/stickershock) — Price increase detection
- [ShrinkRay](https://github.com/cartsnitch/shrinkray) — Shrinkflation monitoring
- [ClipArtist](https://github.com/cartsnitch/clipartist) — Coupon/deal optimization
- [Infra](https://github.com/cartsnitch/infra) — Kubernetes infrastructure
-
---
-
-## License
-
-MIT &copy; 2025 CartSnitch
@@ -15,7 +15,7 @@ permissions:
  packages: write

 env:
-  REGISTRY: git.farh.net
+  REGISTRY: ghcr.io
  IMAGE_NAME: cartsnitch/api

 jobs:
@@ -130,13 +130,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
@@ -1,6 +1,5 @@
 FROM python:3.12-slim AS build

-ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
@@ -13,7 +12,6 @@ RUN pip install --no-cache-dir --prefix=/install .

 FROM python:3.12-slim AS prod

-ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*

 WORKDIR /app
@@ -1,41 +1,9 @@
 """Redis/DragonflyDB caching helpers."""

-import logging
-from typing import TYPE_CHECKING
-
 import redis.asyncio as redis
-from redis.asyncio import Redis

 from cartsnitch_api.config import settings

-if TYPE_CHECKING:
-    from cartsnitch_api.config import Settings
-
-logger = logging.getLogger(__name__)
-
-_redis: "Redis | None" = None
-
-
-def get_settings() -> "Settings":
-    return settings
-
-
-async def init_redis() -> None:
-    global _redis
-    _redis = redis.from_url(settings.redis_url)
-    await _redis.ping()
-
-
-async def close_redis() -> None:
-    global _redis
-    if _redis is not None:
-        await _redis.aclose()
-        _redis = None
-
-
-def get_redis() -> Redis | None:
-    return _redis
-

 class CacheClient:
    """Redis/DragonflyDB caching with connection pooling.
@@ -1,60 +1,28 @@
 """Database session management for the API gateway."""

 from collections.abc import AsyncGenerator
-from typing import TYPE_CHECKING

 from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine

 from cartsnitch_api.config import settings

-if TYPE_CHECKING:
-    from sqlalchemy.engine import Engine
-
-
-_engine: "Engine | None" = None
-async_session_factory: async_sessionmaker[AsyncSession] | None = None
-
-
-def create_db_engine():
-    return create_async_engine(
-        settings.database_url,
-        pool_size=10,
-        max_overflow=20,
-        pool_pre_ping=True,
-        pool_recycle=3600,
-        echo=False,
-    )
-
-
-async def init_db() -> None:
-    global _engine, async_session_factory
-    _engine = create_db_engine()
-    async_session_factory = async_sessionmaker(_engine, class_=AsyncSession, expire_on_commit=False)
-
-
-async def close_db() -> None:
-    global _engine, async_session_factory
-    if _engine is not None:
-        await _engine.dispose()
-        _engine = None
-    async_session_factory = None
-
-
-def get_engine():
-    return _engine
+engine = create_async_engine(
+    settings.database_url,
+    echo=False,
+    pool_size=10,
+    max_overflow=20,
+    pool_pre_ping=True,
+    pool_recycle=3600,
+)
+async_session_factory = async_sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)


 async def get_db() -> AsyncGenerator[AsyncSession, None]:
-    if async_session_factory is None:
-        raise RuntimeError("Database not initialized. Call init_db() first.")
+    """FastAPI dependency that yields an async DB session."""
    async with async_session_factory() as session:
        yield session


-# Backward compatibility: module-level engine proxy that delegates to _engine
-def __getattr__(name: str):
-    if name == "engine":
-        if _engine is None:
-            raise RuntimeError("Database not initialized. Call init_db() first.")
-        return _engine
-    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+async def dispose_engine() -> None:
+    """Dispose the database engine, closing all pooled connections."""
+    await engine.dispose()
@@ -6,6 +6,7 @@ from fastapi import APIRouter, FastAPI

 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.cache import cache_client
+from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
@@ -25,14 +26,10 @@ from cartsnitch_api.routes.user import router as user_router

@asynccontextmanager
 async def lifespan(app: FastAPI):
-    from cartsnitch_api.database import init_db, close_db
-    from cartsnitch_api.cache import init_redis, close_redis
-
-    await init_db()
-    await init_redis()
+    await cache_client.initialize()
    yield
-    await close_redis()
-    await close_db()
+    await cache_client.close()
+    await dispose_engine()


 def create_app() -> FastAPI:
@@ -1,11 +1,8 @@
 """Health check and error metrics endpoints."""

 from fastapi import APIRouter, Depends
-from sqlalchemy import text

 from cartsnitch_api.auth.dependencies import verify_service_key
-from cartsnitch_api.cache import get_redis
-from cartsnitch_api.database import get_engine
 from cartsnitch_api.middleware.error_handler import get_error_monitor

 router = APIRouter(tags=["health"])
@@ -13,27 +10,7 @@ router = APIRouter(tags=["health"])

@router.get("/health")
 async def health():
-    engine = get_engine()
-    db_ok = False
-    redis_ok = False
-
-    try:
-        async with engine.connect() as conn:
-            await conn.execute(text("SELECT 1"))
-        db_ok = True
-    except Exception:
-        pass
-
-    try:
-        r = get_redis()
-        if r:
-            await r.ping()
-            redis_ok = True
-    except Exception:
-        pass
-
-    status = "ok" if db_ok else "degraded"
-    return {"status": status, "db": db_ok, "redis": redis_ok}
+    return {"status": "ok"}


@router.get("/internal/error-stats", dependencies=[Depends(verify_service_key)])
@@ -1,50 +0,0 @@
-"""Tests for Redis/DragonflyDB caching lifecycle."""
-
-import pytest
-
-from cartsnitch_api.cache import CacheClient, close_redis, get_redis, init_redis
-
-
-@pytest.mark.asyncio
-async def test_init_redis_creates_client():
-    """Test that init_redis creates the Redis client."""
-    await init_redis()
-    try:
-        r = get_redis()
-        assert r is not None
-        await r.ping()
-    finally:
-        await close_redis()
-
-
-@pytest.mark.asyncio
-async def test_close_redis_clears_client():
-    """Test that close_redis properly closes and clears the client."""
-    await init_redis()
-    await close_redis()
-    assert get_redis() is None
-
-
-@pytest.mark.asyncio
-async def test_cache_client_get_returns_none_when_not_connected():
-    """Test that CacheClient.get returns None gracefully when Redis is down."""
-    client = CacheClient()
-    # Without init_redis, get should return None
-    result = await client.get("test-key")
-    assert result is None
-
-
-@pytest.mark.asyncio
-async def test_cache_client_set_does_not_raise_when_not_connected():
-    """Test that CacheClient.set does not raise when Redis is down."""
-    client = CacheClient()
-    # Without init_redis, set should not raise
-    await client.set("test-key", "test-value", ttl_seconds=60)
-
-
-@pytest.mark.asyncio
-async def test_cache_client_delete_does_not_raise_when_not_connected():
-    """Test that CacheClient.delete does not raise when Redis is down."""
-    client = CacheClient()
-    # Without init_redis, delete should not raise
-    await client.delete("test-key")
@@ -1,62 +0,0 @@
-"""Tests for database initialization and lifecycle."""
-
-import pytest
-from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
-
-from cartsnitch_api.database import (
-    close_db,
-    create_db_engine,
-    get_engine,
-    init_db,
-)
-
-
-@pytest.mark.asyncio
-async def test_create_db_engine_creates_engine_with_pool_settings():
-    """Test that create_db_engine creates engine with correct pool settings."""
-    engine = create_db_engine()
-    assert engine is not None
-    pool = engine.pool
-    assert pool.size() == 10
-    assert pool._max_overflow == 20
-    await engine.dispose()
-
-
-@pytest.mark.asyncio
-async def test_init_db_sets_engine_and_factory():
-    """Test that init_db properly initializes the engine and session factory."""
-    await init_db()
-    try:
-        eng = get_engine()
-        assert eng is not None
-        from cartsnitch_api import database
-
-        assert database.async_session_factory is not None
-    finally:
-        await close_db()
-
-
-@pytest.mark.asyncio
-async def test_close_db_disposes_engine():
-    """Test that close_db properly disposes the engine."""
-    await init_db()
-    await close_db()
-    assert get_engine() is None
-    from cartsnitch_api import database
-
-    assert database.async_session_factory is None
-
-
-@pytest.mark.asyncio
-async def test_get_db_yields_session_after_init():
-    """Test that get_db yields working sessions after init_db."""
-    await init_db()
-    try:
-        from cartsnitch_api.database import get_db
-
-        gen = get_db()
-        session = await gen.__anext__()
-        assert isinstance(session, AsyncSession)
-        await gen.aclose()
-    finally:
-        await close_db()
@@ -1,77 +0,0 @@
-"""Tests for health check endpoint."""
-
-import pytest
-from unittest.mock import AsyncMock, patch
-
-from cartsnitch_api.database import init_db, close_db
-
-
-@pytest.mark.asyncio
-async def test_health_returns_db_and_redis_fields(client):
-    """Test that health endpoint returns db and redis status fields."""
-    from cartsnitch_api.cache import init_redis, close_redis
-
-    await init_db()
-    await init_redis()
-
-    try:
-        response = await client.get("/health")
-        assert response.status_code == 200
-        data = response.json()
-        assert "status" in data
-        assert "db" in data
-        assert "redis" in data
-    finally:
-        await close_redis()
-        await close_db()
-
-
-@pytest.mark.asyncio
-async def test_health_returns_degraded_when_db_down():
-    """Test that health returns degraded when database is down."""
-    from cartsnitch_api.database import _engine
-    from cartsnitch_api.routes.health import health
-
-    # Simulate engine is None (DB not initialized)
-    with patch("cartsnitch_api.routes.health.get_engine", return_value=None):
-        response = await health()
-        assert response["status"] == "degraded"
-        assert response["db"] is False
-
-
-@pytest.mark.asyncio
-async def test_health_returns_ok_when_db_up(client):
-    """Test that health returns ok when database is up."""
-    from cartsnitch_api.database import init_db, close_db
-    from cartsnitch_api.cache import init_redis, close_redis
-
-    await init_db()
-    await init_redis()
-
-    try:
-        response = await client.get("/health")
-        assert response.status_code == 200
-        data = response.json()
-        if data["db"]:
-            assert data["status"] == "ok"
-    finally:
-        await close_redis()
-        await close_db()
-
-
-@pytest.mark.asyncio
-async def test_health_redis_down_does_not_make_unhealthy(client):
-    """Test that Redis being down does not make health return unhealthy."""
-    from cartsnitch_api.database import init_db, close_db
-
-    await init_db()
-
-    try:
-        response = await client.get("/health")
-        data = response.json()
-        # Redis being down should not make status "degraded"
-        # Only DB failure makes it degraded
-        if not data["db"]:
-            assert data["status"] == "degraded"
-    finally:
-        await close_db()
@@ -1,4 +1,4 @@
-FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS builder
+FROM node:22-alpine AS builder
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
@@ -7,7 +7,7 @@ COPY tsconfig.json ./
 COPY src/ src/
 RUN npm run build

-FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
+FROM node:22-alpine
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
@@ -7,8 +7,7 @@
    "dev": "tsx watch src/index.ts",
    "build": "tsc",
    "start": "node dist/index.js",
-    "generate": "npx @better-auth/cli generate",
-    "test": "node --test src/__tests__/*.test.ts"
+    "generate": "npx @better-auth/cli generate"
  },
  "dependencies": {
    "bcrypt": "^6.0.0",
@@ -1,136 +0,0 @@
-import { describe, it } from 'node:test';
-import { equal } from 'node:assert';
-import http from 'node:http';
-
-describe('Auth health endpoint', () => {
-  const startHealthServer = (poolMock) => {
-    return new Promise((resolve) => {
-      const server = http.createServer(async (req, res) => {
-        if (req.url === '/health' && req.method === 'GET') {
-          try {
-            const client = await poolMock.connect();
-            try {
-              await Promise.race([
-                client.query('SELECT 1'),
-                new Promise((_, reject) => setTimeout(() => reject(new Error('DB timeout')), 2000)),
-              ]);
-            } finally {
-              client.release();
-            }
-            res.writeHead(200, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ status: 'ok', db: 'reachable' }));
-          } catch (err) {
-            // Mirror src/index.ts: log the error and include the message in the
-            // response body so /health 503s are diagnosable from pod logs.
-            console.error(
-              '[auth /health] DB probe failed:',
-              err instanceof Error ? `${err.name}: ${err.message}` : err,
-            );
-            const detail = err instanceof Error ? err.message : 'unknown error';
-            res.writeHead(503, { 'Content-Type': 'application/json' });
-            res.end(
-              JSON.stringify({ status: 'error', db: 'unreachable', error: detail }),
-            );
-          }
-          return;
-        }
-        res.writeHead(404);
-        res.end();
-      });
-      server.listen(0, '0.0.0.0', () => {
-        const addr = server.address();
-        const port = typeof addr === 'object' && addr ? addr.port : 0;
-        resolve({ port, close: () => server.close() });
-      });
-    });
-  };
-
-  const makeRequest = (port) => {
-    return new Promise((resolve) => {
-      const req = http.get(`http://localhost:${port}/health`, (res) => {
-        let body = '';
-        res.on('data', (chunk) => { body += chunk; });
-        res.on('end', () => {
-          resolve({ status: res.statusCode, body });
-        });
-      });
-      req.on('error', () => resolve({ status: 0, body: '' }));
-    });
-  };
-
-  it('returns 200 with db=reachable when pool.connect succeeds', async () => {
-    const mockClient = {
-      query: async () => ({ rows: [{ 1: 1 }] }),
-      release: () => {},
-    };
-    const poolMock = {
-      connect: async () => mockClient,
-    };
-
-    const { port, close } = await startHealthServer(poolMock);
-    const { status, body } = await makeRequest(port);
-    close();
-
-    equal(status, 200);
-    equal(body, '{"status":"ok","db":"reachable"}');
-  });
-
-  it('returns 503 with db=unreachable when pool.connect throws', async () => {
-    const poolMock = {
-      connect: async () => { throw new Error('connection refused'); },
-    };
-
-    const { port, close } = await startHealthServer(poolMock);
-    const { status, body } = await makeRequest(port);
-    close();
-
-    equal(status, 503);
-    const parsed = JSON.parse(body);
-    equal(parsed.status, 'error');
-    equal(parsed.db, 'unreachable');
-    equal(parsed.error, 'connection refused');
-  });
-
-  it('returns 503 with db=unreachable when query times out', async () => {
-    const mockClient = {
-      query: async () => {
-        await new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), 3000));
-      },
-      release: () => {},
-    };
-    const poolMock = {
-      connect: async () => mockClient,
-    };
-
-    const { port, close } = await startHealthServer(poolMock);
-    const { status, body } = await makeRequest(port);
-    close();
-
-    equal(status, 503);
-    const parsed = JSON.parse(body);
-    equal(parsed.status, 'error');
-    equal(parsed.db, 'unreachable');
-    // The query promise rejects with a synthetic 'timeout' error; the
-    // Promise.race wrapper also rejects with 'DB timeout'. The body should
-    // surface whichever error was thrown — accept either to stay robust.
-    equal(typeof parsed.error, 'string');
-    equal(parsed.error.length > 0, true);
-  });
-
-  it('returns a terminal response for unknown paths (no hang)', async () => {
-    const poolMock = { connect: async () => ({ query: async () => {}, release: () => {} }) };
-    const { port, close } = await startHealthServer(poolMock);
-
-    const result = await new Promise<{ status: number }>((resolve) => {
-      const req = http.get(`http://localhost:${port}/`, (res) => {
-        res.resume();
-        res.on('end', () => resolve({ status: res.statusCode ?? 0 }));
-      });
-      req.on('error', () => resolve({ status: 0 }));
-      setTimeout(() => resolve({ status: -1 }), 1000);
-    });
-    close();
-
-    equal(result.status !== -1, true, 'Unknown path must return a terminal response within 1s');
-  });
-});
@@ -37,7 +37,7 @@ export const auth = betterAuth({
    maxPasswordLength: 128,
    password: {
      hash: async (password: string) => {
-        return bcrypt.hash(password, 12);
+        return bcrypt.hash(password, 10);
      },
      verify: async (data: { hash: string; password: string }) => {
        return bcrypt.compare(data.password, data.hash);
@@ -8,7 +8,7 @@ const handler = toNodeHandler(auth);

 const server = createServer(async (req, res) => {
  // Health check
-  if ((req.url === "/health" || req.url === "/auth/health") && req.method === "GET") {
+  if (req.url === "/health" && req.method === "GET") {
    try {
      const client = await pool.connect();
      try {
@@ -20,25 +20,15 @@ const server = createServer(async (req, res) => {
        client.release();
      }
      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", db: "reachable" }));
-    } catch (err) {
-      // Log the actual error so /health 503s are diagnosable from pod logs
-      // (CAR-1276: UAT auth was crashlooping with no log output beyond the
-      // initial "listening on port 3001" line because this catch was empty).
-      console.error(
-        "[auth /health] DB probe failed:",
-        err instanceof Error ? `${err.name}: ${err.message}` : err,
-      );
-      const detail = err instanceof Error ? err.message : "unknown error";
+      res.end(JSON.stringify({ status: "ok", db: "connected" }));
+    } catch {
      res.writeHead(503, { "Content-Type": "application/json" });
-      res.end(
-        JSON.stringify({ status: "error", db: "unreachable", error: detail }),
-      );
+      res.end(JSON.stringify({ status: "error", db: "unreachable" }));
    }
    return;
  }

-  // All other routes handled by Better-Auth (returns 404 for unknown paths)
+  // All /auth/* routes handled by Better-Auth
  await handler(req, res);
 });

@@ -12,5 +12,5 @@
    "resolveJsonModule": true
  },
  "include": ["src"],
-  "exclude": ["node_modules", "dist", "src/__tests__"]
+  "exclude": ["node_modules", "dist"]
 }
@@ -1,28 +0,0 @@
-"""Add GIN index on normalized_products.upc_variants for fast JSON containment lookups.
-
-Revision ID: 002_add_normalized_products_upc_variants_index
-Revises: 001_add_email_inbound_token
-Create Date: 2026-04-14
-"""
-
-from collections.abc import Sequence
-
-from alembic import op
-
-revision: str = "002_add_normalized_products_upc_variants_index"
-down_revision: str | None = "001_add_email_inbound_token"
-branch_labels: str | Sequence[str] | None = None
-depends_on: str | Sequence[str] | None = None
-
-
-def upgrade() -> None:
-    op.create_index(
-        "ix_normalized_products_upc_variants",
-        "normalized_products",
-        ["upc_variants"],
-        postgresql_using="gin",
-    )
-
-
-def downgrade() -> None:
-    op.drop_index("ix_normalized_products_upc_variants", table_name="normalized_products")
@@ -1,36 +1,17 @@
 """Database engine and session factories for sync and async usage."""

 from collections.abc import AsyncGenerator, Generator
-from typing import TYPE_CHECKING

 from sqlalchemy import create_engine
-from sqlalchemy.ext.asyncio import AsyncEngine, AsyncSession, async_sessionmaker, create_async_engine
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
 from sqlalchemy.orm import Session, sessionmaker

 from cartsnitch_common.config import settings

-if TYPE_CHECKING:
-    from sqlalchemy.engine import Engine

-# Module-level async engine cache — one engine per unique URL, shared across all callers.
-# This prevents pool exhaustion in high-throughput workers (e.g. email-worker hitting
-# DragonflyDB/Postgres repeatedly per message).  pool_size=10, max_overflow=20 gives
-# headroom for bursts while capping max connections at 30 per URL.
-_async_engine_cache: dict[str, "AsyncEngine"] = {}
-
-
-def get_async_engine(url: str | None = None) -> "AsyncEngine":
-    """Get or create a cached async engine for the given URL."""
-    target = url or settings.database_url
-    if target not in _async_engine_cache:
-        _async_engine_cache[target] = create_async_engine(
-            target,
-            echo=settings.debug,
-            pool_size=10,
-            max_overflow=20,
-            pool_pre_ping=True,
-        )
-    return _async_engine_cache[target]
+def get_async_engine(url: str | None = None):
+    """Create an async SQLAlchemy engine."""
+    return create_async_engine(url or settings.database_url, echo=settings.debug)


 def get_sync_engine(url: str | None = None):
@@ -1,244 +0,0 @@
-# UAT Receipt Submission Path
-
-**Issue:** [CAR-812](/CAR/issues/CAR-812)
-**Author:** Barcode Betty
-**Date:** 2026-05-04
-
---
-
-## Overview
-
-The UAT environment supports receipt submission via **inbound email**. This is the only supported submission method in UAT — there is no public REST API surface for receipt ingestion.
-
---
-
-## How It Works
-
-### Architecture
-
-```
-User composes email
-    ↓
-Email sent to <user_token>@cartsnitch.<env>.farh.net
-    ↓
-Mailgun webhook receives the email
-    ↓
-Email job enqueued to DragonflyDB stream: email:receipts
-    ↓
-email-worker (ReceiptWitness) consumes the job
-    ↓
-Worker resolves user via email_inbound_token lookup in DB
-    ↓
-Retailer detected from email content (meijer / kroger / target)
-    ↓
-Email parsed into Purchase + PurchaseItem records
-    ↓
-receipt.ingested event published to Redis
-    ↓
-MatchResult created with method=upc, confidence=1.0 for known UPCs
-```
-
-### Key Components
-
-| Component | Location | Role |
-|-----------|----------|------|
-| `users.email_inbound_token` | DB (migration `001_add_email_inbound_token`) | 22-char unique token per user; used as email routing identifier |
-| `email:receipts` stream | DragonflyDB | Queue holding pending email jobs |
-| `email-worker` | `receiptwitness/src/receiptwitness/worker/email_worker.py` | Async worker consuming the stream |
-| `BaseEmailParser` | `receiptwitness/src/receiptwitness/parsers/email/base.py` | Abstract parser; subclasses for meijer/kroger/target |
-| Retailer detectors | `receiptwitness/src/receiptwitness/parsers/email/detector.py` | Sifts sender/subject to pick the right parser |
-
-### Email Address Format
-
-Each user is assigned a unique inbound token. The receipt submission email address is shown in **Settings → Receipt Email** on the UI:
-
-**Address:** `receipts+<email_inbound_token>@receipts.cartsnitch.com`
-
-To find a user's token in the UAT database (requires `kubectl` access to `cartsnitch-uat`):
-
-```bash
-kubectl exec -n cartsnitch-uat deployment/cartsnitch-api -- \\
-  python -c "from cartsnitch_common.database import get_sync_session; \\
-  from cartsnitch_common.models.user import User; \\
-  from sqlalchemy import select; \\
-  s = get_sync_session('postgresql://cartsnitch:cartsnitch@cartsnitch-pg-rw:5432/cartsnitch'); \\
-  u = s.execute(select(User).where(User.email=='dottie@example.com')).scalar_one(); \\
-  print(u.email_inbound_token)"
-```
-
---
-
-## Submitting a Test Receipt (Step-by-Step)
-
-### Prerequisites
-
- A test user account in UAT with a known `email_inbound_token`
- A sample receipt email with a **known UPC** from the seeded `normalized_products` table
-
-### Steps
-
-1. **Obtain the test user's inbound token.**
-   Use the UAT Settings → Receipt Email page in the UI to see the full address `receipts+<token>@receipts.cartsnitch.com`, or query the DB directly (see above).
-
-2. **Compose the email.**
-   Send to: the address shown in Settings → Receipt Email
-   Subject: anything
-   Body: plain-text or HTML receipt content
-
-3. **Expected behavior after email is processed:**
-   - A `Receipt` row is created in `purchases`
-   - `PurchaseItem` rows are created with `upc` matching the seeded product UPC
-   - A `MatchResult` is created with `method='upc'` and `confidence=1.0`
-
---
-
-## Known UPC for Dottie (from UAT seed)
-
-> **NOTE:** `kubectl` is not available in this execution environment. The UAT seed and DB query could not be executed. The sample receipt below uses a plausible placeholder UPC. Before Dottie runs the regression:
-> 1. Run `bash scripts/seed-env.sh uat` from a machine with UAT kubecontext
-> 2. Query: `SELECT id, canonical_name, upc_variants->0->>'upc' AS sample_upc FROM normalized_products WHERE jsonb_array_length(upc_variants) > 0 LIMIT 1;`
-> 3. Replace the placeholder values below with the real captured row
-
- `id`: **TBD — run seed and query UAT DB**
- `name`: **TBD — run seed and query UAT DB**
- `sample UPC`: **TBD — run seed and query UAT DB**
-
-### Meijer Sample Receipt (plain text)
-
-```
-Meijer
-===================================
-Purchase Date: 03/15/2026
-Store: Meijer #127 - Ann Arbor, MI
-----------------------------------
- 1 x Organic Whole Milk 1gal      $4.99
- 1 x Whole Wheat Bread             $3.29
- 1 x Bananas (2 lb)                $0.67
- 1 x Chicken Breast (3 lb)        $12.47
- 1 x Cheddar Cheese Block 8oz      $5.99
-----------------------------------
-Subtotal:                        $27.41
-Tax:                              $1.93
-Total:                           $29.34
-===================================
-THANK YOU FOR SHOPPING MEIJER
-===================================
-```
-Meijer
-===================================
-Purchase Date: 03/15/2026
-Store: Meijer #127 - Ann Arbor, MI
-----------------------------------
- 1 x Organic Whole Milk 1gal      $4.99
- 1 x Whole Wheat Bread            $3.29
- 1 x Bananas (2 lb)               $0.67
- 1 x Chicken Breast (3 lb)       $12.47
- 1 x Cheddar Cheese Block 8oz     $5.99
-----------------------------------
-Subtotal:                       $27.41
-Tax:                             $1.93
-Total:                          $29.34
-===================================
-THANK YOU FOR SHOPPING MEIJER
-===================================
-```
-
-> **Note:** The `email-worker` parses the email body and extracts line items by retailer. The exact format and field mapping depends on the retailer parser. For Meijer, the parser looks for item lines matching `(\d+) x (.+?)\s+\$([\d.]+)`. UPCs in the `upc_variants` JSONB of seeded products will be matched during the normalization step.
-
-### Kroger Sample Receipt (plain text)
-
-```
-KROGER
-===================================
-Purchase Date: 03/15/2026
-Store: KROGER #412 - Ann Arbor MI
-----------------------------------
- 1 Organic Whole Milk 1gal        $5.29
- 1 Whole Wheat Bread              $3.49
- 1 Bananas (2 lb)                 $0.69
- 1 Chicken Breast (3 lb)         $11.99
- 1 Sharp Cheddar Cheese 8oz       $4.99
-----------------------------------
-Subtotal:                       $26.45
-Tax:                             $1.85
-Total:                          $28.30
-===================================
-```
-
-### Target Sample Receipt (plain text)
-
-```
-TARGET
-===================================
-03/15/2026  14:32
-Store: 0874 Ann Arbor, MI
-===================================
- 1  Organic Whole Milk 1G         $5.49
- 1  Whole Wheat Bread             $3.29
- 1  Bananas LB 2                  $0.68
- 1  Chicken Breast 3#             $12.99
- 1  Cheddar Cheese 8OZ           $5.79
-----------------------------------
-Subtotal:                       $28.24
-Tax (6%):                        $1.69
-Total:                          $29.93
-===================================
-```
-
---
-
-## Troubleshooting
-
-### Email not processed
-
-1. Check the `email:receipts` stream has messages:
-   ```bash
-   kubectl exec -n cartsnitch-uat deploy/email-worker -- python -c \\
-     "import asyncio; from receiptwitness.queue.email import get_redis; \\
-     async def chk(): c = await get_redis(); info = await c.xinfo_stream('email:receipts'); print(info); \\
-     asyncio.run(chk())"
-   ```
-
-2. Check `email-worker` logs for retailer detection failures:
-   ```bash
-   kubectl logs -n cartsnitch-uat deploy/email-worker -f
-   ```
-
-3. Verify the token resolves to a user in the DB:
-   ```bash
-   kubectl exec -n cartsnitch-uat deploy/cartsnitch-api -- \\
-     python -c "from cartsnitch_common.database import get_sync_session; \\
-     from cartsnitch_common.models.user import User; \\
-     from sqlalchemy import select; \\
-     s = get_sync_session('postgresql://...'); \\
-     r = s.execute(select(User.email_inbound_token).limit(5)).all(); \\
-     print(r)"
-   ```
-
-### No MatchResult created
-
-The normalization pipeline requires a `normalized_product` row with the submitted UPC in `upc_variants`. If the seed was run, the product should be found. Check the `match_results` table after submission:
-
-```sql
-SELECT mr.*, np.canonical_name
-FROM match_results mr
-JOIN normalized_products np ON np.id = mr.normalized_product_id
-WHERE mr.match_method = 'upc'
-ORDER BY mr.created_at DESC
-LIMIT 10;
-```
-
---
-
-## Related Files
-
-| File | Role |
-|------|------|
-| `common/alembic/versions/001_add_email_inbound_token.py` | Adds `email_inbound_token` column |
-| `receiptwitness/src/receiptwitness/worker/email_worker.py` | Consumes email jobs from stream |
-| `receiptwitness/src/receiptwitness/queue/email.py` | DragonflyDB stream consumer group |
-| `receiptwitness/src/receiptwitness/parsers/email/detector.py` | Retailer detection |
-| `receiptwitness/src/receiptwitness/parsers/email/meijer.py` | Meijer email parser |
-| `receiptwitness/src/receiptwitness/parsers/email/kroger.py` | Kroger email parser |
-| `receiptwitness/src/receiptwitness/parsers/email/target.py` | Target email parser |
-| `docs/uat-runbook.md` | UAT runbook (defect classification, entry/exit criteria) |
@@ -4,7 +4,7 @@ import { mockAuthRoutes } from '../fixtures';
 const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;

 test.describe('J1: Registration and Login', () => {
-  test('shows success message after registration', async ({ page }) => {
+  test('can register a new account and see check your email screen', async ({ page }) => {
    await mockAuthRoutes(page, false);
    await page.goto('/register');
    await page.fill('[placeholder="Full Name"]', 'Betty Tester');
@@ -12,8 +12,7 @@ test.describe('J1: Registration and Login', () => {
    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
    await page.click('button[type="submit"]');

-    // Registration now shows "Account created! Please sign in." message
-    await expect(page.locator('.bg-red-50')).toContainText('Account created! Please sign in.');
+    await expect(page.getByRole('heading', { name: /check your email/i })).toBeVisible();
  });

  test('shows validation error when registration fields are empty', async ({ page }) => {
@@ -31,16 +30,8 @@ test.describe('J1: Registration and Login', () => {
    await expect(page.getByRole('heading', { name: /cartsnitch/i })).toBeVisible();
  });

-  test('can sign in with valid credentials', async ({ page }) => {
+  test('can sign in with credentials and land on dashboard', async ({ page }) => {
    await mockAuthRoutes(page, true);
-    const email = uniqueEmail();
-    await page.goto('/register');
-    await page.fill('[placeholder="Full Name"]', 'Login Betty');
-    await page.fill('[placeholder="Email"]', email);
-    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-    await expect(page.locator('.bg-red-50')).toContainText('Account created! Please sign in.');
-
    await page.goto('/login');
    await page.fill('[placeholder="Email"]', 'test@cartsnitch.test');
    await page.fill('[placeholder="Password"]', 'TestPass123!');
@@ -45,16 +45,14 @@
    "typescript-eslint": "^8.56.1",
    "vite": "^6.4.2",
    "vite-plugin-pwa": "^0.21.2",
-    "vitest": "^4.1.8"
+    "vitest": "^3.2.4"
  },
  "overrides": {
    "@rollup/pluginutils": "5.3.0",
    "flatted": "^3.4.2",
    "serialize-javascript": "7.0.5",
-    "brace-expansion": ">=5.0.6",
+    "brace-expansion": ">=1.1.13",
    "lodash": ">=4.17.24",
-    "minimatch": "^10.2.4",
-    "@babel/plugin-transform-modules-systemjs": "^7.29.4",
-    "fast-uri": "^3.1.2"
+    "minimatch": "^10.2.4"
  }
 }
@@ -5,7 +5,6 @@ WORKDIR /app

 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
-ARG APT_CACHE_BUST=1
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
@@ -26,7 +25,6 @@ FROM python:3.12-slim AS prod
 WORKDIR /app

 # Install Playwright system dependencies for Chromium
-ARG APT_CACHE_BUST=1
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libnss3 \
    libatk1.0-0 \
@@ -11,7 +11,7 @@ dependencies = [
    "cartsnitch-common>=0.1.0",
    "playwright>=1.49,<2.0",
    "playwright-stealth>=1.0,<2.0",
-    "cryptography>=46.0,<47.0",
+    "cryptography>=42.0,<44.0",
    "fastapi>=0.115,<1.0",
    "uvicorn[standard]>=0.30,<1.0",
    "beautifulsoup4>=4.12,<5.0",
@@ -16,29 +16,6 @@ logger = logging.getLogger(__name__)
 STREAM_KEY = "email:receipts"
 CONSUMER_GROUP = "email-workers"

-# Module-level Redis/DragonflyDB connection pool — shared across all worker calls.
-# Without pooling, each call to get_redis() opens a new TCP connection.  In a tight
-# consumer loop this causes ConnectionResetError when DragonflyDB's connection limit
-# is hit under load.  max_connections=30 (10 base + 20 overflow) mirrors the engine pool.
-_redis_pool: aioredis.ConnectionPool | None = None
-
-
-def _get_redis_pool() -> aioredis.ConnectionPool:
-    """Get or create the shared DragonflyDB connection pool."""
-    global _redis_pool
-    if _redis_pool is None:
-        _redis_pool = aioredis.ConnectionPool.from_url(
-            settings.redis_url,
-            decode_responses=True,
-            max_connections=30,
-        )
-    return _redis_pool
-
-
-async def get_redis() -> aioredis.Redis:
-    """Get async Redis/DragonflyDB client backed by a shared connection pool."""
-    return aioredis.Redis(connection_pool=_get_redis_pool())
-

@dataclass
 class EmailJob:
@@ -54,6 +31,11 @@ class EmailJob:
    message_id: str  # from email provider, for dedup


+async def get_redis() -> aioredis.Redis:
+    """Get async Redis/DragonflyDB client."""
+    return cast(aioredis.Redis, aioredis.from_url(settings.redis_url, decode_responses=True))
+
+
 async def ensure_consumer_group(client: aioredis.Redis) -> None:
    """Create consumer group if it does not exist."""
    try:
@@ -1,38 +0,0 @@
-#!/usr/bin/env bash
-# =============================================================================
-# apply-seed-job.sh — Apply the seed Job manifest for a given environment.
-#
-# Usage:
-#   ./apply-seed-job.sh <env>
-#
-# Example:
-#   ./apply-seed-job.sh uat
-#   ./apply-seed-job.sh dev
-# =============================================================================
-
-set -euo pipefail
-
-ENV="${1:-}"
-HELP_FLAG=""
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --help) HELP_FLAG="1"; shift ;;
-    *) ENV="$1"; shift ;;
-  esac
-done
-
-if [[ -n "$HELP_FLAG" ]] || [[ -z "$ENV" ]]; then
-  echo "Usage: $0 <env>"
-  echo "  env   dev or uat"
-  exit 0
-fi
-
-if [[ "$ENV" != "dev" && "$ENV" != "uat" ]]; then
-  echo "ERROR: Invalid environment: $ENV (must be 'dev' or 'uat')" >&2
-  exit 1
-fi
-
-SCRIPT_DIR="$(dirname "$0")"
-sed "s/__ENV__/${ENV}/g" "${SCRIPT_DIR}/seed-env-job.yaml" | kubectl apply -f -
-echo "Seed job applied for environment: $ENV"
@@ -58,4 +58,4 @@ spec:
              memory: 256Mi
            limits:
              cpu: 500m
-              memory: 512Mi
+              memory: 512Mi
@@ -1,3 +1,104 @@
 #!/usr/bin/env bash
-# Backward-compat wrapper — delegates to seed-env.sh dev
-exec "$(dirname "$0")/seed-env.sh" dev "$@"
+# =============================================================================
+# seed-dev.sh — Run the CartSnitch seed runner against the dev database.
+#
+# Usage:
+#   ./seed-dev.sh              Run full seed against dev
+#   ./seed-dev.sh --dry-run    Show planned record counts without writing
+#   ./seed-dev.sh --help       Show this help
+#
+# Prerequisites:
+#   - kubectl configured for the cartsnitch-dev cluster
+#   - Namespace cartsnitch-dev exists (CNPG Postgres must be running)
+#
+# What it does:
+#   1. Starts a background port-forward to cartsnitch-pg-rw:5432
+#   2. Waits for the tunnel to be ready
+#   3. Runs python -m cartsnitch_common.seed with --database-url pointing
+#      to localhost:<forwarded-port>/cartsnitch
+#   4. Cleans up the port-forward on exit (normal, interrupt, or error)
+# =============================================================================
+
+set -euo pipefail
+
+# --- Config -------------------------------------------------------------------
+readonly NAMESPACE="cartsnitch-dev"
+readonly SVC_NAME="cartsnitch-pg-rw"
+readonly LOCAL_PORT="5433"          # use a non-privileged port to avoid conflicts
+readonly DB_NAME="cartsnitch"
+readonly PG_USER="cartsnitch"
+# Retrieve password from the CNPG credentials secret
+readonly PG_PASSWORD="$(
+  kubectl get secret cartsnitch-pg-credentials \
+    -n "$NAMESPACE" \
+    -o jsonpath='{.data.password}' \
+  | base64 -d
+)"
+readonly DB_URL="postgresql://${PG_USER}:${PG_PASSWORD}@localhost:${LOCAL_PORT}/${DB_NAME}"
+
+# --- Helpers ------------------------------------------------------------------
+log()  { echo "[seed-dev] $*"; }
+fail() { log "ERROR: $*" >&2; exit 1; }
+
+# Cleanup port-forward and exit.
+cleanup() {
+  if [[ -n "${PF_PID:-}" ]]; then
+    log "Stopping port-forward (PID $PF_PID)..."
+    kill "$PF_PID" 2>/dev/null || true
+    wait "$PF_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+# --- Args ---------------------------------------------------------------------
+DRY_RUN=""
+HELP_FLAG=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --dry-run)  DRY_RUN="--dry-run"; shift ;;
+    --help)     HELP_FLAG="1"; shift ;;
+    *)          fail "Unknown argument: $1";;
+  esac
+done
+
+if [[ -n "$HELP_FLAG" ]]; then
+  sed -n '3,/^# ---/p' "$0" | head -n -1 | sed 's/^# //'
+  echo ""
+  echo "Additional arguments are passed through to the seed runner."
+  echo "Common seed-runner options:"
+  echo "  --dry-run          Show planned record counts without writing"
+  echo "  --seed N           Set random seed (default: 42)"
+  exit 0
+fi
+
+# --- Prerequisites ------------------------------------------------------------
+if ! command -v kubectl &>/dev/null; then
+  fail "kubectl not found — must be installed and configured."
+fi
+
+# --- Port-forward -------------------------------------------------------------
+log "Starting port-forward ${SVC_NAME}:5432 -> localhost:${LOCAL_PORT} ..."
+kubectl port-forward \
+  -n "$NAMESPACE" \
+  svc/"$SVC_NAME" \
+  "${LOCAL_PORT}:5432" \
+  &>/dev/null &
+PF_PID=$!
+
+# Give the tunnel a moment to establish
+sleep 2
+
+# Verify the tunnel is up
+if ! kill -0 "$PF_PID" 2>/dev/null; then
+  fail "Port-forward failed to start."
+fi
+log "Port-forward active (PID $PF_PID) on localhost:${LOCAL_PORT}"
+
+# --- Seed --------------------------------------------------------------------
+log "Running seed against dev database..."
+set -x
+python -m cartsnitch_common.seed --database-url "$DB_URL" $DRY_RUN
+set +x
+
+log "Done."
@@ -1,58 +0,0 @@
-# seed-env-job.yaml
-# K8s Job to run the CartSnitch seed runner against any CartSnitch database.
-#
-# Usage (via apply-seed-job.sh):
-#   bash scripts/apply-seed-job.sh dev
-#   bash scripts/apply-seed-job.sh uat
-#
-# To view logs:
-#   kubectl logs -n cartsnitch-<env> job/seed-env -f
-#
-# To re-run after fixing issues:
-#   kubectl delete -f - -n cartsnitch-<env> && bash scripts/apply-seed-job.sh <env>
-#
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: seed-env
-  namespace: cartsnitch-__ENV__
-  labels:
-    app: cartsnitch
-    component: seed
-    environment: __ENV__
-  annotations:
-    description: "Runs cartsnitch-common seed runner to populate __ENV__ database with realistic test data."
-spec:
-  backoffLimit: 0
-  concurrencyPolicy: Forbid
-  template:
-    metadata:
-      labels:
-        app: cartsnitch
-        component: seed
-        environment: __ENV__
-    spec:
-      restartPolicy: Never
-      containers:
-        - name: seed
-          image: python:3.12-slim
-          command:
-            - sh
-            - -c
-            - |
-              pip install --no-cache-dir "cartsnitch-common @ git+https://github.com/cartsnitch/common.git@main" && \
-              python -m cartsnitch_common.seed --database-url "$${DATABASE_URL}"
-          env:
-            - name: DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: cartsnitch-secrets
-                  key: database-url-pg
-                  optional: false
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
@@ -1,122 +0,0 @@
-#!/usr/bin/env bash
-# =============================================================================
-# seed-env.sh — Run the CartSnitch seed runner against any CartSnitch database.
-#
-# Usage:
-#   ./seed-env.sh [--env dev|uat] [--dry-run] [--help]
-#   ./seed-env.sh uat --dry-run   Run dry-run against UAT
-#   ./seed-env.sh dev            Run full seed against dev (default)
-#
-# Prerequisites:
-#   - kubectl configured for the target cluster
-#   - Namespace cartsnitch-<env> exists (CNPG Postgres must be running)
-#
-# What it does:
-#   1. Starts a background port-forward to cartsnitch-pg-rw:5432
-#   2. Waits for the tunnel to be ready
-#   3. Runs python -m cartsnitch_common.seed with --database-url pointing
-#      to localhost:<forwarded-port>/cartsnitch
-#   4. Cleans up the port-forward on exit (normal, interrupt, or error)
-# =============================================================================
-
-set -euo pipefail
-
-# --- Config -------------------------------------------------------------------
-ENV="dev"
-if [[ "${1:-}" == "dev" || "${1:-}" == "uat" ]]; then
-  ENV="$1"; shift
-fi
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --env) ENV="$2"; shift 2 ;;
-    --dry-run|--help) break ;;
-    *) break ;;
-  esac
-done
-
-NAMESPACE="cartsnitch-${ENV}"
-SVC_NAME="cartsnitch-pg-rw"
-LOCAL_PORT="5433"
-DB_NAME="cartsnitch"
-PG_USER="cartsnitch"
-PG_PASSWORD="$(
-  kubectl get secret cartsnitch-pg-credentials \
-    -n "$NAMESPACE" \
-    -o jsonpath='{.data.password}' \
-  | base64 -d
-)"
-DB_URL="postgresql://${PG_USER}:${PG_PASSWORD}@localhost:${LOCAL_PORT}/${DB_NAME}"
-
-# --- Helpers ------------------------------------------------------------------
-log()  { echo "[seed-env] [$ENV] $*"; }
-fail() { log "ERROR: $*" >&2; exit 1; }
-
-cleanup() {
-  if [[ -n "${PF_PID:-}" ]]; then
-    log "Stopping port-forward (PID $PF_PID)..."
-    kill "$PF_PID" 2>/dev/null || true
-    wait "$PF_PID" 2>/dev/null || true
-  fi
-}
-trap cleanup EXIT
-
-# --- Args ---------------------------------------------------------------------
-DRY_RUN=""
-HELP_FLAG=""
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --dry-run)  DRY_RUN="--dry-run"; shift ;;
-    --help)     HELP_FLAG="1"; shift ;;
-    *)          fail "Unknown argument: $1";;
-  esac
-done
-
-if [[ -n "$HELP_FLAG" ]]; then
-  echo "Usage: $0 [--env dev|uat] [--dry-run] [--help]"
-  echo ""
-  echo "Positional / keyword arguments:"
-  echo "  --env dev|uat    Target environment (default: dev)"
-  echo "  --dry-run        Show planned record counts without writing"
-  echo "  --help           Show this help"
-  echo ""
-  echo "Additional arguments are passed through to the seed runner."
-  echo "Common seed-runner options:"
-  echo "  --seed N         Set random seed (default: 42)"
-  exit 0
-fi
-
-# --- Validate env --------------------------------------------------------------
-if [[ "$ENV" != "dev" && "$ENV" != "uat" ]]; then
-  fail "Invalid environment: $ENV (must be 'dev' or 'uat')"
-fi
-
-# --- Prerequisites ------------------------------------------------------------
-if ! command -v kubectl &>/dev/null; then
-  fail "kubectl not found — must be installed and configured."
-fi
-
-# --- Port-forward -------------------------------------------------------------
-log "Starting port-forward ${SVC_NAME}:5432 -> localhost:${LOCAL_PORT} ..."
-kubectl port-forward \
-  -n "$NAMESPACE" \
-  svc/"$SVC_NAME" \
-  "${LOCAL_PORT}:5432" \
-  &>/dev/null &
-PF_PID=$!
-
-sleep 2
-
-if ! kill -0 "$PF_PID" 2>/dev/null; then
-  fail "Port-forward failed to start."
-fi
-log "Port-forward active (PID $PF_PID) on localhost:${LOCAL_PORT}"
-
-# --- Seed --------------------------------------------------------------------
-log "Running seed against ${ENV} database..."
-set -x
-python -m cartsnitch_common.seed --database-url "$DB_URL" $DRY_RUN
-set +x
-
-log "Done."
@@ -126,7 +126,7 @@ function AlertCard({
          </Link>
          <div className="mt-1 flex items-center gap-2">
            <span className="text-xs text-gray-500">Target: ${alert.targetPrice.toFixed(2)}</span>
-            <span className="text-xs text-gray-500">&middot;</span>
+            <span className="text-xs text-gray-400">&middot;</span>
            <span className={`text-xs font-medium ${isBelow ? 'text-green-700' : 'text-gray-500'}`}>
              Now: ${alert.currentPrice.toFixed(2)}
            </span>
@@ -145,7 +145,7 @@ function AlertCard({
          )}
          <button
            onClick={() => onDelete(alert.id)}
-            className="min-h-12 min-w-12 rounded-lg p-2 text-gray-500 active:bg-gray-100"
+            className="min-h-12 min-w-12 rounded-lg p-2 text-gray-400 active:bg-gray-100"
            aria-label="Delete alert"
          >
            <svg className="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={1.5}>
@@ -62,7 +62,7 @@ export function Coupons() {
                  <p className="mt-0.5 text-xs text-gray-500">{coupon.storeName}</p>
                  <p
                    className={`mt-1 text-xs ${
-                      expiringSoon ? 'font-medium text-orange-600' : 'text-gray-500'
+                      expiringSoon ? 'font-medium text-orange-600' : 'text-gray-400'
                    }`}
                  >
                    Expires{' '}
@@ -1,5 +1,5 @@
 import { useState } from 'react'
-import { Link } from 'react-router-dom'
+import { Link, useNavigate } from 'react-router-dom'
 import { authClient } from '../lib/auth-client.ts'

 export function Login() {
@@ -7,6 +7,7 @@ export function Login() {
  const [password, setPassword] = useState('')
  const [error, setError] = useState('')
  const [loading, setLoading] = useState(false)
+  const navigate = useNavigate()

  async function handleSubmit(e: React.FormEvent) {
    e.preventDefault()
@@ -28,12 +29,11 @@ export function Login() {
        throw new Error(authError.message ?? 'Sign in failed')
      }

-      // After successful signIn, force a full page reload so Better-Auth's
-      // useSession() reinitializes with fresh cookie-backed session state.
-      // Using React Router's navigate() races with Better-Auth's internal update.
+      // After successful signIn, force a session fetch to confirm the cookie is set
+      // before navigating to the protected route
      const sessionResult = await authClient.getSession()
      if (sessionResult.data) {
-        window.location.href = '/'
+        navigate('/')
      } else {
        setError('Sign in failed. Please try again.')
      }
@@ -93,4 +93,4 @@ export function Login() {
      </p>
    </main>
  )
-}
+}
@@ -97,7 +97,7 @@ export function Purchases() {
              </div>

              {/* Item preview */}
-              <p className="mt-2 truncate text-xs text-gray-500">
+              <p className="mt-2 truncate text-xs text-gray-400">
                {purchase.items
                  .slice(0, 3)
                  .map((i) => i.name)
@@ -8,6 +8,9 @@ export function Register() {
  const [password, setPassword] = useState('')
  const [error, setError] = useState('')
  const [loading, setLoading] = useState(false)
+  const [registrationComplete, setRegistrationComplete] = useState(false)
+  const [resendLoading, setResendLoading] = useState(false)
+  const [resendMessage, setResendMessage] = useState('')

  async function handleSubmit(e: React.FormEvent) {
    e.preventDefault()
@@ -35,7 +38,7 @@ export function Register() {
        throw new Error(authError.message ?? 'Registration failed')
      }

-      setError('Account created! Please sign in.')
+      setRegistrationComplete(true)
    } catch {
      setError('Registration failed. Please try again.')
    } finally {
@@ -43,6 +46,49 @@ export function Register() {
    }
  }

+  async function handleResendVerification() {
+    setResendLoading(true)
+    setResendMessage('')
+    try {
+      const { error } = await authClient.sendVerificationEmail({ email })
+      if (error) {
+        setResendMessage('Failed to resend. Please try again.')
+      } else {
+        setResendMessage('Verification email sent!')
+      }
+    } finally {
+      setResendLoading(false)
+    }
+  }
+
+  if (registrationComplete) {
+    return (
+      <div className="flex min-h-screen flex-col items-center justify-center px-4">
+        <h1 className="mb-2 text-3xl font-bold text-gray-900">Check your email</h1>
+        <p className="mb-8 text-sm text-gray-500">
+          We sent a verification link to {email}. Click it to activate your account.
+        </p>
+        <button
+          type="button"
+          onClick={handleResendVerification}
+          disabled={resendLoading}
+          className="min-h-12 rounded-xl bg-brand-blue px-6 py-3 text-base font-medium text-white active:bg-brand-blue/90 disabled:opacity-60"
+        >
+          {resendLoading ? 'Sending...' : 'Resend email'}
+        </button>
+        {resendMessage && (
+          <p className="mt-4 text-sm text-gray-500">{resendMessage}</p>
+        )}
+        <p className="mt-6 text-sm text-gray-500">
+          Already have an account?{' '}
+          <Link to="/login" className="text-brand-blue">
+            Sign in
+          </Link>
+        </p>
+      </div>
+    )
+  }
+
  return (
    <div className="flex min-h-screen flex-col items-center justify-center px-4">
      <h1 className="mb-2 text-3xl font-bold text-gray-900">Create Account</h1>
@@ -153,7 +153,7 @@ export function Settings() {
              {copied ? 'Copied!' : 'Copy'}
            </button>
          </div>
-          <p className="mt-2 text-xs text-gray-500">
+          <p className="mt-2 text-xs text-gray-400">
            Supports Meijer, Kroger, and Target receipt emails.
          </p>
        </div>
@@ -89,7 +89,7 @@ export function StoreComparison() {
                {pp.price === lowestPrice ? (
                  <span className="text-xs font-medium text-green-600">Best price</span>
                ) : (
-                  <span className="text-xs text-gray-500">
+                  <span className="text-xs text-gray-400">
                    +${(pp.price - lowestPrice).toFixed(2)}
                  </span>
                )}
@@ -99,7 +99,7 @@ export function StoreComparison() {
        ))}
      </div>

-      <p className="mt-6 text-center text-xs text-gray-500">
+      <p className="mt-6 text-center text-xs text-gray-400">
        Prices last verified from store loyalty card data. Map view coming soon.
      </p>
    </div>
@@ -7,6 +7,6 @@ export default defineConfig({
    environment: 'jsdom',
    globals: true,
    setupFiles: ['./src/test/setup.ts'],
-    exclude: ['e2e/**', 'auth/**', 'node_modules/**'],
+    exclude: ['e2e/**', 'node_modules/**'],
  },
 })
Author	SHA1	Message	Date
Barcode Betty	c953fabc6b	fix(e2e): correct j1 registration assertions to match dev Register.tsx flow - Registration test: assert 'Check your email' heading (dev shows email verification screen after signUp, no session established) - Sign-in test: use mock routes directly without registration step; dev Login.tsx calls getSession() which the mock provides Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:05 +00:00
Barcode Betty	09f88f0bf8	fix(e2e): await route mocks and add session mocking to all tests - Make mockAuthRoutes async and await all page.route() calls to prevent race conditions - Add auth route mocking to J8 unauth tests (required since VITE_MOCK_AUTH was removed) - Add auth route mocking to smoke test - Replace broken mockSessionPending with mockSessionDelayed for spinner test Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:05 +00:00
Barcode Betty	f0bbf51486	fix: change remaining text-gray-400 to text-gray-600 on Dashboard stats CAR-676 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00
Barcode Betty	716fb4e1b2	fix: change text-gray-400 to text-gray-600 on Dashboard empty state CAR-676 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00
Barcode Betty	68420b5f01	fix(e2e): add mock for /auth/session endpoint The J8 test calls /api/auth/session which maps to /auth/session in Better Auth. Adding mock to ensure consistent behavior. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00
Barcode Betty	b6da52fb07	fix(e2e): correct Better Auth mock response formats - sign-up returns { token, user } - sign-in returns { redirect, token, user } - get-session returns { session, user } Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00
Barcode Betty	5e5f13c5b5	fix(e2e): use more permissive regex patterns for route mocking Use wildcard patterns to match URLs with query parameters or trailing slashes. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00
Barcode Betty	c47252a342	fix(e2e): correct Better Auth mock route patterns - Changed sign-up route from /auth/register to /auth/sign-up/email - Changed session route from /auth/session to /auth/get-session Better Auth hits /auth/sign-up/email for registration and /auth/get-session for session checks. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00
Barcode Betty	00f3c86276	fix(e2e): replace VITE_MOCK_AUTH with Playwright route mocking - Removed VITE_MOCK_AUTH=true from playwright.config.ts webServer command - Added mockAuthRoutes helper to e2e/fixtures.ts to mock /auth/* endpoints - Updated j1-registration-login.spec.ts to use route mocking instead of env var-based mock auth Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:41:04 +00:00