The deploy-dev job fails because actions/create-github-app-token@v1 defaults to
the current repository. Adding owner + repositories scopes the token to include
cartsnitch/infra so the subsequent checkout step succeeds.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Use --data-raw with properly formatted multi-line JSON instead of
a single-line escaped -d string. This ensures newlines in the
description are correctly interpreted.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add deploy-dev job to update the dev overlay image tag in cartsnitch/infra
via kustomize after a successful main build. Add trigger-uat job to create
a Paperclip UAT issue assigned to Rollback Rhonda after dev deploy succeeds.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The auth Deployment in cartsnitch/infra (PR #83) references
ghcr.io/cartsnitch/auth:latest, but no CI job builds that image.
Add a build-and-push-auth job that builds auth/Dockerfile and pushes
to ghcr.io/cartsnitch/auth with the same CalVer + sha tagging scheme.
Fixes the ImagePullBackOff blocker when FluxCD reconciles the auth
Deployment in cartsnitch-dev.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Remove hardcoded fallback secret that allowed sessions to be
signed with a well-known value if the env var was unset.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- stores.md: replace "secure loyalty program integration" with honest
description of automated scraper pulling from store loyalty portals
- privacy.md: replace all "loyalty program" / "read-only connection"
language with accurate description of automated scraper architecture
- how-it-works.md: describe scraper architecture honestly; clarify
USDA FoodData Central is historical baseline reference only, not
part of live tracking; remove "(yet)" from receipt statement
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace hand-rolled JWT auth with Better-Auth session-based authentication.
- Scaffold auth/ Node.js service with Better-Auth, bcrypt password compat,
Postgres adapter mapped to existing users table
- Add Alembic migration (002) creating sessions, accounts, verifications
tables and migrating password hashes to accounts table
- Update FastAPI auth dependency to validate sessions via shared DB
(supports both cookie and Bearer token)
- Remove registration/login/refresh endpoints from API gateway (now
handled by Better-Auth service)
- Update frontend to use better-auth/react client with httpOnly cookies
(no tokens in localStorage or memory)
- Rewrite auth store, Login, Register, Dashboard, Settings, ProtectedRoute
to use session-based auth
- Update all tests to create sessions directly in DB instead of JWT tokens
Resolves CAR-27
See plan: CAR-26#document-plan
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Removes quantity qualifier from two instances since pre-beta coverage
is not verified. per QA and CEO review comments on PR #42.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Critical fixes:
- stores.md: Correct supported retailers to Meijer, Kroger, Target.
Remove Safeway (never scoped). Replace named Coming Soon list with
generic demand-based evaluation language.
- privacy.md: Replace all OAuth/API claims with accurate language
describing read-only headless browser access to loyalty portals.
- about.md: Remove "price gouging on our roadmap" claim.
Clarify USDA FoodData Central is reference data only, not a source
of price data.
- blog/price-gouging-vs-shrinkflation.md: Remove roadmap claim.
Remove implication that price gouging detection is coming.
- methodology.md: Fix cereal example math — 16.2% → 16.1%.
Use raw values per the stated formula. Clarify USDA FoodData
Central role for package sizing baselines only.
- how-it-works.md: Correct retailers. Remove "(yet)" from receipt
claim. Clarify USDA FoodData Central is reference data.
Important fixes:
- press-kit.md: Correct supported stores. Remove USDA FoodData Central
from dollar-cost attribution — reattribute to CartSnitch analysis of
manufacturer packaging data.
- app-store-listing.md: Remove "thousands of products" claims
(pre-launch beta, quantity unverified).
- social/launch-day-posts.md: Remove "thousands of products" claim.
Correct retailer list.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
USDA FoodData Central is a nutrient composition database, not a price
analysis tool. Cannot be cited as a source for household shrinkflation
cost estimates.
Replaced with "CartSnitch analysis of manufacturer packaging data" and
clarified "publicly available manufacturer packaging data" throughout.
Added trailing newline to end of file.
Fixes CTO review feedback on PR #39.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Kubernetes runAsNonRoot validation requires the USER directive to be
explicitly set in the image metadata. nginx-unprivileged runs as UID 101
internally, but without the explicit USER directive Kubernetes cannot
verify this from the image config and fails with CreateContainerConfigError.
Fixes CAR-231.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds top-of-funnel explainer article targeting "what is unit price",
"how to calculate unit price", and "unit price vs shelf price" keywords.
Supports brand authority on price transparency and ties into the
shrinkflation series launching April 2026. Closes CAR-218.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Non-root users cannot bind to ports < 1024. Port 8080 is used by
nginxinc/nginx-unprivileged by default.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Switch from nginx:stable-alpine to nginxinc/nginx-unprivileged:stable-alpine.
The unprivileged image runs as nginx user (UID 101) on port 8080, satisfying
the runAsNonRoot: true security context in Kubernetes.
Fixes: https://github.com/cartsnitch/infra/issues/65
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Full Twitter/X and Reddit promotional copy for all 5 shrinkflation
series posts (anchor top-10, dairy, frozen, household, snacks).
Includes 7-tweet thread + Reddit crosspost for Apr 1 anchor, and
single-tweet + thread teaser for Apr 3-11 series posts.
Refs: CAR-202, CAR-170, CAR-199
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds data-driven ranking of grocery products with the highest effective
unit price increases from shrinkflation between 2021 and 2025.
Refs: CAR-170, CAR-114, CAR-131
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Update frontmatter and footer navigation for dairy, frozen food,
household essentials, and snacks posts to match the cereal post series
format. Sets consistent series name "The Shrinkflation Files", correct
part numbers (2–5), and properly linked prev/next nav footers.
Refs: CAR-157, CAR-114
Co-authored-by: Frontend Frankie <frankie@cartsnitch.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* content: add founder story blog post — Why We Built CartSnitch
Replaces the Phase 1 draft with the final founder story from CMO
content-spec (CAR-134). Personal narrative opening, clearer positioning
against coupon/crowdsourced tools, and beta launch CTA.
Refs: CAR-134, CAR-114
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* content: merge founder story with data stats per Penny's review (v1.1)
Restores BLS/USDA statistics, specific shrinkflation examples, and
privacy footer from the original draft. Keeps the founder pasta story,
three-things framework, and cleaner positioning from the CMO content-spec.
Combined version addresses all points raised in Penny's changes-requested review.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Frontend Frankie <frankie@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* content: add shrinkflation series post 1 — The Shrinkflation Files: Cereal
Updates cereal blog post with final content-spec v1.0 from CAR-141.
Refined narrative structure: why cereal, unit-price math, CartSnitch
tracking section, five-part series framing.
Part of shrinkflation series (CAR-141, parent CAR-114).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* content: update cereal shrinkflation post to v1.1 with brand-specific data
Restores brand data table (Cheerios, Frosted Flakes, Lucky Charms, etc. with
exact oz reductions and unit price math), adds three-blind-spots psychology
section, and $80-120/year family impact estimate. Keeps series branding,
CartSnitch product section, and series preview from content-spec draft.
Addresses CEO changes-requested review on PR #29.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Frontend Frankie <frankie@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Flea Flicker
Savannah Savings
Chris Farhood