- Adds docker/login-action@v3 step before each GHCR login in all 4
build jobs (build-and-push, build-and-push-auth,
build-and-push-receiptwitness, build-and-push-api)
- Uses DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets
- Also fixes: removes duplicate API image tag from the receiptwitness
kustomize update step (was causing the API image to be set twice)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Better-Auth defaults to singular "session" table name, but our DB uses
the plural "sessions" table (created by migration 002). Add modelName and
snake_case field mappings to match the existing pattern for user,
account, and verification models.
Co-authored-by: Stockboy Steve <steve@cartsnitch.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>
Resolves GHSA-3v7f-55p6-f55p (picomatch ReDoS) and
GHSA-c2c7-rcm5-vvqj (picomatch method injection) flagged by the new
npm audit CI job. Also bump @vitejs/plugin-react to 4.7.0.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The api/Dockerfile used bare paths (COPY pyproject.toml ./, COPY src/
./src/) which resolved to the repo root with context: ., causing Docker
builds to fail since api/pyproject.toml and api/src/ don't exist at the
repo root.
Add 'api/' prefix to all COPY source paths, matching the pattern already
used in receiptwitness/Dockerfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds MSW (Mock Service Worker) for integration test mocking. Creates mock API handlers for purchases, products, coupons, and alerts. Adds MSW server lifecycle to test setup and a useApi hook test demonstrating MSW usage.
Adds picomatch@^4.0.4 as a direct dependency to override the vulnerable
4.0.3 pinned in transitive deps (vitest). Resolves 2 high-severity CVEs.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds an audit job to the CI workflow that runs npm audit with
--audit-level=high, failing the job on critical or high severity
vulnerabilities. Runs in parallel with lint and test, and does
not gate the build-and-push jobs.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
package.json references packages (better-auth@1.5.6, etc.) not present
in the lock file, causing npm ci to fail on CI. Regenerate the lock file
so CI can install dependencies correctly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Install Mock Service Worker (MSW) and configure it for vitest.
Write one integration test for usePurchases hook using MSW.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add alembic.ini and alembic/ directory to production API Docker image. Includes migration 003 (make hashed_password nullable).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Delete nested .github/workflows/ci.yml files from api/ and receiptwitness/
directories. These workflows were from the polyrepo era and reference the
deleted cartsnitch/common repo. They do not execute as GitHub Actions (not
at repo root) and are confusing.
No functional change — the monorepo CI is defined at .github/workflows/.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds alembic.ini and alembic/ directory to the production API image so
alembic upgrade head can run in-cluster as an init container.
Also carries migration 003 (make hashed_password nullable) from PR #66.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The feat/playwright-setup branch added @playwright/test to package.json
but the lockfile was not regenerated, causing npm ci to fail.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add formatCurrency, formatDate, and storeSlugs utilities in src/utils/
with 21 vitest unit tests covering standard and edge cases.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Avoids ERR_CONNECTION_REFUSED in deployed environments where
VITE_AUTH_URL is not set at build time. Empty-string fallback
routes auth requests to same origin, which the HTTPRoute forwards
to the auth service.
cc @cpfarhood
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Register sends display_name instead of name
- Register/Login handle TokenResponse (access_token, not token)
- Fetch /auth/me after register/login to populate user object
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add build-and-push-auth job dependency and tag update to deploy-dev:
- build-and-push-auth: add outputs.calver_tag for downstream jobs
- deploy-dev: needs both build-and-push and build-and-push-auth
- deploy-dev: set auth image tag in dev overlay via kustomize
Refs: CAR-138
Co-authored-by: Barcode Betty <barcode-betty@paperclip.ing>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>
cartsnitch-ceo[bot]