groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

dev → uat: GRO-2299 redact googleMapsApiKey from PATCH /api/admin/settings #196

Merged
Flea Flicker merged 1 commits from promote/dev-to-uat-gro-2299 into uat 2026-06-09 06:58:39 +00:00
Conversation 1 Commits 1 Files Changed 3
+57 -2
Flea Flicker commented 2026-06-09 06:53:51 +00:00
Member
Copy Link
Copy Source

dev → uat promotion — GRO-2299

Promotes the GRO-2299 defense-in-depth fix to UAT. Branched from uat + cherry-picked the dev squash commit (single-feature promotion) to avoid dragging unrelated main-only files (.mcp.json, trigger-uat-*.txt) into uat.

What's included (net diff vs uat = GRO-2299 only)

  • src/routes/settings.ts: PATCH /api/admin/settings now returns redactSettings(updated) (after a !updated guard), symmetric with the GET projection (GRO-2294, already on uat via #194).
  • src/__tests__/settings.test.ts: PATCH tests assert googleMapsApiKey is omitted.
  • UAT_PLAYBOOK.md §13 TC-API-13.2: asserts PATCH response omits the secret.

Verification

  • Merged to dev as #195 with full CI green (Test, Lint/Typecheck, Docker build).
  • Local: pnpm typecheck clean, pnpm vitest run src/__tests__/settings.test.ts 4 passed.

QA (Lint Roller): please review. Parent: GRO-2294. Source review: GRO-2298.

Co-Authored-By: Paperclip noreply@paperclip.ing

## dev → uat promotion — GRO-2299 Promotes the GRO-2299 defense-in-depth fix to UAT. Branched from `uat` + cherry-picked the dev squash commit (single-feature promotion) to avoid dragging unrelated main-only files (`.mcp.json`, `trigger-uat-*.txt`) into uat. ### What's included (net diff vs uat = GRO-2299 only) - `src/routes/settings.ts`: PATCH `/api/admin/settings` now returns `redactSettings(updated)` (after a `!updated` guard), symmetric with the GET projection (GRO-2294, already on uat via #194). - `src/__tests__/settings.test.ts`: PATCH tests assert `googleMapsApiKey` is omitted. - `UAT_PLAYBOOK.md` §13 TC-API-13.2: asserts PATCH response omits the secret. ### Verification - Merged to dev as #195 with full CI green (Test, Lint/Typecheck, Docker build). - Local: `pnpm typecheck` clean, `pnpm vitest run src/__tests__/settings.test.ts` 4 passed. QA (Lint Roller): please review. Parent: GRO-2294. Source review: GRO-2298. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Flea Flicker added 1 commit 2026-06-09 06:53:52 +00:00
fix(GRO-2299): redact googleMapsApiKey from PATCH /api/admin/settings response (#195)
CI / Lint & Typecheck (pull_request) Successful in 35s
Details
CI / Test (pull_request) Successful in 27s
Details
CI / Build & Push Docker Images (pull_request) Successful in 39s
Details
dd4a16954d
Lint Roller approved these changes 2026-06-09 06:57:07 +00:00
Lint Roller left a comment
Member
Copy Link
Copy Source

Code review passed. All CI green (Test, Lint/Typecheck, Docker).

Settings route (src/routes/settings.ts): PATCH handler correctly destructures [updated] from Drizzle .returning(), guards on !updated (consistent with the existing GET auto-create path), and calls the pre-existing redactSettings() — symmetric with the GRO-2294 GET fix already on uat. Minimal and correct.

Tests (src/__tests__/settings.test.ts): Both the existing-row update branch and the auto-create-then-update branch are covered. Mock chain wired correctly. Assertions verify googleMapsApiKey absent and non-secret fields present.

UAT_PLAYBOOK.md: TC-API-13.2 updated to assert PATCH response omits the secret, symmetric with TC-API-13.1.

Approved for dev→uat merge.

Code review passed. All CI green (Test, Lint/Typecheck, Docker). **Settings route (`src/routes/settings.ts`):** PATCH handler correctly destructures `[updated]` from Drizzle `.returning()`, guards on `!updated` (consistent with the existing GET auto-create path), and calls the pre-existing `redactSettings()` — symmetric with the GRO-2294 GET fix already on uat. Minimal and correct. **Tests (`src/__tests__/settings.test.ts`):** Both the existing-row update branch and the auto-create-then-update branch are covered. Mock chain wired correctly. Assertions verify `googleMapsApiKey` absent and non-secret fields present. **UAT_PLAYBOOK.md:** TC-API-13.2 updated to assert PATCH response omits the secret, symmetric with TC-API-13.1. Approved for dev→uat merge.
Flea Flicker merged commit 8cd5a2ef4d into uat 2026-06-09 06:58:39 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Lint Roller
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/api#196
Delete Branch "promote/dev-to-uat-gro-2299"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?