diff --git a/docs/codebase-audit-2026-06-06.md b/docs/codebase-audit-2026-06-06.md index ae94b9f..54ec63d 100644 --- a/docs/codebase-audit-2026-06-06.md +++ b/docs/codebase-audit-2026-06-06.md @@ -34,18 +34,57 @@ (Discovery sweep results appended below as agents report. Severity: critical/high/medium/low. Fix class: safe-auto / needs-judgment / manual.) -## Changes applied on this branch +## Changes applied on this branch (all verified: server+client tsc 0, vitest 134, build 0) -- `86e4cbf` fix(modals): commit FormModal footerLeft/hideCloseButton enhancements committed code depends on. -- `55a2c50` test(auth): fix 2 failing verifyAccessToken tests (assert no-log for expected token errors). +Correctness / bugs: + +- `86e4cbf` **C1** modal `footerLeft`/`hideCloseButton` enhancements committed (fixes v1.9.0 regression + tsc error). +- `55a2c50` **C2** fix 2 failing `verifyAccessToken` tests (red on master). +- `379725a` **H1/H4** `isAdminLike` reads `roleName` not `role` (admins were self-scoped on /entries,/overrides); dropped 4 stale `as any` category casts. +- `c5f986a` **H5** corrected + unified audit `entity_type` label map (was showing raw English for invoice/order/quotation/trip/vehicle + all warehouse\_\*). +- `1f05ef6` date: `todayLocalStr()` replaces 11 UTC-`today` defaults (off-by-one in post-midnight Prague). +- `744baec` security: audit-log session termination (single + all-others); new `session` EntityType. + +Consistency / cleanup: + +- `9ae49c0` parseId (trips/sessions), broad `["offers"]` invalidation, Czech messages (attendance/orders/offers/project-files), Zod 4 `z.strictObject`. +- `522afef` undefined `--danger-color`→`--danger`, dedup `formatDate` + `require2FAOptions`, removed dead `systemSettingsOptions`, dropped double `plan.css` import. +- `9c582e1` **H2/H3** log the 30 silent NAS filesystem catches (kept 3 ENOENT-expected as deliberate no-logs). + +Docs: + +- `94a9fb8` CLAUDE.md: codified "Conventions (enforced)" section; corrected stale known-issues #4 (NAS) and #5 (sanitization is in place, not a gap). +- `58bf034`/`0559664` this report + full 84-finding catalog (`codebase-audit-findings-2026-06-06.md`). + +## Remaining recommendations (NOT auto-applied — for your review) + +Deliberately left for review (too broad/behavior-risky to apply unattended, or low value): + +- **`reply.send` → helpers** (medium): ~1/3 of route files use raw `reply.send({success:true,...})` instead of `success()/paginated()`. Mechanical but touches many files + response-shape sensitive — convert per-file when touched. (List in findings catalog, dimension `routes`.) +- **Zod coercion helpers** (medium): the number/nullable-number/boolean-from-form coercions are copy-pasted ~150×; extract to `src/schemas/common.ts` (with a `NaN` guard — current coercion silently yields `NaN`). Big mechanical sweep — do with review. +- **console.\* → request logger** (medium): services log via `console.*` (bypasses pino/log-level). Architectural; needs a service-logging strategy. +- **`markOverdueInvoices`** (medium): swallows the DB-update failure and returns void, so the route treats a failed update as success — surface the error. Also it compares a `@db.Date` due_date against full `new Date()` (flips "overdue" on the due day) — compare date-only. +- **Dead exports** (low): `previewPattern()` (numbering.service), `usersQuery`/`planKeys.users()` (lib/queries/plan) — unused API surface; remove or wire up. +- **`ShiftFormModal`** (low): inline styles use `--danger-color`/`--success-color`/etc. (undefined; rely on fallbacks) — switch to the `--danger`/`--success` design tokens. +- **`.env.example` drift** (low): out of sync with vars read in `config/env.ts` — regenerate. +- **`@/*` path alias** (low): declared in tsconfig but not wired into Vite/vitest — either wire it up or remove. +- **warehouse soft-delete test** (low): a test named "soft delete" asserts a hard delete its own comment flags as buggy — clarify intent. +- **TOTP verify** doesn't increment failed-login counter (relies on rate limit); **HSTS** lacks `preload` — security hardening, low. + +Full detail + file:line for every item: `docs/codebase-audit-findings-2026-06-06.md`. ## Progress tracker - [x] Branch + clean baseline (tsc server 0 / client 0; vitest 134). -- [x] C1 modal regression found + fixed. -- [x] C2 red test suite found + fixed (134/134). -- [ ] Discovery sweep (parallel audit across ~16 dimensions) — running. -- [ ] Synthesis + prioritization. -- [ ] Safe unifications applied (verified). -- [ ] CLAUDE.md updated with codified conventions. -- [ ] Final verification + summary. +- [x] C1 modal regression + C2 red tests found & fixed (134/134). +- [x] Discovery sweep (16 parallel dimensions, 84 findings). +- [x] Synthesis + prioritization (high + safe-auto). +- [x] Safe unifications applied (12 commits, each verified green). +- [x] CLAUDE.md updated with codified conventions. +- [x] Remaining items documented as a review roadmap. +- [x] Final verification. + +## ⚠️ Action for you in the morning + +- **v1.9.1 patch:** C1 (plan edit-modal delete button) + C2 (red tests) affect production v1.9.0. Merge this branch (or cherry-pick `86e4cbf`,`55a2c50`,`379725a`,`c5f986a`) and cut a patch. +- Review this branch (`chore/codebase-consistency-audit`, 12 commits) and merge what you like. Nothing here is pushed or deployed.