docs(audit): finalize report — applied changes + review roadmap
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -34,18 +34,57 @@
|
|||||||
|
|
||||||
(Discovery sweep results appended below as agents report. Severity: critical/high/medium/low. Fix class: safe-auto / needs-judgment / manual.)
|
(Discovery sweep results appended below as agents report. Severity: critical/high/medium/low. Fix class: safe-auto / needs-judgment / manual.)
|
||||||
|
|
||||||
## Changes applied on this branch
|
## Changes applied on this branch (all verified: server+client tsc 0, vitest 134, build 0)
|
||||||
|
|
||||||
- `86e4cbf` fix(modals): commit FormModal footerLeft/hideCloseButton enhancements committed code depends on.
|
Correctness / bugs:
|
||||||
- `55a2c50` test(auth): fix 2 failing verifyAccessToken tests (assert no-log for expected token errors).
|
|
||||||
|
- `86e4cbf` **C1** modal `footerLeft`/`hideCloseButton` enhancements committed (fixes v1.9.0 regression + tsc error).
|
||||||
|
- `55a2c50` **C2** fix 2 failing `verifyAccessToken` tests (red on master).
|
||||||
|
- `379725a` **H1/H4** `isAdminLike` reads `roleName` not `role` (admins were self-scoped on /entries,/overrides); dropped 4 stale `as any` category casts.
|
||||||
|
- `c5f986a` **H5** corrected + unified audit `entity_type` label map (was showing raw English for invoice/order/quotation/trip/vehicle + all warehouse\_\*).
|
||||||
|
- `1f05ef6` date: `todayLocalStr()` replaces 11 UTC-`today` defaults (off-by-one in post-midnight Prague).
|
||||||
|
- `744baec` security: audit-log session termination (single + all-others); new `session` EntityType.
|
||||||
|
|
||||||
|
Consistency / cleanup:
|
||||||
|
|
||||||
|
- `9ae49c0` parseId (trips/sessions), broad `["offers"]` invalidation, Czech messages (attendance/orders/offers/project-files), Zod 4 `z.strictObject`.
|
||||||
|
- `522afef` undefined `--danger-color`→`--danger`, dedup `formatDate` + `require2FAOptions`, removed dead `systemSettingsOptions`, dropped double `plan.css` import.
|
||||||
|
- `9c582e1` **H2/H3** log the 30 silent NAS filesystem catches (kept 3 ENOENT-expected as deliberate no-logs).
|
||||||
|
|
||||||
|
Docs:
|
||||||
|
|
||||||
|
- `94a9fb8` CLAUDE.md: codified "Conventions (enforced)" section; corrected stale known-issues #4 (NAS) and #5 (sanitization is in place, not a gap).
|
||||||
|
- `58bf034`/`0559664` this report + full 84-finding catalog (`codebase-audit-findings-2026-06-06.md`).
|
||||||
|
|
||||||
|
## Remaining recommendations (NOT auto-applied — for your review)
|
||||||
|
|
||||||
|
Deliberately left for review (too broad/behavior-risky to apply unattended, or low value):
|
||||||
|
|
||||||
|
- **`reply.send` → helpers** (medium): ~1/3 of route files use raw `reply.send({success:true,...})` instead of `success()/paginated()`. Mechanical but touches many files + response-shape sensitive — convert per-file when touched. (List in findings catalog, dimension `routes`.)
|
||||||
|
- **Zod coercion helpers** (medium): the number/nullable-number/boolean-from-form coercions are copy-pasted ~150×; extract to `src/schemas/common.ts` (with a `NaN` guard — current coercion silently yields `NaN`). Big mechanical sweep — do with review.
|
||||||
|
- **console.\* → request logger** (medium): services log via `console.*` (bypasses pino/log-level). Architectural; needs a service-logging strategy.
|
||||||
|
- **`markOverdueInvoices`** (medium): swallows the DB-update failure and returns void, so the route treats a failed update as success — surface the error. Also it compares a `@db.Date` due_date against full `new Date()` (flips "overdue" on the due day) — compare date-only.
|
||||||
|
- **Dead exports** (low): `previewPattern()` (numbering.service), `usersQuery`/`planKeys.users()` (lib/queries/plan) — unused API surface; remove or wire up.
|
||||||
|
- **`ShiftFormModal`** (low): inline styles use `--danger-color`/`--success-color`/etc. (undefined; rely on fallbacks) — switch to the `--danger`/`--success` design tokens.
|
||||||
|
- **`.env.example` drift** (low): out of sync with vars read in `config/env.ts` — regenerate.
|
||||||
|
- **`@/*` path alias** (low): declared in tsconfig but not wired into Vite/vitest — either wire it up or remove.
|
||||||
|
- **warehouse soft-delete test** (low): a test named "soft delete" asserts a hard delete its own comment flags as buggy — clarify intent.
|
||||||
|
- **TOTP verify** doesn't increment failed-login counter (relies on rate limit); **HSTS** lacks `preload` — security hardening, low.
|
||||||
|
|
||||||
|
Full detail + file:line for every item: `docs/codebase-audit-findings-2026-06-06.md`.
|
||||||
|
|
||||||
## Progress tracker
|
## Progress tracker
|
||||||
|
|
||||||
- [x] Branch + clean baseline (tsc server 0 / client 0; vitest 134).
|
- [x] Branch + clean baseline (tsc server 0 / client 0; vitest 134).
|
||||||
- [x] C1 modal regression found + fixed.
|
- [x] C1 modal regression + C2 red tests found & fixed (134/134).
|
||||||
- [x] C2 red test suite found + fixed (134/134).
|
- [x] Discovery sweep (16 parallel dimensions, 84 findings).
|
||||||
- [ ] Discovery sweep (parallel audit across ~16 dimensions) — running.
|
- [x] Synthesis + prioritization (high + safe-auto).
|
||||||
- [ ] Synthesis + prioritization.
|
- [x] Safe unifications applied (12 commits, each verified green).
|
||||||
- [ ] Safe unifications applied (verified).
|
- [x] CLAUDE.md updated with codified conventions.
|
||||||
- [ ] CLAUDE.md updated with codified conventions.
|
- [x] Remaining items documented as a review roadmap.
|
||||||
- [ ] Final verification + summary.
|
- [x] Final verification.
|
||||||
|
|
||||||
|
## ⚠️ Action for you in the morning
|
||||||
|
|
||||||
|
- **v1.9.1 patch:** C1 (plan edit-modal delete button) + C2 (red tests) affect production v1.9.0. Merge this branch (or cherry-pick `86e4cbf`,`55a2c50`,`379725a`,`c5f986a`) and cut a patch.
|
||||||
|
- Review this branch (`chore/codebase-consistency-audit`, 12 commits) and merge what you like. Nothing here is pushed or deployed.
|
||||||
|
|||||||
Reference in New Issue
Block a user