BOHA
1ee59b54bc
chore(release): v2.4.35 — lint cleanup (68→0) + duplicate-Zavřít modal fix
...
UI fix:
- Close-only modals showing a redundant second close button now use
hideCancel: ReceivedInvoices paid-detail modal (was two identical "Zavřít"
buttons) and PlanCellModal "Den je součástí rozsahu".
- Add modal-duplicate-close test enforcing close-only modals set hideCancel.
Lint: cleared all 68 warnings → 0.
- preserve-caught-error: attach { cause } in ai.service / exchange-rates.
- no-require-imports: package.json version read via fs (APP_VERSION) instead
of require(), avoiding a rootDir-expanding static JSON import.
- react-hooks/exhaustive-deps (11): ref-in-cleanup copies, derived-value
useMemo wrapping, PlanGrid field extraction, stable nextKey useCallback,
AuthContext documented cycle-break.
- no-explicit-any (53): precise route param/Prisma types, generic enrich*()
preserving payload shape, minimal vite module type, frontend body/query-key
types, SystemInfo for Settings.
Refactor (test enablement): shift-form types moved to dependency-free
shiftFormTypes.ts so the print-HTML builders are unit-testable without the
component graph; characterization test pins their output.
Gates: 649 tests pass, tsc -b clean, lint 0. Verified touched flows live
via Playwright (PlanWork CRUD + optimistic cache, warehouse form keys,
Settings system info, invoice detail).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-13 18:35:31 +02:00
BOHA
519edce373
fix: 2026-06-09 full-codebase audit hardening
...
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.
Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.
Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).
Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.
Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.
Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-09 06:45:26 +02:00
BOHA
d7c7fbad88
fix: security, validation, and data integrity fixes across 53 files
...
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-28 08:40:38 +02:00
BOHA
aa6c1b5094
refactor: fix all Low findings from FLAWS_REPORT audit
...
- Auth: TOTP params from config, JWT error logging, audit log failure
logging, replaced_by_hash validation on token rotation
- Invoices: remove dead VAT code, consistent PDF permissions,
WebP magic-byte detection, deduped exchange-rate fetches
- Orders/Offers: multipart limit from config, use paginated() helper,
payment method from DB in PDF
- Projects: verify project exists before creating note
- Attendance: action_type enum validation, consistent local-time
shift_date construction, holiday attendance in work fund,
trips.view permission on last-km query
- Users: paginated() helper usage, remove duplicate dashboard keys,
parallel currency conversion, single hashToken implementation
- Frontend: memoized customInput, reliable print onload, modal prop
standardization (isOpen), ConfirmModal type icons, id===0 key
fallback, Login useCallback, CompanySettings ConfirmModal,
Attendance timeout cleanup, Dashboard memoization, beforeunload
dirty-state warnings on Invoice/Offer/Order detail
- Schema: invoice_alert_log timestamp, config/env comment on
Date.prototype.toJSON override
- Utils: exchange-rate inflight dedup
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 08:45:37 +02:00
BOHA
4f4b12f039
security: fix all Medium findings from FLAWS_REPORT audit
...
- Auth: TOTP replay protection with counter tracking, constant-time
backup code comparison, atomic lockout increment, per-token logout
- Invoices/PDFs: net-based VAT calculation, dangerous URL scheme
stripping in cleanQuillHtml, orders-pdf error handling
- Orders: reject item changes on status transition, cascading
delete cleanup, take:1 with orderBy
- Projects: atomic rename collision handling, MIME/extension
validation, empty customer name rejection
- Attendance: Czech public holiday awareness in frontend fund
calculation, leave_hours 0 handling, invalid date NaN guard,
bounded per-month queries in workfund
- Users/Admin: profile audit logging + password validation, session
revocation guard, session ID validation, dashboard DB aggregation,
soft-deleted record protection in scope templates
- Frontend: FormField label linkage, Pagination ARIA, error
handling in OrderConfirmationModal, 401 propagation, GPS emoji
hidden from screen readers, table sort state fix, geolocation
race/abort cleanup, Leaflet popup DOM safety, Vehicles toggleActive
minimal body, CompanySettings ref mutation fix, OfferDetail unlock
abort, AttendanceBalances combined fetches
- Utils: env validation, Puppeteer concurrency mutex, invoice alert
cron cleanup on shutdown, body limit alignment, TOTP error logging,
trustProxy from env, symlink rejection, rate cache Map usage
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 08:24:14 +02:00
BOHA
528e55991b
security: fix all Critical and High findings from FLAWS_REPORT audit
...
- Auth: pessimistic locking on login tokens and refresh token rotation,
backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
HTML, ref mutation fixes, accessibility attributes
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 00:58:35 +02:00
BOHA
8cdf057ab3
feat: CNB exchange rates, multi-currency KPI stats, invoice PDF VAT in CZK
...
- ČNB exchange rate service with date-specific rates and caching
- Invoice/received invoice stats convert foreign currencies to CZK
- Dashboard revenue converts all currencies to CZK
- Invoice PDF: VAT recap table always in CZK with CNB rate footer
- Inline styles replaced with utility classes (step 4 cleanup)
- Spinner animation exempt from prefers-reduced-motion
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-27 13:44:53 +01:00