- e2e: switch schema reset + sanity check from psql (not installed in
act_runner's catthehacker/ubuntu image) to `prisma db execute --stdin`
which is already a dev dep.
- docker-deploy: after `db push` the schema matches schema.prisma but
_prisma_migrations is empty, so the follow-up `migrate deploy` fails
with P3005. Baseline each migration directory as applied via
`prisma migrate resolve --applied` before deploy; the migrations
themselves are idempotent supplements, so marking-as-applied is safe.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- e2e: use prisma db push --force-reset so the job starts from a
guaranteed clean schema (previous runs hit missing audit_logs
even though push reported in-sync; suspected stale service volume).
- docker-deploy: run prisma db push before db:migrate:deploy in
app-dev-start.sh. The migrations/*.sql files are idempotent
supplements (IF NOT EXISTS guards) that assume base tables already
exist; a fresh container has no tables, so the first incremental
migration's FK on "users" fails. db push creates the baseline,
migrate deploy then layers on the incremental additions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The bind mount (.:/app) provides workspace-level node_modules symlinks
from the host, but those target the root node_modules/.pnpm store which
inside the container is a named volume with different content-addressable
hashes. Added `pnpm install --frozen-lockfile` to app-dev-start.sh so
symlinks are regenerated against the container's store on every boot.
Also adds restart.sh convenience script for image rebuilds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Install eslint-plugin-jsx-a11y and add 24 recommended rules to the
nextjs ESLint config, all set to warn. Baseline: 292 warnings
(207 label-has-associated-control, 52 no-static-element-interactions,
22 click-events-have-key-events, 10 no-autofocus, 1 html-has-lang).
Will be upgraded to errors after Phase 5c fixes core components.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Install husky v9 + lint-staged: pre-commit runs eslint --fix and prettier on staged files
- Tighten ESLint base config: no-console→error, ban-ts-comment (ts-ignore banned, ts-expect-error with description allowed), reportUnusedDisableDirectives→error
- Migrate web app from deprecated `next lint` to `eslint src/` with flat config and react-hooks plugin
- Convert all 5 @ts-ignore to @ts-expect-error with descriptions, remove stale disable comments
- Add NEXT_PUBLIC_SENTRY_DSN to docker-compose.prod.yml and .env.example
- Add coverage artifact upload step to CI test job
- Pre-existing violations (102 warnings) downgraded to warn in web config for Phase 2 cleanup
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs postgresql-client in the dev image so pg_isready is available.
The startup script now polls until postgres accepts connections, preventing
the P1001 "can't reach database" crash when the app container starts before
postgres is fully ready.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
run db:migrate:deploy on container start so a fresh checkout boots without manual steps
Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)
Co-Authored-By: claude-flow <ruv@ruv.net>
Hartmut