package.json requested ^15.5.15 but pnpm-lock.yaml had ^16.2.3,
breaking container startup under --frozen-lockfile.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The useQuery type cast was using `as any` behind a blanket eslint-disable.
Using an explicit function-shape cast is both safer and removes the lint
error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BenchResourceCard, MobileProjectCard, MobileCapacityCard, DynamicFieldRenderer,
BudgetStatusBar, and TimelineHeader use no hooks, event handlers, or browser APIs —
they can be server components, reducing client bundle size.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- KeyboardShortcutOverlay: add role="dialog", aria-modal, aria-labelledby, close button aria-label
- Timeline popovers (5 files): add aria-label="Close" to symbol-only close buttons
- TimelineToolbar: add aria-label to navigation and undo/redo icon buttons
- ComputationGraphClient: add aria-pressed to 2D/3D and view mode toggle buttons
- BulkEditModal: fix type mismatch from jsonb field hardening
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace z.unknown() with z.union([z.string(), z.number(), z.boolean(), z.null()])
to constrain what values can be written into the dynamicFields jsonb column via
the $executeRaw path. Prevents arbitrary nested structures from being serialized.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- MfaPromptBanner: silently hide on query error (non-critical advisory banner)
- Step1Identity: show skeleton placeholders while blueprint list loads
- MobileSummaryClient: add error state with retry button for dashboard queries
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SmtpSettingsPanel now owns its form state, save/test mutations, and feedback state
internally. Props reduced from 17 to 2 (initialSettings + onSettingsSaved callback).
Removes 7 useState declarations, 2 mutation definitions, and 1 handler from the parent.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract overlay/popover JSX from TimelineView (1268→1037 lines) into TimelineDragOverlays and
TimelinePopovers. Extract ResourceMonthConfigSection from ReportBuilder (1132→1018 lines).
Extract ResourceSkillsEditor and ResourceOrgClassification from ResourceModal (1035→714 lines).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- timeline-holiday-load-support: deduplicate getResolvedCalendarHolidays
by location key so resources sharing the same country/state/city resolve
holidays once instead of per-resource
- rate-card-lookup: add lookupRatesBatch that loads rate card lines once
and scores locally per demand line, replacing per-line DB round-trips
in estimate-demand-lines autoFillDemandLineRates
- config-readmodels: include _count in utilization-category list query
instead of calling getById per category for project counts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move renderOpenDemandRow, renderProjectUtilOverlay, and renderProjectDragHandles
(534 lines) to timelineProjectRenderers.tsx. TimelineProjectPanel: 1230 -> 687 lines.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract ReportResultsPanel (293 lines) from ReportBuilder (1231→1044 lines)
and move 38 inline icon components from AppShell (937→833 lines) to nav-icons.tsx.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace z.array(z.unknown()) with RolePresetsSchema for blueprint
role presets mutation input, ensuring structural validation before
Prisma JSON cast. Also adds SECURITY.md for vulnerability disclosure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add pnpm audit --audit-level=high to CI guardrails job so vulnerable
packages are caught before merge, not just in nightly scans
- Add CODEOWNERS for review routing on infra, schema, and auth changes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract each wizard step into its own file under project-wizard/:
StepBar, DynamicFieldInput, Step1Identity, ResourcePersonPicker,
Step2Timeline, Step3Staffing, Step4Suggestions, Step5Review.
Main file reduced from 1,385 to 112 lines.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- useInvalidateTimeline and useInvalidatePlanningViews now return
Promise.all instead of fire-and-forget void calls
- Timeline mutations now use useInvalidatePlanningViews to also
invalidate allocation list views, preventing stale data
- AllocationsClient sequential awaits replaced with single
invalidatePlanningViews() call (parallel invalidation)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reduces unnecessary re-renders by separating the monolithic 20+ property
context into TimelineDataContext, TimelineViewContext, and
TimelineDisplayContext. Panel components now subscribe only to the
slices they need.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Root, auth, invite, and setup routes now have error.tsx files,
ensuring every Next.js page route has error boundary coverage.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add indexes on Resource(blueprintId, roleId), DemandRequirement(roleId),
Assignment(roleId) — commonly filtered FK columns that were missing indexes
- Replace N+1 batch delete pattern (2N queries) with findAllocationEntries()
that does 2 total queries via findMany({ id: { in: ids } })
- Add take/skip pagination with default limit of 500 to listDemands and
listAssignments to prevent unbounded result sets
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move CI_AUTH_SECRET from plaintext to ${{ secrets.CI_AUTH_SECRET }}
- Wrap password reset (update + session kill + token mark) in $transaction
to prevent stale sessions on partial failure (CWE-613)
- Rate limiter Redis fallback now uses stricter degraded limits
(maxRequests/10) and logs at error level instead of warn
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The bind mount (.:/app) provides workspace-level node_modules symlinks
from the host, but those target the root node_modules/.pnpm store which
inside the container is a named volume with different content-addressable
hashes. Added `pnpm install --frozen-lockfile` to app-dev-start.sh so
symlinks are regenerated against the container's store on every boot.
Also adds restart.sh convenience script for image rebuilds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Extract detectAuthAnomalies + THRESHOLDS from route.ts to detect.ts
(Next.js rejects non-standard exports from route files)
- Add explicit RenderResult return type to test-utils customRender
- Skip ESLint during next build (runs separately via pnpm lint)
- Revert test file exclusions from tsconfig (breaks eslint parser)
- Update route.test.ts imports to match new file structure
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds @axe-core/playwright with a shared fixture providing an `axe`
helper. New a11y.spec.ts runs WCAG 2.1 AA checks on signin, dashboard,
timeline, allocations, resources, and projects pages. Currently reports
violations as warnings — upgrade to hard failures after fixes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Covers: aria-sort/aria-labelledby attributes, non-Error throws in
ErrorBoundary, NaN/MAX_SAFE_INTEGER in formatCents, invalid dates,
carriage returns in CSV, self-closing HTML tags in sanitize, non-digit
input in DateInput, panel-click-not-dismissing in ConfirmDialog,
role="search" on FilterBar.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds `pnpm check:unused` script powered by knip. Initial run finds
17 unused files, 3 unused deps, 96 unused exports, and 117 unused
exported types — all candidates for cleanup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Install eslint-plugin-jsx-a11y and add 24 recommended rules to the
nextjs ESLint config, all set to warn. Baseline: 292 warnings
(207 label-has-associated-control, 52 no-static-element-interactions,
22 click-events-have-key-events, 10 no-autofocus, 1 html-has-lang).
Will be upgraded to errors after Phase 5c fixes core components.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move renderAllocBlocksFromData, renderLoadGraph, renderHeatmapOverlay,
renderDailyBars into timelineResourceRender.tsx (707 lines).
TimelineResourcePanel reduced from 1,270 to 589 lines.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract types.ts, FilterDropdown.tsx, BooleanBadge.tsx from
ResourcesClient.tsx into resource-client/ subdirectory.
ResourcesClient reduced from 1,613 to 1,507 lines.
Fix TypeScript strict mode errors across 8 test files:
- Add id/order to BlueprintFieldDefinition test objects
- Use FieldType enum instead of string literals in useFilters
- Add non-null assertions for mock.calls array access
- Type ScrollDiv for jsdom scrollLeft workaround
- Fix exactOptionalPropertyTypes violations
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Covers estimate list, getById, version snapshot aggregation, rethrowEstimateRouterError,
submit/approve/createRevision workflow procedures. Vacation read covers isSameUtcDay,
list, getById, getForResource, team overlap, and team overlap detail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Covers comment CRUD/resolve/delete, project status transitions and cascade
deletes, dispo import batch read/cancel/commit/resolve, and holiday calendar
catalog read with identifier fallback lookup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 3c continued: covers admin settings CRUD with secret handling,
webhook lifecycle with SSRF validation, and calculation rules with
controller/manager authorization boundaries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 3c: covers list/getById/create/update for all three routers
including authorization guards, conflict detection, NOT_FOUND errors,
and audit logging verification.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 3b continued: covers chargeability-relevance pure functions,
estimate CRUD (create, clone, list with filters), and version lifecycle
(submit, approve, create revision) with NOT_FOUND and status guard tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 3b Tier 2: covers skill gaps, project health, top value resources,
and peak times dashboard queries including empty data edge cases,
filtering logic, and authorization guards.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 3a: raises shared schema coverage from 5.5% to ~95%. Tests cover
valid roundtrips, invalid rejection, edge cases for refinements, defaults,
date coercion, and the generateDynamicZodSchema runtime builder.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tests fell behind source changes: lastTotpAt replay-attack prevention,
activeSession invalidation on password reset, select clauses in
permission updates, UNAUTHORIZED (anti-enumeration) for disabled TOTP,
and password minimum raised from 8 to 12 characters.
Also fix root eslint.config.mjs to ignore packages/ (linted via turbo)
and add --no-warn-ignored to lint-staged to suppress warnings for
ignored files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cast Zod schemas with .refine()/.superRefine() to z.ZodType<InferredType> at the
procedure level. This short-circuits TypeScript's deep type recursion through
tRPC's middleware chain, eliminating 4 of 5 @ts-expect-error TS2589 suppressions
in web components (VacationModal, ProjectModal, UsersClient, CountriesClient).
Applied same pattern to allocation, timeline, staffing, dashboard, project, and
resource query/mutation procedures to reduce client-side type depth.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- ProjectHealthWidget: row already typed as ProjectHealthRow with id field
- ResourceDetail: use narrowed unknown cast instead of any for error code
- provider.tsx: same pattern for TRPCClientError data access
- ChatPanel: use intersection type for Next.js typed route push
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hartmut