- Extract detectAuthAnomalies + THRESHOLDS from route.ts to detect.ts
(Next.js rejects non-standard exports from route files)
- Add explicit RenderResult return type to test-utils customRender
- Skip ESLint during next build (runs separately via pnpm lint)
- Revert test file exclusions from tsconfig (breaks eslint parser)
- Update route.test.ts imports to match new file structure
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- #51: Add permanent redirect /login → /auth/signin in next.config.ts
so users/testers who type the common alias land on the correct auth page
- #53: Add "Allocations → New Planning Entry" link to empty states of
ProjectDemandsTable and ProjectAssignmentsTable; add shortcut link in
demands table header for canEdit users
- #54: Track confirmed dropdown selection in ResourcePersonPicker —
green ring + checkmark icon shown when user picks from suggestions;
cleared on any manual keypress so free-text is clearly unconfirmed
Co-Authored-By: claude-flow <ruv@ruv.net>
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
run db:migrate:deploy on container start so a fresh checkout boots without manual steps
Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)
Co-Authored-By: claude-flow <ruv@ruv.net>
The static import of @sentry/nextjs at module level triggered worker
thread creation even when withSentryConfig was only called in production.
This caused recurring "Cannot find module vendor-chunks/lib/worker.js"
crashes that killed the dev server mid-request.
Fix: replaced static import with dynamic require() inside a
NODE_ENV === "production" block. In dev mode, the Sentry module
is never loaded at all.
Co-Authored-By: claude-flow <ruv@ruv.net>
The withSentryConfig() wrapper caused recurring worker.js crashes
in Next.js dev mode (vendor-chunks/lib/worker.js MODULE_NOT_FOUND).
This crashed the server mid-request during image generation and
other long-running operations.
Fix: only apply withSentryConfig in production. In dev mode, use
the raw Next.js config. Sentry instrumentation also gated to
production only.
Co-Authored-By: claude-flow <ruv@ruv.net>
- @sentry/nextjs installed and configured for client, server, and edge
- Instrumentation hook registers Sentry on Node.js and edge runtimes
- Global error boundary captures unhandled errors to Sentry
- next.config.ts wrapped with withSentryConfig (source maps disabled)
- No-op when NEXT_PUBLIC_SENTRY_DSN is not set
To enable: set NEXT_PUBLIC_SENTRY_DSN in .env.local or .env.production
Co-Authored-By: claude-flow <ruv@ruv.net>
Redesigned timeline project and resource panels with expanded detail views,
added quick filter toolbar, improved drag handling, and enhanced vacation/entitlement
router logic. Includes e2e test updates and minor API fixes.
Co-Authored-By: claude-flow <ruv@ruv.net>
Hartmut