WS-3 session 1c — Phase B Q1=B-revised (Bert's call after the
plugin-reality discovery).
eslint-plugin-boundaries treats both static `import` and dynamic
`await import(...)` as boundary edges. The original Q1=B mechanism
("convert static→dynamic to satisfy the rule") doesn't actually
satisfy the rule — all 4 store accesses in lib/axios.ts trip
boundaries/element-types: lines 3, 4 (static, pre-1c) and lines
61, 72 (dynamic, from 1b-iii).
Three options were on the table; Bert chose B-revised:
- A-reversal (allow lib→stores in matrix) was rejected because it
permanently loosens the boundary for 4 imports — exactly the
silent exception the zero-compromise principle forbids.
- B-extract (decouple axios.ts from stores via callback-injection)
is real architectural work and deserves a focused session, not
the tail-end of a tooling sprint. Filed as TECH-AXIOS-STORE-
COUPLING in the next docs commit; the four sites carry per-line
TODO references to it.
- B-revised (this commit) preserves the strict matrix:
boundaries/element-types stays at 'error' globally; the four
axios.ts sites are explicit per-line exceptions, not a rule
loosening. Future lib/X.ts writers still hit the wall.
Behavior unchanged. Only lint visibility changed — 4 disable
comments added at:
- src/lib/axios.ts:3 (static useNotificationStore import)
- src/lib/axios.ts:5 (static useOrganisationStore import; was line 4)
- src/lib/axios.ts:63 (dynamic useImpersonationStore await import; was line 61)
- src/lib/axios.ts:75 (dynamic useAuthStore await import; was line 72)
Each comment is exactly:
// eslint-disable-next-line boundaries/element-types -- TECH-AXIOS-STORE-COUPLING: deliberate HTTP↔state seam, refactor scheduled per backlog.
Commit verb is `chore` not `refactor` per Bert: the code's behavior
doesn't change, only its lint-visibility does. Honest naming.
Tests + typecheck + build verified green:
- apps/app vitest: 49 passed
- apps/app vue-tsc: clean
- apps/app pnpm build: succeeded in 11.24s
Lint baseline: 4 → 0 errors. WS-3 1c acceptance criterion satisfied.
Co-Authored-By: Claude <noreply@anthropic.com>
WS-3 session 1b-iii Task 3.
Rewrites the response-interceptor error handler from
\`error => { ... void import(...).then(...) }\` to
\`async error => { ... await import(...) }\`.
Motivation: session 1b-ii's Q4 chose option-a (\`void\` prefix on
the dynamic-import chains), but empirically that doesn't satisfy
the promise/no-promise-in-callback rule — the rule fires on any
promise creation inside a callback, regardless of discard pattern.
Two warnings remained on lib/axios.ts:61, 73.
The async/await rewrite is semantically identical:
- Both call sites already end in window.location.href = ... which
navigates away, so the few ms of \`await\` resolution latency is
unobservable.
- The original return Promise.reject(error) becomes throw error in
an async function (async wraps throws in rejected promises).
Verified preserved byte-for-byte:
- 403 + impersonation_ended branch: clearState + redirect to /platform
+ rejection (now via throw)
- 401 branch: handleUnauthorized when authStore.isInitialized
- 403 / 404 / 422 / 503 / 5xx / !response notification branches
(untouched in diff — all still in same order, same messages)
- Final rejection so calling code's catch fires (now via throw)
- Request interceptor not touched
- No imports added or removed
Tests + typecheck verified green. Build smoke: pnpm build succeeded
in 11.13s, zero warnings.
Lint baseline: 3 → 1 (the 2 promise/no-promise-in-callback warnings
on axios.ts:61, 73 are gone). The remaining 1 item is a pre-existing
sonarjs/no-collapsible-if at useImpersonationStore.ts:103 — see the
1b-iii final report.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 5b+c (audit Bucket E.2-E.5 — 6 items resolved,
2 promise/no-promise-in-callback warnings remain on dynamic-import
sites — see deviations).
This commit is split out from the originally-planned grouped Task 5
because the API stream timed out mid-session. E.1 (isAxiosError) is in
the preceding commit 0f155d9.
E.2 — vitest spec to Composition API (1× vue/component-api-style):
- useFormFailures.spec.ts: rewrote the test wrapper from
\`{ setup() { return { result } }, render: () => h('div') }\`
to \`setup(_, { expose }) { expose({ result }); return () => h('div') }\`.
Pure Composition API: setup returns the render function; expose()
declares the instance-visible \`result\` that the 7 \`vm.result.*\`
assertions consume. Tests still pass green (49 tests).
E.3 — REAL BUG: missing return in computed (1× vue/return-in-computed-property):
- useTimeSlotDropdown.ts:80: the \`fetchParams\` computed had a switch
over the \`DropdownScenario\` type (4 string-literal cases) without
a \`default\` branch. If \`scenario.value\` ever returned a value
outside the four narrowed cases (e.g. via a future type-assertion
drift), the computed silently returned \`undefined\`, and the
consumer code (\`fetchParams.value.includeParent\`) would throw
\`Cannot read property 'includeParent' of undefined\`. Added a
\`default\` branch returning \`{ includeParent: false, includeChildren: false }\`
— same as the 'flat' case (the safest baseline: include only own
slots, no hierarchy).
E.4 — SECURITY (1× vue/no-template-target-blank):
- pages/organisation/index.vue:343: the external website anchor had
\`target='_blank'\` with \`rel='noopener'\` (only one). The rule
requires the full \`rel='noopener noreferrer'\` pair. Updated.
Mitigates reverse-tabnabbing (window.opener) AND referrer-leakage
to the linked third-party site.
E.5 — axios fire-and-forget (3× promise/no-promise-in-callback,
1 fully resolved + 2 warnings remain):
- lib/axios.ts:42: changed \`error => Promise.reject(error)\` to
\`async error => { throw error }\`. Semantically identical (axios
interceptor onRejected returns a rejected promise either way) and
satisfies the lint rule.
- lib/axios.ts:61, 73: prefixed the dynamic-import chains with \`void\`
per Q4's option-a decision (\`void import('@/stores/...').then(...)\`).
This makes the discard intent explicit, but empirically does NOT
satisfy promise/no-promise-in-callback — the rule fires on any
promise creation inside a callback, regardless of the discard
pattern. The 2 warnings remain in the post-Task-5 baseline.
Resolution path is Bert's call: either keep \`void\` and accept
the warnings as documentation, or rewrite to \`async error => {
const { useStore } = await import(...); ... }\` which sequentializes
the dynamic-import resolution with the rejection. Out of scope for
this session per the literal Q4 recipe.
Tests + typecheck verified green.
Lint baseline: 34 → 32.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The approve() and bulkApprove() methods in ShiftAssignmentService
hard-blocked with a 422 when all slots were filled. This was incorrect
for organiser actions — only volunteer claims (portal self-service)
should enforce capacity limits. Organiser assign() already allowed
overbooking, making the approve block inconsistent.
Changes:
- Remove capacity hard-block from approve() and bulkApprove(), replace
with audit log entry (shift.overbooked_approval)
- Add overbook confirmation dialog in ShiftDetailPanel before approving
a full shift (single + bulk approve)
- Add onError handlers to all mutations in ShiftDetailPanel (approve,
reject, cancel, bulk-approve) so errors display in the snackbar
- Add global 422 validation error display in axios interceptor via
useNotificationStore as safety net for all components
- Add PHPUnit test for approve-when-full scenario
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backend:
- CookieBearerToken middleware reads httpOnly cookie and injects Authorization
header before Sanctum validates (prepended to API middleware group)
- SetAuthCookie trait provides cookie creation/expiry helpers with per-app
cookie names (crewli_admin_token, crewli_app_token, crewli_portal_token)
- LoginController sets token via Set-Cookie, removes it from JSON body
- LogoutController expires the auth cookie on logout
- AuthRefreshController (POST /auth/refresh) rotates tokens with new cookie
- InvitationController accept also sets token via cookie, not JSON body
- All cookies: httpOnly, SameSite=Strict, Secure (in production)
Frontend (all three SPAs):
- Removed all localStorage token storage (apps/app, apps/portal)
- Removed all JS-readable cookie token storage (apps/admin)
- Removed Authorization: Bearer header interceptors from axios
- Auth stores now rely on GET /auth/me to validate httpOnly cookie
- Admin app: new Pinia auth store replaces useCookie-based auth pattern
- withCredentials: true ensures browser sends cookies automatically
Fixes security findings A13-1 (localStorage tokens) and A13-2 (admin
cookie flags). Tokens are now invisible to JavaScript.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config
Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
