Per WS-3 PR-B1 charter §4.2: portal pages relocate into the
single-SPA layout under apps/app/src/pages/portal/** (authenticated
portal context) and apps/app/src/pages/register/** (public
token-based form-fill / confirmation).
Updated meta blocks:
- Portal pages: layout: 'PortalLayout', context: 'portal'
(preserving original requiresAuth + nav fields)
- Register pages: layout: 'PublicLayout' (drop requiresAuth)
Skipped (apps/portal duplicates of pages already in apps/app):
index.vue, login.vue, wachtwoord-{vergeten,resetten}.vue,
verify-email-change.vue. Deleted: [...path].vue (apps/app already
has [...error].vue catch-all).
NOTE: Component/store/composable imports inside these files still
point at apps/portal-relative paths and will be rewritten in the
next commits. Build will not be green again until commit 6
(composables/lib).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Inlines the form-schema source folder (no package.json, alias-only)
into apps/app/src/composables/forms. Drops the @form-schema alias
from apps/app/vite.config.ts (replaced by @/composables/forms via
the existing @ alias). apps/portal vite + vitest configs keep
@form-schema as a temporary alias pointing at the new location so
portal tests/build keep working until apps/portal is removed at the
end of this PR. Two pure-logic form-schema tests moved alongside.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Creates portal/register/shared/forms sub-folders ahead of the moves
in subsequent commits. Empty .gitkeep markers will be replaced by
real content as the moves land.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Records the naming-vs-coverage gap surfaced during WS-6 closure
verification: ARCH-FORM-BUILDER §31 references five integration
contract tests by name that don't exist under those filenames in
api/tests/Feature/FormBuilder/Integration/. Coverage may be intact
under different filenames; only the §31 naming index is stale.
Low priority — defer to whoever next touches FormBuilder
integration tests.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
WS-6 (FormBindingApplicator pipeline) is fully landed in main —
sessions 1, 2, and 3 all merged. Verification on 2026-05-04
confirmed every RFC-WS-6.md §7 deliverable plus the v1.1/v1.2
addenda. Backend test suite green at 1486 tests, above the RFC
§8 target of 1445-1465.
Adds a closure-marker note documenting what's verified in main
and adds a single status line under §6.2 of the consolidation
plan pointing at it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After today's WS-6 feat-branch audit revealed ten stale branches that
had been merged via squash/cherry-pick paths but never deleted, codify
the cleanup expectation directly in CLAUDE.md. Each feature branch is
expected to be deleted locally and on origin immediately after merge —
not "eventually" — to prevent SHA-illusion confusion in future audits.
Co-Authored-By: Claude <noreply@anthropic.com>
Both interceptor error handlers in lib/axios.ts were declared
`async` but contain zero `await` calls — the request handler
just rethrows, and the response handler walks a synchronous
status-code branching tree before rethrowing. axios accepts both
sync and async handler signatures, so dropping the keyword is
mechanical and behavior-neutral.
Co-Authored-By: Claude <noreply@anthropic.com>
Chose Option A from the follow-up brief: useImpersonationStore
already holds an `ImpersonationState` ref hydrated from
sessionStorage at store-init and exposes the active impersonation
target user as a public `targetUserId` computed. The store is the
canonical source; sessionStorage is just its persistence sidecar.
Adds a fifth callback `getImpersonationTargetUserId: () => string
| null` to AxiosBindingsDeps and replaces the
sessionStorage.getItem('crewli_impersonation') + JSON.parse block
in the request interceptor with a single `deps.getImpersonationTargetUserId()`
call. The bindings plugin wires it to
`useImpersonationStore().targetUserId`.
After this commit lib/axios.ts has zero references to
sessionStorage and zero magic strings about impersonation
persistence — the only persistence-mechanism knowledge left is in
useImpersonationStore (where it belongs) and in
plugins/3.axios-bindings.ts (allowed to know about stores). The
HTTP module is now unambiguously pure infrastructure.
Behavior preserved 1:1: the store hydrates from sessionStorage
synchronously inside the defineStore factory, so the very first
HTTP request after page load sees the same target user id as
before.
Co-Authored-By: Claude <noreply@anthropic.com>
Removes the closed TECH-AXIOS-STORE-COUPLING entry from BACKLOG.md
(the structural decoupling landed in 53f6a7b + 26a92b3). The
git-history search `git log --grep=TECH-AXIOS-STORE-COUPLING`
remains the durable closure record, per the backlog hygiene
convention.
Adds a follow-up entry TECH-AXIOS-INTERCEPTOR-TESTS that captures
all four acceptance scenarios (X-Organisation-Id header
injection, 401 auth-fail flow, 403+impersonation_ended revocation
flow, 4xx/5xx error toast). Phase A audit found that none of
these is tested today; the refactor is gedragsneutraal so no
regression was introduced, but the gap is real and should not
silently outlive the refactor that made it visible. Priority
medium per Bert's Phase B sign-off.
Appends the debt-closed sentence to the Sessie 1c entry in
ARCH-CONSOLIDATION-2026-04.md, citing commit 53f6a7b.
Co-Authored-By: Claude <noreply@anthropic.com>
Supplies the runtime closures that the registerInterceptors seam
needs. The plugin imports the four stores
(`useOrganisationStore`, `useNotificationStore`, `useAuthStore`,
`useImpersonationStore`) — allowed by the boundaries matrix
(`plugins → stores`) — and passes them as lazy callbacks so the
store factories only resolve when an HTTP call actually fires.
Numeric prefix `3.` runs after `2.pinia.ts` (auto-loaded by
`@core/utils/plugins.ts` in alphabetical-path order), so Pinia is
guaranteed active before the bindings register. No change to
`main.ts` is required — the file is picked up by the existing
`import.meta.glob('./plugins/*.{ts,js}')` glob.
Two redirects previously inside axios.ts now live where they
belong:
- `window.location.href = '/platform'` on impersonation
revocation, in the `onImpersonationRevoked` closure.
- `handleUnauthorized()` (which itself redirects to `/login`)
on 401, gated by `isInitialized` inside the `onAuthFail`
closure — preserves the race-condition fix from sessie 1b-iii.
With this commit the two Vite mixed-import warnings
(useAuthStore + useImpersonationStore being both statically and
dynamically imported) disappear from `pnpm build`. Lint stays at
0 problems, typecheck clean, 49/49 tests pass.
Refs TECH-AXIOS-STORE-COUPLING.
Co-Authored-By: Claude <noreply@anthropic.com>
Closes the lib → stores boundary violations that WS-3 sessie 1c
flagged. lib/axios.ts is now pure HTTP infrastructure: it exports
the configured `apiClient` plus a `registerInterceptors(client,
deps)` function that takes a typed `AxiosBindingsDeps` callback
bag (`getActiveOrgId`, `notify`, `onAuthFail`,
`onImpersonationRevoked`). All four `eslint-disable-next-line
boundaries/element-types` comments referencing
TECH-AXIOS-STORE-COUPLING are removed in the same change because
the imports they suppressed are gone — they would otherwise be
orphan disables.
Behavior is preserved 1:1: same status-code branching, same toast
messages, same DEV-only console logs, same sessionStorage-driven
X-Impersonate-User header (which never depended on a store and
stays in lib/axios.ts as before). The two redirects that used to
live in axios.ts (`/platform` on impersonation revocation,
`/login` on auth fail) move into the bindings-plugin closures so
the HTTP module stops knowing about routing.
The `apiClient` singleton is now exported without interceptors
attached — the bindings plugin
(`plugins/3.axios-bindings.ts`, follow-up commit) wires them up
during plugin-init, before `app.mount`.
Refs TECH-AXIOS-STORE-COUPLING.
Co-Authored-By: Claude <noreply@anthropic.com>
Phase A of TECH-AXIOS-STORE-COUPLING. Read-only inventory of the
four lib/axios.ts → stores/ touchpoints (lines 3, 5, 63, 75 carry
per-line boundary disables), plugin load-ordering analysis, test
coverage matrix, consumer audit (30 importers, all using the
`apiClient` named export), and Vite mixed-import warning
confirmation.
Surfaces four open questions for Phase B sign-off:
Q1 callback-injection vs event-bus → recommends callback-injection
Q2 location of `Deps` type → recommends inside lib/axios.ts
Q3 test scope for this session → recommends defer to backlog
Q4 plugin filename → recommends 3.axios-bindings.ts
No code changed. No BACKLOG.md edit. Awaiting Bert's Phase B
sign-off before implementing Phase C.
Co-Authored-By: Claude <noreply@anthropic.com>
Triggered by the typed-router.d.ts regeneration in 3198698. Documents
three approaches (lefthook pre-commit, gitignore+postinstall, CI-check)
with their trade-offs. Defers selection to implementation time;
recommends bundling with the next pages-tree refactor (likely WS-3 PR-B).
Co-Authored-By: Claude <noreply@anthropic.com>
unplugin-vue-router regenerates this file at build time. Missed in an
earlier merge — probably during a WS-6 admin-UI consolidation. The
form-failures pages and tests are already in main; only the typed
declaration was stale.
Routes added to the typed declaration:
- /organisation/form-failures
- /organisation/form-failures/:id
- /platform/form-failures
- /platform/form-failures/:id
Co-Authored-By: Claude <noreply@anthropic.com>
- TECH-VSCODE-STALE-ADMIN-ENTRY: closed in b9f8f558d1
- TECH-DELETE-DEAD-VIEWS: closed in bdbd5b0335
Both items shipped; references preserved in git history.
Co-Authored-By: Claude <noreply@anthropic.com>
src/views/ contained a single Vuexy-template file
(views/pages/authentication/AuthProvider.vue) with zero importers
in the repo. Vendored dead code from the original Vuexy template;
the §4.2 post-consolidation target layout drops views/ entirely.
Removed:
- apps/app/src/views/ (recursive)
- 'src/views/**' line from boundaries/ignore in .eslintrc.cjs
Closes TECH-DELETE-DEAD-VIEWS.
Co-Authored-By: Claude <noreply@anthropic.com>
apps/admin/ was removed in April 2026 (admin SPA merged into apps/app/
under /platform/*). Cursor's ESLint extension silently skipped the
missing directory, but the dead config entry caused confusion when
debugging extension activation issues.
Closes TECH-VSCODE-STALE-ADMIN-ENTRY.
Co-Authored-By: Claude <noreply@anthropic.com>
WS-3 session 1c — Phase B Q1=B-revised (Bert's call after the
plugin-reality discovery).
eslint-plugin-boundaries treats both static `import` and dynamic
`await import(...)` as boundary edges. The original Q1=B mechanism
("convert static→dynamic to satisfy the rule") doesn't actually
satisfy the rule — all 4 store accesses in lib/axios.ts trip
boundaries/element-types: lines 3, 4 (static, pre-1c) and lines
61, 72 (dynamic, from 1b-iii).
Three options were on the table; Bert chose B-revised:
- A-reversal (allow lib→stores in matrix) was rejected because it
permanently loosens the boundary for 4 imports — exactly the
silent exception the zero-compromise principle forbids.
- B-extract (decouple axios.ts from stores via callback-injection)
is real architectural work and deserves a focused session, not
the tail-end of a tooling sprint. Filed as TECH-AXIOS-STORE-
COUPLING in the next docs commit; the four sites carry per-line
TODO references to it.
- B-revised (this commit) preserves the strict matrix:
boundaries/element-types stays at 'error' globally; the four
axios.ts sites are explicit per-line exceptions, not a rule
loosening. Future lib/X.ts writers still hit the wall.
Behavior unchanged. Only lint visibility changed — 4 disable
comments added at:
- src/lib/axios.ts:3 (static useNotificationStore import)
- src/lib/axios.ts:5 (static useOrganisationStore import; was line 4)
- src/lib/axios.ts:63 (dynamic useImpersonationStore await import; was line 61)
- src/lib/axios.ts:75 (dynamic useAuthStore await import; was line 72)
Each comment is exactly:
// eslint-disable-next-line boundaries/element-types -- TECH-AXIOS-STORE-COUPLING: deliberate HTTP↔state seam, refactor scheduled per backlog.
Commit verb is `chore` not `refactor` per Bert: the code's behavior
doesn't change, only its lint-visibility does. Honest naming.
Tests + typecheck + build verified green:
- apps/app vitest: 49 passed
- apps/app vue-tsc: clean
- apps/app pnpm build: succeeded in 11.24s
Lint baseline: 4 → 0 errors. WS-3 1c acceptance criterion satisfied.
Co-Authored-By: Claude <noreply@anthropic.com>
Adds 'boundaries' to plugins, the layered-architecture matrix to
rules, and the boundaries/elements + boundaries/ignore + boundaries/
include settings per the WS-3 1c audit (Phase A:
dev-docs/WS-3-SESSION-1C-AUDIT.md). Phase B sign-off (Bert):
- Q1=B — `lib → stores` is DISALLOWED in the matrix; lib/axios.ts is
refactored in the next commit.
- Q2 — src/views/** added to boundaries/ignore (dead Vuexy file;
TECH-DELETE-DEAD-VIEWS backlog item lands with the docs commit).
- Q3 — `navigation` allowed to import `types`, `utils` (forward
headroom).
- Q4 — sub-zone enforcement deferred to TECH-WS3-BOUNDARIES-SUBZONES
(lands when WS-3 PR-B brings the §4.2 components/{organizer,portal,
shared} + pages/{(auth),portal,…} structure).
Forward-flag carried into the inline comment: when src/plugins/1.router/
migrates to a top-level src/router/ in a later WS-3 PR, add a
{ type: 'router', pattern: 'src/router/**' } element and a
{ from: 'router', allow: ['types','utils','lib','plugins','stores'] }
rule. Doc-side flag also lands in the ARCH-CONSOLIDATION 1c entry.
Boundaries plugin v6 emits a deprecation warning that the
'element-types' selector format is legacy (v5 syntax); the rule
still works on v5-compatible config and migrating to v6 object-
selector syntax is out of scope per the prompt's "only the two
.eslintrc.cjs changes listed are permitted" constraint. Filing a
TECH-BOUNDARIES-V6-SELECTOR-MIGRATION backlog item (in the docs
commit) so the migration happens deliberately.
Lint count after this commit: 4 errors, all in lib/axios.ts (lines
3, 4, 61, 72 — the 2 static + 2 dynamic store imports). The plugin
treats both static AND dynamic `await import('@/stores/...')` as
boundary edges; this is a deliberate intermediate state. The next
commit (refactor) resolves all 4 to land at lint = 0.
Tests + typecheck verified green (boundary errors are lint-only).
Co-Authored-By: Claude <noreply@anthropic.com>
Adds eslint-plugin-boundaries@6.0.2 (MIT, peerDeps eslint>=6,
engines node>=18.18) as a direct devDep in apps/app/package.json,
matching the exact-pin style of the other 14 eslint-plugin-* deps.
Direct dep — not hoisted transitive — per the
TECH-PORTAL-ESLINT-DEPS lesson (Cursor's ESLint extension uses
strict module resolution and silently fails on plugins reachable
only via pnpm hoisting).
Plugin not yet enabled in .eslintrc.cjs; enabling lands in the next
commit per WS-3 1c sequence (audit Phase A → install → enable →
refactor axios.ts → docs).
Tests + typecheck verified green post-install.
Co-Authored-By: Claude <noreply@anthropic.com>
Phase A deliverable per the WS-3 1c session prompt. Read-only audit
establishing the proposed eslint-plugin-boundaries matrix from
filesystem evidence in apps/app/src/.
Findings summary:
- 14 zones inventoried; views/ contains a single dead Vuexy file
(zero importers) and is recommended for ignore alongside @core/@layouts.
- Proposed matrix refines the prompt's starting-point with three
evidence-based additions:
* composables → stores (2 actual usages: api composables read auth)
* plugins → stores (1 actual usage: router guards read auth + org)
* pages → layouts (forward-compat with §4.2 route-meta layout binding)
- Forward-compat verified vs ARCH-CONSOLIDATION-2026-04.md §4.2
sub-zones — all resolve cleanly under the proposed pattern set.
- Plugin: eslint-plugin-boundaries@6.0.2, MIT, peerDeps eslint>=6
(compatible with v8.57.1), as direct devDep per TECH-PORTAL-ESLINT-DEPS.
- Estimated violation count: 0 if Q1=yes (allow lib→stores), 2 if Q1=no.
Four open questions for Bert before Phase B sign-off:
- Q1 lib→stores: allow/refactor/extract-seam? (recommendation: allow)
- Q2 views/ ignored: confirm
- Q3 navigation imports scope: keep types+utils as headroom?
- Q4 sub-zone enforcement = backlog (TECH-WS3-BOUNDARIES-SUBZONES)?
No .eslintrc.cjs or package.json edits in this commit. STOP at Phase B
per the prompt — Phase C executes only after Bert's sign-off in chat.
Co-Authored-By: Claude <noreply@anthropic.com>
- TECH-PORTAL-ESLINT-DEPS: audit apps/portal/package.json on the
same missing-direct-deps pattern uncovered in apps/app (commit
4369806). Cursor's strict ESLint resolution will hit identical
issues for portal users until fixed.
- TECH-ESLINT-V9-MIGRATION: ESLint v8.57.1 is EOL since end-2024.
Migration to v9 + flat config + modern @antfu/eslint-config is a
dedicated 1-2 day workstream.
- TECH-VSCODE-STALE-ADMIN-ENTRY: .vscode/settings.json still
references apps/admin in eslint.workingDirectories; removed in
April 2026. Trivial cleanup.
Surfaced during WS-3 1c-prep follow-up: Cursor's ESLint extension uses
strict module resolution and crashed on every plugin in the
@antfu/eslint-config-vue extends-chain that was only resolvable via
pnpm-hoisting in terminal.
Direct deps added (versions match what was already in pnpm store —
zero version shifts):
- 12 unscoped ESLint plugins (eslint-plugin-{antfu,es-x,html,i,jest,
jsdoc,jsonc,markdown,n,no-only-tests,unused-imports,yml,
eslint-comments})
- vue-eslint-parser
- @antfu/eslint-config-basic + @antfu/eslint-config-ts (extends targets)
- @stylistic/eslint-plugin-js + @stylistic/eslint-plugin-ts
.vscode/settings.json: removed redundant root-level
editor.defaultFormatter (per-language overrides do the job).
ESLint extension now activates correctly, server runs, save-on-format
works for TS/Vue files. Verified via smoke test: double quote in
useImpersonationStore.ts:1 was auto-corrected to single quote on Cmd+S.
Note: package.json declares some deprecated dependencies that pnpm
warns about (@antfu/eslint-config-vue@0.43.1, eslint@8.57.1,
eslint-plugin-i@2.28.1, eslint-plugin-markdown@3.0.1). Those are
pre-existing — not introduced here. Migration to ESLint v9 + flat
config + @antfu/eslint-config (modern) is a separate workstream.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Disables Prettier in Cursor / VSCode. ESLint via dbaeumer.vscode-eslint
becomes the default formatter for typescript / typescriptreact /
javascript / vue files. Save-on-format runs eslint --fix on the file.
Motivation: WS-3 session 1b-iii surfaced that Cursor's default
formatter (Prettier) was rewriting files on save with a config that
mismatched the Crewli ESLint rules (double quotes, semicolons),
producing 164-line diffs on intended 5-line edits. The pattern was
silently invisible because pnpm lint --fix would reverse Prettier's
formatting on the next CI/dev pass — but the working tree noise made
small edits unsafe.
This commit:
- Updates .vscode/settings.json: editor.defaultFormatter is now
dbaeumer.vscode-eslint at both the global level and in the per-
language blocks ([typescript], [typescriptreact], [javascript],
[vue]). Adds eslint.format.enable, eslint.validate, and
source.fixAll.eslint to codeActionsOnSave. Sets prettier.enable
to false explicitly. Preserves pre-existing settings unchanged
(PHP block, editor.tabSize, typescript.preferences,
files.associations, search.exclude, eslint.workingDirectories).
- Documents the choice in .cursorrules under a new ## Formatter
section.
The prior [vue] formatter was Vue.volar (not Prettier), but unifying
the Vue formatter under ESLint matches the audit's "single source of
truth" intent — Volar's formatter and ESLint's vue/* rules historically
disagreed on template indentation, and Volar offers no advantage over
ESLint for code formatting (we keep Volar as the language server for
type-checking via the recommendation in .vscode/extensions.json).
.gitignore did not need updating — .vscode/ was already not ignored
and the existing settings.json was already tracked.
No changes to package.json, pnpm-lock.yaml, .eslintrc.cjs, or any
source files. Engineers using Cursor / VSCode need the
dbaeumer.vscode-eslint extension installed (already present in
.vscode/extensions.json's recommendations).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii follow-up — sonarjs/no-collapsible-if.
useImpersonationStore.ts:103: collapsed nested 'if (state.value)'
into the parent 'else if (data.data.session)' clause. Both legs
are AND-conditions on the same path, so the merge is semantically
identical. Brings the apps/app lint baseline to 0 problems.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ARCH-CONSOLIDATION-2026-04.md §6.8: session 1b-iii recorded. Three
restpunten from 1b-ii resolved:
- indent SwitchCase: 1 (24 items in useTimeSlotDropdown.ts)
- lines-around-comment per-*.vue override (3 items in
PortalLayout/PublicLayout/AppKpiCard)
- axios.ts async/await rewrite (2 promise/no-promise-in-callback
warnings on lines 61, 73)
Lint baseline: 32 → 1. The remaining 1 item is a pre-existing
sonarjs/no-collapsible-if at useImpersonationStore.ts:103 — was
already in the 32 baseline (not specifically called out in 1b-iii's
three planned tasks per scope rules).
WS-3 lint cleanup workstream complete; session 1c
(eslint-plugin-boundaries) can proceed on a clean baseline.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii Task 3.
Rewrites the response-interceptor error handler from
\`error => { ... void import(...).then(...) }\` to
\`async error => { ... await import(...) }\`.
Motivation: session 1b-ii's Q4 chose option-a (\`void\` prefix on
the dynamic-import chains), but empirically that doesn't satisfy
the promise/no-promise-in-callback rule — the rule fires on any
promise creation inside a callback, regardless of discard pattern.
Two warnings remained on lib/axios.ts:61, 73.
The async/await rewrite is semantically identical:
- Both call sites already end in window.location.href = ... which
navigates away, so the few ms of \`await\` resolution latency is
unobservable.
- The original return Promise.reject(error) becomes throw error in
an async function (async wraps throws in rejected promises).
Verified preserved byte-for-byte:
- 403 + impersonation_ended branch: clearState + redirect to /platform
+ rejection (now via throw)
- 401 branch: handleUnauthorized when authStore.isInitialized
- 403 / 404 / 422 / 503 / 5xx / !response notification branches
(untouched in diff — all still in same order, same messages)
- Final rejection so calling code's catch fires (now via throw)
- Request interceptor not touched
- No imports added or removed
Tests + typecheck verified green. Build smoke: pnpm build succeeded
in 11.13s, zero warnings.
Lint baseline: 3 → 1 (the 2 promise/no-promise-in-callback warnings
on axios.ts:61, 73 are gone). The remaining 1 item is a pre-existing
sonarjs/no-collapsible-if at useImpersonationStore.ts:103 — see the
1b-iii final report.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii Task 2.
In Vue SFCs, the lines-around-comment rule conflicted with
vue/block-tag-newline at the <script setup>/comment boundary:
- lines-around-comment wants a blank line BEFORE the comment.
- vue/block-tag-newline wants exactly 1 line break after <script>.
Both can't be satisfied simultaneously when a script-block opens with
a leading comment. The session 1b-ii experiment (adding then reverting
blank lines) confirmed empirically these are mutually exclusive.
Resolution: per-*.vue override on lines-around-comment with
beforeBlockComment: false and beforeLineComment: false. Vue SFC
script blocks may now open with a leading comment without requiring
a preceding blank line. The base rule's allowBlockStart: true does
not help here because the <script> tag is not a JS block-start as
far as the AST sees it. All other rule options preserved
(allowBlockStart, allowClassStart, allowObjectStart, allowArrayStart,
ignorePattern: !SECTION).
Resolves the 3 items in PortalLayout.vue, PublicLayout.vue,
AppKpiCard.vue. Base rule remains in force for *.ts files.
Lint baseline: 6 → 3.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii Task 1.
Codebase consistently uses SwitchCase: 1 (cases indented 2 spaces from
switch keyword), but the eslint rule was running with default
SwitchCase: 0 (cases at the same column as switch). This produced 24
unfixable indent items in useTimeSlotDropdown.ts (and 0 in other
files because they didn't have switch statements with this pattern).
Resolution: pass { SwitchCase: 1 } to the indent rule's options so
its expectation matches the codebase reality. The autofix would
reformat the codebase to match the default if SwitchCase: 0 were
correct, but our codebase deliberately uses 1 — this is the
zero-compromise path, no codebase rewrite needed.
Lint baseline: 32 → 6 (Task 1 alone).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 5b+c (audit Bucket E.2-E.5 — 6 items resolved,
2 promise/no-promise-in-callback warnings remain on dynamic-import
sites — see deviations).
This commit is split out from the originally-planned grouped Task 5
because the API stream timed out mid-session. E.1 (isAxiosError) is in
the preceding commit 0f155d9.
E.2 — vitest spec to Composition API (1× vue/component-api-style):
- useFormFailures.spec.ts: rewrote the test wrapper from
\`{ setup() { return { result } }, render: () => h('div') }\`
to \`setup(_, { expose }) { expose({ result }); return () => h('div') }\`.
Pure Composition API: setup returns the render function; expose()
declares the instance-visible \`result\` that the 7 \`vm.result.*\`
assertions consume. Tests still pass green (49 tests).
E.3 — REAL BUG: missing return in computed (1× vue/return-in-computed-property):
- useTimeSlotDropdown.ts:80: the \`fetchParams\` computed had a switch
over the \`DropdownScenario\` type (4 string-literal cases) without
a \`default\` branch. If \`scenario.value\` ever returned a value
outside the four narrowed cases (e.g. via a future type-assertion
drift), the computed silently returned \`undefined\`, and the
consumer code (\`fetchParams.value.includeParent\`) would throw
\`Cannot read property 'includeParent' of undefined\`. Added a
\`default\` branch returning \`{ includeParent: false, includeChildren: false }\`
— same as the 'flat' case (the safest baseline: include only own
slots, no hierarchy).
E.4 — SECURITY (1× vue/no-template-target-blank):
- pages/organisation/index.vue:343: the external website anchor had
\`target='_blank'\` with \`rel='noopener'\` (only one). The rule
requires the full \`rel='noopener noreferrer'\` pair. Updated.
Mitigates reverse-tabnabbing (window.opener) AND referrer-leakage
to the linked third-party site.
E.5 — axios fire-and-forget (3× promise/no-promise-in-callback,
1 fully resolved + 2 warnings remain):
- lib/axios.ts:42: changed \`error => Promise.reject(error)\` to
\`async error => { throw error }\`. Semantically identical (axios
interceptor onRejected returns a rejected promise either way) and
satisfies the lint rule.
- lib/axios.ts:61, 73: prefixed the dynamic-import chains with \`void\`
per Q4's option-a decision (\`void import('@/stores/...').then(...)\`).
This makes the discard intent explicit, but empirically does NOT
satisfy promise/no-promise-in-callback — the rule fires on any
promise creation inside a callback, regardless of the discard
pattern. The 2 warnings remain in the post-Task-5 baseline.
Resolution path is Bert's call: either keep \`void\` and accept
the warnings as documentation, or rewrite to \`async error => {
const { useStore } = await import(...); ... }\` which sequentializes
the dynamic-import resolution with the rejection. Out of scope for
this session per the literal Q4 recipe.
Tests + typecheck verified green.
Lint baseline: 34 → 32.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 5a (audit Bucket E.1 — 2 items).
EventTabsNav.vue:
- Replaced \`import axios from 'axios'\` with
\`import { isAxiosError } from 'axios'\` (no other axios.* usage in
the file).
- Updated both call sites: \`axios.isAxiosError(...)\` → \`isAxiosError(...)\`
on lines 53 and 76.
Modern axios pattern; resolves the import/no-named-as-default-member
warnings flagged in the WS-3 1b-i audit. No behaviour change — the
named export is the same function.
Note: this commit is split out from the originally-planned grouped
Task 5 commit because the API stream timed out mid-task. E.2-E.5
follow in subsequent commits.
Tests + typecheck verified green.
Lint baseline: 36 → 34.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 3 (audit Bucket B — 34 items: 21 absorbed
via ignorePatterns + 14 real fixes; the count of 21 is the actual
non-Tier-3 lint-count drop from the .eslintrc edit, slightly above
the audit's predicted 20 because additional vendored-Vuexy items
beyond the 23 no-explicit-any landed in those paths too).
Config:
- .eslintrc.cjs: add src/@core/** and src/@layouts/** to ignorePatterns.
Vendored Vuexy code, precedent: src/plugins/iconify/*.js. The
CLAUDE.md no-any rule remains in force for our own code under src/.
Real type-safety fixes:
- B.1 ref<any> in our code (3 occurrences):
* blank.vue / default.vue: AppLoadingIndicator template ref now
typed as InstanceType<typeof AppLoadingIndicator> | null. Picks
up the defineExpose'd fallbackHandle / resolveHandle methods.
* NavSearchBar.vue:109: useApi<any>(...) → useApi<SearchResults[]>(...)
matching the existing searchResult ref type.
- B.2 ShiftDetailPanel.vue: moved the Cancel-dialog ref declarations
(isCancelDialogOpen, cancellingAssignment) from line 305-307 to
line 248 — directly above the onCancel handler that uses them.
Resolves all 7 no-use-before-define items in one move. Same-file,
no logic change.
- B.3 useImpersonationStore.ts:119: renamed inner 'stored' to
'storedSnapshot' to resolve shadowing of the outer 'stored' on
line 18.
- B.4 useFormSchemas.ts:97-99: renamed local mutationFn parameter
'confirmed_name' to camelCase 'confirmedName'. Wire-format key
stays snake_case via destructure-alias:
params: confirmedName ? { confirmed_name: confirmedName } : undefined
No callers found in apps/app/src — safe rename.
Tests + typecheck verified green.
Lint baseline: 97 → 62.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 1.
Splits the apps/app lint script:
- \`pnpm lint\` → no-fix; reports problems (used in CI, in audits).
- \`pnpm lint:fix\` → --fix; explicit autofix on demand.
Resolves the cause of the WS-3 1b-i pre-flight confusion: when 'pnpm
lint' silently ran --fix, ad-hoc invocations reported the post-fix
remainder as if it were the baseline (the wrong '105' number that
broke session 1b-i's first attempt).
No code changes. Behaviour change is opt-in per script invocation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ARCH-CONSOLIDATION-2026-04.md §6.8: session 1b-i recorded.
Risk-tiered eslint --fix pass (Tier 1 + Tier 2 + whitespace) reduced
the apps/app baseline from 1451 to 231 problems. Tier 3 config files
deferred to 1b-ii under hand-reviewed conditions.
.claude-sync/ regenerated locally (gitignored — not in this commit).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-i Task 3.
The Tier 1 + Tier 2 autofix passes (curly-brace stripping in
particular) left trailing whitespace on the affected lines. \`git diff
--check\` flagged 1 file with 7 trailing-whitespace lines:
- apps/app/src/layouts/components/DefaultLayoutWithVerticalNav.vue
Used full-file sed strip per the prompt's <30-files decision rule.
Once the trailing whitespace was gone, a follow-up
\`eslint --fix\` on the same file resolved 8 additional cascading
items that the original Tier 1 pass couldn't reach because of
ESLint's default 10-pass cap (curly-strip → exposed-indent →
multi-blank-line cascade). The re-indented body is now consistent
(4/8/6 spaces), no logic touched. This second-pass cleanup is folded
into this commit because it was triggered by — and is only a
mechanical follow-up to — the whitespace strip.
Other Tier 1 / Tier 2 files may have similar pass-cap residue
(161 fixable items remain in the post-Tier-2 baseline). Those are
deferred to session 1b-ii's planned second-pass autofix and are
flagged in the audit report.
Tests + typecheck still green.
Lint baseline progression:
- Pre-Task-3 (post-Tier-2): 246 problems
- Post-Task-3: 231 problems
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
VUEXY_COMPONENTS.md: three new named layouts documented (OrganizerLayout,
PortalLayout, PublicLayout) — listed alongside default/blank with the
"not yet wired to router" status.
ARCH-CONSOLIDATION-2026-04.md: WS-3 §6.8 marked with session 1a progress
(lefthook migration, three layout skeletons, vitest 41 -> 49).
.claude-sync/ regenerated locally (gitignored — not in this commit).
WS-3 session 1a Task 3.
Vitest covers each layout with: (1) it mounts without throwing,
(2) it renders the expected DOM structure (top-bar/main/footer for
PortalLayout, none for PublicLayout, slot-passthrough for
OrganizerLayout), (3) it places <RouterView /> in the right region.
Vuetify components (VApp/VAppBar/VMain/VFooter) are stubbed to their
semantic HTML equivalents so the structural assertions still hold
without pulling vuetify/components into the trimmed-down vitest
config (which lacks the CSS plugin needed to transform Vuetify's
.css side effects). OrganizerLayout uses vi.mock to short-circuit
the DefaultLayoutWithVerticalNav import for the same reason.
Vitest count: 41 -> 49 in apps/app.
WS-3 session 1a Task 2.
Three layout skeletons added to apps/app/src/layouts/. They are NOT
yet referenced by the router — that wiring is a later session.
- OrganizerLayout: thin wrapper around DefaultLayoutWithVerticalNav,
visually identical to default.vue. Provides a semantically named
target for future router meta:layout='OrganizerLayout'.
- PortalLayout: scaffold for volunteer/crew portal experience.
Top bar + main + footer regions, no content yet.
- PublicLayout: minimal centered viewport for unauthenticated pages
(login, password-reset, public form viewer).
default.vue and blank.vue are unchanged and remain the active layouts
referenced by the router. Their replacement happens in the router
consolidation session.
Refs: ARCH-CONSOLIDATION-2026-04.md §4 + §6.8.
WS-3 session 1a Task 1.
Lefthook installed as root dev-dependency with postinstall = lefthook
install. The two hand-rolled scripts in .githooks/ (post-commit,
pre-push) are dispatched 1:1 from lefthook.yml: each lefthook command
shells out to the existing .githooks/<hook> script. The script bodies
are kept as the source of truth because the bash logic (merge-commit
detection, .claude-sync.conf parsing, non-blocking pre-push warning)
would be lossy to translate into a YAML run: | block.
Active hook path moved from .githooks/ to .git/hooks/ via lefthook
install (core.hooksPath unset, git falls back to its default). The
.githooks/ directory is preserved and now documented as the
implementation invoked by lefthook plus an emergency rollback target
(README added).
Smoke-tested locally: the post-commit hook fires on every commit
(verified by reverted test commit). The pre-push hook fires on every
real push with new commits — manual `lefthook run pre-push` requires
`--force` because lefthook v2 skips when {push_files} is empty (see
lefthook.yml comment).
