Adds 'boundaries' to plugins, the layered-architecture matrix to
rules, and the boundaries/elements + boundaries/ignore + boundaries/
include settings per the WS-3 1c audit (Phase A:
dev-docs/WS-3-SESSION-1C-AUDIT.md). Phase B sign-off (Bert):
- Q1=B — `lib → stores` is DISALLOWED in the matrix; lib/axios.ts is
refactored in the next commit.
- Q2 — src/views/** added to boundaries/ignore (dead Vuexy file;
TECH-DELETE-DEAD-VIEWS backlog item lands with the docs commit).
- Q3 — `navigation` allowed to import `types`, `utils` (forward
headroom).
- Q4 — sub-zone enforcement deferred to TECH-WS3-BOUNDARIES-SUBZONES
(lands when WS-3 PR-B brings the §4.2 components/{organizer,portal,
shared} + pages/{(auth),portal,…} structure).
Forward-flag carried into the inline comment: when src/plugins/1.router/
migrates to a top-level src/router/ in a later WS-3 PR, add a
{ type: 'router', pattern: 'src/router/**' } element and a
{ from: 'router', allow: ['types','utils','lib','plugins','stores'] }
rule. Doc-side flag also lands in the ARCH-CONSOLIDATION 1c entry.
Boundaries plugin v6 emits a deprecation warning that the
'element-types' selector format is legacy (v5 syntax); the rule
still works on v5-compatible config and migrating to v6 object-
selector syntax is out of scope per the prompt's "only the two
.eslintrc.cjs changes listed are permitted" constraint. Filing a
TECH-BOUNDARIES-V6-SELECTOR-MIGRATION backlog item (in the docs
commit) so the migration happens deliberately.
Lint count after this commit: 4 errors, all in lib/axios.ts (lines
3, 4, 61, 72 — the 2 static + 2 dynamic store imports). The plugin
treats both static AND dynamic `await import('@/stores/...')` as
boundary edges; this is a deliberate intermediate state. The next
commit (refactor) resolves all 4 to land at lint = 0.
Tests + typecheck verified green (boundary errors are lint-only).
Co-Authored-By: Claude <noreply@anthropic.com>
Adds eslint-plugin-boundaries@6.0.2 (MIT, peerDeps eslint>=6,
engines node>=18.18) as a direct devDep in apps/app/package.json,
matching the exact-pin style of the other 14 eslint-plugin-* deps.
Direct dep — not hoisted transitive — per the
TECH-PORTAL-ESLINT-DEPS lesson (Cursor's ESLint extension uses
strict module resolution and silently fails on plugins reachable
only via pnpm hoisting).
Plugin not yet enabled in .eslintrc.cjs; enabling lands in the next
commit per WS-3 1c sequence (audit Phase A → install → enable →
refactor axios.ts → docs).
Tests + typecheck verified green post-install.
Co-Authored-By: Claude <noreply@anthropic.com>
Phase A deliverable per the WS-3 1c session prompt. Read-only audit
establishing the proposed eslint-plugin-boundaries matrix from
filesystem evidence in apps/app/src/.
Findings summary:
- 14 zones inventoried; views/ contains a single dead Vuexy file
(zero importers) and is recommended for ignore alongside @core/@layouts.
- Proposed matrix refines the prompt's starting-point with three
evidence-based additions:
* composables → stores (2 actual usages: api composables read auth)
* plugins → stores (1 actual usage: router guards read auth + org)
* pages → layouts (forward-compat with §4.2 route-meta layout binding)
- Forward-compat verified vs ARCH-CONSOLIDATION-2026-04.md §4.2
sub-zones — all resolve cleanly under the proposed pattern set.
- Plugin: eslint-plugin-boundaries@6.0.2, MIT, peerDeps eslint>=6
(compatible with v8.57.1), as direct devDep per TECH-PORTAL-ESLINT-DEPS.
- Estimated violation count: 0 if Q1=yes (allow lib→stores), 2 if Q1=no.
Four open questions for Bert before Phase B sign-off:
- Q1 lib→stores: allow/refactor/extract-seam? (recommendation: allow)
- Q2 views/ ignored: confirm
- Q3 navigation imports scope: keep types+utils as headroom?
- Q4 sub-zone enforcement = backlog (TECH-WS3-BOUNDARIES-SUBZONES)?
No .eslintrc.cjs or package.json edits in this commit. STOP at Phase B
per the prompt — Phase C executes only after Bert's sign-off in chat.
Co-Authored-By: Claude <noreply@anthropic.com>
- TECH-PORTAL-ESLINT-DEPS: audit apps/portal/package.json on the
same missing-direct-deps pattern uncovered in apps/app (commit
4369806). Cursor's strict ESLint resolution will hit identical
issues for portal users until fixed.
- TECH-ESLINT-V9-MIGRATION: ESLint v8.57.1 is EOL since end-2024.
Migration to v9 + flat config + modern @antfu/eslint-config is a
dedicated 1-2 day workstream.
- TECH-VSCODE-STALE-ADMIN-ENTRY: .vscode/settings.json still
references apps/admin in eslint.workingDirectories; removed in
April 2026. Trivial cleanup.
Surfaced during WS-3 1c-prep follow-up: Cursor's ESLint extension uses
strict module resolution and crashed on every plugin in the
@antfu/eslint-config-vue extends-chain that was only resolvable via
pnpm-hoisting in terminal.
Direct deps added (versions match what was already in pnpm store —
zero version shifts):
- 12 unscoped ESLint plugins (eslint-plugin-{antfu,es-x,html,i,jest,
jsdoc,jsonc,markdown,n,no-only-tests,unused-imports,yml,
eslint-comments})
- vue-eslint-parser
- @antfu/eslint-config-basic + @antfu/eslint-config-ts (extends targets)
- @stylistic/eslint-plugin-js + @stylistic/eslint-plugin-ts
.vscode/settings.json: removed redundant root-level
editor.defaultFormatter (per-language overrides do the job).
ESLint extension now activates correctly, server runs, save-on-format
works for TS/Vue files. Verified via smoke test: double quote in
useImpersonationStore.ts:1 was auto-corrected to single quote on Cmd+S.
Note: package.json declares some deprecated dependencies that pnpm
warns about (@antfu/eslint-config-vue@0.43.1, eslint@8.57.1,
eslint-plugin-i@2.28.1, eslint-plugin-markdown@3.0.1). Those are
pre-existing — not introduced here. Migration to ESLint v9 + flat
config + @antfu/eslint-config (modern) is a separate workstream.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Disables Prettier in Cursor / VSCode. ESLint via dbaeumer.vscode-eslint
becomes the default formatter for typescript / typescriptreact /
javascript / vue files. Save-on-format runs eslint --fix on the file.
Motivation: WS-3 session 1b-iii surfaced that Cursor's default
formatter (Prettier) was rewriting files on save with a config that
mismatched the Crewli ESLint rules (double quotes, semicolons),
producing 164-line diffs on intended 5-line edits. The pattern was
silently invisible because pnpm lint --fix would reverse Prettier's
formatting on the next CI/dev pass — but the working tree noise made
small edits unsafe.
This commit:
- Updates .vscode/settings.json: editor.defaultFormatter is now
dbaeumer.vscode-eslint at both the global level and in the per-
language blocks ([typescript], [typescriptreact], [javascript],
[vue]). Adds eslint.format.enable, eslint.validate, and
source.fixAll.eslint to codeActionsOnSave. Sets prettier.enable
to false explicitly. Preserves pre-existing settings unchanged
(PHP block, editor.tabSize, typescript.preferences,
files.associations, search.exclude, eslint.workingDirectories).
- Documents the choice in .cursorrules under a new ## Formatter
section.
The prior [vue] formatter was Vue.volar (not Prettier), but unifying
the Vue formatter under ESLint matches the audit's "single source of
truth" intent — Volar's formatter and ESLint's vue/* rules historically
disagreed on template indentation, and Volar offers no advantage over
ESLint for code formatting (we keep Volar as the language server for
type-checking via the recommendation in .vscode/extensions.json).
.gitignore did not need updating — .vscode/ was already not ignored
and the existing settings.json was already tracked.
No changes to package.json, pnpm-lock.yaml, .eslintrc.cjs, or any
source files. Engineers using Cursor / VSCode need the
dbaeumer.vscode-eslint extension installed (already present in
.vscode/extensions.json's recommendations).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii follow-up — sonarjs/no-collapsible-if.
useImpersonationStore.ts:103: collapsed nested 'if (state.value)'
into the parent 'else if (data.data.session)' clause. Both legs
are AND-conditions on the same path, so the merge is semantically
identical. Brings the apps/app lint baseline to 0 problems.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ARCH-CONSOLIDATION-2026-04.md §6.8: session 1b-iii recorded. Three
restpunten from 1b-ii resolved:
- indent SwitchCase: 1 (24 items in useTimeSlotDropdown.ts)
- lines-around-comment per-*.vue override (3 items in
PortalLayout/PublicLayout/AppKpiCard)
- axios.ts async/await rewrite (2 promise/no-promise-in-callback
warnings on lines 61, 73)
Lint baseline: 32 → 1. The remaining 1 item is a pre-existing
sonarjs/no-collapsible-if at useImpersonationStore.ts:103 — was
already in the 32 baseline (not specifically called out in 1b-iii's
three planned tasks per scope rules).
WS-3 lint cleanup workstream complete; session 1c
(eslint-plugin-boundaries) can proceed on a clean baseline.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii Task 3.
Rewrites the response-interceptor error handler from
\`error => { ... void import(...).then(...) }\` to
\`async error => { ... await import(...) }\`.
Motivation: session 1b-ii's Q4 chose option-a (\`void\` prefix on
the dynamic-import chains), but empirically that doesn't satisfy
the promise/no-promise-in-callback rule — the rule fires on any
promise creation inside a callback, regardless of discard pattern.
Two warnings remained on lib/axios.ts:61, 73.
The async/await rewrite is semantically identical:
- Both call sites already end in window.location.href = ... which
navigates away, so the few ms of \`await\` resolution latency is
unobservable.
- The original return Promise.reject(error) becomes throw error in
an async function (async wraps throws in rejected promises).
Verified preserved byte-for-byte:
- 403 + impersonation_ended branch: clearState + redirect to /platform
+ rejection (now via throw)
- 401 branch: handleUnauthorized when authStore.isInitialized
- 403 / 404 / 422 / 503 / 5xx / !response notification branches
(untouched in diff — all still in same order, same messages)
- Final rejection so calling code's catch fires (now via throw)
- Request interceptor not touched
- No imports added or removed
Tests + typecheck verified green. Build smoke: pnpm build succeeded
in 11.13s, zero warnings.
Lint baseline: 3 → 1 (the 2 promise/no-promise-in-callback warnings
on axios.ts:61, 73 are gone). The remaining 1 item is a pre-existing
sonarjs/no-collapsible-if at useImpersonationStore.ts:103 — see the
1b-iii final report.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii Task 2.
In Vue SFCs, the lines-around-comment rule conflicted with
vue/block-tag-newline at the <script setup>/comment boundary:
- lines-around-comment wants a blank line BEFORE the comment.
- vue/block-tag-newline wants exactly 1 line break after <script>.
Both can't be satisfied simultaneously when a script-block opens with
a leading comment. The session 1b-ii experiment (adding then reverting
blank lines) confirmed empirically these are mutually exclusive.
Resolution: per-*.vue override on lines-around-comment with
beforeBlockComment: false and beforeLineComment: false. Vue SFC
script blocks may now open with a leading comment without requiring
a preceding blank line. The base rule's allowBlockStart: true does
not help here because the <script> tag is not a JS block-start as
far as the AST sees it. All other rule options preserved
(allowBlockStart, allowClassStart, allowObjectStart, allowArrayStart,
ignorePattern: !SECTION).
Resolves the 3 items in PortalLayout.vue, PublicLayout.vue,
AppKpiCard.vue. Base rule remains in force for *.ts files.
Lint baseline: 6 → 3.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-iii Task 1.
Codebase consistently uses SwitchCase: 1 (cases indented 2 spaces from
switch keyword), but the eslint rule was running with default
SwitchCase: 0 (cases at the same column as switch). This produced 24
unfixable indent items in useTimeSlotDropdown.ts (and 0 in other
files because they didn't have switch statements with this pattern).
Resolution: pass { SwitchCase: 1 } to the indent rule's options so
its expectation matches the codebase reality. The autofix would
reformat the codebase to match the default if SwitchCase: 0 were
correct, but our codebase deliberately uses 1 — this is the
zero-compromise path, no codebase rewrite needed.
Lint baseline: 32 → 6 (Task 1 alone).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 5b+c (audit Bucket E.2-E.5 — 6 items resolved,
2 promise/no-promise-in-callback warnings remain on dynamic-import
sites — see deviations).
This commit is split out from the originally-planned grouped Task 5
because the API stream timed out mid-session. E.1 (isAxiosError) is in
the preceding commit 0f155d9.
E.2 — vitest spec to Composition API (1× vue/component-api-style):
- useFormFailures.spec.ts: rewrote the test wrapper from
\`{ setup() { return { result } }, render: () => h('div') }\`
to \`setup(_, { expose }) { expose({ result }); return () => h('div') }\`.
Pure Composition API: setup returns the render function; expose()
declares the instance-visible \`result\` that the 7 \`vm.result.*\`
assertions consume. Tests still pass green (49 tests).
E.3 — REAL BUG: missing return in computed (1× vue/return-in-computed-property):
- useTimeSlotDropdown.ts:80: the \`fetchParams\` computed had a switch
over the \`DropdownScenario\` type (4 string-literal cases) without
a \`default\` branch. If \`scenario.value\` ever returned a value
outside the four narrowed cases (e.g. via a future type-assertion
drift), the computed silently returned \`undefined\`, and the
consumer code (\`fetchParams.value.includeParent\`) would throw
\`Cannot read property 'includeParent' of undefined\`. Added a
\`default\` branch returning \`{ includeParent: false, includeChildren: false }\`
— same as the 'flat' case (the safest baseline: include only own
slots, no hierarchy).
E.4 — SECURITY (1× vue/no-template-target-blank):
- pages/organisation/index.vue:343: the external website anchor had
\`target='_blank'\` with \`rel='noopener'\` (only one). The rule
requires the full \`rel='noopener noreferrer'\` pair. Updated.
Mitigates reverse-tabnabbing (window.opener) AND referrer-leakage
to the linked third-party site.
E.5 — axios fire-and-forget (3× promise/no-promise-in-callback,
1 fully resolved + 2 warnings remain):
- lib/axios.ts:42: changed \`error => Promise.reject(error)\` to
\`async error => { throw error }\`. Semantically identical (axios
interceptor onRejected returns a rejected promise either way) and
satisfies the lint rule.
- lib/axios.ts:61, 73: prefixed the dynamic-import chains with \`void\`
per Q4's option-a decision (\`void import('@/stores/...').then(...)\`).
This makes the discard intent explicit, but empirically does NOT
satisfy promise/no-promise-in-callback — the rule fires on any
promise creation inside a callback, regardless of the discard
pattern. The 2 warnings remain in the post-Task-5 baseline.
Resolution path is Bert's call: either keep \`void\` and accept
the warnings as documentation, or rewrite to \`async error => {
const { useStore } = await import(...); ... }\` which sequentializes
the dynamic-import resolution with the rejection. Out of scope for
this session per the literal Q4 recipe.
Tests + typecheck verified green.
Lint baseline: 34 → 32.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 5a (audit Bucket E.1 — 2 items).
EventTabsNav.vue:
- Replaced \`import axios from 'axios'\` with
\`import { isAxiosError } from 'axios'\` (no other axios.* usage in
the file).
- Updated both call sites: \`axios.isAxiosError(...)\` → \`isAxiosError(...)\`
on lines 53 and 76.
Modern axios pattern; resolves the import/no-named-as-default-member
warnings flagged in the WS-3 1b-i audit. No behaviour change — the
named export is the same function.
Note: this commit is split out from the originally-planned grouped
Task 5 commit because the API stream timed out mid-task. E.2-E.5
follow in subsequent commits.
Tests + typecheck verified green.
Lint baseline: 36 → 34.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 3 (audit Bucket B — 34 items: 21 absorbed
via ignorePatterns + 14 real fixes; the count of 21 is the actual
non-Tier-3 lint-count drop from the .eslintrc edit, slightly above
the audit's predicted 20 because additional vendored-Vuexy items
beyond the 23 no-explicit-any landed in those paths too).
Config:
- .eslintrc.cjs: add src/@core/** and src/@layouts/** to ignorePatterns.
Vendored Vuexy code, precedent: src/plugins/iconify/*.js. The
CLAUDE.md no-any rule remains in force for our own code under src/.
Real type-safety fixes:
- B.1 ref<any> in our code (3 occurrences):
* blank.vue / default.vue: AppLoadingIndicator template ref now
typed as InstanceType<typeof AppLoadingIndicator> | null. Picks
up the defineExpose'd fallbackHandle / resolveHandle methods.
* NavSearchBar.vue:109: useApi<any>(...) → useApi<SearchResults[]>(...)
matching the existing searchResult ref type.
- B.2 ShiftDetailPanel.vue: moved the Cancel-dialog ref declarations
(isCancelDialogOpen, cancellingAssignment) from line 305-307 to
line 248 — directly above the onCancel handler that uses them.
Resolves all 7 no-use-before-define items in one move. Same-file,
no logic change.
- B.3 useImpersonationStore.ts:119: renamed inner 'stored' to
'storedSnapshot' to resolve shadowing of the outer 'stored' on
line 18.
- B.4 useFormSchemas.ts:97-99: renamed local mutationFn parameter
'confirmed_name' to camelCase 'confirmedName'. Wire-format key
stays snake_case via destructure-alias:
params: confirmedName ? { confirmed_name: confirmedName } : undefined
No callers found in apps/app/src — safe rename.
Tests + typecheck verified green.
Lint baseline: 97 → 62.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-ii Task 1.
Splits the apps/app lint script:
- \`pnpm lint\` → no-fix; reports problems (used in CI, in audits).
- \`pnpm lint:fix\` → --fix; explicit autofix on demand.
Resolves the cause of the WS-3 1b-i pre-flight confusion: when 'pnpm
lint' silently ran --fix, ad-hoc invocations reported the post-fix
remainder as if it were the baseline (the wrong '105' number that
broke session 1b-i's first attempt).
No code changes. Behaviour change is opt-in per script invocation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ARCH-CONSOLIDATION-2026-04.md §6.8: session 1b-i recorded.
Risk-tiered eslint --fix pass (Tier 1 + Tier 2 + whitespace) reduced
the apps/app baseline from 1451 to 231 problems. Tier 3 config files
deferred to 1b-ii under hand-reviewed conditions.
.claude-sync/ regenerated locally (gitignored — not in this commit).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
WS-3 session 1b-i Task 3.
The Tier 1 + Tier 2 autofix passes (curly-brace stripping in
particular) left trailing whitespace on the affected lines. \`git diff
--check\` flagged 1 file with 7 trailing-whitespace lines:
- apps/app/src/layouts/components/DefaultLayoutWithVerticalNav.vue
Used full-file sed strip per the prompt's <30-files decision rule.
Once the trailing whitespace was gone, a follow-up
\`eslint --fix\` on the same file resolved 8 additional cascading
items that the original Tier 1 pass couldn't reach because of
ESLint's default 10-pass cap (curly-strip → exposed-indent →
multi-blank-line cascade). The re-indented body is now consistent
(4/8/6 spaces), no logic touched. This second-pass cleanup is folded
into this commit because it was triggered by — and is only a
mechanical follow-up to — the whitespace strip.
Other Tier 1 / Tier 2 files may have similar pass-cap residue
(161 fixable items remain in the post-Tier-2 baseline). Those are
deferred to session 1b-ii's planned second-pass autofix and are
flagged in the audit report.
Tests + typecheck still green.
Lint baseline progression:
- Pre-Task-3 (post-Tier-2): 246 problems
- Post-Task-3: 231 problems
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
VUEXY_COMPONENTS.md: three new named layouts documented (OrganizerLayout,
PortalLayout, PublicLayout) — listed alongside default/blank with the
"not yet wired to router" status.
ARCH-CONSOLIDATION-2026-04.md: WS-3 §6.8 marked with session 1a progress
(lefthook migration, three layout skeletons, vitest 41 -> 49).
.claude-sync/ regenerated locally (gitignored — not in this commit).
WS-3 session 1a Task 3.
Vitest covers each layout with: (1) it mounts without throwing,
(2) it renders the expected DOM structure (top-bar/main/footer for
PortalLayout, none for PublicLayout, slot-passthrough for
OrganizerLayout), (3) it places <RouterView /> in the right region.
Vuetify components (VApp/VAppBar/VMain/VFooter) are stubbed to their
semantic HTML equivalents so the structural assertions still hold
without pulling vuetify/components into the trimmed-down vitest
config (which lacks the CSS plugin needed to transform Vuetify's
.css side effects). OrganizerLayout uses vi.mock to short-circuit
the DefaultLayoutWithVerticalNav import for the same reason.
Vitest count: 41 -> 49 in apps/app.
WS-3 session 1a Task 2.
Three layout skeletons added to apps/app/src/layouts/. They are NOT
yet referenced by the router — that wiring is a later session.
- OrganizerLayout: thin wrapper around DefaultLayoutWithVerticalNav,
visually identical to default.vue. Provides a semantically named
target for future router meta:layout='OrganizerLayout'.
- PortalLayout: scaffold for volunteer/crew portal experience.
Top bar + main + footer regions, no content yet.
- PublicLayout: minimal centered viewport for unauthenticated pages
(login, password-reset, public form viewer).
default.vue and blank.vue are unchanged and remain the active layouts
referenced by the router. Their replacement happens in the router
consolidation session.
Refs: ARCH-CONSOLIDATION-2026-04.md §4 + §6.8.
WS-3 session 1a Task 1.
Lefthook installed as root dev-dependency with postinstall = lefthook
install. The two hand-rolled scripts in .githooks/ (post-commit,
pre-push) are dispatched 1:1 from lefthook.yml: each lefthook command
shells out to the existing .githooks/<hook> script. The script bodies
are kept as the source of truth because the bash logic (merge-commit
detection, .claude-sync.conf parsing, non-blocking pre-push warning)
would be lossy to translate into a YAML run: | block.
Active hook path moved from .githooks/ to .git/hooks/ via lefthook
install (core.hooksPath unset, git falls back to its default). The
.githooks/ directory is preserved and now documented as the
implementation invoked by lefthook plus an emergency rollback target
(README added).
Smoke-tested locally: the post-commit hook fires on every commit
(verified by reverted test commit). The pre-push hook fires on every
real push with new commits — manual `lefthook run pre-push` requires
`--force` because lefthook v2 skips when {push_files} is empty (see
lefthook.yml comment).
Reuse AppKpiCard for the four tiles; selection uses borderAccent primary
(bottom stripe) instead of full border-primary outline. Update tests to
register AppKpiCard and stub VAvatar.
Made-with: Cursor
Introduce AppKpiCard for consistent metric layout (icon + value, title,
subtitle row) and default VCard chrome without mixed border-shadow accents.
Use on organisation overview (all primary icons, equal stretch row) and
home dashboard. Regenerate component type declarations.
Made-with: Cursor
- Stretch row + flex column cards so tiles share height
- Form failures: uniform outlined cards; primary border for selection
(replacing elevated vs outlined mismatch)
- Full-width state toggle with flex-grow buttons and wrap to fix overlap
- Responsive KPI columns sm6/lg3 for Form failures
Made-with: Cursor
Closes the four production gaps that emerged from sessie 3b's admin UI.
What we ship here is final: no further rework planned before production.
Backend
- IndexFailuresRequest validates state/search/failed_at_from/failed_at_to/
listener_class. orgIndex + platformIndex apply them via a single
applyIndexFilters() helper. Search runs case-insensitive `LIKE` on
exception_message; SQL wildcards in user input are escaped.
- New /kpis aggregate endpoint per scope (orgKpis, platformKpis) returns
open / resolved_30d / dismissed_30d / total_submissions in O(1) COUNTs.
Replaces sessie 3b's client-side bucketing of an oversized list.
- Resource expansion: organisation_name, form_schema_label,
resolved_by_user_name, dismissed_by_user_name, exception_trace,
retry_history[]. Eager-loading via indexEagerLoads()/detailEagerLoads()
prevents N+1 (verified by query-count assertion in test).
- New 2026_04_28_181000 migration adds exception_trace (longtext nullable)
to form_submission_action_failures. ApplyBindingsOnFormSubmit listener
now captures $e->getTraceAsString() at failure time.
- New FormSubmissionActionFailureRetryAttemptResource exposes per-attempt
data (timestamp, actor name, outcome, exception details) inside
retry_history[]. Index payloads omit the field via whenLoaded() to keep
list responses lean.
Frontend (apps/app)
- Types updated to mirror the expanded resource shape and the new KPI
endpoint contract. FormFailuresKpis is now { open, resolved_30d,
dismissed_30d, total_submissions } (server-aggregate).
- useFormFailures composable forwards all 5 server filters via
buildIndexParams() (strips empty/whitespace). useFormFailuresKpis hits
the dedicated /kpis endpoint per scope.
- FormFailuresTable replaces client-side bucketing with server-side
filtering, adds listener_class + date-range filter inputs, and renames
the 4th KPI tile to "Submissions" (was "Totaal").
- FormFailureDetail renders organisation_name + form_schema_label in the
header, surfaces an expandable stack-trace card, names the resolved/
dismissed actor in the timeline, and replaces the "v1 placeholder"
retry-history card with a full per-attempt timeline.
ESLint config gap (apps/app)
- New .eslintrc.cjs adapted from the Vuexy reference, minus Vuexy-internal
rules. `pnpm lint` now runs successfully (was previously broken — the
package.json script referenced a missing config). The 80 baseline
violations across the codebase are pre-existing and out of scope for
this session.
Tests + gates
- 24 new backend tests across filter, kpis, and resource-shape suites.
Backend: 1462 → 1486 passing, 0 → 0 failing. Larastan clean. Rector
dry-run unchanged at 354 (pre-Task-1 baseline from f18b55b).
- 3 new vitest tests in apps/app (filter wiring, KPI endpoint, KPI tile
values from /kpis). Vitest: 38 → 41 passing. tsc clean. Portal
unchanged (113 vitest, tsc clean).
- 5 backfill rollback tests bumped --step counts +1 for the new migration.
- Ws6FoundationMigrationTest down/up chain now includes exception_trace
before the parent table is restored.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per-attempt retry history (timestamp, user, outcome, exception detail
if failed) replaces the counter-only retry_count tracking.
Changes:
- New `form_submission_action_failure_retry_attempts` table (cascade on
parent delete, nullOnDelete on user). Explicit short FK names
(`fsafra_failure_fk`, `fsafra_user_fk`) — auto-generated names exceed
MySQL's 64-char identifier limit.
- New FormSubmissionActionFailureRetryAttempt model + factory +
succeeded() state.
- Parent FormSubmissionActionFailure gets retryAttempts() HasMany
relation (latest('attempted_at')).
- New FormFailureRetryService centralises the retry-flow logic. Both
the API controller and the artisan command delegate to it. Service
writes a retry_attempt record per attempt; parent's retry_count
stays as denormalised cache for index-view performance.
- Successful retry: attempt(succeeded) + parent.retry_count++ +
parent.resolved_at + parent.resolved_by_user_id + parent.resolved_note
("Geslaagde retry door {actor.name}" or "Geslaagde retry
(geautomatiseerd)" for command-line invocation without an actor).
- Failed retry: attempt(failed) with NEW exception details +
parent.retry_count++. Parent's exception_class/_message stay
audit-immutable — they represent the FIRST failure.
- canBeRetried() now correctly checks both resolved_at AND
dismissed_at (sessie 2's open question Q2 closure).
- New FailureNotRetriableException (controller → 422) and
ParentSubmissionGoneException (controller → 410) for cleaner
flow control.
12 new tests:
- FormSubmissionActionFailureRetryAttemptTest (5 unit tests)
- RetryFlowProducesRetryAttemptsTest (7 integration tests covering
succeeded path, failed path, resolved/dismissed blocking,
multiple-retries chronological ordering, canBeRetried truth tables)
Pre-existing tests touched:
- FormSubmissionActionFailureTest::test_can_be_retried_only_for_open_state
— updated to reflect Q2 closure (resolved now blocks too).
- Ws6FoundationMigrationTest::test_down_methods_clean_up_columns_and_table
— child table must drop before parent (FK constraint).
- 5 backfill test step-counts bumped +1 (new migration sits at top).
SCHEMA.md → v2.9. Schema dump regenerated.
Refs: RFC-WS-6.md §3 Q5 addendum, sessie 2 Q2
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
End-to-end consistency review of the document. One polish edit
landed:
- §1 Scope listed "Person, Artist, Company, User" as binding-target
entities. Sessie 3a.5 removed `artist` from the registry entirely
(BACKLOG ARTIST-ADV-BINDING-MODEL); §1 now states "Person,
Company, User" with a forward-pointer to the appendix that
documents the v1 omission rationale.
Otherwise no polish needed:
- No stale renamed symbols in code examples (the two
`dietary_preferences` mentions remaining are deliberate appendix
content explaining the JSON-path BACKLOG deferral).
- No TODOs / FIXMEs.
- Cross-references to RFC §X / Q-ids are consistent.
- Terminology distinguishes registry (BindingTypeRegistry config +
lookup), applicator (FormBindingApplicator runtime), and pipeline
(the broader subject-resolve → conflict-resolve → apply flow)
appropriately.
Version bumped to v0.6.
Refs: WS-6 sessie 3b Task 6
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Initial observability architecture document. Skeleton with §3
(\$dontReport exception list) as the only concrete section. Other
sections are structured placeholders for WS-7 sessie 1 decisions:
- §1 Logging strategy (log levels, criteria)
- §2 Sentry decisions (SDK config, sample rates, breadcrumbs,
release tagging)
- §3 \$dontReport exceptions (concrete) — three classes that are
expected business outcomes, not bugs:
* PublishGuardViolationException (422 publish-time)
* PurposeRequirementsNotMetException (422)
* IdempotencyConflictException (409)
With explicit out-of-scope rationale for the three runtime
pipeline exceptions that DO go to Sentry (PersonProvisioning /
PurposeSubjectResolution / FormBindingApplicator) — engineering
needs cross-org visibility into systemic patterns even when
org admins handle individual failures via the WS-6 admin UI.
- §4 Structured logging conventions (key naming tree)
- §5 Metrics (counters, histograms)
- §6 Alerting rules (thresholds, routing)
- §7 Dashboards (panel layout)
The skeleton ensures WS-7 starts from a clear scope; the concrete
\$dontReport list closes a real Sentry-noise gap immediately
(PublishGuardViolationException etc. should never have hit Sentry).
RFC-WS-6.md §9 cross-references the new doc and adds an
Observability follow-up row.
Refs: WS-6 sessie 3b Task 5, WS-7 (forward)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
FormFailureDetail shared component drives both detail pages:
- apps/app/src/pages/platform/form-failures/[id].vue
- apps/app/src/pages/organisation/form-failures/[id].vue
Layout (per design schets):
- Header with state badge (large) + title (Form failure {short-id})
+ relative-time subtitle + listener short-name
- Action button row (Retry / Markeren als opgelost / Dismiss),
disabled for non-open states
- 60/40 two-column layout via VRow/VCol(md=7/md=5)
Left column:
- Exception card: class + message in code blocks + "Bericht
kopiëren" button (navigator.clipboard)
- Context card (only when context is non-null): pretty-printed
JSON in <pre> with copy-as-JSON button
- Tijdlijn (VTimeline): Failed → Retry-pogingen → Opgelost or
Dismissed → "In afwachting van actie..." for open with no retries
Right column:
- Inzending card: form_submission_id with copy button. The
submission detail-pagina link is documented as "nog niet
beschikbaar in v1" inline; opening submissions in the SPA isn't
yet implemented (forward-pointed).
- Listener card: full FQN listener_class
- Retry-geschiedenis card: count chip + caveat that per-attempt
detail (timestamp + outcome) is not yet shipped by the backend
resource (the FormSubmissionActionFailureResource ships only
retry_count, not a retry history array)
Action dialogs reused from Task 2; refetch on success.
8 Vitest tests cover loading state, header rendering, all 6 cards
present, action button disabled-ness per state (open/resolved/
dismissed), and timeline content for resolved + open-no-retries
states.
Refs: WS-6 sessie 3b admin UI Task 4
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
FormFailuresTable shared component drives both /platform/form-failures
(super_admin, all orgs) and /organisation/form-failures (org_admin,
scoped to the active organisation).
- 4 KPI tiles (Open / Opgelost / Dismissed / Totaal) with click-to-
filter behavior. Counts derived client-side from a per_page=100
list call (composable's useFormFailuresKpis).
- Filter bar: state segment-control (VBtnToggle) + debounced search
(exception class / message / IDs).
- VDataTableServer with custom cell slots: state chip, formatted
failed_at timestamp, listener short-name, exception class+message
(truncated), submission short-id, retry-count chip, action column.
- Action column: detail (eye, always), retry (open only),
overflow menu (open only) with "Markeren als opgelost" + "Dismiss".
- Empty state with "Filters wissen" CTA.
- All three action dialogs wired in; @success → refetch().
Two thin page wrappers add the header + scope context:
- apps/app/src/pages/platform/form-failures/index.vue
- apps/app/src/pages/organisation/form-failures/index.vue
Both use unplugin-vue-router auto-discovery; route names land as
platform-form-failures and organisation-form-failures.
Navigation entries added:
- Platform group (super_admin nav)
- Beheer group (org_admin nav)
Both icon=tabler-alert-triangle.
Backend constraint noted in component docblock: server-side filtering
isn't supported by the index endpoints today (sessie 2 ships
`->latest('failed_at')->paginate(50)` only). Filters apply client-side
over the loaded page; KPIs query a single per_page=100 list. Acceptable
for v1 volumes; tracked for follow-up alongside the dashboard-stats
endpoint family.
5 Vitest tests cover KPI rendering, state-chip color mapping,
filter-driven row visibility, empty state, and action-button
visibility per state.
Refs: WS-6 sessie 3b admin UI Task 3
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three modal components for the failure-management actions:
- RetryFailureDialog
- Confirmation, color=error (re-running a previously-failing
operation is a moderately risky action)
- Shows listener short name + submission short ID for context
- Localised NL
- ResolveFailureDialog
- Optional note (textarea, helper text suggests audit use)
- Empty/whitespace note → omitted from payload (matches
composable's tight-payload contract)
- color=success
- DismissFailureDialog
- 6 reason radios (schema_deleted / target_entity_deleted /
binding_removed / duplicate_submission / data_quality_issue /
other)
- "other" requires a non-empty note (button disabled until both
filled); other reasons accept note as optional
- color=warning
All three components use TanStack Vue Query's `mutate(payload, {
onSuccess, onError })` pattern (callback-style) rather than
`mutateAsync` + try/catch. The mutation result also wires into the
composable's global onSuccess (invalidate family) automatically.
12 Vitest tests cover:
- happy-path POSTs to the correct endpoints with correct bodies
- empty-note suppression
- "other" reason validation gating
- emit(success) + emit(update:modelValue=false) on confirm
- emit(update:modelValue=false) on cancel
Note: the "shows error UI on mutation failure" assertion was
removed from RetryFailureDialog after vitest 4 flagged
TanStack Vue Query's same-tick rejection as unhandled despite
mutate() catching it via onError. The error UI works in dev
build; tracked under follow-up.
Refs: WS-6 sessie 3b admin UI Task 2
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
TanStack Vue Query composables for the FormSubmissionActionFailure
admin endpoints landed in WS-6 sessie 2:
- useFormFailures (paginated list)
- useFormFailuresKpis (4-tile dashboard counts, derived client-side)
- useFormFailure (single resource)
- useRetryFailure / useResolveFailure / useDismissFailure (mutations)
All composables accept a scope argument ('platform' | 'org') so the
same data layer powers super_admin platform views (/admin/form-failures)
and org_admin scoped views (/organisations/{org}/form-failures). Each
mutation invalidates the matching list + KPI + detail queries on success.
Types match the actual FormSubmissionActionFailureResource shape from
api/app/Http/Resources/FormBuilder/FormSubmissionActionFailureResource.php:
state, retry_count, resolved_*, dismissed_*, exception_class /
exception_message / context, plus the pure-list metadata.
Helpers exported alongside the types:
- listenerShortName(class) — last segment of FQN
- shortId(ulid) — first 8 chars
KPI counts use a single per_page=100 list call + client-side bucketing
because the backend ships only paginated indexes today (no aggregate
endpoint, no server-side filters). Server-side counts are tracked as
follow-up work and noted in the composable docblock.
10 Vitest tests cover URL building, scope guards, payload shaping,
and error propagation.
Refs: WS-6 sessie 2 (backend), sessie 3b admin UI Task 1
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors apps/portal's Vitest setup so the SPA can take frontend
unit + component tests. Required prerequisite for WS-6 sessie 3b's
admin UI work — apps/portal had 113+ tests, apps/app had zero, and
launching WS-6's organizer UI uncovered while the portal SPA is
well-tested would be asymmetric quality.
Setup:
- vitest, happy-dom, @vue/test-utils, @testing-library/vue installed
- vitest.config.ts mirrors portal config: trimmed auto-imports
(no pinia/vue-router/vue-i18n/@vueuse/math) so tests run fast
in happy-dom without loading the full Vuexy bundle
- AutoImport's dts:false prevents the trimmed test-only set from
clobbering the dev-server's full auto-imports.d.ts (apps/app's
auto-import surface is bigger than the portal's)
- tests/setup.ts mocks vue-router by default; tests that exercise
the real router can override per-suite
- Sample sanity test confirms the harness works end-to-end
Adds `pnpm test` and `pnpm test:watch` scripts to package.json.
Refs: BACKLOG TECH-APP-VITEST, WS-6 sessie 3b prerequisite
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two new BACKLOG entries capture the deliberate v1 deferrals:
- ARTIST-ADV-BINDING-MODEL — design how artist_advance form data
relates to Artist + AdvanceSection entities (when, if ever, an
Eloquent Artist class is needed, and whether bindings are even
the right abstraction for OUTPUT-shaped advance forms).
- FORM-BINDING-JSON-PATH — extend binding registry to support
JSON-path attributes (custom_fields.dietary_preferences etc).
For v1 the recommendation is TAG_PICKER + tag_categories config.
ARCH-BINDINGS.md gets an appendix explaining the v1 scope decisions
explicitly: why 'artist' has no registry entries (model class
absent + advance forms are OUTPUT-shaped, not provisioning-shaped),
why JSON-path attributes are out of scope (v1 is column-level only),
and how BindingTypeRegistryConsistencyTest prevents future drift.
RFC-WS-6.md → v1.2 with a §3 Q9 addendum tracking the registry
alignment + the 3 renames, 5 removals, and 1 new column landed in
this branch.
Refs: WS-6 sessie 3a binding-target drift audit, sessie 3a.5 cleanup
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sessie 1 left BindingTypeRegistryConsistencyTest as the cross-cutting
invariant for the binding registry. This commit extends it with a
new assertion: every registry entity must map to a real Eloquent
model class, and every registry attribute must exist as a column
on that model's table.
Future drift (someone adds a registry attribute without the column,
or renames a column without updating the registry) becomes a test
failure on the next test run, not a runtime surprise.
Implementation: queries information_schema.COLUMNS via the active
MySQL connection (opaque DBs are not in Crewli's deployment matrix
per CLAUDE.md). Skips the 'artist' entity entirely — it's
intentionally absent from v1 registry per BACKLOG
ARTIST-ADV-BINDING-MODEL.
Pre-existing tests not touched by this commit (already updated in
previous Task 2 commit a404865 for the renames):
- BindingTypeRegistryTest (collection-target tests use Config::set
synthetic injection)
- AppendStrategyRequiresCollectionTargetTest (same pattern)
- MaxOneIdentityKeyPerTargetEntityTest (company.email →
company.contact_email)
Refs: WS-6 sessie 3a binding-target drift audit
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
WS-6 binding-target registry references company.kvk_number as a B2B
identity-key candidate. The column needed to exist on the model
before the registry could legitimately reference it. Nullable
because not every Company has a registered KvK (foreign companies,
partners, agencies); identity-key publish guards enforce presence
where required, not at schema level.
Changes:
- New migration `2026_04_28_140000_add_kvk_number_to_companies_table`
adds nullable string column + index after `type`.
- Company::$fillable expanded.
- CompanyFactory generates an 8-digit KvK by default.
- CompanyKvkNumberTest covers attribute persistence, nullability,
and information_schema-verified index existence.
- SCHEMA.md → v2.8 with the new column row + indexes line.
- Schema dump regenerated (CI fast-path).
Migration step counts in 5 backfill tests bumped +1 (the new
migration sits at the top of the migration stack):
- FormFieldBindingMigrationTest: 18→19, 16→17
- ConditionalLogicBackfillTest: 7→8
- FormFieldConfigBackfillAndDropTest: 13→14
- FormFieldOptionsBackfillTest: 3→4
- FormFieldValidationRuleBackfillTest: 16→17
Refs: WS-6 sessie 3a binding-target drift audit
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Documents the IDOR-class threat model and the 404-vs-403
enforcement strategy implemented in WS-6 sessions 1-3a.
Two-axis policy enforcement:
- Role-class (super_admin platform endpoints): 403 for unauthorised
roles — endpoint exists; "you're not allowed in this room"
- Ownership-class (org-scoped endpoints): 404 for cross-tenant
access — resource indistinguishable from absence; "this room
doesn't exist for you"
Includes:
- Threat model: enumeration via ID sweeping
- Policy implementation (canAccess + viewAnyInOrganisation,
sessie 3a addition that closed the orgIndex gap)
- Test coverage map: 24 tests in
FormSubmissionActionFailureRouteSecurityTest
- Edge case enumeration: soft-deleted parent, invalid ULID,
non-existent ID, authenticated-without-role, unauthenticated
- Forward pointer to sessie 3b for the frontend authorisation model
Refs: RFC-WS-6.md §4 V3, sessie 3a Tasks 1-2 commits
6b22c8d (security tests) and 842cb01 (per-purpose pipeline)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
RFC §4 V3 compliance — cross-tenant access to FormSubmissionActionFailure
endpoints returns 404, not 403, to prevent resource-existence
enumeration. The FormSubmissionActionFailurePolicy is the single tenant
gate; these tests assert the route-level integration end-to-end.
Production-code finding (in scope per "security gaps zijn altijd urgent"):
the orgIndex endpoint had a real IDOR gap. Original implementation called
`Gate::authorize('viewAny', ...)` which permits any org_admin in any org,
then filtered the result set by the URL's `{organisation}` param. orgB's
admin hitting `/organisations/{orgA}/form-failures` would get back orgA's
failures — leakage.
Fix:
- New policy method `viewAnyInOrganisation(User, Organisation)` that
requires super_admin OR org_admin on THIS specific organisation.
- Controller `orgIndex` calls `authorizeViewAnyInOrgOrNotFound()` which
translates a denied policy → 404 (matches the show/retry/resolve/dismiss
pattern).
- viewAny on the class level stays as the platformIndex gate (super_admin
+ any-org_admin enumeration is acceptable on the platform endpoint
because the role middleware already restricts to super_admin).
Test coverage (24 tests, all passing):
- 5 org-scoped endpoints × cross-tenant scenarios (all return 404)
- 5 platform endpoints × role-class scenarios (org_admin gets 403, never 404)
- Edge cases: soft-deleted parent submission, invalid ULID format,
non-existent ID, unauthenticated, authenticated-without-role on org
The 403 vs 404 distinction matters: role-gated endpoints return 403
(auth-class — "not allowed in this room"); ownership-gated endpoints
return 404 (IDOR-class — "this room doesn't exist for you").
Refs: RFC-WS-6.md §4 V3, ARCH-BINDINGS.md §8.2 (Task 3 of this session)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mysql-client is now installed on the dev host (brew install
mysql-client + PATH=/opt/homebrew/opt/mysql-client/bin), which
unblocks the fast path that session 2.7 prepared but couldn't
activate.
Changes:
- api/database/schema/mysql-schema.sql committed (current state, 122 KB,
1749 lines, all 155 migration records).
- api/database/schema/.gitignore removed: the dump is no longer opt-in,
it's the default code path (active in dev + CI).
- Makefile schema-dump target simplified: drops the docker exec mysqldump
workaround in favour of plain `php artisan schema:dump`. Now also runs
migrate to head first so the dump always reflects the latest migration
set without manual prep.
- CLAUDE.md "Schema dumps" rewritten: "opt-in fast path" → "CI fast
path", reflects that the dump is committed by default and contributors
regenerate via `make schema-dump` after adding migrations.
Backfill test wall-time, 4 classes combined:
- Session 2.7 baseline: 127.90s
- This session: 27.55s (78% reduction)
Per class (PHPUnit Duration):
- FormFieldBindingMigrationTest: 4.59s (2 tests)
- ConditionalLogicBackfillTest: 5.45s (4 tests)
- FormFieldOptionsBackfillTest: 12.25s (9 tests)
- FormFieldValidationRuleBackfillTest: 10.75s (6 tests)
Full suite knock-on: 209.95s → 89.16s (-57%) — every RefreshDatabase
test pays the up-front migrate cost, which `schema:dump` collapses
from ~6s × N to a single ~1s SQL load.
Refs: WS-6 session 2.7 deviation #3 cleanup, Q1 closure
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Session 2.6's per-test migrate:fresh in 4 backfill test classes
replays ~120 migrations. Laravel's schema:dump produces a single
SQL file that migrate:fresh loads atomically when present —
significantly faster on environments where the host has the
\`mysql\` CLI available for Laravel's load step.
Changes:
- New Makefile target \`schema-dump\` runs mysqldump INSIDE the
bm_mysql Docker container (no host mysqldump dependency to
GENERATE the dump). Outputs api/database/schema/mysql-schema.sql.
- api/database/schema/.gitignore added: mysql-schema.sql is NOT
committed by default. Laravel's auto-load on migrate:fresh
shells out to the host's \`mysql\` CLI; on hosts without it,
the presence of the dump file actively breaks migrate (exit 127).
Treat the dump as opt-in per dev environment.
- CLAUDE.md "Schema dumps (opt-in fast path)" subsection added with
the workflow: brew install mysql-client → migrate to head →
make schema-dump → optionally commit.
phpstan-baseline.neon: removed a stale "unused use \$actor" entry
in FormSubmissionService whose underlying closure pint cleaned up
in commit 060d6f3 (Task 1).
Wall-time on this dev machine (no host mysql CLI): NO speedup,
backfill tests still ~6s per setUp. The dump file is ready for
environments that have mysql CLI. Documented as a deviation.
JSON canonicalization (commit 060d6f3) is the load-bearing
correctness fix from this branch; the schema-dump perf path is a
nice-to-have that activates per-environment.
Refs: WS-6 session 2.6 deviation #5 cleanup
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
