Skip to content

chore: repo hygiene — document merge-lines endpoint, remove dead BudgetPage, close test-parity gaps#1853

Merged
steilerDev merged 1 commit into
betafrom
chore/1821-repo-hygiene
Jul 8, 2026
Merged

chore: repo hygiene — document merge-lines endpoint, remove dead BudgetPage, close test-parity gaps#1853
steilerDev merged 1 commit into
betafrom
chore/1821-repo-hygiene

Conversation

@steilerDev

Copy link
Copy Markdown
Owner

Summary

Fixes #1821

Notes for the repo owner

  • Base-checkout hygiene (informational, not actionable from any worktree): the base checkout has 42 pre-existing stray items (agent-memory edits + a dirty wiki pointer) that predate this batch and sit outside any worktree's reach per CLAUDE.md's "never cd to the base checkout" rule. These need a manual sweep by the repo owner.
  • Legacy wiki gap (follow-up candidate): during the API-Contract audit, two older documentation gaps were found that predate this issue's staleness window and were left out of scope — full CRUD docs for vendor-contacts (routes added March 2026) and complete endpoint documentation for subsidy-programs (added Feb 2026, currently only referenced in a summary table). Worth a separate follow-up issue if a full legacy audit is wanted.

Test plan

  • AutoItemizePdfPreview.test.tsx run locally: 8/8 passed, 100% coverage on the target file
  • errorHandler.ts verified comment-only (function body byte-for-byte unchanged)
  • Wiki endpoint doc cross-checked field-by-field against route schema, shared types, and service error paths
  • ESLint clean on touched files
  • CI Quality Gates

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

…etPage, close test-parity gaps

Addresses the four items from issue #1821's repo hygiene audit:
- Wiki: document the previously-missing POST /api/invoices/auto-itemize/merge-lines
  endpoint (Story #1797, PR #1803) in API-Contract.md. Audited all other candidate
  gaps (cost-basis filter, vendor reassignment, document attachment) and confirmed
  they were already documented or client-only; older vendor-contacts/subsidy-programs
  doc gaps predate this issue's staleness window and are left as a follow-up
  candidate (see PR body).
- Remove dead client/src/pages/BudgetPage/ (unrouted, zero references, superseded
  by BudgetOverviewPage/BudgetSourcesPage).
- Add missing unit test for AutoItemizePdfPreview.tsx (8 scenarios, 100% coverage).
- Broaden the test-file-parity exemption (dev-team-lead.md,
  implementation-checklist.md, CLAUDE.md) to explicitly cover bare `types.ts`
  filenames and pure re-export barrels, matching existing practice.
- Codify in CLAUDE.md that agent-memory updates ride along with session-worktree
  PRs rather than sitting uncommitted in the base checkout.

Also folds in a deferred nit from #1811: errorHandler.ts's doc comment referenced
a non-existent fallbackErrorCode() function; corrected to point at the actual
inline fallback branch in mapFastifyErrorCode().

Fixes #1821

Co-Authored-By: Claude dev-team-lead (Sonnet 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude product-architect (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude backend-developer (Haiku 4.5) <noreply@anthropic.com>
Co-Authored-By: Claude frontend-developer (Haiku 4.5) <noreply@anthropic.com>
Co-Authored-By: Claude qa-integration-tester (Sonnet 4.5) <noreply@anthropic.com>
@steilerDev

Copy link
Copy Markdown
Owner Author

[security-engineer] Security review of PR #1853 (chore/1821-repo-hygiene).

Scope reviewed: git diff origin/beta..HEAD excluding .claude/agent-memory/**.

1. Deleted client/src/pages/BudgetPage/ — confirmed dead code: unrouted (no reference in App.tsx/routes), zero remaining references anywhere in client/src after deletion (verified via grep). The component only rendered static t()-translated title/description text with no props, no API calls, no auth logic, no user input. No security surface removed or introduced.

2. New AutoItemizePdfPreview.test.tsx — the component under test (AutoItemizePdfPreview.tsx) is pre-existing and unchanged by this PR; only the test file is new.

  • iframe src={getDocumentPreviewUrl(documentId)}getDocumentPreviewUrl builds ${getBaseUrl()}/paperless/documents/${id}/preview, where getBaseUrl() returns the app's own internal API base (not attacker/env-controlled), and documentId is a number. No SSRF/open-redirect vector — the iframe always points at the app's own authenticated proxy route, never a raw external Paperless URL.
  • Confirmed no real network activity in the test: Jest's client project uses testEnvironment: 'jsdom' (jest.config.ts:74) without resources: 'usable', so jsdom does not fetch iframe src. Ran the suite locally (npx jest .../AutoItemizePdfPreview.test.tsx) — 8/8 pass, all assertions operate on the DOM attribute/fired synthetic events only.
  • No dangerouslySetInnerHTML/innerHTML/eval in test or component. The paperlessUrl fallback link (target="_blank" with rel="noopener noreferrer" already present) is unchanged pre-existing code, correctly guarded.

3. Wiki doc for POST /api/invoices/auto-itemize/merge-lines — cross-checked against server/src/routes/invoiceAutoItemize.ts:264-272. The route does if (!request.user) throw new UnauthorizedError(); before calling the service — auth is required, matching the wiki's "Auth required: Yes". Request schema also matches (descriptions 2-200 items/1-1000 chars, availableCategories max 50 items/1-30 chars, additionalProperties: false) — no drift between documentation and implementation.

4. errorHandler.ts doc-comment fix — confirmed comment-only change (git diff shows a single-line docblock edit); function body byte-for-byte unchanged. No behavior change.

5. Policy/checklist amendments (CLAUDE.md, dev-team-lead.md, implementation-checklist.md) — process documentation only, no security implications.

No injection, auth, XSS, SSRF, or sensitive-data-exposure issues found. This is a clean hygiene PR.

Verdict: APPROVED — no findings.

@steilerDev steilerDev merged commit dcf1c38 into beta Jul 8, 2026
28 of 32 checks passed
@steilerDev steilerDev deleted the chore/1821-repo-hygiene branch July 8, 2026 00:49
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 2.13.0-beta.22 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant