Add tests for SMS handler:
- SendCode with valid phone number
- SendCode with invalid phone (returns 400)
- SendCode with missing phone (validation error)
- SendCode when service not configured (returns 503)
Coverage: handler 27.7% → 28.6%
- Add router package tests to improve coverage
- Update README status date to 2026-05-29
- Mark all P0/P1 review blockers as resolved
- Update project readiness rating to B (conditional ready)
- Document completion of all P0 blocker fixes from HERMES_FULL_REVIEW_2026-05-27
- Document completion of all P1 important issues
- Record TOTP atomic verification path implementation
- Update readiness rating from D to B (conditional ready)
Refs: review-fix-closure-2026-05-28, HERMES_FULL_REVIEW_2026-05-27
- Change ApiResponse.data from T to T | null to match backend reality
- Add compile-time type contract file (http.typecheck.ts)
- Maintain backward compatibility with existing service calls
- Add test for success response with null data
Refs: review-fix-closure-2026-05-28 ApiResponse nullability
- Remove render-time fallback to module store (auth-session) for roles
- Consolidate login/refresh/clear logic into reusable helpers
- Prevent UI logout flicker on transient /auth/userinfo failures
- Add test to verify module store changes don't pollute provider state
Refs: review-fix-closure-2026-05-28 AuthProvider state convergence
- Replace raw SQL with GORM chain calls in Create/Update/Delete/List
- Maintain backward compatibility for *sql.DB construction (wrapped via GORM)
- Update only permitted fields in Update to prevent accidental overwrite of binding keys
- Add repository-level tests for new implementation
Refs: UNFIXED_ISSUES_20260329 social_account_repo GORM refactor
- Add ConsumeTOTPRecoveryCode to UserRepository for atomic read-verify-update
- Update TOTPService.VerifyTOTP to prefer atomic consumption when available
- Update AuthService.verifyTOTPCodeOrRecoveryCode with same pattern
- Fix critical bug: ConsumeTOTPRecoveryCode now correctly returns consumed=false on mismatch
- Maintain backward compatibility: falls back to non-atomic path if repo doesn't implement interface
- Add comprehensive unit tests for atomic consumption path
Refs: review-fix-closure-2026-05-28 TOTP recovery code atomicity
- Add security features section to README
- Add security architecture section 12.1 and 12.2 to ARCHITECTURE
- Add validation commands section to DEPLOYMENT
- Update PRD with fix completion status
P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security
P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage
P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)
P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring
P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing
P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.
Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)
Frontend updated to match new API endpoints.
The JWT GenerateTokenPair functions were updated to require a PCE (Password
Changed Epoch) parameter for token invalidation. This commit updates test files
in concurrent and performance packages to include this parameter.
- internal/concurrent/concurrent_test.go: 2 call sites fixed
- internal/performance/benchmark_test.go: 3 call sites fixed
- internal/performance/performance_test.go: 4 call sites fixed
P1-02: OAuth ExchangeCode and GetUserInfo now accept context parameter
to properly propagate request context to HTTP calls
P1-16: AuthProvider isAuthenticated now uses single source of truth
(effectiveUser !== null) instead of double-checking both
React state and module-level function
