Skip to content

chore(deps): upgrade TypeScript 6 + @hookform/resolvers 5#80

Merged
EmiyaKiritsugu3 merged 3 commits into
mainfrom
chore/deps-major
Apr 21, 2026
Merged

chore(deps): upgrade TypeScript 6 + @hookform/resolvers 5#80
EmiyaKiritsugu3 merged 3 commits into
mainfrom
chore/deps-major

Conversation

@EmiyaKiritsugu3

@EmiyaKiritsugu3 EmiyaKiritsugu3 commented Apr 21, 2026

Copy link
Copy Markdown
Owner

Summary

Handles Dependabot PRs #75 and #76 with a properly regenerated lockfile and all breaking changes addressed.

Changes

Package Before After Breaking changes
typescript ^5.9.3 ^6.0.3 TS2882: side-effect CSS imports now require type declaration
@hookform/resolvers ^4.1.3 ^5.2.2 None in our usage

src/types/css.d.ts (new file)

TypeScript 6 introduced TS2882 — side-effect imports (import './globals.css') now require module declarations. Next.js hasn't updated its bundled types yet. One-line fix: declare module '*.css' {}.

recharts 3 (deferred)

PR #78 (recharts 2 → 3) was NOT included. Recharts 3 has breaking type changes in src/components/ui/chart.tsx (7 TS errors — payload/label properties removed from Tooltip props, any inference in callbacks). This requires a dedicated chart.tsx rewrite and is deferred to It5.

Closes #75
Closes #76

Test plan

  • npm run typecheck — 0 errors (TS6 strict)
  • npm run lint — 0 errors
  • npm test — 22/22 passing
  • CI Quality Gates pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated development dependency versions for improved stability and compatibility.
    • Added a TypeScript declaration so CSS imports are accepted without type errors.
  • CI
    • Upgraded CI runtime and package manager versions and tightened secret validation to fail on missing keys.
  • Documentation
    • Minor formatting and whitespace cleanups in project docs.

…ule declaration

- typescript 5.9 → 6.0 (major): requires declare module '*.css' for side-effect
  imports — TypeScript 6 added TS2882 check that Next.js types don't cover yet
- @hookform/resolvers 4.1 → 5.2 (major): no breaking changes in our usage
- recharts pinned at ^2.x (recharts 3 has breaking type changes in chart.tsx
  that require a dedicated fix — deferred to It5)

Closes #75
Closes #76

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vercel

vercel Bot commented Apr 21, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
smartmanagementsystem Ready Ready Preview, Comment Apr 21, 2026 1:08am

@coderabbitai

coderabbitai Bot commented Apr 21, 2026

Copy link
Copy Markdown

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)
Validation error: Invalid enum value. Expected 'de' | 'de-DE' | 'de-AT' | 'de-CH' | 'en' | 'en-US' | 'en-AU' | 'en-GB' | 'en-CA' | 'en-NZ' | 'en-ZA' | 'es' | 'es-AR' | 'fr' | 'fr-CA' | 'fr-CH' | 'fr-BE' | 'nl' | 'nl-BE' | 'pt-AO' | 'pt' | 'pt-BR' | 'pt-MZ' | 'pt-PT' | 'ar' | 'ast-ES' | 'ast' | 'be-BY' | 'be' | 'br-FR' | 'br' | 'ca-ES' | 'ca' | 'ca-ES-valencia' | 'ca-ES-balear' | 'da-DK' | 'da' | 'de-DE-x-simple-language' | 'el-GR' | 'el' | 'eo' | 'fa' | 'ga-IE' | 'ga' | 'gl-ES' | 'gl' | 'it' | 'ja-JP' | 'ja' | 'km-KH' | 'km' | 'ko-KR' | 'ko' | 'pl-PL' | 'pl' | 'ro-RO' | 'ro' | 'ru-RU' | 'ru' | 'sk-SK' | 'sk' | 'sl-SI' | 'sl' | 'sv' | 'ta-IN' | 'ta' | 'tl-PH' | 'tl' | 'tr' | 'uk-UA' | 'uk' | 'zh-CN' | 'zh' | 'crh-UA' | 'crh' | 'cs-CZ' | 'cs' | 'nb' | 'no' | 'nl-NL' | 'de-DE-x-simple-language-DE' | 'es-ES' | 'it-IT' | 'fa-IR' | 'sv-SE' | 'de-LU' | 'fr-FR' | 'bg-BG' | 'bg' | 'he-IL' | 'he' | 'hi-IN' | 'hi' | 'vi-VN' | 'vi' | 'th-TH' | 'th' | 'bn-BD' | 'bn', received 'typescript' at "code_generation.docstrings.language"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9cc57bdc-0a80-441c-9844-944849ab5c39

📥 Commits

Reviewing files that changed from the base of the PR and between ec12cf6 and 77fb85d.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • CLAUDE.md
✅ Files skipped from review due to trivial changes (1)
  • CLAUDE.md

📝 Walkthrough

Walkthrough

Bumped two dependency version ranges in package.json (@hookform/resolvers to ^5.2.2 and typescript to ^6.0.3), added a TypeScript ambient module for *.css imports, updated CI to Node 24 and npm 11 with stricter Supabase key validation, and made small whitespace edits to CLAUDE.md.

Changes

Cohort / File(s) Summary
Dependency Updates
package.json
Updated @hookform/resolvers from ^4.1.3^5.2.2 and typescript from ^5.9.3^6.0.3.
Type Support
src/types/css.d.ts
Added ambient module declaration declare module '*.css' {} to allow importing CSS in TypeScript without type errors.
CI Workflow
.github/workflows/ci.yml
Upgraded CI jobs to Node.js 24, added step to upgrade npm to v11, and replaced fallback Supabase key behavior with strict validation that fails the job if keys cannot be extracted.
Docs / Formatting
CLAUDE.md
Minor whitespace/formatting changes (blank lines added/removed) in documentation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰
Hopping through changes, I cheer and sing,
Types lifted, resolvers take wing.
CSS imports now glide with ease,
CI stricter — no silent keys.
A tiny hop for code, a joyful spring.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive The description provides a clear summary of changes, impact analysis, and test results. However, it does not follow the repository's template structure with explicit sections like 'Type of Change' and 'Checklist'. Consider restructuring the description to match the template with explicit checkboxes for test steps and Type of Change, even though the core information is present.
Out of Scope Changes check ❓ Inconclusive CI workflow updates (Node 24, npm 11, stricter validation) and CLAUDE.md formatting are supporting changes that enable the dependency upgrades but are not strictly required by issues #75 and #76. Clarify whether CI and documentation formatting changes were necessary for the main dependency upgrade objectives, or consider separating them into a dedicated infrastructure PR.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main changes: upgrading TypeScript to v6 and @hookform/resolvers to v5, addressing the primary objectives.
Linked Issues check ✅ Passed All code changes directly address the requirements from issues #75 and #76: TypeScript upgraded to v6.0.3 with TS2882 fix via css.d.ts, @hookform/resolvers upgraded to v5.2.2, lockfile regenerated, and all tests passing.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/deps-major

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 135: The package.json dependency line "typescript": "^6.0.3" conflicts
with the repository policy in CLAUDE.md which mandates TypeScript v5 with strict
catch handling; either revert the package.json change to a supported v5.x range
(replace the "typescript" entry with a v5 version) OR update CLAUDE.md to
explicitly permit TypeScript 6.x and add the required configuration (e.g.,
retain strict mode and document the equivalent for useUnknownInCatchVariables or
any new compiler flags) so the PR and policy stay aligned; update the
package.json dependency key "typescript" and/or the CLAUDE.md policy text
accordingly.
- Line 49: The PR updates TypeScript to 6.0.3 which violates the repo policy
documented in CLAUDE.md that mandates TypeScript 5 (strict); either revert the
TypeScript dependency entry in package.json to an allowed 5.x version (e.g.,
"typescript": "5.x") or update CLAUDE.md to explicitly permit TypeScript 6 and
get the change approved; ensure the change keeps existing code patterns like
zodResolver(formSchema) in form-plano.tsx, form-aluno.tsx,
workout-generator.tsx, treinos-client.tsx, and login/page.tsx functioning by
running the TypeScript build/CI and updating any tsconfig strict settings if you
ratify TypeScript 6.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b324bed-7a48-4ad7-bca7-940dc5b63609

📥 Commits

Reviewing files that changed from the base of the PR and between 9fa3500 and ec12cf6.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • src/types/css.d.ts

Comment thread package.json
Comment thread package.json
- node-version 22 → 24 (Node 24 LTS, latest stable)
- Add 'npm install -g npm@11' in all 3 jobs to match local dev environment
  (npm 10 vs npm 11 generate incompatible lockfiles — deduplication differs)
- Remove hardcoded Supabase demo JWT fallbacks (CWE-321); fail explicitly
  instead if supabase status does not return keys (supabase CLI ≥ v1.23
  always returns keys after supabase start succeeds)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CLAUDE.md was previously gitignored; now tracked, prettier check in CI
catches formatting issues.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@EmiyaKiritsugu3 EmiyaKiritsugu3 merged commit 2dc556b into main Apr 21, 2026
10 checks passed
@EmiyaKiritsugu3 EmiyaKiritsugu3 deleted the chore/deps-major branch April 21, 2026 01:57
EmiyaKiritsugu3 added a commit that referenced this pull request Apr 22, 2026
* docs(it5): open It5-T01 branch — update CURRENT-STATE + CLAUDE.md

Marks branch feat/007-it5-instrutor-auth as active. CURRENT-STATE.md
reflects the 12-task T01 plan (INSTRUTOR auth hardening), promotes the
auth gap to P1 in the incomplete table, and extends the auth.ts key
files entry. CLAUDE.md updated with It5 tech context via agent script.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(it5): document pre-existing TS2882 regression in quality gates

globals.css side-effect import errors since src/types/css.d.ts was
deleted in PR #80 (TypeScript 6 upgrade). Tracked as P2 — must be
fixed before any It5 PR merges to main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(typecheck): restore src/types/css.d.ts deleted in PR #80 TS6 upgrade

TS2882 side-effect import error on globals.css was introduced when the
TS6 upgrade PR accidentally removed this ambient declaration file. One
line: declare module '*.css' {}

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(it5): mark TS2882 resolved in CURRENT-STATE quality gates

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add requireAnyRole helper to auth.ts

T001 — exports requireAnyRole(allowedRoles: Role[]): Promise<void>
following the exact same fail-closed pattern as requireRole. redirects
to /login if unauthenticated, /dashboard if role is not in allowedRoles
or on any DB error. needed by the /dashboard/treinos route gate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add failing E2E negative auth test (TDD red)

T002 — instrutor-auth-negative.spec.ts asserts RECEPCIONISTA and ALUNO
cannot access /dashboard/treinos (must redirect). tests fail until T003
adds the requireAnyRole gate to the page — that is the intended red phase.

also anchors /specs/ in .gitignore to root so tests/e2e/specs/ is no
longer inadvertently excluded.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): gate /dashboard/treinos with requireAnyRole

T003 — replaces bare if(!user) check with requireAnyRole(['INSTRUTOR',
'GERENTE']). RECEPCIONISTA and ALUNO are now redirected fail-closed to
/dashboard. getUser() call kept temporarily for instrutorId={user.id}
prop; removed in T008 after client cleanup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add failing unit tests for treinos actions (TDD red)

T004 + T009 — treinos.test.ts covers upsertTreinoAction (instrutorId
derivation) and ownership checks for deleteTreinoAction and
updateTreinoDayAction. 4 tests currently fail (red phase): INSTRUTOR
instrutorId derivation, RECEPCIONISTA blocked, and both non-owner
ownership guards. tests written before implementation as required by
constitution principle III.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): remove instrutorId from TreinoBaseSchema (server-derived)

T005: instrutorId is now server-derived from session in upsertTreinoAction.
Removed from TreinoBaseSchema (client input); preserved in TreinoSchema
(entity read-type). Cascade errors in treinos.ts:35 and
treinos-client.tsx:384,433 are intentional red state — fixed in T006/T007.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): derive instrutorId from session in upsertTreinoAction

T006: instrutorId is now fetched from the funcionarios table instead of
the client payload. RECEPCIONISTA is blocked (Acesso não autorizado).
ALUNO (not in funcionarios → data=null) and GERENTE both receive
instrutorId=null. INSTRUTOR receives their own user.id.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): remove instrutorId prop from TreinosManagementClient

T007: instrutorId is no longer needed as a component prop since
upsertTreinoAction now derives it server-side from session. Removed
from props interface and both upsertTreinoAction call sites.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): remove redundant getUser and instrutorId prop from TreinosPage

T008: requireAnyRole already asserts authentication, so the subsequent
supabase.auth.getUser() call and instrutorId={user.id} prop are removed.
instrutorId is now fully derived server-side in upsertTreinoAction.
Zero typecheck errors after this task.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add ownership check to updateTreinoDayAction

T010: INSTRUTOR can only update treinos they own (instrutorId = user.id).
GERENTE can update any treino. Unauthorized callers receive
{ success: false, error: 'Acesso não autorizado' }.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add ownership check to deleteTreinoAction

T011: mirrors T010 pattern — INSTRUTOR can only delete treinos they own;
GERENTE can delete any treino. All 10 unit tests green. Zero typecheck
and lint errors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(it5): update CRITICAL-PATHS.md 18 → 19 scenarios

T012: added entry for instrutor-auth-negative.spec.ts (RECEPCIONISTA/ALUNO
blocked from /dashboard/treinos). All 12 tasks for 007-it5-instrutor-auth
are now complete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: update CURRENT-STATE.md for It5 completion

All 12 tasks complete. Auth gap closed. Unit tests 22→32.
E2E scenarios 18→19. Auth gap removed from incomplete list.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test(it5): add requireAnyRole unit tests to restore auth.ts 100% coverage

CI coverage threshold for src/lib/auth.ts requires 100%. Adding
requireAnyRole tests mirrors the requireRole test structure: allowed role
resolves without redirect, wrong role → /dashboard, no user → /login,
DB error → /dashboard, null record (ALUNO) → /dashboard.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(auth): address CodeRabbit review findings on PR #81

auth.ts: requireRole now delegates to requireAnyRole([role]) eliminating
duplicated auth/redirect logic; consistent fail-closed behavior guaranteed
by single implementation.

treinos.ts: fix two security issues flagged by CodeRabbit:
- upsertTreinoAction: ALUNOs (funcData=null) now get alunoId=user.id
  server-side, preventing cross-user spoofing of alunoId from client
- updateTreinoDayAction + deleteTreinoAction: ownership guard now also
  checks treino.alunoId === user.id, allowing ALUNOs to manage their own
  treinos (previously blocked because instrutorId is null on ALUNO-created
  treinos)

instrutor-auth-negative.spec.ts: ALUNO redirect test now asserts
destination /aluno (middleware redirects non-funcionarios to /aluno)
instead of weak negative assertion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Emiya Kiritsugu <emiyakiritsugu3@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
EmiyaKiritsugu3 added a commit that referenced this pull request Apr 23, 2026
* docs(it5): open It5-T01 branch — update CURRENT-STATE + CLAUDE.md

Marks branch feat/007-it5-instrutor-auth as active. CURRENT-STATE.md
reflects the 12-task T01 plan (INSTRUTOR auth hardening), promotes the
auth gap to P1 in the incomplete table, and extends the auth.ts key
files entry. CLAUDE.md updated with It5 tech context via agent script.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(it5): document pre-existing TS2882 regression in quality gates

globals.css side-effect import errors since src/types/css.d.ts was
deleted in PR #80 (TypeScript 6 upgrade). Tracked as P2 — must be
fixed before any It5 PR merges to main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(typecheck): restore src/types/css.d.ts deleted in PR #80 TS6 upgrade

TS2882 side-effect import error on globals.css was introduced when the
TS6 upgrade PR accidentally removed this ambient declaration file. One
line: declare module '*.css' {}

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(it5): mark TS2882 resolved in CURRENT-STATE quality gates

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add requireAnyRole helper to auth.ts

T001 — exports requireAnyRole(allowedRoles: Role[]): Promise<void>
following the exact same fail-closed pattern as requireRole. redirects
to /login if unauthenticated, /dashboard if role is not in allowedRoles
or on any DB error. needed by the /dashboard/treinos route gate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add failing E2E negative auth test (TDD red)

T002 — instrutor-auth-negative.spec.ts asserts RECEPCIONISTA and ALUNO
cannot access /dashboard/treinos (must redirect). tests fail until T003
adds the requireAnyRole gate to the page — that is the intended red phase.

also anchors /specs/ in .gitignore to root so tests/e2e/specs/ is no
longer inadvertently excluded.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): gate /dashboard/treinos with requireAnyRole

T003 — replaces bare if(!user) check with requireAnyRole(['INSTRUTOR',
'GERENTE']). RECEPCIONISTA and ALUNO are now redirected fail-closed to
/dashboard. getUser() call kept temporarily for instrutorId={user.id}
prop; removed in T008 after client cleanup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add failing unit tests for treinos actions (TDD red)

T004 + T009 — treinos.test.ts covers upsertTreinoAction (instrutorId
derivation) and ownership checks for deleteTreinoAction and
updateTreinoDayAction. 4 tests currently fail (red phase): INSTRUTOR
instrutorId derivation, RECEPCIONISTA blocked, and both non-owner
ownership guards. tests written before implementation as required by
constitution principle III.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): remove instrutorId from TreinoBaseSchema (server-derived)

T005: instrutorId is now server-derived from session in upsertTreinoAction.
Removed from TreinoBaseSchema (client input); preserved in TreinoSchema
(entity read-type). Cascade errors in treinos.ts:35 and
treinos-client.tsx:384,433 are intentional red state — fixed in T006/T007.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): derive instrutorId from session in upsertTreinoAction

T006: instrutorId is now fetched from the funcionarios table instead of
the client payload. RECEPCIONISTA is blocked (Acesso não autorizado).
ALUNO (not in funcionarios → data=null) and GERENTE both receive
instrutorId=null. INSTRUTOR receives their own user.id.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): remove instrutorId prop from TreinosManagementClient

T007: instrutorId is no longer needed as a component prop since
upsertTreinoAction now derives it server-side from session. Removed
from props interface and both upsertTreinoAction call sites.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): remove redundant getUser and instrutorId prop from TreinosPage

T008: requireAnyRole already asserts authentication, so the subsequent
supabase.auth.getUser() call and instrutorId={user.id} prop are removed.
instrutorId is now fully derived server-side in upsertTreinoAction.
Zero typecheck errors after this task.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add ownership check to updateTreinoDayAction

T010: INSTRUTOR can only update treinos they own (instrutorId = user.id).
GERENTE can update any treino. Unauthorized callers receive
{ success: false, error: 'Acesso não autorizado' }.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(it5): add ownership check to deleteTreinoAction

T011: mirrors T010 pattern — INSTRUTOR can only delete treinos they own;
GERENTE can delete any treino. All 10 unit tests green. Zero typecheck
and lint errors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(it5): update CRITICAL-PATHS.md 18 → 19 scenarios

T012: added entry for instrutor-auth-negative.spec.ts (RECEPCIONISTA/ALUNO
blocked from /dashboard/treinos). All 12 tasks for 007-it5-instrutor-auth
are now complete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: update CURRENT-STATE.md for It5 completion

All 12 tasks complete. Auth gap closed. Unit tests 22→32.
E2E scenarios 18→19. Auth gap removed from incomplete list.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test(it5): add requireAnyRole unit tests to restore auth.ts 100% coverage

CI coverage threshold for src/lib/auth.ts requires 100%. Adding
requireAnyRole tests mirrors the requireRole test structure: allowed role
resolves without redirect, wrong role → /dashboard, no user → /login,
DB error → /dashboard, null record (ALUNO) → /dashboard.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(auth): address CodeRabbit review findings on PR #81

auth.ts: requireRole now delegates to requireAnyRole([role]) eliminating
duplicated auth/redirect logic; consistent fail-closed behavior guaranteed
by single implementation.

treinos.ts: fix two security issues flagged by CodeRabbit:
- upsertTreinoAction: ALUNOs (funcData=null) now get alunoId=user.id
  server-side, preventing cross-user spoofing of alunoId from client
- updateTreinoDayAction + deleteTreinoAction: ownership guard now also
  checks treino.alunoId === user.id, allowing ALUNOs to manage their own
  treinos (previously blocked because instrutorId is null on ALUNO-created
  treinos)

instrutor-auth-negative.spec.ts: ALUNO redirect test now asserts
destination /aluno (middleware redirects non-funcionarios to /aluno)
instead of weak negative assertion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Emiya Kiritsugu <emiyakiritsugu3@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant