Merge PR: Launch-readiness remediation (10 fixes from audit swarm)
Lands the 10 launch-blocker + High fixes from the 73-agent audit
swarm's review-report.md, one logical commit per finding for the
audit trail.
Critical (launch-blockers):
- SECURITY-1: BOLA on analyze-jobs routes — owner_user_id binding +
auth dependency on status/cancel, 404 (not 403) on mismatch.
- CRITICAL-2: async /analyze-jobs path now enforces quota
synchronously before spawning the worker AND carries the structured
quota error envelope through the polling hook, so a capped Free
user hits the global 429 + upgrade CTA instead of the generic
"workflow failed" toast.
High:
- FLOW-3: theme entitlement scoped to the exported artifact (Free
résumé export no longer blocked by an unrelated cover-letter theme).
- FE-SEC-1: security response headers (X-Frame-Options DENY, CSP
Report-Only, HSTS, X-Content-Type-Options, Referrer-Policy).
- BACKEND-2: per-user in-flight cap (1 run/user) before the global
semaphore, closing the concurrent-run weekly-token bypass and the
unrelated-user 503 fairness gap.
- LLM-1 + OBS-1: web_search routed through OpenAIService with full
metering + cost-tracing; _record_cost_trace ContextVar fallback
closes the JD/résumé parser + embedding cost-trace gap.
- OBS-2: jd_parsed + resume_built PostHog funnel events plug the
funnel hole between job_searched and analysis_started.
- PERF-1 + PERF-2: assistant streaming state moved out of
WorkspaceShell; buildJobReview memoized; b-canvas children
React.memo'd. No more whole-tree reconciliation per stream token
or JD keystroke.
- A11Y-1 + A11Y-2: shared useAccessibleDialog primitive (focus trap,
initial focus, Escape, focus restore) applied to ⌘K palette + FAB
popover; palette also gets combobox/listbox semantics.
- TEST-1: Vitest + React Testing Library baseline, 5 coverage cases
(humanizeApiError, auth-session, useWorkspaceQuota, tier-gate
render, JDReview submit wiring). CI frontend job now runs lint +
build + test.
Explicitly skipped (deferred):
- H1 (upgrade CTA URL 404) — payment isn't live yet; revisit when
Lemon Squeezy ships.
- PERFDB-1/3/4 — 1000-row time-bombs (saved-jobs cleanup,
retention sweeper, cached_jobs DDL not in migration); acceptable
pre-traction.
- All Medium + Low — separate cleanup PR.
Test gates passed: 502+ pytest, ruff clean on touched files,
tsc + eslint clean on frontend, Vitest baseline green.