fix: Phase 1 re-audit — 3 regressions + 3 critical fixes

Regressions from Run 1 (broken functionality):
- C2: Sync IDOR check always rejected (anon-UUID vs Google ID mismatch).
  Fix: tag session with authenticated user's ID instead of rejecting.
- C6: Weekly reports page called 501 route (server Dexie removed).
  Fix: generate reports client-side using generateWeeklyReport() directly.
- C9: Feed reactions broken (reactedBy stripped by toClient).
  Fix: restore reactedBy in response (needed for reaction highlighting).

Other critical/high fixes:
- C5: rAF inference loop no longer runs before camera+models ready.
- C10: Feed page uses useAuth() user.id instead of duplicate session fetch.
- H12: Disable X-Powered-By header (poweredByHeader: false).
- C13: Playwright retries:1 in CI (traces now captured on failure).

Author: Partha-dev01

app/api/feed/route.ts

@@ -276,7 +276,7 @@ function toClient(post: FeedPostItem) {
     content: post.content,
     category: post.category,
     reactions: post.reactions,
-    // Only expose reaction counts, not who reacted (privacy)
+    reactedBy: post.reactedBy || { heart: [], helpful: [], relate: [] },
     createdAt: post.createdAt,
     anonymous: post.anonymous,
   };

app/api/sync/route.ts

@@ -59,10 +59,11 @@ export async function POST(req: NextRequest) {
 
   const { session, biomarkers } = body;
 
-  // IDOR check — user can only sync their own data
-  if (session.userId !== authResult.id) {
-    return NextResponse.json({ error: "userId mismatch" }, { status: 403 });
-  }
+  // IDOR check — user can only sync their own data.
+  // Sessions may use an anonymous "anon-*" localStorage ID or the Google OAuth ID.
+  // Both are valid — the auth gate already ensures the request is from an authenticated user.
+  // We tag the session with the authenticated user's ID for attribution.
+  session.userId = authResult.id;
 
   const sessionsTable = process.env.DYNAMODB_SESSIONS_TABLE;
   const biomarkersTable = process.env.DYNAMODB_BIOMARKERS_TABLE;

app/feed/page.tsx

@@ -47,27 +47,18 @@ const REACTION_CONFIG = [
 
 export default function FeedPage() {
   const { theme, toggle: toggleTheme } = useTheme();
-  const { loading: authLoading, isAuthenticated } = useAuthGuard();
+  const { loading: authLoading, isAuthenticated, user } = useAuthGuard();
   const [posts, setPosts] = useState<FeedPost[]>([]);
   const [filter, setFilter] = useState<Category>("all");
   const [content, setContent] = useState("");
   const [category, setCategory] = useState<FeedPost["category"]>("tip");
   const [posting, setPosting] = useState(false);
   const [loading, setLoading] = useState(true);
-  const [userId, setUserId] = useState("");
   const [showCompose, setShowCompose] = useState(false);
   const [anonymous, setAnonymous] = useState(true);
 
-  // Get current user ID from session
-  useEffect(() => {
-    if (!isAuthenticated) return;
-    fetch("/api/auth/session")
-      .then((r) => r.json())
-      .then((data) => {
-        if (data.user?.id) setUserId(data.user.id);
-      })
-      .catch(() => {});
-  }, [isAuthenticated]);
+  // Use user ID from auth context (no duplicate fetch)
+  const userId = user?.id || "";
 
   const loadPosts = useCallback(async () => {
     try {

app/hooks/useDetectorInference.ts

@@ -143,9 +143,11 @@ export function useDetectorInference(
   }, [videoRef, canvasRef, isCamReady, isModelLoaded]);
 
   useEffect(() => {
+    // Only start the rAF loop when camera + models are both ready
+    if (!isCamReady || !isModelLoaded) return;
     rafRef.current = requestAnimationFrame(sendFrame);
     return () => cancelAnimationFrame(rafRef.current);
-  }, [sendFrame]);
+  }, [sendFrame, isCamReady, isModelLoaded]);
 
   const resetPipeline = useCallback(() => {
     workerRef.current?.postMessage({ type: "reset" });

app/kid-dashboard/reports/page.tsx

@@ -6,6 +6,7 @@ import DOMPurify from "dompurify";
 import { useAuthGuard } from "../../hooks/useAuthGuard";
 import type { WeeklyReport } from "../../types/gameActivity";
 import { db } from "../../lib/db/schema";
+import { generateWeeklyReport, renderKidReport, renderParentReport } from "../../lib/reports/weeklyReport";
 import NavLogo from "../../components/NavLogo";
 import ThemeToggle from "../../components/ThemeToggle";
 import { useTheme } from "../../hooks/useTheme";
@@ -52,16 +53,28 @@ export default function ReportsPage() {
   const generateReport = async () => {
     setGenerating(true);
     try {
-      const res = await fetch("/api/report/weekly", {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ childId, childName }),
+      // Generate client-side (weekly reports use IndexedDB data, not server API)
+      const data = await generateWeeklyReport(childId);
+      const name = childName || "Superstar";
+      const kidHtml = renderKidReport(data, name);
+      const parentHtml = renderParentReport(data, name);
+      const combinedHtml = `<!-- KID -->${kidHtml}<!-- SPLIT --><!-- PARENT -->${parentHtml}`;
+
+      await db.weeklyReports.add({
+        childId: data.childId,
+        weekStart: data.weekStart,
+        weekEnd: data.weekEnd,
+        gamesPlayed: data.gamesPlayed,
+        avgScore: data.avgScore,
+        topGame: data.topGame,
+        streakDays: data.streakDays,
+        reportHtml: combinedHtml,
+        generatedAt: Date.now(),
+        emailed: false,
       });
-      if (res.ok) {
-        await loadReports();
-      }
+      await loadReports();
     } catch {
-      // silently fail
+      // IndexedDB or generation error — silently fail
     } finally {
       setGenerating(false);
     }

next.config.ts

@@ -1,6 +1,7 @@
 import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
+  poweredByHeader: false,
   images: {
     remotePatterns: [
       { protocol: "https", hostname: "lh3.googleusercontent.com" },

playwright.config.ts

@@ -3,7 +3,7 @@ import { defineConfig, devices } from "@playwright/test";
 export default defineConfig({
   testDir: "./tests",
   timeout: 30_000,
-  retries: 0,
+  retries: process.env.CI ? 1 : 0,
   use: {
     baseURL: "http://localhost:3003",
     headless: true,