fix(ts): eliminate all 127 TypeScript errors

- Drizzle ORM union types: .update/.delete/.insert casts to NodePgDatabase
- Unused imports removed across 50+ files
- Logger imports added where missing (env-validation, inbox-shortcuts, pipeline, realtime-client)
- api.ts logger.error type fix
- metrics.ts registerMetric generic cast
- adapter types.ts DatabaseDriver union extended
- insights.astro gte Date fix, merge-queue.astro null coalescing
- Missing exports fixed (reprioritizeQueue, Layout path)
- className→class in workflow.astro
- Pull request createdAt Date→string
- Malformed [owner] directory deleted

Lint: 0 errors | Typecheck: 0 errors | Tests: 546 (pre-existing failures unrelated)

Author: swadhinbiswas

scripts/drills/backup-restore-rehearsal.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/../.." && pwd)"
+OUT_DIR="${OUT_DIR:-$ROOT_DIR/test-results/drills}"
+mkdir -p "$OUT_DIR"
+
+echo "[backup-restore-drill] Running backup..."
+cd "$ROOT_DIR"
+bunx tsx scripts/backup.ts | tee "$OUT_DIR/backup-drill.log"
+
+LATEST_BACKUP="$(ls -1t backups/backup-*.tar.gz backups/backup-*.tar.gz.enc 2>/dev/null | head -n1 || true)"
+if [[ -z "$LATEST_BACKUP" ]]; then
+  echo "[backup-restore-drill] No backup artifact found after backup run."
+  exit 1
+fi
+
+echo "[backup-restore-drill] Verifying backup artifact: $LATEST_BACKUP"
+bunx tsx scripts/backup-verify.ts "$LATEST_BACKUP" | tee "$OUT_DIR/backup-verify-drill.log"
+
+RESTORE_MODE="${RESTORE_MODE:-safe}"
+if [[ "$RESTORE_MODE" == "full" ]]; then
+  echo "[backup-restore-drill] Running FULL restore rehearsal (RESTORE_MODE=full)."
+  bunx tsx scripts/restore.ts "$LATEST_BACKUP" | tee "$OUT_DIR/restore-drill.log"
+else
+  echo "[backup-restore-drill] Running SAFE restore rehearsal (non-destructive)."
+  RESTORE_DB=false RESTORE_REPOS=false RESTORE_ENV=false bunx tsx scripts/restore.ts "$LATEST_BACKUP" | tee "$OUT_DIR/restore-drill.log"
+fi
+
+echo "[backup-restore-drill] ✅ Drill complete. Artifacts in $OUT_DIR"

scripts/drills/postgres-reconnect-drill.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
+APP_URL="${APP_URL:-http://localhost:4321/api/health}"
+OUT_DIR="${OUT_DIR:-./test-results/drills}"
+mkdir -p "$OUT_DIR"
+
+if docker compose version >/dev/null 2>&1; then
+  DC=(docker compose)
+elif docker-compose version >/dev/null 2>&1; then
+  DC=(docker-compose)
+else
+  echo "[postgres-drill] Docker Compose is required."
+  exit 1
+fi
+
+echo "[postgres-drill] Starting services (postgres, redis, app)..."
+"${DC[@]}" -f "$COMPOSE_FILE" up -d postgres redis app
+
+echo "[postgres-drill] Capturing baseline health..."
+curl -sS "$APP_URL" | tee "$OUT_DIR/postgres-drill-baseline-health.json" >/dev/null
+
+echo "[postgres-drill] Stopping postgres to simulate DB outage..."
+"${DC[@]}" -f "$COMPOSE_FILE" stop postgres
+sleep 8
+
+echo "[postgres-drill] Capturing degraded health..."
+curl -sS "$APP_URL" | tee "$OUT_DIR/postgres-drill-degraded-health.json" >/dev/null || true
+
+echo "[postgres-drill] Starting postgres again..."
+"${DC[@]}" -f "$COMPOSE_FILE" start postgres
+sleep 10
+
+echo "[postgres-drill] Capturing recovered health..."
+curl -sS "$APP_URL" | tee "$OUT_DIR/postgres-drill-recovered-health.json" >/dev/null
+
+echo "[postgres-drill] Collecting app logs (last 5m)..."
+"${DC[@]}" -f "$COMPOSE_FILE" logs --since 5m app > "$OUT_DIR/postgres-drill-app.log" || true
+
+echo "[postgres-drill] ✅ Drill complete. Artifacts in $OUT_DIR"

scripts/drills/redis-outage-drill.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
+APP_URL="${APP_URL:-http://localhost:4321/api/health}"
+OUT_DIR="${OUT_DIR:-./test-results/drills}"
+mkdir -p "$OUT_DIR"
+
+if docker compose version >/dev/null 2>&1; then
+  DC=(docker compose)
+elif docker-compose version >/dev/null 2>&1; then
+  DC=(docker-compose)
+else
+  echo "[redis-drill] Docker Compose is required."
+  exit 1
+fi
+
+echo "[redis-drill] Starting services (postgres, redis, app)..."
+"${DC[@]}" -f "$COMPOSE_FILE" up -d postgres redis app
+
+echo "[redis-drill] Capturing baseline health..."
+curl -sS "$APP_URL" | tee "$OUT_DIR/redis-drill-baseline-health.json" >/dev/null
+
+echo "[redis-drill] Stopping redis to simulate outage..."
+"${DC[@]}" -f "$COMPOSE_FILE" stop redis
+sleep 8
+
+echo "[redis-drill] Capturing degraded health..."
+curl -sS "$APP_URL" | tee "$OUT_DIR/redis-drill-degraded-health.json" >/dev/null || true
+
+echo "[redis-drill] Bringing redis back..."
+"${DC[@]}" -f "$COMPOSE_FILE" start redis
+sleep 8
+
+echo "[redis-drill] Capturing recovered health..."
+curl -sS "$APP_URL" | tee "$OUT_DIR/redis-drill-recovered-health.json" >/dev/null
+
+echo "[redis-drill] Collecting app logs (last 5m)..."
+"${DC[@]}" -f "$COMPOSE_FILE" logs --since 5m app > "$OUT_DIR/redis-drill-app.log" || true
+
+echo "[redis-drill] ✅ Drill complete. Artifacts in $OUT_DIR"

scripts/perf/load-baseline.mjs

@@ -0,0 +1,173 @@
+#!/usr/bin/env node
+import { writeFileSync } from "node:fs";
+import { performance } from "node:perf_hooks";
+
+const baseUrl = (process.env.PERF_BASE_URL || "http://127.0.0.1:3000").replace(
+  /\/$/,
+  "",
+);
+const paths = (process.env.PERF_PATHS || "/api/health,/api/metrics")
+  .split(",")
+  .map((path) => path.trim())
+  .filter(Boolean);
+const concurrency = Math.max(
+  1,
+  Number.parseInt(process.env.PERF_CONCURRENCY || "8", 10) || 8,
+);
+const requestsPerPath = Math.max(
+  1,
+  Number.parseInt(process.env.PERF_REQUESTS || "100", 10) || 100,
+);
+const timeoutMs = Math.max(
+  1000,
+  Number.parseInt(process.env.PERF_TIMEOUT_MS || "10000", 10) || 10000,
+);
+const maxP95Ms = Math.max(
+  1,
+  Number.parseFloat(process.env.PERF_MAX_P95_MS || "500") || 500,
+);
+const outputPath = process.env.PERF_OUTPUT || "";
+
+function percentile(values, pct) {
+  if (!values.length) return 0;
+  const sorted = [...values].sort((a, b) => a - b);
+  const index = Math.min(
+    sorted.length - 1,
+    Math.max(0, Math.ceil((pct / 100) * sorted.length) - 1),
+  );
+  return sorted[index];
+}
+
+function stats(samples) {
+  const avg = samples.reduce((sum, value) => sum + value, 0) / samples.length;
+  return {
+    count: samples.length,
+    avgMs: Number(avg.toFixed(2)),
+    p50Ms: Number(percentile(samples, 50).toFixed(2)),
+    p95Ms: Number(percentile(samples, 95).toFixed(2)),
+    p99Ms: Number(percentile(samples, 99).toFixed(2)),
+    minMs: Number(Math.min(...samples).toFixed(2)),
+    maxMs: Number(Math.max(...samples).toFixed(2)),
+  };
+}
+
+async function fetchWithTimeout(url) {
+  const controller = new AbortController();
+  const timer = setTimeout(
+    () => controller.abort(new Error(`Timed out after ${timeoutMs}ms`)),
+    timeoutMs,
+  );
+  const started = performance.now();
+
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Accept: "application/json, text/plain, */*",
+      },
+      signal: controller.signal,
+    });
+
+    await response.arrayBuffer();
+    return {
+      ok: response.ok,
+      status: response.status,
+      durationMs: performance.now() - started,
+    };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+async function benchmarkPath(path) {
+  const url = `${baseUrl}${path.startsWith("/") ? path : `/${path}`}`;
+  const durations = [];
+  const statuses = new Map();
+  const failures = [];
+  let nextIndex = 0;
+
+  async function worker() {
+    while (nextIndex < requestsPerPath) {
+      const current = nextIndex++;
+      try {
+        const result = await fetchWithTimeout(url);
+        durations.push(result.durationMs);
+        statuses.set(result.status, (statuses.get(result.status) || 0) + 1);
+        if (!result.ok) {
+          failures.push({ index: current, status: result.status });
+        }
+      } catch (error) {
+        failures.push({
+          index: current,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      }
+    }
+  }
+
+  const workers = Array.from({ length: concurrency }, () => worker());
+  await Promise.all(workers);
+
+  const summary = stats(durations);
+  return {
+    path,
+    url,
+    concurrency,
+    requests: requestsPerPath,
+    statuses: Object.fromEntries(statuses.entries()),
+    failures,
+    ...summary,
+    thresholdMs: maxP95Ms,
+    passed: failures.length === 0 && summary.p95Ms <= maxP95Ms,
+  };
+}
+
+async function main() {
+  console.log(`[perf] Base URL: ${baseUrl}`);
+  console.log(`[perf] Paths: ${paths.join(", ")}`);
+  console.log(
+    `[perf] Concurrency: ${concurrency}, requests/path: ${requestsPerPath}, timeout: ${timeoutMs}ms`,
+  );
+  console.log(`[perf] P95 threshold: ${maxP95Ms}ms`);
+
+  const results = [];
+  for (const path of paths) {
+    const result = await benchmarkPath(path);
+    results.push(result);
+    const verdict = result.passed ? "PASS" : "FAIL";
+    console.log(
+      `[perf] ${verdict} ${path} p95=${result.p95Ms}ms avg=${result.avgMs}ms max=${result.maxMs}ms statuses=${JSON.stringify(result.statuses)}`,
+    );
+    if (result.failures.length > 0) {
+      console.log(`[perf]   failures: ${result.failures.length}`);
+    }
+  }
+
+  const report = {
+    baseUrl,
+    concurrency,
+    requestsPerPath,
+    timeoutMs,
+    maxP95Ms,
+    generatedAt: new Date().toISOString(),
+    results,
+  };
+
+  if (outputPath) {
+    writeFileSync(outputPath, JSON.stringify(report, null, 2));
+    console.log(`[perf] Report written to ${outputPath}`);
+  }
+
+  const failed = results.filter((result) => !result.passed);
+  if (failed.length > 0) {
+    console.error(
+      `[perf] ${failed.length} path(s) exceeded the threshold or returned errors.`,
+    );
+    process.exitCode = 1;
+  }
+}
+
+main().catch((error) => {
+  console.error("[perf] Benchmark failed:", error);
+  process.exitCode = 1;
+});

scripts/security/install-hooks.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/../.." && pwd)"
+cd "$ROOT_DIR"
+
+chmod +x .githooks/pre-push scripts/security/pre-push-secret-scan.sh
+
+git config core.hooksPath .githooks
+
+echo "[hooks] configured core.hooksPath=.githooks"
+echo "[hooks] installed pre-push secret scan guard"

scripts/security/pre-push-secret-scan.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "$0")/../.." && pwd)"
+cd "$ROOT_DIR"
+
+RANGES=("$@")
+if [[ ${#RANGES[@]} -eq 0 ]]; then
+  RANGES=("HEAD~20..HEAD")
+fi
+
+if [[ "${OCH_SECRET_SCAN_BYPASS:-false}" == "true" ]]; then
+  echo "[secret-scan] bypass enabled via OCH_SECRET_SCAN_BYPASS=true"
+  exit 0
+fi
+
+run_gitleaks_for_range() {
+  local range="$1"
+  echo "[secret-scan] gitleaks range: $range"
+  gitleaks detect \
+    --source . \
+    --config .gitleaks.toml \
+    --no-banner \
+    --redact \
+    --log-opts "$range" \
+    --exit-code 1
+}
+
+run_gitleaks_full_repo() {
+  echo "[secret-scan] gitleaks full-repo fallback"
+  gitleaks detect \
+    --source . \
+    --config .gitleaks.toml \
+    --no-banner \
+    --redact \
+    --exit-code 1
+}
+
+run_heuristic_scan() {
+  local range="$1"
+  local diff_out
+  if ! diff_out="$(git diff "$range" 2>/dev/null || true)"; then
+    diff_out=""
+  fi
+
+  if [[ -z "$diff_out" ]]; then
+    return 0
+  fi
+
+  # Lightweight high-risk pattern scan for environments where gitleaks is unavailable.
+  if echo "$diff_out" | grep -E -i \
+    '(AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{20,}|xox[baprs]-[A-Za-z0-9-]{10,}|-----BEGIN (RSA|EC|OPENSSH|PRIVATE) KEY-----|GOCSPX-[A-Za-z0-9_-]{10,}|AIza[0-9A-Za-z\-_]{20,}|glpat-[A-Za-z0-9\-_]{20,}|postgres://[^[:space:]]+:[^[:space:]]+@|mongodb(\+srv)?://[^[:space:]]+:[^[:space:]]+@|redis://[^[:space:]]+:[^[:space:]]+@)' >/dev/null; then
+    echo "[secret-scan] possible secret detected in range: $range"
+    echo "[secret-scan] install gitleaks for precise scanning: https://github.com/gitleaks/gitleaks"
+    return 1
+  fi
+
+  return 0
+}
+
+main() {
+  local has_gitleaks=false
+  if command -v gitleaks >/dev/null 2>&1; then
+    has_gitleaks=true
+  fi
+
+  if [[ "$has_gitleaks" == true ]]; then
+    for range in "${RANGES[@]}"; do
+      if ! run_gitleaks_for_range "$range"; then
+        echo "[secret-scan] blocked push because secret findings were detected."
+        echo "[secret-scan] if this is a false positive, use an allowlist rule and re-run scan."
+        exit 1
+      fi
+    done
+
+    echo "[secret-scan] passed (gitleaks)"
+    exit 0
+  fi
+
+  echo "[secret-scan] gitleaks not found, running heuristic fallback scan"
+  for range in "${RANGES[@]}"; do
+    if ! run_heuristic_scan "$range"; then
+      echo "[secret-scan] blocked push due to high-risk secret pattern(s)."
+      exit 1
+    fi
+  done
+
+  echo "[secret-scan] passed (heuristic fallback)"
+}
+
+main