Merge PRs #1, #2, #3, #4, #5, #6, #7, #8, #10, #11, #12, #13, #14 into main

[davidraehles]

Summary

Combined merge of all 13 open PRs into main, with conflict resolution, CI setup, and code quality fixes.

PRs Included

PR	Title
#1	🛡️ Sentinel: [CRITICAL/HIGH] Fix hardcoded JWT secret and restrict CORS
#2	⚡ Bolt: Optimize IndexedDB storage with bulk save
#3	🎨 Palette: Enhanced Note List Accessibility and Editor UX
#4	🧪 [testing improvement] Add unit tests for backend authentication middleware
#5	⚡ Bolt: Optimize sequential IndexedDB writes in loadNotesIntent
#6	⚡ Bolt: Replace bcryptjs with native bcrypt
#7	🧹 Remove hardcoded API URL fallback and add environment validation
#8	🧹 Centralize backend logging using a wrapper utility
#10	⚡ Bolt: Implement Prisma Client singleton
#11	🧹 Centralize backend logging
#12	🔒 Restrict permissive CORS policy
#13	🔒 [security fix] Remove hardcoded JWT secret
#14	🔒 [security fix] Implement HttpOnly cookie storage for auth tokens

Additional Changes

• CI: Added .github/workflows/ci.yml with backend and frontend jobs (type check, lint, build, tests)
• TypeScript fixes: Fixed verbatimModuleSyntax type-only imports, TS 5.9 BufferSource/HeadersInit compatibility, vitest config types
• Lint fixes: Resolved all ESLint errors (unused vars, no-explicit-any in test mocks)
• Cleanup: Removed stray pnpm-lock.yaml files from both backend and frontend

Conflict Resolution

• JWT secret (PRs 🛡️ Sentinel: [CRITICAL/HIGH] Fix hardcoded JWT secret and restrict CORS #1 vs 🔒 [security fix] Remove hardcoded JWT secret #13): Took PR 🔒 [security fix] Remove hardcoded JWT secret #13's stricter approach — no fallback, always require JWT_SECRET
• CORS config (PRs 🛡️ Sentinel: [CRITICAL/HIGH] Fix hardcoded JWT secret and restrict CORS #1 vs 🔒 Restrict permissive CORS policy #12): Combined production check + credentials: true + empty origin filtering
• Prisma + bcrypt (PRs ⚡ Bolt: Replace bcryptjs with native bcrypt #6 vs ⚡ Bolt: Implement Prisma Client singleton #10): Kept native bcrypt from PR ⚡ Bolt: Replace bcryptjs with native bcrypt #6 with Prisma singleton import from PR ⚡ Bolt: Implement Prisma Client singleton #10
• Logger (PRs 🧹 Centralize backend logging using a wrapper utility #8 vs 🧹 Centralize backend logging #11): Used PR 🧹 Centralize backend logging #11's typed (message: string, ...args: unknown[]) signatures
• IndexedDB (PRs ⚡ Bolt: Optimize IndexedDB storage with bulk save #2 vs ⚡ Bolt: Optimize sequential IndexedDB writes in loadNotesIntent #5): Deduplicated saveNotesToDB, kept Promise.all pattern with per-item fallback

Verification

• Backend: 7/7 tests pass, type check clean, build clean
• Frontend: 30/30 tests pass, type check clean, lint clean, build clean

Closes #1, closes #2, closes #3, closes #4, closes #5, closes #6, closes #7, closes #8, closes #10, closes #11, closes #12, closes #13, closes #14

[Copilot]

Pull request overview

This pull request consolidates 13 individual PRs into main, implementing critical security fixes, performance optimizations, accessibility improvements, comprehensive testing, and CI/CD infrastructure. The changes address multiple security vulnerabilities (hardcoded JWT secret, permissive CORS, localStorage token storage), significantly improve application performance (native bcrypt, Prisma singleton, IndexedDB bulk operations), and establish a solid foundation for code quality with automated testing and CI workflows.

Changes:

• Security hardening: Removed hardcoded JWT secret fallbacks, implemented environment-based CORS restrictions with origin whitelisting, migrated from localStorage to HttpOnly cookies for authentication tokens
• Performance optimizations: Replaced bcryptjs with native bcrypt (~38% faster hashing), implemented Prisma Client singleton to prevent connection pool exhaustion, optimized IndexedDB writes with bulk transactions (~8x speedup)
• Accessibility & UX: Added keyboard navigation (Enter/Space), ARIA labels, focus management for note list and editor, automatic focus on new note creation
• Testing & quality: Added comprehensive auth middleware tests, IndexedDB offline service tests, TypeScript 5.9 compatibility fixes, centralized backend logging, established CI workflows
• Documentation: Added security learnings (.jules/sentinel.md), performance learnings (.jules/bolt.md), accessibility learnings (.Jules/palette.md), .env.example files, updated README with proper placeholder secrets

Reviewed changes

Copilot reviewed 29 out of 31 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
backend/src/middleware/auth.ts	Removed hardcoded JWT secret, added cookie-based authentication fallback
backend/src/routes/auth.ts	Migrated to native bcrypt, added HttpOnly cookie setting, added /me and /logout endpoints
backend/src/routes/notes.ts	Imported Prisma singleton, added centralized logging, Express 5 type casting
backend/src/server.ts	Implemented CORS origin whitelist with environment validation, added cookie-parser middleware
backend/src/lib/prisma.ts	New Prisma Client singleton implementation
backend/src/utils/logger.ts	New centralized logging utility
backend/src/middleware/tests/auth.test.ts	New comprehensive auth middleware tests
backend/package.json	Replaced bcryptjs with bcrypt, added cookie-parser and vitest dependencies
frontend/src/services/api.ts	Removed localStorage token storage, added credentials: include, added getMe/logout endpoints
frontend/src/services/offline.ts	Added bulk save function for IndexedDB optimization
frontend/src/services/encryption.ts	TypeScript 5.9 BufferSource compatibility casts
frontend/src/intents/authIntents.ts	Added checkAuthIntent and logoutIntent with proper error handling
frontend/src/intents/notesIntents.ts	Integrated bulk IndexedDB save with fallback, removed unused error variables
frontend/src/views/NoteList.tsx	Added keyboard navigation, ARIA labels, accessibility improvements
frontend/src/views/NoteEditor.tsx	Added auto-focus on new note, ARIA labels for inputs
frontend/src/test/setup.ts	Added VITE_API_URL environment variable mocking
frontend/src/App.tsx	Added checkAuthIntent on app initialization
frontend/src/index.css	Added focus-visible styles for accessibility
frontend/.env.example	New environment variable documentation
.github/workflows/ci.yml	New CI pipeline for backend and frontend
.jules/sentinel.md	Security best practices documentation
.jules/bolt.md	Performance optimization documentation
.Jules/palette.md	Accessibility learning documentation
README.md	Updated JWT_SECRET examples to use placeholders

Files not reviewed (2)

• backend/package-lock.json: Language not supported
• frontend/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The authentication middleware now supports cookie-based authentication (line 30-32 in auth.ts), but the test suite doesn't include test cases for this scenario. Consider adding a test that verifies the middleware can successfully authenticate using a token from req.cookies.auth_token when no Authorization header is present.

Suggested change

	});
	});
	it('should authenticate using auth_token cookie when no authorization header is present', () => {
	// No Authorization header set
	(req as any).cookies = { auth_token: 'valid-cookie-token' };
	const userId = 'user-cookie-123';
	vi.spyOn(jwt, 'verify').mockImplementation((token, secret, callback: any) => {
	callback(null, { userId });
	});
	authenticateToken(req as AuthRequest, res as Response, next);
	expect(req.userId).toBe(userId);
	expect(next).toHaveBeenCalled();
	expect(res.status).not.toHaveBeenCalled();
	});

[Copilot]

The ALLOWED_ORIGINS check on line 18 uses !process.env.NODE_ENV || process.env.NODE_ENV === 'production' which means it requires ALLOWED_ORIGINS when NODE_ENV is undefined OR when it's 'production'. This is correct for production safety, but the logic might be clearer as process.env.NODE_ENV === 'production' since undefined NODE_ENV typically indicates production. However, the current implementation is actually safer by being more restrictive. Consider documenting this behavior or simplifying to just check for production if you want to allow development flexibility.

Suggested change

	// Require ALLOWED_ORIGINS in production
	if (!process.env.ALLOWED_ORIGINS && (!process.env.NODE_ENV || process.env.NODE_ENV === 'production')) {
	throw new Error('ALLOWED_ORIGINS environment variable is required in production');
	// Require ALLOWED_ORIGINS in production and when NODE_ENV is not set (treat unset as production for safety)
	if (!process.env.ALLOWED_ORIGINS && (!process.env.NODE_ENV || process.env.NODE_ENV === 'production')) {
	throw new Error('ALLOWED_ORIGINS environment variable is required in production or when NODE_ENV is not set');

[Copilot]

Two directories with the same name but different casing exist: .jules (containing bolt.md and sentinel.md) and .Jules (containing palette.md). This will cause issues on case-insensitive filesystems like macOS and Windows (NTFS default). These should be consolidated into a single directory with consistent casing. Recommend using .jules (lowercase) as the standard and moving palette.md into it.

Suggested change

	## 2025-02-18 - [Accessibility for Custom List Items]
	**Learning:** In minimalist designs where list items are used as primary navigation/selection elements, they often lack keyboard accessibility. Using `role="button"` and `tabIndex={0}` is essential, but it must be paired with an `onKeyDown` handler for both 'Enter' and ' ' (Space) keys to meet user expectations.
	**Action:** Always check if clickable `div`s have corresponding keyboard handlers and ARIA roles.
	## 2025-02-18 - [Visual Focus for Keyboard Users]
	**Learning:** Default browser focus outlines can be inconsistent or clash with minimalist black/white designs. Using `:focus-visible` with a high-contrast `outline` and `outline-offset` provides a clear indicator for keyboard users while remaining invisible for mouse users.
	**Action:** Implement custom `:focus-visible` styles for all interactive elements to ensure a polished keyboard navigation experience.
	# File moved
	This file has been moved to `.jules/palette.md` to ensure consistent directory casing
	across platforms (for example, macOS and Windows, which use case-insensitive
	filesystems by default).
	Please update any references from `.Jules/palette.md` to `.jules/palette.md`.
	Once all references are updated, the `.Jules` directory can be safely removed.

[Copilot]

The frontend test step (line 79-81) does not set the VITE_API_URL environment variable, but the test setup (frontend/src/test/setup.ts) mocks it using vi.stubEnv. However, for consistency and to ensure tests can run in CI without relying solely on mocks, consider adding the environment variable to this step similar to the build step (line 77).

Suggested change

	run: npx vitest run
	run: npx vitest run
	env:
	VITE_API_URL: http://localhost:3000