feat(worker): Phase 3b — port domain writes (warranties/insurance/legal-cases creates) #40
Open
chitcommit wants to merge 1 commit into
…al-cases creates)

Ports the three remaining domain write routes from Express to Hono:
  POST /api/assets/:assetId/warranties (server/routes.ts:476)
  POST /api/assets/:assetId/insurance (server/routes.ts:508)
  POST /api/legal-cases (server/routes.ts:540)

Pattern mirrors Phase 3a evidence attach:
- Zod input schemas omit server-owned fields (userId / assetId-from-URL / chittyId) so clients cannot spoof them.
- For warranties + insurance, parent-asset ownership is verified inside the same transaction as the INSERT (SELECT id FROM assets WHERE id=? AND user_id=?), returning 404 on mismatch — no existence leak.
- For legal_cases, user_id is server-injected from claims; no parent asset.
- Express version emits no timeline_events side effects for these creates; parity preserved (pure INSERTs).
- Timestamp columns (start_date / end_date / filing_date / next_hearing) are coerced via z.coerce.date() since JSON carries ISO strings while drizzle-zod emits z.date(). Documented divergence from raw insertSchema.

Stacks on #39 → #38 → #37 → #36 → #34 → #33.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 17, 2026
Summary
Ports the three remaining domain write routes from Express to Hono:
- POST /api/assets/:assetId/warranties — server/routes.ts:476
- POST /api/assets/:assetId/insurance — server/routes.ts:508
- POST /api/legal-cases — server/routes.ts:540

Stacks on #39 → #38 → #37 → #36 → #34 → #33. Base: feat/hono-phase-3a-asset-writes.

Pattern
Mirrors Phase 3a evidence attach:
- userId, assetId from URL, chittyId) so clients cannot spoof them.
- SELECT id FROM assets WHERE id=? AND user_id=?) → 404 on mismatch with no existence leak.
- legal_cases, user_id is server-injected from claims; no parent asset to verify, so a non-transactional single INSERT suffices.
- timeline_events side effects for these creates; parity preserved (pure INSERTs, no extra rows).
- start_date / end_date / filing_date / next_hearing) use z.coerce.date() since JSON bodies carry ISO strings while drizzle-zod emits z.date(). Documented divergence inline.

Validation evidence
Typecheck
npm run check — 0 new errors in worker/ (pre-existing errors in server/ unchanged).

Tests — real Neon, NO MOCKS
Ran full worker integration suite on an ephemeral Neon branch (phase-3b-domain-writes-test on project steep-cloud-28172078, deleted after run):

New file worker/__tests__/domain-writes.integration.test.ts adds 17 tests covering 201/400/401/404 paths, server-owned-field stripping, intruder rejection, bad-UUID rejection, and invalid-JSON rejection across all three routes. Fixture suffixes 5E/5F chosen to avoid collision with existing 5A..5L identities.

Wrangler dry-run
All bindings present (Hyperdrive, Assets, all CHITTYAUTH/MINT/CONNECT/LEDGER env vars, tail to chittytrack).
Neon MCP transaction validation (BEGIN/ROLLBACK)
Executed live against the test branch via Neon MCP run_sql_transaction, ending with ROLLBACK. All three INSERTs returned real rows:
{ id: 3ecd6bb9-..., asset_id: e3e01c03-..., provider: "AppleCare+", is_active: true }
{ id: dec0d78e-..., policy_number: "CHUBB-VAL-001" }
{ id: 7e8f4972-..., case_number: "2025-CV-VAL-001", title: "Phase 3b validation case" }

Test plan
- npm run check — 0 new worker errors
- npx wrangler deploy --dry-run --env production succeeds
- curl assets.chitty.cc/api/v1/status to confirm migration_status: "PHASE_3B_DOMAIN_WRITES" and new routes listed

Divergences from Express
- z.coerce.date() extension on timestamp fields — Express's body-parser path silently passed strings through Drizzle; we make coercion explicit in Hono.
- timeline_events rows emitted (matches Express — flagged because Phase 3a evidence/asset writes DO emit them).

🤖 Generated with Claude Code
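Added example, not code from this pull request: a dependency-free TypeScript sketch of the pattern the description names (server-owned fields never read from the body, ISO date coercion, and an ownership check that answers 404 for both a missing asset and another user's asset). The in-memory arrays stand in for the database, the hand-written parser stands in for the Zod schema, and all type, function and field names are assumptions.

```typescript
// Added illustration: plain-TypeScript stand-ins for the Zod schema and the
// database transaction. Every name and sample value here is hypothetical.
type Claims = { userId: string };
type Input = { provider: string; startDate: Date; endDate: Date | null };
type Warranty = Input & { id: string; assetId: string; userId: string };
type Result = { status: 201; row: Warranty } | { status: 400 | 404; error: string };

// Constructed sample data: one asset, owned by "u-alice".
const assets = [{ id: "a-1", userId: "u-alice" }];
const warranties: Warranty[] = [];

// Role of z.coerce.date(): JSON carries ISO strings, the row needs a Date.
function toDate(v: unknown): Date | null {
  if (typeof v !== "string") return null;
  const d = new Date(v);
  return isNaN(d.getTime()) ? null : d;
}

// Allow-list parse: only client-owned fields are read, so userId, assetId or
// id supplied in the body are dropped instead of reaching the INSERT.
function parseWarrantyInput(body: unknown): Input | null {
  if (typeof body !== "object" || body === null) return null;
  const b = body as Record<string, unknown>;
  const provider = b["provider"];
  const startDate = toDate(b["startDate"]);
  const endDate = b["endDate"] === undefined ? null : toDate(b["endDate"]);
  if (typeof provider !== "string" || provider === "" || startDate === null) return null;
  if (b["endDate"] !== undefined && endDate === null) return null;
  return { provider, startDate, endDate };
}

function createWarranty(claims: Claims, assetIdFromUrl: string, body: unknown): Result {
  const input = parseWarrantyInput(body);
  if (input === null) return { status: 400, error: "invalid body" };
  // Stand-in for: SELECT id FROM assets WHERE id=? AND user_id=?
  const owned = assets.some((a) => a.id === assetIdFromUrl && a.userId === claims.userId);
  // A missing asset and another user's asset get the same 404.
  if (!owned) return { status: 404, error: "asset not found" };
  const row: Warranty = {
    ...input,
    id: "w-" + String(warranties.length + 1),
    assetId: assetIdFromUrl, // from the URL, never from the body
    userId: claims.userId, // from verified claims, never from the body
  };
  warranties.push(row);
  return { status: 201, row };
}
```

In a real handler the ownership SELECT and the INSERT would share one database transaction, as the description states; the synchronous in-memory version here has nothing that could interleave between them.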