What's Changed
Security & Validation Hardening
- Fixed task status enum mismatch (`blocked` → `quality_review`) in validation schema
- Added 12 new Zod input validation schemas covering all previously unvalidated mutation routes
- Applied `validateBody()` across 11 API route POST/PUT handlers
- Extended rate limiting: `readLimiter` (120/min) for memory & logs GET, `heavyLimiter` for search, backup, cleanup
- Added security headers to all middleware responses: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: strict-origin-when-cross-origin`
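The three hardening patterns listed above (body validation in front of a mutation handler, a per-IP fixed-window rate limiter returning 429, and the security headers) as one added, self-contained example. This is illustrative code written for these notes, not the project's own source: the schema helpers are hand-rolled stand-ins for the project's Zod schemas, `validateBody`, `createLimiter`, `readLimiter`, `securityHeaders` and `runChain` are assumed names, the task status values other than `quality_review` are assumed, and the request/response objects are a minimal in-memory substitute for a real framework so the chain runs offline.

```javascript
// Added example, not the project's code. Shows the release-note patterns in
// plain Node.js with no framework dependency.

// Task status enum. 'quality_review' appears in the release notes; the other
// values are assumed for illustration. 'blocked' is deliberately absent.
const TASK_STATUS = ['todo', 'in_progress', 'quality_review', 'done'];

// Minimal schema helpers standing in for Zod's z.string() / z.enum().
// Each returns null on success or an error message on failure.
const str = (min = 1, max = 200) => (v) =>
  typeof v === 'string' && v.length >= min && v.length <= max
    ? null : `expected string of length ${min}-${max}`;
const oneOf = (allowed) => (v) =>
  allowed.includes(v) ? null : `expected one of ${allowed.join(', ')}`;

// Schema for a task update body (assumed shape).
const taskUpdateSchema = { title: str(1, 120), status: oneOf(TASK_STATUS) };

// validateBody(schema): rejects unknown keys and invalid fields with 400
// before the handler runs, so the handler only ever sees a body that passed.
function validateBody(schema) {
  return (req, res, next) => {
    const errors = {};
    for (const key of Object.keys(req.body ?? {})) {
      if (!(key in schema)) errors[key] = 'unexpected field';
    }
    for (const [key, check] of Object.entries(schema)) {
      const err = check(req.body?.[key]);
      if (err) errors[key] = err;
    }
    if (Object.keys(errors).length) return res.status(400).json({ errors });
    next();
  };
}

// createLimiter: fixed-window counter keyed by client IP. `now` is injectable
// so the window reset can be exercised deterministically in tests.
function createLimiter({ limit, windowMs, now = Date.now }) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return (req, res, next) => {
    const t = now();
    let b = buckets.get(req.ip);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + windowMs };
      buckets.set(req.ip, b);
    }
    b.count += 1;
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, limit - b.count)));
    if (b.count > limit) return res.status(429).json({ error: 'rate limit exceeded' });
    next();
  };
}

// 120 requests per minute, matching the readLimiter figure in the notes.
const readLimiter = (opts = {}) => createLimiter({ limit: 120, windowMs: 60_000, ...opts });

// securityHeaders: the three response headers listed in the release notes.
function securityHeaders(req, res, next) {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
}

// Tiny in-memory req/res so a middleware chain runs without a framework.
// A middleware that responds without calling next() stops the chain.
function runChain(middlewares, req) {
  const res = {
    statusCode: 200, headers: {}, body: undefined,
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; },
  };
  let i = 0;
  const next = () => { const m = middlewares[i++]; if (m) m(req, res, next); };
  next();
  return res;
}

// Walk one request through headers -> validation -> handler and return
// both the rejected ('blocked') and accepted ('quality_review') outcomes.
function demo() {
  const handler = (req, res) => res.status(200).json({ ok: true });
  const chain = [securityHeaders, validateBody(taskUpdateSchema), handler];
  const bad = runChain(chain, { ip: '10.0.0.1', body: { title: 'x', status: 'blocked' } });
  const good = runChain(chain, { ip: '10.0.0.1', body: { title: 'x', status: 'quality_review' } });
  return { bad, good };
}

module.exports = { TASK_STATUS, validateBody, createLimiter, readLimiter, securityHeaders, runChain, demo };
```

Because validation sits in front of the handler, the enum mismatch that the notes fixed would surface as a 400 with a field-level error rather than a row written with a status the rest of the code does not understand; the limiter's `now` hook is what lets a test cover the window-reset and IP-isolation cases the notes mention without sleeping.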
Unit Tests
- Filled auth test stubs with real assertions (safeCompare, requireRole)
- Added validation test suite (27 tests across 10 schema groups)
- Added rate-limit test suite (limits, 429 responses, window reset, IP isolation)
- Added db-helpers test suite (parseMentions, logActivity, createNotification, updateAgentStatus)
- 60 total tests, all passing
Code Quality & DX
- Replaced `as any` casts with typed interfaces (`SessionQueryRow`, `UserQueryRow`, `CountRow`)
- Bumped version from 1.0.0 to 1.2.0
- Added `CHANGELOG.md` with v1.0.0, v1.1.0, v1.2.0 entries
- Updated README roadmap: 11 items marked complete, 6 new items added
Quality Gates
| Check | Result |
|---|---|
| TypeScript | 0 errors |
| ESLint | 0 errors |
| Unit tests | 60/60 pass |
| Production build | Clean |
Full Changelog: v1.1.0...v1.2.0