What's Changed
TypeScript Migration
- Complete migration from JavaScript to TypeScript (131 files, 0 JS remaining)
- Zero
anytypes — fully typed codebase with shared interfaces - Typed Zustand stores, Express routes, React components, and hooks
Code Refactoring
- Monolithic tripStore (863 lines) split into 8 focused domain slices
- Custom hooks extracted from god-components (useResizablePanels, useRouteCalculation, useTripWebSocket, usePlaceSelection, useDayNotes)
- Server: service layer, shared query helpers, tripAccess middleware
- 10 dead code files removed (~2000 lines)
- Magic numbers replaced with named constants
Security Fixes (26 issues resolved)
- Critical: Uploads path traversal protection, file upload type filtering, npm install --ignore-scripts
- High: SSRF protection with DNS resolution, OIDC auth code flow (JWT no longer in URL), CSP enabled, rate limiting on password change + backup, trust proxy support
- Medium: Input length validation, API key masking in responses, HTTPS redirect, rate limiter cleanup, file upload race condition fix
- Low: Password complexity requirements, bcrypt rounds 10→12, JWT payload minimized, cache size limits
Upgrade Notes
- No breaking changes — existing Docker volumes, databases, and configurations work as-is
docker pull mauriceboe/nomad:latestand restart- Password change now requires current password (UI updated accordingly)