bf920696ac
ci: harden workflow + add security scanning and format gates
...
CI / storybook-a11y (push) Successful in 4m3s
CI / backend (push) Successful in 1m1s
CI / codeql (csharp) (push) Failing after 39m18s
CI / codeql (javascript-typescript) (push) Failing after 1m22s
CI / frontend (push) Successful in 1m25s
CI / api-client-drift (push) Successful in 1m34s
- permissions: contents:read (least privilege), concurrency cancel,
scope push to main+tags (was: every branch, double-running with PRs),
per-job timeout-minutes.
- security: npm audit --omit=dev, CodeQL SAST (TS + C#), Dependabot
(npm/nuget/actions).
- format: npm run format:check + dotnet format --verify-no-changes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-07-03 13:39:31 +02:00
97f7de4590
feat(a11y): WP-01 — axe-on-every-story CI gate
...
Turn the interactive Storybook a11y addon into a build gate:
- @storybook/test-runner + axe-playwright over the static build
(.storybook/test-runner.ts reads the a11y tags from story context)
- test-storybook / test-storybook:ci scripts; storybook-a11y CI job
- triage: escape-hatch a11y.disable on stories whose display:contents
wrapper splits <ul>/<li> or <dl>/<dt>/<dd> (structural, deferred to
WP-11/WP-12, each with justification + cross-ref)
- fix trivial violations: footer/wizard-shell contrast, text-input label,
wizard stories missing provideApiClient
Verified: broken story fails the gate; 133 stories pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-07-02 19:13:18 +02:00
d08f3877f7
Architect-review remediation: enforce conventions, prod-safe tooling, one form idiom, resilience seams
...
Acts on the showcase review. Four workstreams; all tests green
(npm run lint, 70 FE tests, ng build, 33 backend tests).
Enforcement + CI:
- eslint.config.mjs bans `any` and enforces layer/context boundaries
(domain ≠ Angular; herregistratie → registratie → shared, auth → shared);
`npm run lint` added; ajv 6 scoped to ESLint via nested override.
- .github/workflows/ci.yml: FE lint+check:tokens+test+build, backend dotnet test,
and an API-client drift check.
One form idiom (the headline finding):
- change-request-form converged onto the wizard pattern — change-request.machine.ts
(Model/Msg/reduce + value objects) + submit-change-request.ts (Result) + a real
POST /api/v1/change-requests (server re-validates). Spec + story added; the detail
page no longer holds an ad-hoc success signal.
Resilience/observability seam:
- api-client.provider.ts: request timeout, X-Correlation-Id, Idempotency-Key for
writes; comments naming the retry/auth seams.
- Backend logs correlation id + a no-PII submit-audit line; /api/v1 prefix +
backward-compat note; client regenerated.
Quick wins:
- Dev tooling excluded from prod: scenario.interceptor wired only under isDevMode()
(?scenario= inert in prod); debug panel @if(isDev) (tree-shaken out).
- src/environments + apiBaseUrl into provideApiClient (angular.json fileReplacements).
- Backend /health + /health/ready.
- Debug view PII-minimised (redactProfile: name/address/DOB redacted, BIG masked).
- IntakePolicyAdapter (removes inline resource in the intake wizard).
- README de-staled; CLAUDE.md gains EN/NL + forms-one-idiom + lint/CI notes.
- Stories: text-input, link, data-row, site-header, site-footer, change-request-form.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-27 08:25:51 +02:00