Phase 0 of the OpenAPI typegen migration. Locks in the existing
check-types-sync.sh (which was committed but never wired) so we stop
accumulating drift between veza-backend-api/openapi.yaml and
apps/web/src/types/generated/ before we migrate to orval (Phase 1).
Three enforcement points:
1. Pre-commit hook (.husky/pre-commit)
Replaces the naked generate-types.sh call with check-types-sync.sh,
which regenerates and fails if the working tree differs. Skippable
via SKIP_TYPES=1 (already documented in CLAUDE.md) for emergency
commits and for environments without node_modules.
2. CI gate (.github/workflows/frontend-ci.yml)
New "Check OpenAPI types in sync" step before lint/build. Catches
PRs that touched openapi.yaml without regenerating types.
Expanded the paths trigger to include veza-backend-api/openapi.yaml
and docs/swagger.yaml so spec-only edits still run the check.
3. Makefile target (make openapi-check)
Local convenience — same check as CI/hook, callable without staging
anything. Pairs with existing `make openapi` (regenerate spec from
swaggo annotations).
No spec or type file changes in this commit — pure plumbing.
Refs:
- AUDIT_REPORT.md §9 item #8 (OpenAPI typegen, deferred v1.0.8)
- Memory: project_next_priority_openapi_client.md
- /home/senke/.claude/plans/audit-fonctionnel-wild-hickey.md Item 2 Phase 0
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge SSL env vars into existing env block instead of creating a
duplicate (YAML doesn't allow duplicate top-level keys).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)
29/30 findings remediated. 1 noted (LOW-002).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
