From 27886a8fe42e2a4ef858b867b271ca0ea90b35f6 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 22 Mar 2026 15:12:48 +0000
Subject: [PATCH 1/2] fix: security and type safety hardening

1. Remove unsafe 'as string' assertions on Supabase env vars (supabase.ts)
   - VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY were cast to string, hiding the string | undefined type from TypeScript. The existing null-guard and ?? '' fallback on createClient() already handle the missing-var case; removing the assertions lets the compiler enforce that handling correctly.
2. Add explicit radix to parseInt in CSV import (exportUtils.ts)
   - parseInt(taskData.duration) without a radix relies on implicit base-10 inference. Added parseInt(taskData.duration, 10) to make intent explicit and prevent any engine-specific octal/hex surprises.
3. Gate window debug helpers behind import.meta.env.DEV (supabase.ts)
   - getDbCallStats, resetDbCallStats, and clearDbCallLog were attached to window in all environments, exposing internal database call telemetry to anyone with DevTools access in production. Now gated behind DEV so the helpers are stripped from production bundles by Vite's tree-shaker.

https://claude.ai/code/session_012AmNjF3Ju9VJwSWybJqBEw
---
 src/lib/supabase.ts      | 8 ++++----
 src/utils/exportUtils.ts | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lib/supabase.ts b/src/lib/supabase.ts
index 924d290..d176133 100644
--- a/src/lib/supabase.ts
+++ b/src/lib/supabase.ts
@@ -1,6 +1,6 @@
 import { createClient, User } from '@supabase/supabase-js';
-const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL as string;
-const SUPABASE_ANON_KEY = import.meta.env.VITE_SUPABASE_ANON_KEY as string;
+const SUPABASE_URL = import.meta.env.VITE_SUPABASE_URL;
+const SUPABASE_ANON_KEY = import.meta.env.VITE_SUPABASE_ANON_KEY;
 if (!SUPABASE_URL || !SUPABASE_ANON_KEY) {
   console.warn('Supabase env vars not found. Supabase sync will be disabled.');
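Review bot: Dropping the `as string` casts only yields `string | undefined` if this project augments Vite's `ImportMetaEnv` for these two keys; with the stock `vite/client` typing, `import.meta.env` falls back to an `[key: string]: any` index signature, so `SUPABASE_URL` and `SUPABASE_ANON_KEY` would now be `any` rather than the narrowed type the commit message describes, and the null-guard would not be compiler-enforced at all. Pinning the type at the declaration makes the intent hold either way: `const SUPABASE_URL: string | undefined = import.meta.env.VITE_SUPABASE_URL;` and likewise for the key (or declare both as `readonly VITE_SUPABASE_URL?: string` in the project's `ImportMetaEnv` augmentation). The `?? ''` fallback on `createClient()` mentioned in the message is outside this hunk, so I cannot confirm from here that an empty URL is rejected rather than handed to the client.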
@@ -191,8 +191,8 @@ export const resetDbCallStats = () => {
   dbCallLog = [];
 };
-// Make these functions available globally for debugging
-if (typeof window !== 'undefined') {
+// Make these functions available globally for debugging (development only)
+if (import.meta.env.DEV && typeof window !== 'undefined') {
   (window as Window & typeof globalThis & {
     getDbCallStats: typeof getDbCallStats;
     resetDbCallStats: typeof resetDbCallStats;
diff --git a/src/utils/exportUtils.ts b/src/utils/exportUtils.ts
index d439854..12a8c1b 100644
--- a/src/utils/exportUtils.ts
+++ b/src/utils/exportUtils.ts
@@ -314,7 +314,7 @@ export function parseCSVImport(
     description: taskData.description || undefined,
     startTime: new Date(taskData.start_time),
     endTime: taskData.end_time ? new Date(taskData.end_time) : undefined,
-    duration: taskData.duration ? parseInt(taskData.duration) : undefined,
+    duration: taskData.duration ? parseInt(taskData.duration, 10) : undefined,
     project: taskData.project_name || undefined,
     client: taskData.client || undefined,
     category: categoryId

From 0327e85836b35d469b541407132389ee84585cb7 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 22 Mar 2026 15:13:13 +0000
Subject: [PATCH 2/2] docs: update CHANGELOG with security and type safety entries

https://claude.ai/code/session_012AmNjF3Ju9VJwSWybJqBEw
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6524d4..a2345ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
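Review bot: The DEV gate removes only the `window` attachment; `dbCallLog` (visible being reset at the top of the hunk) is presumably still populated in production, since the recording path is outside this hunk and is not touched by the change, so the telemetry the commit message calls "exposed" is still collected in memory and still present in the module, just no longer reachable through a global. If the intent is to keep call telemetry out of production builds, the writes to `dbCallLog` should be gated on `import.meta.env.DEV` as well, or the log should at least be bounded so it cannot grow for the lifetime of the page. As a style point, the inline `window as Window & typeof globalThis & { ... }` cast would read better as a `declare global { interface Window { getDbCallStats: typeof getDbCallStats; ... } }` augmentation, which types the assignments without repeating the cast. The `if` block continues past the end of the hunk.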
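Review bot: With the radix fixed, `parseInt` still accepts any CSV cell that starts with digits, so a `duration` of `12abc` imports as 12 and non-numeric text becomes `NaN`, which the truthiness check on `taskData.duration` does not catch; on ES5+ engines the explicit radix only changes behavior for `0x`-prefixed input, so the remaining gap is validation of untrusted import data, not base detection. Parse into a local and keep only finite, non-negative values: `const parsedDuration = taskData.duration ? parseInt(taskData.duration, 10) : NaN;` before the literal, and `duration: Number.isFinite(parsedDuration) && parsedDuration >= 0 ? parsedDuration : undefined,` in place of the changed line. The same unvalidated-input pattern applies to `new Date(taskData.start_time)` on the context line above, which yields an Invalid Date rather than an error for malformed cells. parseCSVImport's body starts and ends outside the hunk.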
@@ -29,6 +29,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Archive Edit Dialog**: 4 time pickers (2 for day start/end, 2 for task start/end)
 - Removed duplicate `generateTimeOptions()` helper functions from all dialog components
+### Security
+- Removed unsafe `as string` type assertions on `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY` in `src/lib/supabase.ts` — the assertions hid the `string | undefined` type from TypeScript, preventing the compiler from enforcing the existing null-guard; variables are now correctly typed so the `?? ''` fallback and early warn are properly enforced
+- Gated `getDbCallStats`, `resetDbCallStats`, and `clearDbCallLog` window attachments behind `import.meta.env.DEV` in `src/lib/supabase.ts` — internal database call telemetry was previously exposed to anyone with DevTools access in production; Vite now tree-shakes the attachment block out of production bundles
+- Added explicit radix `10` to `parseInt()` call in CSV import (`src/utils/exportUtils.ts`) — implicit radix is deprecated and could silently misparse duration strings with leading zeros
+
 ### Removed
 - Deleted `src/hooks/.useReportSummary-Claude.ts` — unused development dotfile that contained a direct Anthropic API key reference
 - Deleted `src/utils/supabase.ts` — duplicate Supabase client that was never imported, creating a redundant connection