v1.1.5: fix OAuth, navigation scaling, and comprehensive codebase audit

Critical fixes:
- Fix OAuth broken in production: add .trim() to all env var reads in
  auth.config.ts to handle trailing newlines from Vercel encrypted vars
- Fix navigation bar text overlap at intermediate widths by raising
  desktop breakpoint from md (768px) to lg (1024px)

Codebase audit (40+ files across all packages):
- CI: fix actions/checkout@v6 → @v4 and actions/setup-node@v6 → @v4
- Web: parallel data fetching with Promise.all, extract shared latex.ts,
  module-scope Framer Motion variants, focus-visible patterns, a11y attrs
- API: remove double error logging, Redis pipeline for atomic ops,
  optional chaining in profile resolver, typed logger levels
- Math engine: Set-based isMathFunction with missing Si/Ci/erf/li,
  astEquals over JSON.stringify, factorial overflow guard, NodeType enums
- Plot engine: fix renderCurve scene leak, remove dead WebGL code,
  typed gridColor
- Database: fix singleton always-store pattern, remove redundant index
- Workers: extract arcLengthSchema to validators module
- Docs: version refs, DataLoader counts, path corrections

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ABCrimson

.github/workflows/ci.yml

@@ -24,13 +24,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
         with:
           version: 11.0.0-alpha.11
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'pnpm'
@@ -63,13 +63,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
         with:
           version: 11.0.0-alpha.11
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -97,13 +97,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
         with:
           version: 11.0.0-alpha.11
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -139,13 +139,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
         with:
           version: 11.0.0-alpha.11
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
 
@@ -199,13 +199,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v4
         with:
           version: 11.0.0-alpha.11
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
 

.github/workflows/deploy-workers.yml

@@ -14,9 +14,9 @@ jobs:
       matrix:
         worker: [cas-service, export-service, rate-limiter]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v4
         with:
           node-version: '24'
           cache: 'pnpm'

ARCHITECTURE.md

@@ -130,7 +130,7 @@ GraphQL API integrated into the Next.js app via route handler.
 - Upstash Redis caching in `src/lib/cache.ts`
 - API package exports source `.ts` files (not dist/) for monorepo dev
 
-**Tech:** Apollo Server 5.4.0, GraphQL 16.12.0, DataLoader 2.2.3, Zod
+**Tech:** Apollo Server 5.4.0, GraphQL 16.13.0, DataLoader 2.2.3, Zod
 
 ### @nextcalc/types
 

apps/api/README.md

@@ -4,7 +4,7 @@ Backend GraphQL API for NextCalc Pro, built with Apollo Server, Prisma, and Next
 
 ## Tech Stack
 
-- **Database:** Neon PostgreSQL with Prisma 7.5.0-dev.32
+- **Database:** Neon PostgreSQL with Prisma 7.5.0-dev.33
 - **API:** GraphQL with Apollo Server 5.4.0
 - **Authentication:** Auth.js v5 (NextAuth 5.0-beta.30) with OAuth + jose 6.1.3 JWT verification
 - **Caching:** Upstash Redis
@@ -364,7 +364,7 @@ vercel --prod
 
 # Run database migrations
 vercel env pull .env.production
-pnpm prisma:deploy
+pnpm --filter @nextcalc/database db:migrate:deploy
 ```
 
 ### Environment Variables

apps/api/src/graphql/resolvers/profile.ts

@@ -15,10 +15,10 @@ export const profileResolvers = {
       args: { input: { name?: string; bio?: string } },
       context: GraphQLContext,
     ) => {
-      requireAuth(context);
+      const user = requireAuth(context);
       const { name, bio } = args.input;
       const updated = await context.prisma.user.update({
-        where: { id: context.user?.id },
+        where: { id: user.id },
         data: {
           ...(name !== undefined ? { name } : {}),
           ...(bio !== undefined ? { bio } : {}),
@@ -30,9 +30,9 @@ export const profileResolvers = {
 
   Query: {
     userProfile: async (_parent: unknown, args: { userId: string }, context: GraphQLContext) => {
-      requireAuth(context);
+      const user = requireAuth(context);
 
-      if (args.userId !== context.user?.id) {
+      if (args.userId !== user.id) {
         throw new ForbiddenError('You can only view your own profile data');
       }
 
@@ -91,9 +91,9 @@ export const profileResolvers = {
       args: { userId: string; days: number },
       context: GraphQLContext,
     ) => {
-      requireAuth(context);
+      const user = requireAuth(context);
 
-      if (args.userId !== context.user?.id) {
+      if (args.userId !== user.id) {
         throw new ForbiddenError('You can only view your own profile data');
       }
 
@@ -133,9 +133,9 @@ export const profileResolvers = {
     },
 
     userAnalytics: async (_parent: unknown, args: { userId: string }, context: GraphQLContext) => {
-      requireAuth(context);
+      const user = requireAuth(context);
 
-      if (args.userId !== context.user?.id) {
+      if (args.userId !== user.id) {
         throw new ForbiddenError('You can only view your own profile data');
       }
 

apps/api/src/lib/cache.ts

@@ -260,15 +260,13 @@ export async function getCachedUpvoteCount(targetId: string): Promise<number | n
 export async function incrementUpvoteCount(targetId: string): Promise<void> {
   if (!redis) return;
   const key = cacheKey(CACHE_KEYS.UPVOTE_COUNT, targetId);
-  await redis.incr(key);
-  await redis.expire(key, CACHE_TTL.UPVOTE_COUNT);
+  await redis.pipeline().incr(key).expire(key, CACHE_TTL.UPVOTE_COUNT).exec();
 }
 
 export async function decrementUpvoteCount(targetId: string): Promise<void> {
   if (!redis) return;
   const key = cacheKey(CACHE_KEYS.UPVOTE_COUNT, targetId);
-  await redis.decr(key);
-  await redis.expire(key, CACHE_TTL.UPVOTE_COUNT);
+  await redis.pipeline().decr(key).expire(key, CACHE_TTL.UPVOTE_COUNT).exec();
 }
 
 export async function cacheCommentCount(postId: string, count: number): Promise<void> {

apps/api/src/plugins/performance-monitoring.ts

@@ -79,7 +79,8 @@ export const performanceMonitoringPlugin = (): ApolloServerPlugin<GraphQLContext
           timestamp: new Date().toISOString(),
         };
 
-        const logLevel = errors > 0 ? 'error' : duration > 1000 ? 'warn' : 'info';
+        const logLevel: 'error' | 'warn' | 'info' =
+          errors > 0 ? 'error' : duration > 1000 ? 'warn' : 'info';
 
         logger[logLevel]('GraphQL request completed', {
           operationName: metrics.operationName ?? 'anonymous',

apps/api/src/server.ts

@@ -11,7 +11,6 @@
  */
 
 import { ApolloServer } from '@apollo/server';
-import { unwrapResolverError } from '@apollo/server/errors';
 import { ApolloServerPluginDrainHttpServer } from '@apollo/server/plugin/drainHttpServer';
 import {
   ApolloServerPluginLandingPageLocalDefault,
@@ -23,7 +22,6 @@ import { resolvers } from './graphql/resolvers';
 import { typeDefs } from './graphql/schema';
 import type { GraphQLContext } from './lib/context';
 import { createDataLoaders } from './lib/dataloaders';
-import { logger } from './lib/logger';
 import {
   errorTrackingPlugin,
   performanceMonitoringPlugin,
@@ -44,23 +42,14 @@ const isDevelopment = process.env.NODE_ENV !== 'production';
  * AS5 formatError using unwrapResolverError
  *
  * unwrapResolverError extracts the original error thrown by the resolver,
- * stripping away Apollo's wrapper. This allows logging the real error
- * while masking internal details in production responses.
+ * stripping away Apollo's wrapper. Error logging is handled by
+ * errorTrackingPlugin (didEncounterErrors hook) — formatError only
+ * masks internal details in production responses.
  */
 const formatError = (
   formattedError: GraphQLFormattedError,
-  error: unknown,
+  _error: unknown,
 ): GraphQLFormattedError => {
-  const originalError = unwrapResolverError(error);
-
-  // Always log errors structurally — in production the level filter handles visibility
-  logger.error('GraphQL error in formatError', {
-    message: formattedError.message,
-    path: formattedError.path?.join('.'),
-    code: formattedError.extensions?.code as string | undefined,
-    original: originalError instanceof Error ? originalError.message : undefined,
-  });
-
   // In production, mask internal server errors to avoid leaking implementation details
   if (
     !isDevelopment &&
@@ -98,23 +87,8 @@ export function createApolloServer(httpServer?: import('node:http').Server) {
             footer: false,
           }),
 
-      // AS5 error lifecycle hooks
-      {
-        async contextCreationDidFail({ error }) {
-          logger.error('Context creation failed', {
-            error: error instanceof Error ? error.message : String(error),
-            stack: error instanceof Error ? error.stack : undefined,
-          });
-        },
-        async unexpectedErrorProcessingRequest({ error }) {
-          logger.error('Unexpected Apollo Server error', {
-            error: error instanceof Error ? error.message : String(error),
-            stack: error instanceof Error ? error.stack : undefined,
-          });
-        },
-      },
-
-      // Custom plugins
+      // Custom plugins (errorTrackingPlugin handles contextCreationDidFail
+      // and unexpectedErrorProcessingRequest — no inline duplicates needed)
       performanceMonitoringPlugin(),
       responseCachingPlugin(),
       queryComplexityPlugin(1000),

apps/web/app/[locale]/learn/[topic]/page.tsx

@@ -67,8 +67,10 @@ export default async function TopicPage({ params }: { params: Promise<{ topic: s
     notFound();
   }
 
-  const definitions = await getDefinitionsByTopic(topic);
-  const problems = await getProblemsByTopic(topic);
+  const [definitions, problems] = await Promise.all([
+    getDefinitionsByTopic(topic),
+    getProblemsByTopic(topic),
+  ]);
 
   // Fetch user's bookmarked definition IDs
   let bookmarkedIds: string[] = [];

apps/web/app/[locale]/worksheet/client-wrapper.tsx

@@ -17,9 +17,9 @@ const WorksheetEditor = dynamic(
   {
     ssr: false,
     loading: () => (
-      <div className="flex items-center justify-center min-h-[60vh]">
+      <div className="flex items-center justify-center min-h-[60vh]" role="status" aria-live="polite">
         <div className="flex flex-col items-center gap-4 text-muted-foreground rounded-2xl border border-border/50 bg-card/50 backdrop-blur-md px-10 py-8 shadow-sm">
-          <Loader2 className="h-8 w-8 animate-spin" aria-label="Loading worksheet editor" />
+          <Loader2 className="h-8 w-8 animate-spin" aria-hidden="true" />
           <p className="text-sm">Loading worksheet editor...</p>
         </div>
       </div>