Skip to content

Commit 96fcf22

Browse files
authored
chore: project-wide comment cleanup + 4 small-bug fixes (#393)
Swept the whole codebase (12 disjoint slices, ~211 files) to remove AI/bot/ process noise from comments and make them read like professional engineering comments — about the code, not the process: - Stripped bot-reviewer attributions (Copilot/Codex/Sourcery review #N, "finding YYYY-MM-DD"), process/PR meta ("in this PR", "as discussed"), and standalone wave/cycle/date WHEN-stamps that git already records. - Rewrote each to keep the WHY (security/ordering/rationale) without the noise; deleted purely redundant "what" comments. - Preserved load-bearing anchors exactly: CLAUDE.md A-rule refs, decision #N, Phase N flag tags, G-/L-finding security-addendum anchors, RFC/NIST/spec citations, real Claude/Anthropic API product references, and all @smoke/@regression/@cycle CI grep tags + test/describe titles (untouched). Small bugs found + fixed during the sweep: - onboarding.service.js: note.create used an unknown Prisma field `visibility:'private'` (Note has `private`) — would throw a validation error and 500 the onboarding "upload_note" first-action. Now `private: true`. - DataAndBatteryTab.jsx: success toast was the JS string 'Data & battery preferences saved.' so it rendered the literal "&". Now plain "&". - moderationEngine.js: JSDoc said "scans via OpenAI Moderation API" but the code calls Claude Haiku — corrected the doc. - achievements.engine.js: JSDoc referenced a non-existent function name. Backend 3,507 + frontend 876 tests pass; lint + build clean. No behavior change beyond the two real fixes above. Riskier items (settings export field drift, a moderation ternary precedence) were REPORTED, not changed — left for review.
2 parents 66548e3 + a07fa3b commit 96fcf22

212 files changed

Lines changed: 730 additions & 858 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

backend/scripts/migrate-to-send-error.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#!/usr/bin/env node
22
/**
3-
* migrate-to-send-error.js — one-shot codemod for Day 3 of the tech-debt week.
3+
* migrate-to-send-error.js — one-shot codemod.
44
*
55
* Rewrites `res.status(XXX).json({ error: '...' })` → `sendError(res, XXX, '...', ERROR_CODES.Y)`
66
* and inserts the `sendError` import if absent. Supports:

backend/scripts/restoreVolumeFromR2.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
/**
22
* restoreVolumeFromR2.js — disaster-recovery for /data/uploads.
33
*
4-
* Wave-12.11. Pairs with backend/src/lib/jobs/uploadVolumeBackup.js.
4+
* Pairs with backend/src/lib/jobs/uploadVolumeBackup.js.
55
*
66
* When to run: the Railway volume is gone, corrupted, or replaced. The
77
* DB rows still point at /uploads/... paths; without restoring the

backend/scripts/seedBetaUsers.js

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -163,10 +163,9 @@ async function seedFeedFixture(studentUserId) {
163163
* /users/beta_student1?tab=overview renders a happy-path card out of
164164
* the box — no curl, no Prisma Studio, no manual setup.
165165
*
166-
* Codifies the "every feature must ship with seed data" rule added to
167-
* CLAUDE.md §Working-Agreement #11 during the Day 3 smoke-test
168-
* regression. See docs/internal/audits/2026-04-24-day3-polish-and-
169-
* ship-handoff.md.
166+
* Codifies the "every feature must ship with seed data" rule from
167+
* CLAUDE.md §Working-Agreement #11. See
168+
* docs/internal/audits/2026-04-24-day3-polish-and-ship-handoff.md.
170169
*
171170
* Idempotent: uses a stable (userId, title) de-dupe so re-running
172171
* `npm run seed:beta` doesn't pile up duplicate rows.
@@ -301,7 +300,7 @@ async function seedAiSuggestions(studentUsers) {
301300
}
302301

303302
/**
304-
* Seed published study sheets for the Sheets Grid view (Phase 4 Day 3).
303+
* Seed published study sheets for the Sheets Grid view (Phase 4).
305304
*
306305
* /sheets must show beta_student1 a meaningful state out of the box —
307306
* 6+ sheets across 3 courses, all with non-null previewText so the Grid

backend/src/index.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -708,7 +708,7 @@ app.use('/api/library', libraryRoutes)
708708
// Scholar v1 endpoints under /api/scholar (master plan §18).
709709
app.use('/api/scholar', scholarRoutes)
710710

711-
// Related-work strips on detail pages (wave-12.3 ecosystem Track 5).
711+
// Related-work strips on detail pages (ecosystem Track 5).
712712
// Public read-only — surfaces sibling sheets / linked notes / cross-
713713
// surface references for sheets, notes, papers, and library books.
714714
app.use('/api/related', relatedRoutes)
@@ -898,8 +898,8 @@ async function startServer() {
898898
).unref()
899899
}, msUntilNextFour).unref()
900900

901-
// Wave-12.11 — daily mirror of /data/uploads to R2 so user-
902-
// uploaded photos survive a Railway volume crash. No-ops
901+
// Daily mirror of /data/uploads to R2 so user-uploaded photos
902+
// survive a Railway volume crash. No-ops
903903
// gracefully when R2_BUCKET_UPLOAD_BACKUP is unset. Recovery
904904
// procedure documented in docs/internal/security/
905905
// RUNBOOK_DB_RESTORE.md "Upload Volume Recovery" section.

backend/src/lib/dataSaverNegotiation.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
/**
22
* dataSaverNegotiation.js — server-side data-saver detection.
33
*
4-
* Wave-12.11. Pairs with the frontend `useDataSaver` hook.
4+
* Pairs with the frontend `useDataSaver` hook.
55
*
66
* Returns true when the current request should receive a lighter
77
* response (smaller image variants, no thumbnail array, no SSE

backend/src/lib/deleteUserAccount.js

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -325,8 +325,7 @@ async function deleteUserAccount(prisma, { userId, username, reason = null, deta
325325
// schema.prisma, so Prisma 6 defaults to Restrict. Deleting the user
326326
// FIRST would crash with a foreign-key constraint violation. This
327327
// delete-messages-then-user ordering is the contract — do not reorder
328-
// without first migrating the schema to `onDelete: SetNull` (audit
329-
// 2026-05-03).
328+
// without first migrating the schema to `onDelete: SetNull`.
330329
await tx.messageReaction.deleteMany({ where: { userId } })
331330
await tx.message.deleteMany({ where: { senderId: userId } })
332331
// Remove user from all conversations as participant

backend/src/lib/deviceCookie.js

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,10 +12,10 @@
1212
* Reads are cheap. Writes happen at most once per browser-lifetime unless
1313
* the user manually clears cookies or we explicitly rotate (panic mode).
1414
*
15-
* SameSite history (2026-05-14): was hard-coded to 'lax' which caused
16-
* the device cookie to drop on cross-site fetches between SPA and API
17-
* origins, degrading device-trust scoring and triggering extra 2FA
18-
* prompts. Mirrors the proven `authTokens.js` pattern now.
15+
* SameSite must follow the cross-origin rules: a hard-coded 'lax' drops
16+
* the device cookie on cross-site fetches between the SPA and API origins,
17+
* degrading device-trust scoring and triggering extra 2FA prompts. Mirrors
18+
* the `authTokens.js` cookie pattern.
1919
*/
2020

2121
const crypto = require('crypto')

backend/src/lib/getUserPlan.js

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,11 +6,10 @@
66
const prisma = require('./prisma')
77

88
// Active statuses that grant Pro access. `past_due` is intentionally NOT
9-
// here as of 2026-05-03: previously a payment failure granted up to 3
10-
// weeks of free Pro while Stripe's smart retry chain ran. Now we treat
11-
// past_due as a hard cutoff — the UI shows a "fix payment" banner but the
12-
// quotas drop to free. The user can restore Pro by updating their card via
13-
// the Stripe Customer Portal.
9+
// here: including it would grant up to 3 weeks of free Pro while Stripe's
10+
// smart retry chain runs. past_due is a hard cutoff — the UI shows a "fix
11+
// payment" banner but quotas drop to free. The user can restore Pro by
12+
// updating their card via the Stripe Customer Portal.
1413
const ACTIVE_STATUSES = ['active', 'trialing']
1514

1615
async function getUserPlan(userId) {

backend/src/lib/html/htmlDraftWorkflow.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -249,7 +249,7 @@ async function submitHtmlDraftForReview(prisma, { sheetId, user }) {
249249
// the AI-first model the founder approved 2026-05-03 — admins should
250250
// see "special cases" only, not the full Tier 2 firehose. The
251251
// sendHighRiskSheetAlert + admin notification fan-out lives in
252-
// sheetReviewer.service.js's escalation branch (Copilot review #4).
252+
// sheetReviewer.service.js's escalation branch.
253253

254254
// Tier 3 — notify the AUTHOR that their sheet was auto-rejected with the
255255
// reason so they can fix it and resubmit. CLAUDE.md ESSENTIAL list

backend/src/lib/jobs/uploadVolumeBackup.js

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
/**
22
* uploadVolumeBackup.js — daily mirror of /data/uploads to R2.
33
*
4-
* Wave-12.11 — closes the gap documented in RUNBOOK_DB_RESTORE.md
5-
* "What's NOT backed up: Uploaded files (avatars, attachments, school
6-
* logos)". A Railway volume is a single point of failure: if the
4+
* Closes the gap documented in RUNBOOK_DB_RESTORE.md "What's NOT
5+
* backed up: Uploaded files (avatars, attachments, school logos)".
6+
* A Railway volume is a single point of failure: if the
77
* disk corrupts or the instance is rebuilt, every user-uploaded image
88
* is gone forever and the DB row points at a 404.
99
*
@@ -86,9 +86,8 @@ function fileToKey(uploadsDir, filePath) {
8686
* Streams the file rather than buffering it: video uploads can be
8787
* hundreds of MB, and `fs.readFileSync` would force the whole file
8888
* into Node's heap. AWS SDK v3 supports a ReadStream Body — the
89-
* underlying http client consumes it incrementally. Caught by the
90-
* wave-12.11 audit pass as an OOM risk on Railway hobby tiers
91-
* (default 512 MB).
89+
* underlying http client consumes it incrementally. Buffering would
90+
* be an OOM risk on Railway hobby tiers (default 512 MB).
9291
*/
9392
async function mirrorFile(uploadsDir, filePath, bucketOverride) {
9493
const key = fileToKey(uploadsDir, filePath)

0 commit comments

Comments
 (0)