fix(server): remove start:replit scripts + add food-search/parse-pantry contract fixtures + barcode producer test

[Skords-01]

Summary

• Task 1 — Replit cleanup: Remove start:replit scripts from root package.json and apps/server/package.json; simplify config.ts to ServerMode = "railway" only; remove SERVER_MODE / REPLIT_DEV_DOMAIN / REPLIT_DOMAINS from env schema and auth origin detection. CSP/security code is unchanged — only dead deploy-target scaffolding removed. Closes cleanup-audit item from docs/90-work/audits/2026-06-08-codebase-cleanup-audit.md.

• Task 2 — Contract fixtures (@sergeant/shared):

  • packages/shared/src/contract-fixtures/food-search.ts — 4 success + 2 error fixtures with assertFoodSearchFixturesValid().
  • packages/shared/src/contract-fixtures/parse-pantry.ts — 4 named fixtures + manual invariant check.
  • packages/shared/src/contract-fixtures/index.ts barrel updated.

• Task 3 — Producer-side barcode contract test (apps/server):

  • apps/server/src/routes/barcode.contract.test.ts — 16 tests across 4 describe blocks: fixture integrity, success envelope, error envelope, cross-side invariants.

• Lockfile: pnpm dedupe removed orphaned tools/openclaw entries from pnpm-lock.yaml.

Closes testing-devx-roast P1-1 (contract-fixture pattern). Hard Rule #3.

Governing Skill

• Primary skill: sergeant-server-api
• Secondary skill: sergeant-data-and-migrations (fixtures touch @sergeant/shared schemas)

Playbook

• Primary playbook: N/A — no dedicated playbook for contract-fixture addition.
• Why this playbook: Followed barcode.ts pattern from existing me.contract.test.ts.
• If no playbook matched, why: Novel contract-fixture pattern establishment.

Verification

• pnpm --filter @sergeant/shared typecheck passes
• Barcode producer test: 16/16 passed locally (SERGEANT_HEAVY_OK=1 pnpm --filter @sergeant/server test -- --run src/routes/barcode.contract.test.ts)
• No start:replit or SERVER_MODE=replit references remain in package.json scripts
• CSP/security code untouched (Replit-mode removal only)
• pnpm dedupe cleaned orphaned tools/openclaw lockfile entries

Docs and Governance

• I updated docs that changed with the behavior, contract, workflow, or rollout.
• I checked whether AGENTS.md needed an update.
• I checked whether a playbook or skill needed an update.
• I checked whether governance docs or review docs needed an update.

Updated docs: Internal docs (comments, JSDoc) updated inline; historical note in apps/server/src/http/security.ts references 2026-06-08 removal date.

Risk and Rollout

• Replit removal: zero runtime risk — Replit was already not a deploy target; config.ts already hardcoded "railway" before this PR. No migrations.
• Contract fixtures: additive only — no production code changed, only test/shared packages.
• Barcode test: additive only — mocks globalThis.fetch in test scope, isolated via __barcodeTestHooks().reset().

Hard Rule #15

• I read AGENTS.md before coding.
• Internal docs I touched are in Ukrainian.
• I did not use --no-verify.

Reviewer Notes

Replit cleanup closes the cleanup-audit item. Contract fixtures establish the pattern for future food/pantry consumer tests. Lockfile dedupe removes orphaned entries from the now-deleted tools/openclaw workspace.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sergeant	Ready	Preview, Comment	Jun 9, 2026 2:19am

[coderabbitai]

Warning

Review limit reached

@Skords-01, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 11 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: cfbc88be-3ec9-44ee-bc95-cb8c6a4ce966

📥 Commits

Reviewing files that changed from the base of the PR and between bad54cc and 0b677e0.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• docs/02-engineering/architecture/diagrams/c3-workspaces.md
• docs/04-governance/governance/freshness-dashboard.html
• docs/04-governance/governance/knowledge-graph.html
• docs/04-governance/governance/knowledge-graph.json
• docs/04-governance/governance/retrieval-index.json
• packages/shared/src/utils/date.property.test.ts

📝 Walkthrough

Walkthrough

This PR updates documentation in the security middleware and reorganizes section headers in the barcode contract test file with divider comments for clarity. No functional logic or test behavior is changed.

Changes

Documentation and Test Organization

Layer / File(s)	Summary
Security middleware documentation clarification apps/server/src/http/security.ts	Inline comment for servesFrontend in apiHelmetMiddleware is clarified to state this code path remains only as a generic capability and is a candidate for removal in a separate PR.
Barcode test file section organization apps/server/src/routes/barcode.contract.test.ts	Section divider comments are added around dynamic imports, fixture-integrity tests, success-envelope, error-envelope, and cross-side invariants sections. Test logic, assertions, and fixtures remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

size/M

Poem

A rabbit hops through docs so clean, 🐰
Dividing tests where none had been.
Comments clarified with gentle care,
No logic changed—just tidied there!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title lists multiple distinct changes (Replit scripts, food-search/parse-pantry fixtures, barcode test) but the raw_summary shows only documentation and test reorganization changes in two files, with no evidence of Replit script removal or contract fixtures.	The PR title describes multiple major tasks (Replit cleanup, contract fixtures, producer test) that are not reflected in the provided file summaries. Align the title with actual changes in the changeset or verify all intended changes are included.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/server-cleanup-contracts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

⏱️ CI Pipeline Duration Report

Based on the last 50 successful runs on the default branch.

Overall Pipeline

Metric	Value
p50	6m 26s
p95	7m 55s
p99	9m 3s
Current run	17m 41s
vs p95	+123.4%

Trend (last 20 runs): ▃▃▁▂▃▃▃▂▃▃▂▂▄▃▃▆▅▄█▆

Per-Job Breakdown

Job	p50	p95	p99	Current	vs p95
Accessibility (axe-core)	2m 5s	2m 21s	2m 23s	0s	-100.0%
Commit messages (commitlint)	0s	0s	0s	27s	N/A
Critical-flow E2E (Playwright)	1m 36s	1m 44s	1m 44s	2m 22s	+36.5%
Migration lint (AGENTS rule	0s	0s	0s	8s	N/A
Pipeline duration (p95 trend)	26s	27s	27s	—	—
Secret scan (gitleaks)	8s	11s	11s	8s	-27.3%
Smoke E2E (Playwright)	1m 26s	1m 40s	1m 40s	—	—
Test coverage (vitest)	2m 4s	2m 33s	2m 33s	1m 19s	-48.4%
Workflow lint (actionlint)	7s	7s	7s	8s	+14.3%
check	4m 12s	4m 54s	5m 6s	15m 10s	+209.5%
tsconfig strict guard (PR-1.A)	5s	14s	14s	8s	-42.9%

⚠️ Warning: Current run (17m 41s) exceeds p95 + 20% threshold (9m 30s). Consider reviewing slow jobs.