- Install and configure helmet with basic CSP in app.js
- Restrict CORS to ALLOWED_ORIGIN env var (default localhost:5173)
- Add express.json 1mb body size limit to prevent memory exhaustion
- Add parseInt+isNaN validation for all :id route params in bills.js
and financing.js (GET/PUT/DELETE/:id and PATCH financing-payments/:id)
- Extend bills.routes.test.js and financing.routes.test.js with ID
validation tests (non-numeric IDs → HTTP 400)
Nightshift-Task: security-footgun
Nightshift-Ref: https://github.com/marcus/nightshift
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
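As an added illustration of the :id validation described above (example code, not the project's bills.js or financing.js), the middleware below applies the parseInt+isNaN check in Express's (req, res, next) shape and sits beside a stricter digits-only variant, because parseInt("12abc") yields 12 and so the loose check still admits trailing garbage; the ALLOWED_ORIGIN fallback URL and the fake req/res harness are assumptions so the block runs without npm packages.

```javascript
// Added example, not the project's own code. Framework-free so it runs offline.

// Loose check exactly as the commit describes: parseInt + isNaN.
function isValidIdLoose(raw) {
  return !Number.isNaN(parseInt(raw, 10));
}

// Stricter check: parseInt("12abc") === 12, so the loose check accepts trailing
// garbage. Require the whole string to be digits and within safe-integer range.
function isValidIdStrict(raw) {
  return typeof raw === 'string' && /^\d+$/.test(raw) && Number.isSafeInteger(Number(raw));
}

// Middleware factory in Express's (req, res, next) shape; non-numeric IDs -> 400.
function validateIdParam(check = isValidIdStrict) {
  return function (req, res, next) {
    if (!check(req.params.id)) {
      return res.status(400).json({ error: 'id must be a positive integer' });
    }
    req.params.id = parseInt(req.params.id, 10); // handlers get a number, not a string
    next();
  };
}

// CORS origin as the commit describes: env var with a localhost:5173 default.
// The scheme prefix is an assumption; cors() needs the full origin string.
function corsOrigin(env = process.env) {
  return env.ALLOWED_ORIGIN || 'http://localhost:5173';
}

// Minimal constructed req/res to exercise the middleware without Express.
function runValidator(id, check) {
  const req = { params: { id } };
  const out = { status: 200, body: null, nextCalled: false, id: undefined };
  const res = {
    status(s) { out.status = s; return this; },
    json(b) { out.body = b; return this; },
  };
  validateIdParam(check)(req, res, () => { out.nextCalled = true; });
  out.id = req.params.id;
  return out;
}

module.exports = { isValidIdLoose, isValidIdStrict, validateIdParam, corsOrigin, runValidator };
```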
Set up Vitest for both server (Node + Supertest) and client (jsdom + React
Testing Library). Extract Express app into app.js for testability. Add example
tests covering bills validation, bills route CRUD, ThemeContext, and App nav
rendering. Update CLAUDE.md with testing docs and requirement to write tests
with features.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The ./server bind mount overwrites /app/server including node_modules
installed during the Docker build. Running npm install on startup
ensures deps are present after the volume mount.
Also reverts the node_modules named-volume workaround in favor of
this cleaner approach (requires node installed locally for non-Docker dev).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>