refactor: nuclear-review cleanup — turnstile fail-closed, cart dedup, dead-code removal#229
Merged
Merged
Conversation
The Cloudflare siteverify response was read via an unchecked `as` cast. A shape change would silently surface `success` as undefined and could be misread. Parse with a zod schema and, on any unexpected shape, return a failed verification so the gate stays closed.
removeItem/addItem/updateItemQuantity each inlined the same IP + standard rate-limit prelude. Hoist it into one helper; behavior is identical.
…nsforms Collapse the repeated createSourceFile/getFullText/removeSourceFile ceremony across the op handlers into one helper with finally-cleanup. Behavior- preserving; all codemod tests unchanged. ~60 fewer lines.
- raf: drop unused batch/measure exports (only mutate is consumed) - webgl: hoist duplicated ShaderMaterial<K>/DoubleRenderTarget types to utils - ui: remove flat Select/Menu/Tabs part exports with zero importers (the compound API used by stories is unchanged)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
A maintainability pass from a whole-codebase audit. The one behavior-affecting change: Turnstile bot-verification now fails closed — if Cloudflare returns an unexpected response shape, the request is treated as not verified instead of trusting an unchecked cast. Everything else is internal cleanup that leaves runtime behavior identical: less duplicated rate-limiting in the cart, a smaller codemod engine, and removal of dead/duplicate exports.
No public API of the starter kit changes — the
Select/Menu/Tabscompound components and all integration entry points are untouched.Summary
as-castsuccess.runCartActionsoremoveItem/addItem/updateItemQuantityshare one IP + standard rate-limit prelude instead of inlining it three times.createSourceFile/getFullText/removeSourceFilelifecycle inast-transformsthrough onewithSourceFilehelper with guaranteed cleanup (~60 fewer lines, behavior-preserving).batch/measurefromlib/utils/raf.ts, hoist the duplicatedShaderMaterial<K>/DoubleRenderTargetwebgl types intolib/webgl/utils, and drop the flatSelect*/Menu*/Tabs*part exports that had zero importers.CHANGELOG.md[Unreleased].Deliberately out of scope
The audit's largest finding — restructuring the snapshot/strip→re-add setup architecture — was not touched: the wrapper Canvas mount and webgl→theatre AST stripping are intentional (team-knowledge
webgl-gpu-resource-effect-ownership), and the self-pruning machinery is a cross-repo contract with create-darkroom. That's a design decision for a separate discussion, not a cleanup.Test Plan
bun run checkgreen (biome + tsgo +bun test: 330 pass / 0 fail)