Merged
4 changes: 2 additions & 2 deletions STATUS.md
Expand Up @@ -69,7 +69,7 @@ Raw machine-readable data: [`scripts/audit/truth-table.json`](scripts/audit/trut

- [~] **038 Payment Dashboard** — components built; `/payment/dashboard` route missing (#3)
- [~] **039 Payment Offline Queue** — logic built; status indicator UI + `/payment/history` missing (#4)
- [!] **040 Payment Retry UI** — retry logic in service; `/payment/result` page + retry surface missing
- [~] **040 Payment Retry UI** — `/payment-result` route shipped (commit `ffb33a1`, 2026-04-16) — 6-state page + retry button. Real gaps (#43): retry doesn't reuse queued `idempotency_key`, no attempt counter / cooling period (FR-008-010), no error categorization (FR-002), no offline error banner, no audit log on retry, P1 stories 3+4 (update-method, recovery wizard) unbuilt
- [~] **041 PayPal Subscriptions** — backend ready; `/payment/subscriptions` page + grace-period banner + duplicate prevention + 4 edge functions missing (#5)
- [x] **042 Payment RLS Policies** — 20+ policies verified by `pnpm test:rls` (55/55 across 5 files, both local + cloud) — #44 closed 2026-04-26
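
Review bot: The rewritten 040 entry names the route in kebab-case (`/payment-result`), but the unchanged 038, 039 and 041 entries in this same hunk still say `/payment/dashboard`, `/payment/history` and `/payment/subscriptions`, while step 3 later in STATUS.md now spells them `/payment-dashboard`, `/payment-history` and `/payment-subscriptions`. Update those three entries in this change so the file names each route one way. Separately, `FR-008-010` reads as a single identifier; if a range is meant, write it as FR-008 through FR-010.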

Expand Down Expand Up @@ -134,7 +134,7 @@ The full code-review findings (35 high-confidence items) live in [`scripts/audit

1. Create Stripe sandbox + PayPal developer accounts (~30-60 min external setup)
2. Populate 6 keys in `.env` + Supabase Vault
3. Wire 4 missing routes (`/payment/dashboard`, `/payment/subscriptions`, `/payment/history`, `/payment/result`)
3. Wire 3 missing routes (`/payment-dashboard`, `/payment-subscriptions`, `/payment-history`); `/payment-result` already shipped — see 040 entry for its remaining UX gaps
4. Build offline-queue UI affordances (status indicator, sync pill, retry button)
5. As each route lands, remove the corresponding skips from `tests/e2e/payment/` per [#53](https://github.com/TortoiseWolfe/ScriptHammer/issues/53)
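
Review bot: Step 5 ties removing skips in `tests/e2e/payment/` to each route landing, and the rewritten step 3 now says `/payment-result` already shipped, so the list leaves open whether that route's skips were ever removed. Add a clause to step 3 or step 5 stating whether the `/payment-result` skips indexed in #53 are still in place and, if they are, that they are now blocked on the remaining #43 gaps rather than on the route itself.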

68 changes: 36 additions & 32 deletions docs/SESSION-HANDOFF-2026-04-27.md
Expand Up @@ -25,12 +25,16 @@ Issues filed during the session that remain open: #49, #53, #57.
- **`pnpm test:rls` recovers from killed prior runs.** A globalSetup hook walks the FK chain (`payment_intents → subscriptions → user_profiles → auth.deleteUser`) for every `*@scripthammer.test` user before tests collect, so the manual cleanup that was needed on 2026-04-26 is no longer needed.
- **Three consecutive green chromium-msg shards.** PR #58, PR #59, PR #60 all passed messaging E2E on first try. The "9 rounds of flake mitigation" framing in STATUS.md may overstate the current frequency; #57 is probably P2, not P1, but I haven't downgraded its label yet.

## Recommended next pickup: B1 (#43, `/payment/result` page)
## Recommended next pickup: B1 (#43, `/payment-result` retry-UX gaps)

Reasoning: stability backlog is thin enough that user-facing work is now the higher-leverage front. #43 is the smallest of the four missing payment routes, and shipping it un-gates ~5 of the 84 `test.skip`s in `tests/e2e/payment/` (per #53's index). It's also the right warm-up because:
> **Correction (next session, 2026-04-27)**: I called the route "missing" here. It's not. `src/app/payment-result/page.tsx` shipped in commit `ffb33a1` on 2026-04-16 — a 290-LOC, 6-state page with auth gating, real-time updates, and a working retry button. The 2026-04-25 audit cross-referenced spec text rather than the filesystem and concluded "route missing"; that error then propagated through STATUS.md, PRP-STATUS.md, the spec, and into this doc. The route name is `/payment-result` (kebab-case, matching `/payment-demo`), not `/payment/result` (which never existed).
>
> The real B1 work is the _retry UX_ gaps that were obscured by the framing — see "Real B1 work" below. Doc-correction PR: branch `043/doc-fix-payment-result-route-name`.

- The route is a single `src/app/payment/result/page.tsx` plus its 5-file component suite per the project's atomic-design convention.
- The retry surface lives in the existing `src/services/payment-service.ts` — no new business logic needed.
Reasoning: stability backlog is thin enough that user-facing work is now the higher-leverage front. The remaining work in #43 is real: idempotency-key reuse on retry, retry attempt counter + cooling period (FR-008-010), error categorization (FR-002), offline error banner, audit-log on retry (NFR-007). User Stories 3 (update payment method) and 4 (recovery wizard) are P1 in the spec but likely a follow-up PR.

- The page is at `src/app/payment-result/page.tsx`, with the retry button in `src/components/payment/PaymentStatusDisplay/PaymentStatusDisplay.tsx`.
- `retryFailedPayment()` is in `src/lib/payments/payment-service.ts:237` — currently calls `createPaymentIntent()` for a fresh INSERT, which loses the queued `idempotency_key` and bypasses the partial unique index. Fixing that is the first concrete change.
- The PaymentConsentModal (already-resolved hotspot) handles the consent-gate flow, so there's no auth-race risk introduced.

Alternatives the next session might prefer:
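
Review bot: The `retryFailedPayment()` bullet describes a payment-integrity defect, yet the new heading files it under "retry-UX gaps": a retry that calls `createPaymentIntent()` for a fresh INSERT drops the queued `idempotency_key` and bypasses the partial unique index, so the retried payment is no longer tied to the intent that was queued. Label it as such in the heading or reasoning paragraph, and add the acceptance check the next session should write first (a retry reuses the queued key and the unique index rejects a second row). The pinned reference `src/lib/payments/payment-service.ts:237` will drift as the file changes; cite the function name with a commit hash instead of a line number.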
Expand All @@ -47,33 +51,33 @@ Alternatives the next session might prefer:

## Open issues (gap-audit) — current state

| # | Title | Family | Notes |
| --- | ------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------ |
| #21 | 001 WCAG AA: AAA scope gap + 4 ContactForm a11y failures | (audit-tier) | Pre-existing |
| #22 | 004 Mobile-First: regenerate wireframes + perf tests | (audit-tier) | Pre-existing |
| #23 | 005 Security Hardening: session-timeout UI + audit dashboard + secret detection | (audit-tier) | Pre-existing |
| #24 | 006 Template Fork: Supabase missing-config first-run banner | (audit-tier) | Pre-existing |
| #25 | 010 Unified Blog: offline edit + sync + migration | (audit-tier) | Pre-existing |
| #26 | 011 + 043 Group Chats: 8 stub member-management methods | (audit-tier) | Pre-existing |
| #27 | 012 + 014: welcome message admin gate flow | (audit-tier) | Pre-existing |
| #28 | 013 OAuth Messaging Password | (audit-tier) | Pre-existing |
| #29 | 015 OAuth Display Name | (audit-tier) | Pre-existing |
| #30 | 016 Messaging Critical Fixes (5 UX) | (audit-tier) | Pre-existing |
| #31 | 019 Google Analytics: wire NEXT_PUBLIC_GA_MEASUREMENT_ID | (audit-tier) | Pre-existing |
| #32 | 020 PWA Background Sync: Firefox/Safari fallback | (audit-tier) | Pre-existing |
| #34 | 023 EmailJS Integration: provider health dashboard | (audit-tier) | Pre-existing |
| #35 | 026 Unified Messaging Sidebar: mobile drawer + badge sync | (audit-tier) | Pre-existing |
| #37 | 028 Enhanced Geolocation: address search + mobile GPS | (audit-tier) | Pre-existing |
| #38 | 029 SEO Editorial Assistant: technical.ts test coverage | C1 | Pre-existing |
| #39 | 030 Calendar Integration: env vars + 32-theme mapping | (audit-tier) | Pre-existing |
| #41 | 035 Messaging Service Tests | C2 | Pre-existing; multi-day |
| #43 | 040 Payment Retry UI: `/payment/result` page + retry surface | **B1** | **Recommended next** |
| #45 | 044 Error Handler Integrations: Sentry/LogRocket | (audit-tier) | Pre-existing |
| #46 | 045 Disqus Theme: 32-theme mapping | (audit-tier) | Pre-existing |
| #47 | gdpr-compliance.spec.ts: ENOTFOUND scripthammer-supabase-kong-1 | (audit-tier) | Pre-existing — real bug, not in any family yet |
| #49 | auth_audit_logs sign_up events not written for all signup paths | **D2** | Filed in this session |
| #53 | tests/e2e/payment/: 84 test.skip — index by blocker | **B5** | Filed in this session; closes incrementally as B1–B4 ship |
| #57 | Messaging E2E: chromium-msg cross-window propagation | — | Filed in this session; possibly de-prioritize to P2 given 3 consecutive greens |
| # | Title | Family | Notes |
| --- | -------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------ |
| #21 | 001 WCAG AA: AAA scope gap + 4 ContactForm a11y failures | (audit-tier) | Pre-existing |
| #22 | 004 Mobile-First: regenerate wireframes + perf tests | (audit-tier) | Pre-existing |
| #23 | 005 Security Hardening: session-timeout UI + audit dashboard + secret detection | (audit-tier) | Pre-existing |
| #24 | 006 Template Fork: Supabase missing-config first-run banner | (audit-tier) | Pre-existing |
| #25 | 010 Unified Blog: offline edit + sync + migration | (audit-tier) | Pre-existing |
| #26 | 011 + 043 Group Chats: 8 stub member-management methods | (audit-tier) | Pre-existing |
| #27 | 012 + 014: welcome message admin gate flow | (audit-tier) | Pre-existing |
| #28 | 013 OAuth Messaging Password | (audit-tier) | Pre-existing |
| #29 | 015 OAuth Display Name | (audit-tier) | Pre-existing |
| #30 | 016 Messaging Critical Fixes (5 UX) | (audit-tier) | Pre-existing |
| #31 | 019 Google Analytics: wire NEXT_PUBLIC_GA_MEASUREMENT_ID | (audit-tier) | Pre-existing |
| #32 | 020 PWA Background Sync: Firefox/Safari fallback | (audit-tier) | Pre-existing |
| #34 | 023 EmailJS Integration: provider health dashboard | (audit-tier) | Pre-existing |
| #35 | 026 Unified Messaging Sidebar: mobile drawer + badge sync | (audit-tier) | Pre-existing |
| #37 | 028 Enhanced Geolocation: address search + mobile GPS | (audit-tier) | Pre-existing |
| #38 | 029 SEO Editorial Assistant: technical.ts test coverage | C1 | Pre-existing |
| #39 | 030 Calendar Integration: env vars + 32-theme mapping | (audit-tier) | Pre-existing |
| #41 | 035 Messaging Service Tests | C2 | Pre-existing; multi-day |
| #43 | 040 Payment Retry UI: `/payment-result` retry-UX gaps (route shipped 2026-04-16) | **B1** | **Recommended next** |
| #45 | 044 Error Handler Integrations: Sentry/LogRocket | (audit-tier) | Pre-existing |
| #46 | 045 Disqus Theme: 32-theme mapping | (audit-tier) | Pre-existing |
| #47 | gdpr-compliance.spec.ts: ENOTFOUND scripthammer-supabase-kong-1 | (audit-tier) | Pre-existing — real bug, not in any family yet |
| #49 | auth_audit_logs sign_up events not written for all signup paths | **D2** | Filed in this session |
| #53 | tests/e2e/payment/: 84 test.skip — index by blocker | **B5** | Filed in this session; closes incrementally as B1–B4 ship |
| #57 | Messaging E2E: chromium-msg cross-window propagation | — | Filed in this session; possibly de-prioritize to P2 given 3 consecutive greens |

Eval-backlog items (separate label): #3, #4, #5 — all map to Family B (B2, B3, B4 respectively).
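
Review bot: Only the #43 row changes here, but putting the status text "(route shipped 2026-04-16)" in the Title column widens that column and re-pads all 27 rows, which buries the one real edit in the diff. Move the parenthetical to the Notes cell for #43 (for example "**Recommended next**; route shipped 2026-04-16") so the Title column keeps its width and the hunk shrinks to a single changed row.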

Expand Down Expand Up @@ -103,6 +107,6 @@ docker compose exec scripthammer git checkout -b 043/payment-result-page

## What would be a good shape for the next session's first message

> "Read STATUS.md and docs/SESSION-HANDOFF-2026-04-27.md. Pick up B1 (#43): build the /payment/result route per features/payments/040-payment-retry-ui/spec.md. Brainstorm-design-plan-implement per the superpowers workflow. Branch off main."
> "Read STATUS.md and docs/SESSION-HANDOFF-2026-04-27.md. Pick up B1 (#43): close the retry-UX gaps in `/payment-result` per features/payments/040-payment-retry-ui/spec.md. The route itself shipped 2026-04-16; real work is idempotency-key reuse on retry, attempt counter + cooling period, error categorization, offline error banner, audit-log on retry. Brainstorm-design-plan-implement per the superpowers workflow. Branch off main."

That's enough to ground the next agent without re-deriving anything from this conversation.
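
Review bot: The hunk header context shows the doc still tells the next session to run `git checkout -b 043/payment-result-page`, a branch name that matches the old "build the page" framing this hunk replaces. Rename that branch in the same change to reflect the retry work, so the suggested first message and the checkout command describe the same task.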