Chore/project hardening

[rossgalloway]

Project Hardening Final Completion Report

Executive Summary

• Consolidated critical auth, upload, and shared helper logic into hardened modules that now run in Vercel's Edge runtime while preserving Node compatibility.
• Refactored the upload experience end-to-end: modular React components, cancellable ERC-20 lookups, deterministic FormData builders, and a fortified API that validates inputs before opening GitHub PRs.
• Upgraded developer tooling by migrating to Biome for lint/format, expanding Vitest coverage, and documenting the workflow so contributors can confidently validate changes.
• Instrumented and stabilized the GitHub OAuth pipeline with structured logging, crypto-strong state, inline UX feedback, and explicit runtime guards, eliminating the 504 timeout regressions.
• NOTE: extensive work done by OpenAI codex with reviews by Claude Sonnet 4.0 and ChatGPT-5-PRO

Change Overview

Shared Platform Foundations

• docs/02-APP-project-hardening/tasks/completed/shared-utilities-alignment.md: Established src/shared/{env,evm,api}.ts plus image helpers that work in both browser and Edge contexts, backed by Vitest suites and updated build aliases.
• docs/02-APP-project-hardening/tasks/completed/developer-experience-upgrades.md: Introduced repository-wide lint/test commands (now served by Biome + Vitest) and refreshed contributor guidance so every surface imports the shared utilities consistently.

Upload Pipeline

• docs/02-APP-project-hardening/tasks/completed/upload-workflow-refactor.md: Replaced the monolithic upload route with useUploadForm and focused presentation components (TokenAssetCard, ChainAssetCard, PreviewPanel, ReviewDialog), added cancellable ERC-20 lookups, and centralized preview generation in src/lib/imagePreview.ts.
• docs/02-APP-project-hardening/tasks/completed/upload-api-hardening.md: Rebuilt app/api/upload.ts around _lib/upload helpers, enforced PNG/EVM validation, unified GitHub PR creation for direct vs fork flows, and expanded test coverage for parsing and imaging utilities.

Auth & OAuth Hardening

• docs/02-APP-project-hardening/tasks/completed/auth-flow-hardening.md: Delivered the useGithubAuth hook, React Query profile caching, crypto-grade state generation, and inline status messaging so the UI no longer blocks on modal dialogs.
• docs/02-APP-project-hardening/tasks/completed/github-oauth-callback-debugging.md & docs/02-APP-project-hardening/tasks/completed/github-oauth-callback-remediation-notes.md: Added structured diagnostics, base URL resolution guards, explicit redirect handling, and SPA rewrite fixes; documented the remediation timeline for historical context.
• docs/02-APP-project-hardening/tasks/completed/edge-runtime-review.md: Confirmed callback.ts, erc20-name.ts, and upload.ts operate cleanly on Edge, recommended explicit 302 responses, and validated the shared helpers for runtime parity.

ERC-20 Name Service

• docs/02-APP-project-hardening/tasks/completed/erc20-name-lookup.md: Centralized ABI decoding + address validation in src/shared/erc20.ts, added configurable in-memory caching with structured error responses, and aligned client abort handling with the new API contract.

Developer Tooling & Frontend Platform

• biome.json (root) and updated package scripts replace ESLint/Prettier with Biome, harmonizing lint + format commands across worktrees; see docs/02-APP-project-hardening/tasks/completed/developer-experience-upgrades.md for the rollout details.
• docs/02-APP-project-hardening/tasks/completed/frontend-platform-upgrades.md: Tracks the follow-on UX/tooling backlog (GitHub button loading state, upstream PR targeting); branch work closed out the Biome migration portion.

Validation & Outstanding Actions

• Automated checks: bun typecheck, bun lint (Biome), bun build, and bun run test/bun run validate reported clean runs across tasks.
• Manual smoke tests still recommended (per task notes) for:
  • OAuth round-trip via vercel dev confirming cross-tab token sync (auth-flow-hardening.md).
  • Upload API with real assets to exercise GitHub PR emission and new error payloads (upload-api-hardening.md).
  • Upload UI flow ensuring FormData ordering and PR metadata match backend expectations (upload-workflow-refactor.md).
  • ERC-20 lookup cache hit/miss behavior and RPC fallback logging (erc20-name-lookup.md).

Reviewer Guidance

• Auth stack: Validate app/api/auth/github/callback.ts, src/hooks/useGithubAuth.ts, and src/components/GithubSignIn.tsx for consistent state handling, logging guards, and inline UX updates.
• Upload stack: Review src/features/upload/useUploadForm.ts, src/lib/imagePreview.ts, and app/api/_lib/upload.ts together; confirm FormData keys align with API parsing and that previews revoke object URLs correctly.
• Shared utilities: Inspect src/shared/{env,evm,erc20,api}.ts plus associated tests to verify runtime-agnostic logic and env resolution fallbacks.
• Tooling shift: Check biome.json, updated package scripts, and any pre-commit hooks to understand the new lint/format expectations.
• Documentation: Cross-reference task write-ups under docs/02-APP-project-hardening/tasks/completed/ for rationale, validation logs, and remaining follow-up items.

Risk & Monitoring Notes

• Edge runtime deployments rely on Web-standard APIs; monitor Vercel logs for any oversized payloads that could stress the base64 fallbacks noted in edge-runtime-review.md.
• OAuth instrumentation emits detailed logs when GITHUB_OAUTH_DEBUG is enabled—ensure the flag is tuned appropriately per environment to avoid noisy production logs.
• The upload cache sizes and ERC-20 lookup cache TTLs are configurable; review environment values post-merge to align with expected traffic patterns.

Source Document Index

• docs/02-APP-project-hardening/overview.md
• docs/02-APP-project-hardening/review-tracker.md
• docs/02-APP-project-hardening/tasks/completed/auth-flow-hardening.md
• docs/02-APP-project-hardening/tasks/completed/developer-experience-upgrades.md
• docs/02-APP-project-hardening/tasks/completed/edge-runtime-review.md
• docs/02-APP-project-hardening/tasks/completed/erc20-name-lookup.md
• docs/02-APP-project-hardening/tasks/completed/frontend-platform-upgrades.md
• docs/02-APP-project-hardening/tasks/completed/github-oauth-callback-debugging.md
• docs/02-APP-project-hardening/tasks/completed/github-oauth-callback-remediation-notes.md
• docs/02-APP-project-hardening/tasks/completed/shared-utilities-alignment.md
• docs/02-APP-project-hardening/tasks/completed/upload-api-hardening.md
• docs/02-APP-project-hardening/tasks/completed/upload-workflow-refactor.md

[vercel]

@rossgalloway is attempting to deploy a commit to the yearn Team on Vercel.

A member of the Team first needs to authorize it.

[Copilot]

Pull Request Overview

This pull request represents a comprehensive project hardening effort that consolidates critical infrastructure improvements across authentication, upload workflows, and developer tooling. The changes establish robust shared utilities that work across both browser and Edge runtime environments while significantly refactoring the upload experience into modular, testable components.

Key changes include:

• Migration from ESLint/Prettier to Biome for unified linting and formatting
• Complete refactoring of the monolithic upload component into focused, reusable modules
• Implementation of hardened GitHub OAuth flow with crypto-strong state generation and structured logging

Reviewed Changes

Copilot reviewed 104 out of 110 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
biome.json	Replaces ESLint/Prettier configuration with unified Biome setup for consistent code formatting and linting
package.json	Updates root package scripts to use Biome commands and removes deprecated tooling dependencies
app/	Complete restructuring from image-tools/ to root-level app directory with modernized configuration
scripts/	Removes legacy token ingestion scripts and adds new Git hooks and agent bootstrap utilities
docs/02-APP-project-hardening/	Comprehensive documentation of all completed hardening tasks with technical reviews and validation logs

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The function calls startsWith twice which could be optimized. Consider using a single regex test or storing the lowercase version: const lower = trimmed.toLowerCase(); if (lower.startsWith('0x')) ...

Suggested change

	const withoutPrefix = trimmed.startsWith('0x') || trimmed.startsWith('0X') ? trimmed.slice(2) : trimmed;
	const lower = trimmed.toLowerCase();
	const withoutPrefix = lower.startsWith('0x') ? trimmed.slice(2) : trimmed;

[Copilot]

[nitpick] The onBlur event for ERC-20 name resolution may not be ideal for accessibility. Consider adding a dedicated 'Resolve Name' button or using debounced onChange to avoid triggering on every focus change.