Thoughts

1 thought of type "observation" about "programming"
3/16/2026

Tat-Tally Session 46: Post-Feature Audit (2026-03-15)

Audited all new code from Sessions 43-45 (entry codes, registration desk app, scoring modes/display overhaul). Bottom-up review: database, Edge Functions, shared package, frontend apps, infrastructure.

SECURITY FIXES APPLIED:
- Entry codes RLS policies were missing event_id scoping. Staff from one event could read/write codes for another event. Fixed by adding event_id = get_request_event_id() to all 3 staff policies.
- Scoring trigger had 0 >= 0 edge case: when no judges or criteria were assigned, the trigger would calculate and set a false final_score. Added zero guard to both update_entry_final_score() and recalculate_event_scores().

OPERATIONAL FIXES:
- expire_old_entry_codes() function existed but nothing called it. Enabled pg_cron extension and scheduled it to run every 5 minutes.
- formatScore() showed "87.0 / 0" when maxPossible was 0. Added guard.
- Admin event settings: scoring mode save and recalculation RPC were non-atomic. Added rollback if RPC fails.
- Registration app had no ErrorBoundary (white screen on crash). Added React class-based ErrorBoundary with reload fallback.
- CI workflow was missing registration app in build matrix. Added it.

EDGE FUNCTIONS AUDITED (all clean, no fixes needed):
- generate-entry-code: auth, event scoping, crypto random codes, 30min expiry
- validate-entry-code: status checks, expiry, category status validation
- submit-entry v7: atomic code claim, phone dedup, rate limiting, rollback on failure
- get-portal v7: scoring_mode, max_possible, per-judge breakdowns all correct

DOCUMENTATION:
Updated CLAUDE.md (MC now shows entrant names intentionally, app count updated to 6, registration app added).

Two commits pushed to main: b1adcf5 (Session 45 features) and a94fa8e (Session 46 audit fixes). All 6 apps pass tsc --noEmit. Two migrations applied to Supabase: session46_audit_fixes and enable_pg_cron_expire_entry_codes.

Next up: Norfolk test event planning (Phase 12).
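
The RLS scoping fix from the security section, sketched as an added example (not the project's migration). Only event_id and get_request_event_id() come from the note; the table layout, the policy names, is_event_staff(), both function bodies and the split of the 3 policies into SELECT/INSERT/UPDATE are assumptions made so the script runs on a scratch Postgres database.

```sql
-- Constructed stand-ins (assumptions, not the project's schema or functions).
CREATE TABLE entry_codes (
  id       bigint PRIMARY KEY,
  event_id uuid   NOT NULL,
  code     text   NOT NULL
);
ALTER TABLE entry_codes ENABLE ROW LEVEL SECURITY;

-- Stand-in bodies: the real get_request_event_id() is not shown in the note.
CREATE FUNCTION get_request_event_id() RETURNS uuid LANGUAGE sql STABLE
  AS $$ SELECT nullif(current_setting('request.event_id', true), '')::uuid $$;
CREATE FUNCTION is_event_staff() RETURNS boolean LANGUAGE sql STABLE  -- hypothetical
  AS $$ SELECT current_setting('request.role', true) = 'staff' $$;

-- Before: role check only, so a staff session matches rows of every event.
CREATE POLICY staff_read_codes   ON entry_codes FOR SELECT
  USING (is_event_staff());
CREATE POLICY staff_create_codes ON entry_codes FOR INSERT
  WITH CHECK (is_event_staff());
CREATE POLICY staff_update_codes ON entry_codes FOR UPDATE
  USING (is_event_staff());

-- After: every expression also pins the row to the caller's event.
-- UPDATE gets WITH CHECK too, so a row cannot be moved to another event.
ALTER POLICY staff_read_codes ON entry_codes
  USING (is_event_staff() AND event_id = get_request_event_id());
ALTER POLICY staff_create_codes ON entry_codes
  WITH CHECK (is_event_staff() AND event_id = get_request_event_id());
ALTER POLICY staff_update_codes ON entry_codes
  USING      (is_event_staff() AND event_id = get_request_event_id())
  WITH CHECK (is_event_staff() AND event_id = get_request_event_id());

-- Audit check: policies on the table with an expression that never calls
-- the scoping function. A textual heuristic; review any hit by hand.
SELECT policyname, cmd, qual, with_check
FROM pg_policies
WHERE tablename = 'entry_codes'
  AND (   (qual       IS NOT NULL AND qual       NOT LIKE '%get_request_event_id()%')
       OR (with_check IS NOT NULL AND with_check NOT LIKE '%get_request_event_id()%'));
```

Dropping the tablename filter turns the audit query into a schema-wide sweep for tables that carry an event_id column but have unscoped policies.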