This is to estimate prices for warehouse. Adds POST /api/shipping-rates endpoint that allows ambassadors to get Canada Post shipping rate quotes by providing destination address, package type (envelope/box), dimensions (inches), and weight (grams).
…ctions CI pipeline
…ubble packet with 0.5in thickness
- Warehouse: stripped admin controls from items/orders pages, now read-only for ambassadors and admins
- Warehouse-Backend: new admin-only route with full CRUD for items, orders, categories, and tags

- Fix ArrayBuffer type error in utils.ts by wrapping in Uint8Array
- Remove unused CSS selectors (.clouds, .success-icon, h2)
- Add ARIA roles and tabindex to modal overlays/dialogs
- Suppress intentional state_referenced_locally warnings
- Use \ for reactive ref page pathway info

Request 4x6 label format directly from the API for both contract and non-contract shipments, eliminating the unreliable client-side PDF crop. Removes pdf-lib dependency from this code path.
…ipments
Chit Chats API rejects province_code for US (and other non-Canadian) destinations — the correct field is state_code. Now conditionally sends province_code for CA and state_code for all other countries.
Displays in-stock counts in search results and the items table, disables out-of-stock items in search, highlights over-quantity rows with inline errors, and prevents advancing past step 2 when requested qty exceeds stock.
state_code is also rejected — Chit Chats only accepts province_code for Canadian destinations; omit the field for all other countries.
Chit Chats uses province_code for both US states and Canadian provinces but rejects the field for non-North American destinations.
Shows a select with all 50 states + DC (acronym only) when country is US, falls back to a text input for other countries. Resets state/province when country changes to avoid carrying over invalid values.
…dation
Both JSON parse failures and Zod schema validation failures now log the raw input, error details, and userId to the server console so failures are visible in logs. Error messages returned to the client now include the specific reason rather than the generic "Invalid items data". Also adds Zod schema validation to order-templates (previously only did raw JSON.parse with no type checking).
Seeds the access token from HCB_ACCESS_TOKEN env var on first use (matching how hermes does it), but now adds a 401-retry path that clears the cache and does a proper refresh_token OAuth grant before retrying. This handles stale tokens from redeploys without consuming the refresh token on every cold start.
Route orders to lettermail, 6x10" bubble mailer, or the smallest-fitting stocked box (6x4x4, 8x6x4, 10x8x6, 12x10x4, 14x10x8) based on combined item dimensions and weight, rather than aggregating into a single synthetic package. Quote rates against the real container and persist the choice on the order so carrier calls and the packing slip match. Also add a $1 CAD handling fee to Chit Chats rate quotes, mirroring the existing $2 fee on Canada Post parcel rates.
Review of #12 — 63 files, 10.7k additions. Scope is enormous and the feature set is impressive, but there are several blocking issues (mostly around migrations, auth, and deploy behaviour) that need to be resolved before merge. Also the branch is currently
🚨 Blocking
1. Migration history is broken and destructive
Main has
This is only "working" in staging because of issue #2 below.
2.
Additional Review Findings (not yet covered)
1. 🚨 Critical: Client-controlled shipping cost used for HCB billing
File: `src/routes/app/warehouse/orders/new/+page.server.ts` (lines 65–201)
`estimatedShippingCents` is read directly from the client's form data and passed straight into `createHcbTransfer` to charge the ambassador's org. An attacker can intercept the request and set it to
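
The finding above, turned into a server-side check, as an added example that is not the project's code: the amount billed is taken from the server's own quote, and the submitted `estimatedShippingCents` is used only to detect a stale or altered price. Every name except `estimatedShippingCents` (`serviceCode`, `Quote`, `decideCharge`, the ceiling and the sample quotes) is an assumption made for illustration.

```typescript
// Added example, not the project's code. Only estimatedShippingCents is a name
// from the page; serviceCode, Quote, decideCharge and the ceiling are assumptions.
interface Quote { serviceCode: string; cents: number }
type Decision = { ok: true; chargeCents: number } | { ok: false; reason: string };

const MAX_SHIPPING_CENTS = 50_000; // assumed sanity ceiling per order

// serverQuotes must come from the server's own carrier calls (or a quote it
// persisted earlier), never from fields echoed back by the browser.
function decideCharge(form: FormData, serverQuotes: Quote[]): Decision {
  const serviceCode = String(form.get("serviceCode") ?? "");
  const rawCents = String(form.get("estimatedShippingCents") ?? "");

  // Digits only: rejects "", "-500", "12.5", "1e9" and file uploads.
  if (!/^\d{1,7}$/.test(rawCents)) {
    return { ok: false, reason: "estimatedShippingCents must be a whole number of cents" };
  }
  const shownCents = Number(rawCents);

  const quote = serverQuotes.find((q) => q.serviceCode === serviceCode);
  if (quote === undefined) {
    return { ok: false, reason: "service was not quoted for this order" };
  }
  if (!Number.isSafeInteger(quote.cents) || quote.cents <= 0 || quote.cents > MAX_SHIPPING_CENTS) {
    return { ok: false, reason: "server quote outside the accepted range" };
  }
  // The client value is used only to detect a stale or altered price.
  if (shownCents !== quote.cents) {
    return { ok: false, reason: "price shown to the user does not match the server quote" };
  }
  return { ok: true, chargeCents: quote.cents }; // the amount billed is the server's
}

// Constructed sample data for the example.
function sampleForm(serviceCode: string, cents: string): FormData {
  const form = new FormData();
  form.set("serviceCode", serviceCode);
  form.set("estimatedShippingCents", cents);
  return form;
}
const SAMPLE_QUOTES: Quote[] = [
  { serviceCode: "svc-a", cents: 1299 },
  { serviceCode: "svc-b", cents: 845 },
];
```
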
…tion

Consolidated response to review feedback on the warehouse PR:

Migrations
- Restored 0003_misty_week_prize_image (was dropped on this branch)
- Added 0004_left_pretty_boy from main (is_submissions_open)
- Renumbered conflicting 0002_add_package_type_and_orders -> 0005 and downstream migrations 0003/0004/0005/0006 -> 0006/0007/0008/0009
- Added 0010_warehouse_indexes_and_tags with the schema fields that had no DDL anywhere: fulfillment_id, estimated_duties_cents, estimated_service_code, warehouse_order_tag, indexes
- Added warehouse_category + warehouse_item CREATE TABLE inside 0005 (the 0002_violet_nighthawk that originally added them was never committed; only its journal entry was)
- Made every new migration statement idempotent (IF NOT EXISTS, DO $$) so staging DBs that already have the schema don't blow up
- Regenerated _journal.json to include every migration in order
- Reverted payoutStatusEnum from CANCELLED back to CANCELED to match the live 0000_curly_raza enum value on main

Deploy / Dockerfile
- entrypoint.sh now runs `drizzle-kit migrate` against committed migrations instead of `drizzle-kit push` (which was silently dropping columns and swallowing failures)
- Removed duplicate COPY lines and the second drizzle-kit install from Dockerfile

Auth
- STAGING_MODE login bypass refuses to run when NODE_ENV=production
- Staging user is no longer auto-provisioned as admin
- .env.example warns against setting STAGING_MODE=true in prod

Authz / SSRF
- guardAdminOrAmbassador helper; every action in warehouse/batches and warehouse/order-templates now goes through it so participants can't create batches or templates
- get-label now refuses to fetch label URLs outside an allowlist of canadapost.ca / chitchats.com / mail.hackclub.com hosts

Billing
- Added billing_status + billing_failure_reason columns to warehouse_order
- HCB transfer failure now writes billing_status='FAILED' on the order instead of silently continuing, so admins can reconcile
- Bounded client-submitted estimatedShippingCents via Zod to prevent a hostile client from inflating the HCB charge

XML / misc
- escapeXml now wraps every postal-code interpolation in canada-post.ts (not just the non-CA branch)
- Added commentary on sizingChoice, order templates, batches, lettermail rate card, chit-chats auth header contract
- Removed committed bun.lock; CLAUDE.md updated to match the npm-ci-based CI/Docker flow
- Concurrent-update stock error now includes the item name
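
One way to implement the label-URL allowlist named in the commit message above, as an added example that is not the project's code. The three domains are the ones the commit lists; the function names, the exact-host-or-subdomain matching policy and the per-hop redirect check are assumptions.

```typescript
// Added example, not the project's code. The three hosts come from the commit
// message; function names and the exact-host-or-subdomain policy are assumptions.
const ALLOWED_LABEL_DOMAINS = ["canadapost.ca", "chitchats.com", "mail.hackclub.com"];

function isAllowedLabelUrl(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false; // relative or malformed input
  }
  if (url.protocol !== "https:") return false; // no http:, file:, data: ...
  if (url.username !== "" || url.password !== "") return false; // https://allowed@other-host/
  if (url.port !== "") return false; // only the default HTTPS port
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Match on a label boundary so "evilcanadapost.ca" and
  // "canadapost.ca.attacker.example" do not pass.
  return ALLOWED_LABEL_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Resolve a Location header against the current URL and re-apply the allowlist.
function checkedRedirect(current: string, location: string | null): string | null {
  if (location === null) return null;
  try {
    const next = new URL(location, current).toString();
    return isAllowedLabelUrl(next) ? next : null;
  } catch {
    return null;
  }
}

// Server-side fetch that validates every hop instead of following redirects blindly.
async function fetchLabel(raw: string, maxHops = 3): Promise<Response> {
  let current: string | null = isAllowedLabelUrl(raw) ? raw : null;
  for (let hop = 0; current !== null && hop <= maxHops; hop++) {
    const res = await fetch(current, { redirect: "manual" });
    if (res.status < 300 || res.status >= 400) return res;
    current = checkedRedirect(current, res.headers.get("location"));
  }
  throw new Error("label URL rejected by allowlist");
}
```

A hostname allowlist does not cover DNS answers that point an allowed name at an internal address; that needs a check on the resolved IP as well.
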

Reconcile warehouse-dev with main's bun-based build:
- Adopt bun.lock + bun-based Dockerfile from main (drop package-lock.json)
- Keep entrypoint.sh's drizzle-kit migrate safety fix, now invoked via bunx
- Drop duplicate prizeImageUrl schema declaration (main already had it)
- Keep main's non-svelte-ignore version of the ambassador week editor
- Include warehouse migrations 0005-0010 after main's 0003/0004

Summary
Adds a complete warehouse management system to Resolution, allowing ambassadors to place orders for physical inventory and admins to fulfill them with integrated multi-carrier shipping label generation.
Features
Warehouse Storefront (Ambassadors - /app/warehouse)
Browse inventory items grouped by category
Multi-step order wizard with address entry, item selection, and real-time shipping rate comparison
Order templates for quick reordering
Batch ordering via CSV upload with auto-field-mapping and a linked Google Sheets template
Tag input with chips and autocomplete for order filtering
Orders and batches scoped to the logged-in user
Warehouse Backend (Admins - /app/warehouse-backend)
Full CRUD for inventory categories and items (photo uploads via Hack Club CDN, dimensions, HS codes, sizing options)
Inventory tracking with automatic quantity subtraction on order placement (prevents negative stock)
Fulfillment panel with label generation, printing, and reprint support
Shipping Integration
Canada Post — contract and non-contract shipment support, state/province → 2-letter code resolution, country name → ISO code mapping, 8.5×11 → 4×6 label cropping
Chit Chats — rate quoting and shipment creation with HTS codes and manufacturer details; automatic fallback when Canada Post fails internationally
Theseus — lettermail label support
Zonos — landed cost integration for US-bound shipments
Cheapest-rate auto-selection across all carriers for batch shipping
Flat package type with envelope size snapping (4×6 / 6×9)
Printing
QZ Tray integration for direct thermal label printing (4×6)
Combined label + packing slip print button
Reprint support for previously generated labels
Billing
HCB (Hack Club Bank) billing integration for warehouse orders
Infrastructure
4 new Drizzle migrations (orders, templates/batches, label tracking, HS codes)
drizzle-kit push at container startup for auto-migrations
entrypoint.sh for container orchestration
removeAdmin.mjs CLI script
Staging mode to bypass OAuth for local/staging testing
Body size limit increased to 10MB for image uploads
UI
Phantom Sans font and clean white UI on warehouse, admin, and ambassador pages
Shipping cost estimate disclaimers on order and batch pages
Modified
Extended DB schema with warehouse orders, templates, batches, label/tracking fields
Updated admin page with warehouse backend link and inventory management
Updated validation schemas and tests for new order/item types
CI triggers on warehouse-dev branch
P.S. DO NOT MERGE YET, I NEED TO ADD ENV VARS.