DEPLOYED parts live on a host; every other state lives in a bin (or
unassigned). Previously binId and hostId were independent nullable
fields with no validation, so the Edit Part dialog could leave a
DEPLOYED part with only a bin and no host — which silently dropped
it from the repair problem-part picker.
- Service: resolveLocation() helper enforces the invariant on create
and update. On a state transition, update auto-clears the stale
relation and emits LOCATION_CHANGED for the cleared side.
- Zod: CreatePartRequest.superRefine rejects mismatched state/location
up front; UpdatePartRequest rejects both-fields-set.
- Web: PartFormDialog swaps a single Location field between Host
combobox (DEPLOYED) and Bin combobox (others); switching State
clears the opposite field. Parts list + detail render host first,
then bin path, then Unassigned.
- Tests: 9 new cases covering the invariant including the no-op guard
so an unrelated PATCH on a DEPLOYED part doesn't touch hostId/binId.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Four domain-model changes driven by exercising the deployed 2.0 build:
- EOL moves from manufacturer to MPN via new PartModel catalog table,
so alerts fire on the thing that actually ages.
- Repairs re-home to Host (required hostId + problem text) with an
optional RepairJobPart join for affected parts; drop Part.replacementPartId.
- New /repairs/:id detail page with editable problem, part list, and
a RepairComment thread (REPAIR_COMMENTED events fan out to each
problem part's timeline).
- Host.assetId (required, unique) surfaces prominently on the repair
page so techs can confirm they're touching the right box.
Single destructive migration reshapes existing dev data. All 7 packages
typecheck clean; 30 API tests pass (9 new covering host membership,
upsertByMpn idempotency + race, assetId 409, comment userId stamping).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Every cookie was flagged Secure whenever NODE_ENV=production. Over
plain HTTP (single-host compose deploy without TLS) browsers silently
discard Secure cookies, so the access token, refresh token, and CSRF
cookie all vanished after login — producing 401 Unauthorized on every
GET and 403 "CSRF token missing or invalid" on every mutation.
Add COOKIE_SECURE to ApiEnv: optional boolean, falls back to
NODE_ENV === 'production' when unset. Controllers and middleware now
read env.COOKIE_SECURE instead of the NODE_ENV shortcut. The compose
file sets it to false by default with a comment to flip once TLS is in
front; HTTPS deployments can override via .env or drop the override to
pick up the secure default.
josh