♻️ Modernize client

[NatoBoram]

Refactor client URL handling and modernize dev toolchain

Added

• ✨ Add newUrl utility in packages/client/src/new_url.ts
• ✅ Add newUrl tests in packages/client/src/new_url.test.ts
• 🔧 Add ignoredBuiltDependencies: ["esbuild"] in pnpm-workspace.yaml

Changed

• ♻️ Replace gcUrl with newUrl in packages/client/src/gigachads_server_client.ts
• ♻️ Refactor packages/client/src/gigachads_server_client.ts to use # private fields and methods
• ⬆️ Bump devDependencies in package.json, packages/*/package.json, and apps/server/package.json (TypeScript -> 6.0.0-beta, eslint -> ^10, vitest -> ^4, prettier -> ^3.8.1, etc.)
• 🚀 Bump Docker base image from node:23-slim to node:25-slim in Dockerfile and apps/server/Dockerfile
• 📝 Set "types": ["node"] in packages/config/tsconfig.json
• 🔨 Replace lint:fix script in root package.json to use syncpack fix

Removed

• 🔥 Remove GEMINI.md
• 🔥 Remove .gemini/settings.json and .vscode/mcp.json
• 🔇 Remove typescript.tsdk setting from .vscode/settings.json

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a URL utility and tests; refactors GigachadsServerClient internals to private # fields/helpers and uses newUrl; upgrades tooling/devDependencies; updates Docker base images; and removes several workspace/IDE documentation/config files.

Changes

Cohort / File(s)	Summary
URL Construction Utility packages/client/src/new_url.ts, packages/client/src/new_url.test.ts	Adds newUrl to normalize/build request URLs (handles leading/trailing slashes and query serialization, Date -> ISO) and adds tests for slash combinations and date query.
Client Refactoring packages/client/src/gigachads_server_client.ts	Replaces bespoke gcUrl usage with newUrl; converts internal fields/methods to private # fields (e.g., #base, #fetch, #token, #get/#post/...) and private header helpers; updates internal calls accordingly; public API unchanged.
Tooling / Workspace config package.json, packages/*/package.json, apps/server/package.json, packages/config/package.json, pnpm-workspace.yaml	Bumps many devDependencies (TypeScript -> 6.0.0-beta, ESLint 10, Vitest 4, Prettier, etc.), updates packageManager pnpm entry, and adds ignoredBuiltDependencies: [esbuild] to pnpm workspace.
Docker base image Dockerfile, apps/server/Dockerfile	Updates Node base image from node:23-slim to node:25-slim and replaces corepack enable with explicit pnpm install steps (apt/wget + pnpm installer).
IDE / Docs removals .gemini/settings.json, .vscode/mcp.json, .vscode/settings.json, GEMINI.md	Removes GEMINI.md and deletes or trims VSCode/Gemini MCP-related workspace and settings files.
TS config packages/config/tsconfig.json	Adds "types": ["node"] to compilerOptions to include Node type declarations.

Possibly related PRs

• ⬆️ pnpm update gigachad.ts#186 — overlapping tooling and devDependency version upgrades (TypeScript/ESLint/Vitest etc.).
• 👽️ FROM node:25-slim gigachad.ts#161 — makes the same Docker change to node:25-slim and replaces corepack/pnpm setup steps.
• ⬆️ Bump eslint from 10.0.1 to 10.0.2 in the patch group across 1 directory gigachad.ts#187 — matches the ESLint v10.x dependency bump present here.

Suggested labels

javascript, dependencies, docker

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely missing; no content was provided by the author despite the template requiring description and references sections.	Add a comprehensive description explaining the modernization changes, including why the refactoring was needed, what improvements were made, and relevant references or issue links.
Gitmoji Commits	❓ Inconclusive	PR commit history cannot be verified without access to actual git repository or PR metadata.	Execute the provided git commands in the repository to verify commits, or provide git log output and PR branch information for assessment.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title uses the ♻️ emoji (refactor code) and clearly describes the main change of modernizing the client codebase with dependency updates and internal refactoring.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Git Flow	✅ Passed	The pull request branch name feature/modernize-client correctly follows Git Flow configuration with the required feature/ prefix and targets the main branch.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/modernize-client

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/client/src/gigachads_server_client.ts`:
- Around line 117-127: Multiple identical header builders (`#patchHeaders`,
`#postHeaders`, `#putHeaders`) should be consolidated into a single private helper
(e.g., create a method like `#buildJsonHeaders`(init?: HeadersInit): Headers) that
sets Accept, Authorization (Bearer this.#token) and Content-Type when missing;
update `#patchHeaders`, the `#post` method and the `#put` method to call that new
helper and remove the duplicate `#postHeaders` and `#putHeaders` methods so all
three request paths reuse the single helper.

In `@packages/client/src/new_url.test.ts`:
- Around line 4-26: Add unit tests in packages/client/src/new_url.test.ts for
query parameter serialization around the newUrl function: verify that Date
values are serialized to ISO strings, arrays become repeated query keys (e.g.,
?a=1&a=2) or the library's chosen representation, strings with special
characters are percent-encoded, null/undefined are omitted, and that passing
unsupported complex objects (like plain objects or functions) yields the
expected error/behavior; include positive cases (single param, multiple params,
Date, array) and negative/error cases to cover edge conditions.

In `@packages/client/src/new_url.ts`:
- Around line 18-22: The loop over query entries currently uses String(value)
which yields undesirable representations for null/undefined and complex types;
update the handling in the block that iterates over query (the for (const [name,
value] of Object.entries(query)) loop) to: skip null and undefined values
(continue), handle Date via toISOString as before, handle arrays with
url.searchParams.append for each element, serialize plain objects (e.g.,
JSON.stringify) or otherwise decide a clear representation, and continue to use
url.searchParams.set for primitive values (string/number/boolean) so you avoid
producing "null", "undefined", or "[object Object]".

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2582635 and ebce593.

📒 Files selected for processing (3)

• packages/client/src/gigachads_server_client.ts
• packages/client/src/new_url.test.ts
• packages/client/src/new_url.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/config/package.json`:
- Around line 47-54: The package.json dependencies list pins "typescript" to
"6.0.0-beta" which is incompatible with "typescript-eslint" (~8.56.1) that
requires ">=4.8.4 <6.0.0"; update the "typescript" entry in
packages/config/package.json to a stable 5.x release (e.g., "^5.2.2" or another
current 5.x) so it satisfies typescript-eslint's supported range, then run
install/lockfile update to ensure the lockfile reflects the downgraded
TypeScript.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ebce593 and 02b912b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• .gemini/settings.json
• .vscode/mcp.json
• .vscode/settings.json
• GEMINI.md
• apps/server/package.json
• package.json
• packages/client/package.json
• packages/config/package.json
• pnpm-workspace.yaml

💤 Files with no reviewable changes (3)

• GEMINI.md
• .vscode/mcp.json
• .gemini/settings.json

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Line 1: The base image in the Dockerfile uses node:25-slim which is not an LTS
release; update the FROM instruction to use node:24-slim (or alternatively pin a
specific digest for reproducibility) so the production container runs an LTS
Node.js version; locate the FROM line in the Dockerfile and replace node:25-slim
with node:24-slim (or a pinned digest) and rebuild images.

In `@packages/client/src/new_url.test.ts`:
- Around line 32-36: Replace the non-deterministic Date in the "with date" test
by using a fixed ISO timestamp (e.g., new Date("2020-01-01T00:00:00.000Z")) and
assert the full URL string returned by newUrl rather than only checking
searchParams; update the test that calls newUrl("/", new
URL("https://example.org/path"), { date }) to expect the exact serialized URL
(including path and ?date=<ISO>) so path+query regressions are caught.
- Around line 4-30: Extract a small setup helper in new_url.test.ts that returns
the base URL and expected string (e.g., function setup(base =
"https://example.org/path", expected = "https://example.org/path/param") {
return { base: new URL(base), expected }; }) and use it across tests to remove
repeated new URL(...) calls; rename each test to describe the expected outcome
(e.g., test("returns https://example.org/path/param when input has
leading/trailing slashes") etc.) and update each invocation to call newUrl with
values from setup and assert against setup().expected; specifically update tests
referencing newUrl(...) to use the shared setup helper and outcome-oriented test
names while keeping the same assertions.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 02b912b and ef9389a.

📒 Files selected for processing (3)

• Dockerfile
• apps/server/Dockerfile
• packages/client/src/new_url.test.ts

[coderabbitai]

♻️ Duplicate comments (4)

package.json (1)

55-70: ⚠️ Potential issue | 🟠 Major

Root manifest repeats the same unsupported dependency matrix.

Lines 59, 68, and 69 still combine eslint@^10.0.2 and typescript@6.0.0-beta with typescript-eslint@~8.56.1, which should be aligned to supported ranges before merge.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 55 - 70, The package.json root manifest lists
incompatible versions: "eslint" (^10.0.2), "typescript" (6.0.0-beta) and
"typescript-eslint" (~8.56.1) must be aligned to supported ranges; update the
dependency matrix so the three entries are mutually compatible — either use a
stable TypeScript version supported by `@typescript-eslint` v8 (e.g., downgrade
"typescript" to a supported 5.x release) or upgrade "typescript-eslint" to a
version that supports TypeScript 6, and ensure "eslint" remains a compatible
major; modify the "eslint", "typescript", and "typescript-eslint" entries in
package.json accordingly and run your lockfile update (install) to verify no
conflicts.

apps/server/package.json (1)

71-87: ⚠️ Potential issue | 🟠 Major

Same dependency matrix issue is repeated here.

Lines 78, 85, and 86 pin the same unsupported combo (eslint@^10.0.2, typescript@6.0.0-beta, typescript-eslint@~8.56.1). Please align this file with the compatibility fix.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/server/package.json` around lines 71 - 87, The package.json dependency
trio is pinned to an incompatible set (eslint@^10.0.2, typescript@6.0.0-beta,
typescript-eslint@~8.56.1); update the versions in the dependencies block so
they match the compatibility fix used elsewhere: choose a supported TypeScript
(stable 5.x) with a matching `@typescript-eslint` release and an eslint version
compatible with that `@typescript-eslint` release (update the "typescript",
"eslint", and "typescript-eslint" entries to the same versions used in the
approved compatibility fix).

packages/config/package.json (1)

47-54: ⚠️ Potential issue | 🟠 Major

Unsupported lint toolchain combination in Lines 48, 53, and 54.

typescript-eslint@~8.56.1 is not aligned with typescript@6.0.0-beta (Line 53) and eslint@^10.0.2 (Line 48). This can cause peer conflicts and unstable lint/parser behaviour.

#!/bin/bash
set -euo pipefail

echo "typescript-eslint@8.56.1 peerDependencies:"
curl -s https://registry.npmjs.org/typescript-eslint/8.56.1 | jq '.peerDependencies'

echo "@typescript-eslint/parser@8.56.1 peerDependencies:"
curl -s https://registry.npmjs.org/%40typescript-eslint%2Fparser/8.56.1 | jq '.peerDependencies'

echo "@typescript-eslint/eslint-plugin@8.56.1 peerDependencies:"
curl -s https://registry.npmjs.org/%40typescript-eslint%2Feslint-plugin/8.56.1 | jq '.peerDependencies'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/config/package.json` around lines 47 - 54, package.json lists an
incompatible lint/toolchain trio: "typescript":"6.0.0-beta", "eslint":"^10.0.2",
and "typescript-eslint":"~8.56.1" causing peer conflicts; fix by aligning
versions in package.json so the three are mutually compatible — either (A) pin
"typescript" to a stable version supported by typescript-eslint@8.56.1 (e.g., a
5.x release) or (B) bump "typescript-eslint" to a release that explicitly
supports TypeScript 6 and ESLint 10; update the "typescript" /
"typescript-eslint" / "eslint" entries accordingly (the keys to edit are the
dependency strings shown in the diff) and run install to verify peerDependencies
are satisfied.

packages/client/package.json (1)

57-70: ⚠️ Potential issue | 🟠 Major

Same dependency matrix issue is repeated here.

Lines 61, 68, and 69 use the same unsupported combo (eslint@^10.0.2, typescript@6.0.0-beta, typescript-eslint@~8.56.1). Please apply the same compatibility correction in this package.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/client/package.json` around lines 57 - 70, The package.json in
packages/client repeats the incompatible trio (dependencies "eslint",
"typescript", "typescript-eslint"); update those entries to the same compatible
versions you used to fix the other package (replace eslint@^10.0.2,
typescript@6.0.0-beta, typescript-eslint@~8.56.1 with the corrected versions you
applied elsewhere) so the dependency matrix matches across the repo.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@apps/server/package.json`:
- Around line 71-87: The package.json dependency trio is pinned to an
incompatible set (eslint@^10.0.2, typescript@6.0.0-beta,
typescript-eslint@~8.56.1); update the versions in the dependencies block so
they match the compatibility fix used elsewhere: choose a supported TypeScript
(stable 5.x) with a matching `@typescript-eslint` release and an eslint version
compatible with that `@typescript-eslint` release (update the "typescript",
"eslint", and "typescript-eslint" entries to the same versions used in the
approved compatibility fix).

In `@package.json`:
- Around line 55-70: The package.json root manifest lists incompatible versions:
"eslint" (^10.0.2), "typescript" (6.0.0-beta) and "typescript-eslint" (~8.56.1)
must be aligned to supported ranges; update the dependency matrix so the three
entries are mutually compatible — either use a stable TypeScript version
supported by `@typescript-eslint` v8 (e.g., downgrade "typescript" to a supported
5.x release) or upgrade "typescript-eslint" to a version that supports
TypeScript 6, and ensure "eslint" remains a compatible major; modify the
"eslint", "typescript", and "typescript-eslint" entries in package.json
accordingly and run your lockfile update (install) to verify no conflicts.

In `@packages/client/package.json`:
- Around line 57-70: The package.json in packages/client repeats the
incompatible trio (dependencies "eslint", "typescript", "typescript-eslint");
update those entries to the same compatible versions you used to fix the other
package (replace eslint@^10.0.2, typescript@6.0.0-beta,
typescript-eslint@~8.56.1 with the corrected versions you applied elsewhere) so
the dependency matrix matches across the repo.

In `@packages/config/package.json`:
- Around line 47-54: package.json lists an incompatible lint/toolchain trio:
"typescript":"6.0.0-beta", "eslint":"^10.0.2", and "typescript-eslint":"~8.56.1"
causing peer conflicts; fix by aligning versions in package.json so the three
are mutually compatible — either (A) pin "typescript" to a stable version
supported by typescript-eslint@8.56.1 (e.g., a 5.x release) or (B) bump
"typescript-eslint" to a release that explicitly supports TypeScript 6 and
ESLint 10; update the "typescript" / "typescript-eslint" / "eslint" entries
accordingly (the keys to edit are the dependency strings shown in the diff) and
run install to verify peerDependencies are satisfied.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef9389a and 6ff416f.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• apps/server/package.json
• package.json
• packages/client/package.json
• packages/config/package.json
• packages/config/tsconfig.json

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/server/Dockerfile (1)

14-18: ⚠️ Potential issue | 🟠 Major

Drop root privileges in the runtime stage.

The container still runs as root by default. Please switch to a non-root user in the final stage.

🔒 Suggested hardening

 FROM base AS server
-COPY --from=build /prod/server /prod/server
+COPY --from=build --chown=node:node /prod/server /prod/server
 WORKDIR /prod/server
+USER node
 EXPOSE 3000
 CMD [ "pnpm", "start" ]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/server/Dockerfile` around lines 14 - 18, The final Dockerfile stage
labeled "server" currently runs as root; add a non-root user and switch to it in
that stage (create a user/group, chown the /prod/server files to that user, and
set USER) so the container drops root privileges at runtime; update the stage
that contains COPY --from=build /prod/server /prod/server, WORKDIR /prod/server,
EXPOSE 3000, and CMD ["pnpm","start"] to perform these user creation/chown steps
and then use USER <nonroot> before CMD.

Dockerfile (1)

14-18: ⚠️ Potential issue | 🟠 Major

Run the server container as a non-root user.

The runtime stage has no USER instruction, so the app runs as root. That is an avoidable security posture gap.

🔒 Runtime hardening diff

 FROM base AS server
-COPY --from=build /prod/server /prod/server
+COPY --from=build --chown=node:node /prod/server /prod/server
 WORKDIR /prod/server
+USER node
 EXPOSE 3000
 CMD [ "pnpm", "start" ]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 14 - 18, The runtime Docker stage named "server"
runs the app as root; create a non-root user and switch to it in that stage
(referencing the "server" stage, WORKDIR /prod/server, and CMD ["pnpm","start"])
— add steps to create a limited user (e.g., addgroup/adduser or
groupadd/useradd), chown the application directory (/prod/server) to that user,
and add a USER instruction so the container process runs as the non-root user at
runtime; ensure any files the app needs are owned by that user before switching.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/server/Dockerfile`:
- Around line 4-5: Replace the insecure piped installer command ("wget -qO-
https://get.pnpm.io/install.sh | ENV=... bash -") with a deterministic npm-based
install: remove the wget|bash RUN line and invoke npm to install pnpm globally
(npm install --global pnpm@latest), ensuring npm/node is available in the image
before that RUN; keep the apt update/install steps as needed and avoid running
remote scripts as root for reproducibility and security.

In `@Dockerfile`:
- Around line 4-5: Replace the two RUN steps that fetch and pipe the pnpm
installer (the lines starting with "RUN apt update && apt install --yes wget
..." and "RUN wget -qO- https://get.pnpm.io/install.sh | ... bash -") with a
reproducible approach: base the image on a Node.js image that includes Corepack
(eg. Node.js 25-slim) and run "corepack enable" in a single RUN step to activate
pnpm; remove the wget/remote-script usage and any unnecessary apt installs so
the Dockerfile uses Corepack to provide pnpm securely and reproducibly.

---

Outside diff comments:
In `@apps/server/Dockerfile`:
- Around line 14-18: The final Dockerfile stage labeled "server" currently runs
as root; add a non-root user and switch to it in that stage (create a
user/group, chown the /prod/server files to that user, and set USER) so the
container drops root privileges at runtime; update the stage that contains COPY
--from=build /prod/server /prod/server, WORKDIR /prod/server, EXPOSE 3000, and
CMD ["pnpm","start"] to perform these user creation/chown steps and then use
USER <nonroot> before CMD.

In `@Dockerfile`:
- Around line 14-18: The runtime Docker stage named "server" runs the app as
root; create a non-root user and switch to it in that stage (referencing the
"server" stage, WORKDIR /prod/server, and CMD ["pnpm","start"]) — add steps to
create a limited user (e.g., addgroup/adduser or groupadd/useradd), chown the
application directory (/prod/server) to that user, and add a USER instruction so
the container process runs as the non-root user at runtime; ensure any files the
app needs are owned by that user before switching.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ff416f and 53be17e.

📒 Files selected for processing (2)

• Dockerfile
• apps/server/Dockerfile