
Feature/f 013 single lockfile #281

Merged
Junman140 merged 3 commits into Pi-Defi-world:dev from chiemezie1:feature/F-013-single-lockfile
Apr 30, 2026

@chiemezie1 chiemezie1 commented Apr 24, 2026

PR: Enforce Single Lockfile Policy (pnpm) (#184)

Summary:
Removes package-lock.json to enforce pnpm as the sole package manager lockfile. This prevents dependency drift and ensures all contributors use the same dependency versions.

Context:

Details:

  • Deleted package-lock.json from the repository root.
  • Only pnpm-lock.yaml remains for dependency management.
  • No other changes to dependencies or configuration.

closes: #184

Summary by CodeRabbit

  • Chores
    • Updated repository configuration to better manage dependency lock files.


coderabbitai Bot commented Apr 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 11ae6294-3181-4124-ab96-7c46957b8c3a

📥 Commits

Reviewing files that changed from the base of the PR and between 9d98c63 and dc07cc6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • .gitignore
🚧 Files skipped from review as they are similar to previous changes (1)
  • .gitignore

📝 Walkthrough

The .gitignore file is updated to ignore both package-lock.json and pnpm-lock.yaml lockfiles, preventing dependency drift across contributors using different package managers. A trailing newline is also added to the file.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Lockfile ignore policy: .gitignore | Added package-lock.json and pnpm-lock.yaml to ignored files; added trailing newline. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Two managers vying for the crown so bright,
Now both their locks rest hidden from sight,
In .gitignore's embrace, no more the fight,
One tool shall reign with peaceful delight! 🔐✨

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Linked Issues check | ⚠️ Warning | The pull request partially addresses issue #184 by adding lockfiles to .gitignore, but doesn't fully enforce the single lockfile policy in CI as required by the acceptance criteria. | Implement CI checks to enforce that only pnpm-lock.yaml exists and that package-lock.json is not committed, as specified in issue #184's acceptance criteria. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'Feature/f 013 single lockfile' is vague and uses a branch naming convention rather than a clear PR description. It references a feature ID but doesn't clearly convey what change was made. | Use a clearer title like 'Add pnpm and package-lock.json to .gitignore to enforce single lockfile' to better describe the actual changes. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Out of Scope Changes check | ✅ Passed | The .gitignore changes align with the objective to enforce a single lockfile policy by ignoring package-lock.json and pnpm-lock.yaml, which is directly related to issue #184. |



drips-wave Bot commented Apr 24, 2026

@chiemezie1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.gitignore (1)

27-29: LGTM — aligns with single-lockfile policy.

Ignoring package-lock.json correctly enforces pnpm as the sole lockfile at the repo level. As an optional hardening step, you might also consider ignoring yarn.lock to cover contributors who accidentally run yarn, and pairing this with a CI check (e.g., fail the build if package-lock.json or yarn.lock is present) to meet the acceptance criterion "single lockfile policy enforced in CI" from issue #184.

Optional tweak
 next-env.d.ts
 package-lock.json
+yarn.lock
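Review bot: The ignore list ending at `+yarn.lock` still leaves npm's other lockfile name, npm-shrinkwrap.json, uncovered, and an ignore entry does not stop a file that is force-added or already tracked. Suggest adding npm-shrinkwrap.json next to yarn.lock and treating the CI presence check, not the ignore file, as the actual enforcement.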
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 27 - 29, Add an optional hardening change: update
.gitignore to also ignore yarn.lock alongside package-lock.json and add a CI job
(e.g., "single-lockfile" check) that fails the build if package-lock.json or
yarn.lock are present in the repo; this ensures the repository enforces a single
lockfile policy by both ignoring alternate lockfiles in .gitignore and
explicitly rejecting them in CI.
lib/api/client.ts (1)

21-55: Optional: tighten request() robustness while you're here.

Non-blocking observations on the surrounding function (pre-existing, not introduced by this PR — address only if convenient):

  • await res.json() on line 44 can throw on malformed JSON bodies, bypassing the structured ApiError path and surfacing a SyntaxError to callers. Wrapping it in try/catch and falling back to { error: res.statusText } would make error handling uniform.
  • DELETE requests can legitimately have bodies in some APIs; del() currently hard-codes undefined. Fine if the backend never needs it, but worth noting.
  • Given relevant snippets show lib/api/user.ts::getReceiveQrcode() and app/(app)/me/kyc/upload/page.tsx bypass request() with their own fetch() calls, consider a follow-up to consolidate on a single client so future cross-cutting concerns (auth, tracing, retries) apply uniformly.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@lib/api/client.ts` around lines 21 - 55, The request() function can throw a
raw SyntaxError if await res.json() fails; update request (function name:
request) to wrap the JSON parse in try/catch: attempt res.json() when
content-type includes application/json, but if parsing throws, set data = {
error: res.statusText || 'Invalid JSON response', details: parseError } so the
subsequent ApiError construction (type ApiError) uses that structured info;
ensure non-OK responses still produce an ApiError with err.status = res.status
and err.details populated from data (or the parse error) before throwing so
callers always receive a consistent ApiError object even on malformed JSON.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/api/client.ts`:
- Around line 31-34: This hunk mixes an auth/security change into the lockfile
PR—revert the change in lib/api/client.ts so the CSRF cookie/XSRF-TOKEN logic is
restored and the new Authorization header behavior (the opts.token ->
headers['Authorization'] assignment) is removed from this commit; locate the
conditional around opts.token and the comment "CSRF cookie logic removed" and
restore the previous CSRF/XSRF handling code, moving any token/auth changes into
a separate focused PR with tests and backend coordination.
- Line 31: Confirm with the backend team whether any endpoints validate the
X-XSRF-TOKEN header and, if not, add a short top-of-file comment in
lib/api/client.ts (or an ADR) stating CSRF cookies/XSRF-TOKEN are intentionally
removed because the app uses Bearer Authorization headers; then refactor the
outlier getReceiveQrcode() in lib/api/user.ts to call the centralized request()
helper instead of a direct fetch so it receives the same auth and security
headers/behavior, and ensure request() preserves all required headers and error
handling for 419/403 responses.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 807b19bc-0ae8-4c60-a973-5476ba928c20

📥 Commits

Reviewing files that changed from the base of the PR and between cd9e29f and 9d98c63.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .gitignore
  • lib/api/client.ts
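
One way to implement the CI gate that the pre-merge check and the review above ask for, as an added example (not code from this PR or the repository). It goes slightly beyond the two files named in the review: the function name `check_lockfiles`, the `--ci` switch and the inclusion of `npm-shrinkwrap.json` are assumptions, and it also fails when `pnpm-lock.yaml` itself is no longer tracked.

```shell
#!/bin/sh
# Added example: single-lockfile gate for CI (not part of the PR).
# check_lockfiles reads repo-relative tracked paths on stdin, one per line.

# Lockfile names written by package managers other than pnpm (assumed list).
FOREIGN_LOCKS='package-lock.json npm-shrinkwrap.json yarn.lock'

check_lockfiles() {
    found_pnpm=0
    violations=''
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r path || [ -n "$path" ]; do
        if [ "$path" = 'pnpm-lock.yaml' ]; then
            found_pnpm=1
            continue
        fi
        name=${path##*/}   # basename, so nested workspaces are covered too
        for lock in $FOREIGN_LOCKS; do
            if [ "$name" = "$lock" ]; then
                violations="$violations $path"
            fi
        done
    done
    rc=0
    if [ -n "$violations" ]; then
        echo "single-lockfile: foreign lockfile(s) tracked:$violations" >&2
        rc=1
    fi
    if [ "$found_pnpm" -eq 0 ]; then
        echo "single-lockfile: pnpm-lock.yaml is not tracked at the repo root" >&2
        rc=1
    fi
    return "$rc"
}

# CI entry point: check what is committed, not what is on disk, so a
# .gitignore entry cannot hide a force-added or previously tracked file.
if [ "${1:-}" = "--ci" ]; then
    git ls-files | check_lockfiles
fi
```

In a pipeline, run it before the install step; `pnpm install --frozen-lockfile` then makes the build fail if `pnpm-lock.yaml` is out of date with `package.json`.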

@Junman140 (Member)

@chiemezie1 resolve conflicts

@chiemezie1 (Contributor, Author)

@Junman140 all conflicts fixed.

Resolved merge conflicts and aligned with single lockfile policy (pnpm).
package-lock.json removed and pnpm-lock.yaml retained for dependency management.

@Junman140 Junman140 merged commit a011caf into Pi-Defi-world:dev Apr 30, 2026
1 check passed
Development

Successfully merging this pull request may close these issues.

F-013 — Both package-lock.json and pnpm-lock.yaml
