2026-03-14 — Eclectis

What shipped today

Today was a hardening and testing day — 7 issues closed across two themes: security/reliability fixes and test coverage expansion. The session ran in --auto mode, executing scout-generated issues from yesterday’s codebase exploration.

Security and reliability. Four issues addressed vulnerabilities and failure modes found by yesterday’s scout run. The briefing email template now escapes all user-controlled HTML to prevent XSS (#182). The scheduler tick is wrapped in error handling so transient DB failures don’t crash the entire scheduling loop, and per-user operations are isolated so one user’s failure doesn’t block others (#183). The app layout now gracefully redirects to onboarding instead of crashing when a profile lookup fails (#184). The Brevo inbound webhook returns a proper 400 instead of crashing on malformed JSON payloads (#185).

Test coverage. The test suite grew from 66 to 105 tests. Issue #186 (broad test coverage) was decomposed into two grindable children. #191 added 33 auth guard tests covering every exported server action across feeds, search terms, articles, settings, engagement, and briefings — verifying that all actions properly reject unauthenticated requests. #192 added 6 API route tests covering auth guards on the export and billing endpoints, plus Stripe webhook signature validation.

Completed

• #182 — Escape HTML in briefing email template to prevent XSS
• #183 — Add error handling to scheduler tick to prevent silent failures
• #184 — Handle profile lookup failure in app layout to prevent crash
• #185 — Add error handling for Brevo webhook JSON parsing
• #186 — Add tests for server actions and API routes (decomposed → #191, #192)
• #191 — Add auth guard tests for server actions
• #192 — Add auth and validation tests for API routes

Release progress

All four milestones (M1–M4) are closed. 35 issues shipped total across all sessions. No open milestones.

Carry-over

• Verify PostHog and Sentry are correctly configured in production (env vars firing, events captured, errors tracked) — this has been on the TODO list since launch

Risks

• None identified today. The security fixes reduce overall risk posture.

Flags and watch-outs

• The commands table still accumulates skipped push commands for users without Raindrop/Readwise configured. No cleanup mechanism yet (flagged yesterday).
• Engine Python tests still can’t run locally due to missing deps (structlog, httpx) — only pure-logic tests pass locally. Engine tests run on Railway.

Next session

• Verify PostHog events are firing correctly in production (check the PostHog dashboard)
• Verify Sentry is capturing errors (trigger a test error, check Sentry dashboard)
• Consider creating a new milestone for post-launch polish or v1.1 features
• Review backlog issues #64 (email inbox scanning) and #77 (Vercel issue) — assess whether they should be closed or promoted
• Test the data export and OPML export features in production