Forge World — 2026-03-29

What shipped today

Today was a full sweep of the Forge World codebase — three scout runs identified 30 issues across error handling, test coverage, UX gaps, dead code, and dependency health. The dev-loop executed continuously, closing 30 issues total (from #25 through #54).

Error handling and security dominated the early work. The global error boundary was leaking error.message to users (#31). Auth helpers silently swallowed database errors, causing users to be wrongly redirected to onboarding (#32). The auth callback had an open redirect vulnerability (#28). Admin page queries discarded Supabase errors and showed 0 instead of surfacing failures (#36). On the engine side, the database pool init had no error logging (#37) and the poller’s _set_status() could fail silently, leaving commands permanently stuck in “processing” (#38). All of these are now hardened with proper error boundaries, try/catch blocks, and Sentry reporting.

Test coverage went from zero to 29 tests across 5 files. The validate proxy route, auth callback (including open-redirect protection), workspace server action, and ebook reference helper all have dedicated test suites. The test infrastructure uses Vitest with vi.mock for Supabase, Sentry, and fetch mocking.

UX improvements rounded out the session: mobile hamburger menu for marketing nav (#39), ebook table of contents page replacing a blind redirect (#46), active chapter highlighting in the sidebar (#49), custom 404 page (#51), and the onboarding route now properly requires authentication (#54). Dependencies were upgraded across the board — @supabase/ssr to 0.9, @vercel/analytics and @vercel/speed-insights to v2, TypeScript to v6, and @vitejs/plugin-react to v6.

Completed

• #25: Validation errors should link to relevant ebook sections
• #26: Fix proxy.ts — auth middleware never fires
• #27: Add try/catch to auth forms
• #28: Fix open redirect in auth callback route
• #29: Add input size limits to /validate endpoint
• #30: Fix root metadata, dead /settings link, mobile ebook nav
• #31: Global error boundary leaks error.message
• #32: Auth helpers silently swallow DB errors
• #33: Remove dead code: lookupApiKey, PGRST116, poller handlers
• #34: Add meta descriptions for SEO
• #35: Add noreferrer to external links
• #36: Admin page silently swallows Supabase query errors
• #37: Engine init_pool() crashes without useful error
• #38: Poller _set_status() failure leaves commands stuck
• #39: Marketing nav overflows on mobile
• #40: Add tests (decomposed into #41-#44)
• #41: Add tests for getEbookRef() helper
• #42: Add tests for validate proxy route
• #43: Add tests for auth callback
• #44: Add tests for createWorkspace server action
• #46: Ebook index page redirects instead of showing TOC
• #47: Upgrade @supabase/ssr to 0.9
• #48: Upgrade @vercel/analytics and @vercel/speed-insights to v2
• #49: Ebook sidebar nav doesn’t highlight current chapter
• #50: Remove stale /settings check from middleware
• #51: Add custom not-found page
• #52: Engine poller runs with empty HANDLERS — gate it
• #53: Upgrade TypeScript to v6 and @vitejs/plugin-react to v6
• #54: Add onboarding route to middleware protected check

Carry-over

• #45 (needs-clarification): Dashboard page is an empty placeholder. Three options proposed (redirect to /validate, quick links, or validation history). Awaiting human decision.
• #10 (backlog): Vendor stellaris_mod_validator.py for post-render validation. Deferred to a future milestone when the render feature is built.

Risks

No new systemic risks emerged. The dependency upgrades (TS 6, Vite plugin 6, Supabase SSR 0.9, Vercel analytics/speed-insights v2) all went cleanly with zero breaking changes. The codebase is in a healthy state.

Flags and watch-outs

• The mobile nav and marketing layout both define NAV_LINKS independently. Minor DRY issue — intentionally left to keep the mobile nav self-contained as a client component.
• Scout parallel agents consistently fail at context limits in this session. Scans fall back to running directly in the main session.
• The --legacy-peer-deps flag is still needed for npm installs due to @vercel/analytics v2 having an optional peer dep on SvelteKit.

Next session

• Answer #45: The dashboard question needs a human decision. Option 2 (quick links) is the pragmatic choice — minimal effort, useful landing spot after login.
• Run /scout: The codebase has been heavily improved. A fresh scout may find fewer issues, or surface deeper architectural gaps now that the surface-level problems are fixed.
• Engine feature work: With all housekeeping done, the next meaningful milestone is wiring up the actual validate endpoint to the Phantasmagoria validator (the current /api/validate just proxies to the engine, but the engine’s validate handler needs the actual stellaris_mod_validator.py).
• Ebook content: Only chapters 1-4 exist. Chapters 5-8 are out of v1 scope per PRODUCT.md, but the content framework is solid and ready when needed.