Skip to content

WEB-PRIVACY-001B: redact public product-load failures#257

Open
daliu wants to merge 1 commit into
mainfrom
codex/issue-256-product-error-redaction
Open

WEB-PRIVACY-001B: redact public product-load failures#257
daliu wants to merge 1 commit into
mainfrom
codex/issue-256-product-error-redaction

Conversation

@daliu

@daliu daliu commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Closes #256

Outcome

The public /shop/:slug route now treats a rejected product read as untrusted. It discards the rejection and shows exactly We could not load this product right now. Please try again later. in an assertive atomic alert.

Loading ends on failure. The lookup effect clears stale page state and ignores results from older slugs, so an out-of-order request cannot replace or declassify the current route result. Genuine missing products, successful product displays, and checkout behavior remain unchanged.

Safety invariant

  • never bind, inspect, coerce, render, store, or log a rejected product-lookup value
  • show only the fixed source-owned sentence to an anonymous visitor
  • do not retain a previous product or error across a new slug lookup
  • ignore fulfillment or rejection from an inactive older lookup
  • preserve successful, genuine-not-found, and checkout behavior
  • tests use only made-up values and mocks with no Firebase or provider network access

Verification

Old-source red proof:

  • 10 passed / 2 intended failures
  • the raw private canary reached the public page
  • a hostile message getter executed and left the page loading

Final local proof on Node 20:

  • focused actual-App product route: 14/14
  • full frontend: 12 suites / 269 tests
  • TypeScript no-emit: passed
  • lint safety: unchanged at 106 files / 123 reviewed legacy errors / 7 warnings
  • SPA navigation: 11/11
  • workflow, release, Firebase-readback, and artifact safety: 42/42
  • diagnostic production build: passed
  • git diff --check: passed
  • exact three-path diff SHA-256: 909de1e935297db09ca0d3e13fc26b7587e81e6ffaeadbaa46e049d1e42597c3
  • independent security/privacy, frontend/lifecycle/accessibility, and officer/scope reviews: PASS

Scope

Only:

Open commerce #249/#246 paths are disjoint and untouched. The checkout handler is byte-identical to the claimed base.

Officer impact: Visitors and officers receive one plain retry-later instruction without database, provider, account, endpoint, or technical detail. Older in-flight product reads cannot replace the current page result.
Officer documentation: docs/officers/EVENTS_SHOP_MEMBERS.md, section Public product-detail load failure privacy — SOURCE ONLY, NOT LIVE.
Deployment evidence: None yet. This pull request changes source, tests, and documentation only. No release workflow, production website, runmprc.com, Firebase, database permissions, provider configuration, production data, migration, checkout, or live-behavior action occurred.

Residual risk

This source slice does not publish the website, deploy or verify Firebase, change product permissions, configure a provider, or prove live behavior. Those require a separately approved protected release and exact revision checks.

@netlify

netlify Bot commented Jul 14, 2026

Copy link
Copy Markdown

Deploy Preview for luminous-fox-7c393f ready!

Name Link
🔨 Latest commit 428c0aa
🔍 Latest deploy log https://app.netlify.com/projects/luminous-fox-7c393f/deploys/6a55f6853d4a4a0008b0c67c
😎 Deploy Preview https://deploy-preview-257--luminous-fox-7c393f.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

WEB-PRIVACY-001B — Redact public Shop product-load failures

1 participant