sderickson · sderickson · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/.github/workflows/typecheck.yaml b/.github/workflows/typecheck.yaml
@@ -9,9 +9,9 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
       - name: Install dependencies

diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
@@ -17,9 +17,9 @@ jobs:
           - saflib
           # END WORKFLOW AREA
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
           cache: "npm"

diff --git a/.github/workflows/workflow-checklist.yaml b/.github/workflows/workflow-checklist.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 

diff --git a/.github/workflows/workflow-git.yaml b/.github/workflows/workflow-git.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-git-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 

diff --git a/.github/workflows/workflow-print.yaml b/.github/workflows/workflow-print.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 

diff --git a/.github/workflows/workflow-run.yaml b/.github/workflows/workflow-run.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 

diff --git a/.github/workflows/workflow-script.yaml b/.github/workflows/workflow-script.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 

diff --git a/analytics-service/AnalyticsServiceBase.ts b/analytics-service/AnalyticsServiceBase.ts
@@ -1,4 +1,4 @@
-import { getSafContext } from "@saflib/node";
+import { getSafContext, getSafReporters } from "@saflib/node";
 import type { SafContext } from "@saflib/node";
 import type { AnalyticsService, CommonEvent, IdentifyProps } from "./types.ts";
 
@@ -52,6 +52,13 @@ export abstract class AnalyticsServiceBase implements AnalyticsService {
       event: event.event,
       context: mergedContext,
     });
+
+    const { log } = getSafReporters();
+    log.info(`Product event: ${event.event}`, {
+      event: event.event,
+      distinct_id: distinctId,
+      ...(mergedContext !== undefined ? { context: mergedContext } : {}),
+    });
   }
 
   protected abstract emitCapture(event: {

diff --git a/backup/backup-sdk/Dockerfile.template b/backup/backup-sdk/Dockerfile.template
@@ -7,8 +7,7 @@ RUN npm install -g npm@11.14.1
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install
-RUN npm install @rollup/rollup-linux-arm64-gnu
+RUN npm ci
 
 #{ copy_src }#
 

diff --git a/cron/cron/Dockerfile.template b/cron/cron/Dockerfile.template
@@ -4,7 +4,7 @@ FROM node:alpine3.19
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 #{ copy_src }#
 
 WORKDIR /app/services/cron

diff --git a/drizzle/types/file-metadata.ts b/drizzle/types/file-metadata.ts
@@ -20,6 +20,7 @@ export const fileMetadataColumns = {
   file_original_name: text("file_original_name").notNull(),
   mimetype: text("mimetype").notNull(),
   size: integer("size").notNull(),
+  md5_hash: text("md5_hash"),
   created_at: text("created_at")
     .notNull()
     .$defaultFn(() => new Date().toISOString()),
@@ -47,6 +48,7 @@ export interface FileMetadataFields {
   file_original_name: string;
   mimetype: string;
   size: number;
+  md5_hash: string | null;
   created_at: string;
   updated_at: string;
 }
diff --git a/express/src/middleware/auth.ts b/express/src/middleware/auth.ts
@@ -4,6 +4,7 @@ import {
   AUTH_ERROR_EMAIL_VERIFICATION_REQUIRED,
   AUTH_ERROR_MFA_REQUIRED,
 } from "@saflib/sdk/auth-error-codes";
+import { typedEnv } from "@saflib/env";
 
 interface AuthMiddlewareOptions {
   adminRequired?: boolean;
@@ -57,7 +58,7 @@ export const makeAuthMiddleware = (
     const routeRequiresMfa =
       Boolean(mfaRequired) ||
       tags?.includes("mfa-required") === true ||
-      Boolean(adminRequired);
+      (Boolean(adminRequired) && typedEnv.NODE_ENV === "production");
 
     if (tags?.includes("no-auth")) {
       return next();

diff --git a/express/src/middleware/csrf.ts b/express/src/middleware/csrf.ts
@@ -6,14 +6,17 @@ const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
 /**
  * Enforce CSRF double-submit token validation on state-changing requests.
  * Skips routes tagged `no-auth` (same convention as auth middleware).
+ * Skips `csrf-exempt` for browser-initiated posts that cannot attach our token
+ * (e.g. Content-Security-Policy violation reports).
  */
 export const makeCsrfMiddleware = (): Handler => {
   return (req, res, next): void => {
     if (typedEnv.NODE_ENV === "test") {
       return next();
     }
 
-    if (req.openapi?.schema?.tags?.includes("no-auth")) {
+    const tags = req.openapi?.schema?.tags;
+    if (tags?.includes("no-auth") || tags?.includes("csrf-exempt")) {
       return next();
     }
 

diff --git a/express/src/middleware/errors.ts b/express/src/middleware/errors.ts
@@ -1,6 +1,6 @@
 import createError, { HttpError } from "http-errors";
 import type { Request, Response, NextFunction, Handler } from "express";
-import { safReportersStorage } from "@saflib/node";
+import { getErrorCollectors, safReportersStorage } from "@saflib/node";
 import { typedEnv } from "@saflib/env";
 /**
  * 404 Handler
@@ -24,13 +24,19 @@ export const errorHandler = (
   const status = err.status || 500;
 
   if (status >= 500) {
-    if (typedEnv.NODE_ENV === "test") {
+    if (
+      typedEnv.NODE_ENV === "test" &&
+      getErrorCollectors().length === 0
+    ) {
       console.error(err.stack);
     }
     const store = safReportersStorage.getStore();
     if (store) {
       store.logError(err);
-    } else {
+    } else if (
+      typedEnv.NODE_ENV !== "test" ||
+      getErrorCollectors().length === 0
+    ) {
       console.log("Error", err);
     }
   }

diff --git a/node/src/errors.ts b/node/src/errors.ts
@@ -18,7 +18,7 @@ export const addErrorCollector = (collector: ErrorCollector) => {
   errorCollectors.push(collector);
 };
 
-const getErrorCollectors = () => {
+export const getErrorCollectors = () => {
   return errorCollectors.slice();
 };
 

diff --git a/package.json b/package.json
@@ -17,7 +17,6 @@
     "@saflib/vue": "*",
     "@vue/tsconfig": "^0.9.1",
     "typescript": "~6.0.0",
-    "vite": "^8.0.9",
     "vue-router": "^5.0.0",
     "vue-tsc": "^3.0.6"
   },

diff --git a/processes/workflows/spec-project.ts b/processes/workflows/spec-project.ts
@@ -126,6 +126,8 @@ export const SpecProjectWorkflowDefinition = defineWorkflow<
 
       Now that you have a plan, you can write the workflows per the aligned plan to implement the spec. Only one workflow has been generated, but make as many as the plan dictates. Have the main one run the others (orchestrating them).
 
+      **Step shape:** Do not start a phase workflow (or the orchestrator) with a review-only \`PromptStepMachine\` that only tells the agent to read the spec/plan. The first step should be real work (\`CdStepMachine\`, a sub-workflow, or an implementation prompt). Put context in that first step's prompt with \`Use workflow docFiles (**<name>.spec.md**, **<name>.plan.md** Phase N)\` — the workflow's \`docFiles\` block already wires those paths; reading them is not a separate step. Follow \`daemon/plans/notes/2026-05-21-questionnaire-mappings/\` phase workflows as the reference shape.
+
       For each workflow, run "npm exec saf-workflow dry-run ./path/to/workflow.ts" to make sure everything is wired up correctly. One of the more common errors is for the workflow to not include "CdStepMachine" to move into the right directory before running the workflow. Location matters.
       `,
     })),

diff --git a/product/workflows/templates/.github/actions/setup-node-deps/action.yml b/product/workflows/templates/.github/actions/setup-node-deps/action.yml
@@ -0,0 +1,36 @@
+name: Setup Node dependencies
+description: >-
+  Setup Node.js, restore ~/.npm and workspace node_modules caches, and run npm ci
+  only on cache miss. The monorepo installs into nested node_modules (e.g.
+  saflib/node_modules); caching only the repo root tree breaks typecheck.
+inputs:
+  node-version:
+    description: Node.js version
+    required: false
+    default: "24"
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: npm
+
+    - name: Cache node_modules
+      id: node-modules-cache
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      with:
+        path: |
+          node_modules
+          saflib/**/node_modules
+          daemon/**/node_modules
+          deploy/**/node_modules
+        key: node-modules-v2-${{ runner.os }}-node-${{ inputs.node-version }}-${{ hashFiles('package-lock.json') }}
+        restore-keys: |
+          node-modules-v2-${{ runner.os }}-node-${{ inputs.node-version }}-
+
+    - name: Install dependencies
+      if: steps.node-modules-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: npm ci --prefer-offline --no-audit --no-fund
diff --git a/product/workflows/templates/.github/workflows/playwright.yml b/product/workflows/templates/.github/workflows/playwright.yml
@@ -10,15 +10,10 @@ jobs:
       run:
         working-directory: .
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: lts/*
-          cache: "npm"
-      - name: Install submodules
-        run: git submodule update --init
-      - name: Install dependencies
-        run: npm ci
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
       # For some reason, github actions hang when I do `npm exec saf-docker generate`. So we run the script directly.
       - name: Generate Docker
         run: node --experimental-strip-types --disable-warning=ExperimentalWarning saflib/dev-tools/src/saf-docker-cli.ts generate
@@ -36,14 +31,14 @@ jobs:
       - name: Shut down
         run: docker stop $(docker ps -a -q)
       # TODO: gather all logs and upload them as artifacts
-      # - uses: actions/upload-artifact@v4
+      # - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
       #   if: ${{ !cancelled() }}
       #   with:
       #     name: playwright-report
       #     path: ./clients/web-auth/playwright-report/
       #     retention-days: 30
       - name: Upload docker compose logs
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7
         if: ${{ !cancelled() }}
         with:
           name: last-docker-compose-log

diff --git a/product/workflows/templates/.github/workflows/push.yml b/product/workflows/templates/.github/workflows/push.yml
@@ -26,21 +26,13 @@ jobs:
     env:
       CONTAINER_REGISTRY: ghcr.io/${{ github.repository_owner }}
     steps:
-      - uses: actions/checkout@v6
-      - name: Install submodules
-        run: git submodule update --init
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 24
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
 
       - name: Log in to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/product/workflows/templates/.github/workflows/typecheck.yml b/product/workflows/templates/.github/workflows/typecheck.yml
@@ -9,15 +9,9 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 24
-          cache: "npm"
-      - name: Install submodules
-        run: git submodule update --init
-      - name: Install dependencies
-        run: npm ci
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
       - name: Run Typecheck
         run: npm run typecheck
diff --git a/product/workflows/templates/.github/workflows/unit-tests.yaml b/product/workflows/templates/.github/workflows/unit-tests.yaml
@@ -17,20 +17,10 @@ jobs:
           - __product-name__
           # END WORKFLOW AREA
     steps:
-      - uses: actions/checkout@v6
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 24
-          cache: "npm"
-      - name: Install submodules
-        run: git submodule update --init
-      - name: Install dependencies
-        run: npm ci
-
-      # Tests fail to run if this one package isn't installed
-      - name: Install rollup for linux
-        run: npm install @rollup/rollup-linux-x64-gnu
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
 
       - name: Run Unit Tests
         run: npm run test -- --project='*${{ matrix.project }}*'
diff --git a/product/workflows/templates/__product-name__/dev/Dockerfile.template b/product/workflows/templates/__product-name__/dev/Dockerfile.template
@@ -14,7 +14,7 @@ RUN npm install -g npm@11.14.1
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 
 #{ copy_src }#
 

diff --git a/product/workflows/templates/__product-name__/dev/kratos/kratos.yml b/product/workflows/templates/__product-name__/dev/kratos/kratos.yml
@@ -13,11 +13,13 @@ serve:
 selfservice:
   default_browser_return_url: http://auth.docker.localhost/
 
-  # Permit return_to from any app on this dev domain (e.g. app.recipes.docker.localhost).
-  # Root host is listed separately; *.docker.localhost does not match the apex.
+  # Only apex and product hosts (no subdomain wildcard — T-9 open redirect).
   allowed_return_urls:
     - http://docker.localhost/
-    - http://*.docker.localhost/
+    - http://app.docker.localhost/
+    - http://admin.docker.localhost/
+    - http://auth.docker.localhost/
+    - http://account.docker.localhost/
 
   flows:
     registration:
-Original file line number
+Diff line change
@@ Expand Up @@
           Now that you have a plan, you can write the workflows per the aligned plan to implement the spec. Only one workflow has been generated, but make as many as the plan dictates. Have the main one run the others (orchestrating them).
+          **Step shape:** Do not start a phase workflow (or the orchestrator) with a review-only \`PromptStepMachine\` that only tells the agent to read the spec/plan. The first step should be real work (\`CdStepMachine\`, a sub-workflow, or an implementation prompt). Put context in that first step's prompt with \`Use workflow docFiles (**<name>.spec.md**, **<name>.plan.md** Phase N)\` — the workflow's \`docFiles\` block already wires those paths; reading them is not a separate step. Follow \`daemon/plans/notes/2026-05-21-questionnaire-mappings/\` phase workflows as the reference shape.
           For each workflow, run "npm exec saf-workflow dry-run ./path/to/workflow.ts" to make sure everything is wired up correctly. One of the more common errors is for the workflow to not include "CdStepMachine" to move into the right directory before running the workflow. Location matters.
           `,
         })),
@@ Expand Down @@