Lab: Harden it
Write the test script and door tests, then close the four classic v1 holes: input limits, rate limiting the AI route, double-submit protection, and the security once-over.
Hardening week: Replyable goes from 'works when I use it nicely' to 'survives being used badly' — which is the actual bar for anything with a public URL, and next module it gets one.
- 1Write TESTING.md and run it cold: the 12-15 step script from the lesson, plus your seam steps. First cold run typically finds 2-3 real issues (the long-message layout break and the double-click double-draft are the usual suspects). Fix them via the debugging loop; add nothing to the script that you don't actually intend to run.
- 2Add the door tests: ask the assistant to set up the test runner and write 8-10 API tests (each route: one good knock, one bad). Get
npm testgreen, then prove the tests test: break a validation on purpose, watch the red, restore, green. A test suite you've never seen fail is a decoration. - 3Close the four classic holes: (1) input limits everywhere — max lengths on every text field, enforced at the door (the 4,000-char body gets truncated-with-notice or refused, your call, but decided); (2) rate-limit `/api/ai/draft` — a simple per-minute cap (the assistant knows the standard patterns) so a stuck loop or a stranger can't spend your budget; (3) double-submit protection — buttons disable while their request is in flight, everywhere a click costs money or creates rows; (4) the injection audit — search the codebase for any SQL built by string-pasting (there shouldn't be any; placeholders everywhere since Module 4 — verify, don't assume).
- 4The security once-over with the assistant: paste your routes and ask for a beginner-appropriate review: 'What could a hostile stranger with just the URL do to this app? Rank by severity.' Expect honest findings you'll accept for v1 (no auth = anyone can use it — known, it's on the cut list, and Module 7 decides what that means for launch) and quick wins you'll take now. Judgment about which is which is the lesson.
- 5Full regression to close: script + door tests, green in one sitting, committed:
hardened v1. Note your time-to-run for the script (should be under ten minutes) — if it's more, trim the script; a checklist too long to run is a checklist that stops being run.
Symptom-to-diagnosis drills: six bug reports written the way real users write them ('it ate my reply', 'the AI button does nothing sometimes') to route to browser/server/database before touching code; one Network-tab screenshot to read like an X-ray; and a code review exercise — a planted route with three vulnerabilities (string-built SQL, no validation, key logged to console) to find without hints. You've seen every pattern; this proves you'd catch them in the wild.