roostorg · pawiecz · Apr 15, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
@@ -10,9 +10,9 @@ import { MapperKind, mapSchema } from '@graphql-tools/utils';
 import { MultiSamlStrategy } from '@node-saml/passport-saml';
 import { SpanStatusCode } from '@opentelemetry/api';
 import {
-  SEMATTRS_EXCEPTION_MESSAGE,
-  SEMATTRS_EXCEPTION_STACKTRACE,
-  SEMATTRS_EXCEPTION_TYPE,
+  ATTR_EXCEPTION_MESSAGE,
+  ATTR_EXCEPTION_STACKTRACE,
+  ATTR_EXCEPTION_TYPE,
 } from '@opentelemetry/semantic-conventions';
 import connectPgSimple from 'connect-pg-simple';
 import cors from 'cors';
@@ -276,7 +276,7 @@ export default async function makeApiServer(deps: Dependencies) {
     },
   );
 
-  passport.serializeUser((user: any, done) => {
+  passport.serializeUser((user, done) => {
     done(null, user.id);
   });
 
@@ -422,11 +422,11 @@ export default async function makeApiServer(deps: Dependencies) {
         span.setStatus({ code: SpanStatusCode.ERROR, message: err.message });
 
         // I don't know if these attributes are necessary, with recordException
-        span.setAttribute(SEMATTRS_EXCEPTION_MESSAGE, err.message);
+        span.setAttribute(ATTR_EXCEPTION_MESSAGE, err.message);
         if (err.stack) {
-          span.setAttribute(SEMATTRS_EXCEPTION_STACKTRACE, err.stack);
+          span.setAttribute(ATTR_EXCEPTION_STACKTRACE, err.stack);
         }
-        span.setAttribute(SEMATTRS_EXCEPTION_TYPE, err.name);
+        span.setAttribute(ATTR_EXCEPTION_TYPE, err.name);
 
         const errors = (() => {
           if (err instanceof AggregateError) {

@@ -1,14 +1,16 @@
 #!/usr/bin/env node
 import _ from 'lodash';
 
-import getBottle from '../iocContainer/index.js';
+import getBottle, { type Dependencies } from '../iocContainer/index.js';
 import { logErrorJson } from '../utils/logging.js';
 import { type WorkerOrJob } from '../workers_jobs/index.js';
 
 const { container } = await getBottle();
 
 const workerOrJobName = process.argv[2];
-const workerOrJob = (container as any)[workerOrJobName] as WorkerOrJob;
+const workerOrJob = container[
+  workerOrJobName as keyof Dependencies
+] as WorkerOrJob;
 const controller = new AbortController();
 
 // When the worker/job finishes naturally (which only applies to jobs, as

@@ -85,8 +85,12 @@ describe('Condition Evaluation', () => {
 
               await getConditionSetResults(
                 { conditions, conjunction: ConditionConjunction.OR },
+                // Tests only exercise getSignalCost / tracer.getActiveSpan;
+                // a full RuleEvaluationContext / SafeTracer is unnecessary.
+                /* eslint-disable @typescript-eslint/no-explicit-any */
                 { getSignalCost } as any,
                 jest.fn() as any,
+                /* eslint-enable @typescript-eslint/no-explicit-any */
                 stubRunLeafCondition,
               );
 

@@ -69,12 +69,19 @@ export async function getConditionSetResults(
   runLeafCondition = defaultRunLeafCondition,
 ): Promise<Required<ConditionSetWithResult>> {
   const { conjunction } = conditionSet;
-  const result: ConditionSetWithResult = {
-    conjunction,
-    conditions: [] as unknown as
-      | NonEmptyArray<LeafConditionWithResult>
-      | NonEmptyArray<ConditionSetWithResult>,
-  };
+  // We collect mixed condition results during the loop, then narrow back to
+  // the public "ConditionSetWithResult.conditions" shape at return time. The
+  // public type is a discriminated union of "all leaves" or "all sets", which
+  // can't be safely pushed into; the array's runtime contents stay uniform
+  // because the input "conditionSet.conditions" is uniform.
+  //
+  // The element type is "ReadonlyDeep<...>" here because the inputs we push
+  // come from "ReadonlyDeep<ConditionSet>". We cast back to the mutable
+  // shape at the return site below; the cast is sound because the data is
+  // freshly built and never mutated by callers.
+  const conditionsWithResult: Array<
+    ReadonlyDeep<LeafConditionWithResult | ConditionSetWithResult>
+  > = [];
 
   // The conditions, sorted with lowest cost ones first.
   const getSignalCost = evaluationContext.getSignalCost.bind(evaluationContext);
@@ -99,17 +106,17 @@ export async function getConditionSetResults(
   // if we can determine it before evaluating all conditions.
   let finalOutcome: ConditionOutcome | undefined;
 
-  // This is basically mapping `conditions` to ConditionWithResult, and putting
-  // the mapped array in result.conditions. But we don't use `map` because we
-  // want to run the conditions in sequence (i.e., with an `await` on each loop
+  // This is basically mapping "conditions" to ConditionWithResult, and pushing
+  // them onto "conditionsWithResult". But we don't use "map" because we want to
+  // run the conditions in sequence (i.e., with an "await" on each loop
   // iteration), and map would run them in parallel.
   for (const condition of sortedConditions) {
     // If we already know the final outcome for the condition set, then we can
     // skip all subsequent conditions, and a condition that's skipped has an
     // identical representation for its ConditionWithResult, so we just push
-    // the skipped condition into result.conditions.
+    // the skipped condition through.
     if (finalOutcome !== undefined) {
-      result.conditions.push(condition as any);
+      conditionsWithResult.push(condition);
       continue;
     }
 
@@ -133,14 +140,14 @@ export async function getConditionSetResults(
             ),
           };
 
-    result.conditions.push(conditionWithResult as any);
+    conditionsWithResult.push(conditionWithResult);
     // console.log('RESULT ' + conditionWithResult.result.outcome);
 
     // Attempt to determine the result for the whole condition set from the
     // outcomes so far. If we can, save that result to skip running each
     // condition for the rest of the loop
     const conditionSetOutcome = tryGetOutcomeFromPartialOutcomes(
-      result.conditions.map((c) => c.result!.outcome),
+      conditionsWithResult.map((c) => c.result!.outcome),
       conjunction,
     );
 
@@ -150,12 +157,14 @@ export async function getConditionSetResults(
   }
 
   return {
-    ...result,
+    conjunction,
+    conditions:
+      conditionsWithResult as ConditionSetWithResult['conditions'],
     result: {
       outcome:
         finalOutcome ??
         getConditionSetOutcome(
-          result.conditions.map((c) => c.result!.outcome),
+          conditionsWithResult.map((c) => c.result!.outcome),
           conjunction,
         ),
     },

@@ -203,7 +203,7 @@ export async function runLeafCondition(
           });
         }),
       )
-    : signalInputValues.map((it): SignalResult<any> => {
+    : signalInputValues.map((it): SignalResult<SignalOutputType> => {
         // If the condition specified no signal, then we should act as though
         // the "identity" signal was used; i.e., the value that the condition
         // picked out (with `condition.input`) should be returned as-is.
@@ -259,7 +259,7 @@ export async function runLeafCondition(
               it.score,
               condition.threshold,
               condition.comparator,
-              it.outputType as SignalOutputType,
+              it.outputType,
             )
           : (it as SignalResult<{ scalarType: ScalarTypes['BOOLEAN'] }>).score,
       ),

@@ -1,3 +1,11 @@
+declare namespace Express {
+  // Extend Express.User so passport callbacks (serializeUser, etc.) see the
+  // fields we actually use without per-call `as any` casts.
+  interface User {
+    id: string;
+  }
+}
+
 declare module 'homoglyph-search';
 declare module 'nilsimsa';
 

@@ -14,6 +14,10 @@ import {
 } from '../../utils/errors.js';
 import { safePick } from '../../utils/misc.js';
 import { WEEK_MS } from '../../utils/time.js';
+import {
+  type GQLMutationLoginArgs,
+  type GQLMutationSignUpArgs,
+} from '../generated.js';
 import { type PassportGqlContext } from '../utils/passportContext.js';
 import { buildGraphqlRuleParent } from './buildGraphqlRuleParent.js';
 import { type GraphQLRuleParent } from './ruleKyselyPersistence.js';
@@ -74,7 +78,7 @@ class UserAPI {
     return kyselyUserFindByIds(this.kyselyPg, ids);
   }
 
-  async login(params: any, context: PassportGqlContext) {
+  async login(params: GQLMutationLoginArgs, context: PassportGqlContext) {
     const { email, password } = safePick(params.input, ['email', 'password']);
 
     // Reject missing/empty credentials as a bad request before verifying.
@@ -118,7 +122,10 @@ class UserAPI {
     }
   }
 
-  async signUp(params: any, _: any): Promise<GraphQLUserParent> {
+  async signUp(
+    params: GQLMutationSignUpArgs,
+    _: unknown,
+  ): Promise<GraphQLUserParent> {
     const { role } = params.input;
     const {
       email,

@@ -2,17 +2,7 @@ import { ErrorType, CoopError } from '../../utils/errors.js';
 import { logErrorJson } from '../../utils/logging.js';
 import { gqlErrorResult, gqlSuccessResult } from '../utils/gqlResult.js';
 import { forbiddenError } from '../utils/errors.js';
-
-/** Context shape required by rotateWebhookSigningKey (avoids importing resolvers). */
-type RotateWebhookSigningKeyContext = {
-  getUser: () => {
-    orgId: string;
-    getPermissions: () => readonly string[];
-  } | null | undefined;
-  dataSources: {
-    orgAPI: { rotateWebhookSigningKey: (orgId: string) => Promise<string> };
-  };
-};
+import { type GQLMutationResolvers, type GQLQueryResolvers } from '../generated.js';
 
 const typeDefs = /* GraphQL */ `
   type ApiKey {
@@ -73,8 +63,8 @@ const typeDefs = /* GraphQL */ `
   }
 `;
 
-const Query: any = {
-  async apiKey(_: any, __: any, context: any) {
+const Query: GQLQueryResolvers = {
+  async apiKey(_, __, context) {
     const user = context.getUser();
     if (!user || !user.orgId) {
       throw forbiddenError('User does not have permission to check if key exists');
@@ -89,8 +79,8 @@ const Query: any = {
   },
 };
 
-const Mutation: any = {
-  async rotateApiKey(_: any, { input }: any, context: any) {
+const Mutation: GQLMutationResolvers = {
+  async rotateApiKey(_, { input }, context) {
     const user = context.getUser();
     if (!user || !user.orgId) {
       throw forbiddenError('User does not have permission to rotate the API key');
@@ -103,7 +93,7 @@ const Mutation: any = {
       const { apiKey, record } = await context.services.ApiKeyService.rotateApiKey(
         user.orgId,
         input.name,
-        input.description || null,
+        input.description ?? null,
         user.id
       );
 
@@ -116,7 +106,7 @@ const Mutation: any = {
             description: record.description,
             isActive: record.isActive,
             createdAt: record.createdAt.toISOString(),
-            lastUsedAt: record.lastUsedAt?.toISOString() || null,
+            lastUsedAt: record.lastUsedAt?.toISOString() ?? null,
             createdBy: record.createdBy,
           },
         },
@@ -132,17 +122,13 @@ const Mutation: any = {
           type: [ErrorType.InternalServerError],
           title: 'Failed to rotate API key',
           detail: 'An error occurred while rotating the API key',
-          name: 'InternalServerError',
+          name: 'RotateApiKeyError',
           shouldErrorSpan: true,
         }),
       );
     }
   },
-  async rotateWebhookSigningKey(
-    _: unknown,
-    __: Record<string, never>,
-    context: RotateWebhookSigningKeyContext,
-  ) {
+  async rotateWebhookSigningKey(_, __, context) {
     const user = context.getUser();
     if (!user || !user.orgId) {
       throw forbiddenError('User does not have permission to rotate the webhook signing key');
@@ -171,7 +157,7 @@ const Mutation: any = {
           type: [ErrorType.InternalServerError],
           title: 'Failed to rotate webhook signing key',
           detail: 'An error occurred while rotating the webhook signing key',
-          name: 'InternalServerError',
+          name: 'RotateWebhookSigningKeyError',
           shouldErrorSpan: true,
         }),
       );