Merge Staging to Main

[earzalien]

Summary by cubic

Improved trips, invitations, and budget UX with accessible modals, validated forms, mobile-friendly tabs, and consistent styles. Cleaned up data fetching and types, updated app metadata to 1.0.0, and secured CI deploy notifications with clear Telegram alerts.

• Refactors

  • Modal: lock body scroll, auto-focus on open, Escape to close; aria-modal; refreshed overlay and close button.
  • AddExpenseForm: labeled inputs, inline error banner, submit state; better number/select handling (step=0.01, inputMode), reset after success.
  • Invitations: combined trip + invitations fetch with AbortController; clearer loading/error; organizer included; simpler delete flow with scoped modal buttons and toasts.
  • Guests: unified props; accessible avatars; actionable “Retirer” button for attendees; tighter list layout.
  • NavTabs: NavLink active state with end; ARIA labels + tablist; mobile scrollable tabs; inactive items aria-disabled; minor icon/title fixes.
  • TripInfos/TripCard: accessible headings; safe date formatting; participant pluralization; clearer layout with title fallback and location/date/participants.
  • TripInvitation: accessible overlay; improved header and meta; clearer placeholders; Escape handling.
  • Budget: consistent modal button classes/styles in delete confirmations.
  • Types: TheTrip adds owner_firstname/owner_lastname to match backend.
  • Deploy: clearer step labels, StrictHostKeyChecking, ENVIRONMENT var; secured Telegram success/failure alerts (HTML, URL-encoded) with action run links.

• Dependencies

  • package.json: updated metadata/keywords and bumped version to 1.0.0.

^{Written for commit 740c26c. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 20 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="client/src/components/TripInfos.tsx">

<violation number="1" location="client/src/components/TripInfos.tsx:29">
P2: `aria-labelledby` points to an element id that does not exist, so assistive tech will not find a label for this section. Use an `aria-label` or ensure a matching id exists.</violation>
</file>

<file name="client/src/components/Modal.tsx">

<violation number="1" location="client/src/components/Modal.tsx:35">
P2: Escape key handling is now duplicated (document listener + overlay onKeyDown), so `onClose()` can fire twice for one keypress. This can cause double state updates/unmount side effects. Remove one of the handlers (typically the overlay onKeyDown) when using the global listener.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Escape key handling is now duplicated (document listener + overlay onKeyDown), so onClose() can fire twice for one keypress. This can cause double state updates/unmount side effects. Remove one of the handlers (typically the overlay onKeyDown) when using the global listener.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At client/src/components/Modal.tsx, line 35:

<comment>Escape key handling is now duplicated (document listener + overlay onKeyDown), so `onClose()` can fire twice for one keypress. This can cause double state updates/unmount side effects. Remove one of the handlers (typically the overlay onKeyDown) when using the global listener.</comment>

<file context>
@@ -9,36 +9,67 @@ type ModalProps = {
+    };
+
+    if (isOpen) {
+      document.addEventListener("keydown", handleKeyDown);
+    }
+
</file context>

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/deploy.yml">

<violation number="1" location=".github/workflows/deploy.yml:53">
P1: Interpolating `github.event.head_commit.message` directly inside the shell-quoted `curl` payload enables command injection from crafted commit messages.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/deploy.yml">

<violation number="1" location=".github/workflows/deploy.yml:55">
P2: Escape the commit message before interpolating it into an HTML-formatted Telegram message.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}