Step 3 (production-readiness): PII storage, validated reads, seams

Implement-now:
- G1: keep PII out of persistent storage — never persist BSN (only `naam`);
  move both wizard drafts (address/email, work data) localStorage → sessionStorage
  so they clear on tab close.
- G2: validate storage reads before trusting the cast — shape/tag guard in every
  restore() (mirrors the parse* HTTP boundary); corrupt/foreign shape → start fresh.
- G3: already satisfied (debug-state redacts via mask.ts).

Show-the-seam (hook + doc, not fully built):
- G4: problemFieldErrors() maps a server validation envelope (ASP.NET
  ValidationProblemDetails `errors`) to the field-keyed map the wizards already
  render; returns {} until the backend sends it. +spec.
- G5: documented the retry/backoff seam at the adapter GET loader; reads may
  retry, mutating submits never do.

Out of scope (named): unsaved-changes warning (persistence prevents data loss),
real auth/tokens, axe-core in CI.

Gate green: lint, check:tokens, build, test 79/79.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-27 14:07:10 +02:00
parent 474c040410
commit 9c2a80451f
6 changed files with 69 additions and 18 deletions

View File

@@ -15,6 +15,12 @@ export class DashboardViewAdapter {
// The value is still untrusted JSON — parseDashboardView validates it at the
// boundary and maps DTO → domain before the app uses it.
//
// SEAM (G5): retry-with-backoff for non-mutating reads wraps the loader here —
// e.g. `loader: () => withBackoff(() => this.client.dashboardView())` — since the
// adapter is the single place HTTP lives. Reads are safe to retry; MUTATING calls
// (the submit-* commands) must NEVER auto-retry — and don't. Manual retry
// (resource.reload via <app-async>) covers the UX today, so backoff stays unbuilt.
dashboardViewResource() {
return resource({ loader: () => this.client.dashboardView() });
}