WIP: Claude Code progress on #65

Automated salvage commit — agent session ended (exit 124).
Work in progress, may need continuation.

artifacts/api-server/src/routes/bootstrap.ts

@@ -138,7 +138,7 @@ router.post("/bootstrap", async (req: Request, res: Response) => {
 // ── GET /api/bootstrap/:id ───────────────────────────────────────────────────
 
 router.get("/bootstrap/:id", async (req: Request, res: Response) => {
-  const { id } = req.params; // Assuming ID is always valid, add Zod validation later
+  const id = String(req.params["id"] ?? ""); // cast: Express 5 params are string
 
   try {
     let job = await getBootstrapJobById(id);

artifacts/api-server/src/routes/relay-policy.ts

@@ -1,10 +1,8 @@
-import { type Express, Router } from "express";
-import { z } from "zod";
-import { Status } from "../lib/http.js";
-import { rootLogger } from "../lib/logger.js";
+import { type Request, Router } from "express";
+import { makeLogger } from "../lib/logger.js";
 
 const router = Router();
-const log = rootLogger.child({ service: "relay-policy" });
+const log = makeLogger("relay-policy");
 
 // ── Auth ──────────────────────────────────────────────────────────────────────
 
@@ -14,7 +12,7 @@ if (!RELAY_POLICY_SECRET) {
   log.warn("RELAY_POLICY_SECRET is not set — /api/relay/policy will be unauthenticated!");
 }
 
-function isAuthenticated(req: Express.Request): boolean {
+function isAuthenticated(req: Request): boolean {
   if (!RELAY_POLICY_SECRET) {
     return true; // No secret configured, so no auth.
   }
@@ -29,43 +27,54 @@ function isAuthenticated(req: Express.Request): boolean {
   return true;
 }
 
-// ── POST /api/relay/policy ────────────────────────────────────────────────────
+// ── Request body shape (manual validation — zod not in deps) ──────────────────
 
-const relayPolicyRequestSchema = z.object({
-  event: z.object({
-    id: z.string(),
-    pubkey: z.string(),
-    kind: z.number(),
-    created_at: z.number(),
-    tags: z.array(z.array(z.string())),
-    content: z.string(),
-    sig: z.string(),
-  }),
-  receivedAt: z.number(),
-  sourceType: z.string(),
-  sourceInfo: z.string(),
-});
+interface StrfryEventBody {
+  event?: {
+    id?: unknown;
+    pubkey?: unknown;
+    kind?: unknown;
+    created_at?: unknown;
+    tags?: unknown;
+    content?: unknown;
+    sig?: unknown;
+  };
+  receivedAt?: unknown;
+  sourceType?: unknown;
+  sourceInfo?: unknown;
+}
+
+function parseRelayPolicyBody(body: unknown): { ok: true; eventId: string } | { ok: false } {
+  if (!body || typeof body !== "object") return { ok: false };
+  const b = body as StrfryEventBody;
+  if (!b.event || typeof b.event !== "object") return { ok: false };
+  const id = b.event.id;
+  if (typeof id !== "string" || !id) return { ok: false };
+  return { ok: true, eventId: id };
+}
 
 type StrfryAction = "accept" | "reject" | "shadowReject";
 
 router.post("/relay/policy", (req, res) => {
   if (!isAuthenticated(req)) {
-    return res.status(Status.UNAUTHORIZED).json({
+    res.status(401).json({
       action: "reject",
       msg: "unauthorized",
     });
+    return;
   }
 
-  const parse = relayPolicyRequestSchema.safeParse(req.body);
-  if (!parse.success) {
-    log.warn("invalid /relay/policy request", { error: parse.error.format() });
-    return res.status(Status.BAD_REQUEST).json({
+  const parsed = parseRelayPolicyBody(req.body);
+  if (!parsed.ok) {
+    log.warn("invalid /relay/policy request");
+    res.status(400).json({
       action: "reject",
       msg: "invalid request",
     });
+    return;
   }
 
-  const eventId = parse.data.event.id;
+  const { eventId } = parsed;
 
   // Bootstrap state: reject everything.
   // This will be extended by whitelist + moderation tasks.