v1.5.3 (#346)

* chore: enhance error handling in AddAttendanceDialog

* Improve type safety and fallback logic in isDutyLeaveConstraintError (#347)

* Initial plan

* fix: improve type safety and error handling in isDutyLeaveConstraintError

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>

Author: devakesu

.example.env

@@ -42,7 +42,7 @@
 NEXT_PUBLIC_APP_NAME=GhostClass
 
 # ⚠️ App Version (displayed in health checks and footer)
-NEXT_PUBLIC_APP_VERSION=1.5.2
+NEXT_PUBLIC_APP_VERSION=1.5.3
 
 # ⚠️ Your production domain (without https://)
 # All URL-based variables are derived from this

.github/workflows/pipeline.yml

@@ -146,10 +146,11 @@ jobs:
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image (keyless)
-        env:
-          COSIGN_EXPERIMENTAL: "true"
         run: |
           cosign sign --yes \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.ref }}" \
             ghcr.io/${{ github.repository_owner }}/${{ secrets.IMAGE_NAME }}@${{ steps.build-push.outputs.digest }}
 
       # Trigger deployment in Coolify

.github/workflows/release.yml

@@ -218,16 +218,16 @@ jobs:
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image (keyless)
-        env:
-          COSIGN_EXPERIMENTAL: "true"
         run: |
           cosign sign --yes \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.ref }}" \
+            -a "version=${{ needs.calculate-version.outputs.version }}" \
             ghcr.io/${{ github.repository_owner }}/${{ steps.prep.outputs.image_name }}@${{ steps.build-push.outputs.digest }}
 
       # Sign SBOM file
       - name: Sign SBOM artifact
-        env:
-          COSIGN_EXPERIMENTAL: "true"
         run: |
           cosign sign-blob --yes \
             --bundle sbom.json.bundle \

docs/COSIGN_VERIFICATION.md

@@ -0,0 +1,178 @@
+# Cosign Signature Verification Guide
+
+This document explains how to verify Docker image signatures created by the CI/CD pipeline using Sigstore Cosign.
+
+## Understanding Keyless Signing
+
+Our pipeline uses **keyless signing** with Sigstore Cosign, which means:
+- No private keys to manage or secure
+- Signatures are linked to GitHub Actions OIDC tokens
+- Certificate identity reflects the exact workflow that signed the image
+
+## Certificate Identity Format
+
+When GitHub Actions signs an image, the certificate identity follows this format:
+```
+https://github.com/{OWNER}/{REPO}/.github/workflows/{WORKFLOW}.yml@refs/heads/{BRANCH}
+```
+
+For our main branch pipeline:
+```
+https://github.com/devakesu/GhostClass/.github/workflows/pipeline.yml@refs/heads/main
+```
+
+For releases:
+```
+https://github.com/devakesu/GhostClass/.github/workflows/release.yml@refs/tags/{VERSION}
+```
+
+## Verification Methods
+
+### Method 1: Regex Pattern (Recommended for Automation)
+
+This method is flexible and works across different workflows and tags:
+
+```bash
+cosign verify \
+  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass:main
+```
+
+**Advantages:**
+- Works for both `pipeline.yml` and `release.yml`
+- Works for all branches and tags
+- Simpler to maintain
+
+### Method 2: Exact Identity Match (Strict Verification)
+
+For maximum security when you know the exact workflow:
+
+```bash
+# For main branch (pipeline.yml)
+cosign verify \
+  --certificate-identity="https://github.com/devakesu/GhostClass/.github/workflows/pipeline.yml@refs/heads/main" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass:main
+
+# For releases (release.yml)
+cosign verify \
+  --certificate-identity="https://github.com/devakesu/GhostClass/.github/workflows/release.yml@refs/tags/v1.3.0" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass:v1.3.0
+```
+
+**Advantages:**
+- Most restrictive
+- Ensures signature came from specific workflow and branch
+
+**Disadvantages:**
+- Must update for different workflows or branches
+- Harder to automate
+
+## Deployment System Integration
+
+### Coolify
+
+If you're using Coolify or similar deployment systems that run health checks, update your verification script:
+
+```bash
+#!/bin/bash
+set -e
+
+# Download cosign
+wget -qO /tmp/cosign https://github.com/sigstore/cosign/releases/download/v2.2.4/cosign-linux-amd64
+chmod +x /tmp/cosign
+
+# Verify signature using regex pattern (more flexible)
+/tmp/cosign verify \
+  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass:main
+
+# Verify attestation
+/tmp/cosign verify-attestation \
+  --type cyclonedx \
+  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass:main
+
+echo "✓ Image signature and attestation verified successfully"
+```
+
+### Docker Compose / Kubernetes
+
+Add an init container or pre-deployment job:
+
+```yaml
+# Example init container for Kubernetes
+initContainers:
+  - name: verify-signature
+    image: gcr.io/projectsigstore/cosign:v2.2.4
+    command:
+      - sh
+      - -c
+      - |
+        cosign verify \
+          --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
+          --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+          ghcr.io/devakesu/ghostclass:main
+```
+
+## Troubleshooting
+
+### Error: "no signatures found"
+
+**Possible causes:**
+1. Image was built before signing was implemented
+2. Signing step failed in CI/CD pipeline
+3. Using wrong certificate identity or OIDC issuer
+4. Image digest doesn't match (use `@sha256:...` instead of tags when possible)
+
+**Solutions:**
+```bash
+# Check if signature exists
+cosign tree ghcr.io/devakesu/ghostclass:main
+
+# Verify with more verbose output
+cosign verify \
+  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass:main \
+  --verbose
+```
+
+### Error: "certificate identity mismatch"
+
+Your certificate identity doesn't match what was used during signing.
+
+**Solution:** Use regex pattern instead of exact match:
+```bash
+# ❌ Too specific
+--certificate-identity="https://github.com/devakesu/GhostClass"
+
+# ✅ Flexible regex
+--certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/"
+```
+
+### Verifying Specific Image Digest
+
+For maximum security, verify using the image digest instead of tags:
+
+```bash
+# Get the digest
+docker pull ghcr.io/devakesu/ghostclass:main
+docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/devakesu/ghostclass:main
+
+# Verify the digest
+cosign verify \
+  --certificate-identity-regexp="^https://github.com/devakesu/GhostClass/.github/workflows/" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/devakesu/ghostclass@sha256:abc123...
+```
+
+## Reference
+
+- [Sigstore Cosign Documentation](https://docs.sigstore.dev/cosign/overview/)
+- [GitHub Actions OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [Keyless Signing Explained](https://docs.sigstore.dev/cosign/keyless/)

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "ghostclass",
-  "version": "1.5.2",
+  "version": "1.5.3",
   "private": true,
   "engines": {
     "node": "^20.19.0 || >=22.12.0",

package.json

@@ -5,7 +5,7 @@ openapi: 3.1.0
 
 info:
   title: GhostClass API
-  version: 1.5.2
+  version: 1.5.3
   description: |
     **GhostClass API** provides endpoints for managing attendance synchronization with EzyGo.
     

public/api-docs/openapi.yaml

@@ -356,14 +356,15 @@ export function AddAttendanceDialog({
       onOpenChange(false);
 
     } catch (error: any) {
-      logger.error("Add Record Failed:", error);
-      
       // Check for duty leave constraint violation in catch block as well
       if (isDutyLeaveConstraintError(error)) {
         toast.error(getDutyLeaveErrorMessage(courseId, coursesData));
-        // Expected business constraint violation; do not report to Sentry
+        // Expected business constraint violation; do not report to Sentry or log as error
         return;
-      } 
+      }
+      
+      // Only log and report unexpected errors
+      logger.error("Add Record Failed:", error);
       toast.error("Failed to add record");
 
       Sentry.captureException(error, {

src/components/attendance/AddAttendanceDialog.tsx

@@ -52,6 +52,37 @@ describe('Duty Leave Constraint Error Handling', () => {
     it('should handle undefined error gracefully', () => {
       expect(isDutyLeaveConstraintError(undefined)).toBe(false);
     });
+
+    it('should match P0001 error using message fallback when hint is missing', () => {
+      const error = {
+        code: 'P0001',
+        message: 'Maximum 5 Duty Leaves exceeded for course: 12345'
+      };
+
+      expect(isDutyLeaveConstraintError(error)).toBe(true);
+    });
+
+    it('should match P0001 error when nested in details property', () => {
+      const error = {
+        details: {
+          code: 'P0001',
+          hint: 'Only 5 duty leaves allowed per semester per course',
+          message: 'Maximum 5 Duty Leaves exceeded for course: 72329'
+        }
+      };
+
+      expect(isDutyLeaveConstraintError(error)).toBe(true);
+    });
+
+    it('should still use message fallback when details is a non-object value', () => {
+      const error = {
+        code: 'P0001',
+        message: 'Maximum 5 Duty Leaves exceeded for course: 72329',
+        details: 'Additional error context'
+      };
+
+      expect(isDutyLeaveConstraintError(error)).toBe(true);
+    });
   });
 
   describe('getDutyLeaveErrorMessage', () => {

src/lib/__tests__/duty-leave-error-handling.test.ts

@@ -27,12 +27,39 @@ export interface DatabaseError {
  * }
  * ```
  */
-export function isDutyLeaveConstraintError(error: DatabaseError | null | undefined): boolean {
-  if (!error) return false;
-  return (
-    error.code === "P0001" && 
-    error.hint === "Only 5 duty leaves allowed per semester per course"
+export function isDutyLeaveConstraintError(error: unknown): boolean {
+  if (!error || typeof error !== "object") return false;
+  
+  const errorObj = error as Record<string, unknown>;
+  
+  // Check direct error properties
+  const isDirectMatch = (
+    errorObj.code === "P0001" && 
+    errorObj.hint === "Only 5 duty leaves allowed per semester per course"
   );
+  
+  if (isDirectMatch) return true;
+  
+  // Check if error is wrapped in a details property or other nested structure
+  if (errorObj.details && typeof errorObj.details === "object") {
+    const details = errorObj.details as Record<string, unknown>;
+    const isNestedMatch =
+      details.code === "P0001" &&
+      details.hint === "Only 5 duty leaves allowed per semester per course";
+
+    if (isNestedMatch) {
+      return true;
+    }
+  }
+  
+  // Check error message as fallback
+  if (errorObj.message && typeof errorObj.message === 'string') {
+    return errorObj.message.includes('Maximum') && 
+           errorObj.message.includes('Duty Leaves exceeded') &&
+           errorObj.code === "P0001";
+  }
+  
+  return false;
 }
 
 /**