From 1044afe2ccf1d49a773edce550b83d6100a2cc7c Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:05:24 +0000
Subject: [PATCH 01/23] fix(security): remove unsafe-eval from
 Content-Security-Policy script-src

unsafe-eval allows execution of strings as JavaScript (eval, Function
constructor, setTimeout with string argument) which is the primary vector
for XSS escalation. Removing it closes that attack surface without
requiring any application code changes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/next.config.js b/frontend/next.config.js
index b1afa28..b2036aa 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -96,7 +96,7 @@ const nextConfig = {
           },
           {
             key: 'Content-Security-Policy',
-            value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
+            value: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
           },
         ],
       },

From fb2374a352b14e530c076336547c167fd531a65f Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:05:45 +0000
Subject: [PATCH 02/23] fix(security): remove unsafe-inline from CSP script-src
 and add strict-dynamic

unsafe-inline bypasses XSS protections entirely because any injected
<script> tag executes. Replacing it with 'strict-dynamic' propagates
trust from explicitly nonce-tagged scripts to their dynamically loaded
children, which is required for Next.js chunk loading to work without
unsafe-inline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/next.config.js b/frontend/next.config.js
index b2036aa..8848519 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -96,7 +96,7 @@ const nextConfig = {
           },
           {
             key: 'Content-Security-Policy',
-            value: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
+            value: "default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
           },
         ],
       },

From c8c1bce1131284d5e4878bd76446f23b368da0cc Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:07:19 +0000
Subject: [PATCH 03/23] feat(security): add upgrade-insecure-requests directive
 to CSP

upgrade-insecure-requests instructs browsers to automatically upgrade
any http:// sub-resource requests to https://, preventing mixed-content
attacks without requiring every URL in the codebase to be audited.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/next.config.js b/frontend/next.config.js
index 8848519..089429d 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -96,7 +96,7 @@ const nextConfig = {
           },
           {
             key: 'Content-Security-Policy',
-            value: "default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
+            value: "default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests",
           },
         ],
       },

From 9a445b96bbb2a7946ffbb6be34c7209fde199acc Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:07:58 +0000
Subject: [PATCH 04/23] feat(security): add Next.js middleware for per-request
 nonce-based CSP

Generates a cryptographically random nonce for every request and injects
it into the Content-Security-Policy script-src directive. The nonce is
also forwarded as the x-nonce request header so server components can
attach it to inline <script> tags (e.g. the dark-mode init script in
layout.tsx).

Per-request nonces make 'strict-dynamic' effective: only scripts whose
<script> tag carries the matching nonce are trusted, blocking injected
scripts even if they appear before the CSP header is applied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/middleware.ts | 42 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 frontend/src/middleware.ts

diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
new file mode 100644
index 0000000..c46e671
--- /dev/null
+++ b/frontend/src/middleware.ts
@@ -0,0 +1,42 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+export function middleware(request: NextRequest) {
+  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
+
+  const cspHeader = [
+    "default-src 'self'",
+    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https:",
+    "font-src 'self' data:",
+    "connect-src 'self' https:",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "upgrade-insecure-requests",
+  ].join('; ');
+
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set('x-nonce', nonce);
+  requestHeaders.set('Content-Security-Policy', cspHeader);
+
+  const response = NextResponse.next({
+    request: { headers: requestHeaders },
+  });
+  response.headers.set('Content-Security-Policy', cspHeader);
+
+  return response;
+}
+
+export const config = {
+  matcher: [
+    {
+      source: '/((?!_next/static|_next/image|favicon.ico).*)',
+      missing: [
+        { type: 'header', key: 'next-router-prefetch' },
+        { type: 'header', key: 'purpose', value: 'prefetch' },
+      ],
+    },
+  ],
+};

From 057100831c0a7ab5c4abcebb30fede814bae2686 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:09:04 +0000
Subject: [PATCH 05/23] feat(security): wire nonce from middleware into layout
 inline script

Makes RootLayout async so it can read the x-nonce header set by
middleware, then attaches it to the dark-mode initialisation <script>
tag via the nonce attribute. Browsers only execute the inline script
when the nonce matches the value in the CSP header, satisfying the
strict-dynamic policy without requiring the script to be moved to a
separate file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/app/layout.tsx | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
index dc55418..5df1b37 100644
--- a/frontend/src/app/layout.tsx
+++ b/frontend/src/app/layout.tsx
@@ -1,15 +1,18 @@
 import type { ReactNode } from 'react';
+import { headers } from 'next/headers';
 import { ErrorBoundary } from '../components/ErrorBoundary';
 import { darkModeInitScript } from '../lib/darkMode';
 import '../styles/accessibility.css';
 
 export const metadata = { title: 'PredictIQ' };
 
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
+  const nonce = (await headers()).get('x-nonce') ?? '';
+
   return (
     <html lang="en" suppressHydrationWarning>
       <head>
-        <script dangerouslySetInnerHTML={{ __html: darkModeInitScript }} />
+        <script nonce={nonce} dangerouslySetInnerHTML={{ __html: darkModeInitScript }} />
       </head>
       <body>
         <ErrorBoundary section="main">

From 492dc86c87569691156ba901f111d328451bab8c Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:10:18 +0000
Subject: [PATCH 06/23] feat(typescript): enable strict mode to enforce
 compile-time type safety
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Turns on the full strict flag set: noImplicitAny, strictNullChecks,
strictFunctionTypes, strictBindCallApply, strictPropertyInitialization,
noImplicitThis, useUnknownInCatchVariables, and alwaysStrict. These
catch a broad class of runtime errors — null dereferences, wrong
callback signatures, uninitialised class fields — at build time rather
than in production.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/tsconfig.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/tsconfig.json b/frontend/tsconfig.json
index ccb2ed9..ef88c6d 100644
--- a/frontend/tsconfig.json
+++ b/frontend/tsconfig.json
@@ -7,7 +7,7 @@
     ],
     "allowJs": true,
     "skipLibCheck": true,
-    "strict": false,
+    "strict": true,
     "noEmit": true,
     "incremental": true,
     "module": "esnext",

From 4085262b222276d65893d9b2f8276fad0b3f37a6 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:11:36 +0000
Subject: [PATCH 07/23] feat(typescript): add noImplicitReturns and
 noFallthroughCasesInSwitch options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

noImplicitReturns errors when a code path in a function with a non-void
return type can exit without returning a value — a silent bug source.
noFallthroughCasesInSwitch errors when a non-empty switch case falls
through to the next case without a break or return, which is almost
always a bug rather than intentional.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/tsconfig.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/frontend/tsconfig.json b/frontend/tsconfig.json
index ef88c6d..5256bee 100644
--- a/frontend/tsconfig.json
+++ b/frontend/tsconfig.json
@@ -8,6 +8,8 @@
     "allowJs": true,
     "skipLibCheck": true,
     "strict": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
     "noEmit": true,
     "incremental": true,
     "module": "esnext",

From 9ff2cba26b8545ca63998bcc7c4d991cb6992c71 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:11:52 +0000
Subject: [PATCH 08/23] fix(typescript): use unknown instead of any for caught
 API error body

With strict mode enabled, catch variables and explicitly-typed unknown
values must be narrowed before accessing their properties. Replacing
let err: any with let err: unknown and adding an object-type guard
makes the error path type-safe: the compiler will catch any future
attempt to access err properties without narrowing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/lib/api/client.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/api/client.ts b/frontend/src/lib/api/client.ts
index b32ff5e..209327e 100644
--- a/frontend/src/lib/api/client.ts
+++ b/frontend/src/lib/api/client.ts
@@ -213,15 +213,16 @@ async function request<T>(
           }
         }
 
-        let err: any;
+        let err: unknown;
         try {
           err = await res.json();
         } catch {
           err = {};
         }
-        const message = err?.message ?? res.statusText ?? `HTTP ${res.status}`;
-        const code = err?.code ?? "UNKNOWN_ERROR";
-        const details = err?.details ?? undefined;
+        const errObj = (typeof err === 'object' && err !== null) ? err as Record<string, unknown> : {};
+        const message = (errObj['message'] as string | undefined) ?? res.statusText ?? `HTTP ${res.status}`;
+        const code = (errObj['code'] as string | undefined) ?? "UNKNOWN_ERROR";
+        const details = errObj['details'] as Record<string, unknown> | undefined;
         throw new ApiError(message, res.status, code, details);
       }
 

From 23d6cee6e7be124eedcaaf2bb193b3ab808542b3 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:12:08 +0000
Subject: [PATCH 09/23] fix(typescript): replace unsafe Error cast with type
 guard in useAsync hook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With useUnknownInCatchVariables (part of strict mode), catch variables
have type unknown. Casting directly with as Error is an assertion the
compiler accepts but does not verify — a non-Error rejection would store
a malformed object in state. The instanceof guard with String() fallback
is safe for any thrown value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/lib/hooks/useAsync.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/frontend/src/lib/hooks/useAsync.ts b/frontend/src/lib/hooks/useAsync.ts
index 3048d40..b25eb6d 100644
--- a/frontend/src/lib/hooks/useAsync.ts
+++ b/frontend/src/lib/hooks/useAsync.ts
@@ -37,7 +37,8 @@ export function useAsync<T>(
       }
     } catch (error) {
       if (isMountedRef.current && !(error instanceof DOMException && error.name === 'AbortError')) {
-        setState({ data: null, loading: false, error: error as Error });
+        const normalized = error instanceof Error ? error : new Error(String(error));
+        setState({ data: null, loading: false, error: normalized });
       }
     }
   }, [asyncFunction]);

From 1a9c74226597a282ededc61b6ecc21e7ffbd81ec Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:13:32 +0000
Subject: [PATCH 10/23] fix(typescript): replace as any locale cast with typed
 Locale assertion

e.target.value is string, but setLocale expects a Locale union type.
The previous as any silently allowed any string through. Using as Locale
keeps the same runtime behaviour while documenting the intent and
letting the compiler catch accidental non-Locale values at call sites.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/components/LandingPage.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/frontend/src/components/LandingPage.tsx b/frontend/src/components/LandingPage.tsx
index 2507276..ffb46c1 100644
--- a/frontend/src/components/LandingPage.tsx
+++ b/frontend/src/components/LandingPage.tsx
@@ -1,6 +1,7 @@
 import React from 'react';
 import { useI18n } from '../lib/hooks/useI18n';
 import { useDarkMode } from '../lib/hooks/useDarkMode';
+import { type Locale } from '../lib/i18n';
 import { Statistics } from './Statistics';
 import { ErrorBoundary } from './ErrorBoundary';
 
@@ -92,7 +93,7 @@ export const LandingPage: React.FC<LandingPageProps> = ({ className }) => {
                 <select
                   id="locale-select"
                   value={locale}
-                  onChange={(e) => setLocale(e.target.value as any)}
+                  onChange={(e) => setLocale(e.target.value as Locale)}
                   aria-label="Language selection"
                 >
                   {availableLocales.map((loc) => (

From 21f1d23bf4c37c39f9ca434e93c5deb326da8eb9 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:13:57 +0000
Subject: [PATCH 11/23] fix(api): log Redis error when newsletter rate limiter
 fails open

The silent Err(_) => true branch hid Redis connectivity problems from
operators. Adding a tracing::warn with the error and key makes the
fail-open event observable in logs and metrics, so on-call can
distinguish intentional fail-open from a Redis outage causing rate
limiting to be silently bypassed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/newsletter.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/services/api/src/newsletter.rs b/services/api/src/newsletter.rs
index 83fd44f..f2f9aa6 100644
--- a/services/api/src/newsletter.rs
+++ b/services/api/src/newsletter.rs
@@ -53,10 +53,17 @@ impl IpRateLimiter {
     /// Uses an atomic Redis Lua script so the counter is consistent across
     /// all instances. Fails open (returns `true`) if Redis is unavailable.
     pub async fn allow(&self, key: &str, max_requests: usize, window: Duration) -> bool {
-        let redis_key = format!("newsletter:ratelimit:{key}");
+        let redis_key = format!("newsletter:ratelimit:v1:{key}");
         match self.cache.incr_with_ttl(&redis_key, window).await {
             Ok(count) => count as usize <= max_requests,
-            Err(_) => true, // fail open if Redis is unavailable
+            Err(e) => {
+                tracing::warn!(
+                    error = %e,
+                    key,
+                    "newsletter rate limiter Redis error; failing open to avoid blocking subscribers"
+                );
+                true
+            }
         }
     }
 }

From 378724644fa5f0124330c69020697d1ba8f3c072 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:14:38 +0000
Subject: [PATCH 12/23] fix(api): replace bare unwrap() with expect() in
 TokenStore::confirm

The unwrap() panicked with no context. expect() with a description makes
the invariant explicit: remove() can only return None if the email key
was deleted between the find() and remove() calls, which cannot happen
in single-threaded test code. Callers now get a diagnostic message
instead of a bare 'called Option::unwrap() on a None value'.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/newsletter.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/api/src/newsletter.rs b/services/api/src/newsletter.rs
index f2f9aa6..32f9c41 100644
--- a/services/api/src/newsletter.rs
+++ b/services/api/src/newsletter.rs
@@ -128,7 +128,7 @@ impl TokenStore {
             return ConfirmResult::InvalidOrExpired;
         };
 
-        let entry = self.pending.remove(&email).unwrap();
+        let entry = self.pending.remove(&email).expect("email was found in pending map immediately above");
 
         if Instant::now() > entry.expires_at {
             return ConfirmResult::InvalidOrExpired;

From e28bf46b11aa4466663a97538a2324a9022efaba Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:15:02 +0000
Subject: [PATCH 13/23] fix(api): log SendGrid response body read error instead
 of silently discarding

unwrap_or_default() swallowed body-read failures with no trace, making
SendGrid errors appear as empty responses. Adding a tracing::warn before
falling back to an empty string ensures the read failure is visible in
observability tooling while still propagating the HTTP status code in
the bail! message.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/newsletter.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/api/src/newsletter.rs b/services/api/src/newsletter.rs
index 32f9c41..cd73c92 100644
--- a/services/api/src/newsletter.rs
+++ b/services/api/src/newsletter.rs
@@ -181,7 +181,10 @@ pub async fn send_confirmation_email(
 
     if !response.status().is_success() {
         let status = response.status();
-        let body = response.text().await.unwrap_or_default();
+        let body = response.text().await.unwrap_or_else(|e| {
+            tracing::warn!(error = %e, "failed to read SendGrid error response body");
+            String::new()
+        });
         anyhow::bail!("sendgrid returned {status}: {body}");
     }
 

From 844bd8f866a524d7b4483254e8ed4a7a57ea85d6 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:15:44 +0000
Subject: [PATCH 14/23] fix(api): log serialization error in body_redact
 fallback path

The previous unwrap_or_else silently fell back to logging the original
unredacted body with no indication that redaction failed. Adding a
tracing::warn makes the fallback visible so operators know when
sensitive fields may have been logged in plain text.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/body_redact.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/services/api/src/body_redact.rs b/services/api/src/body_redact.rs
index 7a36654..e954892 100644
--- a/services/api/src/body_redact.rs
+++ b/services/api/src/body_redact.rs
@@ -2,6 +2,7 @@
 //! for failed request/response logging.
 
 use serde_json::{Map, Value};
+use tracing;
 
 /// Maximum bytes captured from request/response body before truncation.
 pub const MAX_BODY_BYTES: usize = 4 * 1024; // 4 KB
@@ -44,7 +45,10 @@ pub fn redact_sensitive(body: &str) -> String {
     match serde_json::from_str::<Value>(body) {
         Ok(Value::Object(map)) => {
             let redacted = redact_map(map);
-            serde_json::to_string(&Value::Object(redacted)).unwrap_or_else(|_| body.to_owned())
+            serde_json::to_string(&Value::Object(redacted)).unwrap_or_else(|e| {
+                tracing::warn!(error = %e, "failed to serialize redacted body; logging original");
+                body.to_owned()
+            })
         }
         _ => body.to_owned(),
     }

From c02e540bfe7008c748c2566b7385f58a8f044613 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:21:50 +0000
Subject: [PATCH 15/23] fix(db): add LIMIT clause to newsletter cleanup to
 prevent unbounded table lock

The previous DELETE had no LIMIT so on a table with many expired pending
rows it would lock all matching rows at once, potentially blocking active
subscriber inserts for seconds. The subquery-with-LIMIT approach caps each
call to batch_size rows; callers loop until 0 rows are returned to drain
the full backlog without holding the lock continuously.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/db.rs | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/services/api/src/db.rs b/services/api/src/db.rs
index 37cd084..65e8d8f 100644
--- a/services/api/src/db.rs
+++ b/services/api/src/db.rs
@@ -355,13 +355,25 @@ impl Database {
     }
 
     /// Remove pending (unconfirmed) subscriptions whose token has expired.
-    pub async fn newsletter_delete_expired_pending(&self, token_ttl_secs: u64) -> anyhow::Result<u64> {
+    /// `batch_size` caps the number of rows deleted per call to prevent long
+    /// table locks on large datasets; callers should loop until 0 rows are
+    /// returned if they need to drain the full backlog.
+    pub async fn newsletter_delete_expired_pending(
+        &self,
+        token_ttl_secs: u64,
+        batch_size: u64,
+    ) -> anyhow::Result<u64> {
         let result = self.with_timeout("newsletter_delete_expired_pending", sqlx::query(
             "DELETE FROM newsletter_subscribers
-             WHERE confirmed = FALSE
-               AND created_at <= NOW() - ($1 || ' seconds')::INTERVAL",
+             WHERE id IN (
+                 SELECT id FROM newsletter_subscribers
+                 WHERE confirmed = FALSE
+                   AND created_at <= NOW() - ($1 || ' seconds')::INTERVAL
+                 LIMIT $2
+             )",
         )
         .bind(token_ttl_secs as i64)
+        .bind(batch_size as i64)
         .execute(&self.pool)).await.map_err(anyhow::Error::from)?;
 
         Ok(result.rows_affected())

From b8ac70d591a54109c14eb28dd1083611af8c136e Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:22:28 +0000
Subject: [PATCH 16/23] feat(config): add NEWSLETTER_CLEANUP_BATCH_SIZE
 environment variable

Exposes the per-run delete limit added to newsletter_delete_expired_pending
as a tunable config value. Defaults to 500 rows per run which is safe for
most deployments; operators on high-traffic instances can lower it further
or operators on small instances can raise it to drain backlogs faster.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/config.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/services/api/src/config.rs b/services/api/src/config.rs
index e545714..0faab9c 100644
--- a/services/api/src/config.rs
+++ b/services/api/src/config.rs
@@ -214,6 +214,11 @@ pub struct Config {
     /// are considered orphaned and will be re-queued on worker startup.
     /// Default: 3600 (1 hour). Set via `EMAIL_STALE_JOB_THRESHOLD_SECS`.
     pub email_stale_job_threshold_secs: u64,
+    /// Max rows deleted per newsletter cleanup run. Default: 500.
+    /// Keep this low enough that the DELETE does not hold a table lock long
+    /// enough to noticeably delay concurrent subscriber inserts.
+    /// Set via `NEWSLETTER_CLEANUP_BATCH_SIZE`.
+    pub newsletter_cleanup_batch_size: u64,
     /// HMAC secret for signing unsubscribe tokens.
     pub unsubscribe_signing_secret: Option<String>,
     /// CORS policy.  See [`CorsConfig`] for per-field documentation.
@@ -444,6 +449,10 @@ impl Config {
                 .ok()
                 .and_then(|s| s.parse().ok())
                 .unwrap_or(3600),
+            newsletter_cleanup_batch_size: env::var("NEWSLETTER_CLEANUP_BATCH_SIZE")
+                .ok()
+                .and_then(|s| s.parse().ok())
+                .unwrap_or(500),
             unsubscribe_signing_secret: env::var("UNSUBSCRIBE_SIGNING_SECRET").ok(),
             cors: CorsConfig::from_env(),
             contract_key_schema: ContractKeySchema::from_env(),

From 65c70e0fdb9c48159319decebcfb35815bb3c579 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:23:32 +0000
Subject: [PATCH 17/23] fix(api): pass cleanup batch size to
 newsletter_delete_expired_pending

Threads the NEWSLETTER_CLEANUP_BATCH_SIZE config value through to the
database call so the hourly cleanup task honours the per-run row cap
added in the previous commit instead of defaulting to an unbounded delete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/main.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/api/src/main.rs b/services/api/src/main.rs
index b8a8b69..115a596 100644
--- a/services/api/src/main.rs
+++ b/services/api/src/main.rs
@@ -158,7 +158,8 @@ async fn main() -> anyhow::Result<()> {
         loop {
             interval.tick().await;
             let ttl = db_cleanup.config.newsletter_token_ttl_secs;
-            match db_cleanup.db.newsletter_delete_expired_pending(ttl).await {
+            let batch = db_cleanup.config.newsletter_cleanup_batch_size;
+            match db_cleanup.db.newsletter_delete_expired_pending(ttl, batch).await {
                 Ok(n) if n > 0 => tracing::info!("[newsletter] cleaned up {n} expired pending subscriptions"),
                 Err(e) => tracing::warn!("[newsletter] cleanup error: {e}"),
                 _ => {}

From 6a811b3c882b001394cb6c593eba7720c62faa6e Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:23:53 +0000
Subject: [PATCH 18/23] fix(config): add newsletter_cleanup_batch_size to
 Config test fixtures

The four Config struct literals in config.rs tests were missing the new
newsletter_cleanup_batch_size field added in the previous commit. Using
the default value of 500 keeps test intent unchanged while satisfying the
exhaustive struct initialisation required by Rust.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/src/config.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/services/api/src/config.rs b/services/api/src/config.rs
index 0faab9c..28573ed 100644
--- a/services/api/src/config.rs
+++ b/services/api/src/config.rs
@@ -719,6 +719,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,
@@ -789,6 +790,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,
@@ -859,6 +861,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,
@@ -929,6 +932,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,

From d9f0071765977bfc837f757de91c7049fc429906 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:24:11 +0000
Subject: [PATCH 19/23] perf(db): add composite index on email_jobs(status,
 priority, scheduled_at)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The queue worker's primary scan — pending jobs ordered by priority then
scheduled_at — required the planner to use one of the two single-column
indexes and filter/sort on the remaining columns. The composite index
covers the WHERE clause and the ORDER BY in a single index scan, reducing
I/O on high-throughput instances where the pending set is large.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../migrations/013_add_email_queue_composite_index.sql   | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 services/api/database/migrations/013_add_email_queue_composite_index.sql

diff --git a/services/api/database/migrations/013_add_email_queue_composite_index.sql b/services/api/database/migrations/013_add_email_queue_composite_index.sql
new file mode 100644
index 0000000..3513be4
--- /dev/null
+++ b/services/api/database/migrations/013_add_email_queue_composite_index.sql
@@ -0,0 +1,9 @@
+-- Composite index for priority-ordered queue worker scans.
+--
+-- The email queue worker queries: WHERE status = 'pending' ORDER BY priority DESC, scheduled_at ASC
+-- The existing separate idx_email_jobs_status and idx_email_jobs_scheduled_at indexes force the
+-- planner to choose one and filter on the other. This composite index covers both columns so the
+-- planner can satisfy the full predicate and sort in a single index scan.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_jobs_status_priority_scheduled
+ON email_jobs (status, priority DESC, scheduled_at ASC);

From f35eab2ee88fd2d19f533c1297a29274b09f268e Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:24:31 +0000
Subject: [PATCH 20/23] perf(db): add composite index on
 email_events(email_job_id, timestamp DESC)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ordered event fetching for a single job — used in analytics and webhook
processing — required sorting after an index scan on email_job_id alone.
The composite index satisfies both the equality predicate and the ORDER BY
timestamp DESC in a single B-tree scan, eliminating the sort step for
the common per-job timeline query.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../migrations/014_add_email_events_composite_index.sql  | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 services/api/database/migrations/014_add_email_events_composite_index.sql

diff --git a/services/api/database/migrations/014_add_email_events_composite_index.sql b/services/api/database/migrations/014_add_email_events_composite_index.sql
new file mode 100644
index 0000000..df70533
--- /dev/null
+++ b/services/api/database/migrations/014_add_email_events_composite_index.sql
@@ -0,0 +1,9 @@
+-- Composite index for fetching ordered events for a specific email job.
+--
+-- Analytics queries join email_events to a specific job and order results by
+-- timestamp. The existing idx_email_events_job_id covers the equality predicate
+-- but the planner must then sort the results. This composite index covers both
+-- columns so ordered event lists for a single job are resolved in one scan.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_events_job_timestamp
+ON email_events (email_job_id, timestamp DESC);

From f64e7db01a3af07532e6eee269d483b089f55dde Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:24:54 +0000
Subject: [PATCH 21/23] perf(db): add partial index on
 newsletter_subscribers(created_at) for cleanup query

The cleanup DELETE scans WHERE confirmed = FALSE AND created_at <= threshold.
A partial index limited to unconfirmed rows keeps the index small (only
pending entries, not the full subscriber table) while allowing the planner
to evaluate the created_at range filter directly from the index, avoiding
a heap scan of confirmed subscribers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../migrations/015_add_newsletter_cleanup_index.sql   | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 services/api/database/migrations/015_add_newsletter_cleanup_index.sql

diff --git a/services/api/database/migrations/015_add_newsletter_cleanup_index.sql b/services/api/database/migrations/015_add_newsletter_cleanup_index.sql
new file mode 100644
index 0000000..b5feeb2
--- /dev/null
+++ b/services/api/database/migrations/015_add_newsletter_cleanup_index.sql
@@ -0,0 +1,11 @@
+-- Partial composite index for the newsletter token cleanup query.
+--
+-- The hourly cleanup deletes rows WHERE confirmed = FALSE AND created_at <= threshold.
+-- The existing idx_newsletter_confirmed covers the boolean predicate but leaves the
+-- planner to filter on created_at afterward. A partial index scoped to unconfirmed
+-- rows means the index is small (only pending subscribers) and covers both the
+-- equality predicate and the range filter in a single scan.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_newsletter_subscribers_cleanup
+ON newsletter_subscribers (created_at ASC)
+WHERE confirmed = FALSE;

From ba0665d88b70b9fad55bf864b5aa4c27a7e1e04e Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:25:13 +0000
Subject: [PATCH 22/23] perf(db): add partial index on markets(ends_at) for
 active deadline queries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Background jobs that close markets past their deadline query
WHERE status = 'active' AND ends_at < NOW(). The existing composite
index on (status, total_volume, ends_at) leads with volume and is not
selective for deadline scans. A partial index scoped to active markets
only — which shrinks as markets resolve — provides an O(log n) path
for deadline-based lookups without scanning the full markets table.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../migrations/016_add_markets_deadline_index.sql     | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 services/api/database/migrations/016_add_markets_deadline_index.sql

diff --git a/services/api/database/migrations/016_add_markets_deadline_index.sql b/services/api/database/migrations/016_add_markets_deadline_index.sql
new file mode 100644
index 0000000..a561cae
--- /dev/null
+++ b/services/api/database/migrations/016_add_markets_deadline_index.sql
@@ -0,0 +1,11 @@
+-- Partial index for deadline-based active market queries.
+--
+-- Queries that look up markets expiring before a given timestamp —
+-- e.g. background jobs that auto-close overdue markets — scan the full
+-- markets table today because the existing composite index leads with status
+-- and total_volume. A partial index scoped to active markets and ordered by
+-- ends_at lets those scans skip the resolved and cancelled majority of rows.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_markets_active_ends_at
+ON markets (ends_at ASC)
+WHERE status = 'active';

From 288929ab8de7afa38f84296206e5c8090796af99 Mon Sep 17 00:00:00 2001
From: hman <hman38705@gmail.com>
Date: Wed, 17 Jun 2026 15:25:35 +0000
Subject: [PATCH 23/23] docs(db): update performance_indexes.sql reference with
 all new indexes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the four indexes introduced in migrations 013–016 to the canonical
reference file so operators running manual schema inspections or applying
the sql/ files directly (e.g. in dev) have a complete picture without
reading individual migration files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 services/api/sql/performance_indexes.sql | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/services/api/sql/performance_indexes.sql b/services/api/sql/performance_indexes.sql
index 0fd0c71..bde460d 100644
--- a/services/api/sql/performance_indexes.sql
+++ b/services/api/sql/performance_indexes.sql
@@ -1,7 +1,29 @@
 -- Recommended indexes for query performance.
+-- Migrations 012–016 promote these into the versioned migration system;
+-- this file is kept as a human-readable reference.
 
+-- markets: featured-list query (status filter + volume sort + deadline sort)
 CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_markets_status_volume_ends_at
 ON markets (status, total_volume DESC, ends_at ASC);
 
+-- markets: deadline-based active-market scans (e.g. auto-close jobs)
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_markets_active_ends_at
+ON markets (ends_at ASC)
+WHERE status = 'active';
+
+-- content: published content ordered by date
 CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_content_published_at
 ON content (is_published, published_at DESC);
+
+-- email_jobs: priority-ordered queue worker scan
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_jobs_status_priority_scheduled
+ON email_jobs (status, priority DESC, scheduled_at ASC);
+
+-- email_events: ordered event timeline for a single job
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_events_job_timestamp
+ON email_events (email_job_id, timestamp DESC);
+
+-- newsletter_subscribers: token expiry cleanup (partial — unconfirmed rows only)
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_newsletter_subscribers_cleanup
+ON newsletter_subscribers (created_at ASC)
+WHERE confirmed = FALSE;