solutions-plug · hman38705 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
diff --git a/frontend/next.config.js b/frontend/next.config.js
@@ -96,7 +96,7 @@ const nextConfig = {
           },
           {
             key: 'Content-Security-Policy',
-            value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
+            value: "default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests",
           },
         ],
       },

diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
@@ -1,15 +1,18 @@
 import type { ReactNode } from 'react';
+import { headers } from 'next/headers';
 import { ErrorBoundary } from '../components/ErrorBoundary';
 import { darkModeInitScript } from '../lib/darkMode';
 import '../styles/accessibility.css';
 
 export const metadata = { title: 'PredictIQ' };
 
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
+  const nonce = (await headers()).get('x-nonce') ?? '';
+
   return (
     <html lang="en" suppressHydrationWarning>
       <head>
-        <script dangerouslySetInnerHTML={{ __html: darkModeInitScript }} />
+        <script nonce={nonce} dangerouslySetInnerHTML={{ __html: darkModeInitScript }} />
       </head>
       <body>
         <ErrorBoundary section="main">

diff --git a/frontend/src/components/LandingPage.tsx b/frontend/src/components/LandingPage.tsx
@@ -1,6 +1,7 @@
 import React from 'react';
 import { useI18n } from '../lib/hooks/useI18n';
 import { useDarkMode } from '../lib/hooks/useDarkMode';
+import { type Locale } from '../lib/i18n';
 import { Statistics } from './Statistics';
 import { ErrorBoundary } from './ErrorBoundary';
 
@@ -92,7 +93,7 @@ export const LandingPage: React.FC<LandingPageProps> = ({ className }) => {
                 <select
                   id="locale-select"
                   value={locale}
-                  onChange={(e) => setLocale(e.target.value as any)}
+                  onChange={(e) => setLocale(e.target.value as Locale)}
                   aria-label="Language selection"
                 >
                   {availableLocales.map((loc) => (

diff --git a/frontend/src/lib/api/client.ts b/frontend/src/lib/api/client.ts
@@ -213,15 +213,16 @@ async function request<T>(
           }
         }
 
-        let err: any;
+        let err: unknown;
         try {
           err = await res.json();
         } catch {
           err = {};
         }
-        const message = err?.message ?? res.statusText ?? `HTTP ${res.status}`;
-        const code = err?.code ?? "UNKNOWN_ERROR";
-        const details = err?.details ?? undefined;
+        const errObj = (typeof err === 'object' && err !== null) ? err as Record<string, unknown> : {};
+        const message = (errObj['message'] as string | undefined) ?? res.statusText ?? `HTTP ${res.status}`;
+        const code = (errObj['code'] as string | undefined) ?? "UNKNOWN_ERROR";
+        const details = errObj['details'] as Record<string, unknown> | undefined;
         throw new ApiError(message, res.status, code, details);
       }
 

diff --git a/frontend/src/lib/hooks/useAsync.ts b/frontend/src/lib/hooks/useAsync.ts
@@ -37,7 +37,8 @@ export function useAsync<T>(
       }
     } catch (error) {
       if (isMountedRef.current && !(error instanceof DOMException && error.name === 'AbortError')) {
-        setState({ data: null, loading: false, error: error as Error });
+        const normalized = error instanceof Error ? error : new Error(String(error));
+        setState({ data: null, loading: false, error: normalized });
       }
     }
   }, [asyncFunction]);

diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -0,0 +1,42 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+export function middleware(request: NextRequest) {
+  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
+
+  const cspHeader = [
+    "default-src 'self'",
+    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https:",
+    "font-src 'self' data:",
+    "connect-src 'self' https:",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "upgrade-insecure-requests",
+  ].join('; ');
+
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set('x-nonce', nonce);
+  requestHeaders.set('Content-Security-Policy', cspHeader);
+
+  const response = NextResponse.next({
+    request: { headers: requestHeaders },
+  });
+  response.headers.set('Content-Security-Policy', cspHeader);
+
+  return response;
+}
+
+export const config = {
+  matcher: [
+    {
+      source: '/((?!_next/static|_next/image|favicon.ico).*)',
+      missing: [
+        { type: 'header', key: 'next-router-prefetch' },
+        { type: 'header', key: 'purpose', value: 'prefetch' },
+      ],
+    },
+  ],
+};
diff --git a/frontend/tsconfig.json b/frontend/tsconfig.json
@@ -7,7 +7,9 @@
     ],
     "allowJs": true,
     "skipLibCheck": true,
-    "strict": false,
+    "strict": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
     "noEmit": true,
     "incremental": true,
     "module": "esnext",

diff --git a/services/api/database/migrations/013_add_email_queue_composite_index.sql b/services/api/database/migrations/013_add_email_queue_composite_index.sql
@@ -0,0 +1,9 @@
+-- Composite index for priority-ordered queue worker scans.
+--
+-- The email queue worker queries: WHERE status = 'pending' ORDER BY priority DESC, scheduled_at ASC
+-- The existing separate idx_email_jobs_status and idx_email_jobs_scheduled_at indexes force the
+-- planner to choose one and filter on the other. This composite index covers both columns so the
+-- planner can satisfy the full predicate and sort in a single index scan.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_jobs_status_priority_scheduled
+ON email_jobs (status, priority DESC, scheduled_at ASC);
diff --git a/services/api/database/migrations/014_add_email_events_composite_index.sql b/services/api/database/migrations/014_add_email_events_composite_index.sql
@@ -0,0 +1,9 @@
+-- Composite index for fetching ordered events for a specific email job.
+--
+-- Analytics queries join email_events to a specific job and order results by
+-- timestamp. The existing idx_email_events_job_id covers the equality predicate
+-- but the planner must then sort the results. This composite index covers both
+-- columns so ordered event lists for a single job are resolved in one scan.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_events_job_timestamp
+ON email_events (email_job_id, timestamp DESC);
diff --git a/services/api/database/migrations/015_add_newsletter_cleanup_index.sql b/services/api/database/migrations/015_add_newsletter_cleanup_index.sql
@@ -0,0 +1,11 @@
+-- Partial composite index for the newsletter token cleanup query.
+--
+-- The hourly cleanup deletes rows WHERE confirmed = FALSE AND created_at <= threshold.
+-- The existing idx_newsletter_confirmed covers the boolean predicate but leaves the
+-- planner to filter on created_at afterward. A partial index scoped to unconfirmed
+-- rows means the index is small (only pending subscribers) and covers both the
+-- equality predicate and the range filter in a single scan.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_newsletter_subscribers_cleanup
+ON newsletter_subscribers (created_at ASC)
+WHERE confirmed = FALSE;
diff --git a/services/api/database/migrations/016_add_markets_deadline_index.sql b/services/api/database/migrations/016_add_markets_deadline_index.sql
@@ -0,0 +1,11 @@
+-- Partial index for deadline-based active market queries.
+--
+-- Queries that look up markets expiring before a given timestamp —
+-- e.g. background jobs that auto-close overdue markets — scan the full
+-- markets table today because the existing composite index leads with status
+-- and total_volume. A partial index scoped to active markets and ordered by
+-- ends_at lets those scans skip the resolved and cancelled majority of rows.
+
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_markets_active_ends_at
+ON markets (ends_at ASC)
+WHERE status = 'active';
diff --git a/services/api/sql/performance_indexes.sql b/services/api/sql/performance_indexes.sql
@@ -1,7 +1,29 @@
 -- Recommended indexes for query performance.
+-- Migrations 012–016 promote these into the versioned migration system;
+-- this file is kept as a human-readable reference.
 
+-- markets: featured-list query (status filter + volume sort + deadline sort)
 CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_markets_status_volume_ends_at
 ON markets (status, total_volume DESC, ends_at ASC);
 
+-- markets: deadline-based active-market scans (e.g. auto-close jobs)
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_markets_active_ends_at
+ON markets (ends_at ASC)
+WHERE status = 'active';
+
+-- content: published content ordered by date
 CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_content_published_at
 ON content (is_published, published_at DESC);
+
+-- email_jobs: priority-ordered queue worker scan
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_jobs_status_priority_scheduled
+ON email_jobs (status, priority DESC, scheduled_at ASC);
+
+-- email_events: ordered event timeline for a single job
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_email_events_job_timestamp
+ON email_events (email_job_id, timestamp DESC);
+
+-- newsletter_subscribers: token expiry cleanup (partial — unconfirmed rows only)
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_newsletter_subscribers_cleanup
+ON newsletter_subscribers (created_at ASC)
+WHERE confirmed = FALSE;
diff --git a/services/api/src/body_redact.rs b/services/api/src/body_redact.rs
@@ -2,6 +2,7 @@
 //! for failed request/response logging.
 
 use serde_json::{Map, Value};
+use tracing;
 
 /// Maximum bytes captured from request/response body before truncation.
 pub const MAX_BODY_BYTES: usize = 4 * 1024; // 4 KB
@@ -44,7 +45,10 @@ pub fn redact_sensitive(body: &str) -> String {
     match serde_json::from_str::<Value>(body) {
         Ok(Value::Object(map)) => {
             let redacted = redact_map(map);
-            serde_json::to_string(&Value::Object(redacted)).unwrap_or_else(|_| body.to_owned())
+            serde_json::to_string(&Value::Object(redacted)).unwrap_or_else(|e| {
+                tracing::warn!(error = %e, "failed to serialize redacted body; logging original");
+                body.to_owned()
+            })
         }
         _ => body.to_owned(),
     }

diff --git a/services/api/src/config.rs b/services/api/src/config.rs
@@ -214,6 +214,11 @@ pub struct Config {
     /// are considered orphaned and will be re-queued on worker startup.
     /// Default: 3600 (1 hour). Set via `EMAIL_STALE_JOB_THRESHOLD_SECS`.
     pub email_stale_job_threshold_secs: u64,
+    /// Max rows deleted per newsletter cleanup run. Default: 500.
+    /// Keep this low enough that the DELETE does not hold a table lock long
+    /// enough to noticeably delay concurrent subscriber inserts.
+    /// Set via `NEWSLETTER_CLEANUP_BATCH_SIZE`.
+    pub newsletter_cleanup_batch_size: u64,
     /// HMAC secret for signing unsubscribe tokens.
     pub unsubscribe_signing_secret: Option<String>,
     /// CORS policy.  See [`CorsConfig`] for per-field documentation.
@@ -444,6 +449,10 @@ impl Config {
                 .ok()
                 .and_then(|s| s.parse().ok())
                 .unwrap_or(3600),
+            newsletter_cleanup_batch_size: env::var("NEWSLETTER_CLEANUP_BATCH_SIZE")
+                .ok()
+                .and_then(|s| s.parse().ok())
+                .unwrap_or(500),
             unsubscribe_signing_secret: env::var("UNSUBSCRIBE_SIGNING_SECRET").ok(),
             cors: CorsConfig::from_env(),
             contract_key_schema: ContractKeySchema::from_env(),
@@ -710,6 +719,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,
@@ -780,6 +790,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,
@@ -850,6 +861,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,
@@ -920,6 +932,7 @@ mod tests {
             newsletter_rate_limit_max: 5,
             newsletter_rate_limit_window_secs: 3600,
             email_stale_job_threshold_secs: 3600,
+            newsletter_cleanup_batch_size: 500,
             unsubscribe_signing_secret: None,
             cors: CorsConfig {
                 dev_mode: false,

diff --git a/services/api/src/db.rs b/services/api/src/db.rs
@@ -355,13 +355,25 @@ impl Database {
     }
 
     /// Remove pending (unconfirmed) subscriptions whose token has expired.
-    pub async fn newsletter_delete_expired_pending(&self, token_ttl_secs: u64) -> anyhow::Result<u64> {
+    /// `batch_size` caps the number of rows deleted per call to prevent long
+    /// table locks on large datasets; callers should loop until 0 rows are
+    /// returned if they need to drain the full backlog.
+    pub async fn newsletter_delete_expired_pending(
+        &self,
+        token_ttl_secs: u64,
+        batch_size: u64,
+    ) -> anyhow::Result<u64> {
         let result = self.with_timeout("newsletter_delete_expired_pending", sqlx::query(
             "DELETE FROM newsletter_subscribers
-             WHERE confirmed = FALSE
-               AND created_at <= NOW() - ($1 || ' seconds')::INTERVAL",
+             WHERE id IN (
+                 SELECT id FROM newsletter_subscribers
+                 WHERE confirmed = FALSE
+                   AND created_at <= NOW() - ($1 || ' seconds')::INTERVAL
+                 LIMIT $2
+             )",
         )
         .bind(token_ttl_secs as i64)
+        .bind(batch_size as i64)
         .execute(&self.pool)).await.map_err(anyhow::Error::from)?;
 
         Ok(result.rows_affected())

diff --git a/services/api/src/main.rs b/services/api/src/main.rs
@@ -158,7 +158,8 @@ async fn main() -> anyhow::Result<()> {
         loop {
             interval.tick().await;
             let ttl = db_cleanup.config.newsletter_token_ttl_secs;
-            match db_cleanup.db.newsletter_delete_expired_pending(ttl).await {
+            let batch = db_cleanup.config.newsletter_cleanup_batch_size;
+            match db_cleanup.db.newsletter_delete_expired_pending(ttl, batch).await {
                 Ok(n) if n > 0 => tracing::info!("[newsletter] cleaned up {n} expired pending subscriptions"),
                 Err(e) => tracing::warn!("[newsletter] cleanup error: {e}"),
                 _ => {}

diff --git a/services/api/src/newsletter.rs b/services/api/src/newsletter.rs
@@ -53,10 +53,17 @@ impl IpRateLimiter {
     /// Uses an atomic Redis Lua script so the counter is consistent across
     /// all instances. Fails open (returns `true`) if Redis is unavailable.
     pub async fn allow(&self, key: &str, max_requests: usize, window: Duration) -> bool {
-        let redis_key = format!("newsletter:ratelimit:{key}");
+        let redis_key = format!("newsletter:ratelimit:v1:{key}");
         match self.cache.incr_with_ttl(&redis_key, window).await {
             Ok(count) => count as usize <= max_requests,
-            Err(_) => true, // fail open if Redis is unavailable
+            Err(e) => {
+                tracing::warn!(
+                    error = %e,
+                    key,
+                    "newsletter rate limiter Redis error; failing open to avoid blocking subscribers"
+                );
+                true
+            }
         }
     }
 }
@@ -121,7 +128,7 @@ impl TokenStore {
             return ConfirmResult::InvalidOrExpired;
         };
 
-        let entry = self.pending.remove(&email).unwrap();
+        let entry = self.pending.remove(&email).expect("email was found in pending map immediately above");
 
         if Instant::now() > entry.expires_at {
             return ConfirmResult::InvalidOrExpired;
@@ -174,7 +181,10 @@ pub async fn send_confirmation_email(
 
     if !response.status().is_success() {
         let status = response.status();
-        let body = response.text().await.unwrap_or_default();
+        let body = response.text().await.unwrap_or_else(|e| {
+            tracing::warn!(error = %e, "failed to read SendGrid error response body");
+            String::new()
+        });
         anyhow::bail!("sendgrid returned {status}: {body}");
     }
-Original file line number
+Diff line change
@@ Expand Up / @@ -96,7 +96,7 @@ const nextConfig = { @@
               },
               {
                 key: 'Content-Security-Policy',
-                value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
+                value: "default-src 'self'; script-src 'self' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests",
               },
             ],
           },
@@ Expand Down @@