Phase 4.2: enable strictNullChecks baseline

[rendall]

Summary

• enable strictNullChecks in backend/functions TS config while keeping noImplicitAny enabled
• remediate strict-null surfaced issues in scoped backend runtime files (src/functions, src/lib) with minimal behavior change
• apply minimal strict-null fixes in backend test files surfaced by yarn test:backend
• mark Phase 4.2 checklist items complete and record the Phase 4.3 gate decision

Scope notes

• execution followed docs/plans/phase-4_2-checklist.md
• no TODO(phase-04.3) suppressions were added

Validation

• yarn run typecheck ✅
• yarn test:backend ✅
• yarn test:frontend ✅
• yarn run ci:local ⚠️ fails in this local environment at backend test startup due missing system library libcrypto.so.3 for mongodb-memory-server with pinned Ubuntu 22.04 MongoDB binary

[Copilot]

Pull request overview

Enables strictNullChecks for the Netlify backend/functions TypeScript build and applies targeted null-safety fixes across backend runtime and backend tests, while recording Phase 4.2 completion and the Phase 4.3 gate decision in the plans/docs.

Changes:

• Turn on strictNullChecks in tsconfig.netlify.functions.json (keeping noImplicitAny).
• Apply minimal strict-null remediations in backend runtime (src/functions, src/lib) and backend tests to keep typecheck/tests green.
• Update Phase 4.2/4.3 planning docs and implementation norms to reflect checklist completion and CI-parity expectations.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tsconfig.netlify.functions.json	Enables strictNullChecks for backend functions compilation.
src/tests/backend/setup-env.ts	Adds a type predicate to keep parsed env entries non-optional under strict null checks.
src/tests/backend/crypt.test.ts	Adds explicit JWT secret guard and adjusts typing around jwt.verify.
src/tests/backend/MongodbService.test.ts	Uses Partial<>/casts and non-null assertions to satisfy strict-null in tests.
src/lib/messages.ts	Types 204 response as Success<undefined> to match body: undefined.
src/lib/crypt.ts	Introduces a JWT secret getter guard and uses it for token signing.
src/lib/SendGridNotificationService.ts	Narrows SENDGRID_VERIFIED_SENDER via a guarded local constant.
src/lib/MongodbService.ts	Adjusts auth password compare to satisfy strict-null typing for user.hash.
src/functions/auth.ts	Uses defined/narrowed headers (eventHeaders) when parsing basic auth credentials.
docs/plans/phase-4_2-checklist.md	Marks Phase 4.2 checklist items complete with recorded outcome notes.
docs/plans/phase-04-type-safety-and-env-handling.md	Adds Phase 4.3 gate note and decision.
docs/norms/implementation.md	Updates pre-PR guidance to use ci:local and adds PR readiness checklist.
docs/archive/phase-4_2_1-ci-local-parity-checklist.md	Archives the Phase 4.2.1 CI-local parity checklist.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

user.hash ?? "" will call bcryptjs.compare() with an invalid hash when hash is missing, which typically throws internally and is then caught in comparePassword. Prefer an explicit guard (e.g., if user.hash is missing, immediately reject error401BadCredentials) to avoid relying on exceptions for control flow and to reduce unnecessary work in the auth path.

Suggested change

	const isSame = await comparePassword(password, user.hash ?? "")
	if (!user.hash) {
	reject(error401BadCredentials)
	return
	}
	const isSame = await comparePassword(password, user.hash)

[rendall]

Implemented in 8f4880b. Added an explicit user.hash guard in authPOST that rejects with error401BadCredentials when missing, then compares only when hash is present. Also tightened one flaky test selection to choose comments with non-null userId.