Fix /my-library production errors and show public playlists

[marcodejongh]

Summary

• Fix hydration mismatch (React fix: Fix queue sync validation errors in party mode #418): Added hasMounted state guard in library-page-content.tsx so SSR and initial client render produce identical HTML (loading state)
• Fix playlist fetch error: Switched useClimbActionsData from GET_USER_PLAYLISTS (requires boardType/layoutId) to GET_ALL_USER_PLAYLISTS (no required params), added guards for boardName-dependent queries
• Fix useBoardProvider outside BoardProvider: Added useOptionalBoardProvider() hook that returns null instead of throwing; updated queue-list.tsx, queue-list-item.tsx, and use-queue-data-fetching.tsx
• Show public playlists for non-auth users: Replaced full-page sign-in block with compact banner; Discover section is now always visible
• Migrate Next.js API routes to backend GraphQL: Moved profile, credentials, controllers, favorites, beta links, climb stats, hold classifications, setter stats, and heatmap to GraphQL resolvers. Removed ~30 API route files (~3600 lines)
• Fix stale wsAuthToken closure: Used useRef in use-save-tick, use-logbook, and use-save-climb hooks so async callbacks always access the freshest auth token
• Escape ILIKE wildcards in setter search: User input containing % or _ is now escaped so it's treated literally in the setter name search
• Add test coverage: 20 new frontend tests for LogAscentForm and TickAction; 26 new backend integration tests for data-query GraphQL resolvers (input validation, auth requirements, edge cases)
• Cron jobs removal: Confirmed intentional — all 4 cron routes were deleted with the API migration, empty crons array is correct

Test plan

• Visit /my-library when NOT logged in — see compact sign-in banner + Discover section with public playlists
• Visit /my-library/playlist/[uuid] when NOT logged in — public playlist detail page loads
• Visit /my-library when logged in — see personal playlists + Jump Back In + Discover
• No hydration error (fix: Fix queue sync validation errors in party mode #418) in console
• No useBoardProvider error in console
• On a board page, "Add to Playlist" shows all playlists (not just current board's)
• Queue functionality on board routes still works
• Log a tick — verify auth token is used correctly (no stale token errors)
• Search for setter with % or _ in name — verify literal search works
• Run npx vitest run in packages/web/ — tick-action and logascent-form tests pass
• Run npx vitest run in packages/backend/ — data-queries resolver tests pass (26 tests)

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
boardsesh	Error		Feb 24, 2026 4:35pm

[claude]

Claude Review

Ready to merge - Minor issue noted below, but nothing blocking.

Issues

1. Bug: Inconsistent property name - packages/web/app/components/beta-videos/beta-videos.tsx:173

   The condition uses foreign_username (old snake_case API format) while the value uses foreignUsername (new camelCase GraphQL format). The type is now BetaLink from @boardsesh/shared-schema which uses foreignUsername. This should be fixed to use foreignUsername consistently.

Notes

• Large refactor migrating ~20 REST API routes to GraphQL backend
• Added useOptionalBoardProvider() hook to avoid throwing errors when used outside BoardProvider
• Added hasMounted guard in library page to fix hydration mismatch (React fix: Fix queue sync validation errors in party mode #418)
• Removed Vercel cron jobs for shared-sync and user-sync (these should be handled elsewhere now)
• Tests deleted with validation.test.ts - validation logic moved to backend schemas

[claude]

Claude Review

✅ Ready to merge - Minor issues noted below, but nothing blocking.

Issues

1. Missing tests for new GraphQL resolvers - packages/backend/src/graphql/resolvers/data-queries/ contains new query/mutation resolvers (betaLinks, climbStatsForAllAngles, holdClassifications, setterStats, holdHeatmap, etc.) but no corresponding tests. The deleted hold-classifications/__tests__/validation.test.ts was not replaced with GraphQL resolver tests.

2. Cron jobs removed (vercel.json:6) - The crons array was emptied. Verify this is intentional - if user-sync-cron was running periodically, automatic syncs will no longer occur.

3. ILIKE wildcards not escaped (packages/backend/src/graphql/resolvers/data-queries/queries.ts:266) - The setter search uses ilike(climbs.setterUsername, %${validatedInput.search}%) which does not escape LIKE wildcards (% and ). Users searching for literal "%" or "" will get unexpected results. Minor UX issue, not a security concern since Drizzle parameterizes properly.

Tests Added

The new tick-action.test.tsx and logascent-form.test.tsx tests provide good coverage for those components including happy paths and edge cases.

[claude]

Claude Review

✅ Ready to merge - Minor issues noted below, but nothing blocking.

Issues

1. Accidental empty file committed - packages/web/app/lib/db/queries/climbs/Untitled is an empty file with no extension that should be removed.

2. Inconsistent ILIKE wildcard escaping - packages/backend/src/db/queries/climbs/create-climb-filters.ts:115 doesn't escape % and _ wildcards in name search, unlike setter search which does escape them (queries.ts:267). Not a security issue (parameterized), but allows unintended wildcard matching.

3. Cron job removal without replacement mechanism - The 4 sync cron jobs (shared-sync, user-sync-cron) are removed. PR description confirms intentional, but worth verifying sync still happens elsewhere or is no longer needed.

Test Coverage

Good test coverage added:

• 26 backend integration tests covering validation and auth requirements
• 20 frontend tests for LogAscentForm and TickAction
• Edge cases like invalid inputs and auth requirements are tested

Documentation

No updates needed - changes don't significantly alter documented systems (WebSocket party session architecture remains unchanged).