Hot fix (#376)

* (SP: 3) [Backend] add Nova Poshta shipping foundation + checkout persistence + async label workflow (#364)

* (SP: 2) [Frontend] Reduce Vercel variable costs via caching and analytics cleanup (#367)

* perf(vercel): cut runtime costs via notification, blog cache, and analytics changes

* perf(blog): remove server searchParams usage to preserve ISR

* fix(build): align Netlify Node version and remove SpeedInsights import

* chore(release): bump version to 1.0.4

* (SP: 2) [Frontend] Remove [locale] layout force-dynamic and move auth to client-side (#370)

* refactor(frontend): remove locale layout dynamic auth and move header auth client-side

* fix(frontend): prevent stale auth responses in useAuth and remove redundant dashboard dynamic layout

* (SP: 2) [Frontend] Reduce auth overhead and sync auth state across tabs (#372)

* refactor(frontend): remove locale layout dynamic auth and move header auth client-side

* fix(frontend): prevent stale auth responses in useAuth and remove redundant dashboard dynamic layout

* feat(frontend): sync auth state across tabs via BroadcastChannel

* (SP: 2) [Frontend] Quizzes page ISR + client-side progress + GitHub stars cache (#371)

* perf(quiz-flow): move quiz progress to client-side fetch, enable ISR for quizzes page

- Move user progress fetch from SSR to client-side API (/api/quiz/progress)
- Remove force-dynamic and getCurrentUser() from quizzes page
- Add revalidate=300 for ISR caching
- Use window.history.replaceState for tab URL sync (avoid Next.js navigation)
- Add forceMount to TabsContent to prevent layout shift on tab switch
- Fix nested <main> — use <section> inside DynamicGridBackground
- Cache GitHub stars count in sessionStorage to avoid refetch + re-animation

* perf: replace useRef with useState lazy initializer in GitHubStarButton

Fixes React 19 react-hooks/refs ESLint error — useRef.current cannot
be read during render. Uses useState(getStoredStars) to capture the
sessionStorage value once on mount instead.

* fix: stop star icon trembling on hover in GitHubStarButton

* (SP: 1) [Frontend] Fix quiz timer flash and card layout shift on quizzes page (#373)

* perf(quiz-flow): move quiz progress to client-side fetch, enable ISR for quizzes page

- Move user progress fetch from SSR to client-side API (/api/quiz/progress)
- Remove force-dynamic and getCurrentUser() from quizzes page
- Add revalidate=300 for ISR caching
- Use window.history.replaceState for tab URL sync (avoid Next.js navigation)
- Add forceMount to TabsContent to prevent layout shift on tab switch
- Fix nested <main> — use <section> inside DynamicGridBackground
- Cache GitHub stars count in sessionStorage to avoid refetch + re-animation

* perf: replace useRef with useState lazy initializer in GitHubStarButton

Fixes React 19 react-hooks/refs ESLint error — useRef.current cannot
be read during render. Uses useState(getStoredStars) to capture the
sessionStorage value once on mount instead.

* fix: stop star icon trembling on hover in GitHubStarButton

* fix: eliminate quiz timer flash on language switch

Remove Suspense boundary (loading.tsx) that unmounted QuizContainer
during locale navigation. Synchronous session restore via useReducer
lazy initializer and correct timer initialization via useState lazy
initializer prevent any visible state reset on language switch

* fix: replace quiz card layout shift with skeleton grid during progress load

* chore(release): v1.0.5

* (SP: 3)[Shop][DB] Reduce Neon compute: throttle janitor + relax checkout polling + add sweep indexes (#375)

* (SP: 3) [Backend] add internal janitor (jobs 1-4), claim/lease + runbook (G0-G6)

* (SP: 3) [Backend] add provider selector, fix payments gating, i18n checkout errors

* Add shop category images to public

* (SP: 3) [Shop][Monobank] I1 structured logging: codes + logging safety checks

* (SP: 3) [Shop][Monobank] Fail-closed non-browser origin posture for webhook + janitor (ORIGIN_BLOCKED)

* (SP: 3) [Shop][Monobank] [Shop][Monobank] J gate: add orders status ownership test and pass all pre-prod invariants

* (SP: 3) [Shop][Monobank]  review fixes (tests, logging, success UI)

* (SP: 1) [Shop][Monobank] Tighten webhook log-code typing; harden DB tests; minor security/log/UI cleanups

* (SP: 1) [Shop][Monobank] harden Monobank webhook (origin/PII-safe logs) and remove duplicate sha256 hashing

* (SP: 1) [Cart] adding route for user orders to cart page

* (SP: 1) [Cart] fix after review cart mpage and adding index for orders

* (SP: 1) [Cart] Fix cart orders summary auth rendering and return totalCount for orders badge

* (SP: 1) [Cart] remove console.warn from CartPageClient to satisfy monobank logging safety invariant, namespace localStorage cart by user and reset on auth change

* (SP: 1) [Cart] rehydrate per cartOwnerId (remove didHydrate coupling)

* (SP: 2)[Backend] shop/shipping schema migrations foundation

* (SP: 2)[Backend] shop/shipping public routes + np cache + sync

* (SP: 2)[Backend] shop/shipping: shipping persistence + currency policy

* (SP: 2)[Backend] shop/shipping: webhook apply + psp fields + enqueue shipping

* (SP: 2)[Backend] shop/shipping: shipments worker + internal run + np mock

* (SP: 2)[Backend] shop/shipping: admin+ui shipping actions

* (SP: 2)[Backend] shop/shipping: retention + log sanitizer + metrics

* (SP: 1)[Backend] stabilize Monobank janitor (job1/job3) and fix failing apply-outcomes tests

* (SP: 1) [db]: add shop shipping core migration

* (SP: 1) [FIX] resolve merge artifacts in order details page

* (SP: 1) [FIX] apply post-review fixes for shipping and admin flows

* (SP: 1) [FIX] align cart shipping imports (localeToCountry + availability reason code)

* (SP: 1) [FIX] hard-block checkout when shipping disabled + i18n reason mapping

* (SP: 1) [FIX] harden webhook enqueue + shipping worker + NP catalog + cart fail-closed

* (SP: 1) [FIX] Initialize shippingMethodsLoading to true to avoid premature checkout.

* (SP: 1) [FIX] migration 17

* (SP: 1) [DB] migrarion to testind DB and adjusting tests

* (SP: 1)[DB] slow down restock janitor + enforce prod interval floor

* (SP: 1) [DB] add order status lite view (opt-in) + instrumentation

* (SP: 1) [DB] replace checkout success router.refresh polling with backoff API polling

* (SP: 1) [DB] throttle sessions activity heartbeat + use count(*) (PK invariant)

* (SP: 1)[DB] enforce production min intervals for internal shipping jobs

* (SP: 1) [DB] add minimal partial indexes for orders sweeps + rollout notes

* (SP: 1) [DB] refactor sweep claim step to FOR UPDATE SKIP LOCKED batching

* (SP: 1)[DB]: slow janitor schedule to every 30 minutes

* (SP: 1)[DB] increase polling delays for MonobankRedirectStatus

* (SP: 1)[FIX] harden webhooks + fix SSR hydration + janitor/np gates + sweeps refactor

* (SP: 1)[FIX] harden shipping enqueue gating + apply NP interval floor

---------

Co-authored-by: Liudmyla Sovetovs <milkaegik@gmail.com>
Co-authored-by: Lesia Soloviova <106915140+LesiaUKR@users.noreply.github.com>

Author: 3 people

.github/workflows/shop-janitor-restock-stale.yml

@@ -2,7 +2,7 @@ name: Shop janitor - restock stale orders
 
 on:
   schedule:
-    - cron: "*/5 * * * *"
+    - cron: "*/30 * * * *"
   workflow_dispatch: {}
 
 concurrency:

frontend/app/[locale]/shop/checkout/success/MonobankRedirectStatus.tsx

@@ -69,9 +69,9 @@ const UI_STATE_TO_PAYMENT_STATUS_KEY = {
 const STATUS_TOKEN_KEY_PREFIX = 'shop:order-status-token:';
 const POLL_MAX_ATTEMPTS = 10;
 const POLL_MAX_DURATION_MS = 2 * 60 * 1000;
-const POLL_BASE_DELAY_MS = 1_500;
-const POLL_MAX_DELAY_MS = 12_000;
-const POLL_BUSY_RETRY_DELAY_MS = 250;
+const POLL_BASE_DELAY_MS = 3_000;
+const POLL_MAX_DELAY_MS = 15_000;
+const POLL_BUSY_RETRY_DELAY_MS = 1_000;
 const POLL_STOP_ERROR_CODES = new Set([
   'STATUS_TOKEN_REQUIRED',
   'STATUS_TOKEN_INVALID',
@@ -132,6 +132,27 @@ function normalizeToken(value: string | null | undefined): string | null {
 function parseOrderStatusPayload(payload: unknown): OrderStatusModel | null {
   if (!payload || typeof payload !== 'object') return null;
   const root = payload as Record<string, unknown>;
+
+  if (
+    typeof root.id === 'string' &&
+    root.id.trim() &&
+    root.currency === 'UAH' &&
+    typeof root.totalAmountMinor === 'number' &&
+    Number.isFinite(root.totalAmountMinor) &&
+    typeof root.paymentStatus === 'string' &&
+    root.paymentStatus.trim() &&
+    typeof root.itemsCount === 'number' &&
+    Number.isFinite(root.itemsCount)
+  ) {
+    return {
+      id: root.id,
+      currency: root.currency,
+      totalAmountMinor: root.totalAmountMinor,
+      paymentStatus: root.paymentStatus,
+      itemsCount: root.itemsCount,
+    };
+  }
+
   if (root.success !== true) return null;
 
   const orderRaw = root.order;
@@ -181,6 +202,7 @@ async function fetchOrderStatus(args: {
 }): Promise<StatusResult> {
   try {
     const qp = new URLSearchParams();
+    qp.set('view', 'lite');
     if (args.statusToken) {
       qp.set('statusToken', args.statusToken);
     }

frontend/app/[locale]/shop/checkout/success/OrderStatusAutoRefresh.tsx

@@ -5,38 +5,184 @@ import { useEffect, useRef } from 'react';
 
 type Props = {
   paymentStatus: string;
-  maxMs?: number;
-  intervalMs?: number;
 };
 
-function isTerminal(status: string) {
-  return status === 'paid' || status === 'failed' || status === 'refunded';
+const MAX_ATTEMPTS = 8;
+const MAX_DURATION_MS = 2 * 60 * 1000;
+const BASE_DELAY_MS = 2_000;
+const MAX_DELAY_MS = 15_000;
+const JITTER_RATIO = 0.2;
+const TERMINAL_STATUSES = new Set([
+  'paid',
+  'failed',
+  'refunded',
+  'needs_review',
+]);
+
+type StatusFetchResult =
+  | { ok: true; paymentStatus: string }
+  | { ok: false; status: number; code: string };
+
+function normalizeQueryValue(value: string | null): string | null {
+  if (typeof value !== 'string') return null;
+  const trimmed = value.trim();
+  return trimmed.length ? trimmed : null;
+}
+
+function isTerminal(status: string): boolean {
+  return TERMINAL_STATUSES.has(status);
+}
+
+function shouldStopOnError(status: number, code: string): boolean {
+  if (status === 401 || status === 403) return true;
+  if (status !== 400) return false;
+  const normalized = code.trim().toUpperCase();
+  return (
+    normalized === 'STATUS_TOKEN_INVALID' ||
+    normalized === 'INVALID_STATUS_TOKEN' ||
+    normalized.endsWith('TOKEN_INVALID')
+  );
+}
+
+function getBackoffDelayMs(attempt: number): number {
+  return Math.min(BASE_DELAY_MS * 2 ** Math.max(attempt - 1, 0), MAX_DELAY_MS);
+}
+
+function withJitter(delayMs: number): number {
+  const jitterMultiplier = 1 + (Math.random() * 2 - 1) * JITTER_RATIO;
+  return Math.max(0, Math.floor(delayMs * jitterMultiplier));
+}
+
+function getErrorCode(payload: unknown): string {
+  if (!payload || typeof payload !== 'object') return 'INTERNAL_ERROR';
+  const code = (payload as Record<string, unknown>).code;
+  if (typeof code !== 'string') return 'INTERNAL_ERROR';
+  const trimmed = code.trim();
+  return trimmed.length ? trimmed : 'INTERNAL_ERROR';
+}
+
+function parseLitePaymentStatus(payload: unknown): string | null {
+  if (!payload || typeof payload !== 'object') return null;
+  const root = payload as Record<string, unknown>;
+  const paymentStatus = root.paymentStatus;
+  if (typeof paymentStatus !== 'string') return null;
+  const trimmed = paymentStatus.trim();
+  return trimmed.length ? trimmed : null;
+}
+
+async function fetchLiteOrderStatus(args: {
+  orderId: string;
+  tokenKey: string | null;
+  tokenValue: string | null;
+  signal: AbortSignal;
+}): Promise<StatusFetchResult> {
+  const qp = new URLSearchParams();
+  qp.set('view', 'lite');
+  if (args.tokenKey && args.tokenValue) qp.set(args.tokenKey, args.tokenValue);
+
+  const endpoint = `/api/shop/orders/${encodeURIComponent(args.orderId)}/status?${qp.toString()}`;
+
+  const res = await fetch(endpoint, {
+    method: 'GET',
+    cache: 'no-store',
+    headers: { 'Cache-Control': 'no-store' },
+    credentials: 'same-origin',
+    signal: args.signal,
+  });
+
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return { ok: false, status: res.status, code: getErrorCode(body) };
+  }
+
+  const paymentStatus = parseLitePaymentStatus(body);
+  if (!paymentStatus) {
+    return { ok: false, status: 500, code: 'INVALID_STATUS_RESPONSE' };
+  }
+
+  return { ok: true, paymentStatus };
 }
 
-export default function OrderStatusAutoRefresh({
-  paymentStatus,
-  maxMs = 30_000,
-  intervalMs = 1_500,
-}: Props) {
+export default function OrderStatusAutoRefresh({ paymentStatus }: Props) {
   const router = useRouter();
-  const startedAtRef = useRef<number | null>(null);
+  const didTerminalRefreshRef = useRef(false);
 
   useEffect(() => {
     if (isTerminal(paymentStatus)) return;
 
-    if (startedAtRef.current == null) startedAtRef.current = Date.now();
+    let cancelled = false;
+    let timeoutId: number | null = null;
+    let activeController: AbortController | null = null;
+    const startedAtMs = Date.now();
+    let attempts = 0;
+
+    const params = new URLSearchParams(window.location.search);
+    const orderId = normalizeQueryValue(params.get('orderId'));
+    if (!orderId) return;
+
+    const tokenKey = params.has('statusToken') ? 'statusToken' : null;
+    const tokenValue =
+      tokenKey === null ? null : normalizeQueryValue(params.get(tokenKey));
 
-    const id = window.setInterval(() => {
-      const startedAt = startedAtRef.current ?? Date.now();
-      if (Date.now() - startedAt > maxMs) {
-        window.clearInterval(id);
-        return;
+    const wait = async (delayMs: number) =>
+      new Promise<void>(resolve => {
+        timeoutId = window.setTimeout(resolve, delayMs);
+      });
+
+    const run = async () => {
+      while (!cancelled) {
+        if (attempts >= MAX_ATTEMPTS) return;
+        if (Date.now() - startedAtMs >= MAX_DURATION_MS) return;
+
+        attempts += 1;
+        const controller = new AbortController();
+        activeController = controller;
+        const result = await fetchLiteOrderStatus({
+          orderId,
+          tokenKey,
+          tokenValue,
+          signal: controller.signal,
+        }).catch(
+          (): StatusFetchResult => ({
+            ok: false,
+            status: 500,
+            code: 'INTERNAL_ERROR',
+          })
+        );
+
+        if (cancelled) {
+          return;
+        }
+        activeController = null;
+
+        if (result.ok) {
+          if (isTerminal(result.paymentStatus)) {
+            if (!didTerminalRefreshRef.current) {
+              didTerminalRefreshRef.current = true;
+              router.refresh();
+            }
+            return;
+          }
+        } else if (shouldStopOnError(result.status, result.code)) {
+          return;
+        }
+
+        if (attempts >= MAX_ATTEMPTS) return;
+        if (Date.now() - startedAtMs >= MAX_DURATION_MS) return;
+
+        const delayMs = withJitter(getBackoffDelayMs(attempts));
+        await wait(delayMs);
       }
-      router.refresh();
-    }, intervalMs);
+    };
+
+    void run();
 
-    return () => window.clearInterval(id);
-  }, [paymentStatus, router, maxMs, intervalMs]);
+    return () => {
+      cancelled = true;
+      activeController?.abort();
+      if (timeoutId !== null) window.clearTimeout(timeoutId);
+    };
+  }, [paymentStatus, router]);
 
   return <span className="sr-only" aria-live="polite" />;
 }

frontend/app/api/sessions/activity/route.ts

@@ -8,6 +8,15 @@ import { activeSessions } from '@/db/schema/sessions';
 
 const SESSION_TIMEOUT_MINUTES = 15;
 
+function getHeartbeatThrottleMs(): number {
+  const raw = process.env.HEARTBEAT_THROTTLE_MS;
+  const parsed = raw ? Number.parseInt(raw, 10) : Number.NaN;
+  const fallback = 60_000;
+  const floor = 1_000;
+  if (!Number.isFinite(parsed)) return fallback;
+  return Math.max(floor, parsed);
+}
+
 export async function POST() {
   try {
     const cookieStore = await cookies();
@@ -17,15 +26,21 @@ export async function POST() {
       sessionId = randomUUID();
     }
 
+    const now = new Date();
+    const heartbeatThreshold = new Date(
+      now.getTime() - getHeartbeatThrottleMs()
+    );
+
     await db
       .insert(activeSessions)
       .values({
         sessionId,
-        lastActivity: new Date(),
+        lastActivity: now,
       })
       .onConflictDoUpdate({
         target: activeSessions.sessionId,
-        set: { lastActivity: new Date() },
+        set: { lastActivity: now },
+        setWhere: lt(activeSessions.lastActivity, heartbeatThreshold),
       });
 
     if (Math.random() < 0.05) {
@@ -44,7 +59,7 @@ export async function POST() {
 
     const result = await db
       .select({
-        total: sql<number>`count(distinct session_id)`,
+        total: sql<number>`count(*)`,
       })
       .from(activeSessions)
       .where(gte(activeSessions.lastActivity, countThreshold));