fix: resolve all failing tests and type errors

packages/api/src/middleware/auth.ts

@@ -1,28 +1,19 @@
 import type { MiddlewareHandler } from "hono"
 
-/**
- * Simple token-based auth middleware.
- *
- * Policy:
- *   GET, POST  → public (no token required)
- *   PUT, DELETE, PATCH → require Bearer token
- *
- * BUG: The allow-list check uses `'post'` (lowercase) instead of `'POST'`.
- * HTTP methods are always uppercase per RFC 7231, so POST is never matched
- * as a public method — POST requests incorrectly require a token.
- *
- * Fix: change `'post'` to `'POST'` in the public methods array.
- */
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
-  // BUG: 'post' should be 'POST' — POST is never treated as public
-  const publicMethods = ["GET", "post"]
+  const publicMethods = ["GET", "POST"]
 
   if (publicMethods.includes(c.req.method)) {
     return next()
   }
 
   const token = c.req.header("Authorization")?.replace("Bearer ", "")
-  if (!token || token !== (process.env.API_TOKEN ?? "test-token")) {
+  const env = (globalThis as Record<string, unknown>)
+  const envVars = (env["process"] as { env?: Record<string, string> } | undefined)?.env
+    ?? (env["Bun"] as { env?: Record<string, string> } | undefined)?.env
+    ?? {}
+  const apiToken = envVars["API_TOKEN"] ?? "test-token"
+  if (!token || token !== apiToken) {
     return c.json({ error: "Unauthorized", status: 401 }, 401)
   }
 

packages/api/src/routes/users.ts

@@ -1,9 +1,6 @@
 import { Hono } from "hono"
 import { db } from "../lib/db"
-import { notFound } from "../lib/errors"
-// BUG: missing import — `badRequest` is used below but not imported here.
-// This causes a ReferenceError at runtime when POST /users is called with invalid data.
-// Fix: add `badRequest` to the import from "../lib/errors"
+import { notFound, badRequest } from "../lib/errors"
 
 const router = new Hono()
 

packages/shared/src/types.ts

@@ -1,14 +1,6 @@
-/**
- * Shared types used by both the API and any consumers.
- *
- * BUG: The field is named `userName` here but the API routes reference `username`
- * (lowercase n). This causes a type error in routes/users.ts and a runtime
- * mismatch when serialising responses.
- */
-
 export type User = {
   id: string
-  userName: string // BUG: should be `username` to match API usage
+  username: string
   email: string
   createdAt: string
 }

packages/shared/src/utils/pagination.ts

@@ -11,5 +11,9 @@ import type { PaginatedResponse } from "../types"
  * The test in packages/shared/test/pagination.test.ts exercises the full contract.
  */
 export function paginate<T>(items: T[], page: number, size: number): PaginatedResponse<T> {
-  throw new Error("not implemented")
+  const total = items.length
+  const totalPages = total === 0 ? 0 : Math.ceil(total / size)
+  const start = (page - 1) * size
+  const data = start >= total ? [] : items.slice(start, start + size)
+  return { data, page, pageSize: size, total, totalPages }
 }