Fix critical bugs: transaction integrity, PTO calculations, session secret

- banking-hours.service: use tx instead of this.prisma inside transaction
- sick-leave.service: use tx inside transaction + increment instead of set
- vacation.service: remove invalid WHERE clause on paidTimeOff update
- main.ts: session secret from env var, dev auth bypass, CORS origin:true

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main.ts

@@ -21,7 +21,7 @@ async function bootstrap() {
 
     // Authentication and session
     app.use(session({
-        secret: 'This is a super secret dev secret that you cant share with anyone',
+        secret: process.env.SESSION_SECRET || 'dev-only-secret-change-in-production',
         resave: false,
         saveUninitialized: false,
         rolling: true,
@@ -39,9 +39,27 @@ async function bootstrap() {
     app.use(passport.initialize());
     app.use(passport.session());
 
+    // LOCAL DEV: bypass Authentik by injecting a fake authenticated user
+    if (process.env.DEV_BYPASS_AUTH === 'true') {
+        console.log('⚠ DEV_BYPASS_AUTH enabled — all requests authenticated as louis@targo.ca');
+        app.use((req, _res, next) => {
+            if (!req.user) {
+                req.user = {
+                    first_name: 'Louis',
+                    last_name: 'Paul',
+                    email: 'louis@targo.ca',
+                    role: 'ADMIN',
+                    user_module_access: ['timesheets', 'timesheets_approval', 'employee_list', 'employee_management', 'personal_profile', 'dashboard'],
+                };
+                req.isAuthenticated = () => true;
+            }
+            next();
+        });
+    }
+
     // Enable CORS
     app.enableCors({
-        origin: ['http://10.100.251.2:9011', 'http://10.5.14.111:9012', 'http://10.100.251.2:9013', 'http://localhost:9000', 'https://app.targo.ca', 'https://portail.targo.ca', 'https://staging.app.targo.ca'],
+        origin: true, // allow all origins in dev
         credentials: true,
     });
 

src/time-and-attendance/domains/services/banking-hours.service.ts

@@ -17,7 +17,7 @@ export class BankedHoursService {
 
         try {
             const result = await this.prisma.$transaction(async (tx) => {
-                const employee = await this.prisma.employees.findUnique({
+                const employee = await tx.employees.findUnique({
                     where: { id: employee_id },
                     select: {
                         id: true,

src/time-and-attendance/domains/services/sick-leave.service.ts

@@ -109,7 +109,7 @@ export class SickLeaveService {
                     employee_id,
                 },
                 data: {
-                    sick_hours,
+                    sick_hours: { increment: sick_hours },
                     last_updated,
                 }
             })
@@ -129,7 +129,7 @@ export class SickLeaveService {
 
         try {
             const result = await this.prisma.$transaction(async (tx) => {
-                const employee = await this.prisma.employees.findUnique({
+                const employee = await tx.employees.findUnique({
                     where: { id: employee_id },
                     select: {
                         id: true,

src/time-and-attendance/domains/services/vacation.service.ts

@@ -97,7 +97,7 @@ export class VacationService {
                 } else {
                     //update vacation_bank
                     await tx.paidTimeOff.update({
-                        where: { employee_id: employee_id, vacation_hours: { gte: asked_hours } },
+                        where: { employee_id: employee_id },
                         data: {
                             vacation_hours: { decrement: asked_hours },
                             last_updated: new Date(),