04 — Your first contribution to Someli-admin-api¶
A walkthrough.
1. Pick a small first task¶
Good first tickets:
- Doc fix in
../../audit/Someli-admin-api/. - A
console.logcleanup from../../code-inspect/Someli-admin-api.md. - Add a validator chain to a
routes/routes.jsendpoint that currently accepts unvalidated input. - Sync a byte-identical helper. Open
someli-api/helper/tokenGenerator.jsandSomeli-admin-api/helper/tokenGenerator.js— confirm they're still byte-identical (the audit was at 2026-05-17; they may have drifted since). Open a PR pair if you find drift. - Move the hardcoded session secret to an env var.
server.js:58hardcodessecret: "3eB(2:\srlI+qa5". Change tosecret: conf.SESSION_SECRET || 'change-me', addSESSION_SECRETtoconf.jsand.env.
Avoid for your first PR: anything inside helper/aiLogics.js (drift surface), the Python batch processor, anything spanning the two auth layers.
2. The edit-run-verify loop¶
cd ~/src/someli/Someli-admin-api
# Branch
git checkout dev
git pull origin dev
git checkout -b fix/first-pr
# Run
yarn start # nodemon
# Verify
curl -i http://localhost:5004/<endpoint>
No /health endpoint — pick a known endpoint from ../../audit/Someli-admin-api/API-inventory.md for smoke tests.
3. Entry points to know — a 20-minute reading tour¶
server.js(70 lines). Read entirely.methods.js(16 lines). The Bearer-JWT middleware. Read entirely.middlewares/auth.js. The encrypted-Bearer middleware. Read entirely.routes/routes.js(1400 lines) — scroll through. Note wheremethods.ensureTokenis added and where it's absent.routes/auth.js(957 lines) — scroll. Noticerouter.use(auth)at the top.helper/tokenGenerator.js— short. Read.actions/actions.js— the CRUD layer. Skim.
4. Reading-around your task¶
- Grep:
- Check overlap with
someli-api: - Audit docs:
- Auth →
../../audit/Someli-admin-api/authentication.md - API inventory →
../../audit/Someli-admin-api/API-inventory.md - Code overlap →
../../audit/Someli-admin-api/code-overlap.md
5. Manual testing¶
No test suite.
For a new endpoint:
- Hit it via
curlwith a valid token. - Hit it without a token (expect 401).
- Hit it with a malformed body (expect 400 if you added a validator).
- Use the admin FE (
admin_console_Rrunning locally) pointed at your local backend.
6. Useful local helpers¶
Scratch script¶
// scratch.js (gitignored)
require('dotenv').config();
const { decryptToken } = require('./helper/tokenGenerator');
console.log(decryptToken("..."));
Talking to the DB¶
Same as the rest of the platform. Be careful — admin endpoints typically read/modify all users' data. Don't run experimental SQL on production.
7. Opening the PR¶
git add -p
git commit -m "Add SESSION_SECRET env var; remove hardcoded session secret"
git push -u origin fix/first-pr
# Open PR on github.com/Someli-ai/Someli-admin-api → dev
PR description:
- Why / what
- Manual test plan
- New env vars (if any) — call out at the top
- Whether the change applies to
someli-apitoo — if you touched a byte-identical helper, the answer is yes
8. After merge¶
No in-repo CI. Ask the team how the dev deploy works.
9. Common first-PR mistakes¶
| Mistake | Why it bites | Avoid by |
|---|---|---|
Editing helper/tokenGenerator.js without updating someli-api/helper/tokenGenerator.js |
The two diverge silently — and they're security-critical | Always update both in the same PR pair |
| Mixing the two auth layers in one PR | Easy to forget which auth a new endpoint uses | Decide upfront: encrypted-Bearer (→ routes/auth.js) or plain JWT (→ routes/routes.js + methods.ensureToken) |
| Adding a webhook handler without confirming the bodyparser exemption | Express has already JSON-parsed the body; signature verification fails | The exemption is already in server.js for stripe/paddle paths — confirm yours is on that list |
Forgetting Someli-admin-api shares MySQL with someli-api |
Schema changes break the other repo | Coordinate schema changes |
| Editing the Python file | It's a separate runtime — your Node yarn start won't reflect changes |
Treat the Python file as a separate sub-project |