Commit Graph

47 Commits

Author SHA1 Message Date
1b0013422f feat(28-03): add profile navigation link and extend /me with createdAt
Adds Profile link to UserMenu dropdown (above Settings), extends /me
endpoint to return user's createdAt for member-since display, and
updates AuthState interface with optional createdAt field.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 17:50:36 +02:00
e8207a33f9 feat(28-01): add account management routes for password, email, and deletion
Creates /api/account routes with password change (verifies current first),
email update, has-password check, and account deletion with public setup
anonymization. Adds Zod validation schemas and registers routes in index.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 17:47:17 +02:00
0323e0cd33 feat(26-02): discovery HTTP routes, server registration, and route tests
- Create src/server/routes/discovery.ts with GET /setups, /items, /categories handlers
- Register discoveryRoutes in src/server/index.ts with browseTier rate limiting
- Add auth skip for /api/discovery/* GET requests in auth middleware
- Create tests/routes/discovery.test.ts with 10 tests covering all endpoints and pagination
2026-04-10 14:57:35 +02:00
fc9a9134e8 chore(25-02): apply biome formatter to task 1 and 2 files 2026-04-10 11:06:11 +02:00
6491615b1d feat(25-02): add POST single and bulk upsert routes for global items
- POST /api/global-items upserts single item via upsertGlobalItem service
- POST /api/global-items/bulk upserts up to 100 items via bulkUpsertGlobalItems service
- Zod validation via @hono/zod-validator with upsertGlobalItemSchema and bulkUpsertGlobalItemsSchema
2026-04-10 11:02:49 +02:00
e1afd542ac fix(24): add withImageUrls to public setup endpoint
Public setup view was missing image URL enrichment, causing item images
to be absent for anonymous visitors. Matches the private endpoint pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 10:17:32 +02:00
3b29248845 fix: return database user ID from /api/auth/me instead of Logto sub
Some checks failed
CI / ci (push) Failing after 1m8s
CI / deploy (push) Has been skipped
CI / e2e (push) Has been skipped
The /me endpoint was returning auth.sub (Logto's opaque string) as the
user ID, but the frontend and other API endpoints expect numeric DB IDs.
This caused "can't access property 'id', w[0] is undefined" after login.

Also documents Logto OIDC setup requirements (scopes, env vars) in
CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 22:16:59 +02:00
7dbbfcb915 fix: resolve all 13 remaining test failures
Some checks failed
CI / ci (push) Failing after 56s
CI / e2e (push) Has been skipped
- OAuth: add userId to oauth_codes schema and migration, derive userId
  from stored auth code/token record instead of passing separately
- Auth middleware tests: destructure {db, userId} from createTestDb,
  pass userId to createApiKey, fix error message assertion
- MCP tests: add missing await on getCollectionSummary and
  createSecondTestUser calls

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 20:25:41 +02:00
3638e7b240 fix: resolve all lint errors across source and test files
Some checks failed
CI / ci (push) Failing after 11s
CI / e2e (push) Has been skipped
- Fix unused function parameters (prefix with _)
- Fix unused imports in test files
- Fix import ordering in test files
- Auto-fix formatting issues across 22 files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 19:39:47 +02:00
62249b5b48 Merge branch 'worktree-agent-adbc35a5' into Develop
# Conflicts:
#	.planning/STATE.md
#	drizzle-pg/meta/0002_snapshot.json
#	drizzle-pg/meta/_journal.json
#	src/db/schema.ts
2026-04-06 08:00:04 +02:00
2ec1276849 feat(20-01): add tags table, tag service/route, register global-items route
- Create tags table in schema with id, name (unique), createdAt
- Generate migration for tags table
- Create tag.service.ts with getAllTags (id+name, alphabetical order)
- Create tags.ts route with GET / handler
- Register /api/global-items and /api/tags routes in index.ts
- Add auth skip for GET /api/tags and GET /api/global-items
2026-04-06 07:56:40 +02:00
ecc6ac689a feat(19-03): add tag filtering to global item search and migrate owner count
- searchGlobalItems now accepts tagNames param with AND intersection logic
- Owner count uses items.globalItemId instead of removed itemGlobalLinks
- Removed linkItemToGlobal and unlinkItemFromGlobal functions
- Route handlers now async with tags query param support
- Rewrote tests to async PGlite pattern, added tag filtering tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 20:55:36 +02:00
8a5ee731d0 feat(19-02): add catalog-linked candidates, branched resolution, remove link/unlink routes
- getThreadWithCandidates LEFT JOINs globalItems with COALESCE for name, weight, price, image
- createCandidate accepts and stores globalItemId
- resolveThread branches: reference item (globalItemId set) vs standalone (full data copy)
- Removed link/unlink endpoints from items route (replaced by direct globalItemId FK)
- 6 new tests for catalog-linked candidates and branched resolution
2026-04-05 20:49:56 +02:00
574a12e6fa fix: OIDC auth flow, Vite proxy, and PostgreSQL query compat
- Add auth redirect in root layout for unauthenticated users
- Proxy OIDC routes (/login, /callback, /logout) through Vite dev server
- Strip Secure flag from OIDC cookies in dev mode (HTTP localhost)
- Disable retry on auth query to prevent stale cookie loops
- Fix SQLite .get()/.all()/.run() calls in category and global-item
  services for PostgreSQL compatibility
- Add userId scoping to category service functions
- Add OIDC error logging in auth middleware
- Apply linter auto-formatting across affected files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 18:25:31 +02:00
2843351d90 Merge branch 'worktree-agent-a86c0a6d' into Develop
# Conflicts:
#	.planning/REQUIREMENTS.md
#	.planning/STATE.md
#	src/db/schema.ts
#	src/db/seed.ts
#	src/server/index.ts
#	src/server/routes/setups.ts
#	src/server/services/category.service.ts
#	src/server/services/setup.service.ts
#	src/shared/schemas.ts
#	src/shared/types.ts
2026-04-05 13:13:34 +02:00
465297c398 Merge branch 'worktree-agent-a7e6e4b2' into Develop
# Conflicts:
#	.planning/REQUIREMENTS.md
#	.planning/ROADMAP.md
#	.planning/STATE.md
#	drizzle/meta/_journal.json
#	src/db/schema.ts
#	src/db/seed.ts
#	src/shared/schemas.ts
#	src/shared/types.ts
2026-04-05 13:13:26 +02:00
eb8f4b7cb2 feat(18-03): add profile routes, public setup endpoint, and auth middleware updates
- GET /api/users/:id/profile: public profile with public setups (no auth)
- PUT /api/auth/profile: update own profile (requires auth)
- GET /api/setups/:id/public: public setup view with items (no auth)
- Auth middleware skips public profile and public setup GET endpoints
- Register profileRoutes at /api/users in index.ts
- Add getOrCreateUncategorized to category service (Rule 3 fix)
- 10 route tests covering auth, public access, and 404 cases
2026-04-05 13:10:13 +02:00
d97d5d92ba feat(18-02): add global item routes, item link/unlink endpoints, and route tests
- GET /api/global-items with optional q search parameter
- GET /api/global-items/:id with ownerCount
- POST /api/items/:id/link to link user item to global item
- DELETE /api/items/:id/link to unlink
- Route registered in index.ts
- 10 route tests covering all endpoints
2026-04-05 13:07:26 +02:00
89b0496845 chore(18-03): apply 18-01 schema foundation as dependency baseline 2026-04-05 13:04:09 +02:00
f5d79072f2 feat(17-02): wire storage service into all routes and MCP tools, remove static /uploads/*
- Replace unlink() with deleteImage() in items and threads routes
- Add withImageUrl/withImageUrls to item, thread, setup GET responses
- Enrich MCP tool responses with presigned image URLs
- Remove /uploads/* static file serving from server index
- Update MCP image tool description (local -> storage)
2026-04-05 12:22:41 +02:00
5ce3f92a78 feat(17-02): refactor image service and routes to use S3 storage service
- Replace Bun.write/mkdir with uploadImage() from storage.service
- Remove uploadsDir parameter from fetchImageFromUrl
- Update tests to mock storage service instead of checking filesystem
2026-04-05 12:20:31 +02:00
e78002208a feat(16-03): wire userId from context into all route handlers
- Extract userId via c.get('userId') in every route handler
- Pass userId to all service function calls as second argument
- Update settings routes to use composite key [userId, key]
- Update Env type to include userId in Variables
- Auth routes pass userId to API key management functions
2026-04-05 10:49:51 +02:00
6be9a2b168 fix(15): update oauth routes/tests for async + OIDC session auth
- Add await to all oauth service calls in routes (registerClient, getClient, etc.)
- Rewrite oauth tests to use mocked OIDC session instead of createUser/password
- Test consent-based authorize flow instead of credential-based flow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 21:43:06 +02:00
59e7f4be8a fix(15): convert auth service/tests to async PGlite pattern
The executor agents wrote sync SQLite-style calls (.get(), .all(), .run())
instead of the async Postgres pattern established in Phase 14. Fixed:
- auth.service.ts: use await + destructuring for all DB operations
- auth routes: await listApiKeys
- All auth test files: async createTestDb(), await service calls

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 21:40:12 +02:00
3158274c6a Merge branch 'worktree-agent-a9901af2' into Develop
# Conflicts:
#	.planning/REQUIREMENTS.md
#	.planning/ROADMAP.md
#	.planning/STATE.md
#	bun.lock
#	package.json
#	src/server/middleware/auth.ts
#	src/server/routes/auth.ts
#	src/server/routes/oauth.ts
#	src/server/services/auth.service.ts
2026-04-04 20:48:38 +02:00
c0e6db5aa6 feat(15-02): update MCP OAuth and MCP middleware for OIDC
- Replace verifyPassword with getAuth in OAuth authorize routes
- Replace login form with consent-only form (no credential fields)
- Remove getUserCount bypass from MCP auth middleware
- GET/POST /authorize redirect to /login if no OIDC session
2026-04-04 20:46:23 +02:00
1b6a65b4d5 feat(15-02): rewrite auth routes for OIDC login/callback/logout
- Add top-level /login, /callback, /logout OIDC routes in index.ts
- Strip auth.ts to /me (OIDC claims) and API key CRUD only
- Remove credential-based login, setup, password change routes
- Remove all cookie/session handling from auth routes
2026-04-04 20:44:46 +02:00
22aaed76f2 feat(14-04): convert auth, OAuth, settings routes and auth middleware to async/await
- Add await before all service calls in auth, OAuth routes
- Convert settings.ts direct DB calls: remove .get()/.run(), use await + destructuring
- Auth middleware: await getUserCount, getSession, refreshSession
- Fix formatting in threads.ts for biome compliance
- All files pass lint
2026-04-04 12:43:29 +02:00
5edcc660e4 feat(14-04): convert data route handlers to async/await
- Add await before all service calls in items, categories, threads, setups, totals routes
- Make all handler callbacks async
- Covers getAllItems, createItem, updateItem, deleteItem, duplicateItem,
  getAllCategories, createCategory, updateCategory, deleteCategory,
  getAllThreads, getThreadWithCandidates, createThread, updateThread, deleteThread,
  resolveThread, createCandidate, updateCandidate, deleteCandidate, reorderCandidates,
  getAllSetups, getSetupWithItems, createSetup, updateSetup, deleteSetup,
  syncSetupItems, updateItemClassification, removeSetupItem,
  getCategoryTotals, getGlobalTotals, exportItemsCsv, importItemsCsv
2026-04-04 12:40:55 +02:00
f7c9f3dc94 fix: add Protected Resource Metadata endpoint (RFC 9728)
All checks were successful
CI / ci (push) Successful in 29s
CI / e2e (push) Successful in 1m1s
The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 11:17:21 +02:00
5fdf4c3019 docs: add MCP OAuth documentation and fix lint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:27:34 +02:00
1fad25726d feat: add OAuth 2.1 endpoints (register, authorize, token)
Add well-known metadata, dynamic client registration, authorization
flow with PKCE, and token exchange/refresh endpoints with route-level
integration tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:22:58 +02:00
15f146ee89 feat: add CSV import/export for gear collection
Some checks failed
CI / ci (pull_request) Failing after 22s
CI / e2e (pull_request) Has been skipped
Adds export (GET /api/items/export) and import (POST /api/items/import) routes
backed by a pure csv.service with no external deps, plus useExportItems/useImportItems
hooks and an Import/Export section in the Settings page.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:12:07 +02:00
b9a06dd244 feat: add item duplication with copy-and-edit workflow
Adds POST /api/items/:id/duplicate endpoint, useDuplicateItem hook, and a
Duplicate button on ItemCard (collection view only) that opens the new item
for editing immediately after creation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:07:20 +02:00
2dddba9a08 feat: add rate limiting on login and setup endpoints
Implement in-memory rate limiter with 5 attempts per 15-minute window per IP address. Protects brute-force attacks on credential endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:36:03 +02:00
ecff58500e fix: validate route ID parameters, return 400 for invalid IDs
Adds parseId helper in src/server/lib/params.ts and applies it across
all route files so non-positive-integer IDs return 400 instead of
silently passing NaN to services.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:34:06 +02:00
3016eb1a1a fix: add explicit DB context middleware for all API routes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:31:11 +02:00
17d76761bb fix: address code review issues — MCP auth, error handling, password route
- MCP auth middleware now rejects requests without API key when users exist
- Image /from-url route distinguishes validation errors (400) from server errors (500)
- Password change route returns 401 when no session cookie instead of crashing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:42:34 +02:00
e0e7bfce3e feat: add auth routes for login, setup, and API key management
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:24:26 +02:00
b3a13fa974 feat: add POST /api/images/from-url route
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:17:10 +02:00
d6acfcb126 feat(11-01): PATCH /api/threads/:id/candidates/reorder route + tests
- Import reorderCandidatesSchema and reorderCandidates into threads route
- Add PATCH /:id/candidates/reorder route with Zod validation
- Returns 200 + { success: true } on active thread, 400 on resolved thread
- Add 5 route tests: success, order persists, resolved guard, empty array, missing field
2026-03-16 22:22:31 +01:00
fb738d7cc2 feat(09-01): add classification API route, client hook, badge component, and setup detail wiring
- Add PATCH /:id/items/:itemId/classification endpoint with Zod validation
- Add apiPatch helper to client API library
- Add useUpdateItemClassification mutation hook
- Add classification field to SetupItemWithCategory interface
- Create ClassificationBadge click-to-cycle component (base/worn/consumable)
- Wire ClassificationBadge into setup detail page item grid
- Add integration tests for PATCH classification route (valid + invalid)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 15:13:08 +01:00
b496462df5 chore: auto-fix Biome formatting and configure lint rules
All checks were successful
CI / ci (push) Successful in 15s
Run biome check --write --unsafe to fix tabs, import ordering, and
non-null assertions across entire codebase. Disable a11y rules not
applicable to this single-user app. Exclude auto-generated routeTree.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 19:51:34 +01:00
0f115a2a4b feat(03-01): implement setup backend with junction table
- Setup service with CRUD, syncSetupItems, removeSetupItem
- SQL aggregation for itemCount, totalWeight, totalCost via COALESCE
- Hono routes for all 7 endpoints with zValidator
- Mount setupRoutes at /api/setups
- All 87 tests pass (24 new setup tests)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 12:43:02 +01:00
add3e3371d feat(02-01): add thread API routes and mount in server
- Thread CRUD: GET /, POST /, GET /:id, PUT /:id, DELETE /:id
- Candidate CRUD: POST /:id/candidates, PUT/DELETE nested candidates
- Resolution: POST /:id/resolve with validation and error handling
- Image cleanup on thread/candidate deletion
- Routes mounted at /api/threads in server index

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 11:39:15 +01:00
9fcbf0bab5 feat(01-04): add onboarding wizard with settings API and persisted state
- Settings API: GET/PUT /api/settings/:key with SQLite persistence
- useSettings hook with TanStack Query for settings CRUD
- OnboardingWizard: 3-step modal overlay (welcome, create category, add item)
- Root layout checks onboarding completion flag before rendering wizard
- Skip option available at every step, all paths persist completion to DB

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:51:25 +01:00
029adf4dca feat(01-02): add Hono API routes with validation, image upload, and integration tests
- Item routes: GET, POST, PUT, DELETE with Zod validation and image cleanup
- Category routes: GET, POST, PUT, DELETE with Uncategorized protection
- Totals route: per-category and global aggregates
- Image upload: multipart file handling with type/size validation
- Routes use DI via Hono context variables for testability
- Integration tests: 10 tests covering all endpoints and edge cases
- All 30 tests passing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:40:49 +01:00