- Replace verifyPassword with getAuth in OAuth authorize routes
- Replace login form with consent-only form (no credential fields)
- Remove getUserCount bypass from MCP auth middleware
- GET/POST /authorize redirect to /login if no OIDC session
- Install @hono/oidc-auth and jose for OIDC integration
- Rewrite requireAuth middleware with three-way auth: API key, MCP Bearer, OIDC session
- Strip auth.service.ts to API key functions only (remove user/session management)
- Remove all references to getUserCount, getSession, refreshSession from middleware
- All beforeEach now use async/await createTestDb()
- All service calls in tests now awaited
- All direct DB calls (.run()/.all()) replaced with await
- All test callbacks made async
- Fixed PostgreSQL GROUP BY strictness in totals.service.ts (categories.name and categories.icon added to groupBy)
- db type changed to 'any' to accommodate PGlite type differences
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add await before all service calls in auth, OAuth routes
- Convert settings.ts direct DB calls: remove .get()/.run(), use await + destructuring
- Auth middleware: await getUserCount, getSession, refreshSession
- Fix formatting in threads.ts for biome compliance
- All files pass lint
The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
verifyAccessToken is async and returns a Promise. Without await,
the Promise object is always truthy, so any Bearer token (even
invalid ones) was accepted. This fixes MCP OAuth authentication.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Required for claude.ai browser-based OAuth flows that make
cross-origin requests to discovery, token, and MCP endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add well-known metadata, dynamic client registration, authorization
flow with PKCE, and token exchange/refresh endpoints with route-level
integration tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The MCP SDK v1.29.0 changed server.tool() to require Zod schemas
(raw shapes) instead of plain JSON Schema objects. The old format
triggered "expected a Zod schema or ToolAnnotations" errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Quantity was missing from three places in item.service.ts:
- getAllItems didn't select it (API returned undefined)
- createItem didn't pass it to insert (always used DB default of 1)
- updateItem type didn't include it (silently stripped from updates)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds export (GET /api/items/export) and import (POST /api/items/import) routes
backed by a pure csv.service with no external deps, plus useExportItems/useImportItems
hooks and an Import/Export section in the Settings page.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds POST /api/items/:id/duplicate endpoint, useDuplicateItem hook, and a
Duplicate button on ItemCard (collection view only) that opens the new item
for editing immediately after creation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- totals.service: multiply weight/cost sums by quantity in category and global totals
- setup.service: multiply by quantity in getAllSetups SQL subqueries; expose quantity in getSetupWithItems item list
- thread.service: explicitly pass quantity: 1 when inserting resolved item
- ItemForm: add Quantity number input (min=1, default=1) after price field
- ItemCard: show ×N badge next to item name when quantity > 1
- CollectionView: pass quantity prop to ItemCard in both filtered and grouped views
- $setupId.tsx: pass quantity to ItemCard; multiply by quantity in client-side per-setup totals
- WeightSummaryCard: multiply by quantity in all chart and legend weight calculations
- useItems / useSetups: add quantity to ItemWithCategory / SetupItemWithCategory interfaces
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implement in-memory rate limiter with 5 attempts per 15-minute window per IP address. Protects brute-force attacks on credential endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds parseId helper in src/server/lib/params.ts and applies it across
all route files so non-positive-integer IDs return 400 instead of
silently passing NaN to services.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The @/ alias resolves via tsconfig but not in production where
Bun runs server files directly. Use relative paths instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- MCP auth middleware now rejects requests without API key when users exist
- Image /from-url route distinguishes validation errors (400) from server errors (500)
- Password change route returns 401 when no session cookie instead of crashing
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wrap existing service layer with MCP-compatible tool handlers for items,
categories, threads/candidates, setups, and image fetching. Add collection
summary resource for overview data. All 14 MCP-specific tests passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add sortOrder REAL column to threadCandidates schema (default 0)
- Add sort_order column to test helper CREATE TABLE
- Add reorderCandidatesSchema to shared/schemas.ts
- Add ReorderCandidates type to shared/types.ts
- getThreadWithCandidates now orders candidates by sort_order ASC
- createCandidate appends at max sort_order + 1000 (first = 1000)
- Add reorderCandidates service function (transaction, active-only guard)
- Add 5 new tests: ordering, appending, reorder success, resolved guard, missing thread
- Add classification text column (default 'base') to setupItems schema
- Add classificationSchema and updateClassificationSchema Zod validators
- Add UpdateClassification type inferred from Zod schema
- Implement updateItemClassification service function
- Modify getSetupWithItems to return classification field
- Modify syncSetupItems to preserve classifications across re-sync
- Add tests for classification CRUD, preservation, and cross-setup independence
- Generate and apply Drizzle migration
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Schema: status TEXT NOT NULL DEFAULT 'researching' on thread_candidates
- Zod: candidateStatusSchema enum (researching/ordered/arrived) added to createCandidateSchema
- Service: getThreadWithCandidates selects status, createCandidate sets status, updateCandidate accepts status
- Client hooks: CandidateWithCategory and CandidateResponse types include status field
- Migration generated and applied
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Run biome check --write --unsafe to fix tabs, import ordering, and
non-null assertions across entire codebase. Disable a11y rules not
applicable to this single-user app. Exclude auto-generated routeTree.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Rename emoji column to icon in schema, Zod schemas, and all services
- Add Drizzle migration with emoji-to-icon data conversion
- Update test helper, seed, and all test files for icon field
- All 87 tests pass with new icon-based schema
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Setup service with CRUD, syncSetupItems, removeSetupItem
- SQL aggregation for itemCount, totalWeight, totalCost via COALESCE
- Hono routes for all 7 endpoints with zValidator
- Mount setupRoutes at /api/setups
- All 87 tests pass (24 new setup tests)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Thread CRUD: GET /, POST /, GET /:id, PUT /:id, DELETE /:id
- Candidate CRUD: POST /:id/candidates, PUT/DELETE nested candidates
- Resolution: POST /:id/resolve with validation and error handling
- Image cleanup on thread/candidate deletion
- Routes mounted at /api/threads in server index
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
