Commit Graph

35 Commits

Author SHA1 Message Date
4ccbb2b070 fix: wire catalog add buttons, fix Trans bold rendering, lint cleanup
Some checks failed
CI / ci (push) Failing after 1m44s
CI / e2e (push) Has been skipped
CI / deploy (push) Has been skipped
- CatalogSearchOverlay: replace handleAddStub with real openAddToCollection/openAddToThread routing based on catalogSearchMode
- ConfirmDialog + __root.tsx: swap t() for Trans component on deleteItemMessage, deleteCandidateMessage, pickWinnerMessage — fixes <bold> rendering as literal text
- Biome format pass: fix 23 lint/format errors across scripts, services, tests
- Planning: mark all UAT and verification gaps resolved for phases 07, 11, 16, 20, 21, 22, 24, 32, 34; close debug sessions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 15:36:16 +02:00
ec27df1d0f feat: manufacturers route — list, get, create
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 16:16:27 +02:00
4b26a6c88e feat: public item detail view for shared and public setups
All checks were successful
CI / ci (push) Successful in 1m23s
CI / e2e (push) Has been skipped
CI / deploy (push) Successful in 15s
Items in shared/public setups are now viewable without auth. Clicking
an item in a shared setup navigates to /items/:id?setup=:setupId&share=token
which fetches the item via a public endpoint authorized by the setup's
visibility or share token. Read-only mode hides all owner controls.

- Added getSetupItemById service function
- Added GET /api/shared/:token/items/:itemId endpoint
- Added GET /api/setups/:setupId/items/:itemId/public endpoint
- Added usePublicSetupItem and useSharedSetupItem hooks
- Item detail page detects setup context and switches to public fetch
- Back link returns to setup instead of collection in setup context

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 20:17:54 +02:00
1fbd9bc609 fix: inject db context for /s/* short share URL route
All checks were successful
CI / ci (push) Successful in 1m22s
CI / e2e (push) Has been skipped
CI / deploy (push) Successful in 15s
The /s/:token route was registered outside the /api/* db middleware
scope, causing db to be undefined and a 500 error on share link access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 20:01:48 +02:00
3df9eece83 feat(33-04): add community price service, API routes, and setup currency metadata
- Create community-price.service.ts with ownership validation, upsert, median aggregation
- Create community-prices route (GET stats public, POST requires auth + ownership)
- Register community-prices route with public GET access
- Add priceCurrency to both getSetupWithItems and getSetupWithItemsById
- Aggregation uses PERCENTILE_CONT(0.5) with 3-report minimum threshold

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 18:06:48 +02:00
52dce7b72b feat(33-03): add market prices API, exchange rates endpoint, currency context
- Create market-price.service.ts with getMarketPrices, upsertMarketPrice
- Create exchange-rates route (GET /api/exchange-rates, public)
- Create market-prices route (GET/POST /api/market-prices/global-items/:id/prices)
- Register new routes in server index with public GET access
- Add priceCurrency to item service getAllItems/getItemById/createItem
- Add foundPriceCents/Currency/Date to thread candidate select and create/update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 18:05:24 +02:00
da159d10b8 feat: add share link service, API routes, and short URL redirect
Create share.service.ts with token generation (128-bit base64url),
CRUD operations, validation, and visibility transition side effects.
Add share endpoints under /api/setups/:id/shares, shared access at
/api/shared/:token, and /s/:token short URL redirect.

Plan: 32-02 (Setup Sharing System - Share Link Backend)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 17:59:39 +02:00
9318bc56ac style: fix biome formatting in logout redirect
All checks were successful
CI / ci (push) Successful in 1m11s
CI / e2e (push) Has been skipped
CI / deploy (push) Successful in 14s
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 22:06:58 +02:00
4241023950 fix: use GEARBOX_URL for post-logout redirect URI
Some checks failed
CI / ci (push) Failing after 12s
CI / e2e (push) Has been skipped
CI / deploy (push) Has been skipped
Behind a reverse proxy, c.req.url resolves to the internal URL, which
doesn't match the registered post_logout_redirect_uri in Logto.
Use GEARBOX_URL env var (already required for OAuth) as the
redirect target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 22:05:53 +02:00
cba3804b31 fix: include client_id in Logto end-session redirect
All checks were successful
CI / ci (push) Successful in 1m13s
CI / e2e (push) Has been skipped
CI / deploy (push) Successful in 13s
Logto needs client_id to validate the post_logout_redirect_uri and
auto-redirect back to the app. Without it, user gets stuck on
Logto's end-session success page.

Note: post_logout_redirect_uri must be registered in Logto Console
under the app's "Post sign-out redirect URIs".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 21:58:27 +02:00
23cfbf7e4b fix: redirect to Logto end-session endpoint on logout
All checks were successful
CI / ci (push) Successful in 1m12s
CI / e2e (push) Has been skipped
CI / deploy (push) Successful in 20s
After revoking the local session, redirect to Logto's /session/end
so the OIDC session is cleared too. Previously redirected to /login
which immediately re-authenticated via the still-valid Logto session.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 21:54:49 +02:00
5b35e60477 feat(30-01): create onboarding route with Zod validation and register
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 20:43:29 +02:00
e8207a33f9 feat(28-01): add account management routes for password, email, and deletion
Creates /api/account routes with password change (verifies current first),
email update, has-password check, and account deletion with public setup
anonymization. Adds Zod validation schemas and registers routes in index.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 17:47:17 +02:00
0323e0cd33 feat(26-02): discovery HTTP routes, server registration, and route tests
- Create src/server/routes/discovery.ts with GET /setups, /items, /categories handlers
- Register discoveryRoutes in src/server/index.ts with browseTier rate limiting
- Add auth skip for /api/discovery/* GET requests in auth middleware
- Create tests/routes/discovery.test.ts with 10 tests covering all endpoints and pagination
2026-04-10 14:57:35 +02:00
5619016e41 feat(24-01): apply tiered rate limits to public GET endpoints
- Import createRateLimit in server index
- Create browseTier (120 req/min) for list/search endpoints
- Create detailTier (60 req/min) for individual resource endpoints
- Apply browseTier to /api/global-items and /api/tags GET routes
- Apply detailTier to /api/global-items/:id, /api/setups/:id/public, /api/users/:id/profile GET routes
- Rate limits placed before auth middleware per D-07, D-08
2026-04-10 10:07:38 +02:00
9dca657ab1 fix: add OIDC startup diagnostic and fix HTTPException handling
All checks were successful
CI / ci (push) Successful in 1m4s
CI / e2e (push) Has been skipped
CI / deploy (push) Successful in 25s
The @hono/oidc-auth middleware catches all errors and rethrows as
"Invalid session", hiding the real cause. This adds a startup probe
to the OIDC discovery endpoint so the actual error appears in logs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 21:33:59 +02:00
67facea338 feat(20-01): extend UIStore with FAB/catalog state, add useTags hook, update useGlobalItems
- Add fabMenuOpen, openFabMenu, closeFabMenu to UIStore
- Add catalogSearchOpen, catalogSearchMode, openCatalogSearch, closeCatalogSearch
- openCatalogSearch also closes FAB menu (natural flow)
- Create useTags hook with 5-min staleTime cache
- Add optional tags parameter to useGlobalItems for tag filtering
2026-04-06 07:57:47 +02:00
2ec1276849 feat(20-01): add tags table, tag service/route, register global-items route
- Create tags table in schema with id, name (unique), createdAt
- Generate migration for tags table
- Create tag.service.ts with getAllTags (id+name, alphabetical order)
- Create tags.ts route with GET / handler
- Register /api/global-items and /api/tags routes in index.ts
- Add auth skip for GET /api/tags and GET /api/global-items
2026-04-06 07:56:40 +02:00
574a12e6fa fix: OIDC auth flow, Vite proxy, and PostgreSQL query compat
- Add auth redirect in root layout for unauthenticated users
- Proxy OIDC routes (/login, /callback, /logout) through Vite dev server
- Strip Secure flag from OIDC cookies in dev mode (HTTP localhost)
- Disable retry on auth query to prevent stale cookie loops
- Fix SQLite .get()/.all()/.run() calls in category and global-item
  services for PostgreSQL compatibility
- Add userId scoping to category service functions
- Add OIDC error logging in auth middleware
- Apply linter auto-formatting across affected files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 18:25:31 +02:00
eb8f4b7cb2 feat(18-03): add profile routes, public setup endpoint, and auth middleware updates
- GET /api/users/:id/profile: public profile with public setups (no auth)
- PUT /api/auth/profile: update own profile (requires auth)
- GET /api/setups/:id/public: public setup view with items (no auth)
- Auth middleware skips public profile and public setup GET endpoints
- Register profileRoutes at /api/users in index.ts
- Add getOrCreateUncategorized to category service (Rule 3 fix)
- 10 route tests covering auth, public access, and 404 cases
2026-04-05 13:10:13 +02:00
89b0496845 chore(18-03): apply 18-01 schema foundation as dependency baseline
2026-04-05 13:04:09 +02:00
9c7bc2881c fix: add CORS headers for OAuth and MCP endpoints
All checks were successful
CI / ci (push) Successful in 31s
CI / e2e (push) Successful in 1m2s
Required for claude.ai browser-based OAuth flows that make
cross-origin requests to discovery, token, and MCP endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 10:48:22 +02:00
5fdf4c3019 docs: add MCP OAuth documentation and fix lint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:27:34 +02:00
1fad25726d feat: add OAuth 2.1 endpoints (register, authorize, token)
Add well-known metadata, dynamic client registration, authorization
flow with PKCE, and token exchange/refresh endpoints with route-level
integration tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:22:58 +02:00
41a2910aeb fix: add centralized error handler for unhandled exceptions
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:34:51 +02:00
3016eb1a1a fix: add explicit DB context middleware for all API routes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:31:11 +02:00
6f51432d42 feat: add MCP server with streamable HTTP transport at /mcp
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:38:18 +02:00
66dc8ec8ee feat: register auth routes and apply write-protection middleware
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:25:51 +02:00
b496462df5 chore: auto-fix Biome formatting and configure lint rules
All checks were successful
CI / ci (push) Successful in 15s
Run biome check --write --unsafe to fix tabs, import ordering, and
non-null assertions across entire codebase. Disable a11y rules not
applicable to this single-user app. Exclude auto-generated routeTree.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 19:51:34 +01:00
0f115a2a4b feat(03-01): implement setup backend with junction table
- Setup service with CRUD, syncSetupItems, removeSetupItem
- SQL aggregation for itemCount, totalWeight, totalCost via COALESCE
- Hono routes for all 7 endpoints with zValidator
- Mount setupRoutes at /api/setups
- All 87 tests pass (24 new setup tests)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 12:43:02 +01:00
add3e3371d feat(02-01): add thread API routes and mount in server
- Thread CRUD: GET /, POST /, GET /:id, PUT /:id, DELETE /:id
- Candidate CRUD: POST /:id/candidates, PUT/DELETE nested candidates
- Resolution: POST /:id/resolve with validation and error handling
- Image cleanup on thread/candidate deletion
- Routes mounted at /api/threads in server index

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 11:39:15 +01:00
9fcbf0bab5 feat(01-04): add onboarding wizard with settings API and persisted state
- Settings API: GET/PUT /api/settings/:key with SQLite persistence
- useSettings hook with TanStack Query for settings CRUD
- OnboardingWizard: 3-step modal overlay (welcome, create category, add item)
- Root layout checks onboarding completion flag before rendering wizard
- Skip option available at every step, all paths persist completion to DB

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:51:25 +01:00
029adf4dca feat(01-02): add Hono API routes with validation, image upload, and integration tests
- Item routes: GET, POST, PUT, DELETE with Zod validation and image cleanup
- Category routes: GET, POST, PUT, DELETE with Uncategorized protection
- Totals route: per-category and global aggregates
- Image upload: multipart file handling with type/size validation
- Routes use DI via Hono context variables for testability
- Integration tests: 10 tests covering all endpoints and edge cases
- All 30 tests passing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:40:49 +01:00
7412ef1d86 feat(01-01): add database schema, shared Zod schemas, seed, and test infrastructure
- Create Drizzle schema with items, categories, and settings tables
- Set up database connection singleton with WAL mode and foreign keys
- Add seed script for default Uncategorized category
- Create shared Zod validation schemas for items and categories
- Export TypeScript types inferred from Zod and Drizzle schemas
- Add in-memory SQLite test helper for isolated test databases
- Wire seed into Hono server startup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:34:53 +01:00
67ff86039f feat(01-01): scaffold project with Vite, Hono, TanStack Router, Tailwind, and Drizzle config
- Initialize bun project with all frontend/backend dependencies
- Configure Vite with TanStack Router plugin, React, and Tailwind v4
- Create Hono server with health check and static file serving
- Set up TanStack Router file-based routes with root layout
- Add Drizzle config, Biome linter, and proper .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:33:28 +01:00