The executor agents wrote sync SQLite-style calls (.get(), .all(), .run())
instead of the async Postgres pattern established in Phase 14. Fixed:
- auth.service.ts: use await + destructuring for all DB operations
- auth routes: await listApiKeys
- All auth test files: async createTestDb(), await service calls
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- E2E seed creates API key instead of user for authentication
- Auth service tests cover only API key CRUD (removed user/session tests)
- Auth middleware tests validate three-way auth: API key, Bearer token, OIDC session
- Auth route tests mock getAuth for OIDC session, test /me and /keys endpoints
- Remove all references to createUser, verifyPassword, createSession in auth tests
- Login page redirects to Logto instead of showing credential form
- AuthState uses string id (Logto sub claim) instead of number
- Remove useLogin, useSetup, useChangePassword hooks
- useLogout redirects to /logout (server-side OIDC logout)
- Remove ChangePasswordSection from settings page
- Update UserMenu to use new useLogout API
- Settings page shows API keys section when authenticated
- Add 15-02-SUMMARY.md with execution results
- Update STATE.md with position, decisions, session info
- Update ROADMAP.md with plan progress
- Mark AUTH-01, AUTH-02, AUTH-03 requirements complete
- Replace verifyPassword with getAuth in OAuth authorize routes
- Replace login form with consent-only form (no credential fields)
- Remove getUserCount bypass from MCP auth middleware
- GET/POST /authorize redirect to /login if no OIDC session
- Install @hono/oidc-auth and jose for OIDC integration
- Rewrite requireAuth middleware with three-way auth: API key, MCP Bearer, OIDC session
- Strip auth.service.ts to API key functions only (remove user/session management)
- Remove all references to getUserCount, getSession, refreshSession from middleware
- Create 15-01-SUMMARY.md with execution results
- Update STATE.md with phase 15 position and decisions
- Update ROADMAP.md with plan progress
- Mark AUTH-04 requirement complete
- Delete users and sessions table definitions from src/db/schema.ts
- Generate Drizzle migration to drop both tables
- Retain apiKeys, oauthClients, oauthCodes, oauthTokens tables
- Add Logto OIDC provider to docker-compose.yml and docker-compose.dev.yml
- Create docker/init-logto-db.sql to initialize separate Logto database on Postgres
- Add OIDC env vars (issuer, client ID/secret, auth secret) to app service
- Document all required env vars in .env.example
- All beforeEach now use async/await createTestDb()
- All service calls in tests now awaited
- All direct DB calls (.run()/.all()) replaced with await
- All test callbacks made async
- Fixed PostgreSQL GROUP BY strictness in totals.service.ts (categories.name and categories.icon added to groupBy)
- db type changed to 'any' to accommodate PGlite type differences
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add 14-04-SUMMARY.md documenting async conversion of all 9 route files and auth middleware
- Update STATE.md with progress (83%) and decisions
- Update ROADMAP.md with plan progress
- Add await before all service calls in auth, OAuth routes
- Convert settings.ts direct DB calls: remove .get()/.run(), use await + destructuring
- Auth middleware: await getUserCount, getSession, refreshSession
- Fix formatting in threads.ts for biome compliance
- All files pass lint
- One-time migration script with type conversions (unix timestamps to Date, int to bool)
- Migrates all 13 tables in FK dependency order
- Resets serial sequences after data migration
- Adds db:migrate-from-sqlite npm script
- Remove apt-get install of python3/make/g++ (no longer needed without better-sqlite3)
- Change COPY drizzle to COPY drizzle-pg for PostgreSQL migrations
- Remove mkdir -p data (no SQLite data directory needed)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Create docker-compose.dev.yml with Postgres 16 for local development
- Rewrite docker-compose.yml with Postgres service, healthcheck, and app dependency chain
- Production uses externalized POSTGRES_PASSWORD and DATABASE_URL env vars
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Created 14-01-SUMMARY.md with execution results
- Updated STATE.md with plan progress and decisions
- Updated ROADMAP.md progress table (1/6 plans)
- Marked DB-01 and DB-03 requirements complete
- Rewrite tests/helpers/db.ts to use drizzle-orm/pglite with async createTestDb()
- Generate initial migration with 13 CREATE TABLE statements in drizzle-pg/
- Add drizzle-pg to biome ignore list (generated files)
- PGlite smoke test confirms migrations apply and seed works
- Replace all 13 sqliteTable definitions with pgTable (pg-core)
- Convert integer timestamps to native timestamp type with defaultNow()
- Convert real columns to doublePrecision, integer used to boolean
- Rewrite db connection to use postgres.js driver with DATABASE_URL
- Rewrite migrate.ts to use postgres-js migrator targeting drizzle-pg/
- Convert seed.ts to async
- Update drizzle.config.ts to postgresql dialect
- Install postgres and @electric-sql/pglite, remove better-sqlite3
The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
verifyAccessToken is async and returns a Promise. Without await,
the Promise object is always truthy, so any Bearer token (even
invalid ones) was accepted. This fixes MCP OAuth authentication.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Required for claude.ai browser-based OAuth flows that make
cross-origin requests to discovery, token, and MCP endpoints.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
