- GET /api/users/:id/profile: public profile with public setups (no auth)
- PUT /api/auth/profile: update own profile (requires auth)
- GET /api/setups/:id/public: public setup view with items (no auth)
- Auth middleware skips public profile and public setup GET endpoints
- Register profileRoutes at /api/users in index.ts
- Add getOrCreateUncategorized to category service (Rule 3 fix)
- 10 route tests covering auth, public access, and 404 cases
- SUMMARY.md with full task/commit/deviation documentation
- STATE.md updated to Phase 18, Plan 2/5
- ROADMAP.md progress updated
- REQUIREMENTS.md: GLOB-01 through GLOB-05 marked complete
- GET /api/global-items with optional q search parameter
- GET /api/global-items/:id with ownerCount
- POST /api/items/:id/link to link user item to global item
- DELETE /api/items/:id/link to unlink
- Route registered in index.ts
- 10 route tests covering all endpoints
- updateProfile: update displayName, avatarUrl, bio for a user
- getPublicProfile: return user info with only public setups
- getPublicSetupWithItems: return setup details only if isPublic is true
- createSetup now accepts and persists isPublic field
- updateSetup can toggle isPublic
- getAllSetups includes isPublic in response
- searchGlobalItems with LIKE-based case-insensitive search and wildcard escaping
- getGlobalItemWithOwnerCount with owner count from junction table
- linkItemToGlobal/unlinkItemFromGlobal for item-global linking
- seedGlobalItems idempotent seed from JSON catalog
- Integrated seed into seedDefaults startup
- 10 test cases covering search, owner count, link/unlink, seed idempotency
- Added globalItems/itemGlobalLinks tables to SQLite schema
- Added Zod schemas and types for global items
- Created 18-item bikepacking gear seed data JSON
- Profile CRUD tests: updateProfile, getPublicProfile, getPublicSetupWithItems
- Setup service isPublic tests: create with isPublic, toggle, list includes isPublic
- Reads all image files from uploads/ directory
- Uploads each to S3 bucket preserving original filenames as object keys
- Handles errors per-file without aborting entire migration
- Preserves original files (manual deletion after verification)
- Replace all /uploads/ path construction with imageUrl presigned URLs
- Add imageUrl prop to ItemCard, CandidateCard, CandidateListItem, ComparisonTable
- Update ImageUpload to use presigned URLs + local preview for new uploads
- Pass imageUrl through from parent components (CollectionView, forms, routes)
- Replace Bun.write/mkdir with uploadImage() from storage.service
- Remove uploadsDir parameter from fetchImageFromUrl
- Update tests to mock storage service instead of checking filesystem
- Add MinIO + mc init container to docker-compose.dev.yml (fixed creds, console on :9001)
- Add MinIO + mc init container to docker-compose.yml (env var creds, no console)
- Add S3 env vars to app service in production compose
- Remove uploads volume from production compose (replaced by MinIO)
- Add S3 configuration section to .env.example
Route and MCP test files were calling createTestDb() without await,
causing db to be a Promise object instead of a Drizzle instance.
Also rewrote auth route tests for OIDC-based auth (merge picked old version).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merge conflict resolution picked the old password-based oauth tests.
Restored the OIDC session mock version with proper userId destructuring.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- All 8 route test files destructure { db, userId } from createTestDb()
- All route test middleware sets c.set("userId", userId)
- MCP tools.test.ts passes userId to all registerXTools(db, userId) calls
- MCP tools.test.ts passes userId to getCollectionSummary(db, userId)
- Added 4 cross-user isolation tests for MCP tools (items, item by ID, threads, collection summary)
- OAuth test db type annotation updated for new createTestDb return shape
- Images test now uses createTestDb with userId context
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Destructure { db, userId } from createTestDb() in all 8 service test files
- Pass userId to every service function call
- Add cross-user isolation tests for items, categories, threads, setups
- Add composite unique constraint test for categories
- Update verifyApiKey assertions to check { userId } return
- Update verifyAccessToken assertions to check { userId } return
- Pass userId to exchangeCode and refreshAccessToken calls
- Update createMcpServer signature to accept (db, userId)
- MCP auth middleware resolves userId from API key and Bearer token
- Store userId alongside transport in session map
- All 4 tool registration functions accept and pass userId
- Collection summary resource passes userId to all service calls
- Extract userId via c.get('userId') in every route handler
- Pass userId to all service function calls as second argument
- Update settings routes to use composite key [userId, key]
- Update Env type to include userId in Variables
- Auth routes pass userId to API key management functions
- SUMMARY.md documents 7 service files updated with userId parameter
- STATE.md advanced to plan 2 of 4 in phase 16
- ROADMAP.md updated with plan progress
- Requirements MULTI-01, MULTI-02, MULTI-03, MULTI-06 marked complete
- All functions accept userId, no more prodDb defaults
- Thread operations verify ownership via and(eq(id), eq(userId))
- Candidate operations verify parent thread ownership before proceeding
- resolveThread includes userId in new item insert and verifies category ownership
- Setup operations use and() for composite id+userId conditions
- syncSetupItems validates both setup and item ownership via inArray
- updateItemClassification and removeSetupItem verify setup ownership
- Auth service: reordered createApiKey params to (db, userId, name)
- verifyApiKey unchanged (already returns { userId } from Plan 01)
- All functions accept userId as second parameter, no more prodDb defaults
- All queries filter by eq(table.userId, userId) for data isolation
- Get-by-id, update, delete use and() for composite id+userId conditions
- deleteCategory uses dynamic getOrCreateUncategorized(db, userId) not hardcoded ID
- CSV import scopes category lookup/creation and item creation to userId
- CSV export filters items by userId
- Category service converted from sync SQLite to async Postgres patterns
