Commit Graph

20 Commits

Author SHA1 Message Date
eb8f4b7cb2 feat(18-03): add profile routes, public setup endpoint, and auth middleware updates
- GET /api/users/:id/profile: public profile with public setups (no auth)
- PUT /api/auth/profile: update own profile (requires auth)
- GET /api/setups/:id/public: public setup view with items (no auth)
- Auth middleware skips public profile and public setup GET endpoints
- Register profileRoutes at /api/users in index.ts
- Add getOrCreateUncategorized to category service (Rule 3 fix)
- 10 route tests covering auth, public access, and 404 cases
2026-04-05 13:10:13 +02:00
89b0496845 chore(18-03): apply 18-01 schema foundation as dependency baseline 2026-04-05 13:04:09 +02:00
f7c9f3dc94 fix: add Protected Resource Metadata endpoint (RFC 9728)
All checks were successful
CI / ci (push) Successful in 29s
CI / e2e (push) Successful in 1m1s
The MCP auth spec (2025-06-18+) requires /.well-known/oauth-protected-resource
in addition to /.well-known/oauth-authorization-server. Claude fetches
the protected resource metadata first after receiving a 401, then discovers
the authorization server from it. Also fixes WWW-Authenticate header to
use absolute URL pointing to the protected resource endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 11:17:21 +02:00
5fdf4c3019 docs: add MCP OAuth documentation and fix lint
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:27:34 +02:00
1fad25726d feat: add OAuth 2.1 endpoints (register, authorize, token)
Add well-known metadata, dynamic client registration, authorization
flow with PKCE, and token exchange/refresh endpoints with route-level
integration tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 09:22:58 +02:00
15f146ee89 feat: add CSV import/export for gear collection
Some checks failed
CI / ci (pull_request) Failing after 22s
CI / e2e (pull_request) Has been skipped
Adds export (GET /api/items/export) and import (POST /api/items/import) routes
backed by a pure csv.service with no external deps, plus useExportItems/useImportItems
hooks and an Import/Export section in the Settings page.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:12:07 +02:00
b9a06dd244 feat: add item duplication with copy-and-edit workflow
Adds POST /api/items/:id/duplicate endpoint, useDuplicateItem hook, and a
Duplicate button on ItemCard (collection view only) that opens the new item
for editing immediately after creation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:07:20 +02:00
2dddba9a08 feat: add rate limiting on login and setup endpoints
Implement in-memory rate limiter with 5 attempts per 15-minute window per IP address. Protects brute-force attacks on credential endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 15:36:03 +02:00
ecff58500e fix: validate route ID parameters, return 400 for invalid IDs
Adds parseId helper in src/server/lib/params.ts and applies it across
all route files so non-positive-integer IDs return 400 instead of
silently passing NaN to services.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:34:06 +02:00
3016eb1a1a fix: add explicit DB context middleware for all API routes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:31:11 +02:00
17d76761bb fix: address code review issues — MCP auth, error handling, password route
- MCP auth middleware now rejects requests without API key when users exist
- Image /from-url route distinguishes validation errors (400) from server errors (500)
- Password change route returns 401 when no session cookie instead of crashing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:42:34 +02:00
e0e7bfce3e feat: add auth routes for login, setup, and API key management
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:24:26 +02:00
b3a13fa974 feat: add POST /api/images/from-url route
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 13:17:10 +02:00
d6acfcb126 feat(11-01): PATCH /api/threads/:id/candidates/reorder route + tests
- Import reorderCandidatesSchema and reorderCandidates into threads route
- Add PATCH /:id/candidates/reorder route with Zod validation
- Returns 200 + { success: true } on active thread, 400 on resolved thread
- Add 5 route tests: success, order persists, resolved guard, empty array, missing field
2026-03-16 22:22:31 +01:00
fb738d7cc2 feat(09-01): add classification API route, client hook, badge component, and setup detail wiring
- Add PATCH /:id/items/:itemId/classification endpoint with Zod validation
- Add apiPatch helper to client API library
- Add useUpdateItemClassification mutation hook
- Add classification field to SetupItemWithCategory interface
- Create ClassificationBadge click-to-cycle component (base/worn/consumable)
- Wire ClassificationBadge into setup detail page item grid
- Add integration tests for PATCH classification route (valid + invalid)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 15:13:08 +01:00
b496462df5 chore: auto-fix Biome formatting and configure lint rules
All checks were successful
CI / ci (push) Successful in 15s
Run biome check --write --unsafe to fix tabs, import ordering, and
non-null assertions across entire codebase. Disable a11y rules not
applicable to this single-user app. Exclude auto-generated routeTree.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 19:51:34 +01:00
0f115a2a4b feat(03-01): implement setup backend with junction table
- Setup service with CRUD, syncSetupItems, removeSetupItem
- SQL aggregation for itemCount, totalWeight, totalCost via COALESCE
- Hono routes for all 7 endpoints with zValidator
- Mount setupRoutes at /api/setups
- All 87 tests pass (24 new setup tests)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 12:43:02 +01:00
add3e3371d feat(02-01): add thread API routes and mount in server
- Thread CRUD: GET /, POST /, GET /:id, PUT /:id, DELETE /:id
- Candidate CRUD: POST /:id/candidates, PUT/DELETE nested candidates
- Resolution: POST /:id/resolve with validation and error handling
- Image cleanup on thread/candidate deletion
- Routes mounted at /api/threads in server index

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 11:39:15 +01:00
9fcbf0bab5 feat(01-04): add onboarding wizard with settings API and persisted state
- Settings API: GET/PUT /api/settings/:key with SQLite persistence
- useSettings hook with TanStack Query for settings CRUD
- OnboardingWizard: 3-step modal overlay (welcome, create category, add item)
- Root layout checks onboarding completion flag before rendering wizard
- Skip option available at every step, all paths persist completion to DB

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:51:25 +01:00
029adf4dca feat(01-02): add Hono API routes with validation, image upload, and integration tests
- Item routes: GET, POST, PUT, DELETE with Zod validation and image cleanup
- Category routes: GET, POST, PUT, DELETE with Uncategorized protection
- Totals route: per-category and global aggregates
- Image upload: multipart file handling with type/size validation
- Routes use DI via Hono context variables for testability
- Integration tests: 10 tests covering all endpoints and edge cases
- All 30 tests passing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:40:49 +01:00