proof-of-work

grant/proof-of-work

Fork 0

Commit Graph

Author	SHA1	Message	Date
Keysat	55c17614b8	v1.0.0:7 — exercise library cleanup, photo-import removal, AI-section honesty Library JSON cleanup (proof-of-work/prisma/exercises.seed.json) 19 exercises corrected: - Cycling/Jump Rope/Rowing/Running: type=cardio with proper inputFields (duration/distance/calories — no more reps/weight). - Walking Lunge/Wall Sit/Headstand/Hip Extension: reclassified out of cardio into bodyweight. - Plank/Mace warmup/Hollow Body Landmine/Soccer: inputFields fixed. - Descriptions added for ~10 cryptic exercises (Core, Resistance Band, Stir the pot, Slide Board, Neck Circuit, TGU, Captains of Crush, etc.). Reconcile-on-boot (ensureExerciseLibrary.cjs) Changed from INSERT-OR-IGNORE to INSERT-OR-UPDATE keyed on (userId, name). Existing rows where isCustom = 0 get description/type/muscleGroups/inputFields/defaultWeightUnit refreshed from the curated JSON. Rows where isCustom = 1 are skipped — user customizations always win. Verified end-to-end: applied patches propagate to a copy of the user's snapshot DB; manually-tampered isCustom=1 rows survive a second reconcile pass untouched. PATCH /api/exercises/[id] flips isCustom -> true on user edits Once you edit a library exercise via the in-app UI, the row's isCustom flag becomes 1 and the boot-time reconcile leaves it alone forever. Closes the only failure mode where a maintainer curated-library refresh could overwrite user edits. Photo-import (Claude vision) removed - app/api/workouts/import/route.ts deleted. - components/import/WorkoutImportClient.tsx deleted (orphan component — wasn't referenced anywhere by the live UI). - CSV import (app/main/import → page-csv.tsx → /api/workouts/import/save) is unchanged. The save endpoint stays — it's used by the CSV flow too. Settings UI: "Claude AI Integration" section removed The toggle + API key input promised "personalized workout recommendations" that the codebase never delivered (the only actually-wired use was the photo-import we just removed). Schema columns User.enableClaudeAI / User.claudeApiKey stay as harmless dead fields — they'll get cleaned up or repurposed when the model-agnostic AI work lands. The preferences API no longer accepts or returns those fields. No data migration. /data on existing installs is untouched. v1.0.0:7 promoted to current; :1-:6 in other.	2026-05-09 21:24:00 -05:00
Keysat	a11639cc56	Self-serve password change, admin user management, login/signup rate limit Per-user password change (Settings -> Change password) - changePasswordAction verifies current password before rotating, blocks same-as-current, requires 8+ chars and matching confirm. - Always revokes every other session for the user via deleteOtherSessions(userId, currentToken). If you're rotating because you suspect compromise, the worst-case kicks the attacker off immediately. UI surfaces how many sessions were revoked. - ChangePasswordForm sits between SettingsForm and AdminInstanceSettings on the existing settings page. Available to every user, no admin privileges required. Admin user management (/main/admin/users — admin only) - New page lists every account: email, name, joined date, workout count, role. Linked from the AdminInstanceSettings panel ("Manage users ->"). - Per-row actions: Promote/Demote (toggles isAdmin), Reset password (inline 8+ char input), Delete (cascading delete via Prisma onDelete: Cascade — workouts, exercises, sessions, preferences all go). - Last-admin guard: setUserAdmin and deleteUser refuse if it would leave 0 admins. Self-delete is blocked from the admin UI (preserves the actor's session and forces them to use a "danger zone" flow they set up explicitly elsewhere). - adminResetPassword force-revokes ALL of the target user's sessions — admin reset implies the old credential is no longer trusted. - Server actions all do their own requireAdmin() gate (defense in depth beyond the page-level redirect). Rate limit on /auth/login + /auth/signup - New lib/rateLimit.ts: tiny in-process sliding-window limiter, no deps. Map<key, timestamps[]> with cutoff filtering on each call. Per Node process — fine for the single-replica StartOS deploy shape. - clientIpFromHeaders prefers x-forwarded-for (leftmost), falls back to x-real-ip, then 'unknown' (acts as a global cap in dev). - signup: 5 attempts per IP per 15min. Cuts off automated account spraying without blocking legitimate household-member sign-ups. - login: 10 attempts per IP per 15min. Slows credential stuffing while giving typo-prone users headroom.	2026-05-09 09:01:33 -05:00
Keysat	d9c4e6c4a0	Multi-user: self-serve sign-up gated by admin-toggleable flag Schema - User.isAdmin: Boolean default false (Prisma) - New InstanceSettings singleton (id=1) holding signupsOpen flag Boot-time compat ALTERs (docker_entrypoint.sh) - Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest user to admin if no admin exists yet, so workout-log -> proof-of-work cutover preserves admin functionality with no manual SQL. - Creates InstanceSettings table + singleton row (signupsOpen=0) for any snapshot that doesn't have it. App: sign-up flow - /auth/signup page: server component that reads InstanceSettings upfront. If sign-ups are closed it shows a closed-instance message and a back-to-sign-in link rather than a dead form. If open it renders SignupForm (client) which calls signupAction (server). - signupAction: re-checks the flag (defense in depth), validates email format / 8-char password / matching confirm, blocks duplicate-email enumeration with a generic error, creates the user with isAdmin=false, seeds default UserPreferences, ensures the curated exercise library for the new user (lib/library.ts upserts every entry), then issues a session cookie. - Login page now links to /auth/signup; old "Demo: admin@example.com / password" footer (which was wrong anyway) removed. App: admin in-app toggle - Settings page renders new AdminInstanceSettings component for admins only. Optimistic toggle posts to /api/admin/signups; error rollback on failure. - /api/admin/signups: GET returns current flag (any authed user, so the UI knows whether to show the sign-up CTA later); POST flips it (admin only). StartOS package action - toggle-signups: same setter as the in-app toggle, accessible from the StartOS UI without an admin login. Single boolean input. Asserts the read-back value matches what was written before reporting success. - changeAdminCredentials now keys the UPDATE on `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just ORDER BY createdAt) — correct under multi-user. Release notes / docs - v1.0.0:1 release notes expanded to call out multi-user as part of the cutover release (no separate version needed since this is the first proof-of-work release shipping to anyone). - Root README: short Multi-user section explaining both toggle paths and that new users get the curated library automatically. - README dev setup adds `npx prisma generate` step (required after schema changes for local dev).	2026-05-08 20:59:45 -05:00

Author

SHA1

Message

Date

Keysat

55c17614b8

v1.0.0:7 — exercise library cleanup, photo-import removal, AI-section honesty

Library JSON cleanup (proof-of-work/prisma/exercises.seed.json)
  19 exercises corrected:
  - Cycling/Jump Rope/Rowing/Running: type=cardio with proper
    inputFields (duration/distance/calories — no more reps/weight).
  - Walking Lunge/Wall Sit/Headstand/Hip Extension: reclassified
    out of cardio into bodyweight.
  - Plank/Mace warmup/Hollow Body Landmine/Soccer: inputFields
    fixed.
  - Descriptions added for ~10 cryptic exercises (Core, Resistance
    Band, Stir the pot, Slide Board, Neck Circuit, TGU, Captains
    of Crush, etc.).

Reconcile-on-boot (ensureExerciseLibrary.cjs)
  Changed from INSERT-OR-IGNORE to INSERT-OR-UPDATE keyed on
  (userId, name). Existing rows where isCustom = 0 get
  description/type/muscleGroups/inputFields/defaultWeightUnit
  refreshed from the curated JSON. Rows where isCustom = 1 are
  skipped — user customizations always win.

  Verified end-to-end: applied patches propagate to a copy of the
  user's snapshot DB; manually-tampered isCustom=1 rows survive a
  second reconcile pass untouched.

PATCH /api/exercises/[id] flips isCustom -> true on user edits
  Once you edit a library exercise via the in-app UI, the row's
  isCustom flag becomes 1 and the boot-time reconcile leaves it
  alone forever. Closes the only failure mode where a maintainer
  curated-library refresh could overwrite user edits.

Photo-import (Claude vision) removed
  - app/api/workouts/import/route.ts deleted.
  - components/import/WorkoutImportClient.tsx deleted (orphan
    component — wasn't referenced anywhere by the live UI).
  - CSV import (app/main/import → page-csv.tsx →
    /api/workouts/import/save) is unchanged. The save endpoint
    stays — it's used by the CSV flow too.

Settings UI: "Claude AI Integration" section removed
  The toggle + API key input promised "personalized workout
  recommendations" that the codebase never delivered (the only
  actually-wired use was the photo-import we just removed).
  Schema columns User.enableClaudeAI / User.claudeApiKey stay
  as harmless dead fields — they'll get cleaned up or repurposed
  when the model-agnostic AI work lands. The preferences API
  no longer accepts or returns those fields.

No data migration. /data on existing installs is untouched.
v1.0.0:7 promoted to current; :1-:6 in other.

2026-05-09 21:24:00 -05:00

Keysat

a11639cc56

Self-serve password change, admin user management, login/signup rate limit

Per-user password change (Settings -> Change password)
- changePasswordAction verifies current password before rotating, blocks
  same-as-current, requires 8+ chars and matching confirm.
- Always revokes every other session for the user via
  deleteOtherSessions(userId, currentToken). If you're rotating because
  you suspect compromise, the worst-case kicks the attacker off
  immediately. UI surfaces how many sessions were revoked.
- ChangePasswordForm sits between SettingsForm and AdminInstanceSettings
  on the existing settings page. Available to every user, no admin
  privileges required.

Admin user management (/main/admin/users — admin only)
- New page lists every account: email, name, joined date, workout count,
  role. Linked from the AdminInstanceSettings panel ("Manage users ->").
- Per-row actions: Promote/Demote (toggles isAdmin), Reset password
  (inline 8+ char input), Delete (cascading delete via Prisma onDelete:
  Cascade — workouts, exercises, sessions, preferences all go).
- Last-admin guard: setUserAdmin and deleteUser refuse if it would
  leave 0 admins. Self-delete is blocked from the admin UI (preserves
  the actor's session and forces them to use a "danger zone" flow they
  set up explicitly elsewhere).
- adminResetPassword force-revokes ALL of the target user's sessions —
  admin reset implies the old credential is no longer trusted.
- Server actions all do their own requireAdmin() gate (defense in depth
  beyond the page-level redirect).

Rate limit on /auth/login + /auth/signup
- New lib/rateLimit.ts: tiny in-process sliding-window limiter, no deps.
  Map<key, timestamps[]> with cutoff filtering on each call. Per Node
  process — fine for the single-replica StartOS deploy shape.
- clientIpFromHeaders prefers x-forwarded-for (leftmost), falls back to
  x-real-ip, then 'unknown' (acts as a global cap in dev).
- signup: 5 attempts per IP per 15min. Cuts off automated account
  spraying without blocking legitimate household-member sign-ups.
- login: 10 attempts per IP per 15min. Slows credential stuffing while
  giving typo-prone users headroom.

2026-05-09 09:01:33 -05:00

Keysat

d9c4e6c4a0

Multi-user: self-serve sign-up gated by admin-toggleable flag

Schema
- User.isAdmin: Boolean default false (Prisma)
- New InstanceSettings singleton (id=1) holding signupsOpen flag

Boot-time compat ALTERs (docker_entrypoint.sh)
- Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest
  user to admin if no admin exists yet, so workout-log -> proof-of-work
  cutover preserves admin functionality with no manual SQL.
- Creates InstanceSettings table + singleton row (signupsOpen=0) for any
  snapshot that doesn't have it.

App: sign-up flow
- /auth/signup page: server component that reads InstanceSettings
  upfront. If sign-ups are closed it shows a closed-instance message and
  a back-to-sign-in link rather than a dead form. If open it renders
  SignupForm (client) which calls signupAction (server).
- signupAction: re-checks the flag (defense in depth), validates email
  format / 8-char password / matching confirm, blocks duplicate-email
  enumeration with a generic error, creates the user with isAdmin=false,
  seeds default UserPreferences, ensures the curated exercise library
  for the new user (lib/library.ts upserts every entry), then issues a
  session cookie.
- Login page now links to /auth/signup; old "Demo: admin@example.com /
  password" footer (which was wrong anyway) removed.

App: admin in-app toggle
- Settings page renders new AdminInstanceSettings component for admins
  only. Optimistic toggle posts to /api/admin/signups; error rollback
  on failure.
- /api/admin/signups: GET returns current flag (any authed user, so the
  UI knows whether to show the sign-up CTA later); POST flips it
  (admin only).

StartOS package action
- toggle-signups: same setter as the in-app toggle, accessible from the
  StartOS UI without an admin login. Single boolean input. Asserts the
  read-back value matches what was written before reporting success.
- changeAdminCredentials now keys the UPDATE on
  `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just
  ORDER BY createdAt) — correct under multi-user.

Release notes / docs
- v1.0.0:1 release notes expanded to call out multi-user as part of
  the cutover release (no separate version needed since this is the
  first proof-of-work release shipping to anyone).
- Root README: short Multi-user section explaining both toggle paths
  and that new users get the curated library automatically.
- README dev setup adds `npx prisma generate` step (required after
  schema changes for local dev).

2026-05-08 20:59:45 -05:00

3 Commits