SQLite WAL mode (start9/0.4/docker_entrypoint.sh)
- Switches journal_mode to WAL on every boot. WAL persists in the DB
header so this is effectively a one-shot but rerunning is harmless.
- Crucial for the "background StartOS Backup while users are using the
app" case: under the default rollback journal, a long backup can
capture an inconsistent snapshot. WAL keeps readers and the writer
from blocking each other.
- synchronous=NORMAL paired with WAL: still crash-consistent at every
checkpoint, ~10x faster than FULL.
Security headers (proof-of-work/next.config.js)
- Content-Security-Policy with frame-ancestors 'none', base-uri 'self',
form-action 'self', object-src 'none'. Keeps 'unsafe-inline' for
script/style because Next.js emits inline bootstrap; tightening to
nonce-based CSP is a follow-up.
- Strict-Transport-Security: max-age=31536000; includeSubDomains.
- Referrer-Policy: strict-origin-when-cross-origin (don't leak workout
IDs etc. to third-party sites).
- Permissions-Policy: deny camera, mic, geolocation, USB, etc. across
the board (none of those APIs are used today; explicit deny means
vulnerability scanners have one less thing to flag).
Last-login tracking
- New User.lastLoginAt column. createSession stamps it inside the same
transaction as the new Session row.
- Compat ALTER in entrypoint adds the column to legacy snapshots.
- Admin Users table now shows a relative-age cell (today / Nd ago /
Nmo ago / Ny ago / "never" if the user hasn't signed in since the
column was added). Hover reveals the exact ISO timestamp.
Self-serve delete-my-account (Settings -> Danger Zone)
- Requires both the user's current password AND typing the literal
phrase "delete my account" (defense against a stolen-session
attacker nuking the account in one click).
- Refused for the last admin (instance can't be left with no admin —
the user is told to promote someone first).
- Cascades through Prisma onDelete: Cascade on every relation owned by
User, so workouts, exercises, sessions, preferences all go in one
shot. Session cookie cleared, redirected to /auth/login.
Per-user password change (Settings -> Change password)
- changePasswordAction verifies current password before rotating, blocks
same-as-current, requires 8+ chars and matching confirm.
- Always revokes every other session for the user via
deleteOtherSessions(userId, currentToken). If you're rotating because
you suspect compromise, the worst-case kicks the attacker off
immediately. UI surfaces how many sessions were revoked.
- ChangePasswordForm sits between SettingsForm and AdminInstanceSettings
on the existing settings page. Available to every user, no admin
privileges required.
Admin user management (/main/admin/users — admin only)
- New page lists every account: email, name, joined date, workout count,
role. Linked from the AdminInstanceSettings panel ("Manage users ->").
- Per-row actions: Promote/Demote (toggles isAdmin), Reset password
(inline 8+ char input), Delete (cascading delete via Prisma onDelete:
Cascade — workouts, exercises, sessions, preferences all go).
- Last-admin guard: setUserAdmin and deleteUser refuse if it would
leave 0 admins. Self-delete is blocked from the admin UI (preserves
the actor's session and forces them to use a "danger zone" flow they
set up explicitly elsewhere).
- adminResetPassword force-revokes ALL of the target user's sessions —
admin reset implies the old credential is no longer trusted.
- Server actions all do their own requireAdmin() gate (defense in depth
beyond the page-level redirect).
Rate limit on /auth/login + /auth/signup
- New lib/rateLimit.ts: tiny in-process sliding-window limiter, no deps.
Map<key, timestamps[]> with cutoff filtering on each call. Per Node
process — fine for the single-replica StartOS deploy shape.
- clientIpFromHeaders prefers x-forwarded-for (leftmost), falls back to
x-real-ip, then 'unknown' (acts as a global cap in dev).
- signup: 5 attempts per IP per 15min. Cuts off automated account
spraying without blocking legitimate household-member sign-ups.
- login: 10 attempts per IP per 15min. Slows credential stuffing while
giving typo-prone users headroom.
Session tokens were derived from Math.random() + Date.now() — predictable
enough that a determined attacker could brute-force or guess valid
tokens for other users. Switch to crypto.randomBytes(32) (256 bits of
CSPRNG output, hex-encoded), the standard for opaque bearer tokens.
Also adds deleteOtherSessions(userId, keepToken) so the upcoming
password-change flow can log a user out of every other device when
they rotate their password.
Schema
- User.isAdmin: Boolean default false (Prisma)
- New InstanceSettings singleton (id=1) holding signupsOpen flag
Boot-time compat ALTERs (docker_entrypoint.sh)
- Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest
user to admin if no admin exists yet, so workout-log -> proof-of-work
cutover preserves admin functionality with no manual SQL.
- Creates InstanceSettings table + singleton row (signupsOpen=0) for any
snapshot that doesn't have it.
App: sign-up flow
- /auth/signup page: server component that reads InstanceSettings
upfront. If sign-ups are closed it shows a closed-instance message and
a back-to-sign-in link rather than a dead form. If open it renders
SignupForm (client) which calls signupAction (server).
- signupAction: re-checks the flag (defense in depth), validates email
format / 8-char password / matching confirm, blocks duplicate-email
enumeration with a generic error, creates the user with isAdmin=false,
seeds default UserPreferences, ensures the curated exercise library
for the new user (lib/library.ts upserts every entry), then issues a
session cookie.
- Login page now links to /auth/signup; old "Demo: admin@example.com /
password" footer (which was wrong anyway) removed.
App: admin in-app toggle
- Settings page renders new AdminInstanceSettings component for admins
only. Optimistic toggle posts to /api/admin/signups; error rollback
on failure.
- /api/admin/signups: GET returns current flag (any authed user, so the
UI knows whether to show the sign-up CTA later); POST flips it
(admin only).
StartOS package action
- toggle-signups: same setter as the in-app toggle, accessible from the
StartOS UI without an admin login. Single boolean input. Asserts the
read-back value matches what was written before reporting success.
- changeAdminCredentials now keys the UPDATE on
`WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just
ORDER BY createdAt) — correct under multi-user.
Release notes / docs
- v1.0.0:1 release notes expanded to call out multi-user as part of
the cutover release (no separate version needed since this is the
first proof-of-work release shipping to anyone).
- Root README: short Multi-user section explaining both toggle paths
and that new users get the curated library automatically.
- README dev setup adds `npx prisma generate` step (required after
schema changes for local dev).
Repo cleanup
- Add top-level .gitignore (was missing; node_modules, .next, *.s9pk,
image.tar, seed/data/*.db, log files, etc.) and a root README.
- Delete legacy start9/0.3.5/ package (StartOS 0.3.5 wrapper, no longer
the deploy target).
- Delete start9-example-packaging/ (template from another project).
- Delete planning docs (START9_PACKAGING_LOG.md, VERSIONING.md,
STARTOS_0.4_UPGRADE_PROMPT.md, ICON_FILES_INDEX.md, etc.) — info now
lives in the deploy guide and code comments.
- Drop the standalone Dockerfile, docker-compose.yml, ICON_*, and dev
log/build artifacts from the app dir.
- Drop the v0.1.0:18/19/20 version files (they belonged to the legacy
workout-log package and don't apply to the new id).
Rename + new package
- Rename app dir workout-planner/ -> proof-of-work/.
- Rename StartOS package id workout-log -> proof-of-work; the new id
makes this a brand new StartOS service (clean cutover from the old
one rather than in-place upgrade).
- Reset version graph; v1.0.0:1 is the seeded cutover release. The
Dockerfile bakes a one-time /data snapshot and docker_entrypoint.sh
copies it into the new volume on truly-fresh first boot only (both
/data/app.db missing AND /data/.seeded absent).
- Move start9/0.4-migration/ -> start9/0.4/; the old start9/0.4/ stub
is gone.
Curated exercise library (multi-user-aware)
- proof-of-work/prisma/exercises.seed.json is the canonical library
shipped to every install (164 exercises today, dumped from the live
snapshot).
- proof-of-work/scripts/sync-library.cjs (npm run sync-library) refreshes
the JSON from start9/0.4/seed/data/app.db after refresh_seed.sh.
- proof-of-work/prisma/seed.ts now reads from the JSON instead of a
hardcoded 52-exercise array; runs at Docker build time to seed the
fallback DB and on first boot for fresh installs.
- proof-of-work/prisma/ensureExerciseLibrary.cjs runs on every container
boot (from docker_entrypoint.sh) and INSERT OR IGNOREs every library
entry for every user, keyed on (userId, name). Library updates flow
to existing installs on package upgrade; user-custom exercises
(isCustom=true) and any colliding names are never overwritten;
removed exercises stay on existing installs (additive-only).
Deploy guide (start9/0.4/DEPLOY_040.md)
- Rewritten end-to-end for the workout-log -> proof-of-work cutover:
refresh_seed, sync-library, build, sideload, verify, rotate creds,
stop the old service, then post-cutover cleanup release v1.0.0:2.
Keysat