grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4d1f9126b09221e37b16436817f3c844eb06d5d3
proof-of-work/start9/0.4/startos/versions/index.ts
T
Keysat f540a473ef
CI / proof-of-work (Next.js app) (push) Has been cancelled
Details
CI / start9/0.4 (StartOS package code) (push) Has been cancelled
Details
v1.2.0:3 — close login timing oracle, enforce exerciseId ownership on workout writes 
Two P3 multi-user hardening fixes from the 2026-06-13 full-eval.

Login timing oracle: both login paths (the UI server action and
POST /api/auth) returned immediately on an unknown email but ran
bcrypt.compare when the email matched a user, so response latency
revealed which emails have accounts. New verifyPasswordOrDummy() in
lib/auth runs bcrypt against a fixed dummy hash when there is no user,
so every attempt spends exactly one bcrypt; the two error branches in
each route collapse into one.

exerciseId ownership: exercises are per-user, but the workout
create / PATCH (set-replace) / add-sets and CSV import-save routes wrote
SetLogs from a client-supplied exerciseId with no ownership check —
letting a user attach another user's exercise to their own workout,
which leaks that exercise's name/notes on fetch and wires up a
cross-user onDelete: Cascade link. All four now reject unowned ids with
400 via the shared lib/exerciseOwnership helper; the pre-existing inline
checks in both programs routes are refactored onto the same helper.

App-code only — no schema, no API contract change, no data migration.
2026-06-15 18:30:08 -05:00

98 lines
4.2 KiB
TypeScript
Raw Blame History

import { VersionGraph } from '@start9labs/start-sdk'
import { v_1_0_0_1 } from './v1.0.0.1'
import { v_1_0_0_2 } from './v1.0.0.2'
import { v_1_0_0_3 } from './v1.0.0.3'
import { v_1_0_0_4 } from './v1.0.0.4'
import { v_1_0_0_5 } from './v1.0.0.5'
import { v_1_0_0_6 } from './v1.0.0.6'
import { v_1_0_0_7 } from './v1.0.0.7'
import { v_1_1_0_1 } from './v1.1.0.1'
import { v_1_1_0_2 } from './v1.1.0.2'
import { v_1_1_0_3 } from './v1.1.0.3'
import { v_1_1_0_4 } from './v1.1.0.4'
import { v_1_1_0_5 } from './v1.1.0.5'
import { v_1_1_0_6 } from './v1.1.0.6'
import { v_1_1_0_7 } from './v1.1.0.7'
import { v_1_1_0_8 } from './v1.1.0.8'
import { v_1_1_0_9 } from './v1.1.0.9'
import { v_1_2_0_1 } from './v1.2.0.1'
import { v_1_2_0_2 } from './v1.2.0.2'
import { v_1_2_0_3 } from './v1.2.0.3'
/**
* Version graph for the `proof-of-work` package.
*
* 1.0.0 line — feature-complete logger + multi-user + library curation.
* 1.1.0 line — Programs (manual + AI) + AI integration.
* 1.2.0 line — platform upgrade (Next.js 15 / React 19).
*
* v1.0.0:1 — initial release, seeded cutover.
* v1.0.0:2 — CSP fix.
* v1.0.0:3 — post-cutover seed strip.
* v1.0.0:4 — removes default admin@local credentials.
* v1.0.0:5 — caloriesBurned raw-SQL workaround removed.
* v1.0.0:6 — paginate workout history (infinite scroll).
* v1.0.0:7 — exercise library cleanup, photo-import removal.
* v1.1.0:1 — Programs UI (manual create / save / follow).
* v1.1.0:2 — AI program generation, 5 providers (Claude / OpenAI /
* OpenAI-compatible / Gemini / Ollama).
* v1.1.0:3 — AI upgrades: history-as-context, test connection,
* cost estimator, streaming preview render.
* v1.1.0:4 — AI integration overhaul: multi-config persistence,
* background generation (survives navigation), Ollama
* auto-detect + installed-model dropdown, curated model
* dropdowns for Claude / OpenAI / Gemini with current
* 2026 model names, system-prompt overhaul forcing library
* exerciseIds + suggested weights, sidebar sub-navigation,
* history detail view.
* v1.1.0:5 — Gemini menu correctness: adds gemini-3.1-pro (short),
* gemini-3.1-flash, gemini-3.1-flash-lite, gemini-3-pro,
* gemini-3-flash + pricing entries.
* v1.1.0:6 — Exercise-history popup max-height bumped from ~320px
* (5 rows) to 70vh (~15+ rows). Users with deep history
* can scroll without fighting a tiny inner scrollbar.
* v1.1.0:7 — Exercise-history popup auto-loads more rows on scroll
* (switched from a flaky IntersectionObserver-in-popup to
* a plain scroll listener with 300px lookahead).
* v1.1.0:8 — Multi-user authz hardening: whole-instance DB export/import
* admin-only; custom-URL AI providers (Ollama / OpenAI-compatible)
* admin-only + SSRF guard; dead legacy /api/ai/config removed.
* v1.1.0:9 — P2 hardening: malformed-body/invalid-date/bad-pagination ->
* 400 (not 500); POST /api/auth rate-limited; rate-limiter XFF
* anti-spoof (rightmost entry); container drops root via su-exec.
* v1.2.0:1 — Next.js 14 -> 15 / React 18 -> 19 upgrade. Closes the Next
* framework RSC + middleware-bypass CVEs; async-params migration
* across all [id] routes + server pages. No schema/data change.
* v1.2.0:2 — Login/signup first-tap retry: iOS Safari drops the first
* server-action POST on a stale keep-alive socket
* (NSURLErrorNetworkConnectionLost); retry once on transport
* failure. Client-only, no schema/data change.
* v1.2.0:3 — P3 hardening: close the login timing oracle (dummy-hash
* bcrypt on unknown email) and enforce exerciseId ownership on
* workout create/PATCH/add-sets + CSV-import-save (shared
* lib/exerciseOwnership). No schema/data change.
*/
export const versionGraph = VersionGraph.of({
current: v_1_2_0_3,
other: [
v_1_0_0_1,
v_1_0_0_2,
v_1_0_0_3,
v_1_0_0_4,
v_1_0_0_5,
v_1_0_0_6,
v_1_0_0_7,
v_1_1_0_1,
v_1_1_0_2,
v_1_1_0_3,
v_1_1_0_4,
v_1_1_0_5,
v_1_1_0_6,
v_1_1_0_7,
v_1_1_0_8,
v_1_1_0_9,
v_1_2_0_1,
v_1_2_0_2,
],
})
Reference in New Issue View Git Blame Copy Permalink