Keysat
d51400c2a9
SQLite WAL mode (start9/0.4/docker_entrypoint.sh) - Switches journal_mode to WAL on every boot. WAL persists in the DB header so this is effectively a one-shot but rerunning is harmless. - Crucial for the "background StartOS Backup while users are using the app" case: under the default rollback journal, a long backup can capture an inconsistent snapshot. WAL keeps readers and the writer from blocking each other. - synchronous=NORMAL paired with WAL: still crash-consistent at every checkpoint, ~10x faster than FULL. Security headers (proof-of-work/next.config.js) - Content-Security-Policy with frame-ancestors 'none', base-uri 'self', form-action 'self', object-src 'none'. Keeps 'unsafe-inline' for script/style because Next.js emits inline bootstrap; tightening to nonce-based CSP is a follow-up. - Strict-Transport-Security: max-age=31536000; includeSubDomains. - Referrer-Policy: strict-origin-when-cross-origin (don't leak workout IDs etc. to third-party sites). - Permissions-Policy: deny camera, mic, geolocation, USB, etc. across the board (none of those APIs are used today; explicit deny means vulnerability scanners have one less thing to flag). Last-login tracking - New User.lastLoginAt column. createSession stamps it inside the same transaction as the new Session row. - Compat ALTER in entrypoint adds the column to legacy snapshots. - Admin Users table now shows a relative-age cell (today / Nd ago / Nmo ago / Ny ago / "never" if the user hasn't signed in since the column was added). Hover reveals the exact ISO timestamp. Self-serve delete-my-account (Settings -> Danger Zone) - Requires both the user's current password AND typing the literal phrase "delete my account" (defense against a stolen-session attacker nuking the account in one click). - Refused for the last admin (instance can't be left with no admin — the user is told to promote someone first). - Cascades through Prisma onDelete: Cascade on every relation owned by User, so workouts, exercises, sessions, preferences all go in one shot. Session cookie cleared, redirected to /auth/login.
Proof of Work
Self-hosted multi-user workout planner and logger. Plan training cycles, log daily workouts, search your history, and curate a shared exercise library across everyone on the instance. Distributed as a StartOS 0.4 sideload package.
Repo layout
proof-of-work/ Next.js app (TypeScript, Prisma + SQLite, Tailwind, PWA)
start9/0.4/ StartOS 0.4 package wrapper (manifest, Dockerfile,
entrypoint, version graph, change-credentials action)
Everything else is generated at build time.
Local development
cd proof-of-work
npm install
npx prisma generate # important after schema changes
npx prisma db push # create the dev DB at prisma/data/app.db
npm run db:seed # admin@local / workout123 + curated library + admin flag
npm run dev # http://localhost:3000
Multi-user
Every install starts with one admin user (admin@local) and sign-ups
closed. To open the instance to additional users:
- In-app: log in as admin -> Settings -> Instance Settings -> Allow new sign-ups.
- StartOS: Services -> Proof of Work -> Actions -> Set new signups.
Both write to the same InstanceSettings row; either path works.
When sign-ups are open, anyone reaching the URL can create an account at
/auth/signup. New users start with no admin privileges and are
automatically seeded the full curated exercise library.
Building the StartOS package
See start9/0.4/DEPLOY_040.md for the full deployment / cutover guide. Short version:
cd start9/0.4
npm ci
make clean
make x86 # produces proof-of-work_x86_64.s9pk
make install # sideload to the host in ~/.startos/config.yaml
Curated exercise library
proof-of-work/prisma/exercises.seed.json is the canonical library
shipped to every install. It seeds fresh installs (via prisma/seed.ts)
and is re-applied on every boot to existing installs (via
docker_entrypoint.sh + ensureExerciseLibrary.cjs) so updates flow to
all users on package upgrade.
Refresh the JSON from the maintainer's live host:
./start9/0.4/refresh_seed.sh <ssh-target> # pull a fresh /data snapshot
cd proof-of-work && npm run sync-library # extract Exercise table -> JSON
git diff prisma/exercises.seed.json
The system is additive only — removing an exercise from the JSON does
not delete it from existing installs (users may have logged sets against
it). Users' own custom exercises (isCustom = true) are never touched.
Privacy
start9/0.4/seed/data/app.db is your live /data snapshot. It contains
real workout history and a bcrypt'd password hash. The top-level
.gitignore keeps it out of git; do NOT commit it to any public repo.