The API contract requires hasPassword in user responses but it was
missing from toUserResponse helper and meAuthStatus handler.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace non-null assertions with runtime checks in org layout queries
- Add handleUnseenRoutes: "ignore" for dynamic dashboard routes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add superuser admin interface for managing organizations and users:
- Admin layout with access control (redirects non-superusers)
- Admin dashboard with org/user counts and quick actions
- Org management: list, create, view/edit details, manage sites
- User management: list, view details, toggle superuser, confirm email
- SuperuserBadge component for consistent superuser indication
- Sidebar shows admin link (shield icon) for superusers only
- Centralized date formatting utility at $lib/utils/format-date.ts
- Test plan documentation at docs/test-plans/admin.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use executeBootstrap helper from @reviq/db for CLI bootstrap
- Update @reviq/db to use @reviq/utils for PBKDF2-SHA256 password hashing
(Cloudflare Workers compatible)
- Keep @scure/base for base58 token encoding
- Remove redundant password.ts from @reviq/db (import directly from @reviq/utils)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create @reviq/utils package with PBKDF2-SHA256 password hashing
compatible with Cloudflare Workers (uses crypto.subtle)
- Update api-server and CLI to use new utils package for consistent
password hashing format across the codebase
- Add pino logging to api-server for better request debugging
- Make login request tokens cryptographically secure base58 strings
instead of database IDs
- Add migration to make login_requests.token non-nullable with unique
constraint
- Fix RPCLink URL construction for client-side API calls
- Add db:codegen script to root package.json
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly
Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper
Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add organization management UI pages:
- /dashboard: Org list with grid cards
- /dashboard/[slug]: Org overview with stats and previews
- /dashboard/[slug]/members: Member management with invites
- /dashboard/[slug]/settings: Org settings, leave, delete
- /invite/accept: Token-based invite acceptance flow
Includes shared org context layout for role detection, reusable
components (role-badge, confirm-dialog), and sidebar nav update.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Sort imports alphabetically in helpers.ts and router.ts
- Simplify boolean comparison in users/update.ts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename api-server package to @reviq/api-server
- Add --compile flag to bun build for both packages
- Output standalone executables instead of bundled JS
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `reviq completions bash/zsh` command with dynamic shell completions:
- Create bash-complete.ts entry point using stricli's proposeCompletions API
- Add completions command with bash and zsh support (fish planned)
- Extract app export to separate app.ts for shared imports
- Add @stricli/auto-complete dependency and __reviq_bash_complete bin entry
Also fix lint/type errors in api-server tests and helpers.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add missing reqHeaders/resHeaders to webauthn test context
- Fix Session.id type from number to string in test
- Remove unnecessary Number() conversion in countOwners
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract admin procedures from router.ts into dedicated files under
procedures/admin/ with consolidated exports via _routes.ts. Adds shared
helper functions for response transformation and includes race condition
fixes via transaction-scoped existence checks.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Enhanced createRegistrationOptions to look up existing users
- Added virtual-authenticator testing package
- Added WebAuthn e2e and unit tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create @reviq/virtual-authenticator package with cryptographically valid
WebAuthn credential generation for testing
- Add e2e tests for WebAuthn registration, authentication, passkey management
- Add unit tests for passkey-helpers and VirtualAuthenticator
- Add security tests for counter replay and tampered responses
- Configure test database environment in devenv.nix
- Add turbo.json test tasks and workspace configuration
Test results: 98 tests passing (54 virtual-authenticator, 25 e2e, 19 unit)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Resolve conflicts in router.ts by adopting master's modular architecture
for me.* procedures while keeping meGet and setupProfile inline.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add me.get procedure returning user profile with needsSetup flag
- Add me.setupProfile procedure for initial profile setup after signup
- Add nonEmptyString/optionalString schema helpers with tests
- Use Web Crypto API (SubtleCrypto) for Cloudflare Workers compatibility
- Use @formatjs/intl-durationformat for duration formatting
- Remove node:crypto dependency from crypto utilities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix silent failures: add 404 NOT_FOUND for invalid resources in
passkeysRename, revokeSession, trustDevice, untrustDevice
- Fix race condition in passkeysDelete using transaction
- Extract helper functions: requireDeviceFingerprint, defaultDeviceName
- Improve type safety in updateProfile with Kysely's Updateable<Users>
- Extract me.* procedures to separate files under procedures/me/
- Standardize naming to verb-first: listPasskeys, renamePasskey, deletePasskey
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change Session.id from number to string to match DB bigint type
- Restore me.passkeys.{list,rename,delete} nested route structure
- Remove unnecessary String() conversion in logout procedure
- Auto-formatted procedure files
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add postmark dependency and email configuration constants
- Implement sendVerificationEmail, sendPasswordResetEmail,
sendLoginConfirmationEmail, and sendOrgInviteEmail helpers
- Add HTML + text email templates with inline CSS
- Support dev mode (EMAIL_DEV_MODE=true) for console logging
- Use URL constructor for proper URL building
- Add XSS protection with HTML escaping in templates
- Create .env file with email environment variables
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add procedures/base.ts with typed os implementer and middlewares
- Refactor router to use authMiddleware and loginRequestMiddleware
- Flatten passkey routes to me.listPasskeys/createPasskey/renamePasskey/deletePasskey
- Stub admin procedures with NOT_IMPLEMENTED (to be reimplemented with superuser middleware)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use implement(contract).$context<APIContext>() for proper type safety
in all procedure handlers. Create authMiddleware and loginRequestMiddleware
using os.middleware() and apply with .use() on routes requiring auth.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Vite proxy to forward /api/v1/rpc to API server (port 9861)
- Create oRPC client in src/lib/api/client.ts
- Add @orpc/client and @orpc/contract dependencies
- Add @reviq/api-contract workspace dependency
- Extract DEFAULT_PORT constant to api-server/src/constants.ts
- Change API server default port from 3001 to 9861
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
ESLint:
- Add @macalinao/eslint-config and eslint to all packages/apps
- Add lint scripts to all package.json files
- Create eslint.config.js for all apps
- Add lint task to turbo.json
- Add @macalinao/eslint-config and @types/bun to catalog
Biome:
- Exclude docs/ from biome checks
CLI Reorganization:
- Restructure CLI to use route maps with one command per file
- Move commands to routes/ directory structure
- Use func property instead of async loaders
- Route maps in _command.ts files for each directory
Environment:
- Use Bun.env instead of process.env for env vars
- Add DATABASE_URL and PORT to turbo.json globalEnv
Lint Fixes:
- Fix nullish coalescing operator usage
- Update deprecated Zod API (z.email() instead of .string().email())
- Fix import sorting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add api-server process to devenv.nix
- Add dbmate and kysely-codegen scripts
- Configure PostgreSQL with localhost listener
- Update publisher-dashboard package to @apps/publisher-dashboard
- Fix deprecated asChild prop in mobile-nav component
- Remove unused publisher-utils package
- Update bun.lock with new dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create api-server with Bun.serve:
- oRPC router with stub handlers for all procedures
- Auth middleware placeholder
- CORS configuration
- Create CLI tool with stricli:
- bootstrap command for initial superuser creation
- Placeholder commands for auth, user, org management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Set up @tanstack/svelte-query and devtools in root layout
- Configure QueryClient with 5-minute stale time
- Update dashboard card to match Figma: regular font weight, no border
- Add .playwright-mcp to gitignore
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Overlay bars instead of positioning side by side, with transparent
hatched "Last month" bars on top of solid "This month" bars. Update
legend icons to circular. Add CLAUDE.md with dev server notes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create reusable DashboardCard component with title and content slot
- Redesign PeakTrafficChart to match Figma design:
- Vertical bar chart showing peak hours by day of week
- Y-axis: hours (0:00 to 21:00)
- X-axis: days (Mon-Sun)
- Two data series: "This month" (solid) and "Last month" (hatched)
- Diagonal stripe pattern for last month bars using SVG
- Legend at bottom
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
