Shows a warning banner at the top of dashboard pages when the user's email
is not verified, with a button to resend the verification email.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Backend:
- Add me.invites endpoints (list, get, accept, decline) to API contract
- Create invites procedures for fetching user's pending invites
- Only show invites if email matches and is verified
- Refactor me routes into me/_routes.ts for consistency
Frontend:
- Add pending invitations section to /dashboard page
- Create /account/org-invites/[inviteId] page for accept/decline
- Show invite details (org, role, inviter, dates)
- Redirect to org dashboard after accepting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After login, email verification, trust device, and profile setup,
users are now redirected to / which handles routing to their first
org's dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove hardcoded "This month", "6 countries", "3 domains" filter chips
- Change dropdown menu items from cursor-default to cursor-pointer
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add maxmind library for GeoIP database lookups when not behind Cloudflare
- Extract client IP from multiple header sources (CF, X-Real-IP, X-Forwarded-For, etc.)
- Change device fingerprints from UUID to base58 with device_ prefix
- Add isValidDeviceFingerprint() that accepts both new and legacy formats
- Colocate unit tests with source files, remove __tests__/unit directory
- Add test coverage reporting to test script
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Delete unused /settings route
- Update root page to redirect authenticated users to their first org
- Falls back to /dashboard if user has no orgs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add successResponseSchema to common.ts for explicit success responses
- Update all auth, me, orgs, and admin procedures to return { success: true }
- Update contract.ts to use successResponseSchema instead of z.void()
- Add ast-grep rule to prevent future z.void() usage in contracts
- Add build:packages script to root package.json
- Fix test file lint errors with eslint-disable comments
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add test:e2e:coverage script with Bun's built-in coverage support
- Create bunfig.toml with coverage configuration (text + lcov reporters)
- Fix webauthn tests to create real database sessions/login requests
instead of mock context objects that bypass auth middleware
- Add createUserAPIContext helper for cleaner test code
- Update security tests to expect NOT_FOUND when accessing other
user's passkeys
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Uses AsYouType for real-time phone number formatting as user types.
Implements digit-based cursor positioning to handle formatting changes
without cursor jumping.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Navigation changes:
- Add org-switcher dropdown to sidebar showing user's orgs
- Add user-menu dropdown with account settings and sign out
- Make nav items dynamic based on org context
- Move performance page to /dashboard/[slug]/performance
- Add reports placeholder page at /dashboard/[slug]/reports
- Remove admin link from sidebar (separate layout)
- Update mobile nav to match sidebar changes
- Install shadcn dropdown-menu and popover components
Auth fix:
- Mark login request as completed after passkey verification
- Previously passkey auth didn't complete the login flow, requiring
unnecessary email verification
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Install 8 shadcn components: select, skeleton, checkbox, switch, avatar,
dropdown-menu, tooltip, textarea
- Replace raw <select> elements with Select component in members page
- Replace raw checkbox with Checkbox component in admin user details
- Add Skeleton loading states to admin pages (users list, orgs list,
user details) for better UX
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create packages/utils/src/generate-base58-token.ts with typed prefix support
- Function returns `${TPrefix}${string}` for type-safe prefixed tokens
- Add isBase58() validator and parseBase58Token() helper
- Add comprehensive tests (13 test cases)
- Update login request tokens to use "login_" prefix
- Fix login-password.ts to not replace token (cookie/DB mismatch bug)
- Migrate all token generation from generateSecureToken (hex) to
generateSecureBase58Token (base58)
- Remove duplicate token generation from api-server/utils/crypto.ts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Wrap error.code with String() in CLI complete-login command
- Apply formatting fixes from linter
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CLI changes:
- Use official oRPC client instead of manual HTTP requests
- Add admin complete-login command for dev workflow
- Remove type assertions, use proper ContractRouterClient typing
- Add @orpc/client and @orpc/contract dependencies
API changes:
- Use oRPC cookie helpers from @orpc/server/helpers
- Improve admin complete-login error messages (expired, already completed)
Dashboard changes:
- Add AuthGuard component to redirect unauthenticated users to /auth/login
- Update confirm page with correct CLI command and copy button
- Remove duplicate auth redirect from dashboard layout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allows re-running bootstrap to delete and recreate the superuser and
reviq org. Deletes all related records (tokens, sessions, passkeys, etc.)
before recreating.
Also configures stricli to use kebab-case for CLI flags globally.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The API contract requires hasPassword in user responses but it was
missing from toUserResponse helper and meAuthStatus handler.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace non-null assertions with runtime checks in org layout queries
- Add handleUnseenRoutes: "ignore" for dynamic dashboard routes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add superuser admin interface for managing organizations and users:
- Admin layout with access control (redirects non-superusers)
- Admin dashboard with org/user counts and quick actions
- Org management: list, create, view/edit details, manage sites
- User management: list, view details, toggle superuser, confirm email
- SuperuserBadge component for consistent superuser indication
- Sidebar shows admin link (shield icon) for superusers only
- Centralized date formatting utility at $lib/utils/format-date.ts
- Test plan documentation at docs/test-plans/admin.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use executeBootstrap helper from @reviq/db for CLI bootstrap
- Update @reviq/db to use @reviq/utils for PBKDF2-SHA256 password hashing
(Cloudflare Workers compatible)
- Keep @scure/base for base58 token encoding
- Remove redundant password.ts from @reviq/db (import directly from @reviq/utils)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create @reviq/utils package with PBKDF2-SHA256 password hashing
compatible with Cloudflare Workers (uses crypto.subtle)
- Update api-server and CLI to use new utils package for consistent
password hashing format across the codebase
- Add pino logging to api-server for better request debugging
- Make login request tokens cryptographically secure base58 strings
instead of database IDs
- Add migration to make login_requests.token non-nullable with unique
constraint
- Fix RPCLink URL construction for client-side API calls
- Add db:codegen script to root package.json
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly
Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper
Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add organization management UI pages:
- /dashboard: Org list with grid cards
- /dashboard/[slug]: Org overview with stats and previews
- /dashboard/[slug]/members: Member management with invites
- /dashboard/[slug]/settings: Org settings, leave, delete
- /invite/accept: Token-based invite acceptance flow
Includes shared org context layout for role detection, reusable
components (role-badge, confirm-dialog), and sidebar nav update.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Sort imports alphabetically in helpers.ts and router.ts
- Simplify boolean comparison in users/update.ts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename api-server package to @reviq/api-server
- Add --compile flag to bun build for both packages
- Output standalone executables instead of bundled JS
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `reviq completions bash/zsh` command with dynamic shell completions:
- Create bash-complete.ts entry point using stricli's proposeCompletions API
- Add completions command with bash and zsh support (fish planned)
- Extract app export to separate app.ts for shared imports
- Add @stricli/auto-complete dependency and __reviq_bash_complete bin entry
Also fix lint/type errors in api-server tests and helpers.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add missing reqHeaders/resHeaders to webauthn test context
- Fix Session.id type from number to string in test
- Remove unnecessary Number() conversion in countOwners
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract admin procedures from router.ts into dedicated files under
procedures/admin/ with consolidated exports via _routes.ts. Adds shared
helper functions for response transformation and includes race condition
fixes via transaction-scoped existence checks.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Enhanced createRegistrationOptions to look up existing users
- Added virtual-authenticator testing package
- Added WebAuthn e2e and unit tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create @reviq/virtual-authenticator package with cryptographically valid
WebAuthn credential generation for testing
- Add e2e tests for WebAuthn registration, authentication, passkey management
- Add unit tests for passkey-helpers and VirtualAuthenticator
- Add security tests for counter replay and tampered responses
- Configure test database environment in devenv.nix
- Add turbo.json test tasks and workspace configuration
Test results: 98 tests passing (54 virtual-authenticator, 25 e2e, 19 unit)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
