UMBRA

Author	SHA1	Message	Date
Kyle Pope	e7cb6de7d5	Add admin delete-user with full cascade cleanup Migration 036 adds ondelete rules to 5 transitive FKs that would otherwise block user deletion (calendar_events via calendars, project_tasks via projects, todos via projects, etc.). DELETE /api/admin/users/{user_id} with self-action guard, last-admin guard, session revocation, and audit logging. Frontend gets a red two-click confirm button in the IAM actions menu. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-27 19:20:47 +08:00
Kyle Pope	d8bdae8ec3	Implement multi-user RBAC: database, auth, routing, admin API (Phases 1-6) Phase 1: Add role, mfa_enforce_pending, must_change_password to users table. Create system_config (singleton) and audit_log tables. Migration 026. Phase 2: Add user_id FK to all 8 data tables (todos, reminders, projects, calendars, people, locations, event_templates, ntfy_sent) with 4-step nullable→backfill→FK→NOT NULL pattern. Migrations 027-034. Phase 3: Harden auth schemas (extra="forbid" on RegisterRequest), add MFA enforcement token serializer with distinct salt, rewrite auth router with require_role() factory and registration endpoint. Phase 4: Scope all 12 routers by user_id, fix dependency type bugs, bound weather cache (SEC-15), multi-user ntfy dispatch. Phase 5: Create admin router (14 endpoints), admin schemas, audit service, rate limiting in nginx. SEC-08 CSRF via X-Requested-With. Phase 6: Update frontend types, useAuth hook (role/isAdmin/register), App.tsx (AdminRoute guard), Sidebar (admin link), api.ts (XHR header). Security findings addressed: SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06, SEC-07, SEC-08, SEC-12, SEC-13, SEC-15. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-26 19:06:25 +08:00
Kyle Pope	250cbd0239	Address remaining QA items: indexes, validation, UX improvements Backend: - [W1] Add server_default=func.now() on created_at/updated_at - [W2] Add index on reset_at column (migration 016) - [W7] Document weekly reset edge case in code comment Frontend: - [W4] Extract shared isTodoOverdue() utility in lib/utils.ts, used consistently across TodosPage, TodoItem, TodoList - [W5] Delete requires double-click confirmation (button turns red for 2s, second click confirms) with optimistic removal - [W6] Stat cards now reflect filtered counts, not global - [S3] Optimistic delete with rollback on error - [S4] Add "None" to priority segmented filter - [S7] Sort todos within groups by due date ascending Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 21:24:59 +08:00
Kyle Pope	8e0af3ce86	Add optional due time to todos, fix date not being optional Backend: - Add due_time (TIME, nullable) column to todos model + migration 015 - Add due_time to Create/Update/Response schemas Frontend: - Add due_time to Todo type - TodoForm: add time input, convert empty strings to null before sending (fixes date appearing required — Pydantic rejected '' as date) - TodoItem: display clock icon + time when due_time is set Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 19:59:38 +08:00
Kyle Pope	46d4c5e28b	Implement todo recurrence logic with auto-reset scheduling Backend: - Add reset_at (datetime) and next_due_date (date) columns to todos - Toggle endpoint calculates reset schedule when completing recurring todos: daily resets next day, weekly resets start of next week (respects first_day_of_week setting), monthly resets 1st of next month - GET /todos auto-reactivates recurring todos whose reset_at has passed, updating due_date to next_due_date and clearing completion state - Alembic migration 014 Frontend: - Add reset_at and next_due_date to Todo type - TodoItem shows recurrence badge (Daily/Weekly/Monthly) in purple - Completed recurring todos display reset info: "Resets Mon 02/03/26 · Next due 06/03/26" Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 17:04:12 +08:00
Kyle Pope	1f6519635f	Initial commit	2026-02-15 16:13:41 +08:00

6 Commits