CI/CD fixes (from debugger + docker specialist review):
- Add explicit GITEA_TOKEN for checkout auth
- Add act_runner_config.yaml with container.network: host so job
containers can reach git.sentinelforest.xyz (root cause of 0s
silent checkout failure)
- Mount config into act_runner container
UI: Enlarge save/close/edit/delete icons in all detail panels
(EventDetailPanel, TodoDetailPanel, ReminderDetailPanel,
TaskDetailPanel, EntityDetailPanel) from h-7/h-3.5 to h-8/h-4
for better visibility and click targets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SELinux in enforcing mode blocks container access to the Docker
socket. The :z flag relabels the socket for shared container access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
group_add didn't resolve the permission issue. Running the runner
as root (user 0:0) is the standard approach for CI runners that
need Docker socket access on internal/single-user deployments.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The runner process runs as non-root but needs access to the Docker
socket owned by root:docker (GID 971). group_add grants it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The act_runner container couldn't find the Docker socket despite the
volume mount. Adding DOCKER_HOST=unix:///var/run/docker.sock explicitly
tells the runner where to find it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When both image: and build: are present, docker compose up --build
builds locally and tags with the image name. This allows the stack
to start before registry images exist, solving the bootstrap problem.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a workflow that triggers on push to main: builds backend/frontend
Docker images, pushes to Gitea container registry, pulls and restarts
on the host, health checks, prunes old images, and sends ntfy notifications.
docker-compose.yaml updated to pull pre-built images from registry and
includes act_runner as a 4th service.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
S-02: Extract extract_credential_raw_id() helper in services/passkey.py
— replaces 2 inline rawId parsing blocks in passkeys.py
S-03: Add PasskeyLoginResponse type, use in useAuth passkeyLoginMutation
S-04: Add Cancel button to disable-passwordless dialog
W-03: Invalidate auth queries on disable ceremony error/cancel
Perf-2: Session cap uses ID-only query + bulk UPDATE instead of loading
full ORM objects and flipping booleans individually
Perf-3: Remove passkey_count from /auth/status hot path (polled every
15s). Use EXISTS for has_passkeys boolean. Count derived from passkeys
list query in PasskeySection (passkeys.length).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
C-01: Initialize config=None before conditional in auth/status to
prevent NameError on fresh instance (setup_required=True path)
C-02: Use generic "Authentication failed" on passkey lockout trigger
instead of leaking lockout state (consistent with F-02 remediation)
W-01: Add nginx rate limit for /api/auth/passkeys/passwordless
endpoints (enable accepts password — brute force protection)
W-02: Call record_successful_login in passkey unlock path to reset
failed_login_count (prevents unexpected lockout accumulation)
W-05: Auto-clear must_change_password on passkey login — user can't
provide old password in forced-change form after passkey auth
S-01: Pin webauthn to >=2.1.0,<3 (prevent major version breakage)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add relative z-10 to the Users Card so its stacking context sits above
the sibling System Settings Card. Without this, the absolutely-positioned
dropdown menu was painted behind the later sibling in DOM order.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Revert fixed-positioning approach (caused z-index and placement issues).
Instead fix the root cause: parent containers with overflow that clipped
absolutely-positioned dropdowns.
- IAMPage: Remove overflow-x-auto on table wrapper (columns already
hide via responsive classes, no horizontal scroll needed)
- AlertBanner: Remove max-h-48 overflow-y-auto on alerts list
(alerts are naturally bounded, constraint clipped SnoozeDropdown)
- Revert UserActionsMenu and SnoozeDropdown to simple absolute positioning
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
UserActionsMenu and SnoozeDropdown were clipped by parent containers
with overflow-x-auto/overflow-y-auto. Switch from absolute to fixed
positioning — compute viewport-relative coordinates on open via
getBoundingClientRect. Dropdowns now render above all overflow
boundaries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
F-01 (passkeys.py): Add constant-time DB no-op on login/begin when username not
found. Without it the absent credential-fetch query makes the "no user" path
measurably faster, leaking username existence via timing.
F-02 (session.py, auth.py, passkeys.py, totp.py): Change check_account_lockout
from HTTP 423 to 401 — status-code analysis can no longer distinguish a locked
account from an invalid credential. record_failed_login now returns remaining
attempt count; callers use it for progressive UX warnings (<=3 attempts left,
and on the locking attempt) without changing the 401 status code visible to
attackers. Session-lock 423 path in get_current_user is unaffected.
F-03 (nginx.conf): Replace set_real_ip_from 0.0.0.0/0 with RFC 1918 ranges
(172.16.0.0/12, 10.0.0.0/8) to prevent external clients from spoofing
X-Forwarded-For to bypass rate limiting.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Login errors now distinguish between wrong-password (red), progressive
lockout warnings (amber, Lock icon), and temporary lockout (amber, Lock
icon) based on the backend detail string. Removes the dead 423 branch
from handleCredentialSubmit — account lockout is now returned as 401
with a descriptive detail message.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1. Passwordless toggle in Settings is now hidden when admin hasn't
enabled allow_passwordless in system config (or when user already
has it enabled — so they can still disable it). Backend exposes
allow_passwordless in /auth/status response.
2. Remove auto-trigger passkey ceremony on lock screen — previously
fired immediately when session locked for passwordless users.
Now waits for user to click "Unlock with passkey" button.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
RegistrationCredential and AuthenticationCredential are plain dataclasses,
not Pydantic models — model_validate_json() does not exist on them.
Replace with parse_registration_credential_json() and
parse_authentication_credential_json() from webauthn.helpers, which
correctly parse the camelCase JSON from @simplewebauthn/browser and
convert base64url fields to bytes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move `request: Request` (no default) before parameters with defaults
to fix 'parameter without default follows parameter with default'.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
W-04: Replace inline lockout logic in totp.py (3 occurrences of
manual failed_login_count/locked_until manipulation) with shared
session service calls: check_account_lockout, record_failed_login,
record_successful_login. Also fix TOTP replay prevention to use
flush() not commit() for atomicity with session creation.
S-1: Add "Set up" action button to the post-login passkey prompt
toast, navigating to /settings?tab=security (already supported by
SettingsPage search params).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Show a one-time toast suggesting passkey setup after login when:
- User has no passkeys registered
- Browser supports WebAuthn
- Prompt hasn't been shown this session (sessionStorage gate)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract _create_db_session, _set_session_cookie, _check_account_lockout,
_record_failed_login, and _record_successful_login from auth.py into
services/session.py. Update totp.py to use shared service instead of
its duplicate _create_full_session (which lacked session cap enforcement).
Also fixes:
- auth/status N+1 query (2 sequential queries -> single JOIN)
- Rename verify_password route to verify_password_endpoint (shadow fix)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
W-01: Use functional updater in handleDayClick to remove displayedMonth
from dependency array, eliminating stale closure risk
S-02: Add aria-label with full date string to day buttons for screen readers
S-04: Close mobile sidebar sheet when clicking a date in mini calendar,
matching existing onUseTemplate behavior
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
datesSet fires but currentDate stays the same value when already on
the current month, so the useEffect didn't re-run. Added navKey counter
that increments on every datesSet call — MiniCalendar watches it in a
separate useEffect to reliably clear selectedDate.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Clicking Today/prev/next on the toolbar now clears the selected day
in the mini calendar, so only the today highlight remains visible.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
selectedDate now only set by user clicks in mini calendar, not by
external currentDate prop (which is always 1st of displayed month
from FullCalendar's view.currentStart). Restore h-16 "Calendars"
header above mini calendar for consistent top-of-page alignment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
W-01: Wrap handlePrev/handleNext/handleDayClick in useCallback
W-02: Use date-fns parse() instead of new Date() for timezone-safe parsing
W-03: Change default firstDayOfWeek from 1 to 0 to match CalendarPage
S-01: Use format(day, 'yyyy-MM-dd') as React key instead of toISOString()
S-02: Remove dead Tailwind color classes overridden by inline styles
Perf: Guard setSelectedDate with comparison to skip no-op re-renders
Perf: Memoize selectedDateObj via useMemo to avoid re-parsing each render
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New MiniCalendar component with independent month browsing, today/selected
highlights, firstDayOfWeek support, and month sync with main calendar.
Replaces old "Calendars" header with the mini-cal + "MY CALENDARS" heading.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
C-01: Strip is_starred/recurrence_rule from payload for invited editors
(not in backend allowlist → would 403). Hide Star checkbox from
invited editor edit mode entirely.
W-01: Wrap auto-resize in requestAnimationFrame to batch with paint
cycle and avoid forced reflow on every keystroke.
S-01: Add comment documenting belt-and-suspenders scroll prevention.
S-02: Remove resize-y from textarea (conflicts with auto-grow which
resets height on keystroke, overriding manual resize).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents accidental month changes (and lost edits) while scrolling
anywhere on the calendar page with the detail panel visible.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
max-h-[200px] CSS and the 200px JS cap both prevented the resize
handle from expanding the textarea. Removed both constraints so
auto-grow and manual resize work without ceiling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
P0 - Scroll bleed: onWheel stopPropagation on panel root prevents
wheel events from navigating calendar months while editing.
P1 - Description textarea: auto-grows with content (min 80px, max
200px), manually resizable via resize-y handle. Applied to both
EventDetailPanel and EventForm.
P2 - Space utilization: moved All Day checkbox inline above date row,
combined Recurrence + Star into a 2-col row, description now
fills remaining vertical space with flex-1.
P3 - Removed duplicate footer Save/Cancel buttons from edit mode
(header icon buttons are sufficient).
P4 - Description field now shows dash placeholder in view mode when
empty, consistent with other fields.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Name now uses the Nominatim place/building label (e.g. "The Quadrant")
when available, falling back to street address. Address field now
contains the full formatted address (house number, road, suburb, city,
state, postcode, country) instead of just the city/state portion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Many addresses resolve to just the road in Nominatim (no house_number
in response). Now extracts the leading number from the user's original
search query and prepends it to the road name, so "123 Adelaide Terrace"
stays as "123 Adelaide Terrace" instead of just "Adelaide Terrace".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use addressdetails=1 to get structured address components and build
the name as "123 Example St" instead of splitting display_name on
the first comma (which isolated the house number from the road).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The view-only banner checked canEdit (hardcoded to isOwner) instead
of canEditTasks (which includes create_modify members). Editors saw
the banner incorrectly. Removed stale canEdit variable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adding lazy='raise' to relationships with cascade='all, delete-orphan'
broke db.delete() — SQLAlchemy tried to lazy-load related objects for
Python-side cascade but lazy='raise' blocked it with MissingGreenlet.
Fix: Add passive_deletes=True to subtasks, comments, assignments, tasks,
and members relationships. This tells SQLAlchemy to defer cascade to
PostgreSQL's ondelete=CASCADE FK constraint instead of loading objects
in Python. Both the FK and ORM cascade are now aligned.
Also added onError handler to deleteTaskMutation so failures are visible
via toast instead of failing silently.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
P-01: Clamp delta poll since param to max 24h in the past (projects +
calendars) to prevent expensive full-table scans from malicious timestamps.
P-02: Validate individual user_id elements in ProjectMemberInvite and
TaskAssignmentCreate with Annotated[int, Field(ge=1, le=2147483647)].
P-04: Only enable delta polling for shared projects (member_count > 0).
Solo projects skip the 5s poll entirely.
P-05: Remove fragile 200ms onBlur timeout in ProjectShareSheet search.
The onMouseDown preventDefault on dropdown items already prevents blur
from firing before click registers.
P-06/S-04: Replace manual dict construction in model_validators with
__table__.columns iteration so new fields are auto-included.
S-01: Replace bare except in ProjectResponse.compute_member_count with
logger.debug to surface errors in development.
S-03: Consolidate cascade_projects_on_disconnect from 2 project ID
queries into 1 using IN clause with both user IDs.
S-05: Send version in toggleTaskMutation, updateTaskStatusMutation,
and toggleSubtaskMutation for full optimistic locking coverage. Handle
409 with refresh toast.
S-07: Replace window.location.href with React Router navigateRef in
task_assigned toast for client-side navigation.
S-08: Already fixed in previous commit (subtask comment selectinload).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
