Show a one-time toast suggesting passkey setup after login when:
- User has no passkeys registered
- Browser supports WebAuthn
- Prompt hasn't been shown this session (sessionStorage gate)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract _create_db_session, _set_session_cookie, _check_account_lockout,
_record_failed_login, and _record_successful_login from auth.py into
services/session.py. Update totp.py to use shared service instead of
its duplicate _create_full_session (which lacked session cap enforcement).
Also fixes:
- auth/status N+1 query (2 sequential queries -> single JOIN)
- Rename verify_password route to verify_password_endpoint (shadow fix)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
W-01: Use functional updater in handleDayClick to remove displayedMonth
from dependency array, eliminating stale closure risk
S-02: Add aria-label with full date string to day buttons for screen readers
S-04: Close mobile sidebar sheet when clicking a date in mini calendar,
matching existing onUseTemplate behavior
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
datesSet fires but currentDate stays the same value when already on
the current month, so the useEffect didn't re-run. Added navKey counter
that increments on every datesSet call — MiniCalendar watches it in a
separate useEffect to reliably clear selectedDate.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Clicking Today/prev/next on the toolbar now clears the selected day
in the mini calendar, so only the today highlight remains visible.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
selectedDate now only set by user clicks in mini calendar, not by
external currentDate prop (which is always 1st of displayed month
from FullCalendar's view.currentStart). Restore h-16 "Calendars"
header above mini calendar for consistent top-of-page alignment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
W-01: Wrap handlePrev/handleNext/handleDayClick in useCallback
W-02: Use date-fns parse() instead of new Date() for timezone-safe parsing
W-03: Change default firstDayOfWeek from 1 to 0 to match CalendarPage
S-01: Use format(day, 'yyyy-MM-dd') as React key instead of toISOString()
S-02: Remove dead Tailwind color classes overridden by inline styles
Perf: Guard setSelectedDate with comparison to skip no-op re-renders
Perf: Memoize selectedDateObj via useMemo to avoid re-parsing each render
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New MiniCalendar component with independent month browsing, today/selected
highlights, firstDayOfWeek support, and month sync with main calendar.
Replaces old "Calendars" header with the mini-cal + "MY CALENDARS" heading.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
C-01: Strip is_starred/recurrence_rule from payload for invited editors
(not in backend allowlist → would 403). Hide Star checkbox from
invited editor edit mode entirely.
W-01: Wrap auto-resize in requestAnimationFrame to batch with paint
cycle and avoid forced reflow on every keystroke.
S-01: Add comment documenting belt-and-suspenders scroll prevention.
S-02: Remove resize-y from textarea (conflicts with auto-grow which
resets height on keystroke, overriding manual resize).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents accidental month changes (and lost edits) while scrolling
anywhere on the calendar page with the detail panel visible.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
max-h-[200px] CSS and the 200px JS cap both prevented the resize
handle from expanding the textarea. Removed both constraints so
auto-grow and manual resize work without ceiling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
P0 - Scroll bleed: onWheel stopPropagation on panel root prevents
wheel events from navigating calendar months while editing.
P1 - Description textarea: auto-grows with content (min 80px, max
200px), manually resizable via resize-y handle. Applied to both
EventDetailPanel and EventForm.
P2 - Space utilization: moved All Day checkbox inline above date row,
combined Recurrence + Star into a 2-col row, description now
fills remaining vertical space with flex-1.
P3 - Removed duplicate footer Save/Cancel buttons from edit mode
(header icon buttons are sufficient).
P4 - Description field now shows dash placeholder in view mode when
empty, consistent with other fields.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Name now uses the Nominatim place/building label (e.g. "The Quadrant")
when available, falling back to street address. Address field now
contains the full formatted address (house number, road, suburb, city,
state, postcode, country) instead of just the city/state portion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Many addresses resolve to just the road in Nominatim (no house_number
in response). Now extracts the leading number from the user's original
search query and prepends it to the road name, so "123 Adelaide Terrace"
stays as "123 Adelaide Terrace" instead of just "Adelaide Terrace".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use addressdetails=1 to get structured address components and build
the name as "123 Example St" instead of splitting display_name on
the first comma (which isolated the house number from the road).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The view-only banner checked canEdit (hardcoded to isOwner) instead
of canEditTasks (which includes create_modify members). Editors saw
the banner incorrectly. Removed stale canEdit variable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adding lazy='raise' to relationships with cascade='all, delete-orphan'
broke db.delete() — SQLAlchemy tried to lazy-load related objects for
Python-side cascade but lazy='raise' blocked it with MissingGreenlet.
Fix: Add passive_deletes=True to subtasks, comments, assignments, tasks,
and members relationships. This tells SQLAlchemy to defer cascade to
PostgreSQL's ondelete=CASCADE FK constraint instead of loading objects
in Python. Both the FK and ORM cascade are now aligned.
Also added onError handler to deleteTaskMutation so failures are visible
via toast instead of failing silently.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
P-01: Clamp delta poll since param to max 24h in the past (projects +
calendars) to prevent expensive full-table scans from malicious timestamps.
P-02: Validate individual user_id elements in ProjectMemberInvite and
TaskAssignmentCreate with Annotated[int, Field(ge=1, le=2147483647)].
P-04: Only enable delta polling for shared projects (member_count > 0).
Solo projects skip the 5s poll entirely.
P-05: Remove fragile 200ms onBlur timeout in ProjectShareSheet search.
The onMouseDown preventDefault on dropdown items already prevents blur
from firing before click registers.
P-06/S-04: Replace manual dict construction in model_validators with
__table__.columns iteration so new fields are auto-included.
S-01: Replace bare except in ProjectResponse.compute_member_count with
logger.debug to surface errors in development.
S-03: Consolidate cascade_projects_on_disconnect from 2 project ID
queries into 1 using IN clause with both user IDs.
S-05: Send version in toggleTaskMutation, updateTaskStatusMutation,
and toggleSubtaskMutation for full optimistic locking coverage. Handle
409 with refresh toast.
S-07: Replace window.location.href with React Router navigateRef in
task_assigned toast for client-side navigation.
S-08: Already fixed in previous commit (subtask comment selectinload).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Perf-1: Eliminate duplicate permission query on task update.
get_effective_task_permission now returns (effective, project_level)
tuple so the SEC-P02 allowlist check reuses the project-level
permission from the first call instead of querying again.
Perf-2: Memoize member permission lookup in ProjectDetail. Replace
3 inline acceptedMembers.find() calls with useMemo-derived
myPermission and canEditTasks.
S-06: Pass members/currentUserId/ownerId/canAssign to mobile
TaskDetailPanel (was missing — AssignmentPicker never appeared on
mobile).
S-08: Add missing selectinload(TaskComment.user) to subtask comments
chain in _task_load_options. Subtask comment author_name was always
null.
W-01: useDeltaPoll stores queryKeyToInvalidate in a ref to prevent
infinite re-render if caller passes inline array literal.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root causes of the jitter:
1. No DragOverlay — card transformed in-place via translate(), causing
parent column layout reflow as siblings shifted around the gap.
2. transition-all on cards fought with drag transforms on slow moves.
3. closestCorners collision bounced rapidly between column boundaries.
Fixes:
- DragOverlay renders a floating copy of the card above everything,
with a subtle 2deg rotation and shadow for visual feedback.
- Original card becomes a ghost placeholder (accent border, 40% opacity)
so the column layout stays stable during drag.
- Switched to closestCenter collision detection (less boundary bounce).
- Increased PointerSensor distance from 5px to 8px to reduce accidental
drag activation.
- Removed transition-all from card styles (no more CSS vs drag fight).
- dropAnimation: null for instant snap on release.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TaskDetailPanel now shows an interactive AssignmentPicker (click to
open dropdown, select members, remove with X) when the user has
create_modify permission or is the owner. Read-only users see static
chips. Owner is included as a synthetic entry in the picker so they
can self-assign. Both assign and unassign mutations invalidate the
project query for immediate UI refresh.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- TaskRow: Show 'unassigned' label (muted) instead of invisible dash
so the assigned column is always visible in the task list.
- TaskDetailPanel: Replace old person_id dropdown with assignment chips
showing avatar + name for each assignee. Unassigned shows muted text
instead of a dash.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- TaskRow: Replace tiny avatar-only display with proper assigned column
showing avatar + name (single assignee) or avatar + "N people" (multi).
Hidden on mobile, right-aligned, 96px width matching other columns.
- Load options: Chain selectinload(ProjectTaskAssignment.user) so the
user relationship is available for serialization.
- TaskAssignmentResponse: Add model_validator to resolve user_name from
eagerly loaded user relationship (same pattern as TaskCommentResponse).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add member_count to ProjectResponse via model_validator (computed from
eagerly loaded members relationship). Shows on ProjectCard for both
owners ("2 members") and shared users ("Shared with you").
- Fix share button badge positioning (add relative class).
- Add dedicated showTaskAssignedToast with blue ClipboardList icon,
"View Project" action button, and 15s duration.
- Wire task_assigned into both initial-load and new-notification toast
dispatch flows in NotificationToaster.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The notifications table CHECK constraint did not include project_invite,
project_invite_accepted, project_invite_rejected, or task_assigned.
This caused 500 errors on invite_members and assign_users_to_task
because create_notification violated ck_notifications_type.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The invite_members handler called create_notification with type="project_invite", which
is not in the ck_notifications_type CHECK constraint. The db.flush() inside the handler
flushed both the ProjectMember and Notification INSERTs atomically, causing a
CheckViolationError → 500. Added "project_invite", "project_invite_accepted",
"project_invite_rejected" to the model tuple and migration 060 drops/recreates the
constraint to include them.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Both endpoints accessed ORM object IDs after db.commit(), which
expires all loaded objects in async SQLAlchemy. Added db.flush()
before commit to assign IDs while objects are still live.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The ix_project_tasks_parent_task_id index already existed on the
production DB, causing migration 057 to fail with DuplicateTableError.
Switched all CREATE INDEX statements to raw SQL with IF NOT EXISTS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
W-04: Add showProjectInviteToast with Accept/Decline buttons in
NotificationToaster, matching the connection/calendar/event invite
toast pattern. Wired into both initial-load and new-notification flows.
W-06: Delete rejected ProjectMember rows on rejection instead of
accumulating them with status='rejected'. Prevents indefinite growth.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Enables multi-user project collaboration mirroring the shared calendar
pattern. Includes ProjectMember model with permission levels, task
assignment with auto-membership, optimistic locking, field allowlist
for assignees, disconnect cascade, delta polling for projects and
calendars, and full frontend integration with share sheet, assignment
picker, permission gating, and notification handling.
Migrations: 057 (indexes + version + comment user_id), 058
(project_members), 059 (project_task_assignments)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reduces the security section to a brief summary without exposing
specific middleware names, rate limit thresholds, lockout parameters,
or implementation details that could aid threat actors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds event invitations with RSVP, per-occurrence overrides for recurring
events, display calendar assignment, can_modify toggle for granting
invitees edit access, active-invitee icon on owner's calendar, and
in-app notification integration. Three QA reviews and two penetration
tests passed. Includes field allowlist for invited editors, connection
validation, 20-invitation cap, and can_modify reset on decline.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
C-01: Use func.count() for invitation cap instead of loading all rows
C-02: Remove unused display_calendar_id from EventInvitationResponse
F-01: Add field allowlist for invited editors (blocks is_starred,
recurrence_rule, calendar_id mutations)
W-02: Memoize existingInviteeIds Set in EventDetailPanel
W-03: Block per-occurrence overrides on declined/pending invitations
S-01: Make can_modify non-optional in EventInvitation TypeScript type
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds has_active_invitees flag to the events GET response. The Users icon
now appears on the owner's calendar view when an event has accepted or
tentative invitees, giving visual feedback that the event is actively
shared. Single batch query with set lookup — no N+1.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reverts the AW-3 optimization that increased polling from 5s to 30s.
The faster interval is needed for shared calendar edits and invited
editor changes to appear promptly on other users' views.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allows event owners to grant individual invitees edit permission via a
toggle in the invitee list. Invited editors can modify event details
(title, description, time, location) but cannot change calendars, manage
invitees, delete events, or bulk-edit recurring series (scope restricted
to "this" only). The can_modify flag resets on decline to prevent silent
re-grant.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SQLAlchemy 2.0's select().union_all() returns a CompoundSelect which
cannot chain another .union_all(). Use the standalone union_all()
function to combine all three queries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
C-01: Remove nginx rate limit on event invitations endpoint — was
blocking GET (invitee list) on rapid event switching. Backend
already caps at 20 invitations per event with connection validation.
C-02: respondingRef uses string prefixes (conn-, cal-, event-) instead
of fragile numeric offsets (+100000/+200000) to prevent collisions.
W-01: get_accessible_event_scope combined into single UNION ALL query
(3 DB round-trips → 1) for calendar IDs + invitation IDs.
W-02: Dashboard and upcoming endpoints now include is_invited,
invitation_status, and display_calendar_id on event items.
W-04: LeaveEventDialog closes on error (.finally) instead of staying
open when mutation rejects.
S-01: Migration 055 FK constraint gets explicit name for consistency.
S-02: InviteSearch dropdown dismisses on blur (150ms delay for clicks).
S-03: Display calendar picker shows only owned calendars, not shared.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
