UMBRA

rohskiddo/UMBRA

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Pope	e4b45763b4	Phase 1: Schema and models for shared calendars Migrations 047-051: - 047: Add is_shared to calendars - 048: Create calendar_members table (permissions, status, constraints) - 049: Create event_locks table (5min TTL, permanent owner locks) - 050: Expand notification CHECK (calendar_invite types) - 051: Add updated_by to calendar_events + updated_at index New models: CalendarMember, EventLock Updated models: Calendar (is_shared, members), CalendarEvent (updated_by), Notification (3 new types) New schemas: shared_calendar.py (invite, respond, member, lock, sync) Updated schemas: calendar.py (is_shared, sharing response fields) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-06 03:22:44 +08:00
Kyle Pope	d8bdae8ec3	Implement multi-user RBAC: database, auth, routing, admin API (Phases 1-6) Phase 1: Add role, mfa_enforce_pending, must_change_password to users table. Create system_config (singleton) and audit_log tables. Migration 026. Phase 2: Add user_id FK to all 8 data tables (todos, reminders, projects, calendars, people, locations, event_templates, ntfy_sent) with 4-step nullable→backfill→FK→NOT NULL pattern. Migrations 027-034. Phase 3: Harden auth schemas (extra="forbid" on RegisterRequest), add MFA enforcement token serializer with distinct salt, rewrite auth router with require_role() factory and registration endpoint. Phase 4: Scope all 12 routers by user_id, fix dependency type bugs, bound weather cache (SEC-15), multi-user ntfy dispatch. Phase 5: Create admin router (14 endpoints), admin schemas, audit service, rate limiting in nginx. SEC-08 CSRF via X-Requested-With. Phase 6: Update frontend types, useAuth hook (role/isAdmin/register), App.tsx (AdminRoute guard), Sidebar (admin link), api.ts (XHR header). Security findings addressed: SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06, SEC-07, SEC-08, SEC-12, SEC-13, SEC-15. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-26 19:06:25 +08:00
Kyle Pope	093bceed06	Add multi-calendar backend support with virtual birthday events - New Calendar model and calendars table with system/default flags - Alembic migration 006: creates calendars, seeds Personal+Birthdays, migrates existing events - CalendarEvent model gains calendar_id FK and calendar_name/calendar_color properties - Updated CalendarEventCreate/Response schemas to include calendar fields - New /api/calendars CRUD router (blocks system calendar deletion/rename) - Events router: selectinload on all queries, default-calendar assignment on POST, virtual birthday event generation from People with birthdays when Birthdays calendar is visible Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-21 19:07:35 +08:00

Author

SHA1

Message

Date

Kyle Pope

e4b45763b4

Phase 1: Schema and models for shared calendars

Migrations 047-051:
- 047: Add is_shared to calendars
- 048: Create calendar_members table (permissions, status, constraints)
- 049: Create event_locks table (5min TTL, permanent owner locks)
- 050: Expand notification CHECK (calendar_invite types)
- 051: Add updated_by to calendar_events + updated_at index

New models: CalendarMember, EventLock
Updated models: Calendar (is_shared, members), CalendarEvent (updated_by),
  Notification (3 new types)
New schemas: shared_calendar.py (invite, respond, member, lock, sync)
Updated schemas: calendar.py (is_shared, sharing response fields)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-06 03:22:44 +08:00

Kyle Pope

d8bdae8ec3

Implement multi-user RBAC: database, auth, routing, admin API (Phases 1-6)

Phase 1: Add role, mfa_enforce_pending, must_change_password to users table.
Create system_config (singleton) and audit_log tables. Migration 026.

Phase 2: Add user_id FK to all 8 data tables (todos, reminders, projects,
calendars, people, locations, event_templates, ntfy_sent) with 4-step
nullable→backfill→FK→NOT NULL pattern. Migrations 027-034.

Phase 3: Harden auth schemas (extra="forbid" on RegisterRequest), add
MFA enforcement token serializer with distinct salt, rewrite auth router
with require_role() factory and registration endpoint.

Phase 4: Scope all 12 routers by user_id, fix dependency type bugs,
bound weather cache (SEC-15), multi-user ntfy dispatch.

Phase 5: Create admin router (14 endpoints), admin schemas, audit
service, rate limiting in nginx. SEC-08 CSRF via X-Requested-With.

Phase 6: Update frontend types, useAuth hook (role/isAdmin/register),
App.tsx (AdminRoute guard), Sidebar (admin link), api.ts (XHR header).

Security findings addressed: SEC-01, SEC-02, SEC-03, SEC-04, SEC-05,
SEC-06, SEC-07, SEC-08, SEC-12, SEC-13, SEC-15.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-26 19:06:25 +08:00

Kyle Pope

093bceed06

Add multi-calendar backend support with virtual birthday events

- New Calendar model and calendars table with system/default flags
- Alembic migration 006: creates calendars, seeds Personal+Birthdays, migrates existing events
- CalendarEvent model gains calendar_id FK and calendar_name/calendar_color properties
- Updated CalendarEventCreate/Response schemas to include calendar fields
- New /api/calendars CRUD router (blocks system calendar deletion/rename)
- Events router: selectinload on all queries, default-calendar assignment on POST, virtual birthday event generation from People with birthdays when Birthdays calendar is visible

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-21 19:07:35 +08:00

3 Commits