Fix/feedback pass 2026 06 23#15
Open
jawi-lab wants to merge 57 commits into
Open
Conversation
- Created docs/PRD.md with vision, target users, roadmap, constraints, and non-goals - Added 11 features to features/INDEX.md (PROJ-1 through PROJ-11) - Build order: Web-App complete first, Capacitor last (P1) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…and generated types - Replace null-export placeholder in supabase.ts with typed createClient<Database>() - Hard-fail on missing env vars with explicit error messages - Add auto-generated database.types.ts from Supabase schema (profiles table) - Add unit tests for env-var validation behavior (3 tests, all pass) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 12/13 acceptance criteria pass - 3 bugs documented (2 HIGH fixed in prev commit, 1 LOW pending manual fix) - Security audit: clean - Status updated: In Progress → In Review Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ers, update PRD status to Approved - .env.local.example: replace generic starter-kit template with ZUSAMMEN-specific vars + Supabase Dashboard link - docs/PRD.md: update PROJ-1 status Planned → Approved - STYLEGUIDE.md, Konzept_Freundes-Planungs-App.md: add project documentation files Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…r Accounts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…private MVP test Google, Apple, Facebook shown as disabled placeholder buttons. OAuth setup deferred until App Store release (PROJ-9). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… casts - DB migration: profiles.status TEXT NOT NULL DEFAULT 'pending' CHECK (pending|active) - database.types.ts: add status field with narrowed union type - AuthContext: status now required (non-optional), remove as-cast - auth/callback: remove Record<string,unknown> cast on status update - Includes all frontend auth pages and components from /frontend Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ng redirect - BUG-01 (HIGH): Add signOut() to AuthContext; add profile dropdown with logout button to home page - BUG-02 (HIGH): Add timeout + URL error parsing to /auth/callback for expired/used links - BUG-03 (MEDIUM): Show error screen when profile status update fails in callback - BUG-04 (LOW): Direct redirect to /signup/pending for pending users on /signup page - Mark PROJ-2 as Approved in INDEX.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://qt-voting-app.vercel.app - Deployed: 2026-06-22 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Create groups + group_members tables with RLS (8 policies total) - Add is_group_member / is_group_admin helper functions - Add join_group_by_invite_code RPC (SECURITY DEFINER) so non-members can look up groups by invite code without bypassing member-only SELECT - Deploy generate-invite-code Edge Function (JWT-verified, service role) - Update useGroups.joinGroup to use RPC instead of direct table query - Add RPC/function types to database.types.ts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…Mitglieder-Management Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…rd, rollback, sanitizer, vitest
- CRIT-1: deleteGroup() now deletes group first; ON DELETE CASCADE removes members (was orphaning groups)
- CRIT-2: "Gruppe löschen" button now only shown when isLastMember (was shown to all admins)
- HIGH-1: Removed broken rollback in createGroup that silently failed due to RLS
- MED-1: Extracted generateInviteCode() to group-types.ts (was duplicated in both hooks)
- LOW-1: LeaveGroupDialog now always rendered; disabled={isLastMember} per spec
- LOW-2: JoinGroupForm sanitizer now also strips O/0/I/1 to match invite code charset
- LOW-3: vitest.config.ts excludes tests/ dir to prevent Playwright specs from breaking npm test
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit.vercel.app - Deployed: 2026-06-22 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tion, hooks Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…s-Vorschläge & Voting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…oved Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit.vercel.app - Deployed: 2026-06-22 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- SignupForm: pass display_name via user metadata, remove broken client-side profile INSERT (no session exists before email confirmation) - Auth callback: replace UPDATE with UPSERT so profile is created at email-confirmation time when a real session is active - DB: backfilled missing profile for existing user (status=active) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Frontend: KanbanBoard, KanbanColumn, KanbanCard, MoveToPlanningDialog, ConfirmStatusDialog, useKanbanActivities (Realtime), useUpdateActivityStatus. Activates the Planung tab in GroupMainSheet. Backend (Supabase migration add_kanban_fields_and_fix_rls): - Adds start_date + end_date columns to activities - Expands status CHECK constraint with in_planung + planung_abgeschlossen - Fixes UPDATE RLS policy to allow Kanban transitions (was blocked to vorschlag only) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…UTC date parsing, stale E2E test Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app - Deployed: 2026-06-22 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…spec Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…s-Detail - 25 new Vitest unit tests across 3 hook test files (useActivityDetail, useActivityComments, useActivityPhotos) — all 92 unit tests pass - 23 Playwright E2E tests covering opening the sheet, hero, comments (toolbar, empty state, send-disabled), status-based sections, edit validation, responsibility form, photo gallery visibility - Feature spec updated with full QA results: 35/35 ACs pass, 4 bugs documented (1 Medium, 3 Low), no Critical/High - Status updated to Approved in spec and INDEX.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…on order, loading skeletons - BUG-6-M1: Comment delete button now visible on mobile (opacity-100 on <md, hover-reveal only on md+) — fixes touch devices where hover never fires - BUG-6-L1: Remove abgeschlossen guard from canEdit — admin/initiator can now edit activity name/description/location/url at any status - BUG-6-L2: deletePhoto now deletes DB record first, then Storage — orphaned storage files are safer than broken image references in the DB - BUG-6-L3: Added loading skeletons to Verantwortlichkeiten (2 rows) and Erinnerungsfotos (3-tile grid) sections during initial fetch Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nt updates - Add useActivityDetail, useActivityComments, useActivityResponsibilities hooks - Add ActivityWithInitiator types and UpdateActivityDetailInput in activity-types.ts - Extend database.types.ts with activity_responsibilities and comment tables - Wire GroupMainSheet, KanbanCard, KanbanColumn, ProposalCard to open detail sheet - Add globals.css rich-text editor styles for Tiptap Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app - Deployed: 2026-06-22 - Git tag: v1.6.0-PROJ-6 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…fil & Archiv Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…, calendar connection, date blocks, archive - ProfileSheet with Profil + Archiv tabs replacing avatar dropdown - Avatar upload (native file picker, 5 MB guard, Supabase Storage) - Display name inline edit with validation (max 50 chars) - Google Calendar OAuth flow via Supabase Edge Function (client_secret server-side only) - Manual date blocks CRUD (day-level unavailability for PROJ-7) - Archive tab: paginated completed activities with readOnly ActivityDetailSheet - AuthContext extended with refreshProfile(); database.types.ts updated for new tables Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app - Deployed: 2026-06-23 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…dung & Kalender-Export Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- BUG-1 (HIGH): ical-export.ts DTEND now uses UTC arithmetic (Date.UTC)
to avoid off-by-one day in UTC+ timezones (Germany UTC+1/+2)
- BUG-2 (LOW): MissingCalendarBanner grammar fix ("Mitglieder" → "Mitgliedern")
- BUG-3 (LOW): PROJ-5 E2E tests updated to match DateFinderSheet UI
("Termin finden" / "Termin bestätigen" replaces old dialog labels)
All 152 unit tests pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add DateFinderSheet with availability overlay (green/yellow/red/grey) - Add iCal export (RFC 5545) with DTEND timezone fix - Add get-group-availability Edge Function - Add useGroupAvailability hook - Wire up "Termin finden" in KanbanCard ⋯-menu and KanbanBoard - Wire up "Termin anpassen" and "Zum Kalender hinzufügen" in ActivityDetailSheet - Update database.types.ts with start_date/end_date fields Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app - Edge Function get-group-availability deployed (Version 2) - Deployed: 2026-06-23 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- SignupForm: check identities.length === 0 to detect already-registered emails (Supabase returns no error by default) - OnboardingScreen: add logout button so users are not trapped on the page Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Navigate to /login only after Supabase fires SIGNED_OUT in onAuthStateChange, ensuring localStorage is fully cleared before the new page calls getSession(). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Creating a group failed with "new row violates row-level security policy for table groups". The client insert used .insert().select(); the RETURNING needs the groups SELECT policy (is_group_member), which fails before the membership row exists (chicken-and-egg). No group was ever created. New SECURITY DEFINER RPC create_group_with_membership() inserts the group and the creator's admin membership atomically and generates the invite code server-side. useGroups.createGroup now calls the RPC. Also removes the prior orphan-group risk. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Logout: signOut() only redirected via the SIGNED_OUT event, with no error handling or fallback. With the default global scope the network revoke could fail and the event never fired, so the button appeared dead. Now uses scope: 'local' in try/catch with a guaranteed window.location redirect. Email confirmation: the callback page only waited for the SIGNED_IN event, but detectSessionInUrl often establishes the session before the React listener attaches, so the event was missed and the page timed out with a generic error despite a successful server-side confirmation. The page now actively resolves the session via getSession() (plus a PKCE code exchange fallback); recovery links are still routed to /reset-password via the pre-read type param. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… triggers Previously handle_new_user inserted profiles as 'active' immediately, so the pending->active gate (AuthGuard / /signup/pending) was effectively bypassed. Migration profile_status_follows_email_confirmation: - handle_new_user now inserts 'pending' (or 'active' if already confirmed) - new on_auth_user_confirmed trigger flips status to 'active' when email_confirmed_at is set — fully server-side, in sync with real confirmation - backfills existing profiles to match their confirmation state The auth callback no longer upserts the profile status (now redundant); it just resolves the session and redirects. Removes the dead 'network' error branch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…irect Reading groups/memberships always failed with "stack depth limit exceeded": the is_group_member / is_group_admin helpers were SECURITY INVOKER, so the internal group_members SELECT inside them re-triggered the same RLS policy -> infinite recursion. fetchGroups errored, groups stayed empty, and /groups bounced the user back to /onboarding right after creating a group. Migration rls_helpers_security_definer_fix_recursion recreates both helpers as SECURITY DEFINER with a fixed search_path (standard Supabase pattern) so the internal lookup bypasses RLS. Applied to the remote project. Defensive client change: /groups now only redirects to /onboarding when there is genuinely no group AND no fetch error — never silently bounce on an error. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…mages & photos
The comment-image / activity-photo storage policies extracted the activity id
from storage.foldername(activities.name) instead of the uploaded object's path.
Inside the FROM activities a subquery an unqualified `name` rebinds to
activities.name, so is_group_member(NULL) => false and every upload/read was
denied ("Upload fehlgeschlagen"). Qualify it explicitly as storage.objects.name.
Applied to production 2026-06-23 and verified (no remaining activities.name refs).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…sfehler" Auth logs showed 429 over_email_send_rate_limit (Supabase built-in email rate limit) being masked as "Verbindungsfehler". Map rate-limit/429 and password errors to specific messages and fall back to the actual error otherwise. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…t-off
- useGroups refetches on focus/visibilitychange so cross-device joins show up
without a manual reload (group_members is not in the realtime publication).
- Global overflow-x:hidden / max-width:100% guard stops iOS Safari from shifting
fixed sheets off-screen ("Fenster abgeschnitten").
- Harden the date-block row against overflow (min-w-0 + truncate).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rag-and-drop
- New routes /groups/[groupId]/{vorschlaege,planung,archiv} with a shared layout
(header, tab nav, settings + activity-detail sheets) and GroupShellContext.
Opening a group navigates instead of opening a narrow right-side sheet; the
Kanban now has full width for its 4 columns. Removed GroupMainSheet.
- Groups list, onboarding success and ?group= param now navigate to the routes.
- PROJ-4: removed the nonsensical proposal cap (proposals >= members) and the
redundant "Ersten Vorschlag erstellen" empty-state button; the + Vorschlag FAB
is the single create entry point. Unlimited backlog suggestions.
- PROJ-5: added desktop drag-and-drop (native HTML5). Cards are draggable when
manageable; columns highlight valid drops; only single forward steps allowed,
each routed through the same gated action as the buttons.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.