Skip to content

Fix/feedback pass 2026 06 23#15

Open
jawi-lab wants to merge 57 commits into
AlexPEClub:mainfrom
jawi-lab:fix/feedback-pass-2026-06-23
Open

Fix/feedback pass 2026 06 23#15
jawi-lab wants to merge 57 commits into
AlexPEClub:mainfrom
jawi-lab:fix/feedback-pass-2026-06-23

Conversation

@jawi-lab

Copy link
Copy Markdown

No description provided.

Janusz Wickbold and others added 30 commits June 21, 2026 19:58
- Created docs/PRD.md with vision, target users, roadmap, constraints, and non-goals
- Added 11 features to features/INDEX.md (PROJ-1 through PROJ-11)
- Build order: Web-App complete first, Capacitor last (P1)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…and generated types

- Replace null-export placeholder in supabase.ts with typed createClient<Database>()
- Hard-fail on missing env vars with explicit error messages
- Add auto-generated database.types.ts from Supabase schema (profiles table)
- Add unit tests for env-var validation behavior (3 tests, all pass)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 12/13 acceptance criteria pass
- 3 bugs documented (2 HIGH fixed in prev commit, 1 LOW pending manual fix)
- Security audit: clean
- Status updated: In Progress → In Review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ers, update PRD status to Approved

- .env.local.example: replace generic starter-kit template with ZUSAMMEN-specific vars + Supabase Dashboard link
- docs/PRD.md: update PROJ-1 status Planned → Approved
- STYLEGUIDE.md, Konzept_Freundes-Planungs-App.md: add project documentation files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…r Accounts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…private MVP test

Google, Apple, Facebook shown as disabled placeholder buttons. OAuth setup
deferred until App Store release (PROJ-9).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… casts

- DB migration: profiles.status TEXT NOT NULL DEFAULT 'pending' CHECK (pending|active)
- database.types.ts: add status field with narrowed union type
- AuthContext: status now required (non-optional), remove as-cast
- auth/callback: remove Record<string,unknown> cast on status update
- Includes all frontend auth pages and components from /frontend

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ng redirect

- BUG-01 (HIGH): Add signOut() to AuthContext; add profile dropdown with logout button to home page
- BUG-02 (HIGH): Add timeout + URL error parsing to /auth/callback for expired/used links
- BUG-03 (MEDIUM): Show error screen when profile status update fails in callback
- BUG-04 (LOW): Direct redirect to /signup/pending for pending users on /signup page
- Mark PROJ-2 as Approved in INDEX.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://qt-voting-app.vercel.app
- Deployed: 2026-06-22

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Create groups + group_members tables with RLS (8 policies total)
- Add is_group_member / is_group_admin helper functions
- Add join_group_by_invite_code RPC (SECURITY DEFINER) so non-members
  can look up groups by invite code without bypassing member-only SELECT
- Deploy generate-invite-code Edge Function (JWT-verified, service role)
- Update useGroups.joinGroup to use RPC instead of direct table query
- Add RPC/function types to database.types.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…Mitglieder-Management

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…rd, rollback, sanitizer, vitest

- CRIT-1: deleteGroup() now deletes group first; ON DELETE CASCADE removes members (was orphaning groups)
- CRIT-2: "Gruppe löschen" button now only shown when isLastMember (was shown to all admins)
- HIGH-1: Removed broken rollback in createGroup that silently failed due to RLS
- MED-1: Extracted generateInviteCode() to group-types.ts (was duplicated in both hooks)
- LOW-1: LeaveGroupDialog now always rendered; disabled={isLastMember} per spec
- LOW-2: JoinGroupForm sanitizer now also strips O/0/I/1 to match invite code charset
- LOW-3: vitest.config.ts excludes tests/ dir to prevent Playwright specs from breaking npm test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit.vercel.app
- Deployed: 2026-06-22

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tion, hooks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…s-Vorschläge & Voting

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…oved

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit.vercel.app
- Deployed: 2026-06-22

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- SignupForm: pass display_name via user metadata, remove broken
  client-side profile INSERT (no session exists before email confirmation)
- Auth callback: replace UPDATE with UPSERT so profile is created at
  email-confirmation time when a real session is active
- DB: backfilled missing profile for existing user (status=active)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Frontend: KanbanBoard, KanbanColumn, KanbanCard, MoveToPlanningDialog,
ConfirmStatusDialog, useKanbanActivities (Realtime), useUpdateActivityStatus.
Activates the Planung tab in GroupMainSheet.

Backend (Supabase migration add_kanban_fields_and_fix_rls):
- Adds start_date + end_date columns to activities
- Expands status CHECK constraint with in_planung + planung_abgeschlossen
- Fixes UPDATE RLS policy to allow Kanban transitions (was blocked to vorschlag only)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…UTC date parsing, stale E2E test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jawi-lab and others added 27 commits June 22, 2026 20:45
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app
- Deployed: 2026-06-22

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…spec

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…s-Detail

- 25 new Vitest unit tests across 3 hook test files (useActivityDetail,
  useActivityComments, useActivityPhotos) — all 92 unit tests pass
- 23 Playwright E2E tests covering opening the sheet, hero, comments
  (toolbar, empty state, send-disabled), status-based sections,
  edit validation, responsibility form, photo gallery visibility
- Feature spec updated with full QA results: 35/35 ACs pass,
  4 bugs documented (1 Medium, 3 Low), no Critical/High
- Status updated to Approved in spec and INDEX.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…on order, loading skeletons

- BUG-6-M1: Comment delete button now visible on mobile (opacity-100 on <md,
  hover-reveal only on md+) — fixes touch devices where hover never fires
- BUG-6-L1: Remove abgeschlossen guard from canEdit — admin/initiator can
  now edit activity name/description/location/url at any status
- BUG-6-L2: deletePhoto now deletes DB record first, then Storage — orphaned
  storage files are safer than broken image references in the DB
- BUG-6-L3: Added loading skeletons to Verantwortlichkeiten (2 rows) and
  Erinnerungsfotos (3-tile grid) sections during initial fetch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nt updates

- Add useActivityDetail, useActivityComments, useActivityResponsibilities hooks
- Add ActivityWithInitiator types and UpdateActivityDetailInput in activity-types.ts
- Extend database.types.ts with activity_responsibilities and comment tables
- Wire GroupMainSheet, KanbanCard, KanbanColumn, ProposalCard to open detail sheet
- Add globals.css rich-text editor styles for Tiptap

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app
- Deployed: 2026-06-22
- Git tag: v1.6.0-PROJ-6

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…fil & Archiv

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…, calendar connection, date blocks, archive

- ProfileSheet with Profil + Archiv tabs replacing avatar dropdown
- Avatar upload (native file picker, 5 MB guard, Supabase Storage)
- Display name inline edit with validation (max 50 chars)
- Google Calendar OAuth flow via Supabase Edge Function (client_secret server-side only)
- Manual date blocks CRUD (day-level unavailability for PROJ-7)
- Archive tab: paginated completed activities with readOnly ActivityDetailSheet
- AuthContext extended with refreshProfile(); database.types.ts updated for new tables

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app
- Deployed: 2026-06-23

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…dung & Kalender-Export

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- BUG-1 (HIGH): ical-export.ts DTEND now uses UTC arithmetic (Date.UTC)
  to avoid off-by-one day in UTC+ timezones (Germany UTC+1/+2)
- BUG-2 (LOW): MissingCalendarBanner grammar fix ("Mitglieder" → "Mitgliedern")
- BUG-3 (LOW): PROJ-5 E2E tests updated to match DateFinderSheet UI
  ("Termin finden" / "Termin bestätigen" replaces old dialog labels)
All 152 unit tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add DateFinderSheet with availability overlay (green/yellow/red/grey)
- Add iCal export (RFC 5545) with DTEND timezone fix
- Add get-group-availability Edge Function
- Add useGroupAvailability hook
- Wire up "Termin finden" in KanbanCard ⋯-menu and KanbanBoard
- Wire up "Termin anpassen" and "Zum Kalender hinzufügen" in ActivityDetailSheet
- Update database.types.ts with start_date/end_date fields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Production URL: https://ai-coding-starter-kit-ebon.vercel.app
- Edge Function get-group-availability deployed (Version 2)
- Deployed: 2026-06-23

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- SignupForm: check identities.length === 0 to detect already-registered emails (Supabase returns no error by default)
- OnboardingScreen: add logout button so users are not trapped on the page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Navigate to /login only after Supabase fires SIGNED_OUT in onAuthStateChange,
ensuring localStorage is fully cleared before the new page calls getSession().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Creating a group failed with "new row violates row-level security policy
for table groups". The client insert used .insert().select(); the RETURNING
needs the groups SELECT policy (is_group_member), which fails before the
membership row exists (chicken-and-egg). No group was ever created.

New SECURITY DEFINER RPC create_group_with_membership() inserts the group
and the creator's admin membership atomically and generates the invite code
server-side. useGroups.createGroup now calls the RPC. Also removes the prior
orphan-group risk.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Logout: signOut() only redirected via the SIGNED_OUT event, with no error
handling or fallback. With the default global scope the network revoke could
fail and the event never fired, so the button appeared dead. Now uses
scope: 'local' in try/catch with a guaranteed window.location redirect.

Email confirmation: the callback page only waited for the SIGNED_IN event,
but detectSessionInUrl often establishes the session before the React
listener attaches, so the event was missed and the page timed out with a
generic error despite a successful server-side confirmation. The page now
actively resolves the session via getSession() (plus a PKCE code exchange
fallback); recovery links are still routed to /reset-password via the
pre-read type param.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… triggers

Previously handle_new_user inserted profiles as 'active' immediately, so the
pending->active gate (AuthGuard / /signup/pending) was effectively bypassed.

Migration profile_status_follows_email_confirmation:
- handle_new_user now inserts 'pending' (or 'active' if already confirmed)
- new on_auth_user_confirmed trigger flips status to 'active' when
  email_confirmed_at is set — fully server-side, in sync with real confirmation
- backfills existing profiles to match their confirmation state

The auth callback no longer upserts the profile status (now redundant); it just
resolves the session and redirects. Removes the dead 'network' error branch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…irect

Reading groups/memberships always failed with "stack depth limit exceeded":
the is_group_member / is_group_admin helpers were SECURITY INVOKER, so the
internal group_members SELECT inside them re-triggered the same RLS policy ->
infinite recursion. fetchGroups errored, groups stayed empty, and /groups
bounced the user back to /onboarding right after creating a group.

Migration rls_helpers_security_definer_fix_recursion recreates both helpers as
SECURITY DEFINER with a fixed search_path (standard Supabase pattern) so the
internal lookup bypasses RLS. Applied to the remote project.

Defensive client change: /groups now only redirects to /onboarding when there
is genuinely no group AND no fetch error — never silently bounce on an error.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…mages & photos

The comment-image / activity-photo storage policies extracted the activity id
from storage.foldername(activities.name) instead of the uploaded object's path.
Inside the FROM activities a subquery an unqualified `name` rebinds to
activities.name, so is_group_member(NULL) => false and every upload/read was
denied ("Upload fehlgeschlagen"). Qualify it explicitly as storage.objects.name.

Applied to production 2026-06-23 and verified (no remaining activities.name refs).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…sfehler"

Auth logs showed 429 over_email_send_rate_limit (Supabase built-in email rate
limit) being masked as "Verbindungsfehler". Map rate-limit/429 and password
errors to specific messages and fall back to the actual error otherwise.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…t-off

- useGroups refetches on focus/visibilitychange so cross-device joins show up
  without a manual reload (group_members is not in the realtime publication).
- Global overflow-x:hidden / max-width:100% guard stops iOS Safari from shifting
  fixed sheets off-screen ("Fenster abgeschnitten").
- Harden the date-block row against overflow (min-w-0 + truncate).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rag-and-drop

- New routes /groups/[groupId]/{vorschlaege,planung,archiv} with a shared layout
  (header, tab nav, settings + activity-detail sheets) and GroupShellContext.
  Opening a group navigates instead of opening a narrow right-side sheet; the
  Kanban now has full width for its 4 columns. Removed GroupMainSheet.
- Groups list, onboarding success and ?group= param now navigate to the routes.
- PROJ-4: removed the nonsensical proposal cap (proposals >= members) and the
  redundant "Ersten Vorschlag erstellen" empty-state button; the + Vorschlag FAB
  is the single create entry point. Unlimited backlog suggestions.
- PROJ-5: added desktop drag-and-drop (native HTML5). Cards are draggable when
  manageable; columns highlight valid drops; only single forward steps allowed,
  each routed through the same gated action as the buttons.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant