792d4639d1
fix(06.2): CR-03 serialize metadata_ with json.dumps in CSV export instead of Python repr
2026-06-01 14:25:29 +02:00
50859bb430
fix(06.2): CR-02 add MinIOBackend guard in download_daily_export before accessing _client
2026-06-01 14:25:06 +02:00
a3ad36cc82
fix(06.2): CR-01 event-type filter uses prefix LIKE match instead of exact equality
2026-06-01 14:24:50 +02:00
7e549b6312
docs(02-06): complete UAT gap closure plan summary
...
- SUMMARY.md for plan 02-06 (5 UAT gaps closed)
- Backend fix verified; frontend auth layout, admin guard, Account tab, QR code implemented
2026-05-31 20:41:36 +02:00
c08ea42b1b
feat(02-06): Account tab in SettingsView + QR code in TotpEnrollment (GAPs 3, 5)
...
- frontend/package.json: add qrcode@1.5.4 to runtime dependencies
- TotpEnrollment.vue: import QRCode; generate data URL in startSetup(); render img tag
- SettingsAccountTab.vue: new component with all AccountView content (2FA, password, sessions)
- SettingsView.vue: add Account tab rendering SettingsAccountTab; import SettingsAccountTab
2026-05-31 20:40:28 +02:00
97314ce486
docs(06.2): add code review report
2026-05-31 20:38:59 +02:00
aa957d6c50
feat(02-06): auth layout switching + admin role guard (GAPs 2, 3, 4)
...
- App.vue: conditionally renders AuthLayout for auth routes, app shell otherwise
- router/index.js: meta.layout='auth' on all four auth routes
- router/index.js: meta.requiresAdmin=true on /admin route
- router/index.js: beforeEach role check redirects non-admin to /
- router/index.js: /account redirects to /settings
2026-05-31 20:37:46 +02:00
579c8366e9
docs(06.2): update phase verification report after plan-05 gap closure
2026-05-31 20:30:43 +02:00
b2488c91c8
docs(02): add root causes from diagnosis
2026-05-31 20:28:57 +02:00
52d6efb8a2
docs(06.2): add code review report
2026-05-31 20:23:32 +02:00
33697f2713
test(02): complete UAT — 10 passed, 6 issues, 2 blocked
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 20:21:16 +02:00
8cc46a8d8d
docs(phase-06.2): resolve UAT gaps after 06.2-05 gap closure
2026-05-31 20:16:43 +02:00
c3c7030e91
docs(phase-06.2): update tracking after wave 3 — all 5 plans complete
2026-05-31 20:16:08 +02:00
8a078e4040
chore: merge executor worktree (worktree-agent-ad4015e9fb03e9447)
2026-05-31 20:13:19 +02:00
e30401ddff
docs(06.2-05): complete plan summary — 4 UAT gaps closed
...
- Task 1: @handle in AccountView + AdminUsersTab
- Task 2: actionable cloud error (Settings link) + audit log @ prefix
- Task 3: clearFilters() + activeFilterCount + Clear filters button + filter count badge
2026-05-31 20:12:27 +02:00
5d457d68bf
feat(06.2-05): clear filters button and active filter count in AuditLogTab
...
- Add clearFilters() function that resets all filter fields and refetches
- Add activeFilterCount computed property (counts non-empty filter fields)
- Add "Clear filters" button (visible only when activeFilterCount > 0)
- Wrap Export CSV button with filter count indicator (amber text below button)
- Add computed to vue import
2026-05-31 20:11:02 +02:00
f5e111bfa2
feat(06.2-05): actionable cloud error + audit log @ prefix
...
- CloudFolderView: detect no-connection error and show actionable message
directing user to Settings; add router-link to /settings and Retry button
- AuditLogTab: prefix user handles with @ in the User column
2026-05-31 20:10:22 +02:00
045e723f7a
feat(06.2-05): show @handle in AccountView and AdminUsersTab
...
- Add Username row (@handle) to Account information section in AccountView.vue
- Add Handle column (th + td with @prefix) to users table in AdminUsersTab.vue
- Both use existing data already present in API responses (no backend changes)
2026-05-31 20:09:50 +02:00
6307d9dd86
test(06.2): update UAT with root cause diagnoses for all 4 gaps
2026-05-31 20:01:56 +02:00
1d8c7dba91
test(06.2): complete UAT — 3 passed, 4 issues, 2 skipped, 2 blocked
2026-05-31 16:10:54 +02:00
77263bd569
docs(phase-06.2): mark validation strategy nyquist-compliant
...
All 11 Wave 0 test stubs verified green (50 passed, 4 xfailed).
Updated per-task map, wave 0 checklist, sign-off, and audit trail.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:44:25 +02:00
73b180ac9d
docs(phase-06.2): add security threat verification report
...
16/16 threats CLOSED — mitigate dispositions verified in code with exact file:line citations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:41:33 +02:00
f037d2be45
docs(06.2): add phase verification report
2026-05-31 15:36:08 +02:00
758d1a687e
docs(06.2): add code review report
2026-05-31 15:29:57 +02:00
abb964531f
docs(phase-06.2): update tracking after wave 2 — plan 06.2-04 complete
2026-05-31 15:24:44 +02:00
46f7505e36
chore: merge executor worktree (worktree-agent-af66944050628b0e4)
2026-05-31 15:23:36 +02:00
893da5b9ba
docs(06.2-04): complete ADMIN-06 audit enrichment + daily exports — 10 tests pass
...
- Handle-enriched audit log (user_handle, actor_handle via aliased double-JOIN)
- user_handle filter with handle-to-UUID resolution, empty result for unknown handles
- fetch+Blob CSV export replacing window.location.href (T-06.2-04-03)
- GET /audit-log/daily-exports and /daily-exports/{date} with date regex validation
- Daily exports section in AuditLogTab with date dropdown + Download button
- Full audit test suite: 10 passed; backend suite: 337 passed, 1 pre-existing failure
2026-05-31 15:22:46 +02:00
0647e6e9bf
feat(06.2-04): frontend — user_handle filter, fetch+Blob export, daily-export section
...
- adminListAuditLog: rename user_id param to user_handle (backend API change)
- adminExportAuditLogCsv(): fetch+Blob pattern — sends Bearer header (D-13, T-06.2-04-03)
- adminListDailyExports(): raw fetch returning JSON for daily export listing (D-17)
- adminDownloadDailyExport(date): fetch+Blob download with audit-{date}.csv filename (D-17)
- AuditLogTab: rename filters.user_id to filters.user_handle + label 'User handle' (D-12, C-5)
- AuditLogTab: exportCsv() replaced with async fetch+Blob call, exportingCsv loading state
- AuditLogTab: daily exports section below pagination — date dropdown + Download button (D-17, C-4)
- window.location.href removed from AuditLogTab (broken auth bypass closed)
- Build exits 0, full backend suite: 337 passed, 1 pre-existing failure
2026-05-31 15:21:23 +02:00
f176235ee8
docs(phase-04): update VALIDATION.md — Nyquist-compliant (all gaps resolved)
...
Mark nyquist_compliant: true. All 22 tasks now have automated coverage.
4 gaps resolved: FOLD-04 sort, FOLD-05 FTS, SEC-08 credentials_enc, SEC-09
MinIO cleanup. 1 impl bug logged and fixed (FTS try/except misplacement).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:21:08 +02:00
62daf0d750
test(phase-04): fill Nyquist validation gaps — FOLD-04, FOLD-05, SEC-08, SEC-09
...
Add 6 new tests covering document sort (name/size), FTS search cross-user
isolation, credentials_enc exclusion from all responses, and MinIO object
cleanup on user deletion.
Fix FTS try/except misplacement in api/documents.py — was wrapping the ORM
statement builder (never raises) instead of the execute call, causing HTTP 500
on SQLite test env. Now falls back to unfiltered results when @@ unsupported.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:21:02 +02:00
839bfe0ffe
feat(06.2-04): backend — handle enrichment, user_handle filter, two daily-export endpoints
...
- Add _audit_to_dict_with_handles() with user_handle + actor_handle fields
- Add _build_filtered_query_with_handles() with aliased User double-JOIN
- Change list_audit_log user_id param to user_handle string with handle→UUID resolution
- Change export_audit_log user_id param to user_handle (Pitfall 7 — both endpoints enriched)
- Add GET /audit-log/daily-exports — lists MinIO audit-logs bucket, asyncio.to_thread
- Add GET /audit-log/daily-exports/{date} — streams CSV, date regex validation (T-06.2-04-01)
- Move daily-export endpoints before viewer to ensure specific path registration order
- Update test_audit_log_export_csv to match enriched CSV header (user_handle, actor_handle)
- All 10 test_audit.py tests pass
2026-05-31 15:17:53 +02:00
d7cfc5ccee
test(06.2-04): add failing tests for handle enrichment, user_handle filter, daily exports
...
- test_audit_log_includes_user_handle: asserts user_handle/actor_handle in items
- test_audit_log_filter_by_handle: asserts filtering by handle works correctly
- test_audit_log_filter_unknown_handle: asserts 200+empty for unknown handle
- test_daily_exports_list: mocks MinIO list_objects, asserts sorted items
- test_daily_export_download: mocks MinIO get_object, asserts CSV response + 404 on bad date
2026-05-31 15:15:46 +02:00
eab5f124f6
docs(06.2-03): complete cloud-delete gap closure — 24 tests pass
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:11:51 +02:00
cce8586235
feat(06.2-03): frontend — CloudDeleteWarningModal + remove_only path in DocumentView
...
- api/client.js: deleteDocument gains removeOnly param; deleteDocumentRemoveOnly wrapper added
- DocumentView.vue: confirmDelete inspects response.cloud_delete_failed, shows modal on failure
- DocumentView.vue: inline CloudDeleteWarningModal (C-3 contract) with Remove from app / Cancel
- confirmRemoveOnly() calls DELETE ?remove_only=true and navigates to /
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:11:31 +02:00
95c7ed786a
feat(06.2-03): backend — cloud-aware delete routing + skip_quota + remove_only param
...
- storage.delete_document gains skip_quota=False param; quota decrement gated on it
- DELETE /api/documents/{id} gains remove_only=bool query param
- Cloud docs (storage_backend != minio): attempt cloud backend delete_object first
- On failure: return HTTP 200 {success: false, cloud_delete_failed: true} (not 4xx)
- On success or remove_only: delete DB row with skip_quota=True
- Cloud creds/exception message never included in response body (T-06.2-03-02)
- Promote 3 xfail stubs to real tests (propagates, failure, remove_only)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:09:44 +02:00
e812922a26
docs(06.2-02): complete SHARE-05 + SHARE-03 gap closure — 12 tests pass
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:07:26 +02:00
3cc4a5335d
docs(phase-03): update VALIDATION.md — Nyquist-compliant (partial)
...
15 automated tests green, 4 manual-only (PostgreSQL/migration infra).
Added 4 previously unlisted passing tests to task map (D-15, D-16, D-09×2).
Audit trail appended. Status: nyquist_compliant: true, status: partial.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:07:23 +02:00
1ee27da332
test(phase-03): remove stale xfail markers from quota tests
...
test_quota_increment_atomic and test_quota_exceeded_response were marked
xfail for PostgreSQL but pass on SQLite — markers removed, tests now PASSED.
Concurrent race and delete decrement keep xfail; they require real PG locking.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:07:18 +02:00
34b18a9f08
feat(06.2-02): frontend — is_shared badge fix + permission dropdown + View/Edit toggle
...
- DocumentCard.vue: fix Shared pill to read doc.is_shared (was doc.share_count > 0)
- ShareModal.vue: add permission select between handle input and submit button
- ShareModal.vue: replace static "view" span with View/Edit toggle group per share row
- ShareModal.vue: add handlePermissionChange with optimistic update + rollback on error
- documents.js: update shareDocument(docId, handle, permission='view') signature
- documents.js: add updateSharePermission(shareId, permission) action
- api/client.js: pass permission in createShare POST body
- api/client.js: add updateSharePermission PATCH helper
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:07:04 +02:00
ea231853e9
feat(06.2-02): backend — ShareCreate.permission field + PATCH /{share_id} endpoint
...
- Add permission field (default "view") with field_validator to ShareCreate
- Add SharePermissionPatch model with same validator
- Wire body.permission into grant_share() Share constructor
- Add PATCH /{share_id} endpoint with IDOR protection (T-06.2-02-01)
- Promote 3 xfail stubs to real tests (create_with_permission, patch_permission, patch_idor)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 15:04:53 +02:00
7e62868fea
docs(phase-02): add VALIDATION.md — Nyquist-compliant, all 24 tasks mapped, 4 manual-only
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 12:04:28 +02:00
d98e3ab7a1
test(phase-02): add Nyquist validation tests — fill SEC-05, AUTH-08, SEC-03 and frontend gaps
...
8 test files, 60 new tests (14 backend + 46 frontend). All green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 12:04:21 +02:00
6c79f92d70
chore: merge executor worktree (worktree-agent-a3dd74026d1efb9af)
2026-05-31 12:01:28 +02:00
21fde406e7
docs(06.2-01): complete Wave 0 Nyquist scaffold — 11 xfail stubs across 3 test files
...
- 3 stubs in test_shares.py (SHARE-03 permission field, PATCH, IDOR)
- 3 stubs in test_documents.py (cloud delete propagation, failure, remove_only)
- 5 stubs in test_audit.py (handle enrichment, handle filter x2, daily exports x2)
- All 11 reported as XFAIL; full 3-file suite: 35 passed, 15 xfailed, exits 0
2026-05-31 11:58:58 +02:00
7271eeb53c
test(06.2-01): add xfail stubs for ADMIN-06 audit enrichment + daily exports (Task 3)
...
- test_audit_log_includes_user_handle: user_handle and actor_handle in audit items (D-11)
- test_audit_log_filter_by_handle: user_handle query param filters entries (D-12)
- test_audit_log_filter_unknown_handle: unknown handle returns empty list, not 422 (D-12)
- test_daily_exports_list: daily-exports listing endpoint returns {items} (D-15)
- test_daily_export_download: daily export download returns CSV bytes with Content-Disposition (D-16)
2026-05-31 11:58:05 +02:00
bbf5355edb
test(06.2-01): add xfail stubs for cloud-delete document tests (Task 2)
...
- test_delete_cloud_document_propagates: cloud backend delete_object called for non-minio docs (D-01)
- test_delete_cloud_document_failure: structured JSON error when provider raises (D-03)
- test_delete_cloud_remove_only: remove_only=true skips cloud delete, removes DB row only (D-02)
2026-05-31 11:57:55 +02:00
ecdeffb63d
test(06.2-01): add xfail stubs for SHARE-03 permission tests (Task 1)
...
- test_share_create_with_permission: POST /api/shares permission field (SHARE-03, D-08, D-10)
- test_share_patch_permission: PATCH /api/shares/{id} permission change (SHARE-03, D-09)
- test_share_patch_idor: PATCH by non-owner returns 404 IDOR protection (SHARE-03, T-IDOR)
2026-05-31 11:54:52 +02:00
708fd7fad0
docs(phase-6.2): record planning complete — 4 plans verified, state updated
...
- ROADMAP.md: progress table → Planned; wave annotations already added by planner
- STATE.md: phase 6.2 row → Planned (4 plans, 3 waves); session note added
- 06.2-03-PLAN.md: remove incorrect SHARE-03/SHARE-05 from requirements field
- 06.2-RESEARCH.md: mark Open Questions section as RESOLVED
- 06.2-UI-SPEC.md: add to version control (was untracked)
Verification: 0 blockers, 2 cosmetic warnings fixed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 11:41:32 +02:00
4adc77d8cc
docs(06.2): create 4-plan phase covering SHARE-03, SHARE-05, cloud-delete, ADMIN-06
...
Wave 0: 11 xfail stubs across test_shares/test_documents/test_audit
Wave 1 (parallel): SHARE-05 badge + SHARE-03 permission control; cloud-delete propagation
Wave 2: audit handle enrichment, user_handle filter, CSV fetch+Blob, daily-export UI
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-31 11:36:33 +02:00
67f0c01540
docs(phase-6.2): add validation strategy
2026-05-31 11:12:23 +02:00
curo1305