Bugs fixed:
- minio_backend.py: generate_presigned_put_url and presigned_get_url used internal
_client (minio:9000) instead of _public_client (localhost:9000). Browser received
ERR_NAME_NOT_RESOLVED. Fixed by using _public_client with region='us-east-1' to
skip region-discovery HTTP request from inside the container.
- docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN was set from CORS_ORIGINS which
uses pydantic JSON list format '["http://localhost:5173"]'. MinIO expected a plain
string and never matched the origin. Fixed to use FRONTEND_URL instead.
- admin.py: All write handlers (create_user, update_user_status, update_user_quota,
update_ai_config) used session.flush() without session.commit(). Changes appeared
to succeed (response reflected in-memory state) but rolled back on session close.
Fixed by replacing flush() with commit() in all four write handlers.
- auth.js: Concurrent refresh() calls from QuotaBar and App.vue on page reload caused
a token rotation race — first call rotated the cookie, second arrived with stale
cookie and cleared accessToken. Fixed by deduplicating with a shared in-flight
promise (_refreshInFlight).
Phase 3 UAT: 9/10 pass. UAT-3 (QuotaBar visual) pending browser confirmation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Includes planning artifacts (03-CONTEXT, 03-DISCUSSION-LOG, 03-02-SUMMARY),
integration test script, MinIO/auth/docker fixes, and local dev account reference.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 03-04-SUMMARY.md: Plan complete — classifier signature, env var defaults, security
mitigations T-03-17/18/19/21 all resolved; DOC-03, DOC-05 requirements completed
- STATE.md: Advance to Plan 4/5 complete, add 5 key decisions from this plan
- ROADMAP.md: Mark 03-04-PLAN.md complete (Wave 4)
- REQUIREMENTS.md: Mark DOC-03 and DOC-05 as complete
- 03-03-SUMMARY.md: documents all endpoint auth guards, ownership assertions, namespace isolation pattern, and SQLite compat deviations
- STATE.md: advance to Plan 3/5 complete, add 6 key decisions (get_regular_user, 404-not-403, CASE WHEN, or_/is_(None), AI user namespace)
- ROADMAP.md: mark 03-03-PLAN.md complete
- REQUIREMENTS.md: mark SEC-04 and DOC-04 complete
- Create 03-01-SUMMARY.md with all 19 new test IDs, task commits, and decisions
- Update STATE.md: phase 3 in progress, plan 1/5 complete, 3 new key decisions
- Update ROADMAP.md: mark 03-01-PLAN.md as complete (2026-05-23)
5 plans across 5 sequential waves covering: Alembic migration 0003 (null-user
cleanup, NOT NULL constraint, quota reconciliation), presigned MinIO PUT upload
flow with atomic quota enforcement, auth guards on all document/topic endpoints,
flat-file settings retirement + per-user AI classification, and frontend quota bar
with 3-step XHR upload progress.
Verification passed across all 12 dimensions. All 8 phase requirements covered
(STORE-03/04/05/06, SEC-04, DOC-03/04/05).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
4/5 success criteria verified; 1 blocker gap identified: admin JWT
does not return 403 on document content endpoints because api/documents.py
has no auth enforcement (Phase 1 legacy state, deferred to Phase 3 per D-03).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 02-04-SUMMARY.md: admin API plan complete (18 tests, 7 endpoints, all security checks pass)
- STATE.md: advanced to plan 4/5, updated metrics and session continuity
- Create 01-02-SUMMARY.md: 19 total xfail tests across 5 files, 3 task
commits documented, no deviations
- STATE.md: advance to plan 3/5, update progress to 40%, record decisions
for async_client naming and xfail(strict=False) pattern
- ROADMAP.md: mark 01-02-PLAN.md complete, update progress table to 2/5
- Create 01-01-SUMMARY.md with full execution record (3 tasks, 6 files)
- Update STATE.md: advance to plan 2 of 5, record key decisions, update session
- Update ROADMAP.md: mark 01-01 complete, update progress table (1/5 plans)
curo1305