7 Commits

Author SHA1 Message Date
Julien Calixte
7c755740b9 feat(push): notify on defect filed without delaying the response
Send fire-and-forget via event.waitUntil after the row is created, so
filing latency is unaffected. (T11/F7)
2026-05-28 01:51:41 +02:00
Julien Calixte
ea7384591c feat(push): owner-only subscribe/unsubscribe endpoints + VAPID config (T10)
POST/DELETE /api/subscriptions gated to the configured owner; runtime
config carries the public VAPID key, owner email and the signing secret.
2026-05-28 01:20:20 +02:00
Julien Calixte
82ac540909 feat(auth): Google OAuth, sealed session and default-deny gating (T9)
Gate the app behind Google sign-in restricted to verified @theodo.com
identities, and record the real reporter on filed defects (F9).

- nuxt-auth-utils for sealed cookie sessions + the Google OAuth handler,
  mounted at /auth/google/callback to match the registered redirect URI.
- isAllowedGoogleUser re-derives the domain from Google's verified email;
  the spoofable `hd` claim is deliberately ignored (DESIGN T9).
- Default-deny: server middleware 401s unauthenticated /api calls (health
  and the session endpoint excepted); a global route middleware redirects
  unauthenticated page navigations to /login.
- getReporter() now reads the session email instead of the dev stub.
- Env contract moves to nuxt-auth-utils names (NUXT_SESSION_PASSWORD,
  NUXT_OAUTH_GOOGLE_*); .env.example, compose and README updated.

Unit-tested: domain check (incl. hd-spoof + look-alike) and public-path
matching. Live OAuth round-trip pending manual verification.
2026-05-28 01:09:48 +02:00
Julien Calixte
999593b426 feat(defects): read API — feed, per-section counts and history (T6)
GET /api/defects returns a newest-first feed joined to the project name,
bounded by limit; ?section=ID narrows to one section's history. GET
/api/defects/counts returns { sectionId: n } for the weak-point map. Adds a
(section_id, created_at) index and a db:seed script; ~2k rows query in ~20ms.
2026-05-28 00:18:18 +02:00
Julien Calixte
cb19b2df55 feat(defects): file a defect via a board-section modal (T5)
POST /api/defects validates the body with arktype (known section, uuid
project, non-empty trimmed verbatim) and resolves the reporter through a dev
seam (getReporter, ADR 0002) until OAuth lands. DefectForm is a DaisyUI modal
opened by a section click — pick a project, describe the problem, submit.
2026-05-27 23:53:49 +02:00
Julien Calixte
1194edcf75 feat(projects): list + create API and creatable ProjectAutocomplete (T4)
- GET /api/projects returns the shared global list; POST /api/projects
  creates a project, deduped case-insensitively (F3).
- Repository find-or-create trims and matches on lower(name); a unique index
  on lower(name) enforces the same rule at the DB (replacing the case-
  sensitive column unique constraint) — migration 0001.
- ProjectAutocomplete: creatable autocomplete that lists projects, offers to
  create an unknown name inline, and selects it without reload.
- Integration test (dedupe/list against Postgres) + component test.
2026-05-27 23:28:03 +02:00
Julien Calixte
c13f3deeff chore: scaffold Nuxt 4 app with Postgres, tooling and health route
Nuxt 4 (app/ structure) + TypeScript, ESLint, Vitest + @nuxt/test-utils,
Drizzle + pg, a /api/health route with a DB ping, and a dev docker-compose
(app + Postgres). Verified: pnpm test, lint, and build pass; the built
server answers /api/health.
2026-05-27 22:16:46 +02:00