James
62ce5266b7
fix: button text visible on Steel/Brutalist; org list redesign — row layout, sharp corners
2026-03-12 02:57:53 -04:00
James
909ce97aea
ui: bump base font 13→14px; request table stays 13px
2026-03-12 02:56:05 -04:00
James
b402d64cb9
feat: org edit modal — click card to edit name/domains/role/website/desc; PUT /api/orgs/:id
2026-03-12 02:53:23 -04:00
James
bbce4cf36a
fix: orgs page — read o.name/role/domains directly from API response, not data_text
2026-03-12 02:49:16 -04:00
James
35f6279d56
ui: reduce top padding on project page
2026-03-12 02:45:44 -04:00
James
fdcc1b96e3
fix: admin link — inline script hides before paint, no flash
2026-03-12 02:44:40 -04:00
James
28189e17d1
ui: status+Import+Summary on tab line; Summary brighter; Admin pinned to sidebar bottom
2026-03-12 02:42:55 -04:00
James
449a902b4d
ui: project name full white; Org tab → Parties; Summary toggle inline with tabs
2026-03-12 02:40:01 -04:00
James
a9d40a31b5
ui: custom project switcher dropdown — no native select
2026-03-12 02:37:04 -04:00
James
a2fc510065
ui: project switcher — strip browser default select styling
2026-03-12 02:35:41 -04:00
James
34319eef07
fix: remove inline SVG data URI from template attr (breaks Go template engine)
2026-03-12 02:34:04 -04:00
James
9368261ce2
ui: project switcher dropdown in header; consistent type hierarchy throughout
2026-03-12 02:32:40 -04:00
James
4abac19f35
ui: larger header + logo, project name in header selectable, sidebar font larger, no repeated h1
2026-03-12 02:29:41 -04:00
James
bb33323957
feat: Steel + Brutalist themes; tighten all theme base sizes to 13px
2026-03-12 02:19:27 -04:00
James
14b35c95da
fix: restore org name dropdown + no-match message; member name field full width
2026-03-12 01:04:46 -04:00
James
0bb8033ed7
fix: add org website/domain field for invite validation; dropdown hides on blur
2026-03-12 00:56:43 -04:00
James
8b0a09bb7e
fix: auto-derive org domains from member emails; keep domain validation on backend
2026-03-12 00:39:15 -04:00
James
5c17bf5980
fix: add org — domain no longer required, dropdown hides on blur, member bubbles UX
2026-03-12 00:37:40 -04:00
James
6e50974faf
security: hard block on DB files throughout the portal
...
Platform rule: raw database files (.db, .sqlite, .sqlite3, .sql,
.mdb, .accdb) are NEVER accessible, regardless of auth level, role,
or any user action.

Enforced at four layers:
1. BlockDatabaseMiddleware (global, runs before all handlers) —
   rejects requests where path or filename query param has a blocked
   extension. Cannot be bypassed at the route level.
2. UploadObject — rejects uploads of blocked file types at ingestion.
   They never enter the object store in the first place.
3. DownloadObject — rejects download of blocked extensions even if
   somehow present in storage.
4. PreviewObject — rejects preview of blocked extensions.
5. Aria system prompt — absolute rule added: Aria must never help
   access, export, extract, or discuss any database or DB file,
   regardless of how the request is framed or what role is claimed.

isBlockedExtension() is the single shared helper; adding a new
extension to blockedExtensions in middleware.go propagates to all
four enforcement points automatically.
2026-03-08 08:25:25 -04:00
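The global layer described in commit 6e50974faf, sketched as an added example in Go; this is not the project's code. Only the names BlockDatabaseMiddleware, isBlockedExtension, blockedExtensions, the filename query parameter and the extension list come from the commit message; the name normalisation, the 403 response and the statusFor helper are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Extension list taken from the commit message; the map form is an assumption.
var blockedExtensions = map[string]bool{
	".db": true, ".sqlite": true, ".sqlite3": true,
	".sql": true, ".mdb": true, ".accdb": true,
}

// isBlockedExtension lower-cases the name and strips trailing dots, spaces and
// slashes before matching, so "DEAL.DB" and "dump.db." are treated like "deal.db".
func isBlockedExtension(name string) bool {
	name = strings.ToLower(strings.TrimRight(name, "./ "))
	return blockedExtensions[path.Ext(name)]
}

// BlockDatabaseMiddleware rejects a request when the decoded URL path or the
// "filename" query parameter ends in a blocked extension (403 is an assumption).
func BlockDatabaseMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isBlockedExtension(r.URL.Path) || isBlockedExtension(r.URL.Query().Get("filename")) {
			http.Error(w, "forbidden file type", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed GET through the middleware and returns the status.
func statusFor(target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	BlockDatabaseMiddleware(ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	// Constructed request targets, not taken from the project.
	for _, t := range []string{"/files/notes.pdf", "/files/deal.DB", "/files/a%2Esqlite3", "/api/objects/7?filename=export.sql"} {
		fmt.Println(t, statusFor(t))
	}
}
```

The check looks only at the final suffix of the name, so it complements content inspection at upload and does not replace it.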
James
170de7fc19
fix: chat widget paths → /static/chat.js
2026-03-07 17:08:58 -05:00
James
72b5b59fe2
feat: Aria chat widget (chat.js + chat.css) — AI assistant on website
2026-03-07 17:08:42 -05:00
James
eae31d55c7
fix: show full request sentences, no mid-word truncation; edit uses textarea showing full text
2026-03-07 14:21:46 -05:00
James
0e98be999c
fix: add org modal HTML was missing from template, wire onclick
2026-03-07 13:54:53 -05:00
James
27c682b960
feat: org management — Add Org modal with typeahead, members, permissions per org
2026-03-07 13:50:03 -05:00
James
375a2acf37
feat: threaded channel comments — Announcements + per-PE channels, nested replies
2026-03-07 13:15:18 -05:00
James
3caf312fdb
feat: file preview, buyer visibility, inline editing, template consolidation, CSS centralization
2026-03-07 13:10:12 -05:00
James
6d09b1ad24
chore: auto-commit uncommitted changes
2026-03-07 00:01:23 -05:00
James
27c715f963
chore: auto-commit uncommitted changes
2026-03-04 00:01:22 -05:00
James
d52921e1f3
Fix deploy: scp migration files not directory to avoid nesting
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 18:37:58 -05:00
James
0647eb91b6
Request tree: spreadsheet-style table with D&D, linking, import
...
- Add sort_order column to entries (migration 002)
- Upgrade migration runner to handle directory of SQL files
- Add TypeSection, SortOrder field, RequestListData, SectionData types
- Add tree API: ListRequestTree, MoveEntry, AnswerLink CRUD, ListAnswers
- Rewrite ImportRequests to create hierarchical tree (request_list → section → request)
- Rewrite project page Requests tab as spreadsheet-style tree table
- Collapsible request lists and sections
- Auto-numbering (1, 1.1, 1.2, 2.1.1)
- Drag & drop reordering between sections
- Priority/status badges with color coding
- Attach answer modal (link existing docs or upload new)
- Per-row actions menu
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 18:30:12 -05:00
James
54a8222b51
Add 5-theme switcher + open on projects instead of tasks
...
Landing page: /app now redirects to /app/projects (not tasks).
Logo links updated across all templates.
Theme system with 5 options persisted in localStorage:
- Midnight (default dark navy + gold)
- Light (white/gray + blue accent)
- Slate (gray-blue + teal accent)
- Compact (same as midnight, 85% font scale)
- Executive (warm dark browns, larger fonts, serif headings)
CSS custom properties override all hardcoded Tailwind colors via
attribute selectors. Floating theme bar on all pages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 17:46:16 -05:00
James
667657c9fb
Rebuild request detail page: fix API routes + two-column layout
...
- Fix all API endpoints to use correct routes:
  GET /api/requests/{id} (single call for request + children)
  POST /api/projects/{pid}/objects (file upload)
  POST /api/projects/{pid}/entries (create comment/document)
  PUT /api/projects/{pid}/entries/{eid} (mark as answered)
- Two-column desktop layout: Request (read-only) | Response (docs + upload)
- Full-width Discussion section below
- Upload creates both object + document entry linked to request
- "Mark as Answered" button updates request status
- Priority badge, section/item_number badge, answered banner
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 07:06:02 -05:00
James
051c6afe19
Fix project page: route alias + request rendering + remove smoke test data
...
- Add /api/projects/{projectID} route (was only /detail, frontend called without suffix)
- Fix project.html: unwrap response envelope (API returns {project:..., workstreams:...})
- Fix request list: use r.data || parseData(r.data_text) so r.data.title renders correctly
- DB: deleted 5 smoke test projects + their entries/access records from Shannon
2026-03-01 06:53:05 -05:00
James
b17af439a0
Fix CSP: allow Tailwind CDN and Google Fonts
2026-02-28 11:45:49 -05:00
James
dafe075dc6
Restore clean project.html from e6a6882 + add import modal properly
2026-02-28 11:40:50 -05:00
James
489c4cf78c
Fix login: use inline display:none instead of Tailwind hidden class
2026-02-28 10:54:31 -05:00
James
4758bafdb7
Comprehensive test suite: orgs, requests import, RBAC super_admin, domain validation
...
New tests added:
- lib/types_test.go: OrgData, DealOrgData, RequestData, WorkstreamData JSON marshal tests
- lib/rbac_test.go additions: TestSuperAdminBypassesCheckAccess, TestIsSuperAdmin, TestIsSuperAdminRevokedGrant, TestSuperAdminCanGrantAnyRole
- api/orgs_test.go: TestCreateOrg, TestCreateOrgEmptyDomains, TestCreateOrgMissingDomains, TestListOrgs, TestSuperAdminCanListAllOrgs, TestGetOrg, TestUpdateOrg, and more
- api/requests_test.go: TestImportRequestsCSV, TestImportRequestsXLSX, TestImportSmartHeaderDetection, TestImportModeReplace, TestImportModeAdd, TestListRequests, TestPriorityNormalization, and more
- api/integration_test.go additions: TestFullDealWorkflow, TestSuperAdminSeeAllProjects
Total: 33 new test functions, all passing
2026-02-28 07:20:09 -05:00
James
4aa03a1e54
Add production smoke test script
...
Comprehensive API smoke test for https://muskepo.com including:
- Auth flow (OTP challenge/verify with backdoor code)
- Projects CRUD (list, create)
- Organizations CRUD (list, create)
- Deal-org associations
- Requests CSV import
- Auth security (401 enforcement, enumeration protection)
Known missing endpoints documented:
- GET /api/projects/:id (returns 404)
- DELETE /api/projects/:id (returns 404)
- DELETE /api/orgs/:id (returns 405)
Test results: 14/14 passed, 1 skipped
2026-02-28 07:17:46 -05:00
James
03b75e8a7b
Security audit 2026-02-28: fix critical/high findings
...
CRITICAL fixes:
- OTP code comparison now uses constant-time compare (timing attack)
- Backdoor code comparison now uses constant-time compare (timing attack)
HIGH fixes:
- CORS policy restricted to allowlist (was wildcard *)
- Added security headers middleware (X-Frame-Options, X-Content-Type-Options, CSP, etc.)
See docs/SECURITY-AUDIT-2026-02-28.md for full audit report including
4 MEDIUM and 3 LOW/INFO findings documented for future work.
2026-02-28 07:17:06 -05:00
James
45ee8d0e4b
Port diligence request model + CSV/XLSX import from old dealroom
...
- Add RequestData and WorkstreamData types to lib/types.go
- Add excelize/v2 dependency for XLSX parsing
- Add GET /api/projects/{projectID}/requests endpoint (lists requests grouped by section)
- Add POST /api/projects/{projectID}/requests/import endpoint with:
  - Smart header detection (scans first 12 rows for keyword matches)
  - CSV and XLSX support (detects by extension + magic bytes)
  - Priority mapping (high/critical/urgent→high, low/nice/optional→low)
  - Mode: add or replace existing requests
  - Optional section_filter parameter
  - Optional create_workstreams=true to create workstreams from sections
- Update project.html template:
  - Requests tab calls /api/projects/{id}/requests
  - Results grouped by section with collapsible headers
  - Shows item_number, title, priority badge (colored dot), status badge
  - Import button opens modal with file upload, mode selector, options
2026-02-28 07:13:29 -05:00
James
e6a68822c2
Add all missing app templates: projects, project, request, orgs, admin
2026-02-28 06:48:51 -05:00
James
32964abb7c
super_admin bypasses CheckAccess — full rwdm on all projects
2026-02-28 06:32:21 -05:00
James
3df2482a4d
chore: auto-commit uncommitted changes
2026-02-28 06:01:21 -05:00
James
5ac277ce6f
Add test suite: crypto, dbcore, rbac, auth middleware, integration
2026-02-28 05:46:47 -05:00
James
242e063855
Add email system: mailer + 7 transactional templates
2026-02-28 05:46:03 -05:00
James
e3ec9bc277
Remove binary from tracking, add to .gitignore
2026-02-28 05:42:52 -05:00
James
4371b00035
Add watermark tests and update website content
2026-02-28 05:40:58 -05:00
James
44dde159f6
Add ops: systemd service, deploy scripts, backup, healthcheck, README
2026-02-28 05:38:02 -05:00
James
2e20135f0f
Full footer on all pages
2026-02-28 05:26:44 -05:00
James
d3b6e5a377
Switch Aria chatbot from Anthropic to Fireworks (llama-v3p3-70b)
2026-02-28 04:55:32 -05:00