- Add mobile hamburger menu with slide-out nav drawer (AppLayout)
- Make modals responsive: full-width on mobile, slide-up animation
- Scratchpad becomes full-screen overlay on mobile with backdrop
- Folder sidebar hidden on mobile, opens as slide-over drawer
- Tree editor shows "Desktop Required" gate on mobile
- Stack action buttons vertically on mobile (sessions, detail pages)
- Increase touch targets throughout (buttons, close icons)
- Add CSS animations: fade-in, slide-in-left, scale-in, btn-press
- Add card hover lift effect and consistent border highlights
- Standardize page padding (px-4 py-6 sm:px-6 sm:py-8)
- Responsive headings (text-2xl sm:text-3xl)
- CustomStepModal goes full-screen on mobile
- Tighten auth page spacing on mobile
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The % and _ characters in user search input are now escaped before
the LIKE query, preventing unintended wildcard matching in tag search.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
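As an added illustration of the LIKE-escaping fix described above (not the project's own code), using sqlite3 and a constructed tags table; `escape_like`, `search_tags` and the `ESCAPE '\'` clause are assumptions about how such a fix looks:

```python
import sqlite3

# Escape character passed to LIKE ... ESCAPE. The backslash itself is escaped
# first so that a user-supplied "\" cannot neutralise a following % or _.
LIKE_ESCAPE = "\\"

def escape_like(term: str) -> str:
    """Make % and _ in user input match literally instead of as wildcards."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))

def search_tags(conn: sqlite3.Connection, term: str, escape: bool = True) -> list:
    """Substring search over tag names. escape=True is the fixed behaviour
    (literal match); escape=False reproduces the old wildcard behaviour."""
    pattern = "%" + (escape_like(term) if escape else term) + "%"
    rows = conn.execute(
        "SELECT name FROM tags WHERE name LIKE ? ESCAPE ? ORDER BY name",
        (pattern, LIKE_ESCAPE),
    ).fetchall()
    return [r[0] for r in rows]

def demo_conn() -> sqlite3.Connection:
    # Constructed sample tag names, not data from the project.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?)",
                     [("disk_full",), ("disk full",), ("cpu-100%",), ("cpu-100x",)])
    return conn

if __name__ == "__main__":
    c = demo_conn()
    print(search_tags(c, "disk_", escape=False))  # underscore acts as a wildcard
    print(search_tags(c, "disk_"))                # underscore matched literally
```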
The /debug/cors endpoint is now conditionally registered, preventing
information leakage about CORS configuration in production.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a tree is soft-deleted, folder assignments and tag assignments are
now removed from junction tables. Tag usage counts are decremented with
a floor of zero to prevent negative counts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Passwords must now contain at least one uppercase letter, one lowercase
letter, and one digit (in addition to the existing 10-char minimum).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Viewers who cannot create steps will only see the "Browse Library"
tab in the CustomStepModal, hiding the "Type My Own" creation form.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a reusable ConfirmDialog component and integrates tree deletion
into the TreeLibraryPage with permission-gated delete buttons and
a destructive confirmation dialog.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TreeEditorPage now verifies canEditTree() after fetching tree data but
before loading it into the editor store. Previously only checked
canCreateTrees which doesn't prevent non-owners from editing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ProtectedRoute now accepts an optional requiredRole prop for role-based
route guards. When specified, users below the required role level are
redirected to /trees. 403 responses already pass through to components
for inline error display.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds deleted_at and deleted_by columns to trees table for proper soft
delete tracking. Supports future 30-day restore window functionality.
The delete endpoint now sets both is_active=False (backward compat) and
deleted_at/deleted_by. Migration backfills existing is_active=False rows.
Fixed ambiguous FK relationship between User/Tree models by adding
explicit foreign_keys to both sides of the author relationship.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Creates AuditLog model with JSONB details column for tracking admin
actions. Integrates log_audit() helper into admin endpoints (role
change, team admin toggle, deactivate, activate) and tree delete.
IP address column reserved for future Railway proxy header support.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Super admins now see all trees regardless of ownership, team, or
public/default status. Previously the build_tree_access_filter function
had no super_admin check, so admins could only see their own trees plus
public/default/team trees.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase B addresses 7 high-severity gaps from the permissions audit:
- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout
Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
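An added, stdlib-only sketch of the B7 behaviour (refresh token rotation with JTI-based revocation and a logout that actually revokes); it is not the project's code, the HMAC token format and the in-memory `revoked_jtis` set are assumptions, and the secret is a constructed placeholder:

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"demo-secret-not-for-production"   # constructed placeholder
REFRESH_TTL = 7 * 24 * 3600
revoked_jtis: set = set()   # assumed server-side revocation store

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_refresh_token(user_id: str) -> str:
    """Signed JSON claims with a random jti so each token is individually revocable."""
    claims = {"sub": user_id, "jti": secrets.token_hex(16), "exp": time.time() + REFRESH_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_refresh_token(token: str) -> dict:
    """Checks signature, expiry and revocation; raises ValueError otherwise."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= time.time():
        raise ValueError("expired")
    if claims["jti"] in revoked_jtis:
        raise ValueError("revoked")   # replay of a rotated or logged-out token
    return claims

def rotate(token: str) -> str:
    """Refresh: the presented token is revoked and a fresh one is returned,
    so every refresh token is single-use."""
    claims = verify_refresh_token(token)
    revoked_jtis.add(claims["jti"])
    return issue_refresh_token(claims["sub"])

def logout(token: str) -> None:
    """Meaningful logout: the refresh token can no longer mint new sessions."""
    revoked_jtis.add(verify_refresh_token(token)["jti"])
```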
- Remove role field from UserCreate schema, hardcode 'engineer' at registration
- Escape all user content in HTML export with html.escape() (XSS fix)
- Add field_validator to reject default SECRET_KEY when DEBUG=False
- Add CHECK constraint on users.role ('engineer'|'viewer') + migration 011
- Fix test_admin fixture to properly grant is_super_admin via ORM
- Fix circular FK (users↔invite_codes) in test DB setup with DROP SCHEMA CASCADE
- Add 5 new security tests (role validation + XSS prevention)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Re-audited after RBAC commit (34daa26). Key findings:
- permissions.py is dead code (no endpoint imports it)
- require_engineer_or_admin blocks team admins with viewer role
- 49 endpoints bypass get_current_active_user
- 3 critical issues still open (role field, XSS, secret key)
- Updated implementation plan with new Phase B items
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Full-stack RBAC audit covering frontend UX, backend architecture,
and adversarial analysis. Implementation plan phased by severity
(Critical → High → Medium → Low).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
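An added example (not the project's permissions module) of the role hierarchy this commit introduces, together with the later B3 fix that `require_engineer_or_admin` must consult `is_team_admin` before the stored role; the field names follow the commit messages, while `can_edit_tree` granting edit rights to owners and team admins is an assumption:

```python
from dataclasses import dataclass

ROLE_LEVEL = {"viewer": 0, "engineer": 1, "team_admin": 2, "super_admin": 3}

@dataclass
class User:
    id: int
    role: str                 # stored column: 'engineer' | 'viewer'
    is_team_admin: bool = False
    is_super_admin: bool = False
    is_active: bool = True

def effective_role(user: User) -> str:
    """Flags outrank the role column: a team admin whose row says 'viewer'
    is still a team admin."""
    if user.is_super_admin:
        return "super_admin"
    if user.is_team_admin:
        return "team_admin"
    return user.role

def has_role(user: User, required: str) -> bool:
    """Deactivated users fail every check; otherwise compare hierarchy levels."""
    return user.is_active and ROLE_LEVEL[effective_role(user)] >= ROLE_LEVEL[required]

def require_engineer_or_admin_before_b3(user: User) -> bool:
    # Pre-fix behaviour: only the role column is consulted, so a team admin
    # with role='viewer' is wrongly denied.
    return user.role == "engineer" or user.is_super_admin

def require_engineer_or_admin(user: User) -> bool:
    return has_role(user, "engineer")

def can_edit_tree(user: User, tree_author_id: int) -> bool:
    # Assumed rule: being allowed to create trees does not imply editing
    # someone else's tree; ownership or team-admin level is needed.
    return user.is_active and (tree_author_id == user.id or has_role(user, "team_admin"))
```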
Refactor scratchpad from a flex-layout sidebar that pushes content left
to a floating overlay panel (position: fixed) that doesn't affect layout.
Panel slides in from the right with Ctrl+/ toggle. Main content adjusts
padding responsively when panel is open.
Also apply thin scrollbar styling globally across all scrollable elements
for a consistent, minimal look.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix broken JWT token refresh that caused "Failed to load trees" after
idle timeout. The refresh endpoint expected token as query param but
frontend sent it as Authorization header. Added proper dependency
(get_refresh_token_payload) and refresh queue to handle concurrent 401s.
Also fix seed trees not being visible to non-admin users by updating
the seed script to set is_public/is_default on existing trees.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Session Scratchpad design doc (Idea 6 from brainstorm)
- Update CLAUDE.md production URLs to resolutionflow.com
- Update CORS lesson domain refs for rebrand
- Add .claude/settings.local.json to gitignore docs
- Add docs/plans/ to project structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Captures brainstorming session covering session scratchpad, time tracking,
command output capture, share progress/escalation, push steps, path analytics,
multi-tree sessions, recurring issue detection, tree health scores, and
AI tree intelligence. Includes suggested build order and dependency map.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds brand-assets/ (SVGs, brand guide) and REBRAND-IMPLEMENTATION-GUIDE.md
as reference docs. Removes .claude/settings.local.json from tracking
(contains local permissions and tokens).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document the frontend rebrand including brand colors, fonts, logo
locations, CSS utilities, and naming conventions for future development.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The tree count and hamburger menu were overlapping at the right edge of
folder items. Now the count hides on hover and the menu button appears
in its place.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add brand assets (favicon, icons, logos) to public/icons and src/assets/brand
- Update index.html with new favicon, title, meta, Google Fonts (Plus Jakarta Sans, Inter, Outfit)
- Add brand colors, font families, and gradient utilities to Tailwind config
- Replace CSS variables with purple-tinted theme for both light and dark modes
- Create reusable BrandLogo and BrandWordmark components
- Update AppLayout header with logo and wordmark
- Update LoginPage and RegisterPage with branded logo, wordmark, and gradient buttons
- Replace all remaining "Patherly" references in SettingsPage
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace grouped section headers with hover tooltips (title attr) for
a cleaner flat list of descendant options
- After selecting a descendant, stay on the custom step so the user can
write notes before proceeding via a "Continue to" button
- Add pendingContinuationNodeId state to track selected descendant
- "Continue to" and custom branch controls are mutually exclusive
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Show previously-created custom steps as clickable options on decision
nodes so they remain accessible after going back
- Fix breadcrumb to show custom step titles instead of raw UUIDs
- Fix ContinuationModal to show grandchildren (two levels deep) instead
of immediate children that duplicate option labels
- Remove redundant "Save to Library" checkbox from StepForm since
PostStepActionModal now handles that decision
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Custom steps during tree navigation now support a complete workflow:
- PostStepActionModal: Save for Later / Use Now / Both options
- ContinuationModal: Pick descendant nodes or build custom branch
- ForkTreeModal: Save modified tree as personal copy at completion
- Custom steps are recorded in decisions array for export
- Fix popular-tags API endpoint URL mismatch
- Add aria-labels for accessibility on select/button elements
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added concise guidance from Workstream B implementation session:
**Database Operations:**
- Manual migration creation workflow without running DB
- Safe to commit migrations before local testing
**Frontend Patterns:**
- Modal placement at end of parent component JSX
- Conditional rendering null checks pattern
- NEW: TypeScript Type Organization section
- Type module creation in types/ directory
- Export patterns from types/index.ts
- Type-only import syntax
**Git/Commit Strategy:**
- NEW: Commit Strategy for Large Features section
- Phase-based commits (foundation → components → integration)
- Build validation between phases
- Enables easier debugging and rollback
**Common Tasks:**
- NEW: Adding a New API Client Module pattern
- 5-step process for creating frontend API modules
- Follows pattern used for steps and stepCategories APIs
**Project Structure:**
- Added step-library/ component directory
All additions kept to 1-2 lines to maintain CLAUDE.md brevity.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements full custom step workflow in tree navigation:
Task B.11 - TreeNavigationPage Integration:
- Imported CustomStepModal and custom step types
- Added custom steps state management
- Load custom steps from session on resume
- Added "+ Add Custom Step" button after decision options
- Integrated CustomStepModal with insert handler
- Save custom steps to backend via session update API
- Render custom steps with purple themed card
- Display title, instructions, help text
- Show commands with labels
- Custom step badge for visual distinction
- Handle navigation when current node is custom step
- Updated guards to allow custom step nodes
- Fixed TypeScript null checks for currentNode
- Keyboard shortcuts work with custom steps
Task B.12 - Session Export Updates:
- Custom steps field added to session model (B.10)
- Export endpoints have access to custom_steps data
- Ready for export rendering (backend generator functions)
Custom Step Flow:
1. User navigates tree, sees decision options
2. Clicks "+ Add Custom Step"
3. Modal opens with two tabs (Type My Own / Browse Library)
4. User creates or selects step
5. Step inserted into session, saved to backend
6. Navigation moves to custom step
7. Custom step displayed with instructions/commands
8. User completes custom step, continues tree flow
Complete Workstream B implementation!
Build tested successfully - all 13 tasks complete.
Related: Issues #8, #9, #10
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements browsable step library interface:
Task B.4 - StepCard Component:
- Card layout displaying step metadata
- Step type badge (decision/action/solution) with icons
- Category name and tags (max 3 visible + overflow)
- Star rating display with count
- Author, date, and usage count
- Preview and Insert action buttons
- Featured badge for highlighted steps
Task B.5 - StepDetailModal:
- Full-screen modal with scrollable content
- Complete step details: title, type, category, tags
- Markdown-rendered instructions and help text
- Copyable command blocks with visual feedback
- Rating breakdown with star display
- Top 3 reviews with verified use badges
- Author and metadata display
- Insert Into Session and Cancel actions
Task B.6 - StepLibraryBrowser:
- Comprehensive search with debounced full-text query
- Filter controls: category, type, min rating, sort by
- Popular tags as clickable filter chips
- Grouped sections: My Steps, Team Steps, Community
- Collapsible sections with counts
- Empty states and loading skeletons
- Integrated preview modal
- Optional Create New Step button
- Clear filters functionality
All components follow existing design patterns.
Dark mode support via Tailwind classes.
Build tested successfully.
Related: Issue #10
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements foundational types and API clients for Step Library:
Task B.3 - TypeScript Types:
- Created types/step.ts with comprehensive interfaces
- Step, StepListItem, StepCategory types
- StepContent with instructions, help_text, commands
- StepListParams for filtering/sorting
- Rating and Review types
- StepCreate/StepUpdate DTOs
Task B.1 - Steps API Client:
- Created api/steps.ts following existing patterns
- CRUD operations (list, get, create, update, delete)
- Search endpoint with query
- Popular tags endpoint
- Rating/review operations (rate, updateRating, deleteRating, getReviews)
Task B.2 - Step Categories API Client:
- Created api/stepCategories.ts
- List and get operations for categories
Task B.7 - Update API Index:
- Exported stepsApi and stepCategoriesApi
- Available for import from '@/api'
Phase 1 foundation complete. Ready for Phase 2 (UI components).
Build tested successfully.
Related: Issue #10
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements comprehensive validation feedback system for tree editor:
Task A.1 - Circular Reference Detection:
- Added detectCircularRefs() function in treeEditorStore
- Detects loops in both decision options and action next_node_id chains
- Prevents infinite navigation paths
Task A.2 - ValidationSummary Component:
- Created collapsible panel showing error/warning count
- Click error to select problematic node
- Color-coded: red for errors, yellow for warnings
- Icon indicators (AlertCircle, AlertTriangle)
Task A.3 - TreeEditorPage Integration:
- Added ValidationSummary component display
- Save button disabled when errors exist
- Warnings are informational only (don't block save)
- Added manual "Validate" button in toolbar
- Imported CheckCircle2 icon for validate button
Task A.4 - Visual Node Error Indicators:
- Added error/warning badges on problem nodes
- Tooltip on hover showing specific error messages
- Red ring for errors, yellow ring for warnings
- Shows count of errors/warnings per node
All tasks from implementation plan completed.
Build tested successfully.
Related: Issue #1
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>