48 check-ins
|
2026-03-06
| ||
| 21:37 | Add rstash.cloud infrastructure and update site for release distribution Pulumi + Caddy infrastructure for deploying the static site to a DigitalOcean droplet. Restructure Taskfiles: site tasks moved to site/Taskfile.yml, infra tasks in infra/Taskfile.yml, both included from root. Release task updated for cross-platform compatibility with per-command env vars. Add unversioned task for pushing binaries to Fossil. Fix download URLs to use Fossil /uv/ paths. Add screenshots section with lightbox to the marketing site. Update getting-started docs to reference fossil clone instead of git. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Leaf check-in: 0fc9021863 user: curti tags: trunk | |
| 19:40 | Rewrite README to match current project state Remove references to deleted CLI commands (init, user, config, audit, doctor), web mode gating, and env vars that are now runtime settings. Document the setup wizard flow, minimal CLI (serve/env/check), TLS configuration, and link to the new Fossil repository. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 7432a7d8da user: curti tags: trunk | |
| 19:27 | Rename gosilo to rstash Rebrand the project from gosilo to rstash. Replace all three case variants (GOSILO→RSTASH, Gosilo→rstash, gosilo→rstash) across Go source, templates, CSS, docs, build config, and site sources. Update the code host URL from code.lag.dev/gosilo to fossil.klutch.software/rstash. Go module is now "rstash", env var prefix is RSTASH_*, binary output is rstash.exe. Breaking changes: all GOSILO_* env vars become RSTASH_*, cookie names change (sessions invalidated), default DB filenames change, binary name changes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: c3ab97ec2b user: curti tags: trunk | |
| 18:20 | Update documentation to reflect simplified CLI and setup flow Rewrite all Astro site docs and CLAUDE.md to match the current state of the app. Remove references to deleted CLI commands (init, user, config, doctor, audit, licenses), GOSILO_WEB_MODE, and gosilo serve. Document the new setup wizard, gosilo env, and gosilo check. Update the landing page quickstart section. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 4a897d01aa user: curti tags: trunk | |
| 18:02 | Simplify CLI, remove web mode, add setup review page Add gosilo env and gosilo check commands. Remove GOSILO_WEB_MODE setting and always serve the full web UI. Consolidate blob store initialization into blob.OpenStore(). Fix pre-existing CSRF bug in setup handler. Add a settings review step to the setup wizard that shows database and storage backend types with warnings when using SQLite defaults. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: d274fe7fd8 user: curti tags: trunk | |
| 17:20 | Merge simplify branch to trunk Integrate the simplify branch which removes ~4,300 lines of Go code. Strips the JSON admin API, CLI subcommands, old file browser, admin help viewer, and legacy redirects. The server is now managed entirely through the web UI — just run gosilo to start. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 6a30ffe643 user: curti tags: trunk | |
| 16:54 | Remove JSON API, CLI subcommands, old file browser, and admin help viewer Strip ~4,300 lines of Go code (18k → 13.7k): - Remove entire JSON admin API (json_api.go, json_api_docs.go, generated.go, openapi.yaml, oapi-codegen config, redoc.standalone.js) - Remove CLI subcommands: user, audit, config, doctor, init, env, licenses (gosilo now just runs the server — all management via web UI) - Remove old /files/ and /settings/ handlers (replaced by /~username/ profile) - Remove admin CLI help viewer (admin_help.go, cmdinfo package) - Remove legacy URL redirects (/files/*, /settings, admin user redirects) - Remove deprecated Routes() wrapper (use FullRoutes directly) - Remove json_api setting from config, settings, and settingdef - Remove oapi-codegen/runtime dependency - Move shared types (tokenRow, sessionRow, breadcrumb, fileItem, etc.) into profile.go where they are used All tests pass. Build clean. Leaf check-in: a1c225afd5 user: curti tags: simplify | |
| 16:42 | Create new branch named "simplify" check-in: b685431864 user: curti tags: simplify | |
|
2026-03-05
| ||
| 17:17 | Add CSRF protection to pre-auth forms and reduce metrics DB contention Pre-auth POST routes (login, setup, register, abuse report) now have CSRF protection via double-submit cookies — a gosilo_csrf HttpOnly cookie is set on every request and validated against the csrf_token form field. Session-based CSRF continues to be used for authenticated routes. Metrics gauge updater now runs all DB reads in a single transaction, acquiring the connection once instead of competing for it 4 separate times. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 92889fc9eb user: curti tags: trunk | |
| 16:32 | Harden server for production: health endpoint, body limits, session security Add GET /health endpoint that pings the database and returns 200/503 for load balancer probes. Add 1MB request body size limit middleware for all non-upload POST routes to prevent memory exhaustion. Add PRAGMA busy_timeout=5000 to both metadata and blob SQLite databases to handle lock contention gracefully. Add blob store pool settings (MaxOpenConns=1) to the blob SQLite backend. Terminate all user sessions on admin status toggle and account re-enable; regenerate session token on password change. Add blob consistency check to doctor command comparing blob store count against metadata document nodes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 2b31ca6d3b user: curti tags: trunk | |
| 16:06 | Add panic recovery, DB connection pooling, and eliminate blob double-buffering Add Recovery middleware that catches panics, logs stack traces, and returns 500. Configure database connection pool parameters (SQLite: single conn, network DBs: 25 open / 5 idle / 5m lifetime). Change blob.Store.Put from io.Reader to []byte to eliminate a redundant io.ReadAll copy in every blob backend — the caller (storage.Service) already buffers the full content for ETag computation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 2e870a2910 user: curti tags: trunk | |
|
2026-03-04
| ||
| 23:43 | Replace init --profile with interactive setup questions and add site docs Remove the opaque --profile flag (personal/team/hardened) from gosilo init and replace it with two direct yes/no prompts: public registration (default no) and rate limiting (default yes). Non-interactive mode uses the same defaults. Add promptYesNo() helper to prompt.go. Add Astro-based documentation site with getting-started, setup, CLI reference, configuration, deployment, and web-ui pages. Add site build/deploy tasks to Taskfile and ignore site/dist/. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 5d2148ef9d user: curti tags: trunk | |
| 20:09 | Enforce path and username validation per remoteStorage spec Add spec-compliant storage path validation (ValidatePath) that checks for null bytes, empty segments, literal "." and ".." segments, and a 512-char limit — replacing the overly broad substring check that rejected valid filenames like "my..file.txt". Add centralized username validation (ValidateUsername) with lowercase normalization, applied consistently across CLI, web UI, JSON API, and registration flows. Normalize WebFinger subject to lowercase. Ticket: [0ac707dc99] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 07081dacf7 user: curti tags: trunk | |
|
2026-03-03
| ||
| 23:24 | Add third-party license display (CLI + web) Collect open source dependency licenses at build time and embed them into the binary. Add gosilo licenses CLI command with table, --json, and --module output modes. Add public /legal/licenses web page with collapsible license texts. The build-time collector uses go mod download and go list to scan 184 dependencies, classifying licenses by keyword matching with manual override support. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 3830bdeab2 user: curti tags: trunk | |
| 22:23 | Redesign OAuth consent screen and ignore client_id per RS spec Redesign the consent UI with an identity card, pill-style read/write scope indicators, and a dedicated redirect section. Remove all client_id query parameter usage from the authorize flow — the server now derives client identity solely from the redirect_uri origin per draft-dejong-remotestorage-26, preventing spoofing of trusted domains in the consent screen. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: b93d76a609 user: curti tags: trunk | |
| 19:57 | Add GORM ORM migration and S3-compatible blob storage backend Replace database/sql with GORM ORM across the entire codebase, enabling multi-dialect support (SQLite, PostgreSQL, MySQL, SQL Server). All DB access now goes through *db.Repository wrapping *gorm.DB. Schema is managed by GORM AutoMigrate. Add GORM-based blob store for non-SQLite database backends. Add S3-compatible blob storage backend using minio-go, supporting AWS S3, MinIO, DigitalOcean Spaces, Backblaze B2, and any S3-compatible service. DSN format: s3:bucket?region=...&endpoint=...&prefix=... Bucket must exist before server start. Credentials via DSN params or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env vars. Update README with blob store DSN table, S3 configuration section, and provider examples. Add CONTRIBUTING.md with dev setup, integration test instructions, and MinIO smoke testing guide. Ticket: [0513575de4] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 65fd232242 user: curti tags: trunk | |
|
2026-02-27
| ||
| 21:12 | Improve dashboard/files UX and add admin activity feed Dashboard and search file links now navigate to the parent folder with an anchor highlight on the target file row, so users land in context instead of downloading the file directly. Removed the duplicated RS Address section from the dashboard (lives on Settings) and the Storage meter from Settings (lives on Dashboard). The public/ module shows a globe icon in root listings and a warning banner when browsing public paths. The admin overview page now includes a recent activity feed showing the last 15 audit entries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 3494f56bc9 user: curti tags: trunk | |
| 20:51 | Enforce public_writes in web UI, move log level to Monitoring, track session IPs Add a public_writes setting (on/off) that controls writes to /public/ paths. When off, the storage API rejects PUT/DELETE with 403 and the web file browser replaces the upload form with a hint message. Server-side guards prevent bypassing the hidden form via crafted POST. Move the log_level setting from the "Access" group to "Monitoring" where it belongs alongside metrics_mode and log_file. Add an ip column to the sessions table so each login records the client IP. The activity feed on user profiles now shows "Logged in from <ip>" instead of just "Logged in". Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 8ae6800218 user: curti tags: trunk | |
| 20:23 | Add "approval" registration mode Users can self-register when the server is in approval mode, but their accounts remain pending until an admin approves them. Unapproved users are blocked from login, OAuth token exchange, and storage API access. Admins can approve or reject pending users from the web UI, JSON API, or CLI. Switching from approval to open mode auto-approves all pending users. All existing users are unaffected (approved by default). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: fe86333983 user: curti tags: trunk | |
| 19:10 | Add instance safety features: legal pages, abuse reporting, content scanning, TLS autocert Introduce a comprehensive set of safety and compliance features for self-hosted instances. TOS and Privacy Policy pages are configurable (off/text/url) with registration acceptance checkboxes. An abuse reporting system lets visitors report content, with admin review workflow and open-report counts in the admin nav. Disabled user accounts are now fully blocked at the API and OAuth token exchange layers, with all tokens and sessions revoked on disable. A pluggable content scanner rejects uploads matching blocked MIME types. TLS supports auto mode via Let's Encrypt autocert. The doctor command gains TLS and legal settings consistency checks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 36a73e8d7d user: curti tags: trunk | |
| 17:00 | Refine dashboard layout with two-column grids and largest files pane Simplify the Recent Files table to show just filename and date instead of full path, size, type, and date. Add a Largest Files pane alongside it. On wide screens (768px+), both the RS Address/Storage section and the Recent/Largest Files section display side-by-side via CSS grid. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 64f5d467f9 user: curti tags: trunk | |
| 16:48 | Consolidate user routes under /~{username}/ and enrich dashboard Unify all user-facing pages (dashboard, settings, files, search) under a single /~{username}/ route prefix, replacing separate /home, /files, /settings, and /admin/users/{id} paths. Admins can now view any user's profile at /~{username}/ with extra admin controls. Enrich the user dashboard: replace the Data Modules table with a Recent Files table (always shown, with linked paths), add a quick-reference card showing the remoteStorage address and WebFinger URL, and add a stats summary with connected apps count and active sessions. Remove the embedded Scalar API docs viewer in favor of the lighter ReDoc bundle. Add favicon and web manifest assets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 9eb3f9c32f user: curti tags: trunk | |
|
2026-02-26
| ||
| 18:29 | Improve file browser UX and add glob search Redesign the file browser with inline folder creation (including sub-folders), streamlined upload in the table footer, and a fixed-layout table with truncation for long names. Add glob pattern support (* and ?) to file search, falling back to substring matching for plain queries. Infer MIME types from file extensions on upload when the browser sends application/octet-stream. Enable case-sensitive LIKE across all SQLite databases for correct path prefix queries. Add conditional API Docs link to admin nav. Ticket: [954a315c08] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: a76e563aad user: curti tags: trunk | |
| 13:00 | Use oapi-codegen to enforce spec-code parity for JSON API Generated ServerInterface from the OpenAPI spec provides a compile-time guarantee that handler signatures match the spec. Routing is now generated via HandlerWithOptions instead of hand-maintained route tables. Spec downgraded to OpenAPI 3.0.3 for oapi-codegen compatibility (functionally identical). Per-route JSONApiGuard replaced with a single global middleware. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: d03bab7062 user: curti tags: trunk | |
| 12:48 | Add JSON management API, admin log viewer, and metrics mode setting Programmatic admin API at /json/* with 14 endpoints for user management, configuration, and audit log access. OpenAPI 3.1 spec with embedded Scalar docs UI. Runtime-editable json_api setting (off/admin) and metrics_mode setting (public/admin/off). Log file support with admin log viewer at /admin/logs. Reset button cleanup in settings template. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 35368974e1 user: curti tags: trunk | |
|
2026-02-25
| ||
| 21:18 | Add refresh tokens, token revocation, Prometheus metrics, and login tracking OAuth refresh token support with rotation and configurable lifetime. RFC 7009 /oauth/revoke endpoint with cascading token cleanup. Prometheus metrics at /metrics (admin-only): HTTP request counters, storage/session/token/user gauges, and disk space monitoring. User last-login timestamp and IP tracking shown in admin UI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 39a4beb5ad user: curti tags: trunk | |
| 01:54 | Add Fossil-inspired introspectable admin pages Single-source setting registry (SettingDef) eliminates duplicated metadata across 5+ files. Admin settings page now renders as grouped two-column cards with each setting name linking to an auto-generated documentation page. CLI command reference pages at /admin/help are built from cobra's command tree. Env vars stripped from runtime-editable settings — only boot-critical settings (addr, base_url, DSNs, TLS, log_level, web_mode) retain env var support; everything else uses sane defaults managed via CLI or admin UI. Enriched Long descriptions on all CLI subcommands. Site width set to 58rem. Header nav items vertically centered with login/logout anchored right. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 49c1f31b96 user: curti tags: trunk | |
| 01:06 | Implement post-refactor roadmap (M1-M4) Security hardening: remove invite mode references, add default OAuth token expiry with configurable lifetime, add CSP and conditional HSTS headers, set Secure cookie flag over HTTPS, enforce admin auth via middleware instead of per-handler checks. Audit completeness: extend audit logging to storage API, auth events, CLI operations, and OAuth grants. Add 48 HTTP-level protocol compliance tests covering storage, token exchange, and WebFinger. Expand doctor command from 5 to 11 health checks. CLI polish: add --json output to all data commands, add --password flag for non-interactive user management, add CLI test suite (17 tests), add help examples and command grouping, implement consistent exit codes. Deployment: add --profile flag to init (personal/team/hardened presets), enhance OAuth consent screen with scope descriptions and root-scope warning, add optional built-in TLS support, add cross-compilation release task and multi-stage Dockerfile. Ticket: [a066203cd0] Ticket: [ee41c90b7e] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: bcffbf126b user: curti tags: trunk | |
|
2026-02-24
| ||
| 23:29 | Refactor to CLI-first architecture with Cobra Remove invite codes — registration is now open or closed only. Separate metadata and blob storage into independent SQLite files using connection-string DSN config (GOSILO_DB, GOSILO_BLOB). Add web mode gating (full/oauth/off) via GOSILO_WEB_MODE. Replace the ad-hoc command dispatch in main.go with a full Cobra CLI providing init, user, config, audit, and doctor commands. Update README to reflect the new CLI-first workflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 2120bab3c4 user: curti tags: trunk | |
| 22:46 | Add runtime settings and split admin into focused sub-pages Introduce a settings table and internal/settings package that lets admins change registration mode, log level, rate limits, quotas, and upload size from the web UI without restarting the server. Changes propagate via OnChange callbacks to the rate limiter, quota checker, and slog level. Break the monolithic admin page into 6 sub-pages (overview, users, settings, invites, audit log, OAuth test) with a shared horizontal sub-nav. Each handler now only queries the data it needs, and POST actions redirect to their relevant sub-page. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: e860de4ea3 user: curti tags: trunk | |
| 21:04 | Add flash error styling, responsive tables, and module creation Distinguish success vs error flash messages with FlashData struct and alert-error CSS class. Make all admin/settings/files tables responsive on mobile with data-label attributes and hidden bulk checkboxes. Add create-module form at file browser root with CreateFolder storage method, blocking uploads to root. Fix settings page to show hostname instead of full URL in user address and WebFinger fields. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: e9e8d9571c user: curti tags: trunk | |
| 19:17 | Add admin user management, audit logging, settings page, and file browser enhancements Four-phase QoL improvement: admin can now create users, toggle admin/disabled status, and manage per-user sessions. All admin actions are recorded in an audit log with analytics (active users, top users by storage). User-facing settings extracted to a dedicated /settings page with session management. Dark mode support via CSS custom properties with manual toggle. File browser gains upload (multipart + drag-and-drop), search, and bulk delete operations. Mobile navigation improved with hamburger menu. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: fd6df9acf9 user: curti tags: trunk | |
| 18:44 | Add OAuth PKCE code flow, upload limits, and security hardening Implement the OAuth 2.0 authorization code flow with PKCE (S256) alongside the existing implicit grant. New authorization_codes table, token exchange endpoint at POST /oauth/token, and a PKCE-capable CLI upload tool (cmd/rs-upload-pkce). Add configurable max upload size (GOSILO_MAX_UPLOAD, default 50 MB) enforced via http.MaxBytesReader. Harden the HTTP server with security response headers and read/write/idle timeouts. Block invite code creation when registration mode is closed, showing an explanatory message in the admin UI. Change the default registration mode from closed to invite. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 302ee42b2c user: curti tags: trunk | |
| 16:57 | Consolidate UI into fewer pages with minimal stylesheet Replace the multi-page admin and settings UI with consolidated single-page views: user dashboard at / (storage meter, modules, connected apps, activity, account info, inline password change) and combined admin page at /admin (server stats, users, invites, OAuth test). Adopt a minimal ~175-line CSS stylesheet with system-ui fonts, max-width 64ch, native <meter>, and simple tables. Extract header/footer into reusable template partials. Remove 6 old templates and 5 GET routes (/settings, /settings/password, /admin/users, /admin/invites, /admin/oauth-test). Fix OAuth test callback URL to point to /admin. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 917869261d user: curti tags: trunk | |
| 15:06 | Add per-user and global storage quota enforcement Configurable via GOSILO_QUOTA_MODE (off/total/user), GOSILO_QUOTA_TOTAL, and GOSILO_QUOTA_USER. Per-user overrides settable by admin. Enforced on PUT with HTTP 413 response, using mutex to prevent race conditions. Admin dashboard and user list show storage usage and quota info. Settings and home pages display quota progress bars when user mode is active. Ticket: [5479192965] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: a7d7308550 user: curti tags: trunk | |
| 14:32 | Add project README Document features, installation, configuration, CLI usage, development commands, and project architecture. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 9cf0e013f1 user: curti tags: trunk | |
| 14:26 | Add per-IP rate limiting middleware Token bucket rate limiter with configurable rate (GOSILO_RATE_LIMIT, default 10 req/s) and burst (GOSILO_RATE_BURST, default 20). Returns 429 with Retry-After header when limits are exceeded. Background goroutine sweeps stale entries every 5 minutes. Set GOSILO_RATE_LIMIT=0 to disable entirely. Ticket: [3dc1077a37] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: d3c68c09c4 user: curti tags: trunk | |
| 14:11 | Add CLI subcommands, config validation, and filesystem blob backend Add a lightweight CLI with serve (default), env, version, and help subcommands. Config.Validate() now checks all env vars at startup and reports every error at once via errors.Join, so previously-silent misconfigurations (e.g. GOSILO_LOG_LEVEL=trace) cause immediate failure with clear messages. The env command generates a documented .env template. Implement blob.Store backed by the local filesystem (GOSILO_BLOB_BACKEND=fs), storing blobs at GOSILO_BLOB_PATH/{user_id}/{path}. Generalize the Store interface with Querier-aware methods and wire up backend selection in main.go. Ticket: [d7f1f3901d] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 2df306d388 user: curti tags: trunk | |
| 13:42 | Refactor handler package into api, web, and auth packages Split internal/handler/ (16 files) along its natural architectural seam: internal/api/ for remoteStorage protocol handlers (storage, WebFinger, CORS, scope checking, request logging) and internal/web/ for server-rendered UI handlers (login, setup, admin, files, OAuth authorize) with session middleware and CSRF. Extract internal/auth/ as a service interface wrapping user, session, and invite operations. Consolidate duplicate randomHex helpers into a single exported function. Add shared node scan helpers in db package. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 4a542efc14 user: curti tags: trunk | |
| 03:26 | Add account dashboard, folder sizes, and recursive folder delete Home page now shows an account overview for logged-in users: storage stats, per-module breakdown with file counts and sizes, and a recent activity feed (file changes, logins, OAuth grants) with timestamps displayed in the user's local timezone. Logged-out visitors see server info with registration mode and login/register links. File browser now shows recursive total size for folders and supports deleting entire folders with all their contents via a single transactional operation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: d47df65e9f user: curti tags: trunk | |
| 03:09 | Add web file browser and CLI upload tool File browser at /files/ lets authenticated users browse folders, download documents, and delete files from their storage. Upload is intentionally omitted from the web UI — the new rs-upload CLI tool (cmd/rs-upload) handles file upload via the full remoteStorage client flow: WebFinger discovery, OAuth implicit grant through the browser, and PUT to the storage API. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 285d5d1a59 user: curti tags: trunk | |
| 01:59 | Add CORS middleware and remove OpenAPI docs endpoint Replace scattered inline CORS headers in storage, WebFinger, and docs handlers with a single CORS middleware applied at the route level. The middleware sets all headers required by the remoteStorage spec (Allow-Origin, Allow-Methods, Allow-Headers including Content-Length and X-Requested-With, Expose-Headers, Max-Age) and handles OPTIONS preflight. WebFinger route drops its GET method restriction so preflight requests reach the middleware. OAuth token endpoint also gets CORS wrapping. Remove the Redoc documentation page (/docs/) and embedded OpenAPI spec (api/openapi.yaml, handler/docs.go). Ticket: [61846f2da7] Ticket: [d52d8dcd7e] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 79601a0905 user: curti tags: trunk | |
| 01:51 | Add account settings page with password change and token management Users can now change their password (with current-password verification and session invalidation) and view/revoke OAuth tokens granted to applications. Settings link added to the nav bar for authenticated users. Ticket: [787e17dfa7] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: dae9ffae60 user: curti tags: trunk | |
| 01:38 | Implement web UI, auth system, and OAuth 2.0 (Batch 2) Add complete server-rendered web UI with setup wizard, login/logout, registration (open/invite/closed modes), and admin dashboard with user management, invite codes, and OAuth test client. Implement OAuth 2.0 implicit grant flow with a polished consent screen that shows requested permissions before login, Bearer token auth on the storage API with scope enforcement and ownership checks, and public path access for /public/ documents without auth. Add request logging middleware, session management with CSRF protection, and hourly cleanup of expired sessions and tokens. Ticket: [d9adc8d738] Ticket: [cf7b29035d] Ticket: [68644e33b8] Ticket: [ce77f3e72a] Ticket: [17d51bd70c] Ticket: [778d491fd2] Ticket: [70f4913420] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: fc60943ad0 user: curti tags: trunk | |
|
2026-02-23
| ||
| 22:26 | Implement storage API and user management (Batch 1) Add full remoteStorage document CRUD (PUT/GET/DELETE/HEAD) with ETag-based conditional requests, JSON-LD folder listings, folder ETag propagation, and user management with bcrypt passwords. Includes transactional blob+node operations, OpenAPI spec with Redoc docs at /docs/, and 13 passing tests. Ticket: [138328530b] Ticket: [30bea76b00] Ticket: [d379cc9bdd] Ticket: [0320a2c670] Ticket: [da767a2917] Ticket: [ec009d6d26] Ticket: [845c1dc401] Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 47e0fc9226 user: curti tags: trunk | |
| 21:25 | Add initial remoteStorage server implementation Core project structure with HTTP server, SQLite-backed storage, WebFinger discovery, OAuth stubs, and storage API routing. Includes embedded web UI templates, Taskfile for build/test/run, and CLAUDE.md project documentation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> check-in: 84fe6896d5 user: curti tags: trunk | |
| 21:22 | Setup basic fossil settings check-in: ca6aee0860 user: curti tags: trunk | |
| 21:20 | initial empty check-in check-in: 3c65c57711 user: curti tags: trunk | |