"Claude Code Review workflow"

"Claude PR Assistant workflow"
2026-01-20 10:55:24 -08:00 · 2026-01-20 10:55:22 -08:00
146 changed files with 4771 additions and 30375 deletions
@@ -7,9 +7,3 @@ dist
 .env
 .DS_Store
 *.log
-backend
-frontend/node_modules
-frontend/dist
-frontend/coverage
-frontend/test-results
-frontend/playwright-report
@@ -0,0 +1,44 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, ready_for_review, reopened]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
+          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+
@@ -0,0 +1,50 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'
+
@@ -108,7 +108,7 @@ jobs:
        run: |
          # Start backend server in background
          cd backend
-          DATABASE_URL="file:${{ github.workspace }}/backend/prisma/e2e-test.db" FRONTEND_URL="http://localhost:6767" npm run dev &
+          DATABASE_URL="file:${{ github.workspace }}/backend/prisma/e2e-test.db" FRONTEND_URL="http://localhost:5173" npm run dev &
          BACKEND_PID=$!
          cd ..
          
@@ -132,7 +132,7 @@ jobs:
          # Wait for frontend to be ready
          echo "Waiting for frontend server..."
          for i in {1..30}; do
-            if curl -s http://localhost:6767 > /dev/null; then
+            if curl -s http://localhost:5173 > /dev/null; then
              echo "Frontend is ready!"
              break
            fi
@@ -1 +0,0 @@
-../../../frontend
@@ -1,69 +0,0 @@
-# Fork Summary
-
-This fork adds optional security features and UX improvements with **zero breaking changes** and **minimal migration overhead**. All security features are **disabled by default** via feature flags.
-
-## Security Features Added
-
-1. **Password Reset** - Token-based password reset flow (`/auth/password-reset-request`, `/auth/password-reset-confirm`)
-2. **Refresh Token Rotation** - Prevents token reuse by rotating refresh tokens on each use
-3. **Audit Logging** - Logs security events (logins, password changes, deletions) for compliance
-
-## UX Improvements Added
-
-1. **Profile Page** - View and edit personal information, change password (`/profile`)
-2. **Select All Button** - Quick selection of all drawings in current view
-3. **Sort Dropdown** - Improved sort controls with icons and separate direction toggle
-4. **Auto-hide Header** - Editor header auto-hides to maximize drawing space (with toggle)
-
-## Backward Compatibility
-
-✅ All security features disabled by default  
-✅ No breaking changes to existing code  
-✅ Graceful degradation (missing tables don't cause errors)  
-✅ Optional database migration  
-
-## Enable Security Features
-
-Set in `backend/.env`:
-```bash
-ENABLE_PASSWORD_RESET=true
-ENABLE_REFRESH_TOKEN_ROTATION=true
-ENABLE_AUDIT_LOGGING=true
-```
-
-Then run migration:
-```bash
-cd backend && npx prisma migrate deploy
-```
-
-## Migration Strategy
-
-**For base project:** Keep features disabled (default) - no migration needed, zero risk.
-
-**For this fork:** Enable features via environment variables when ready.
-
-## Database Changes
-
-Migration adds 3 optional tables (only used when features enabled):
- `PasswordResetToken` - For password reset flow
- `RefreshToken` - For token rotation tracking
- `AuditLog` - For security event logging
-
-## Code Changes
-
-### Backend
- Feature flags in `backend/src/config.ts`
- Conditional logic in auth endpoints
- Graceful error handling for missing tables
- New endpoints: `/auth/profile` (PUT), `/auth/change-password` (POST)
- Audit logging utility (`backend/src/utils/audit.ts`)
-
-### Frontend
- Password reset pages (`/reset-password`, `/reset-password-confirm`)
- Profile page (`/profile`)
- Select All button in Dashboard
- Sort dropdown with icons
- Auto-hide header in Editor with toggle
- Updated API client for token rotation
-
-All changes are backward compatible and optional.
@@ -511,17 +511,6 @@ release-docker: ## Build and push release Docker images
 pre-release-docker: ## Build and push pre-release Docker images
 	./publish-docker-prerelease.sh

-dev-release: ## Build and push custom dev release (usage: make dev-release NAME=issue38)
-	@if [ -z "$(NAME)" ]; then \
-		echo "$(RED)ERROR: NAME parameter is required!$(NC)"; \
-		echo "$(YELLOW)Usage: make dev-release NAME=<custom-name>$(NC)"; \
-		echo "$(YELLOW)Example: make dev-release NAME=issue38$(NC)"; \
-		echo "$(YELLOW)  This will create tags like: 0.3.1-dev-issue38$(NC)"; \
-		exit 1; \
-	fi
-	@echo "$(BLUE)Building custom dev release: $(NAME)$(NC)"
-	@./publish-docker-dev.sh $(NAME)
-
 #===============================================================================
 # DATABASE
 #===============================================================================
@@ -6,8 +6,6 @@
 ![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)
 [![Docker](https://img.shields.io/badge/docker-ready-blue.svg)](https://hub.docker.com)

-_Original repo can be found [here](https://github.com/ZimengXiong/ExcaliDash)_
-
 A self-hosted dashboard and organizer for [Excalidraw](https://github.com/excalidraw/excalidraw) with live collaboration features.

 ## Screenshots
@@ -101,10 +99,6 @@ docker compose -f docker-compose.prod.yml up -d
 # Access the frontend at localhost:6767
 ```

-For single-container deployments, `JWT_SECRET` can be omitted and will be auto-generated and persisted in the backend volume on first start. For portability and all multi-instance deployments, set a fixed `JWT_SECRET` explicitly.
-
-By default, the provided Compose files set `TRUST_PROXY=false` for safer setup. Only set `TRUST_PROXY` to a positive hop count (for example, `1`) when requests always pass through a trusted reverse proxy that correctly sets forwarded headers.
-
 ## Docker Build

 [Install Docker](https://docs.docker.com/desktop/)
@@ -126,20 +120,14 @@ docker compose up -d

 When running ExcaliDash behind Traefik, Nginx, or another reverse proxy, configure both containers so that API + WebSocket calls resolve correctly:

- `FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks. **Supports multiple comma-separated URLs** for accessing from different addresses.
- `TRUST_PROXY` (backend) should be set to `1` when requests pass through one trusted reverse proxy hop (for example: frontend nginx -> backend) and forwarded headers are sanitized. This ensures rate limiting and logging use the real client IP from trusted proxy headers.
+- `FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks.
 - `BACKEND_URL` (frontend) tells the Nginx container how to reach the backend from inside Docker/Kubernetes. Override it if your reverse proxy exposes the backend under a different hostname.

 ```yaml
 # docker-compose.yml example
 backend:
  environment:
-    # Single URL
    - FRONTEND_URL=https://excalidash.example.com
-    # Trust exactly one reverse-proxy hop
-    - TRUST_PROXY=1
-    # Or multiple URLs (comma-separated) for local + network access
-    # - FRONTEND_URL=http://localhost:6767,http://192.168.1.100:6767,http://nas.local:6767
 frontend:
  environment:
    # For standard Docker Compose (default)
@@ -150,7 +138,7 @@ frontend:

 ### Multi-Container / Kubernetes Deployments

-When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set both `JWT_SECRET` and `CSRF_SECRET` to the same values across all instances.
+When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set the `CSRF_SECRET` environment variable to the same value across all instances.

 ```bash
 # Generate a secure secret
@@ -161,37 +149,11 @@ openssl rand -base64 32
 # docker-compose.yml or k8s deployment
 backend:
  environment:
-    - JWT_SECRET=your-generated-jwt-secret-here
    - CSRF_SECRET=your-generated-secret-here
 ```

 Without this, each container generates its own ephemeral CSRF secret, causing token validation failures when requests are routed to different replicas. Single-container deployments work without this setting.

-### Authentication Modes (Local + OIDC)
-
-ExcaliDash supports three auth modes via backend `AUTH_MODE`:
-
- `local` (default): native email/password login only.
- `hybrid`: native login + OIDC login.
- `oidc_enforced`: OIDC-only login (native login/register disabled).
-
-For OIDC modes (`hybrid` or `oidc_enforced`), set:
-
-```yaml
-backend:
-  environment:
-    - AUTH_MODE=oidc_enforced
-    - OIDC_PROVIDER_NAME=Authentik
-    - OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
-    - OIDC_CLIENT_ID=your-client-id
-    - OIDC_CLIENT_SECRET=your-client-secret
-    - OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
-    - OIDC_SCOPES=openid profile email
-```
-
-In `oidc_enforced` mode, unauthenticated users are automatically redirected to `/api/auth/oidc/start`.
-Users are linked by `(issuer, sub)` first, then by verified email, and optionally auto-provisioned.
-
 # Development

 ## Clone the Repository
@@ -232,27 +194,6 @@ npx prisma db push
 npm run dev
 ```

-### Simulate Auth Onboarding (Development)
-
-To simulate first-run authentication choice flows in local development:
-
-```bash
-cd ExcaliDash/backend
-
-# Preview what would change (no data modifications)
-npm run dev:simulate-auth-onboarding:dry-run
-
-# Simulate "fresh install" onboarding state
-# (wipes drawings/collections/libraries and removes non-bootstrap users)
-npm run dev:simulate-auth-onboarding:fresh
-
-# Simulate "migration" onboarding state (ensures legacy data exists)
-npm run dev:simulate-auth-onboarding:migration
-```
-
-After running a simulation while the backend is already running, wait about 5 seconds
-(auth mode cache TTL) or restart the backend before refreshing the UI.
-
 ## Project Structure

 ```
@@ -1,9 +1,43 @@
-Multi user setup is opt-in, single user by default
+CSRF Protection (8a78b2b)

-Multi-user support for excalidash
- Admin dashboard
- Password reset, force user password reset (admin only), account lockout recovery
- Rate limits
+  - Implemented comprehensive CSRF (Cross-Site Request Forgery) protection for enhanced security
+  - Added new backend/src/security.ts module for security utilities
+  - Frontend API layer now handles CSRF tokens automatically
+  - Added integration tests for CSRF validation

-Deprecates .json and .sqlite database backups in favor of .excalidash archives (user scoped, prevents exporting of senstive information). Legacy import is maintained.
+  Upload Progress Indicator (8f9b9b4)

+  - Added a visual upload progress bar when users upload files
+  - New UploadContext for managing upload state across components
+  - New UploadStatus component displaying real-time upload progress
+  - Save status indicator when navigating back from the editor
+  - Improved error handling and recovery for failed uploads
+
+  Bug Fixes
+
+  - Fixed broken e2e tests (cae8f3c)
+  - Replaced deprecated substr() with substring()
+  - Fixed stale state issues in error handling
+  - Fixed missing useEffect dependencies
+  - Fixed CSS class conflicts in progress bar styling
+  - Added error recovery for save state in Editor
+
+  Infrastructure
+
+  - Updated docker-compose configurations with new environment variables
+  - E2E test suite improvements and reliability fixes
+  - Added Kubernetes deployment note in README
+
+### Kubernetes
+
+  A `CSRF_SECRET` environment variable is now required for CSRF protection. Generate a secure 32+ character random string:
+
+  ```bash
+  openssl rand -base64 32
+
+  Add it to your deployment:
+  - Docker Compose: Add CSRF_SECRET=<your-secret> to the backend service environment
+  - Kubernetes: Add to your ConfigMap/Secret and reference in the backend deployment
+
+  If not set, the backend will refuse to start.
+  ```
@@ -1 +1 @@
-0.4.6
+0.3.0
@@ -9,7 +9,3 @@ dist
 *.log
 prisma/dev.db
 prisma/dev.db-journal
-src/generated
-coverage
-*.test.ts
-*.spec.ts
@@ -2,28 +2,4 @@
 PORT=8000
 NODE_ENV=production
 DATABASE_URL=file:/app/prisma/dev.db
-FRONTEND_URL=https://draw.louiscreates.com
-API_BASE_PATH=/api
-# Keep disabled unless traffic always comes through a trusted reverse proxy.
-TRUST_PROXY=false
-AUTH_MODE=local
-JWT_SECRET=change-this-secret-in-production-min-32-chars
-
-# Optional Feature Flags (all default to false for backward compatibility)
-# Set to "true" or "1" to enable:
-# ENABLE_PASSWORD_RESET=false
-# ENABLE_REFRESH_TOKEN_ROTATION=false
-# ENABLE_AUDIT_LOGGING=false
-
-# OIDC Configuration (required when AUTH_MODE=hybrid or AUTH_MODE=oidc_enforced)
-# OIDC_PROVIDER_NAME=Authentik
-# OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/
-# OIDC_CLIENT_ID=your-client-id
-# OIDC_CLIENT_SECRET=your-client-secret
-# OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback
-# OIDC_SCOPES=openid profile email
-# OIDC_EMAIL_CLAIM=email
-# OIDC_EMAIL_VERIFIED_CLAIM=email_verified
-# OIDC_REQUIRE_EMAIL_VERIFIED=true
-# OIDC_JIT_PROVISIONING=true
-# OIDC_FIRST_USER_ADMIN=true
+FRONTEND_URL=http://localhost:6767
@@ -3,15 +3,12 @@ FROM node:20-alpine AS builder

 WORKDIR /app

-# Native build deps for modules that may compile from source (e.g., better-sqlite3 on arm64)
-RUN apk add --no-cache python3 make g++
-
 # Copy package files
 COPY package*.json ./
 COPY tsconfig.json ./

 # Install dependencies
-RUN npm ci && npm cache clean --force
+RUN npm ci

 # Copy prisma schema
 COPY prisma ./prisma/
@@ -28,7 +25,7 @@ RUN npx tsc
 # Production stage
 FROM node:20-alpine

-# Install runtime packages and create non-root user
+# Install OpenSSL for Prisma and su-exec, create non-root user
 RUN apk add --no-cache openssl su-exec && \
    addgroup -g 1001 -S nodejs && \
    adduser -S nodejs -u 1001
@@ -39,10 +36,7 @@ WORKDIR /app
 COPY package*.json ./

 # Install production dependencies only
-RUN apk add --no-cache --virtual .build-deps python3 make g++ && \
-    npm ci --omit=dev && \
-    npm cache clean --force && \
-    apk del .build-deps
+RUN npm ci --only=production

 # Copy prisma schema and migrations for runtime and hydration template
 COPY prisma ./prisma/
@@ -54,6 +48,9 @@ COPY --from=builder /app/dist ./dist
 # Copy the generated Prisma Client from builder to maintain the same structure
 COPY --from=builder /app/src/generated ./dist/generated

+# Generate Prisma Client in production (updates node_modules)
+RUN npx prisma generate
+
 # Create necessary directories (ownership will be set in entrypoint)
 RUN mkdir -p /app/uploads /app/prisma

@@ -1,52 +1,6 @@
 #!/bin/sh
 set -e

-JWT_SECRET_FILE="/app/prisma/.jwt_secret"
-CSRF_SECRET_FILE="/app/prisma/.csrf_secret"
-
-# Ensure JWT secret exists for production startup.
-# Backward compatibility: older installs may not have JWT_SECRET configured.
-if [ -z "${JWT_SECRET:-}" ]; then
-    echo "JWT_SECRET not provided, resolving persisted secret..."
-    if [ -f "${JWT_SECRET_FILE}" ]; then
-        JWT_SECRET="$(tr -d '\r\n' < "${JWT_SECRET_FILE}")"
-    fi
-
-    if [ -z "${JWT_SECRET}" ]; then
-        echo "No persisted JWT secret found. Generating a new secret..."
-        JWT_SECRET="$(openssl rand -hex 32)"
-        umask 077
-        printf "%s" "${JWT_SECRET}" > "${JWT_SECRET_FILE}"
-    fi
-else
-    # Persist explicitly provided secret to support future restarts without env injection.
-    umask 077
-    printf "%s" "${JWT_SECRET}" > "${JWT_SECRET_FILE}"
-fi
-
-export JWT_SECRET
-
-# Ensure CSRF secret exists for stable token validation across restarts.
-# (Still recommend setting explicitly for multi-instance deployments.)
-if [ -z "${CSRF_SECRET:-}" ]; then
-    echo "CSRF_SECRET not provided, resolving persisted secret..."
-    if [ -f "${CSRF_SECRET_FILE}" ]; then
-        CSRF_SECRET="$(tr -d '\r\n' < "${CSRF_SECRET_FILE}")"
-    fi
-
-    if [ -z "${CSRF_SECRET}" ]; then
-        echo "No persisted CSRF secret found. Generating a new secret..."
-        CSRF_SECRET="$(openssl rand -base64 32)"
-        umask 077
-        printf "%s" "${CSRF_SECRET}" > "${CSRF_SECRET_FILE}"
-    fi
-else
-    umask 077
-    printf "%s" "${CSRF_SECRET}" > "${CSRF_SECRET_FILE}"
-fi
-
-export CSRF_SECRET
-
 # 1. Hydrate volume if empty (Running as root)
 if [ ! -f "/app/prisma/schema.prisma" ]; then
    echo "Mount is empty. Hydrating /app/prisma..."
@@ -64,13 +18,11 @@ echo "Fixing filesystem permissions..."
 chown -R nodejs:nodejs /app/uploads
 chown -R nodejs:nodejs /app/prisma
 chmod 755 /app/uploads
-chmod 600 "${JWT_SECRET_FILE}"
-chmod 600 "${CSRF_SECRET_FILE}"

 # Ensure database file has proper permissions
 if [ -f "/app/prisma/dev.db" ]; then
    echo "Database file found, ensuring write permissions..."
-    chmod 600 /app/prisma/dev.db
+    chmod 666 /app/prisma/dev.db
 fi

 # 3. Run Migrations (Drop privileges to nodejs)
@@ -1,15 +1,10 @@
 {
  "name": "backend",
-  "version": "0.4.6",
+  "version": "0.3.0",
  "description": "",
  "main": "index.js",
  "scripts": {
-    "predev": "node scripts/predev-migrate.cjs",
    "dev": "nodemon src/index.ts",
-    "admin:recover": "node scripts/admin-recover.cjs",
-    "dev:simulate-auth-onboarding:fresh": "node scripts/simulate-auth-onboarding.cjs --scenario fresh",
-    "dev:simulate-auth-onboarding:migration": "node scripts/simulate-auth-onboarding.cjs --scenario migration",
-    "dev:simulate-auth-onboarding:dry-run": "node scripts/simulate-auth-onboarding.cjs --scenario migration --dry-run",
    "test": "vitest run",
    "test:watch": "vitest",
    "test:coverage": "vitest run --coverage"
@@ -20,39 +15,27 @@
  "type": "commonjs",
  "dependencies": {
    "@prisma/client": "^5.22.0",
+    "@types/archiver": "^7.0.0",
+    "@types/jsdom": "^21.1.7",
+    "@types/multer": "^2.0.0",
+    "@types/socket.io": "^3.0.1",
    "archiver": "^7.0.1",
-    "bcrypt": "^6.0.0",
    "better-sqlite3": "^12.4.6",
    "cors": "^2.8.5",
    "dompurify": "^3.3.0",
    "dotenv": "^17.2.3",
    "express": "^5.1.0",
-    "express-rate-limit": "^8.2.1",
-    "helmet": "^8.1.0",
    "jsdom": "^22.1.0",
-    "jsonwebtoken": "^9.0.3",
-    "jszip": "^3.10.1",
-    "ms": "^2.1.3",
    "multer": "^2.0.2",
-    "openid-client": "^5.7.1",
    "prisma": "^5.22.0",
    "socket.io": "^4.8.1",
-    "uuid": "^13.0.0",
    "zod": "^4.1.12"
  },
  "devDependencies": {
-    "@types/archiver": "^7.0.0",
-    "@types/bcrypt": "^6.0.0",
    "@types/cors": "^2.8.19",
    "@types/express": "^5.0.5",
-    "@types/jsdom": "^21.1.7",
-    "@types/jsonwebtoken": "^9.0.10",
-    "@types/ms": "^2.1.0",
-    "@types/multer": "^2.0.0",
    "@types/node": "^24.10.1",
-    "@types/socket.io": "^3.0.1",
    "@types/supertest": "^6.0.3",
-    "@types/uuid": "^10.0.0",
    "nodemon": "^3.1.11",
    "supertest": "^7.1.4",
    "ts-node": "^10.9.2",
@@ -1,96 +0,0 @@
-- NOTE:
-- This migration assigns all pre-existing data to a bootstrap admin user so that
-- upgrading an existing (non-empty) database doesn't fail and the data remains accessible.
-- The bootstrap admin user starts inactive and must be activated via the app's
-- initial registration flow.
-
-- Constants
-- Keep in sync with backend/src/auth.ts
-- (SQLite doesn't support variables; we inline the values instead.)
--   BOOTSTRAP_USER_ID = 'bootstrap-admin'
--   BOOTSTRAP_LIBRARY_ID = 'user_bootstrap-admin'
-
-- CreateTable
-CREATE TABLE "User" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "username" TEXT,
-    "email" TEXT NOT NULL,
-    "passwordHash" TEXT NOT NULL,
-    "name" TEXT NOT NULL,
-    "role" TEXT NOT NULL DEFAULT 'USER',
-    "mustResetPassword" BOOLEAN NOT NULL DEFAULT false,
-    "isActive" BOOLEAN NOT NULL DEFAULT true,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL
-);
-
-- CreateTable
-CREATE TABLE "SystemConfig" (
-    "id" TEXT NOT NULL PRIMARY KEY DEFAULT 'default',
-    "registrationEnabled" BOOLEAN NOT NULL DEFAULT false,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL
-);
-
-- Bootstrap state:
-- - Insert a singleton config row (registration disabled by default)
-- - Insert an inactive bootstrap admin user and assign all existing data to it
-INSERT INTO "SystemConfig" ("id", "registrationEnabled", "createdAt", "updatedAt")
-VALUES ('default', false, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP);
-
-INSERT INTO "User" ("id", "username", "email", "passwordHash", "name", "role", "mustResetPassword", "isActive", "createdAt", "updatedAt")
-VALUES ('bootstrap-admin', NULL, 'bootstrap@excalidash.local', '', 'Bootstrap Admin', 'ADMIN', true, false, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP);
-
-- RedefineTables
-PRAGMA defer_foreign_keys=ON;
-PRAGMA foreign_keys=OFF;
-CREATE TABLE "new_Collection" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "name" TEXT NOT NULL,
-    "userId" TEXT NOT NULL,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL,
-    CONSTRAINT "Collection_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
-);
-INSERT INTO "new_Collection" ("createdAt", "id", "name", "userId", "updatedAt")
-SELECT "createdAt", "id", "name", 'bootstrap-admin', "updatedAt" FROM "Collection";
-DROP TABLE "Collection";
-ALTER TABLE "new_Collection" RENAME TO "Collection";
-CREATE TABLE "new_Drawing" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "name" TEXT NOT NULL,
-    "elements" TEXT NOT NULL,
-    "appState" TEXT NOT NULL,
-    "files" TEXT NOT NULL DEFAULT '{}',
-    "preview" TEXT,
-    "version" INTEGER NOT NULL DEFAULT 1,
-    "userId" TEXT NOT NULL,
-    "collectionId" TEXT,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL,
-    CONSTRAINT "Drawing_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
-    CONSTRAINT "Drawing_collectionId_fkey" FOREIGN KEY ("collectionId") REFERENCES "Collection" ("id") ON DELETE SET NULL ON UPDATE CASCADE
-);
-INSERT INTO "new_Drawing" ("appState", "collectionId", "createdAt", "elements", "files", "id", "name", "preview", "userId", "updatedAt", "version")
-SELECT "appState", "collectionId", "createdAt", "elements", "files", "id", "name", "preview", 'bootstrap-admin', "updatedAt", "version" FROM "Drawing";
-DROP TABLE "Drawing";
-ALTER TABLE "new_Drawing" RENAME TO "Drawing";
-CREATE TABLE "new_Library" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "items" TEXT NOT NULL DEFAULT '[]',
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL
-);
-- Migrate the singleton library to the bootstrap user's library key.
-INSERT INTO "new_Library" ("createdAt", "id", "items", "updatedAt")
-SELECT "createdAt", 'user_bootstrap-admin', "items", "updatedAt" FROM "Library" WHERE "id" = 'default';
-DROP TABLE "Library";
-ALTER TABLE "new_Library" RENAME TO "Library";
-PRAGMA foreign_keys=ON;
-PRAGMA defer_foreign_keys=OFF;
-
-- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
-
-- CreateIndex
-CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
@@ -1,40 +0,0 @@
-- CreateTable
-CREATE TABLE "PasswordResetToken" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "userId" TEXT NOT NULL,
-    "token" TEXT NOT NULL,
-    "expiresAt" DATETIME NOT NULL,
-    "used" BOOLEAN NOT NULL DEFAULT false,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    CONSTRAINT "PasswordResetToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
-);
-
-- CreateTable
-CREATE TABLE "RefreshToken" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "userId" TEXT NOT NULL,
-    "token" TEXT NOT NULL,
-    "expiresAt" DATETIME NOT NULL,
-    "revoked" BOOLEAN NOT NULL DEFAULT false,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    CONSTRAINT "RefreshToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
-);
-
-- CreateTable
-CREATE TABLE "AuditLog" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "userId" TEXT,
-    "action" TEXT NOT NULL,
-    "resource" TEXT,
-    "ipAddress" TEXT,
-    "userAgent" TEXT,
-    "details" TEXT,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    CONSTRAINT "AuditLog_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE SET NULL ON UPDATE CASCADE
-);
-
-- CreateIndex
-CREATE UNIQUE INDEX "PasswordResetToken_token_key" ON "PasswordResetToken"("token");
-
-- CreateIndex
-CREATE UNIQUE INDEX "RefreshToken_token_key" ON "RefreshToken"("token");
@@ -1,5 +0,0 @@
-- Add authEnabled flag to SystemConfig to support single-user mode by default.
-
-- SQLite supports simple ADD COLUMN for non-null with default.
-ALTER TABLE "SystemConfig" ADD COLUMN "authEnabled" BOOLEAN NOT NULL DEFAULT false;
-
@@ -1,5 +0,0 @@
-- AlterTable
-ALTER TABLE "SystemConfig" ADD COLUMN "authLoginRateLimitEnabled" BOOLEAN NOT NULL DEFAULT 1;
-ALTER TABLE "SystemConfig" ADD COLUMN "authLoginRateLimitWindowMs" INTEGER NOT NULL DEFAULT 900000;
-ALTER TABLE "SystemConfig" ADD COLUMN "authLoginRateLimitMax" INTEGER NOT NULL DEFAULT 20;
-
@@ -1,9 +0,0 @@
-- Improve dashboard query performance for user-scoped collection and drawing listings.
-CREATE INDEX IF NOT EXISTS "Collection_userId_updatedAt_idx"
-ON "Collection" ("userId", "updatedAt");
-
-CREATE INDEX IF NOT EXISTS "Drawing_userId_updatedAt_idx"
-ON "Drawing" ("userId", "updatedAt");
-
-CREATE INDEX IF NOT EXISTS "Drawing_userId_collectionId_updatedAt_idx"
-ON "Drawing" ("userId", "collectionId", "updatedAt");
@@ -1,2 +0,0 @@
-- Track whether initial auth mode choice has been explicitly completed.
-ALTER TABLE "SystemConfig" ADD COLUMN "authOnboardingCompleted" BOOLEAN NOT NULL DEFAULT false;
@@ -1,22 +0,0 @@
-- CreateTable
-CREATE TABLE "AuthIdentity" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "userId" TEXT NOT NULL,
-    "provider" TEXT NOT NULL,
-    "issuer" TEXT NOT NULL,
-    "subject" TEXT NOT NULL,
-    "emailAtLink" TEXT NOT NULL,
-    "lastLoginAt" DATETIME,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL,
-    CONSTRAINT "AuthIdentity_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
-);
-
-- CreateIndex
-CREATE UNIQUE INDEX "AuthIdentity_issuer_subject_key" ON "AuthIdentity"("issuer", "subject");
-
-- CreateIndex
-CREATE UNIQUE INDEX "AuthIdentity_provider_userId_key" ON "AuthIdentity"("provider", "userId");
-
-- CreateIndex
-CREATE INDEX "AuthIdentity_userId_idx" ON "AuthIdentity"("userId");
@@ -1,42 +0,0 @@
-- CreateTable
-CREATE TABLE "DrawingShareLink" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "drawingId" TEXT NOT NULL,
-    "role" TEXT NOT NULL,
-    "token" TEXT NOT NULL,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL,
-    CONSTRAINT "DrawingShareLink_drawingId_fkey" FOREIGN KEY ("drawingId") REFERENCES "Drawing" ("id") ON DELETE CASCADE ON UPDATE CASCADE
-);
-
-- CreateTable
-CREATE TABLE "DrawingShareGrant" (
-    "id" TEXT NOT NULL PRIMARY KEY,
-    "drawingId" TEXT NOT NULL,
-    "userId" TEXT NOT NULL,
-    "shareLinkId" TEXT NOT NULL,
-    "role" TEXT NOT NULL,
-    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" DATETIME NOT NULL,
-    CONSTRAINT "DrawingShareGrant_drawingId_fkey" FOREIGN KEY ("drawingId") REFERENCES "Drawing" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
-    CONSTRAINT "DrawingShareGrant_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
-    CONSTRAINT "DrawingShareGrant_shareLinkId_fkey" FOREIGN KEY ("shareLinkId") REFERENCES "DrawingShareLink" ("id") ON DELETE CASCADE ON UPDATE CASCADE
-);
-
-- CreateIndex
-CREATE UNIQUE INDEX "DrawingShareLink_token_key" ON "DrawingShareLink"("token");
-
-- CreateIndex
-CREATE INDEX "DrawingShareLink_drawingId_idx" ON "DrawingShareLink"("drawingId");
-
-- CreateIndex
-CREATE UNIQUE INDEX "DrawingShareLink_drawingId_role_key" ON "DrawingShareLink"("drawingId", "role");
-
-- CreateIndex
-CREATE INDEX "DrawingShareGrant_drawingId_userId_idx" ON "DrawingShareGrant"("drawingId", "userId");
-
-- CreateIndex
-CREATE INDEX "DrawingShareGrant_userId_createdAt_idx" ON "DrawingShareGrant"("userId", "createdAt");
-
-- CreateIndex
-CREATE UNIQUE INDEX "DrawingShareGrant_drawingId_userId_shareLinkId_key" ON "DrawingShareGrant"("drawingId", "userId", "shareLinkId");
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Zimeng Xiong	0ba96c47a8	"Claude Code Review workflow"	2026-01-20 10:55:24 -08:00
Zimeng Xiong	0f93f1ab76	"Claude PR Assistant workflow"	2026-01-20 10:55:22 -08:00
@@ -1 +1 @@
 .4.6
 .3.0