posimai
85bd0cc879
fix: unify store URL to store.posimai.soar-enrich.com
Made-with: Cursor
2026-04-11 14:36:33 +09:00
posimai
1d9c2b5f3d
docs: fully update new-app-guide.md to the current state
- Reflect Step 8 of create-app.sh (automatic dashboard update)
- Consolidate templates to _template-minimal only
- Add Alpine.js as Pattern B (no build step, reactive state)
- Document the policy for SW cache update timing
- Add implementation checklist
- Remove and tidy up old manual steps (now automated)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 12:05:03 +09:00
posimai
5538cde753
chore: bring _template-minimal up to date + automatic dashboard update in create-app.sh
- _template-minimal/sw.js: add skipWaiting() (prevents stale caches lingering after deploy)
- _template-minimal/index.html: add JWT token handoff (SSO from the dashboard)
- create-app.sh: change copy source from _template to _template-minimal
- create-app.sh: add Step 8 — automatically update projects.json / timeline / roadmap and run through to deployment
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 11:44:15 +09:00
posimai
ee7b3053e2
fix: fix race condition in first-time activation
Add WHERE device_id IS NULL to make the update atomic; on conflict,
re-fetch the row and compare.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 06:42:42 +09:00
posimai
04b40a5b67
chore: add transfer of the routes/ directory to deploy-server.sh
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:19:05 +09:00
posimai
2cd7795202
feat: integrate Ponshu Room Pro license management into server.js
- routes/ponshu.js: add new license validation and revocation endpoints
  POST /api/ponshu/license/validate (no auth required, called directly from mobile)
  POST /api/ponshu/admin/license/revoke (API key auth required)
- routes/stripe.js: extract and extend the existing Stripe webhook handler
  Issue a license key when metadata.product === 'ponshu_room_pro'
  Add Stripe webhook idempotency check (stripe_session_id)
  Send the license key by email via Resend
- server.js: add ponshu_licenses table to the schema
  Replace the inline handleStripeWebhook function with routes/stripe.js
  Mount ponshuRouter and stripeRouter
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:16:57 +09:00
posimai
ada6eba333
fix: security — invite_code leakage, Atlas token in URL, RSS err.message exposure
- GET /together/groups/:id: SELECT * -> SELECT id, name, created_at (exclude invite_code)
- Atlas github/vercel/tailscale-scan: move token from query param to Authorization header
- /events/rss: replace err.message with a fixed message so it is not returned to the client
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:05:18 +09:00
posimai
dbc30494bd
fix: emoji violation in shadow-logger, SW lifecycle fix in veil, doc analytics exception
2026-04-10 21:34:44 +09:00
posimai
8007371daa
docs: update STATUS.md with 2026-04-10 session work and clarify deferred tasks
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 17:11:58 +09:00
posimai
5b17d9215c
docs: merge security fixes and next steps into server-refactor-plan
- Add section 6: 7 security/reliability fixes applied 2026-04-10
(SSRF guard, size limits, pool config, error handler)
- Add section 7: POST /save async pattern documentation
- Add section 10: prioritized next steps (commercialization + refactor tracks)
- Add completion history table
- Update line number estimates to reflect additions
- Update current line count to ~3130
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 14:00:15 +09:00
posimai
8fdc047b7f
docs: add server.js refactor plan for shared AI context
- Record current structure, line counts per section, and shared-variable dependency map
- Design target structure (proposed lib/ + routes/ split)
- Describe criteria for deciding when to execute and the per-phase procedure
- Add to the reference document list in CLAUDE.md / AGENTS.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 08:25:43 +09:00
posimai
e3e6ebca7d
docs: update design-system font to Geist + fix create-app.sh Gitea auth
- design-system.md: Inter → Geist
- create-app.sh: GITEA_TOKEN fallback → git credential store
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 08:13:04 +09:00
posimai
7cf305fdc0
chore: update templates — Geist font, Lucide integrity, JWT token handoff
- Inter → Geist font
- Lucide SRI integrity hash added
- init_key (legacy API key) → token (JWT) cross-domain handoff
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 08:09:36 +09:00
posimai
82a094f2f2
fix: refuse to start if JWT_SECRET is not set in environment
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 07:55:08 +09:00
posimai
5de1174363
fix: SSRF guard for Together/Jina + 1MB Jina response size limit
2026-04-09 23:49:25 +09:00
posimai
5a3a510331
fix: SSRF blocklist + response size limit + DB pool max 15 + pool.on(error)
2026-04-09 23:45:55 +09:00
posimai
1336b20c90
fix: change POST /save and quick-save to save immediately — move fetchMeta/Jina/AI to the background to eliminate lag
2026-04-09 20:48:17 +09:00
posimai
e4bd0a1901
docs: update master-architecture to 2026-04-06 — Supabase exit, DNS finalized, remaining tasks organized
- Reflect completed Together VPS migration and Supabase exit
- Record wildcard DNS confirmed and reading_history VPS fix applied
- Add security fixes (WebSocket/SSRF/e.message) to the decision log
- Update STATUS.md to the 2026-04-06 version
2026-04-06 17:05:47 +09:00
posimai
d65ccba724
chore: remove stale Supabase Edge Function deploy reference
2026-04-06 16:54:01 +09:00
posimai
3cd8ebd0b6
fix: Feed API POST auth gate + sanitize e.message in error responses
2026-04-06 09:09:26 +09:00
posimai
9e90008575
fix: WebSocket auth gate + SSRF private IP blocklist in posimai-dev
2026-04-06 00:39:18 +09:00
posimai
c24c710f33
chore: add STATUS.md, AI execution permissions, code source-of-truth to CLAUDE.md/AGENTS.md
2026-04-05 23:25:19 +09:00
posimai
225fa7b8f7
docs: update master-architecture to 2026-04-05 — OAuth/Stripe/VOICEVOX/Uptime Kuma port
2026-04-05 23:19:58 +09:00
posimai
7580c79f05
fix: Uptime Kuma port 3001→3002
2026-04-05 22:44:25 +09:00
posimai
fc00b16a13
chore: remove Syncthing from station, revert to 2-col services grid
2026-04-05 22:36:54 +09:00
posimai
3a1b6cff1e
chore: add Uptime Kuma to station services, 3-col grid
2026-04-05 22:19:22 +09:00
posimai
2e326605cb
feat: include plan in JWT, update session/verify to use plan column
2026-04-05 15:03:04 +09:00
posimai
8fdcb65f4b
fix: skip express.json for stripe webhook to preserve raw body
2026-04-05 14:54:39 +09:00
posimai
955da8899b
fix: allow server-to-server requests to /health without CORS block
2026-04-05 14:02:55 +09:00
posimai
8e9f232dba
feat: stripe webhook plan upgrade/downgrade, add plan/subscription columns
2026-04-05 14:01:41 +09:00
posimai
c7b6d0b2d3
feat: add Feed background RSS fetch job and /feed/articles endpoint
2026-04-05 12:29:48 +09:00
posimai
ac8cc6db81
fix: security hardening round 2
- CORS: origin=null now rejected (was: allowed as same-origin)
- CORS: regex tightened to [\w-]+ to prevent subdomain bypass
- CORS: add *.posimai.soar-enrich.com and posimai.soar-enrich.com explicitly
- Stripe webhook: fix regex capture groups + add uppercase hex support
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 03:01:06 +09:00
posimai
0590d0995d
feat: Stripe Webhook + purchase gate
- Add POST /api/stripe/webhook (signature verification, no stripe SDK)
- Add purchased_at + stripe_session_id columns to users table (migration)
- Add purchaseMiddleware (apikey users bypass, JWT users check purchased_at)
- Update /auth/session/verify to return purchased status
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 02:22:18 +09:00
posimai
c53abecbca
redesign: posimai-store index-c dark theme, minimal layout
- Dark theme (#0D0D0D) aligned with all Posimai apps
- Single clear CTA: Posimai Pass 500yen buy-once
- 3-step flow (Stripe to login to use)
- 6 Phase1 apps listed
- Removed Ponshu Room as featured (separate LP later)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 02:18:47 +09:00
posimai
d6f7b487d0
fix: security hardening for commercial release
- Fix OAuth (Google/GitHub) DB column bug: SELECT id → SELECT user_id
- Add OAuth CSRF protection via state parameter (Google + GitHub)
- Restrict /health endpoint: detailed info requires authentication
- Add in-memory rate limiter utility (checkRateLimit)
- Add rate limit to passkey login/begin: 10 req/min per IP
- Add rate limit to Gemini AI analysis: 50 articles/hour per user
- Add rate limit to journal suggest-tags: 10 req/hour per user
- Update posimai-dev /api/vps-health proxy to send VPS_API_KEY header
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 23:04:20 +09:00
posimai
e4ec2c1226
fix: add --no-verify-jwt to together-archive deploy for Database Webhook auth
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 21:05:46 +09:00
posimai
09ebd18b1e
feat: add Google and GitHub OAuth login endpoints
2026-04-04 17:25:26 +09:00
posimai
1f5ae79f11
docs: compress CLAUDE.md/AGENTS.md — remove redundancy, ~40% token reduction
- Merge prose explanations into in-code comments
- Compress section 5 from 3 items to 1 sentence
- Remove duplicated notes
- Make both files identical in content
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 16:36:38 +09:00
posimai
3551070812
docs: add meta-rule — new behavior rules must be written to CLAUDE.md immediately
Prevents rules decided during a session from being written only to memory and never reflected in CLAUDE.md.
Makes it mandatory that when the AI writes a behavior rule to memory, it also appends it to CLAUDE.md/AGENTS.md at the same time.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 16:29:27 +09:00
posimai
b502ea8906
docs: add Gitea auto-create rule to CLAUDE.md and AGENTS.md
Add autonomous Gitea repository creation (no manual instructions allowed) to the prohibited-actions table.
Fixes the problem that, because it was recorded only in memory, it was not carried over to other AI tools.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 14:29:42 +09:00
posimai
7a12d520a7
docs: add deploy-edge.sh rule to CLAUDE.md and AGENTS.md, sync both files
- Add the Edge Function deploy procedure (bash deploy-edge.sh) to both files
- Add the posimai-dev deploy:dev rule to AGENTS.md (synced with CLAUDE.md)
- Align the closing note in AGENTS.md with CLAUDE.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 14:28:23 +09:00
posimai
256d8b0ea4
fix: deploy-edge.sh handle UTF-16 encoded token file
Strip null bytes and the BOM from UTF-16 files saved on Windows so the token is read correctly
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 14:25:27 +09:00
posimai
9b1334747b
feat: add deploy-edge.sh for Supabase Edge Function auto-deploy
Reads the token from ~/.supabase-token, enabling autonomous deployment.
The user needs to write the token to the file only once, the first time.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 14:22:55 +09:00
posimai
3ecdb23a29
feat: diary VPS cloud sync — generate-post fetches from VPS, memory-push.sh HOME fix
2026-04-03 15:53:26 +09:00
posimai
0540e24e67
feat: diary offline reconnect button + start-diary-server.bat
2026-04-03 13:15:27 +09:00
posimai
9e6a2987ed
fix: security hardening - XSS, SSRF, proxy auth, Syncthing config
- server.js: add escapeHtml() and apply to meta.title / error messages (XSS)
- server.js: add startup error log when JWT_SECRET uses insecure default
- posimai-dev/server.js: add URL validation to /api/check to block SSRF
(blocks cloud metadata IPs, non-http/https protocols)
- ponshu_room_lite/tools/proxy/server.js: remove auth bypass when
PROXY_AUTH_TOKEN is unset; server now exits on startup if token missing
- .gitignore: add *.sync-conflict-* to prevent Syncthing conflict files
- .stignore: create Syncthing ignore file to exclude .git, node_modules,
.env from sync (fixes root cause of .git directory sync-conflict files)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 08:15:45 +09:00
posimai
4bd098251f
fix: remove ubuntu pc binbars, reduce machines gap to 8px
2026-04-03 00:56:32 +09:00
posimai
772de39ce8
fix: machines no scroll - remove margin-top:auto, 320px, 3-col statgrid
2026-04-03 00:12:16 +09:00
posimai
55f36f5ad5
fix: services fixed 460px, vitals 1fr for wider layout
2026-04-03 00:03:58 +09:00
posimai
74959df0e8
fix: service cards fill height, unify cpu labels
2026-04-02 21:14:53 +09:00