Commit Graph

36 Commits

Author SHA1 Message Date
posimai e960b9e2ac fix(brain): comprehensive review fixes — placeholder persistence, count accuracy, dead code
- When Gemini returns null: overwrite the placeholder with NULL (fixes the persistence bug)
- /articles count: replaced rows.filter() after LIMIT with a dedicated COUNT query for an accurate count
- Removed genAITogether (unnecessary, it was an alias of genAI)
- quick-save: replaced the client-facing exposure of e.message with a fixed message

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:11:27 +09:00
posimai 47f82586d2 fix(brain): retry 503 once, don't persist failure message to DB
- analyzeWithGemini: on 503 (temporary overload), retry once after 4 seconds
- On failure, return null and do not update the DB on the caller side
  → the "AI分析に失敗しました" ("AI analysis failed") message is no longer persisted as the summary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 23:39:46 +09:00
posimai b25b3f640e fix(brain): switch analyzeWithGemini from gemini-2.0-flash-lite to gemini-2.5-flash
The gemini-2.0-flash-lite free-tier daily quota was exhausted and every AI analysis was failing.
Unify on gemini-2.5-flash to resolve the quota problem.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 23:12:50 +09:00
posimai 7aa79f4a7d fix: station VPS Users/Node hyphen and CPU ring 0% display fixes
Made-with: Cursor
2026-04-12 08:13:58 +09:00
posimai 47c75cae4f fix: add group membership check before posting to the Together API
Added a membership check against the together_members table to each write endpoint:
/together/share, /together/react and /together/comments.
Posts, reactions and comments by non-members are rejected with 403.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 23:03:49 +09:00
posimai 10402464c5 feat: automatically send magic-link email after purchase + wire purchaseMiddleware into TTS
Made-with: Cursor
2026-04-11 15:05:23 +09:00
posimai 85bd0cc879 fix: unify store URL to store.posimai.soar-enrich.com
Made-with: Cursor
2026-04-11 14:36:33 +09:00
posimai 2cd7795202 feat: integrate Ponshu Room Pro license management into server.js
- routes/ponshu.js: new license validation and revocation endpoints
  POST /api/ponshu/license/validate (no auth required; called directly from mobile)
  POST /api/ponshu/admin/license/revoke (API key auth required)
- routes/stripe.js: extracted and extended the existing Stripe webhook handler
  Issues a license key when metadata.product === 'ponshu_room_pro'
  Added Stripe webhook idempotency check (stripe_session_id)
  Sends the license key by email via Resend
- server.js: added ponshu_licenses table to the schema
  Replaced the inline handleStripeWebhook function with routes/stripe.js
  Mounted ponshuRouter and stripeRouter

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:16:57 +09:00
posimai ada6eba333 fix: security — invite_code leakage, Atlas token in URL, RSS err.message exposure
- GET /together/groups/:id: SELECT * -> SELECT id, name, created_at (invite_code excluded)
- Atlas github/vercel/tailscale-scan: moved token from query param to Authorization header
- /events/rss: replaced err.message with a fixed message so it is not returned to the client

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:05:18 +09:00
posimai 82a094f2f2 fix: refuse to start if JWT_SECRET is not set in environment
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 07:55:08 +09:00
posimai 5de1174363 fix: SSRF guard for Together/Jina + 1MB cap on Jina response size 2026-04-09 23:49:25 +09:00
posimai 5a3a510331 fix: SSRF blocklist + response size limit + DB pool max 15 + pool.on(error) 2026-04-09 23:45:55 +09:00
posimai 1336b20c90 fix: make POST /save and quick-save return immediately — move fetchMeta/Jina/AI to the background to eliminate lag 2026-04-09 20:48:17 +09:00
posimai 3cd8ebd0b6 fix: Feed API POST auth gate + sanitize e.message in error responses 2026-04-06 09:09:26 +09:00
posimai 2e326605cb feat: include plan in JWT, update session/verify to use plan column 2026-04-05 15:03:04 +09:00
posimai 8fdcb65f4b fix: skip express.json for stripe webhook to preserve raw body 2026-04-05 14:54:39 +09:00
posimai 955da8899b fix: allow server-to-server requests to /health without CORS block 2026-04-05 14:02:55 +09:00
posimai 8e9f232dba feat: stripe webhook plan upgrade/downgrade, add plan/subscription columns 2026-04-05 14:01:41 +09:00
posimai c7b6d0b2d3 feat: add Feed background RSS fetch job and /feed/articles endpoint 2026-04-05 12:29:48 +09:00
posimai ac8cc6db81 fix: security hardening round 2
- CORS: origin=null now rejected (was: allowed as same-origin)
- CORS: regex tightened to [\w-]+ to prevent subdomain bypass
- CORS: add *.posimai.soar-enrich.com and posimai.soar-enrich.com explicitly
- Stripe webhook: fix regex capture groups + add uppercase hex support

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 03:01:06 +09:00
posimai 0590d0995d feat: Stripe Webhook + purchase gate
- Add POST /api/stripe/webhook (signature verification, no stripe SDK)
- Add purchased_at + stripe_session_id columns to users table (migration)
- Add purchaseMiddleware (apikey users bypass, JWT users check purchased_at)
- Update /auth/session/verify to return purchased status

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 02:22:18 +09:00
posimai d6f7b487d0 fix: security hardening for commercial release
- Fix OAuth (Google/GitHub) DB column bug: SELECT id → SELECT user_id
- Add OAuth CSRF protection via state parameter (Google + GitHub)
- Restrict /health endpoint: detailed info requires authentication
- Add in-memory rate limiter utility (checkRateLimit)
- Add rate limit to passkey login/begin: 10 req/min per IP
- Add rate limit to Gemini AI analysis: 50 articles/hour per user
- Add rate limit to journal suggest-tags: 10 req/hour per user
- Update posimai-dev /api/vps-health proxy to send VPS_API_KEY header

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 23:04:20 +09:00
posimai 09ebd18b1e feat: add Google and GitHub OAuth login endpoints 2026-04-04 17:25:26 +09:00
posimai 9e6a2987ed fix: security hardening - XSS, SSRF, proxy auth, Syncthing config
- server.js: add escapeHtml() and apply to meta.title / error messages (XSS)
- server.js: add startup error log when JWT_SECRET uses insecure default
- posimai-dev/server.js: add URL validation to /api/check to block SSRF
  (blocks cloud metadata IPs, non-http/https protocols)
- ponshu_room_lite/tools/proxy/server.js: remove auth bypass when
  PROXY_AUTH_TOKEN is unset; server now exits on startup if token missing
- .gitignore: add *.sync-conflict-* to prevent Syncthing conflict files
- .stignore: create Syncthing ignore file to exclude .git, node_modules,
  .env from sync (fixes root cause of .git directory sync-conflict files)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 08:15:45 +09:00
posimai 8d9f4e22b0 feat: extend /health endpoint with OS metrics for Station cockpit 2026-04-02 19:18:14 +09:00
posimai b61831d3a2 feat: posimai-dev — aurora terminal, systemd service, atlas sync, master-architecture update 2026-03-31 00:25:44 +09:00
posimai 8902828a5d fix: update public URL log to api.soar-enrich.com 2026-03-26 23:06:06 +09:00
posimai 7454b0eda5 feat: add Magic Link + Passkey (WebAuthn) authentication to server.js
- Add JWT session auth (jsonwebtoken v9) alongside legacy API key auth
- Magic Link: POST /auth/magic-link/send + GET /auth/magic-link/verify
- Passkey: register/begin+finish, login/begin+finish endpoints
- Session: GET /auth/session/verify, DELETE /auth/session
- Passkey management: GET/DELETE /auth/passkeys
- New DB tables: magic_link_tokens, passkey_credentials, auth_sessions,
  magic_link_rate_limit, webauthn_user_handles
- Users table: add email + email_verified columns (migration)
- Rate limiting on magic link sends (3 per 10min per email)
- Resend email integration (stubbed until DNS verified)
- SimpleWebAuthn v13 (ESM) loaded via dynamic import
- authMiddleware: JWT-first, fallback to API key (backward compat)
- WEBAUTHN_RP_ID/ORIGINS/JWT_SECRET configurable via env vars

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 08:31:11 +09:00
posimai db4674df36 fix: update public URL to posimai.soar-enrich.com in server.js log 2026-03-25 23:23:02 +09:00
posimai df0e1b66ad fix: TTS pre-warm — prioritize user requests, fix cache key mismatch
- Split preWarmBusy from ttsBusy so user requests are never blocked by pre-warm
- /tts endpoint waits up to 6s for pre-warm synthesis then proceeds
- Pre-warm skips articles when user is actively using TTS
- Fix text format to match Brief exactly (remove substring(60), fix source fallback)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 18:23:29 +09:00
posimai c73f4f3180 feat: add /feed/media CRUD endpoints to server.js
Adds GET/POST/PATCH/DELETE for feed_media table, bringing git into sync
with the deployed Synology version. Safe to deploy-server.sh after this.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 17:06:14 +09:00
posimai e7ccd829f6 fix: Pulse UPSERT COALESCE — prevent partial POST from wiping other metrics
ON CONFLICT DO UPDATE now uses COALESCE($3, pulse_log.mood) etc.
so sending only {mood:3} no longer sets energy/focus to NULL.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 23:01:18 +09:00
posimai b8b26373dd chore: update claude-settings.json (memory-push hook) and server.js backup 2026-03-18 00:07:40 +09:00
posimai 9c892e723a chore: remove emoji from server.js comments and startup log 2026-03-17 18:10:55 +09:00
posimai a60dda9528 fix: add URL protocol validation and reaction type validation 2026-03-17 17:26:59 +09:00
posimai 9e1a817ed6 chore: initial backup of root config, templates, and server source
Backs up CLAUDE.md, _template/, deploy-server.sh, scripts/, server.js
to posimai-root repository for disaster recovery.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 17:19:20 +09:00