feat: multi-user support, goals editing, shared food library
Multi-user:
- Madiha account with per-user nav visibility
- Dashboard greeting uses actual user display name
- Navbar and MobileTabBar accept visibleApps prop
- Madiha sees: Dashboard, Trips, Fitness, Budget, Media (no Inventory, Reader)

Goals editing:
- Goals page now has Edit Goals mode with inline number inputs
- Saves via PUT /api/fitness/goals
- Shows "No goals set" state for new users

Food library:
- Default view shows all shared foods (not just user's recent)
- Both users see the same food database
- Cleaned up duplicates: archived Eggs (kept Egg), Green Grapes (kept Grapes), duplicate Bellwether Yogurt, Latte Macchiato (kept Madiha's Caramel Latte)

Add to meal buttons:
- "Add to breakfast/lunch/dinner/snack" now focuses the resolve input and sets the meal type so AI logs to the correct meal
97
claude_code_partials_detailed_prompt.txt
Normal file
@@ -0,0 +1,97 @@
|
||||
Work in the `platform` repo and continue from the current remediation state.
|
||||
|
||||
Use Gitea issues as the source of truth:
|
||||
- `#1` umbrella
|
||||
- `#5` Gateway Trust Model
|
||||
- `#8` Dependency Security
|
||||
- `#9` Performance Hardening
|
||||
|
||||
Important instruction:
|
||||
- Do NOT rotate or change the admin password during this pass.
|
||||
- Treat admin password rotation as a final manual ops step after all code and config fixes are complete and verified.
|
||||
- If you mention password rotation in comments or summaries, explicitly mark it as "LAST STEP".
|
||||
|
||||
First, re-verify the repo state before changing anything. Do not trust prior summaries blindly.
|
||||
|
||||
Current verified status:
|
||||
- Completed: `#2`, `#3`, `#4`, `#6`, `#7`, `#10`
|
||||
- Partial: `#5`, `#8`, `#9`
|
||||
|
||||
Remaining work by issue:
|
||||
|
||||
`#5 Gateway Trust Model`
|
||||
Current state:
|
||||
- Token validation is improved and uses protected endpoints.
|
||||
- Inventory `/debug-nocodb` has been removed.
|
||||
- Inventory search sanitization is better.
|
||||
- The gateway still has a service-global trust model for gateway-key services.
|
||||
|
||||
What remains:
|
||||
- Re-check whether the current gateway-key service model is acceptable as-is or should be narrowed further.
|
||||
- If it stays, document it precisely and avoid claiming it was eliminated.
|
||||
- Review inventory and similar internal services for any remaining permissive/debug/admin-style surfaces.
|
||||
- Review whether service-global access should be limited at route level, method level, or by explicit allowlist.
|
||||
- Make sure issue comments and final summary describe the trust model accurately, not optimistically.
|
||||
|
||||
Acceptance bar:
|
||||
- No remaining accidental debug endpoint exposure.
|
||||
- Remaining gateway-key trust assumptions are explicit, minimal, and documented.
|
||||
- No false claim that per-user auth exists where it does not.
|
||||
|
||||
`#8 Dependency Security`
|
||||
Current state:
|
||||
- Budget dependency audit is clean.
|
||||
- `.gitea/workflows/security.yml` exists.
|
||||
|
||||
What remains:
|
||||
- Review the workflow for correctness and realism.
|
||||
- Tighten the workflow if needed so repo-side enforcement is actually meaningful.
|
||||
- Verify whether secret scanning and dependency checks cover the important paths.
|
||||
- Do not mark this issue complete if a Gitea Actions runner is still required for execution.
|
||||
- Clearly separate "repo-side complete" from "operationally active".
|
||||
|
||||
Acceptance bar:
|
||||
- Workflow file is committed and sane.
|
||||
- Remaining runner dependency is clearly documented.
|
||||
- Issue remains partial or blocked if execution infrastructure is missing.
|
||||
|
||||
`#9 Performance Hardening`
|
||||
Current state:
|
||||
- Gateway dashboard response is cached.
|
||||
- Budget summary is cached.
|
||||
- Inventory `/issues` and `/needs-review-count` no longer full-scan all rows.
|
||||
|
||||
What remains:
|
||||
- Re-check inventory endpoints for any other repeated full-table fetches.
|
||||
- Re-check budget endpoints for repeated account fan-out, especially `/transactions/recent`.
|
||||
- If Actual Budget API forces per-account queries, document that constraint explicitly.
|
||||
- Prefer targeted improvements such as short-TTL caching, narrower query windows, or reused lookups over broad refactors.
|
||||
- Do not mark this issue complete unless the remaining hot paths are either fixed or clearly bounded and documented.
|
||||
|
||||
Acceptance bar:
|
||||
- The worst remaining repeated-scan or repeated-fan-out paths are either reduced or documented with clear justification.
|
||||
- Final status does not overstate completion.
|
||||
|
||||
Instructions:
|
||||
- Make minimal, production-oriented fixes.
|
||||
- Preserve unrelated user changes.
|
||||
- After each issue-sized change:
|
||||
- verify it with direct checks
|
||||
- comment on the relevant Gitea issue with:
|
||||
- what changed
|
||||
- files touched
|
||||
- verification performed
|
||||
- what remains
|
||||
- Do not close `#5`, `#8`, or `#9` unless the actual code and behavior support it.
|
||||
- If an issue is still partial, say so directly.
|
||||
- Avoid renaming something and then claiming the underlying architectural concern is solved.
|
||||
|
||||
Manual ops note:
|
||||
- Admin password rotation is intentionally deferred.
|
||||
- If referenced, mark it exactly as: `LAST STEP: rotate admin password after all remaining fixes are complete and verified.`
|
||||
|
||||
Final output format:
|
||||
- `Completed:`
|
||||
- `Partial:`
|
||||
- `Blocked:`
|
||||
- `Manual ops actions:`
|
||||
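Review bot: The whole added file, `claude_code_partials_detailed_prompt.txt`, is an agent work prompt for issues `#5`, `#8` and `#9` and has nothing to do with the commit subject (multi-user support, goals editing, shared food library), so it should go in its own commit or stay out of the tree. The file itself says "Use Gitea issues as the source of truth", yet it duplicates the open security status in a tracked text file, including "The gateway still has a service-global trust model for gateway-key services"; keep that status in the issues so there is one record to update when `#5` changes. The "Important instruction" and "Manual ops note" blocks defer admin password rotation as "LAST STEP", but none of the issues the file lists is named as covering it, so the only record of that pending step is this prompt; add a tracked item with an owner so the rotation is not lost once `#5`, `#8` and `#9` are resolved.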