Sweep 98 `transition-all` occurrences across 62 files and replace with
targeted Tailwind transition utilities. Motivation:
1. `transition-all` animates every property, including CSS custom-
property-backed colours. On first paint the vars may not have
resolved yet, producing the P5 "white-on-white until first
interaction" rendering bug. The same bug hit food/moodlit ListViews
in the earlier theme migration.
2. Specific transitions also perform better — no layout-property
interpolation overhead.
Codemod scripts/migrate-transition-all.mjs classifies each class
attribute by its sibling classes and picks one of:
- `transition-opacity` — icon fade on group-hover
- `transition-[width]` — progress-bar width anim
- `transition-[transform,colors,box-shadow]` — scaled buttons/cards
- `transition-[border-color,box-shadow]` — card hover:border+shadow
- `transition-colors` — default (card/row hover)
91 / 98 auto-classified, 7 hand-migrated:
- EntryItem → transition-[box-shadow] (ring fade)
- NutritionProgressWidget → transition-[stroke-dashoffset,stroke]
- OnboardingModal → transition-[width,background-color]
- times/reports (3×) → transition-[width] / -[height] (bar anims)
- presi/present → transition-[width,background-color] (dots)
svelte-check clean with 0 errors; validate:all green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reader page is now a proper distraction-free reading surface instead
of a padded card inside the (app) layout.
Layout:
- .detail-shell breaks out of the (app) layout's padded + max-width
container via the 100vw + negative-margin-X trick, and additionally
cancels the vertical padding (<main pt-2> + inner py-2) plus the
bottom-chrome reservation. The reader theme therefore paints
edge-to-edge including behind the PillNav. No more island-in-a-sea
look.
- Initial theme (light/sepia/dark) mirrors the global Mana theme at
mount time by checking document.documentElement.classList.dark — so
opening an article from a dark-mode app no longer flashes a white
reader. User can still override per-article via the swatches.
Toolbar unification:
- Old two-bar layout (top: back + typography, bottom: actions) fused
into one floating pill-bar at the bottom. Three groups divided by
vertical rules: nav | typography | actions. flex-wrap handles narrow
screens gracefully.
- position: fixed + bottom: calc(--bottom-chrome-height + 1rem) so the
bar floats above Mana's PillNav without overlap. The CSS var comes
from <main>'s style attribute and cascades even into fixed
descendants.
- backdrop-filter: blur(10px) + theme-specific semi-transparent
background so the bar feels aerial, not docked.
- Custom CSS tooltips on every button (data-tip attribute + ::after
pseudo). Replaces the native `title` attribute which has a ~1s delay
and inherits OS chrome. Tooltip bubble colors adapt to the active
reader theme. aria-label stays for screen-readers.
- Active-state swatches get an outline-ring instead of a background-
swap so the chip color stays visible as a theme-preview.
Spacing:
- meta-bar margin-top: 1.5rem → 4rem — clearer separation between the
viewport edge and the article title.
- ReaderView padding-bottom: 4rem → 14rem — last paragraph no longer
visually attaches to the floating bar when scrolled to the end;
there's a proper "you've reached the end" gap.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three intertwined improvements so the "save an article" flow actually
works on real-world sites, not just bloggy happy-path URLs.
=== Consent-wall detection ===
apps/api/src/modules/articles/routes.ts: the /extract response now
includes `warning: 'probable_consent_wall'` when the extracted text
is both short (<300 words) AND contains cookie-dialog vocabulary
(Cookies zustimmen / cookie consent / Zustimmung / accept all cookies
/ enable javascript / privacy center / Datenschutzeinstellungen). The
server still returns whatever it got so the client can decide; it just
flags it as probably-not-the-article.
Frontend surfaces that warning prominently instead of silently
persisting a "Cookies zustimmen…" blob as the article body.
=== Browser-HTML extract path ===
Server-side: new POST /api/v1/articles/extract/html endpoint accepting
{ url, html }, running @mana/shared-rss's extractFromHtml on the
caller-supplied HTML. 10 MiB payload cap. Same response shape as
/extract, including the consent-wall warning (in case the bookmarklet
fires before the user dismisses the dialog).
Client-side: new extractFromHtml() in api.ts with the same 25s
timeout + typed network-error mapping as extractArticle.
AddUrlForm gains a postMessage handshake: when loaded with
?source=bookmarklet, it posts `mana-ready` to window.opener and
listens one-shot for `mana-html` with { url, html, title } from the
opener's tab. The HTML goes straight to our own /extract/html
endpoint — same-origin, carries the user's auth cookie. No CORS, no
form-submission CSP tango, no cross-origin token smuggling. If
nothing arrives within 30s we surface a clear error instead of
hanging.
Settings page adds a second "browser-HTML" bookmarklet (marked as
"Empfohlen") alongside the legacy URL bookmarklet. New snippet opens
/articles/add?source=bookmarklet in a new tab, waits for mana-ready,
then postMessages the tab's documentElement.outerHTML over. 15s
safety timeout.
This bypasses cookie-consent walls and soft paywalls because the
HTML already comes from the user's own authenticated, consented
browser tab.
=== Auto-save after successful extract ===
Previously every save path had a two-click UX: preview → confirm.
Now on clean extract the preview skips straight to persist + navigate
to the reader. Consent-wall warning is the only fallback that pauses
the flow — the user gets a "Trotzdem speichern" button to opt into
saving a teaser anyway.
Button in the manual input row is renamed "Vorschau abrufen" → "Speichern"
since it's now the commit action, not the inspect action. Loading-block
messaging distinguishes "Server extrahiert…" vs "Speichere in deine
Leseliste… Gleich weiter zum Reader."
Net click count:
Bookmarklet v1/v2 on working site: 2 clicks → 1 click
Manual paste: 2 clicks → 1 click
Consent-wall fallback: 2 clicks (explicit "Trotzdem")
Duplicate: 2 clicks ("Zum gespeicherten
Artikel")
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace raw white-alpha Tailwind utilities across the last 12 module
ListViews that were flagged by validate-theme-tokens: citycorners,
guides, inventory, memoro, picture, plants, playground, presi,
questions, times, uload, who. Also replace semantic color hex/names
(bg-yellow-500/20, bg-green-400, text-blue-400, bg-teal-600, etc.)
with success/warning/error/primary tokens.
Per-deck brand colors in who/ListView (#a855f7 purple/historical,
#ec4899 pink/women, #f59e0b amber/antiquity, #0ea5e9 blue/inventors)
stay as hex — those are domain semantics, not theme intent.
Wire validate:theme-tokens into validate:all so future regressions
fail the local pre-push gate. All 76 module ListViews now pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace raw white-alpha Tailwind utilities (text-white/x, bg-white/x,
border-white/x) with canonical theme tokens (text-foreground, bg-muted,
border-border, etc.) in cards, context, food, moodlit, storage, music
ListViews. Replace hardcoded hex badge/dot/phase colors in ai-missions
with success/warning/error/primary tokens.
Fix two transition-all bugs (food:160, moodlit:223) that prevented CSS
custom property colors from resolving on first paint under theme switches.
Add scripts/validate-theme-tokens.mjs to prevent regression; run via
pnpm run validate:theme-tokens. Not yet in validate:all — 12 modules
still use raw white utilities (citycorners, guides, inventory, memoro,
picture, plants, playground, presi, questions, times, uload, who).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
User feedback: four separate admin cards (admin-users, admin-system,
admin-user-data + admin) bloated the scene-picker without adding value
— they're one logical power-user surface split four ways. Fuse them
into a single admin card with an internal tab switcher.
- lib/modules/admin/tabs/{Overview,Users,System,UserData}Tab.svelte —
each tab owns its own data + styles
- lib/modules/admin/ListView.svelte is now a tabbed container: one
role-guard, one pill-row, deep-linkable via `initialTab` prop
- /admin, /admin/users, /admin/system, /admin/user-data routes pass
the corresponding initialTab so direct URLs still land on the right
section
- Delete lib/modules/admin-{users,system,user-data}/ + three
registerApp entries
- Complexity stays a separate card (different shape — iframe-heavy,
was already its own card before this batch)
Smoketest: all 5 /admin/* routes respond 200; type-check clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
User feedback: per-module settings/preferences as separate workbench
cards bloats the scene-picker with rarely-used configuration surfaces.
Cards are for daily workflows; one-time config belongs in routes that
open from the parent module's ⚙ button.
- Inline the ListView content back into each /settings route
- Delete lib/modules/{broadcast-settings,invoices-settings,uload-settings,news-preferences}/
- Remove the four registerApp entries
Kept: spaces card (operative member management, daily use).
Deferred: admin-* cards will fuse into a single admin card with tabs
in a follow-up commit, since merging 4 power-user surfaces into tabs
is a different shape than deleting settings cards.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Back-navigating from an article detail view to the list and into the
same article again crashed with
TypeError: Cannot read properties of null (reading 'removeEventListener')
Sequence that triggered it:
1. ReaderView unmounts, its own $effect cleanup calls onscroller(null).
2. DetailView sets readerScroller = null.
3. HighlightLayer's prop `scroller` becomes null.
4. The old $effect's teardown fires and reads `scroller` — which now
points at null instead of the element it had attached listeners to.
5. null.removeEventListener(...) throws, Svelte can't finish tearing
down the tree, and the re-mount never happens.
Fix: snapshot the element reference at setup time so the teardown uses
the same element the setup used, regardless of what the reactive prop
is currently pointing at. Comment block in the file explains the trap
so a future cleanup doesn't re-introduce it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Now that every /admin/* page is a thin wrapper over a workbench card,
the layout's nav tabs are redundant with the workbench's own scene
navigation. The heading + tab strip were also duplicating chrome that
each card now owns.
- Layout shrinks to an auth guard: redirect non-admins, gate-screen if
the session is not yet initialized.
- /admin/+page.svelte now wraps the existing admin module ListView
instead of duplicating its stats/security/quick-links grid.
Smoketested: all 11 /admin/* and settings routes respond 200 with
clean SSR output; type-check clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
useStats() live-query aggregates total / per-status / savedThisWeek /
finishedThisWeek / topSites / totalHighlights in one scoped Dexie pass.
useAllHighlights() joins cross-article highlights with article-header
info (title, siteName, originalUrl) for rendering.
/articles/highlights — HighlightsView groups chronologically-sorted
highlights per article with color-accented stripes, click-to-reader
jumps, and two export actions:
- Copy as Markdown (clipboard)
- Download .md (file)
Export logic lives in lib/markdown-export.ts as a pure function
(renderHighlightsMarkdown) so future snapshot tests don't need the
render tree.
Dashboard widget: ArticlesUnreadWidget mirrors NewsUnreadWidget's
pattern — self-contained live query, top-3 unread/reading, stats
strip ("N ungelesen · M diese Woche gespeichert"), empty state
CTA to /articles/add. Registered in:
- lib/types/dashboard.ts (WidgetType union + WIDGET_REGISTRY)
- lib/components/dashboard/widget-registry.ts (component map)
- lib/i18n/locales/dashboard/{de,en}.json (translations)
fr/it/es intentionally left untranslated — consistent with how
invoices_open and broadcasts are handled.
ListView gains a pencil button next to the settings gear linking
to /articles/highlights.
Also: plan doc marks M7 + M8 done with commit refs; M1–M8 scope is
now complete.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mana/shared-pwa gains PWAShareTarget + PWAShareTargetParams types
plus ManifestConfig.share_target pass-through. createPWAConfig now
accepts an optional `shareTarget` and threads it into the generated
manifest. Other apps keep working unchanged — the field is omitted
unless set.
Web app wiring:
- vite.config.ts passes shareTarget: { action: '/articles/add',
method: 'GET', params: { title, text, url } } so the installed PWA
shows up as a destination in the Android / Chromium share sheet.
- AddUrlForm reads ?url / ?text / ?title in onMount; falls back to
the first URL-shaped token in ?text because some senders (Chrome
Android, WhatsApp) put the shared link there instead of ?url. When
a URL is pre-filled the Readability preview auto-triggers, so the
user just hits "In Leseliste speichern" to confirm.
- New /articles/settings route hosts the bookmarklet (drag-to-
bookmarks-bar button + copy-to-clipboard + expandable snippet
viewer) and a short Share-Target explainer with an iOS-Safari
caveat. Linked from the ListView via a new gear button next to
"+ Neu speichern".
Bookmarklet form (origin-prefixed so it works across tenants):
javascript:void(window.open('${origin}/articles/add?url='+…))
Not in scope (plan marked optional): _pendingUrls offline queue.
Share without internet shows the existing error + retry state today;
can slot in as M7b if users hit it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
shared-types/src/index.ts re-exports with explicit .ts extensions
(Tailwind v4 module resolver needs them). TS 5.7 requires consumers
to opt in via allowImportingTsExtensions. The flag only type-checks
when noEmit:true; the NestJS builder also needs
rewriteRelativeImportExtensions so tsc still emits valid JS.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Convert 8 admin/settings subroutes into scene-droppable workbench cards
so users can arrange them alongside other modules instead of navigating
to dedicated subroutes.
Admin cards (admin-role-gated inline, fallback gate-screen for non-admins):
- admin-users: user search + paginated table
- admin-system: service-health grid + monitoring links + env info
- admin-user-data: API-backed user browser (detail route stays)
- admin-complexity: route now wraps the existing complexity card
Module-settings cards (wrap existing form components where available):
- broadcast-settings, invoices-settings: wrap SettingsForm / SenderProfileForm
- uload-settings: data-stats + JSON export + clear-local-data danger zone
- news-preferences: topics/languages/weights/onboarding reset
All 8 subroutes reduced to 10-line ListView wrappers; admin layout
keeps the role guard so the routes are still gated on direct access.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Extract member management from /spaces/members into a reusable
workbench-card ListView so users can drop the surface into any scene.
- lib/modules/spaces/ListView.svelte — hint + invite + members + pending
invitations, all theme-token driven
- APP_ICONS.spaces icon (three-silhouette cluster, teal→indigo)
- MANA_APPS entry id=spaces (beta tier, shared-space management)
- registerApp({ id: 'spaces' }) so the card is scene-droppable
- /spaces/+page.svelte as the new canonical route wrapper
- /spaces/members/+page.svelte kept as legacy alias
- SpaceSwitcher menu now links to /spaces
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Five new entries in AI_TOOL_CATALOG (shared-ai/src/tools/schemas.ts):
list_articles auto Read-only listing with status +
query filter. Default hides
archived; 'all' includes them.
save_article propose URL → Readability → encrypted save.
Delegates to articlesStore.saveFromUrl
which already handles scope-aware
dedupe. Duplicates surface as
success:true with duplicate:true.
archive_article propose setStatus('archived') after
scoped existence check.
tag_article propose Case-insensitive dedupe over
globalTags; tagMutations.createTag
fills in when missing. Junction
write via articleTagOps.addTag.
add_article_highlight propose Snaps to the first verbatim
occurrence of `text` in the
decrypted article.content. Fails
cleanly when the snippet isn't
found — no orphan highlights.
Policy, client executor, and server planner derive automatically from
the catalog (see root CLAUDE.md §"AI Tool Catalog") so no manual
registration in policy.ts / services/mana-ai is needed.
Skipped from the M6 plan: <AiProposalInbox module="articles" />. The
component doesn't exist in the current codebase — after the
pendingProposals-table drop in Dexie v29 the inbox surface moved to
the mission-detail cross-module view, and articles proposals show up
there automatically. Documented in docs/plans/articles-module.md.
Also updated: plan doc now marks M1–M6 as DONE with commit refs and
the next-step pointer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
M4 — Tags + Filter:
- queries.ts: useArticleTagIds(id) + batched useArticleTagMap(ids)
live queries against articleTagOps (the junction into globalTags).
- DetailView: TagField from @mana/shared-ui with the global tag pool +
this article's selected ids; onChange fans out through
articleTagOps.setTags, which diffs add/remove internally.
- ListView: 6 filter chips (Alle | Ungelesen | In Arbeit | Gelesen |
Favoriten | Archiv) with live counts. Archived articles are hidden
from the "Alle" view and only surface under the Archiv filter. Tag
chips render inline on each card using the batched tag map + the
global tag pool for colour lookup.
M5 — Migration + news deprecation:
- modules/articles/migrations/from-news.ts: boot-gated migration (per-
device localStorage sentinel). Reads newsArticles with type='saved',
decrypts under the newsArticles allowlist, re-encrypts under the
articles allowlist, and copies into the articles table. Status maps
isArchived→archived, isRead→finished, else unread. Source rows get
soft-deleted so the sync engine removes them from other devices.
Ran after crypto init (from (app)/+layout.svelte boot block), not
in the Dexie .upgrade() hook, because the decrypt→re-encrypt round-
trip needs Web Crypto + the master key.
- news/stores/articles.svelte.ts: removed saveFromUrl — ad-hoc URL
saves now live in the articles module.
- news/api.ts: removed extractFromUrl helper + ExtractedArticleDto.
The /api/v1/news/extract/* routes stay in apps/api for now because
news-research still hits them for RSS discovery.
- news/index.ts: dropped the extractFromUrl re-export.
- news/tools.ts: the save_news_article AI tool keeps its name (so
historic Mission iterations in the DB still resolve) but its
execute body now routes through the articles module's saveFromUrl.
- routes/(app)/news/add + /news/saved: replaced with single-shot
redirects to /articles/add and /articles respectively.
- news-research ListView + page: "Speichern" buttons now route to
the articles module and navigate to /articles/[id] on success.
Plan: docs/plans/articles-module.md. M6 (AI tools + proposal inbox),
M7 (share target + bookmarklet), M8 (highlights view + stats) open.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three modules move from "dedicated route only" to "first-class
apps in the launcher". After this they show up in the AppDrawer
pill, can be pinned to workbench scenes, and get a direct URL from
the app switcher.
MANA_APPS entries added:
- agents (/agents) — AI agent management. Icon: smiling robot head
with antenna dot. violet→fuchsia gradient, status
beta, requiredTier beta.
- timeline (/timeline) — Chronological view across modules. Icon: vertical
event dots with connecting axis. amber→orange,
status beta, requiredTier beta.
Plus: broadcast's MANA_APPS entry already existed but had no URL
override, so the auto-derived /broadcast didn't match the real route
at /broadcasts. Added an APP_URL_OVERRIDES entry mapping
id='broadcast' → '/broadcasts' so the app switcher lands the user on
the right page. Icon + module.config stay singular.
Route wiring:
- /agents previously only had /agents/templates/ as a subroute. Added
/agents/+page.svelte that renders the existing ai-agents ListView
(at $lib/modules/ai-agents/), so the top-level URL works from the
AppDrawer.
- /timeline already had a root +page.svelte — no work there.
- /broadcasts already had a root +page.svelte — no work there.
/spaces/members page chrome:
- Swapped the hand-rolled header for @mana/shared-ui PageHeader with
backHref="/", breadcrumb "Workbench › Mitglieder verwalten", and the
space name + type as the description. Feels like a native Mana page
now instead of an orphaned admin route.
- Dropped the ~60 lines of unused .type-chip CSS (moved the chip info
into the PageHeader description string).
- Container bumped to 720px max-width to match other admin pages.
0 errors across 7236 files.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pocket-style module for saving arbitrary web URLs, extracting readable
content server-side via @mana/shared-rss (Readability + JSDOM), and
storing it AES-GCM encrypted in IndexedDB for offline reading.
M1 skeleton: Dexie v33 (articles, articleHighlights, articleTags),
crypto registry entries, module registration, app-registry entry with
orange icon, empty-state ListView. articleTags is a pure junction
into the existing globalTags system (appId 'tags') — same pattern as
noteTags, eventTags, placeTags.
M2 URL save + reader: POST /api/v1/articles/extract (one endpoint,
not two — client caches the preview payload to avoid a double
server fetch). AddUrlForm with scope-aware dedupe, DetailView with
ReaderView typography shell (serif/sans, light/sepia/dark, size
slider), auto-tracked reading progress with scroll restore.
M3 highlights: TreeWalker-based plain-text offset resolution
(lib/offsets.ts), highlights store, floating HighlightMenu with
create + edit modes, HighlightLayer orchestrator that wraps/unwraps
highlight spans whenever highlights or htmlVersion changes. Four
colours (yellow/green/blue/pink), optional notes, click-to-edit,
dark-mode-aware overlay colours.
Drive-by: removed stale 'pendingProposals' entry from the plaintext
allowlist — the table was dropped in Dexie v29 and the allowlist
audit was flagging it as a dead entry.
Plan: docs/plans/articles-module.md. M4 (tags + filter + progress),
M5 (news:type='saved' migration), M6 (AI tools), M7 (share target),
M8 (highlights view + stats) still open.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Members page had the same bug as SpaceCreateDialog before its rewrite:
var(--color-surface-1, white) and friends with hardcoded white
fallbacks meant the panels, inputs, and member rows rendered as
blazing-white boxes in dark mode, with the member name going invisible
(white-on-white) and the header chips losing contrast.
Rewrote the stylesheet to mirror @mana/shared-ui Pill conventions:
- hsl(var(--color-card|background|foreground|border|muted)) throughout
- per-type chip colors get a :global(.dark) variant with inverted
lightness so Memoro's MARKE badge reads in both themes
- panels use --color-card + border + subtle shadow (matches Pill)
- inputs use --color-input with --color-background fallback + a
primary-tinted focus ring (box-shadow color-mix)
- buttons use --color-primary with --color-primary-foreground
- member rows use --color-muted with a half-opacity border
- remove-btn hover uses color-mix so the red accent matches the theme
- error / success messages get dark-mode color pairs
Also tightened the page:
- Container padding bumped to breathe against the PillNav chrome.
- h2 "Einladen" / "Mitglieder" are small uppercase labels now — they
were invisible before and the chunky headline size competed with
the page title.
- Member row min-width + ellipsis so long names don't push the role
badge off the right edge.
0 errors across 7234 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switching to a non-personal space then refreshing reverted to Personal:
GET http://localhost:3001/api/auth/organization/get-active-member
→ 400 Bad Request (NO_ACTIVE_ORGANIZATION)
Dev-mode cross-origin + SameSite=Lax means the Set-Cookie from Better
Auth's /organization/set-active response is quietly dropped by the
browser. The server's session record never gets activeOrganizationId
updated, so on the next page load get-active-member throws BAD_REQUEST
with NO_ACTIVE_ORGANIZATION — and my fallback promoted Personal,
reverting the user's explicit choice.
Fix: client-side localStorage hint that mirrors the server preference.
loadActiveSpace():
1. Ask the server (get-active-member) — trust it if it knows the org.
2. Otherwise fetch the org list + read the hint from localStorage.
If the hint matches an org the user is actually a member of, call
set-active again to re-sync the server and use that org.
3. Only fall back to Personal when there's no hint (truly fresh
session or first-login).
writeActiveSpaceHint() is called from:
- SpaceSwitcher.switchTo() — on explicit switch.
- SpaceCreateDialog — on successful create (the user just chose it).
- accept-invitation — on accept (user opted in to the new space).
- loadActiveSpace() itself — after any successful resolve, so the
hint stays current.
Exported from $lib/data/scope so additional flows (admin tools,
future delete-space) can keep it in sync.
Production impact: once COOKIE_DOMAIN=.mana.how is set with
SameSite=None+Secure, the server cookie takes precedence and the
hint is redundant but harmless.
0 errors across 7234 files.
Plan: docs/plans/spaces-foundation.md
SSR 500'd on every (app)/* route with:
TypeError: Cannot read properties of undefined (reading 'table')
at apps/mana/apps/web/src/lib/modules/meditate/collections.ts:13:39
at async eval (.../meditate/stores/meditate.svelte.ts:...)
Root cause: ai/missions/setup.ts had static side-effect imports of
meditate/habits/goals seed modules. Each seed module transitively
imports its module's collections.ts, which does `db.table(...)` at
module-eval time. During SSR, Vite's module-runner evaluates imports
depth-first — the seed imports race database.ts's own eager
dependency eval, observe `db` as still-undefined (live-binding in
the middle of a circular chain), and crash.
Fix: replace the three `import '$lib/modules/<X>/seed'` side-effect
imports with a single async `ensureSeedsRegistered()` that dynamic-
imports them, guarded by the `browser` flag so SSR never touches
them. Called fire-and-forget from `startMissionTick` (which is
itself client-only via the onMount wrapping in +layout.svelte), so
template applicators still see the registry populated before they
need it.
Net effect:
- SSR chain for any (app)/* route no longer touches meditate/habits/
goals collections.ts → no db-undefined race.
- Browser behavior unchanged: seeds register at the first mission
tick, just like before, before any template applier runs.
Verified: after HMR/manual cache-bust, curl / returns 200 in place
of the previous 500. Type-check 0 errors across 7230 files.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the last plan milestone. Users can verify their sending-domain
setup without leaving the broadcast settings page.
Server (mana-mail)
- services/dns-check.ts: parseSpf / parseDkim / parseDmarc are pure
functions. SPF accepts include:<mailDomain>, flags weak (+all) and
wrong (include missing) and multi-record (RFC 7208 §3.2). DKIM
needs v=DKIM1 + a p= public-key segment. DMARC requires v=DMARC1,
flags p=none as weak (monitoring only), ok on quarantine/reject.
All three are case-insensitive.
- lookupTxt(): DNS-over-HTTPS against Cloudflare 1.1.1.1 — avoids
the Bun/container udp-resolver flakiness and works everywhere.
Multi-string TXT (`"a" "b"`) get concatenated before parsing.
- checkDomain(): one call, three parallel DoH lookups, returns a
structured result with suggested copy-paste records scoped to the
user's actual mail domain from config.
- Route: GET /v1/mail/dns-check?domain=&selector= (JWT auth). Zod
validates the domain looks sensible before hitting DoH.
- 16 unit tests covering all three parsers + multi-record edge case.
Client
- api.ts: runDnsCheck(domain, selector?) helper with typed result.
- components/DnsCheckBanner.svelte: derives domain from the default
from-email (after @), calls the check on-demand, renders per-record
status chips (ok / weak / wrong / missing) with messages, exposes
copy-pasteable SPF + DMARC records when anything's off. DKIM setup
is provider-specific so we show a hint rather than a canned record.
Last-check timestamp persists to settings.dnsCheck so the banner
survives a reload without re-hitting the API.
- Wired into SettingsForm between Impressum and Standard-Footer —
where the user is already thinking about "what's required to
actually send".
All checks clean:
- webapp pnpm check: 0 broadcast errors (4 pre-existing articles errors
from parallel Spaces work, unrelated)
- mana-mail tests: 36/36 across tracking-token + link-rewriter + dns-check
- mana-mail build: 2.51 MB (+8 KB for juice — dns-check itself is ~3 KB)
Plan: docs/plans/broadcast-module.md §M8. All 10 milestones now done.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the M7/M9/M10 plan items in one pass since they share patterns.
ListView (M7)
- 4 stats cards at the top: versendet YTD, Ø Öffnungsrate, Ø Klickrate,
Entwürfe. Same layout pattern as invoices for consistency.
- Status filter chips with live counts per status.
- Search across name + subject.
- Row now shows open-rate per-campaign when available.
- Settings gear in the header matches the invoices polish.
Dashboard widget (M10)
- BroadcastsWidget.svelte: 2x stats (sent YTD + avg open rate), next
scheduled link, last sent link with open-rate badge. Empty state
nudges toward creating a first campaign.
- Registered as 'broadcasts' in WIDGET_REGISTRY and the component map.
- Medium default size, no requiredBackend (reads from Dexie only;
stats are mirrored from the last DetailView poll so no server
round-trip for the widget).
AI tools (M9)
- 3 tools added to @mana/shared-ai's AI_TOOL_CATALOG:
- create_campaign_draft (propose) — generates HTML body from a
topic, lands as a draft; user picks audience + sends via UI
- list_campaigns (auto) — id/name/subject/status/recipients
- get_campaign_stats (auto) — rates as 0..1 floats
- broadcast/tools.ts: execute handlers with an HTML→CampaignContent
shim (stores both html and a minimal Tiptap JSON placeholder so
ListView renders without the editor having to remount). stripHtml
helper derives plaintext.
- Registered in data/tools/init.ts after library.
Suggest-style tools (suggest_subject_lines) deliberately omitted —
they're pure generative and don't need an executor. The LLM can
produce subject ideas without a tool call.
Verified:
- pnpm check: 0 broadcast errors (4 pre-existing errors in articles
module from parallel work, not mine)
- shared-ai test suite: 44/44 green (function-schema roundtrips the
expanded catalog cleanly)
- mana-ai drift guard: 41/41 green
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two visible bugs on the Neuer-Space dialog in dark mode:
1. Type cards were invisible except for the active one. The CSS used
`var(--color-border, hsl(0 0% 88%))` — a CSS variable without HSL
wrapping. The theme system actually uses shadcn-style raw values
(e.g. `--color-border: 0 0% 88%`) that need to be wrapped with
`hsl(...)` at use-site. Without the wrap the border was undefined,
and the card fell back to "no border and no background" = loose
text on the dialog.
2. Input fields (Name, URL-Kürzel, Brand-Voice) rendered with a
hard-coded white fallback because `var(--color-surface-1, white)`
ignored the theme token in dark mode. Same wrapping issue as #1.
Rewrote the dialog stylesheet to use the `hsl(var(--color-X))` pattern
consistently — mirroring @mana/shared-ui Pill.svelte, which does work
in both modes. Adjacent polish:
- Every type card now has border + subtle background in all states;
hover lifts it; active uses color-mix with --pill-primary-color so
it picks up the current theme variant's accent.
- Input fields use --color-input (shadcn standard) with --color-background
fallback, with a primary-tinted focus ring.
- Section labels (legend, field > span) styled as small uppercase
labels matching other form conventions.
- Backdrop is a bit darker and gets an extra alpha bump in dark mode.
- Error panel uses color-mix so it blends into dark mode instead of
showing a bright light-red panel.
- Buttons use --color-primary with --color-primary-foreground for the
text, with a small brightness filter on hover.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the "could actually dogfood" gap: legal address can be set,
sent campaigns have a proper view with live stats, and the send path
respects DSGVO.
Webapp
- components/SettingsForm.svelte: sender defaults + Impressum (required,
highlighted amber until filled) + footer. Matches the invoices
SenderProfileForm pattern — immediate save, dedicated section per
concern.
- /broadcasts/settings/+page.svelte: mounts the form. ComposeView step
3's "Einstellungen öffnen" CTA now lands somewhere.
- views/DetailView.svelte: read-only view for sent/scheduled/cancelled
campaigns. 5-card stats grid (sent, open, click, bounce, unsub) with
rate percentages. Polls mana-mail every 30s for up to 30 min after
mount, persists back to Dexie via applyServerStatus so the list view
+ widget catch up. Includes a preview of the actual rendered campaign
so "what went out" is visible after the fact.
- /broadcasts/[id]/+page.svelte: DetailView for non-drafts; drafts
bounce to /edit via $effect-triggered goto.
- ListView row-click now routes by status (draft → edit, else → detail).
mana-mail compliance
- Orchestrator loadUnsubscribedEmails(): queries broadcast.sends WHERE
status='unsubscribed' scoped to the user, filters the recipient list
BEFORE any send rows get written. Campaign's totalRecipients reflects
the post-skip count so open rates aren't inflated by "virtual sends".
Skipped count surfaces in result.errors for the UI to show.
- jmap-client.submitEmail: new extraHeaders param. Sets custom headers
via JMAP's `header:<Name>:asText` property convention.
- Orchestrator sets RFC 8058 headers per recipient:
List-Unsubscribe: <https://.../track/unsubscribe/{token}>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
This is what makes Gmail / Apple Mail show their native "Abmelden"
button in the message header (not just a body link).
All checks clean: 0 TS errors, 37/37 webapp tests, 9/9 tracking-token
tests, mana-mail bun build = 2.50 MB.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Opening the Space-Switcher threw "process is not defined" because the
missing-injection fallback inside the browser branch returned early
only when the injected URL was truthy, then fell through to a
`process.env.PUBLIC_MANA_AUTH_URL` read. `process` doesn't exist in
the browser, so empty injection = ReferenceError.
Fix: the browser branch now always returns (injected or localhost:3001
fallback) without touching `process`. The env-var read stays inside
the SSR path and is further guarded by `typeof process !== 'undefined'`
so a future change can't regress.
0 errors across 7203 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
End-to-end send path lives: click "Jetzt senden" in step 4 → client
resolves recipients → POST /v1/mail/bulk-send → mana-mail loops through
JMAP with per-recipient signed URLs → status flips draft → sent.
mana-mail (backend)
- New Postgres schema `broadcast.{campaigns,sends,events}` in Drizzle.
Campaigns + sends keyed on the webapp's local ids so joins are free;
events append-only with send_id FK, dedup at query-time not write-time
so tracking pixel hits don't contend on a transaction.
- tracking-token.ts: HMAC-SHA256 over JSON({campaignId, sendId, nonce}),
base64url.base64url encoded. JSON inner payload instead of delimiter
splits so IDs can contain any character. timingSafeEqual for the HMAC
comparison. 9 unit tests covering roundtrip / tamper / malformed.
- broadcast-orchestrator.ts: takes pre-resolved recipient list, inlines
CSS once via juice (webResources.images=false so no external fetches
slow the loop), per-recipient substitutes `{{unsubscribe_url}}` /
`{{web_view_url}}` + injects open pixel, submits each mail through
the user's own JMAP account. Writes sends rows first (status=queued)
so a crash mid-loop leaves truthful DB state. Returns aggregate
stats + per-email errors.
- Routes: POST /v1/mail/bulk-send (JWT, cap at 5000 recipients via
zod + config), GET /v1/mail/campaigns/:id/events (JWT, aggregates
opens + clicks + unsubscribes with COUNT DISTINCT for the "unique"
metric), GET/POST /v1/track/{open,click,unsubscribe}/:token (public,
no auth, signed URL is the only gate).
- Track routes mounted OUTSIDE /api/v1/mail/* because the JWT
middleware guards that subtree — recipients aren't logged in.
- Config: BROADCAST_TRACKING_SECRET (separate from SERVICE_KEY so the
blast radius of a leak stays narrow),
BROADCAST_MAX_RECIPIENTS_PER_CAMPAIGN (default 5000),
BROADCAST_MAX_RECIPIENTS_PER_HOUR (default 500, not yet enforced).
- Added juice@^11 dependency.
Webapp (client)
- api.ts: sendCampaign() resolves the audience from Dexie contacts,
renders the full email HTML + plaintext with placeholders, POSTs to
mana-mail. Contacts NEVER leave the client decrypted — the server
only sees the flat recipient list the user's client produced.
- fetchCampaignStats() for M7 dashboard/detail polling.
- ComposeView step 4 replaced: confirmation modal with "sicher?"
question, sending state with spinner, done state with delivered
count + expandable per-email error list + "Zur Übersicht" button.
- Status transitions to 'sent' with cached stats after successful
send via applyServerStatus.
Known M4 gaps (fill in M5)
- Open/click/unsubscribe track endpoints return valid responses but
event dedup is rough — one insert per hit, dedup at query time
only. M5 adds windowed IP-hash dedup.
- Synchronous send loop. 100 recipients ≈ 15s blocking. M5/M6 moves
this to an async job queue with SSE progress.
- Each recipient generates a "Sent" folder entry in the user's
Stalwart mailbox. Fine for 50-recipient newsletters, silly for
5000. Phase 2 carves out a dedicated broadcast mailbox.
Plan: docs/plans/broadcast-module.md §M4.
Next: M5 open/click tracking with dedup + rate-limits.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All the Space-UI fetches were using relative `/api/auth/...` paths,
which hit the SvelteKit dev server (port 5173) — where those routes
don't exist — and 404'd. The web app has no `/api/auth` proxy; every
Better Auth call must go direct to mana-auth (port 3001 in dev).
Root cause parallels how packages/shared-auth/authService already
works: it builds `${authBaseUrl}/api/auth/...` against
window.__PUBLIC_MANA_AUTH_URL__ or the env fallback.
Fix:
- New helper $lib/data/scope/auth-fetch.ts exposes authFetch(path, init)
that prepends the auth base URL and includes credentials by default.
Same resolution order as shared-auth's authService (injected global,
env, localhost:3001 fallback).
- Updated every organization-endpoint caller to use authFetch:
active-space.svelte.ts (list, get-active-member, set-active)
SpaceSwitcher (list, set-active)
SpaceCreateDialog (create, set-active)
accept-invitation page (get-invitation, accept, reject)
/spaces/members page (list-members, list-invitations, invite-member,
cancel-invitation, remove-member)
- active-space now treats Better Auth's 400 as "no active org" too
(not just 404) so the bootstrap falls through to auto-activation.
Trusted origins already include http://localhost:5173 — no CORS change.
0 errors across 7203 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Library module had no AI tool coverage post the M1 skeleton. Adds
four tools so the agent can curate the reading/watch list alongside
other modules:
- create_library_entry (propose) — books/movies/series/comics with
creators, year, status, rating, tags, genres. Default status
"planned" covers the most common flow ("add to watchlist").
- update_library_entry_status (propose) — status transitions
planned → active → completed (also paused / dropped). Auto-
stamps startedAt/completedAt on the matching transitions so the
existing Dexie projections (streaks, progress) fire correctly.
- rate_library_entry (propose) — 1-5 stars, thin wrapper over the
store's rate() method.
- list_library_entries (auto) — id/kind/title/status/rating/year,
filterable by kind + status.
Coverage table in apps/mana/CLAUDE.md updated (+library, +invoices
row that wasn't listed). Total now 67 tools / 21 modules.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two problems made the switcher unusable inside the PillNav:
1. Menu was getting clipped — .pill-nav-container has overflow-x: auto,
which hides any position: absolute child that extends past the bar.
Switched to position: fixed with getBoundingClientRect coordinates
(same pattern @mana/shared-ui PillDropdown uses). Menu now escapes
the bar container cleanly and opens upward on the viewport.
2. Trigger and menu didn't match Pill design tokens. Rewrote the
styles to mirror Pill.svelte: pill-shaped 36px height, box-shadow,
hsl(var(--color-card)) background, hsl(var(--color-border)) border,
active-state color-mix with --pill-primary-color, dark-mode variant.
Other polish:
- Replaced per-type colored backgrounds with a small type-dot + a
proper type-label chip inside each menu row. Matches the tone of the
type chips used elsewhere, and the chip adapts to dark mode.
- Full-viewport backdrop button captures click-outside at z=1500.
- Menu z=1501, create dialog z=1601 so the stack is well-ordered
(PillNav=1000, menu=1501, dialog=1601).
- Chevron rotates on open (matches other PillDropdown affordances).
- Resize/scroll listeners reposition the menu while it's open so the
anchoring survives layout changes.
- SpaceCreateDialog's backdrop + dialog z-index bumped from 200/201
to 1600/1601 so it sits above the menu that spawned it.
0 errors across 7201 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The timeline is now the primary AI-review surface post function-
calling migration — a handful of ergonomics tweaks so scanning a
day's AI activity is less friction.
- Time-range toggle (24h / 7T / alle) right-aligned in the filter
row. Default stays `alle` so nothing changes for users who want
everything. Client-side filter — over-fetch already caps at 500.
- Each bucket shows an event-count pill next to the mission title
("8 Änderungen in dieser Iteration"), so the reader sees the
weight of an iteration before expanding.
- Revert button: slightly bigger, label reads "Rückgängig" instead
of "Revert" (matches the rest of the German UI), bold icon, hover
highlights with a softer red tuned to the theme-token palette.
No logic changes to the revert or bucketing code.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Repositions the switcher from its floating spot in the top right of
the workbench into the bottom-fixed PillNav so it sits with the rest
of the nav chrome. Matches how every other persistent nav control
(app switcher, AI tier, sync status) lives in the PillNav.
Mechanics:
- @mana/shared-ui PillNavigation gains a `startSlot?: Snippet` prop
rendered inside .pill-nav-container, before AppDrawer. Generic slot
— any host component drops in.
- (app)/+layout.svelte passes the existing <SpaceSwitcher /> as the
snippet (authenticated only). The old .space-bar wrapper above
<main> is removed along with its CSS.
- SpaceSwitcher trigger is restyled to match Pill conventions: pill
radius 999px, 32px height, 0.8125rem text, tighter paddings, shorter
name cap (7rem). Visually merges with the surrounding Pills.
- Dropdown menu flips upward (bottom: calc(100% + 4px)) because the
PillNav is position:fixed bottom — opening downward would land
off-screen.
Type-check: 0 errors across 7200 files.
Scope tests: 10/10 pass.
Go tests + bun tests (mana-auth): all pass.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Step 3 of the compose wizard (Preflight) now shows a real preview +
pre-send checks. User sees exactly what the recipient gets, minus the
substituted tracking URLs.
Render (render/email-html.ts)
- renderEmailHtml(): wraps Tiptap HTML in an email-client-compatible
shell — inline style="" throughout, single-cell table layout,
preheader block (hidden from body, visible in inbox preview), sender
banner, footer with unsubscribe + legal address
- HTML-escapes subject / sender name / address (Tiptap body stays
verbatim since its schema already forbids <script> / on* handlers)
- Placeholders for {{unsubscribe}} / {{web_view}} URLs — mana-mail's
orchestrator substitutes the HMAC-signed per-recipient URL at send
time; preview uses #unsubscribe-preview so nothing 404s
Render (render/plain-text.ts)
- renderPlainText(): mandatory multipart/alternative counterpart that
keeps SpamAssassin happy. Soft-wraps at 72 chars (honours the old
78-char RFC limit with a bit of quote-prefix headroom). Same footer
signals as HTML so the "why am I getting this" info travels with
text-only clients too.
Preview (preview/)
- EmailPreview.svelte: iframe with srcdoc (no blob-URL revocation
overhead) + macOS-style device chrome, width 640/375 for desktop/
mobile. sandbox="allow-same-origin" only — no top navigation, no
script execution.
- PreviewTabs.svelte: Desktop / Mobile / Nur-Text switcher, derives
html + plaintext reactively so edits in step 2 reflect immediately
when the user hops back to step 3.
Preflight checks (ComposeView step 3)
- Subject set? Audience > 0? Sender valid? Legal address filled?
- Legal-address warning is actionable — links straight to
/broadcasts/settings. Unblocks the user instead of just scolding.
Tests (20 new, 57 total for broadcast)
- email-html: subject in title, XSS-escape, preheader hidden, body
verbatim, empty-body fallback, sender name, unsubscribe default vs
override, legal address line breaks, optional footer, web-view link
- plain-text: sender, body, 72-char wrapping, paragraph preservation,
unsubscribe placeholder vs override, legal at end, optional footer
Still client-side only; server-side juice inlining lands in M4 when we
add richer CSS (currently everything inline already, so juice just
passes through).
Plan: docs/plans/broadcast-module.md §M3.
Next: M4 bulk-send via mana-mail (synchronous loop, HMAC tokens).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the gap between "invite flow UI exists" and "two users in the
same space actually see each other's data". Three pieces land together
because they're meaningless without each other.
mana-auth — new internal endpoint:
GET /api/v1/internal/users/:userId/memberships
Returns [{organizationId, role}, ...] for the user. mana-sync uses
this to populate the multi-member RLS session config.
mana-sync — membership lookup:
new internal/memberships package with an HTTP client + 5 min
per-user cache, fail-open (empty list = pre-Spaces behavior).
Config gets MANA_AUTH_URL (default http://localhost:3001).
Handler.NewHandler takes the Lookup. Every Push/Pull/Stream call
now passes spaceIDsFor(userID) to Store methods.
GetChangesSince + GetAllChangesSince extend their WHERE clause:
WHERE (user_id = $1 OR space_id = ANY($memberSpaces))
so co-members see each other's rows, not just the author.
apps/web — encryption skip for shared-space records:
encryptRecord now checks record.spaceId:
- `_personal:<userId>` sentinel OR no active shared space → encrypt
with user master key (E2E as today).
- Active space resolves to non-personal type AND spaceId matches
that space → skip encryption; write lands plaintext.
decryptRecord is unchanged because its per-field isEncrypted() guard
already passes plaintext through.
Phase-1 compromise: shared-space data is protected by server RLS
only, not E2E. Phase 2 adds per-Space shared keys with per-member
wrap — tracked in docs/plans/spaces-foundation.md.
Plus docs/plans/shared-space-smoketest.md: step-by-step Zwei-User-Test
mit erwarteten Ergebnissen und Debugging-Hinweisen bei Problemen.
Build + go test + web check all green.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Core authoring loop works end-to-end: create a draft, filter an audience
from contacts, write content in a rich-text editor, save. Send is still
stubbed (M4 gets mana-mail's bulk endpoint).
Dependencies
- @tiptap/core + starter-kit + image + link + placeholder (3.22.4)
- shared-auth/tsconfig: allowImportingTsExtensions +
rewriteRelativeImportExtensions so tsc accepts shared-types' explicit
.ts imports. Was blocking EVERY pnpm install postinstall hook in the
repo — fixing it here unblocks everyone, not just broadcast.
Module
- queries.ts: useAllCampaigns / useAllTemplates with scoped-db + crypto,
computeStats (counts + open/click rates per year), formatRate helper
- stores/settings.svelte.ts: singleton with ensure/get/update, same
pattern as invoices settings
- stores/campaigns.svelte.ts: createCampaign (pulls sender defaults from
settings), updateCampaign / updateContent / updateAudience (draft-only
edit guard), schedule / cancel / duplicate / deleteCampaign, plus an
applyServerStatus hook for M4's orchestrator to write back progress
Audience
- audience/segment-builder.ts: pure matchContact / filterAudience /
countAudience / describeAudience. AND semantics across filters. Drops
contacts without a usable email so estimatedCount never inflates.
- audience/AudienceBuilder.svelte: tag-chip UI with live count, dedup
(same tag twice toggles op instead of stacking), greys out already-
referenced tags in the picker
Editor
- editor/Editor.svelte: Tiptap wrapper with onMount / onDestroy, toolbar
(bold/italic/H1/H2/lists/link/image), bind on content (Tiptap JSON +
derived HTML/plaintext). Image upload reuses invoices' mana-media
uploader pragmatically; extract to @mana/shared-uload later.
Compose wizard
- views/ComposeView.svelte: 4-step stepper (Audience → Content →
Preflight → Send). Steps 3+4 stubbed pragmatically. Autosave on step
change so content survives navigation. Step 3/4 gated on earlier
readiness so the user can't skip.
Routes
- /broadcasts/new: bootstraps a draft + redirects to edit
- /broadcasts/[id]/edit: guarded on status=='draft'
- ListView: working "+ Neue Kampagne" button, rows open edit
Tests
- 17 unit tests for segment-builder covering tag has/not-has/AND,
email eq/contains case-insensitivity, no-email filtering, no-mutation,
describeAudience resolver + fallback
Plan: docs/plans/broadcast-module.md §M2.
Next: M3 HTML-render with email-safe inlining + preview.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First user-facing surface for multi-tenant Space sharing. Two new routes:
/spaces/members — Space member management (inside app gate)
- Lists current members with role chips + avatars.
- Einladen-Form for owners/admins: email + role (member/admin) →
POST /api/auth/organization/invite-member. Better Auth's existing
sendInvitationEmail handler (wired in better-auth.config.ts) mails
the invitee a link to /accept-invitation?id=X.
- Pending-invitations list with Stornieren button.
- Personal Spaces show a hint panel instead — they can't have members
by design.
- Remove Mitglied button (not for owner-role).
/accept-invitation — landing page for the invite email link (outside
(app) guard so logged-out invitees can see it).
- Fetches invitation details via /organization/get-invitation.
- If unauthenticated: "Einloggen & annehmen" routes through /login
with a callbackURL back to the landing — the flow resumes after
sign-in.
- Accept: POST /organization/accept-invitation + /set-active so the
newly-joined space is active when the user lands in the app.
- Decline: POST /organization/reject-invitation.
- Already-accepted / expired / canceled states each get their own copy.
SpaceSwitcher gets a "Mitglieder verwalten …" entry in the dropdown,
visible only when the active Space isn't personal.
What this does NOT do yet (separate commits):
- Membership-Lookup in mana-sync — Users A and B can now be in the
same space on paper, but mana-sync's RLS only lets members see
their own authored records until the lookup is wired.
- Encryption skip for shared-space rows — records in an encrypted
table still get wrapped with the author's user key, so member B
can't decrypt member A's writes.
Both follow in the next two commits.
0 errors across 7194 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New 1:N email-campaign module (newsletters / announcements). M1 scope:
- types (LocalCampaign / LocalBroadcastTemplate / LocalBroadcastSettings),
constants (STATUS_LABELS, BROADCAST_SETTINGS_ID, rate-limit hints)
- collections.ts: Dexie table refs, no guest seed (a demo campaign that
might accidentally hit real SMTP felt wrong)
- module.config registered in module-registry
- Dexie v32 wired in (already in tree from a parallel Spaces commit
picking it up via lint-staged — matches what the module expects)
- encryption registry entries for all three tables (type-safe via
entry<T>), content + audience always encrypted because the recipient
graph is a leakable business secret
- app entry (requiredTier: alpha) + megaphone gradient icon
(indigo→cyan, sits between mail and invoices in the comm family)
- route /broadcasts mounts ListView with empty-state placeholder
Status machine defined: draft → scheduled → sending → sent, with
cancelled as the off-ramp from draft/scheduled. No CRUD yet — that's M2.
Plan: docs/plans/broadcast-module.md.
Next: M2 AudienceBuilder + Tiptap editor.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Migration from user-level tier to Space-level tier, following the
Spaces foundation plan. User-visible effect: the tier that gates
module access now belongs to the active Space, not the user account.
Personal Spaces inherit the user's old tier on signup so nothing
downgrades.
shared-types:
- New SpaceTier type ('guest' | 'public' | 'beta' | 'alpha' | 'founder').
- New spaceTierMeets(actual, required) helper.
- SpaceMetadata gains an optional `tier` field.
mana-auth:
- createPersonalSpaceFor reads user.accessTier and stamps it into the
personal Space's metadata.tier. A founder-tier user setting up their
first Space keeps founder access in that Space.
- databaseHooks.user.create.after now forwards accessTier into the
personal-space creator.
apps/web (scope layer):
- ActiveSpace gains a required `tier: SpaceTier`; rawToActiveSpace
reads it from organization.metadata, defaulting to 'public' if
missing or invalid.
- New getEffectiveTier(userFallback) helper resolves the tier to use
for gating: prefers the active Space's tier, falls back to the
caller-supplied user tier during the boot window.
apps/web ((app) layout):
- `effectiveTier` $derived replaces every authStore.user?.tier reference
in the layout's access-gating logic (appItems, routeBlocked,
routeTierLabels). AuthGate deeper in the UI keeps using user.tier as
its own fallback — the tier move is additive, not destructive.
What this does NOT do yet:
- The user.accessTier column still exists and is still the initial
source for personal-space tier. Removing it is a later cleanup once
every code path reads through the Space primitive.
- No admin API for setting tier on a Space (PUT /api/v1/admin/spaces/
:id/tier). Follow-up when admin tooling needs it — today admins still
set user.accessTier, which flows to the personal space on next
signup.
Resolves the MANA_APPS-tier-patch workaround memory: future sessions
can adjust tier per Space instead of per User.
0 errors across 7151 files. 10/10 scope tests pass.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves the name collision flagged in the Spaces RFC: four tables
owned the term "spaceId" before the multi-tenancy Spaces foundation
landed in v28 (conversations, documents, spaceMembers, memoSpaces
— chat's context-folder reference, context's parent context-space,
and memoro's membership/join tables). After v28, the scope wrapper
started filtering on a field that meant something different in these
tables, which would have hidden their records from the UI.
Dexie v31 migration:
- Renames the index from spaceId → contextSpaceId on all four tables.
- upgrade() copies each existing `spaceId` value to `contextSpaceId`
(when it's a real context-space reference and not already the v28
`_personal:<userId>` sentinel), then resets `spaceId` to the
personal-space sentinel so the scope wrapper picks the row up on the
active-space boot pass.
Type changes:
- LocalConversation, Conversation: spaceId → contextSpaceId
- LocalDocument: spaceId → contextSpaceId
- LocalSpaceMember, LocalMemoSpace (memoro): spaceId → contextSpaceId
Code updates:
- chat/queries.ts: toConversation + filterBySpace renamed to
filterByContextSpace (exports updated in chat/index.ts).
- chat/stores/conversations.svelte.ts: create() param + write site.
- context/queries.ts: toDocument + useSpaceDocuments signature.
- context/collections.ts: seed data.
- context/ListView.svelte + route pages: form data.
- dashboard/widgets/ContextDocsWidget.svelte: read site.
Table names stay: `spaceMembers` and `memoSpaces` still carry their old
names because they belong to the memoro module's context-space concept
and table renames also require sync-routing updates. A dedicated
cleanup can rebrand those once memoro's data model is revisited.
0 errors across 7148 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mass rollout of the scope wrapper to every module that had a simple
db.table('X').toArray() or .orderBy('k').toArray() pattern. The
calendar/todo/notes/contacts pilots stay as the original templates;
this commit adds the rest in one pass so the scope layer is the
universal read path.
Modules migrated (43):
Batch A (health/tracking): body, mood, sleep, period, habits,
dreams, journal, meditate, drink, food
Batch B (content/media): recipes, plants, places, firsts, who,
library, quotes, music, photos, picture,
presi, cards, wishes
Batch C (productivity): events, finance, invoices, times, storage,
uload, inventory, skilltree, citycorners,
guides, questions, quiz
Batch D (AI/tools): chat, context, kontext, memoro, mail,
companion, moodlit, wetter, playground,
calc, stretch
Pattern:
- db.table<T>('n').toArray() → scopedForModule<T,string>('mod','n').toArray()
- db.table<T>('n').orderBy('k').toArray() → same, replacing .toArray()
with .sortBy('k') so the sort
runs in-memory on the scope-
filtered result
Also adds scopedAnd() to the scope barrel — wraps an existing indexed
Collection (e.g. `.where('date').aboveOrEqual(x)`) with the scope filter
via Collection.and(). Lets indexed queries keep their index hit while
still honouring scope. ~27 remaining db.table<>.where() calls will move
to scopedAnd() in a follow-up once the active-space-indexed compound
indexes land.
Visibility filtering (applyVisibility) is opt-in: the calendar/todo/
notes/contacts pilots call it; the mass-migrated modules skip it until
private records actually show up in a shared space. The default
visibility='space' makes it a no-op anyway — worth adding later when
records with visibility='private' exist in practice.
Type-check: 0 errors across 7143 files.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bulk-migration script swapped db.table() → scopedForModule() in queries.ts
but the import line wasn't added, leaving the file broken. Restores type-
check by importing from \$lib/data/scope (same path calendar/contacts/todo
use).
Invoice reads now flow through the Spaces scope wrapper like other
migrated modules — queries only return rows from the active space.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three items from docs/plans/invoices-module.md §"Offene Punkte" that
actually block real-world dogfooding:
1. Bezahlte Rechnung → Finance-Einnahme
- financeStore.upsertTransactionFromInvoice(): deterministic id
(invoice-tx-{invoiceId}) so marking the same invoice paid twice
updates instead of duplicating. Uses table.put for the upsert.
- invoicesStore.markPaid() calls it after the status transition,
decrypts to get the gross + snapshot, converts minor→major for
the finance row, formats description as "Rechnung {number} — {client}".
- Best-effort: the call is try/catched so the invoice write (the
thing the user initiated) never fails because of a finance bridge
hiccup. Logs a warning instead.
- Multi-currency caveat: finance's bare-number model loses the
currency — documented in the upsert helper's comment. Works for
single-currency freelancers (the 95% case).
2. Strukturierte Adressen für QR-Bill
- LocalInvoiceSettings gains senderStreet/Zip/City/Country (nullable,
so existing rows don't need a migration). Encryption registry
updated to cover the new fields — same sensitivity tier as the
legacy senderAddress blob.
- InvoiceClientSnapshot gains street/zip/city/country, same shape
as Debtor.
- qr-bill.buildQRBillData prefers structured fields; falls back to
parseAddress(senderAddress) for users who haven't touched the new
settings form. Same preference chain on the client/debtor side.
- PDF header + DetailView recipient block prefer structured too —
stays in lockstep with what the QR-Bill reads.
- SenderProfileForm replaces the single textarea with four labeled
inputs. Legacy free-text address moves behind a <details> as a
"weird edge case" escape hatch (Postfach, c/o etc.).
- ClientPicker: same split, with contacts-source mapping using
structured fields directly (contacts already have street/postalCode/
city so no info loss).
- Three new qr-bill tests cover the preference order: structured
wins, legacy falls back, malformed snapshot omits debtor.
3. MODULE_REGISTRY.md
- Added `invoices` under "Finanzen" with the cross-link note.
Tests: 48/48 green (up from 45), 0 type errors. Open Phase-2/3 items
still parked: camt.053 bank reconciliation, number-sequence multi-
device collision, unfreezing the paid→void edge.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When mana-ai plans a mission tick in the background, it writes an
iteration with source='server' and plan[].status='planned' — the
server itself has no Dexie access, so those planned tool_calls have
to run on the user's device. This commit adds the missing half.
- server-iteration-executor.ts subscribes via Dexie liveQuery to
server-sourced iterations with planned steps. For each one it
reconstructs the AI actor (mission + agent + iteration), runs every
step through executeTool, and writes the result status (approved /
failed) back into the iteration.
- Idempotency: a new local-only Dexie table
`_serverIterationExecutions` (v30) marks iterations we've already
run, so sync replays and page reloads don't re-execute. Also guarded
by an in-flight Set because liveQuery fires rapidly during the
execution's own writes.
- Wired into (app)/+layout.svelte alongside startMissionTick — lives
for the whole session, stops on teardown.
This is the mirror of the old server-iteration-staging.ts but direct-
execute instead of proposal-stage — no manual approval step. Same
user-facing behaviour as foreground mission runs: they show up in the
Workbench Timeline, revertable per iteration.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three more modules now use the scope wrapper. Pattern matches the
calendar pilot:
db.table<T>('X').toArray() → scopedForModule<T>('mod','X').toArray()
db.table<T>('X').orderBy('k').toArray → scopedForModule<T>(...).sortBy('k')
db.table<T>('X').get(id) → scopedGet<T>('X', id)
Added scopedGet() to the scope barrel — a primary-key fetch with a
post-read scope check so URL-manipulated deep links can't peek at
records from another space. Dexie's fast-path index read still happens;
the scope check is one field comparison on the single row.
Modules migrated:
- todo/queries.ts: useAllTasks, useAllBoardViews, useAllReminders,
useAllProjects (4 queries; sortBy replaces orderBy-via-index)
- notes/queries.ts: useAllNotes (list), useNote (by id via scopedGet)
- contacts/queries.ts: useAllContacts
goals module lives in companion/goals with a different layout (not a
standard modules/*/queries.ts) — skipped this pass, will migrate in a
targeted follow-up.
Scope + visibility filters run BEFORE decrypt where possible so the
vault-locked UI path stays cheap: plaintext spaceId + visibility + deletedAt
metadata filters the decrypt workload before crypto gets invoked.
Performance note: sortBy() is an in-memory O(n) sort. Fine for a user's
task list, but if a hot path surfaces (e.g. a thousands-of-tasks view),
we add a [spaceId+order] compound index in a follow-up Dexie version.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The last open item from the plan. Missions can now draft invoices from
chat context, mark customer payments, and read status for autonomous
follow-up cadences.
Tool catalog (packages/shared-ai/src/tools/schemas.ts)
- create_invoice (propose) — clientName + lines[] + currency + due
- mark_invoice_paid (propose) — by id, optional back-dated paidAt
- list_invoices (auto) — with status + limit filter
- get_invoice_stats (auto) — open/overdue/YTD per currency
Had to widen the tool-parameter type vocabulary so create_invoice can
declare lines as a typed array. Touched three places:
- ToolSchema-side: the catalog's `type` string is already free-form so
'array' / 'object' just pass through
- ModuleTool-side (apps/mana/apps/web/src/lib/data/tools/types.ts): added
'array' | 'object' to the union so TS doesn't narrow the executor's
param signatures
- function-schema translator (packages/shared-ai): mapParamType +
JsonSchemaProperty both gained the two new types; the catalog-typo
guard test now uses 'fruit' as its sentinel (array no longer unknown)
Executor (apps/mana/apps/web/src/lib/modules/invoices/tools.ts)
- coerceLines accepts either a real array or a JSON-stringified array
(planners vary), skips malformed entries, converts major→minor units
- create_invoice pulls the generated number back from Dexie so the
success message shows "Entwurf 2026-0042 …" — the user recognises it
- mark_invoice_paid normalises YYYY-MM-DD → ISO so the store's timestamp
invariant (ISO throughout) stays intact
- list_invoices derives overdue on read (consistent with useAllInvoices),
returns major-unit amounts so the LLM reasons in user-facing numbers
- get_invoice_stats returns counts + open/overdue/YTD per currency
Registration: invoicesTools added to tools/init.ts. mana-ai drift guard
is happy (41/41 green); webapp + shared-ai type-check 0 errors; full
invoice test suite 59/59 green.
Closes: docs/plans/invoices-module.md §M8. All plan milestones now DONE.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Carries per-round token counts from the mana-llm response body
(prompt_tokens + completion_tokens) back through LlmCompletionResponse
→ PlannerLoopResult. The loop sums across rounds and exposes a single
aggregate on result.usage.
Lets mana-ai's tick re-activate per-agent daily-token budget tracking
— tokensUsed was stubbed to 0 in the migration commit (6) because the
loop didn't surface usage yet. Now recordTokenUsage + agentTokenUsage24h
get real numbers again, and the mana_ai_tokens_used_total Prometheus
counter is accurate.
Additive only: consumers without usage needs ignore the new field,
and providers that don't return usage produce zeros (not undefined —
the loop still exposes the object so downstream branches stay trivial).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First user-visible surface for the Spaces foundation. Two components:
SpaceSwitcher (header dropdown)
- Shows the active space name + type badge
- Opens a dropdown listing all user's spaces with per-type color chips
(brand / club / family / team / practice / personal)
- Click on a space → /organization/set-active + full page reload so
every liveQuery re-evaluates against the new active space
- "+ Neuer Space" entry at the bottom opens the Create dialog
SpaceCreateDialog (modal)
- Type picker with description per type (excluding personal — that one
is auto-created at signup and never chosen manually)
- Name input + live slug preview (same slugifier as the server)
- Conditional fields: voiceDoc for brand/club, uid + legalEntity for
brand/club/practice
- POSTs to /api/auth/organization/create with metadata.type, then
/set-active and reload. beforeCreateOrganization hook rejects
malformed metadata server-side.
Placement: compact bar at the top of the (app) max-w-7xl wrapper, only
rendered when authenticated. Zero changes to PillNavigation so the rest
of the nav surface stays untouched.
Reactivity note: the switcher full-reloads on set-active because the
scoped-db wrapper doesn't yet invalidate liveQueries on active-space
change. A reactive-invalidation path can replace the reload once the
wrapper is used across enough modules to make the UX friction matter.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Calls loadActiveSpace() + reconcileSentinels() in the Phase-B critical
boot block, right after the user identity is bound to the ambient actor
and before sync starts. This means:
- Pending-change rows pushed to mana-sync carry the real organization
id, not the `_personal:<userId>` sentinel the v28 migration uses
as a placeholder.
- Sentinel records (written pre-boot or by the v28 upgrade on an
existing db) get rewritten to the real personal-space id in a single
pass once Better Auth responds.
- The scope wrapper in module queries now partitions by the active
space instead of degrading to sentinel-only filtering.
Failure is non-fatal — an offline boot or a Better Auth hiccup just
means the sentinel path stays live and the next boot retries. A count
log surfaces the reconciliation count so migrations are visible in
devtools.
Plan: docs/plans/spaces-foundation.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Completes the Settings polish item left open after M2.
pdf/logo.ts
- loadLogo(mediaId): fetches the large variant from mana-media, sniffs
content-type to pick 'png' vs 'jpg', returns null on any failure so
the PDF still renders without a logo
- uploadLogo(file): multipart POST to /api/v1/media/upload with
app=invoices, returns the new mediaId (or throws a user-facing msg)
- logoPreviewUrl(mediaId): thin helper so the settings form doesn't
have to know the media-URL lookup pattern
Renderer wiring
- loadLogo runs in the same Promise.all as font embedding so it doesn't
add a serial wait
- embedPng / embedJpg based on the sniffed kind; errors degrade silently
- renderHeader takes a PDFImage|null and, when present, draws it top-
left above the sender name, max 25mm × 45% content-width, aspect
preserved, 3mm breathing room below
Settings UI (SenderProfileForm)
- Logo slot at the top of the Absender section: preview when set,
"Ersetzen" / "Entfernen" actions; "+ Logo hochladen" drop-style
button when empty
- Upload persists immediately (no separate "Speichern" click for logo
changes) — keeps the interaction one-handed
- Accepts PNG / JPEG; invalid types rejected client-side before the
network round-trip
Closes one of the open items from docs/plans/invoices-module.md §M3.
Next open: M8 AI-tools (create_invoice / mark_paid / list / stats).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
