1. SecurityEventsService: Centralized audit logging for all auth events
(login, register, logout, password changes, API key operations, SSO
token exchange, etc.). Fire-and-forget pattern ensures auth flows
are never blocked by logging failures.
2. AccountLockoutService: Locks accounts after 5 failed login attempts
within 15 minutes. 30-minute lockout duration. Fails open on DB
errors. Clears attempts on successful login. Email-not-verified
does not count as a failed attempt.
3. API Key validation endpoint secured with rate limiting (10 req/min
per IP via ThrottlerGuard) and audit logging. Key prefixes logged
for forensics, never full keys.
New schema: auth.login_attempts table for tracking failed logins.
174 tests passing across all auth and security modules.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adding a new app to cross-app SSO requires updating trustedOrigins,
CORS_ORIGINS, and running SSO contract tests. Documented in both
root CLAUDE.md and mana-core-auth CLAUDE.md to prevent future regressions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Several apps (mukke, photos, planta, questions, todo, traces, context,
docs, manadeck, zitare) were missing from Better Auth's trustedOrigins,
causing SSO session cookie exchange to fail for those apps. Also synced
CORS_ORIGINS in docker-compose.macmini.yml.
Added 47 SSO contract tests to prevent regressions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Assign version numbers based on app maturity: Calendar/Contacts/Todo (1.0.0),
Chat/Picture (0.3.0), 11 beta apps (0.2.0), Context/Planta/Questions (0.1.0),
Traces (0.0.1). Set up @changesets/cli for future version management.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use --filter to only install mana-core-auth and shared-storage deps,
avoiding missing workspace package errors from root package.json.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pnpm resolves patch references from root package.json even for
partial workspace installs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The partial workspace copy causes lockfile mismatches since not all
referenced packages are present in the Docker build context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Better Auth may return error objects instead of throwing for unverified
emails. Now checks result.error before hasUser(), uses case-insensitive
matching, and re-throws NestJS HTTP exceptions to avoid masking them.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add 22 E2E tests across 5 test suites covering auth, calendar views,
settings, event CRUD, and calendar management. Tests that require the
calendar backend gracefully skip when it's not running.
Also fixes: hooks.server.ts env fallbacks, ThrottlerGuard DI error,
and auth metrics service TypeScript error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Better Auth throws APIError("FORBIDDEN") when email is not verified,
but the signIn catch block didn't handle this case, causing a 500.
Now returns ForbiddenException with EMAIL_NOT_VERIFIED code so the
client can show the resend verification link.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The ResetPasswordDto required 12 characters while registration and
change-password only required 8, causing a mismatch with frontend UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restructure standalone traces app into monorepo pattern with mobile + backend + shared types.
Add NestJS backend with Drizzle ORM schema for locations, cities, places, POIs, and AI guides.
Add mobile sync layer, cities tab, and guide generation UI. Fix pre-existing type errors across
mobile codebase, matrix-mana-bot (sendDirectMessage), llm-playground, and all web auth stores
(signUp call signature).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Same fix as planta-bot - I18nService injection was failing because
the service couldn't be resolved in the BotModule context despite
I18nModule having global: true.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add shared-pwa, qr-export, and wallpaper-generator packages
to the Docker build context for manacore-web.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Also restore @Global() decorator to I18nModule while keeping
global: true in DynamicModule config for consistency with other
modules like CreditModule.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add configurable morning summaries that aggregate data from multiple sources:
- Weather forecast via Open-Meteo API (free, no API key needed)
- Today's calendar events
- Today's tasks + overdue tasks
- Birthdays from contacts
- Plants needing water from Planta
New commands:
- !morning / !morgen - Get summary now
- !morning-on/off - Enable/disable automatic delivery
- !morning-time HH:MM - Set delivery time
- !morning-location [city] - Set weather location
- !morning-timezone [zone] - Set timezone
- !morning-format [kompakt|ausfuehrlich] - Set format
- !morning-settings - Show current settings
New shared services in @manacore/bot-services:
- WeatherService - Open-Meteo integration with geocoding
- ContactsApiService - Birthday fetching
- PlantaApiService - Watering schedule
- MorningSummaryService - Aggregates all sources
- MorningPreferencesService - User preferences storage
Includes scheduler for automatic daily delivery at user-configured time.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use node:20-slim like other bots
- Copy and build shared packages (bot-services, matrix-bot-common)
- Use pnpm instead of npm
- Add non-root user for security
- Fix healthcheck port to 4022
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add handleImageMessage() to BaseMatrixService for image support
- Implement photo upload and Gemini Vision analysis in PlantaService
- Add image handler in MatrixService that downloads, uploads, and analyzes
- Format analysis results with health status, care tips, and confidence
- Update CLAUDE.md documentation with new feature
- Fix type mismatch in onboarding-bot (fullName → displayName)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The manual bodyParser.json() middleware conflicts with NestJS rawBody mode.
When rawBody: true is enabled, NestJS consumes the body stream first, then
the manual parser tries to read it again causing "stream is not readable".
NestJS handles JSON parsing internally, so the manual middleware was redundant
and causing 500 errors on login requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add all new organization management endpoints to API table
- Add new Invitations section for invitation endpoints
- Update controller JSDoc with complete endpoint list
- Update last updated date
Add missing organization features for Teams functionality:
- PUT /auth/organizations/:id - update organization
- DELETE /auth/organizations/:id - delete organization
- PATCH /auth/organizations/:orgId/members/:memberId/role - update member role
- GET /auth/organizations/:id/invitations - list org invitations
- GET /auth/invitations - list user invitations
- DELETE /auth/invitations/:id - cancel or reject invitation
- Add sepa_debit to payment_method_types for credit purchases
- Add sepa_debit to subscription checkout sessions
- Handle payment_intent.processing webhook for SEPA status tracking
- Add blueprint article analyzing payment options (Stripe vs LSV+/FinTS)
SEPA offers lower fees (0.8% vs 1.5%+€0.25) for DACH customers.
Payments are confirmed 3-14 days after checkout (bank processing).
The JSON body parser was consuming the request body before NestJS
could access the rawBody needed for Stripe webhook signature
verification. Now webhooks to /api/v1/webhooks/stripe skip the
body parser middleware.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove free credits system (signup bonus, daily credits) and B2B organization
credits to simplify the codebase. Credits now only come from purchases or gifts.
Changes:
- Remove freeCreditsRemaining, dailyFreeCredits, lastDailyResetAt from balances
- Remove organizationBalances and creditAllocations tables from schema
- Simplify transaction types to: purchase, usage, refund, gift
- Remove B2B endpoints from credits controller
- Remove checkDailyReset, allocateCredits, deductCredits from service
- Add redeemPendingGifts method to auto-redeem gifts on registration
- Update frontend to remove free credits display
- Add database migration for the changes
- Update all related tests to match simplified system
Widget module now uses Redis storage mode to share sessions with
the bot module. This enables Matrix-SSO-Link auto-login for widget.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New bot that transcribes voice messages to text
- Uses mana-stt service (Whisper/Voxtral) for transcription
- Supports German and English with auto-detection
- Commands: !language, !model, !status, !help
- Runs on port 3024
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add looksLikeMealDescription() heuristic to detect meal descriptions
- Add autoAnalyzeText() to handle automatic text analysis
- Text messages with food keywords or numbers are now auto-analyzed
- Skip greetings and questions to avoid false positives
Drizzle ORM requires explicit null values for optional fields instead of
leaving them undefined. Added explicit null for organizationId,
idempotencyKey, portionNumber, and creditTransactionId.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Drizzle ORM throws "UNDEFINED_VALUE" error when inserting undefined values.
Convert dto.sourceAppId to null using nullish coalescing operator.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Store original room topic when timer starts
- Update room topic with timer progress every 10 seconds
- Show status icon, remaining time, percentage, and label
- Restore original topic when timer finishes or is deleted
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use transparent background to adapt to Element theme
- Remove min-height and centering (content starts at top)
- Reduce font sizes and spacing for compact display
- Use semi-transparent backgrounds for theme compatibility
- Add flex-wrap for narrow panels
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add matrix-onboarding-bot service that guides users through profile setup
- Extend mana-core-auth GlobalSettings with displayName, interests, onboardingCompleted fields
- Implement state machine for onboarding flow (NAME → INTERESTS → LANGUAGE → SUMMARY)
- Support commands: !start, !profile, !edit, !skip, !help
- Add German and English localization
- Integrate with mana-core-auth Settings API for profile persistence
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
NestJS matches routes in declaration order. The dynamic :code route was
matching before me/created and me/received, treating 'me' as a gift code.
Moved specific routes before the dynamic parameter route.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- !stats now shows personal stats (requires login)
- !global now shows global Umami analytics
- Update keywords and help text accordingly
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Piper TTS section to mana-tts CLAUDE.md
- Document available German voices (local and cloud)
- Update matrix-tts-bot CLAUDE.md with new default voice
- Add language auto-detection documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
