release/v1.11.2 — Coach-memory controls, privacy hardening, more pinnable metrics#253
Merged
Conversation
Add a 'What the Coach remembers' settings section: lists the user's durable facts grouped by category with a learned-when stamp, forgets a single fact or clears all (behind a confirm), and notes the rolling conversation summary. Consumes the v1.11.1 CoachFact routes via the query-key factory; gated on the Coach feature; localised in all six locales. Closes the API-only gap from v1.11.1. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add requirePublicHost to the three outbound safeFetch sites whose host is user- or operator-controlled and lacked the connect-time pin: the OpenAI and Anthropic clients (BYO base-URL override) and the IP-geo lookup (IP_GEO_LOOKUP_URL env). A base URL resolving to a private/metadata address is now rejected. The LOCAL AI client intentionally stays conditional (LAN escape hatch). Redirect-follow is already closed by the safeFetch defaults. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Source-grep guard asserting the openai/anthropic/geo outbound sites keep the unconditional DNS-rebinding pin and the local AI client keeps its conditional LAN escape hatch — so a future edit can't silently re-open the SSRF surface. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t path Load the source-priority blob once and pass it into the three readRollupBuckets calls instead of letting each re-query the user. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t path Load the source-priority blob once and pass it into both BP readers instead of letting each re-query the user. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ders Load the source-priority blob once and pass it into both readBestGranularityRollups calls. Completes the B3 fast-path threading. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add eight widget ids (cardio recovery, six-minute walk, stair ascent/descent speed, breathing disturbances, wrist temperature, falls, walking steadiness) to the dashboard widget catalogue + default layout (hidden by default) so they can be pinned via the layout PUT. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Drop the unused `now` field from the coach `ExtractOpts` type; fact extraction never read it (conversation-summary keeps its own `now`). - Correct the no-ladder tiebreak docstring in measurement-read: the collapse picks the alphabetically smallest source name, matching the live-SQL `ORDER BY … source` tiebreak, not max count. - Replace the hand-inlined canonical-source subquery in the summaries rollup-path narrows query with `canonicalMeasurementsFrom(rank, "90 days")` for live/rollup parity with its siblings. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The synchronous DAY rollup hook carries no pg-boss singleton, so two measurement writes landing on the same (user, type, day) can interleave their delete-then-insert and the losing createMany trips the per-source unique index. The peer rewrote the identical source-collapsed partition — the aggregate is a pure function of the same underlying rows — so the rollup is already correct. Catch the P2002 in the single-chunk transactional path, annotate it, and return rather than failing the recompute. Any other Prisma error still bubbles. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…; pair coach-memory spinner with motion-reduce Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The eight v1.10 additive HealthKit signals (cardio recovery, six-minute walk, stair ascent/descent speed, breathing disturbances, wrist temperature, falls, walking steadiness) are writable dashboard widget ids so the native client's Home-pin PUT validates them, but the web dashboard renders strip tiles via hardcoded per-id blocks and has no render path for them. Left as-is, the web Settings -> Dashboard list would offer eight toggles that do nothing on web. Name them in a new IOS_PIN_ONLY_WIDGET_IDS set (writable-but-not- web-rendered) and filter that set out of the rendered settings list, so the toggles never appear on web while the ids stay accepted by the widgets PUT enum for the native client. Add tests asserting the eight remain writable (catalogue membership) yet are absent from the web list. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A single shared forgetOne mutation meant forgetOne.isPending disabled every per-fact forget button during one delete, so the whole list read as frozen. Track the in-flight fact id via the mutation variables so only the row being deleted disables and shows the spinner. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Prisma unique-constraint (P2002) narrowing predicate had been hand-copied into five call sites. Fold them into a single isP2002 in src/lib/prisma-errors.ts and import it everywhere (the two step-drain sites keep their local isUniqueConstraintViolation name via an import alias). Behaviour-identical; one place to chase a future P2002-semantics change instead of five. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extend the SSRF pin inventory to also assert the requirePublicHost pins already present on the user/operator-supplied moodLog push/sync webhooks and the ntfy sender, so the full set of overridable-host egress points is CI-guarded and a future edit that drops one reds here. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… pinnable metrics Coach-memory management UI (review/forget durable facts), connect-time DNS-rebinding pins on user/operator-overridable outbound hosts, eight additional pinnable dashboard metrics, plus a rollup write-race fix and fast-path source-priority amortisation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the v1.11.1 Coach-memory API-only gap (management UI), adds DNS-rebinding SSRF hardening, 8 pinnable dashboard metrics (iOS-requested), + rollup write-race fix. Full suite green (6908), W10 QA reconciled (0 open Crit/High/Medium).
🤖 Generated with Claude Code