When passkey auth succeeds but user's email doesn't match the OIDC
client's allowedEmails, show an inline email verification form instead
of a dead-end error. Sends a branded verification email with a single-use
30-minute token, then updates users.email on callback and lets the user
retry sign-in.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Notification routes: wrap GET / and GET /count in try-catch, return
graceful fallbacks instead of 500s when DB table is missing/unavailable
- getUnreadCount: add null safety (row?.count ?? 0) and catch DB errors
- Service worker: add .catch(() => {}) to all cache.put() calls to
suppress NetworkError on quota-exceeded or corrupted cache entries
- On-ramp error display: coerce err.error to string so alerts show the
actual message instead of [object Object]
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Listmonk newsletter management proxy API with role-based auth,
newsletter manager component, password setting type support, and
new backlog task files. Update newsletter subscribe URL.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add three alternative views to the campaign planner canvas:
- Timeline: horizontal chronological layout with day columns and phase bars
- Platform: kanban columns grouped by platform with post cards
- Table: compact sortable table with status, platform, content, dates
View switcher in toolbar preserves canvas state when switching. Clicking
any post in alt views navigates back to canvas with that node selected
and centered. Keyboard shortcuts guarded to canvas-only view.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace text abbreviation badges (rN, rPh, etc.) with r+emoji format
(r📝, r📸, etc.), remove duplicate emoji from item rows, and add a
"Recently Used" section at the top of the sidebar persisted via
localStorage.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extension gets Clipper/Cart mode tabs, space/cart picker with persistence,
JSON-LD product detection, "Add to rCart" context menu, and badge count.
Web UI shows a dismissible indigo banner prompting extension install when
not detected. Content script sets detection marker on rspace.online pages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Previously the planner restored a stale zoomed-out viewport from
localStorage, and fitView() could fail silently if the SVG had zero
dimensions during shadow DOM layout. Now: skip viewport restore on
initial load, retry fitView up to 3 rAFs, and clamp min zoom to 50%.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace flat source cards with pipe/valve/spigot faucet SVG. Click opens a
centered purchase modal (label, amount, payment method) instead of the cramped
side panel. Adds MetaMask as a new payment option alongside Card and rIdentity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds "Automation Canvas" CTA button in hero and "Your Automations" section
that fetches workflows from API and displays as grid cards or compact list.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add /demo route, Vite build entry for trips-demo.ts, and demo page
CSS (hero, toolbar, 2×3 card grid, calendar, polls, funds, cart).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add reply, reply-all, and forward endpoints with proper RFC 5322 threading
headers (In-Reply-To, References). SMTP send executes automatically when
approval threshold is met via nodemailer. Personal inbox CRUD lets users
connect their own IMAP accounts. Agent inbox system with regex-based rules
for auto-classify/auto-reply (drafts go through approval workflow).
Multi-sig email canvas shape (folk-multisig-email) with draft/pending/sent
states and 5s polling. Per-space auto-provisioning via onSpaceCreate.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The /campaigns route was serving folk-campaign-manager (simple list view)
instead of folk-campaign-planner (the drag-and-drop flow canvas). The
planner was fully built but had no route.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add 3 interactive D3 visualizations (Balance River Timeline, Multi-Chain
Flow Map, Single-Chain Sankey) as tabbed views alongside the existing
balance table. D3 loaded lazily from CDN on first viz tab click. Demo
mode shows all visualizations with mock TEC Commons Fund data.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rsocials had defaultScope: "global" but client components passed the raw
space slug, creating threads in space-specific docs (e.g. commonshub).
Server routes then looked in the non-existent "global" doc → 404.
Changed to defaultScope: "space" to match how client actually works.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Reddit-style vote column: prominent up/down chevrons flanking the score
on each ranking proposal card, with x² cost indicator
- Quadratic weight picker: compact inline buttons for +2/+3/+5 and -2
below the proposal description (supplements chevron ±1)
- Priority Trends chart: SVG line chart showing how proposal scores
evolve over time, with color-coded lines per proposal, end dots,
grid lines, time labels, and a toggleable legend
- Score history tracking: records snapshots on each vote, seeds 7 days
of simulated history for demo mode
- Orange for upvotes, blue for downvotes (matching rvote.online palette)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace the map room placeholder with a real MapLibre GL dark map (CartoDB
dark_all tiles). Port RoomSync from rmaps-online for WebSocket-based
participant/waypoint sync. Add localStorage room history with thumbnail
capture, participant sidebar with ping buttons, continuous GPS sharing
via watchPosition, and waypoint drop. Demo mode unchanged.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Links on subdomain routing (e.g. jeff.rspace.online) were including
the space in the path (/demo/rsocials/campaigns) instead of just
/rsocials/campaigns. Added basePath getter to all components and
detect subdomain in the server-rendered hub page.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replaces minimal feed mode with a polished scroll-through view: shapes wrapped
in card containers with icon/title/type headers, grouped by section (type, date,
position, alpha) with dividers, sticky scroll summary bar with item counter and
clickable section chips for quick navigation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace inline SVG emoji (🌌) favicons with /favicon.png in all four
shell renderers and both landing page renderers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a visible spatial zoom slider (teal) below the existing temporal slider
(indigo) with a coupling toggle between them. When coupled, dragging either
track moves both; when decoupled, spatial slider controls map zoom independently.
Fix T_TO_S mapping gaps (Season→Region, Decade→Planet).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Previously the map rendered ALL events regardless of which time period
the calendar was displaying. Now markers, transit lines, and map bounds
are filtered to the visible date range (day/week/month/season/year).
The map auto-fits to the bounds of visible located events when zoom
coupling is active.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shapes that overlap now drift apart gently over ~1 second via an
ambient requestAnimationFrame loop, instead of snapping instantly
when dragged. folk-slide and folk-arrow are exempt.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Root cause: scale/panX/panY were declared with let at line 5014, but
event handlers referencing them were registered before line 2771. Since
the module has top-level awaits (offlineStore.open, sync.initFromCache),
execution yields and events can fire before the let declarations,
causing "Cannot access variable before initialization" TDZ errors.
Fix: hoist scale/panX/panY declarations to before any await statements.
Also add Cache-Control: no-cache for HTML files and immutable for
Vite content-hashed assets to prevent stale bundle caching.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When the last tab is closed, a dashboard appears showing the user's
spaces (sorted by most recent visit), notifications, and quick actions.
Clicking any item creates a new tab and hides the dashboard. Browser
back/forward handles dashboard state correctly.
Also adds proper cache headers for HTML and Vite-hashed assets.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Labels now appear as floating tags outside the toolbar on hover/open
instead of expanding the button width inside the narrow toolbar.
Toolbar overflow changed to visible so labels aren't clipped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Mobile toolbar shows compact 48x48 icon grid instead of full-width rows
- Labels hidden on mobile, title shown in popout panel header
- Separators hidden on mobile to save space
- Tap icon to open bottom-sheet panel with title + sub-tools
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add tg-icon + tg-label spans inside toolbar group toggle buttons
- Label hidden by default, revealed on hover/open via CSS
- Panel header uses title attribute instead of emoji-only textContent
- Plus menu headings also use title attribute for group names
- Mobile: labels always visible alongside icons
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add if (!this.shadowRoot) guard in history panel and space settings
connectedCallback to prevent error on element reconnection
- Null-check toggleMemoryBtn before addEventListener since #toggle-memory
element was removed
- Import and register RStackSpaceSettings + RStackHistoryPanel in
canvas.html so settings gear and history panel work on canvas page
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rich landing page for rspace.online/rmeets with sections on self-hosted
infrastructure, data sovereignty, ecosystem integrations, and roadmap
(local transcription, BYOS, data integrations).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace folk-video-chat toolbar button with rMeets (Jitsi) rApp
embed in the Connect group. Add rmeets, rschedule, rsocials to
folk-rapp MODULE_META. Add rMeets entry to MI tool schema.
The old folk-video-chat shape remains available for direct use
but is no longer in the toolbar.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds rMeets module with hub page (Quick Meet, Join Room, Jitsi Lobby)
and room pages that embed jeffsi.localvibe.live via renderExternalAppShell.
Jitsi URL configurable via JITSI_URL env var.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix rFlows light/dark theme: change CSS selectors from :root /
[data-theme] to :host / :host([data-theme]) so they work inside
shadow DOM. Mirror data-theme attribute from <html> onto the
folk-flows-app host element via MutationObserver.
- Canvas toolbar: icons only (no text labels), hover opens group
name header + submenu flyout. Minimize button moved to top with
chevron icon, collapses to wrench icon. Mobile gets emoji + text
via ::after pseudo-element for touch accessibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The main server's Related Origins list was stale — it listed 5 generic
r*.online domains instead of the priority domains where passkey ceremonies
actually happen. This caused p2pf socials (socials.p2pfoundation.net) and
other external domains to fail WebAuthn authentication because browsers
couldn't verify them as related origins for RP ID rspace.online.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move settings gear to header right (next to identity) on all pages.
Add history clock button in header left that opens a new slide-out
history panel with Activity feed and Time Machine tabs. Embed author
identity (DID, username, timestamp) in Automerge change messages via
JSON envelope, with backward-compatible parsing for old plain strings.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Prevent foreignObject HTML clicks from starting node drag (select + inline edit instead)
- New source nodes get personalized "{username}'s stream to {flowName}" label
- Replace source type <select> dropdowns with clickable "Pay by" button grid
in ICP panel, editor panel, and source modal
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- L-1: Remove internal error details from SIWE verify response
- L-2: Stop forwarding raw Safe API error bodies to clients (log server-side)
- L-3: Evict stale keys from nonce rate limiter to prevent memory leak
- L-4: Add input length/type guards on wallet-link verify body fields
- L-5: Sanitize and cap limit query param on Safe transfers route (max 200)
- L-6: Server recomputes addressHash from SIWE address instead of trusting
client-supplied value for dedup
- L-7: Reset LinkedWalletStore singleton on logout to clear cached keys
- I-1: Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers
- I-9: Build EIP712Domain type array dynamically from domain fields in
ExternalSigner.signTypedData (was hardcoded to empty, dropping fields)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- H-3: Rate limit wallet-link nonce to 5 per user per 5 minutes (429)
- H-4: Verify sender address matches JWT walletAddress in add-owner-proposal;
also include walletAddress in JWT eid claims
- M-1: Sanitize EIP-6963 provider icons — only allow https: and safe
data:image/(png|jpeg|gif|webp), block SVG and javascript: URIs
- M-2: Validate threshold is a positive integer ≤ newOwnerCount, fetch
actual Safe owner list for bounds checking
- M-3: Add VALID_ETH_ADDR regex validation to all 9 routes that accept
address params (Safe proxy, EOA proxy, propose, confirm, execute,
add-owner-proposal) to prevent SSRF via path traversal
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
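The M-1 and M-3 checks from the commit above, sketched as an added example that is not the project's own code. `VALID_ETH_ADDR` is the name the commit message uses; its pattern, the helper names, the size cap and the `safe-api.example` host are assumptions.

```javascript
// Added example: allowlist validation before a value reaches a proxy path or the DOM.
// Pattern is an assumption; the commit only names the constant.
const VALID_ETH_ADDR = /^0x[0-9a-fA-F]{40}$/;

// M-3: build the upstream URL only from a validated address, so input such as
// "../../admin" can never change which path the server-side proxy requests.
function buildUpstreamUrl(base, address) {
  if (typeof address !== "string" || !VALID_ETH_ADDR.test(address)) {
    return null; // caller should answer 400 instead of proxying
  }
  return new URL(`/api/v1/safes/${address}/`, base).toString();
}

// M-1: raster data: URIs only; SVG is excluded because it can carry script.
const SAFE_DATA_IMAGE =
  /^data:image\/(png|jpeg|gif|webp);base64,[A-Za-z0-9+/]+=*$/;

// Return a usable icon URI, or null so the UI falls back to a placeholder.
function sanitizeProviderIcon(icon) {
  if (typeof icon !== "string" || icon.length > 100000) return null;
  const value = icon.trim();
  if (SAFE_DATA_IMAGE.test(value)) return value;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return null; // not an absolute URL at all
  }
  // Compare the parsed scheme, not a string prefix, so odd casing or
  // embedded whitespace cannot slip a javascript: or data: URI through.
  return parsed.protocol === "https:" ? parsed.toString() : null;
}

// Constructed sample inputs (not taken from the project).
const SAMPLE_ICONS = [
  "https://wallet.example/icon.png",
  "data:image/png;base64,iVBORw0KGgo=",
  "data:image/svg+xml;base64,PHN2Zz4=",
  "http://wallet.example/icon.png",
];

function checkSampleIcons() {
  return SAMPLE_ICONS.map((icon) => sanitizeProviderIcon(icon) !== null);
}
```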
- C-1: Replace Base64 fake encryption with real AES-256-GCM server-side
encryption for linked wallet data (HKDF-derived key from JWT_SECRET)
- H-1: Escape token name/symbol in balance table to prevent XSS
- H-2: Salt address hash with user ID to prevent cross-user correlation
- M-4: Remove cleartext sessionStorage cache for linked wallets
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
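What C-1 and H-2 in the commit above amount to, as an added Node.js example that is not the project's own code. The HKDF salt and info labels, the record layout (IV, tag, ciphertext), binding the user ID as AAD, and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

// "Before": Base64 is an encoding. Anyone who reads the stored value reads the data.
const fakeEncrypt = (data) => Buffer.from(JSON.stringify(data)).toString("base64");

// Derive a dedicated 32-byte AES key from the server secret with HKDF-SHA256,
// so the JWT signing secret is never used directly as an encryption key.
// The salt and info labels are assumptions; info binds the key to one purpose.
function deriveKey(secret) {
  return Buffer.from(
    crypto.hkdfSync("sha256", secret, "linked-wallets-salt", "linked-wallets:v1", 32));
}

// Encrypt JSON-serialisable data. userId goes in as AAD (an assumption), so a
// record copied into another user's row fails authentication on decrypt.
function encryptWallets(key, userId, data) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Layout assumed above: 12-byte IV, 16-byte tag, then ciphertext.
function decryptWallets(key, userId, blob) {
  const raw = Buffer.from(blob, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(userId));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the ciphertext, tag or AAD does not match.
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// H-2: hash the address together with the user ID, so the same address linked
// by two users produces two unrelated dedup values.
function addressHash(userId, address) {
  return crypto.createHash("sha256")
    .update(`${userId}:${address.toLowerCase()}`).digest("hex");
}
```

Rotating the secret invalidates every stored record under this scheme, so a versioned info label (as in `linked-wallets:v1`) leaves room for re-encryption.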