The demo Automerge doc had visibility: "private" from initial creation.
ensureDemoCommunity now forces visibility to "public" on every startup
if it drifted.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Was reading `auth_token`, should be `encryptid-token`. Also removes
the premature client-side auth guard that blocked signed-in users.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1. Add GET /rvote/api/* to public endpoint whitelist so proposal
listings work on private/permissioned spaces without auth.
2. Campaign wizard now checks for auth token before POSTing,
showing "Please sign in" instead of a cryptic 401.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The sub-path middleware (/:space/:moduleId/*) already blocked disabled
modules, but the root path (/:space/:moduleId) didn't. Now both paths
consistently check enabledModules before allowing access.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1. Remove all rvote/proposals fetching from rstack-user-dashboard.
rApp-specific data (proposals) should stay within the rVote module,
not leak into the space-level dashboard.
2. Fix url.protocol in bare-domain redirects — TLS is terminated by
Cloudflare/Traefik so url.protocol is always http: internally.
Use https: for production domains.
3. Rewrite /{space}/api/... paths internally on bare domain instead
of redirecting to subdomain (avoids CORS + mixed content issues).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two fixes:
1. Bare-domain routing used url.protocol (always http: behind TLS
termination) for redirects, causing mixed-content blocks. Added
proto helper that uses https: on production domains. Also rewrite
/{space}/api/... calls internally instead of redirecting to the
subdomain.
2. rDesign SSE stream reader now catches QUIC protocol errors on
stream close gracefully.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add .catch() to the ReadableStream reader loop so Cloudflare QUIC
protocol resets on stream close don't surface as uncaught errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Scribus --python-script flag requires GUI initialization which
blocks in headless environments. Instead, run the runner as a separate
supervisor-managed Python process (always-on socket server). The bridge
server now simply verifies the socket exists rather than launching
Scribus.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Scribus 1.5 --no-gui mode doesn't execute --python-script properly.
Remove the flag and let Scribus use the Xvfb display, which also
enables the runner to create the bridge socket.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Canvas now uses the same rstack-collab-overlay component as all other
rApps instead of its own custom #people-online-badge. Header restructured
to match renderShell() layout (history/settings in dropdown-wraps on left).
Bridge API (updatePeer/removePeer/setConnState/clearPeers) lets canvas
feed CommunitySync peers into the shared component.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The bridge's /start endpoint was returning "already running" even when
the runner script had crashed (socket gone). Now kills zombie Scribus
and restarts. Agent route also verifies runner connectivity after start.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When no known accounts exist in localStorage, show a username/email
input field instead of immediately triggering the unscoped passkey
picker. User types their username, then gets a scoped passkey prompt
for only that account's credentials.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Non-demo space dashboards now redirect logged-out visitors to
rspace.online/ instead of showing another user's rApp grid. Private
space module pages redirect to rspace.online/{moduleId} instead of
showing the sign-in gate overlay.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rewrite rDesign UI from cramped textarea+step-log to proper split-screen:
left = chat conversation with bubbles, right = interactive SVG editor
with click-to-select, drag-to-move, and corner-handle resize.
SSE keepalive pings every 15s prevent Cloudflare QUIC stream drops.
Tool calls now show human-readable descriptions in collapsible details.
Gemini reasoning text included in thinking events.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Logout no longer removes the account from the picker — users see
"Sign in as [username]" on next visit. fetchScopedCredentials now
returns full PublicKeyCredentialDescriptor with transports so the
browser can locate the right authenticator without showing a picker.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Scoped passkey prompts via /api/auth/start so the browser only shows
matching credentials for the selected account. Known accounts stored
in localStorage and surfaced as a picker (1 account = named button,
multiple = list). "Use a different account" falls back to unscoped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Simplify FunnelNodeData from 4-tier thresholds to 2 fields (overflowThreshold + capacity),
replace 3-tier spending multiplier with flat drainRate. Rewrite folk-flow-river.ts as clean
Sankey-style SVG renderer (~580 lines, was ~1043). Add migrateFunnelNodeData() for backward
compat with saved flows. Net -616 lines.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
After logout, reload the page so the server re-renders the current rApp
in logged-out/demo mode instead of showing a blank screen. Cross-tab
logout also triggers a reload. Space dashboard now redirects logged-in
users to the rSpace canvas instead of showing the rApp grid.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Changed syncTabsFromServer to replace local tabs with server tabs
instead of merging (union). This prevents tabs closed in browser A
from being resurrected when browser B refreshes. Also added server
sync to the iframe module landing path which was localStorage-only.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rstack-identity is the actual sign-out component used in production.
clearSession() now calls /api/session/logout, and connectedCallback
validates the session with the server to detect revocation. Also
updated the auth.rspace.online profile page handleLogout().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The bare-domain router redirects /demo/... paths to demo.rspace.online
with http:// protocol, causing mixed content errors. Use the current
page path as the base URL instead of constructing an absolute path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The actual logout UI is in rspace-header.ts (not the encryptid login
button component). clearSession() now calls /api/session/logout, and
on page load the header validates the session with the server to detect
revocation from another browser session.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The write-method middleware was returning 403 for POST /api/design-agent
because the module lacked publicWrite: true.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a user logs out in one browser, all other sessions are now revoked
on their next page load or token refresh. Adds logged_out_at column to
users table, server-side revocation checks on verify/refresh endpoints,
and a new /api/session/logout endpoint.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The demo space auth middleware was blocking POST requests with 403.
Add /rdesign/api/ to isPublicEndpoint list, matching rwallet pattern.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pass encryptid auth token in design-agent API requests. Replace
non-existent --rs-bg-elevated with real theme variables and remove
hardcoded dark fallbacks so the UI works in both light and dark mode.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three fixes for S-curve appearance:
- Constant width throughout each waterfall (no taper between source/river)
- Stack inflow waterfalls side-by-side at funnel top proportionally
- Widen spending drain to 80% of vessel bottom width
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Forward Automerge change that overwrites content fields with snapshot data,
preserving meta and full history. Also fixes pre-existing TS errors in
folk-flow-river (undefined exitX) and test-full-loop (StepResult type).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- ZIP import: Google Takeout + generic FeatureCollection ZIP via JSZip
- Route requests: "Ask to navigate" sends WebSocket route_request, toast notification with Navigate/Dismiss in other tab
- Chat: Automerge-backed persistent messages with MapChatMessage schema (v2), sidebar tab toggle, unread badge
- Indoor maps: <map-indoor-view> with c3nav raster tile proxy, level selector, Easter egg on Level 0 triple-click
- Indoor/outdoor toggle in controls bar and mobile FAB
- Cache bust v2→v3
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The "N online" collab badge was position:fixed at top:8px, overlapping
the header login area. Move it into the tab bar slot (main shell) or
header-right section (standalone shells) so it flows inline with other
chrome elements.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix USD estimation: add NATIVE_APPROX_USD price table for ETH, MATIC,
BNB, AVAX, xDAI, CELO, GNO; unknown tokens fall back to $0 instead of
raw token amounts (fixes wildly wrong river widths)
- Fix scroll hijacking: only intercept Ctrl+wheel (pinch-to-zoom) on
timeline, flow chart, and sankey; normal two-finger scroll passes through
- Collapse address bar to compact chip after wallet loads with Save/Change
- Promote watchlist as horizontal chip selector above dashboard; merge
example wallets as dashed "suggested" chips when watchlist is empty
- Default to timeline view after wallet detection (auto-loads transfers)
- Move balance/transaction tables to Details modal (pill button, overlay
with backdrop blur) — stats cards hidden in viz views since D3 shows them
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace raw Automerge change messages (e.g. "Update shape abc-123-uuid")
with human-readable text and contextual icons. Add per-entry timestamps
for clearer chronology within author groups.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Multi-day event span bars used grid-row/grid-column inside the same
CSS grid as auto-placed day cells. The grid auto-placement algorithm
skipped cells occupied by explicitly-placed spans, pushing day numbers
to wrong positions.
Fix: make .ev-span position:absolute with .grid position:relative.
Absolutely-positioned grid children still use grid-row/column for
their containing block but don't participate in layout flow. Also
account for expanded day-detail rows when calculating span grid rows.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Balance queries, Safe detection, and chain analysis are blockchain
reads that should work for any authenticated user regardless of
space membership. The route handlers enforce their own auth.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Compute overflow/spending pipe widths as proportional shares of
outflowWidthPx (matching edge formula: outflowWidthPx * flow/total)
instead of independent globalMaxFlow scaling.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The JS import and define() were added but the actual
<rstack-comment-bell> element was missing from canvas.html's
header HTML (which is separate from server/shell.ts).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Scale source stream, funnel inflow/overflow/spending, and outcome
inflow/overflow pipes using the same 8-80px global Sankey scale as
edges, replacing fixed-width cosmetic pipes with flow-consistent ones.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace the global "Your Spaces" grid with a space-centric dashboard showing
members, previously open tools, recent activity, active votes, and quick
actions. Fix layout cut-off by positioning dashboard fixed below header+tab
row (top: 92px) with sidebar-push support.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
AES-256-GCM encryption for 18 PII fields across 6 tables (users,
guardians, identity_invites, space_invites, notifications, fund_claims).
HMAC-SHA256 hash indexes for email/UP address lookups. Keys derived from
JWT_SECRET via HKDF with dedicated salts. Dual-write to both plaintext
and _enc columns during transition; row mappers decrypt with plaintext
fallback. Includes idempotent backfill migration script.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
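
The scheme described in the last commit message above, sketched as an added example; this is not the project's code. The secret, the salt and info labels, the `users.email` column label, the helper names, the lower-casing of e-mail before hashing, and the use of the column name as GCM associated data are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// HKDF-SHA256 with one dedicated salt per purpose (labels constructed for this example).
function deriveKey(secret, salt) {
  return Buffer.from(crypto.hkdfSync("sha256", secret, salt, "pii-v1", 32));
}

// AES-256-GCM with a fresh 96-bit IV per value; stored as base64(iv || tag || ciphertext).
// Assumption: the column name is bound as AAD so a ciphertext cannot be moved between columns.
function encryptField(key, column, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(column));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptField(key, column, stored) {
  const buf = Buffer.from(stored, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, buf.subarray(0, 12));
  decipher.setAAD(Buffer.from(column));
  decipher.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]).toString("utf8");
}

// Deterministic keyed hash for equality lookups (WHERE email_hash = ?) without storing plaintext.
function hashIndex(key, value) {
  return crypto.createHmac("sha256", key).update(value.trim().toLowerCase()).digest("hex");
}

// Transition period: write both columns; read _enc first and fall back to plaintext.
function writeEmail(keys, row, email) {
  row.email = email;
  row.email_enc = encryptField(keys.enc, "users.email", email);
  row.email_hash = hashIndex(keys.idx, email);
  return row;
}

function readEmail(keys, row) {
  return row.email_enc ? decryptField(keys.enc, "users.email", row.email_enc) : row.email;
}

// Constructed secret; separate keys for encryption and for the hash index.
const keys = {
  enc: deriveKey("constructed-jwt-secret", "example-salt-field-encryption"),
  idx: deriveKey("constructed-jwt-secret", "example-salt-hash-index"),
};
```

Until the plaintext columns are dropped after the backfill, the data is still stored unencrypted, and because both keys derive from JWT_SECRET, rotating that secret means re-encrypting and re-hashing every row.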