v1.3.0 — Custom Multi-Chapter Test Builder

What's New

Features

• Custom Test Builder — Students can now build a personalised test by selecting chapters across multiple subjects in a 3-step wizard:
  • Step 1 — Select Board & Grade
  • Step 2 — Browse subjects, add chapters to a basket (removable chips); freely switch subjects to pick across subjects
  • Step 3 — Review AI-generated chapter summaries before starting the test
• Multi-Chapter Question Merging — Questions from all selected chapters are merged by mark-band: Section A (1-mark) → Section B (3-mark) → Section C (5-mark), shuffled within each section
• Chapter Summaries — AI-generated 3–5 sentence summaries for each chapter, cached after first generation (GET /api/chapter-summary/<id>)
• New API Endpoint — POST /api/start-custom-test accepts multiple chapter IDs and builds a combined test session

Bug Fixes

• Fixed 500 error on Admin → Students tab when a student record had a NULL created_at timestamp

v1.2.1

What's New

Features

• Bulk PDF Upload — Upload multiple chapter PDFs at once with live per-file progress
• Student Login & Progress — Student accounts with session tracking and progress dashboard
• PDF Viewer — In-app PDF viewer on the student side
• Chapter Rename — Admins can rename chapters directly from the dashboard
• AI Model Selection — Admins can switch Claude models from the settings panel (60s cache + instant invalidation)

Improvements

• Hint API moved to /api/student/hint namespace with 30 hints/session rate limit
• Cross-platform pdftotext binary resolution via shutil.which()
• Null-safe chapter fields in student progress (handles deleted chapters gracefully)
• Subject validation on upload; unique chapter name deduplication

Bug Fixes

• Fixed pdftotext path self-reference bug in pdf_service.py
• Fixed module-level imports in admin.py (previously inside function scope)
• Added null guard for questions_json in student sessions

v1.2.0 — Tabs, Security Hardening & PDF Reliability

What's New

Admin Panel

• Tabbed dashboard — Admin panel now has four tabs: Upload, Content, Students, and Progress, replacing the previous single scrolling page
• Predefined subject dropdown — Subjects are now selected from a fixed list (Maths, Physics, Chemistry, Biology, History, Civics, Geography, Hindi, English) in both single and bulk upload forms

Bulk Upload

• Sequential file processing — Files are uploaded one at a time to avoid 32 MB limits and 504 gateway timeouts on large PDFs
• Live progress indicator — Each file row updates in real time as it is processed; the button shows "Processing N of M…"
• Automatic duplicate handling — If a chapter name already exists, a numeric suffix is appended automatically (e.g. Chapter 1 (2))

PDF Extraction

• 3-strategy cascade — Text extraction now tries pdftotext (poppler C binary) first, then pypdf, then pdfplumber as a final fallback
• Eliminates 504 Gateway Timeout errors caused by Python-based parsers hanging on complex or large PDFs

Security Hardening (pen-test fixes)

• Login rate limit tightened — /api/admin/login and /api/student/login are now limited to 5 requests/minute with burst=2 (previously shared the general 30 r/m zone)
• Username enumeration fixed — Student login now returns the same generic error for both "name not found" and "wrong PIN" cases
• Retry-After: 60 header — All 429 responses now include a Retry-After header and a JSON body instead of nginx HTML
• HTTP bare-IP redirect — Direct HTTP access via IP now returns a 301 redirect to the HTTPS hostname
• API error handling — Frontend gracefully handles non-JSON nginx error responses (429, 502, 503) instead of throwing a parse error

Fixes

• Fixed pdftotext not found in gunicorn process due to systemd PATH restriction — now uses absolute path /usr/bin/pdftotext

---

Upgrade Notes

• Install poppler-utils on the server if not already present: sudo apt install poppler-utils
• No database migrations required
• Rebuild frontend: cd frontend && npm run build

v1.1.3

What's New

Bulk PDF Upload

• Upload multiple chapter PDFs at once for the same board/grade/subject
• Chapter names are automatically extracted from the first page of each PDF
• Results table shows per-file status, extracted name, character count, and any warnings

Chapter Rename

• Inline rename directly in the bulk upload results table after upload (✏ button)
• Inline rename in the Uploaded Content table for any existing chapter
• Duplicate name check within the same board/grade/subject — rejected with a clear error
• Enter to save, Escape to cancel

PDF Viewer

• Click any chapter name in the Uploaded Content table to open the original PDF in a full-screen modal viewer
• Close by clicking × or anywhere on the backdrop

API Changes

Method	Endpoint	Description
POST	/api/admin/bulk-upload	Upload multiple PDFs in one request
GET	/api/admin/chapter/<id>/pdf	Serve chapter PDF inline
PATCH	/api/admin/chapter/<id>/rename	Rename a chapter

v1.1.2 — AI Model Selection

What's New

✨ AI Model Selection

Admins can now switch between Claude models directly from the Settings page — no server restart required.

• Claude Haiku (claude-haiku-4-5-20251001) — Fast and economical; ideal for most classrooms
• Claude Sonnet (claude-sonnet-4-5-20251015) — More capable; richer question generation and deeper answer feedback

The active model is stored in the database and takes effect immediately for all new question generation and answer evaluation. Previously cached questions are unaffected until manually regenerated.

🛠 Fixes & Improvements

• Fixed vite-frontend dev launcher to use an absolute cwd path (resolves startup issues when Claude Code is run from a different working directory)
• Updated README: AI model selection docs, corrected SECRET_KEY requirement, added new API endpoints, updated tech stack

New API Endpoints

Method	URL	Description
GET	/api/admin/model-config	Returns available models and the currently active model
POST	/api/admin/save-model	Switches the active Claude model

Upgrade Notes

No database migrations required. The model selection defaults to claude-haiku-4-5-20251001 until changed via Admin Panel → Settings → AI Model.

Commits

• 0efc831 — Add Claude model selection to Admin Settings
• 7cf23cb — Fix absolute cwd path for vite-frontend in launch.json
• 70b2c17 — Docs: update README for AI model selection feature

Full Changelog: v1.1.1...v1.1.2

v1.1.1 — Security Hardening

Security Hardening Patch

This patch release addresses security findings from a full deployment audit of the production server.

🔒 Server-Side Fixes (applied directly to production)

Fix	Detail
UFW Firewall	Installed and configured — only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) allowed inbound. Port 111 (rpcbind) and all other ports blocked.
fail2ban	Installed with SSH jail (3 failed attempts → 24h ban) and nginx bot-search jail (2 attempts → 24h ban) to mitigate active brute-force attacks.
HTTP Security Headers	Added Strict-Transport-Security, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, and Content-Security-Policy to all nginx responses.
Nginx Rate Limiting	API endpoints limited to 30 req/min (burst 10); general routes limited to 60 req/min (burst 20). Returns HTTP 429 on excess.
Nginx Version Hidden	server_tokens off added — response header now shows Server: nginx with no version number.
.env Permissions	Changed from 0664 (group-readable) to 0600 (owner-only).
opc User Locked	Oracle Cloud default opc user shell changed from /bin/sh to /usr/sbin/nologin.

🔒 Code Fixes (in this release)

Strict SECRET_KEY Validation (config.py)

• Removed the hardcoded fallback value 'chapterwise-secret-change-in-prod-2024'
• App now raises a RuntimeError at startup if SECRET_KEY is missing or empty — prevents silent use of a known insecure default

CORS Origin Scoping (app.py)

• Added PRODUCTION_ORIGIN environment variable support
• Set PRODUCTION_ORIGIN=https://your-domain.com in .env to allow your production domain
• localhost origins remain for local development only

⚙️ Upgrade Notes

If upgrading from v1.1.0:

1. Ensure your .env file has a SECRET_KEY set — the app will refuse to start without it:

   python3 -c "import secrets; print(secrets.token_hex(32))"

2. For production deployments, add your domain to .env:

   PRODUCTION_ORIGIN=https://your-domain.com
   

3. Restart the service after updating:

   sudo systemctl restart chapterwise

No database migrations required.

---

Full Changelog

• 08e4941 Security hardening: SECRET_KEY validation and CORS scoping

v1.1.0 — Question Shuffling, Student Progress & Node.js 24

What's New in v1.1.0

✨ New Features

🔀 Question Shuffling

• Questions are now randomised on every new test attempt — students see a different order each time they take the same chapter test
• The question bank is generated once and cached as before; only the presentation order changes per session

📊 Student Progress (Admin Panel)

• New Student Progress section in the Admin Dashboard
• See every student's test attempts in one searchable, paginated table (10 rows per page)
• Columns: Student · Chapter · Grade/Board · Questions answered/total · Score · Time taken · Date · Status
• Click View on any row to open a detailed breakdown — score summary, percentage, time, and per-question view with covered/missed points and feedback
• Filter by student name/chapter and by status (active, completed, expired)

🖼️ Logo

• ChapterWise logo is now committed to the repository (frontend/public/logo.png) — no manual file copy needed after cloning
• Logo is displayed in the header of every page (student login, selection, test, admin)

⚙️ Infrastructure & Fixes

Node.js 24 LTS

• Project now requires Node.js 24.14.0+ (upgraded from 18+)
• .nvmrc added at root and frontend/ — run nvm use to automatically switch to the correct version
• engines field added to frontend/package.json enforcing Node ≥24.14.0 and npm ≥10

Production Deployment Fix

• Added module-level app = create_app() to app.py so gunicorn can locate the application object correctly
• Increased gunicorn worker timeout to 120 seconds (from default 30s) to accommodate Anthropic API response times
• Added matching proxy_read_timeout 120s to nginx config

Developer Experience

• .claude/launch.json added — defines flask-backend and vite-frontend server configurations for one-click local startup

📝 Documentation

• README updated: React 19, React Router v7, Node.js 24.14.0+
• Student Progress and question shuffling documented in features list
• GET /api/admin/student-progress added to API reference
• Removed manual logo setup step (logo now in repo)
• Corrected project structure descriptions

---

Upgrade Notes

If you are running v1.0.0 on a server:

1. Pull the latest code
2. Run npm install && npm run build in the frontend/ directory
3. Restart the gunicorn service
4. Update your gunicorn service to include --timeout 120 if you experience timeouts during question generation

No database migrations are required — all new features use existing tables.

---

Full Changelog

• 5f27097 Shuffle questions on each new test attempt
• d178c54 Add student progress section to admin panel
• 6ce32ea Add logo image files to fix missing logo across all pages
• 01046cd Add module-level app = create_app() for gunicorn compatibility
• 07ab31d Upgrade Node.js requirement to v24.14.0 LTS
• 9057200 Add launch.json for local dev server configuration
• fbd623d Update README to reflect Node.js 24.14.0+ requirement
• e461a7a Update README with accurate versions and new features

ChapterWise v1.0.0 — Initial Release

AI-powered chapter-wise test platform for Indian school students (Grade 6–10). Students practise by answering CBSE-pattern questions verbally; Claude evaluates key-point coverage and gives instant encouraging feedback.

Highlights

Student Portal

• PIN-based login (teacher-assigned name + 4-digit PIN, no self-registration)
• Board → Grade → Subject → Chapter cascading selection
• CBSE-pattern question paper: Section A (1-mark), Section B (3-mark), Section C (5-mark)
• Questions scaled to chapter size — 20 to 35 questions covering every subtopic
• Marks-aware hints showing how much detail is expected per question
• Voice answers via Web Speech API with real-time transcription
• Text-to-Speech question playback with replay button
• Per-question AI feedback: covered points shown in green, missed points in amber
• Full test summary with total score, section-wise breakdown, and per-question detail
• 30-minute inactivity session timeout with automatic expiry

Admin Panel

• Student account management — create, delete, and reset PINs
• PDF upload with board, grade, subject, and chapter metadata
• Content management — view, organise, and delete uploaded chapters
• Question cache with Refresh button to force regeneration
• Anthropic API key management via UI (no server restarts needed)
• Admin password change from the settings page

UI & Branding

• ChapterWise logo displayed on every page
• Blue-to-green gradient colour scheme
• Fully responsive layout for phones and tablets

Tech Stack

Layer	Technology
Backend	Python 3.9+, Flask 3.0, SQLAlchemy, SQLite
AI	Anthropic Claude API (claude-haiku-4-5)
PDF Extraction	pdfplumber
Frontend	React 18, Vite, React Router v6
Voice Input	Browser Web Speech API (en-IN)
Text-to-Speech	Browser speechSynthesis API
Auth	bcrypt, Flask sessions, PIN-based student login

Getting Started

See the README for full installation and setup instructions.

Voice input requires Google Chrome or a Chromium-based browser. Students on unsupported browsers can type their answers instead.