feat: full platform implementation — security, Mukoko compliance, features #17
Merged
bryanfawcett merged 6 commits into main on Mar 25, 2026
The backend was restructured from a single ~3400-line index.ts to a modular Hono-based architecture with 14 route modules, middleware layer, and utils. Updated all sections to match: routing docs, key files table with line counts, tech stack versions, middleware/utils docs, expanded database schema details (14 tables), frontend structure breakdown, and added test file inventory. https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz
The latest updates on your projects (Vercel for GitHub):

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful | mukoko-nhimbe-api | b7cc458 | Mar 25 2026, 11:03 PM |
…iance, and new features

Security fixes (17 vulnerabilities):
- Add writeAuth to unprotected routes (users, reviews, referrals)
- Restrict CORS to trusted origins (nyuchi.com, mukoko.com, nhimbe.com)
- Timing-safe API key comparison, 10MB upload limit, generic error messages
- Remove auth fallback user creation, add JWT to write API calls
- Redirect URL validation, search log truncation, pagination fix

Mukoko registry compliance:
- Structured logging with [mukoko] prefix (frontend + backend)
- Section error boundary with retry (3-layer pattern)
- Circuit breaker for external services (stytch, vectorize, ai, r2)
- Retry with exponential backoff and jitter
- AI safety middleware (prompt injection detection)

New platform features:
- Email notifications via Resend (5 templates, queue-based)
- Social sharing (WhatsApp-first share button, invite friends with referral)
- Recurring events & series (RRULE support)
- Waitlists with auto-promotion
- QR-based check-in and attendance tracking
- Payment infrastructure (Paynow provider abstraction)
- Host analytics endpoints
- CSV data export for registrations
- Event cancellation workflow
- User account deletion with PII anonymization
- Audit logging for destructive operations
- Categories moved to database with seed endpoint
- i18n infrastructure (English + Shona)
- PWA with service worker (cache-first static, network-first API)
- FTS5 full-text search migration

Test coverage: 370 tests (160 frontend + 210 backend)
New test files: events, registrations, users routes

https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz
…components

UI primitive layer (34 shadcn/Radix components):
- Installed: button, card, badge, input, dialog, drawer, tabs, select, dropdown-menu, separator, sheet, label, textarea, switch, toggle, scroll-area, skeleton, avatar, popover, tooltip, form, checkbox, radio-group, progress, calendar, sonner, spinner, collapsible, hover-card, navigation-menu, breadcrumb, pagination, table, toggle-group
- All use data-slot attributes, CVA variants, Radix primitives
- Added success/warning/error variants to Badge for domain needs
- Created ResponsiveModal (Drawer on mobile / Dialog on desktop)
- Refactored BottomSheetModal to use ResponsiveModal underneath

Component decomposition:
- create-event-form.tsx: 639 → ~270 lines
  Extracted: CoverImageUpload, ThemeSelector, EventOptionsCard, FormFieldRow
- event-detail-content.tsx: 512 → ~200 lines
  Extracted: EventCover, EventSidebar (with StatBox)

Compatibility fixes:
- variant="primary" → variant="default" across all consumers
- size="large" → size="lg"
- Removed custom badge/icon/variant props from Tabs, Input, Progress
- Added use-mobile hook from registry

https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz
…-bar, status-indicator, timeline, copy-button, file-upload, share-dialog, lazy-section, detail-layout

Adds 10 Mukoko registry components that go beyond standard shadcn primitives, providing domain-specific building blocks with mineral branding, data-slot attributes, and full TypeScript support.

https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz
- Replace duplicate renderStars() in event-ratings and host-reputation with Rating primitive
- Replace inline stat boxes in community-insights with StatsCard primitive
- Refactor share-button to use DropdownMenu + CopyButton primitives
- Refactor invite-friends to use Input + CopyButton primitives
- Refactor referral-leaderboard to use Button primitive
- Replace inline star in event-detail-content with Rating primitive
- Add use-toast hook (sonner wrapper)
- Add use-memory-pressure hook (Pressure Observer + deviceMemory fallback)
- Add fallback-chain utility (cascading data source pattern)

https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz
…wiring

Phase 1-2: Critical security fixes
- Fix SQL injection in payments webhook (parameterized queries + status whitelist)
- Fix authorization bypass in registrations (JWT auth instead of body.user_id)
- Add audit logging to event deletion and cancellation
- Add payment amount validation and env var checks

Phase 3: HTTP security headers
- Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS, Permissions-Policy, X-DNS-Prefetch-Control to next.config.ts

Phase 4: Accessibility
- Add prefers-reduced-motion media query to globals.css
- Add role="alert" to error boundary for screen reader announcements
- Replace raw button in error boundary with Button primitive

Phase 5: SEO
- Add page-level metadata to about, privacy, terms, events pages
- Add layout.tsx metadata for client pages (search, my-events, profile, calendar, help)
- Fix hardcoded JSON-LD eventStatus to use dynamic event status

Phase 6: Registry primitive wiring (46 instances across 21 files)
- Modals: capacity, category, date-time, description, location, ticketing
- Prompts: name, interests, location
- Pages: search, profile, profile/edit, help, home-client, events-client, my-events, event-actions
- Admin: events, users, support
- UI: theme-toggle, ai-description-wizard, event-ratings

All raw <button>, <input>, <textarea> replaced with Button, Input, Textarea, Label, Switch primitives from @/components/ui/.

https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz
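
The payments-webhook fix named in the commit message above (parameterized queries plus a status whitelist), sketched as an added example; it is not code from this pull request. The `Db` interface, the `payments` table, its columns and the body field names are hypothetical, and the webhook bodies used to exercise it are constructed.

```typescript
// Added example, not code from this pull request. The table, column and
// field names and the Db interface are hypothetical.
interface Db {
  run(sql: string, params: unknown[]): number; // number of rows changed
}

// In-memory stand-in that records each statement so it can be inspected.
class RecordingDb implements Db {
  calls: { sql: string; params: unknown[] }[] = [];
  run(sql: string, params: unknown[]): number {
    this.calls.push({ sql, params });
    return 1;
  }
}

type WebhookBody = { reference?: unknown; status?: unknown };
type Result = { ok: boolean; error?: string };

// BEFORE: body fields are spliced into the statement text, so a quote in
// either field changes the SQL that runs.
function updatePaymentUnsafe(db: Db, body: WebhookBody): number {
  const sql =
    `UPDATE payments SET status = '${body.status}' ` +
    `WHERE reference = '${body.reference}'`;
  return db.run(sql, []);
}

// AFTER: the status must be in a fixed set and both values are bound as
// parameters, so the statement text is a constant.
const ALLOWED_STATUSES: ReadonlySet<string> = new Set([
  "pending", "paid", "failed", "cancelled",
]);
const UPDATE_SQL = "UPDATE payments SET status = ? WHERE reference = ?";

function updatePaymentSafe(db: Db, body: WebhookBody): Result {
  const { reference, status } = body;
  if (typeof status !== "string" || !ALLOWED_STATUSES.has(status)) {
    return { ok: false, error: "invalid status" };
  }
  if (typeof reference !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(reference)) {
    return { ok: false, error: "invalid reference" };
  }
  const changed = db.run(UPDATE_SQL, [status, reference]);
  return changed === 1 ? { ok: true } : { ok: false, error: "unknown payment" };
}
```

Rejected bodies never reach the database, and the only statement text the hardened path can issue is `UPDATE_SQL`.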
bryanfawcett pushed a commit that referenced this pull request Apr 9, 2026
- #16: FilterBar scroll affordance - edge fade gradients that appear when content overflows left/right (ResizeObserver + scroll listener)
- #17: Search result images use lazy loading (img loading="lazy" instead of inline background-url CSS)
- #32: FAQ open state persisted to localStorage, restored on page load
- #35: Signage auto-refresh pause/resume toggle button (pause/play icons)
- #36: Calendar month/year quick-select dropdowns replace plain heading
- #37: Admin pagination page number buttons (up to 5 visible pages with sliding window) for both events and users tables
- #38: Admin sidebar shows all nav items - inaccessible ones greyed out with lock icon and "Requires X role" tooltip instead of hidden
- #39: Cmd+K / Ctrl+K keyboard shortcut navigates to /search from anywhere

https://claude.ai/code/session_01GBDmHPeMz4FCeN4fn5Ujnx
Summary
[mukoko] logging (frontend + backend), section error boundary with retry, circuit breaker for external services, retry with exponential backoff, AI safety middleware (prompt injection detection)

47 files changed, 3587 insertions, 175 deletions. 370 tests passing (160 frontend + 210 backend).
Test plan
- npx vitest run
- cd worker && npx vitest run
- cd worker && npx tsc --noEmit
- npm run lint
- npm run build
- RESEND_API_KEY configured

https://claude.ai/code/session_01VoNT9jtzVApFrV1ahA6pgz