This commit was created on GitHub.com and signed with GitHub’s verified signature.
Added
Pregnancy test day field. An always-shown day field (none / negative / positive) in the dashboard and calendar day editors. A positive test with no later cycle start pauses cycle predictions until a new period is logged. The field is part of the /api/v1/days payload (docs/openapi.yaml) and the owner CSV and JSON exports (docs/export.md); the CSV column is appended at the end so existing column positions stay stable.
Security
All /api/v1 read endpoints are now owner-gated. GET /users/current, /days, /days/:date, and /stats/overview chain handler.OwnerOnly after AuthRequired, matching every mutation. Behavior-neutral for the single-role (owner) product — AuthRequired already rejects any non-owner role — closing a defense-in-depth uniformity gap.
Security documentation corrected to match the code. Recovery codes are 12 base32-style characters (~60 bits of entropy), not "12 hex / 48 bits"; the documented CSP now includes manifest-src 'self'; the /auth/oidc rate-limit row and the companion security headers (COOP, X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, HSTS) are documented; the web product is clarified as single-role (owner).
Internal
Raised internal/security OIDC config-validation and internal/db repository test coverage (token/state TTL, daily-log read whitelist, symptom owner-scoping).