Deduplicate tag validation and regex escaping into shared auto-imported
utils. Add tag validation to wiki patch/batch-tag routes. Remove
duplicate tags field from event schema.
The Skills Exchange + Peer Support feature was replaced by Community
Connections on 2026-04-05, but several files and code paths were left
in place as backward-compat. None are reachable from the live UI:
- usePeerSupport.js composable: not imported anywhere
- PeerSupportBadge.vue: not imported anywhere
- peer-support.vue: stub redirect with no incoming links
- /api/peer-support.get.js: only consumed by usePeerSupport
- /api/members/me/peer-support.patch.js: same
- profile.patch.js offering/lookingFor write branches: profile form
no longer sends these fields (only writes communityConnections.*)
- PEER_SUPPORT_ENABLED/DISABLED activity types and renderers: only
written by the deleted peer-support.patch endpoint. The activityText
formatter has a fallback for unknown types so existing records
still display ("peer support enabled" with a generic icon).
Tests updated to drop peerSupportUpdateSchema coverage and the
offering/lookingFor passthrough assertion.
schemas.js cleanup deferred — concurrent communityConnections →
communityEcology rename is in flight in the working tree.
Admins can now surface dismissed alert types without waiting for the
underlying data to change. Adds a collapsible "Restore dismissed"
section below the active alerts with per-type checkboxes.
- ALERT_METADATA map in adminAlerts.js as the single source of truth
for slug → title/severity; detectors refactored to reference it
- GET /api/admin/alerts/dismissed returns this admin's dismissals
joined with metadata (title, severity, dismissedAt)
- POST /api/admin/alerts/restore deletes dismissals by alertType[],
returns the deleted count
- AdminAlertsPanel fetches both active + dismissed; stays visible
when either is non-empty; checkboxes + "Restore selected" button
- adminAlertRestoreSchema validates the POST body against the enum
- Auth guards test covers both new routes
Admin interface to review, filter, and batch-invite the 95 pre-registrants
from Baby Ghosts. Accept-invitation page pre-fills their data and collects
circle, pronouns, motivation, contribution tier, and agreement before
creating their member record.
Adds COMMUNITY_CONNECTIONS_UPDATED, CONNECTION_REQUESTED, CONNECTION_CONFIRMED,
and TAG_SUGGESTED to ACTIVITY_TYPES, ACTIVITY_TYPE_DEFAULTS, the Mongoose enum,
and activityText formatters. All four default to member visibility.
- GET /api/tags — public, filterable by ?pool=craft|cooperative, active only, sorted by label
- POST /api/tags/suggest — auth-required, creates TagSuggestion doc
- Add tagSuggestionSchema and communityConnectionsUpdateSchema to schemas.js
- Extend memberProfileUpdateSchema with craftTags, craftTagsPrivacy, communityConnectionsPrivacy
Adds memberInviteSchema and bulkMemberImportSchema needed by the invite
and CSV import endpoints. Adds inviteEmailSent/inviteEmailSentAt fields
to member model. Adds the bulk import API route.
The oidc-provider generates form actions using http:// despite proxy
trust settings, causing an insecure form submission warning. Rewrite
the form action URL to https:// before rendering.
The OIDC provider was falling back to config.public.appUrl for its
issuer, which could resolve to an http:// URL. This caused the logout
form action to use http://, violating the CSP form-action directive.
Hardcode the issuer fallback to https://ghostguild.org.
- Simplified the magic link email format to plain text for better compatibility.
- Updated the welcome email to use plain text and changed the sender address to match the domain.
- Enhanced event registration email format to plain text, removing HTML styling for a cleaner approach.
Add guild-styled HTML templates for OIDC logout confirmation, post-logout
success, and error pages. Update wiki login heading to brand convention
(candlelight + warm-text). Restyle magic link email from blue to guild
colour tokens.
Adds schema-based input validation across helcim, events, members,
series, admin, and updates API endpoints. Removes the peer-support
debug test endpoint. Adds validation test coverage.
Configure oidc-provider routes with explicit /oidc prefix so the
discovery document and token endpoints resolve correctly. Previously
the catch-all stripped the prefix, causing the provider to generate
URLs without it.
Add oidc-provider with MongoDB adapter so ghostguild.org can act as
the identity provider for the self-hosted Outline wiki. Members
authenticate via the existing magic-link flow, with automatic SSO
when an active session exists. Includes interaction routes, well-known
discovery endpoint, and login page.
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
passed to new Member(), only validated fields (email, name, circle,
contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.
CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.
Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.
Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.
XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.
Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.
Mass assignment: Remove helcimCustomerId from profile allowedFields.
Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.
Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
