Migrate the entire admin section from the dark guild-* Tailwind theme
to the zine design system (dashed borders, CSS custom properties,
Brygada 1918 + Commit Mono, cream/dark mode palette).
- Replace admin top-nav layout with sidebar matching default layout
- Reskin dashboard, members, events, series management pages
- Reskin events/create and series/create form pages
- Add dev-only test login endpoint (GET /api/dev/test-login)
- Redirect duplicate admin/dashboard.vue to /admin
- Update CLAUDE.md design system docs
Wrap auth-dependent sidebar navigation and meta in ClientOnly with
SSR fallback slots to prevent hydration mismatch that caused all
authenticated nav links to point to wrong pages. Fix admin events
page crash by replacing empty string USelect values with 'all'.
Move sign out below wiki button, tweak hover color, remove email
field label, rename 'Join Ghost Guild' to 'Pre-Register', and
remove 'Don't have an account?' text from login modal.
Hide 'Coming Soon' text when authenticated, change greeting to
'Welcome, Name' with inline underlined sign-out link, and force
Inter (font-sans) on all text.
Remove redundant checkMemberStatus() from coming-soon page since the
auth-init plugin already handles it. Add in-flight request deduplication
to prevent concurrent calls from any source. Strip debug console.logs.
The .woff2 files are missing from public/fonts/, causing failed requests
that 302 redirect and stall page load (16+ seconds). Swap display font
to Georgia as a fallback until Quietism files are available.
Instead of sending members directly to the wiki (where they hit
Outline's login page and have to click again), land them on the
coming-soon page which shows a welcome message and wiki link.
Adds memberInviteSchema and bulkMemberImportSchema needed by the invite
and CSV import endpoints. Adds inviteEmailSent/inviteEmailSentAt fields
to member model. Adds the bulk import API route.
Native <input type="checkbox"> elements were invisible in production
because @tailwindcss/forms is not installed. UCheckbox renders properly
with the Nuxt UI theme.
Coming-soon page now shows a magic link login form for unauthenticated
visitors and a wiki link + sign out for logged-in members. The
coming-soon middleware allows /admin routes through (still protected by
admin middleware). A /login redirect page ensures invite email links work.
Invite tokens now include a redirect claim so the verify endpoint
can distinguish them from regular login tokens. Only invite links
redirect to wiki.ghostguild.org; normal logins go to /members.
Invite emails now include both plain text and HTML versions. The
{loginLink} placeholder renders as a styled button in HTML email
clients. Other URLs in the template are auto-linked. The auth verify
endpoint redirects to wiki.ghostguild.org instead of /members.
Remove auth bypass from coming-soon middleware so no one can access
the in-development site in production. Remove unused login button
from coming-soon page since wiki has its own OIDC login flow.
Replace generic card layout with editorial-style login gate using
display typography, gradient divider, scoped CSS with design system
tokens, and smooth form-to-confirmation transitions.
The oidc-provider generates form actions using http:// despite proxy
trust settings, causing an insecure form submission warning. Rewrite
the form action URL to https:// before rendering.
The oidc-provider generates form actions with http:// URLs that
conflict with the CSP form-action directive. OIDC routes serve
self-contained HTML outside Nuxt, so CSP is not needed there.
The OIDC provider was falling back to config.public.appUrl for its
issuer, which could resolve to an http:// URL. This caused the logout
form action to use http://, violating the CSP form-action directive.
Hardcode the issuer fallback to https://ghostguild.org.
- Simplified the magic link email format to plain text for better compatibility.
- Updated the welcome email to use plain text and changed the sender address to match the domain.
- Enhanced event registration email format to plain text, removing HTML styling for a cleaner approach.
Add guild-styled HTML templates for OIDC logout confirmation, post-logout
success, and error pages. Update wiki login heading to brand convention
(candlelight + warm-text). Restyle magic link email from blue to guild
colour tokens.
Add JWT-verified session check to coming-soon middleware so logged-in
members can access the full site. Add member login link and modal to
the coming-soon page so members can sign in before launch.
The /oidc/[...] server catch-all was intercepting /oidc/login before
the Nuxt page router could render it. Moving the page outside /oidc/
avoids the conflict entirely.
The server catch-all route was intercepting /oidc/login and passing
it to oidc-provider, which returned 404. Now it falls through to
the Vue page router instead.
Adds schema-based input validation across helcim, events, members,
series, admin, and updates API endpoints. Removes the peer-support
debug test endpoint. Adds validation test coverage.
Configure oidc-provider routes with explicit /oidc prefix so the
discovery document and token endpoints resolve correctly. Previously
the catch-all stripped the prefix, causing the provider to generate
URLs without it.
Add oidc-provider with MongoDB adapter so ghostguild.org can act as
the identity provider for the self-hosted Outline wiki. Members
authenticate via the existing magic-link flow, with automatic SSO
when an active session exists. Includes interaction routes, well-known
discovery endpoint, and login page.
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
passed to new Member(), only validated fields (email, name, circle,
contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)
