- AtelierBrainPage.svelte with full CRUD UI
- Capture bar: paste URL or type note, saves instantly
- Folder signal cards with counts
- Hybrid search (keyword + semantic)
- Item feed with metadata, tags, confidence indicators
- Detail slide-over sheet with summary, metadata, actions
- Added to AppShell nav, legacy Navbar, and layout allApps
- Route at /brain

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Gateway proxies /api/brain/* to brain-api:8200/api/* via pangolin network
- User identity injected via X-Gateway-User-Id header
- Brain app registered in gateway database (sort_order 9)
- Added to GATEWAY_KEY_SERVICES for dashboard integration
- Tested: health, config, list, create all working through gateway

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Full backend service with:
- FastAPI REST API with CRUD, search, reprocess endpoints
- PostgreSQL + pgvector for items and semantic search
- Redis + RQ for background job processing
- Meilisearch for fast keyword/filter search
- Browserless/Chrome for JS rendering and screenshots
- OpenAI structured output for AI classification
- Local file storage with S3-ready abstraction
- Gateway auth via X-Gateway-User-Id header
- Own docker-compose stack (6 containers)
Classification: fixed folders (Home/Family/Work/Travel/Knowledge/Faith/Projects)
and fixed tags (28 predefined). AI assigns exactly 1 folder, 2-3 tags, title,
summary, and confidence score per item.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Dashboard surface now renders at 1280px matching the React mockup exactly.
All 9 pages verified: zero mobile overflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from
5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode).
All external calls now use default TLS verification.
2. Internal CORS: Removed permissive cors() from inventory and budget.
Both are internal services accessed only via gateway.
3. App visibility: Documented as cosmetic-only in layout.server.ts.
Nav hiding is intentional UX, not access control.
4. Disconnect safety: Added confirm() dialog before service disconnect
in Settings. Prevents accidental disconnects.
5. Inventory cleanup: Removed stale /test startup log message.
Replaced with API key status indicator.
6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit.
Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
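
Added example (not code from this repository): item 1 above removed `ssl.CERT_NONE` / `check_hostname=False` from the Trips call sites, and an AST check like this one, run in CI, can keep such bypasses from returning. It goes beyond the two patterns named in the commit by also flagging `verify=False` keyword arguments and `ssl._create_unverified_context`; the function name `find_tls_bypasses` and the sample source are constructed for illustration.

```python
import ast
import sys

# Constructed sample (not from the repository): the removed pattern beside the default one.
SAMPLE = '''
import ssl, urllib.request

def fetch_insecure(url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.urlopen(url, context=ctx).read()

def fetch_verified(url):
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    return urllib.request.urlopen(url, context=ctx).read()
'''

def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False

def find_tls_bypasses(source, filename="<source>"):
    """Return sorted (line, reason) pairs for code that disables certificate checks."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Attribute) and node.attr in (
                "CERT_NONE", "_create_unverified_context"):
            findings.add((node.lineno, "ssl." + node.attr))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            # Attribute assignment such as: ctx.check_hostname = False
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "check_hostname":
                    findings.add((node.lineno, "check_hostname=False"))
        elif isinstance(node, ast.keyword) and _is_false(node.value):
            # requests/httpx style verify=False, or check_hostname=False as a keyword
            if node.arg in ("verify", "check_hostname"):
                findings.add((node.value.lineno, node.arg + "=False"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python check_tls.py file1.py file2.py ...; exits 1 if anything is found.
    hits = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line, reason in find_tls_bypasses(fh.read(), path):
                print(f"{path}:{line}: {reason}")
                hits += 1
    if not sys.argv[1:]:
        print(find_tls_bypasses(SAMPLE))
    sys.exit(1 if hits else 0)
```

Because the check works on the syntax tree, a comment or string that merely mentions `CERT_NONE` is not reported.
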
- Removed fitness sub-pages from mobile More sheet (Food Library and
Quick Meals are already tabs on the fitness page)
- Added Fitness Goals section to Settings page with inline editing
- Goals show current values with Edit Goals button
- Edit mode: 2x2 grid with calorie/protein/carbs/fat inputs
- Save calls PUT /api/fitness/goals
- Works for both users independently
Multi-user:
- Madiha account with per-user nav visibility
- Dashboard greeting uses actual user display name
- Navbar and MobileTabBar accept visibleApps prop
- Madiha sees: Dashboard, Trips, Fitness, Budget, Media (no Inventory, Reader)
Goals editing:
- Goals page now has Edit Goals mode with inline number inputs
- Saves via PUT /api/fitness/goals
- Shows "No goals set" state for new users
Food library:
- Default view shows all shared foods (not just user's recent)
- Both users see the same food database
- Cleaned up duplicates: archived Eggs (kept Egg), Green Grapes (kept Grapes),
duplicate Bellwether Yogurt, Latte Macchiato (kept Madiha's Caramel Latte)
Add to meal buttons:
- "Add to breakfast/lunch/dinner/snack" now focuses the resolve input
and sets the meal type so AI logs to the correct meal
- Disable open /api/auth/register endpoint (gateway)
- Require gateway session auth on Immich and Karakeep hooks proxies
- Replace SHA-256 with bcrypt in fitness service (auth + seed)
- Remove hardcoded Telegram user IDs from fitness seed
- Add Secure flag to session cookie
- Add domain allowlist and content-type validation to image proxy
- Strengthen .gitignore (env variants, runtime data, test artifacts)