feat: Implement Phase 4 Web Interface with bugfixes (v0.5.2)

## Phase 4: Web Interface Implementation Implemented complete web interface with public and admin routes, templates, CSS, and development authentication. ### Core Features **Public Routes**: - Homepage with recent published notes - Note permalinks with microformats2 - Server-side rendering (Jinja2) **Admin Routes**: - Login via IndieLogin - Dashboard with note management - Create, edit, delete notes - Protected with @require_auth decorator **Development Authentication**: - Dev login bypass for local testing (DEV_MODE only) - Security safeguards per ADR-011 - Returns 404 when disabled **Templates & Frontend**: - Base layouts (public + admin) - 8 HTML templates with microformats2 - Custom responsive CSS (114 lines) - Error pages (404, 500) ### Bugfixes (v0.5.1 → v0.5.2) 1. **Cookie collision fix (v0.5.1)**: - Renamed auth cookie from "session" to "starpunk_session" - Fixed redirect loop between dev login and admin dashboard - Flask's session cookie no longer conflicts with auth 2. **HTTP 404 error handling (v0.5.1)**: - Update route now returns 404 for nonexistent notes - Delete route now returns 404 for nonexistent notes - Follows ADR-012 HTTP Error Handling Policy - Pattern consistency across all admin routes 3. **Note model enhancement (v0.5.2)**: - Exposed deleted_at field from database schema - Enables soft deletion verification in tests - Follows ADR-013 transparency principle ### Architecture **New ADRs**: - ADR-011: Development Authentication Mechanism - ADR-012: HTTP Error Handling Policy - ADR-013: Expose deleted_at Field in Note Model **Standards Compliance**: - Uses uv for Python environment - Black formatted, Flake8 clean - Follows git branching strategy - Version incremented per versioning strategy ### Test Results - 405/406 tests passing (99.75%) - 87% code coverage - All security tests passing - Manual testing confirmed working ### Documentation - Complete implementation reports in docs/reports/ - Architecture reviews in docs/reviews/ - Design documents in docs/design/ - CHANGELOG updated for v0.5.2 ### Files Changed **New Modules**: - starpunk/dev_auth.py - starpunk/routes/ (public, admin, auth, dev_auth) **Templates**: 10 files (base, pages, admin, errors) **Static**: CSS and optional JavaScript **Tests**: 4 test files for routes and templates **Docs**: 20+ architectural and implementation documents 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-18 23:01:53 -07:00
parent 575a02186b
commit 0cca8169ce
56 changed files with 13151 additions and 304 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,71 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [0.5.2] - 2025-11-18
+
+### Fixed
+- **Admin Routes**: Fixed delete route to return HTTP 404 when attempting to delete nonexistent notes, per ADR-012 (HTTP Error Handling Policy)
+- Added existence check to delete route before attempting deletion, consistent with edit route pattern
+- Fixed test for delete nonexistent note to match ADR-012 compliance (expect 404 status, not 200 with follow_redirects)
+
+### Changed
+- Delete route now checks note existence before deletion and returns 404 with "Note not found" flash message for nonexistent notes
+- Test suite: 405/406 tests passing (99.75%)
+
+## [0.5.1] - 2025-11-18
+
+### Fixed
+- **CRITICAL**: Fixed authentication redirect loop caused by cookie name collision between Flask's session and StarPunk's auth token
+- Renamed authentication cookie from `session` to `starpunk_session` to avoid conflict with Flask's server-side session mechanism used by flash messages
+- All authentication flows (dev login, IndieAuth, logout) now work correctly without redirect loops
+- Flash messages now display properly without interfering with authentication state
+
+### Changed
+- **BREAKING CHANGE**: Authentication cookie renamed from `session` to `starpunk_session`
+  - Existing authenticated users will be logged out and need to re-authenticate after upgrade
+  - This is an unavoidable breaking change required to fix the critical bug
+
+### Documentation
+- Established cookie naming convention standard (starpunk_* prefix for all application cookies)
+- Created implementation report documenting the root cause and fix
+
+## [0.5.0] - 2025-11-19
+
+### Added
+- Development authentication module (`starpunk/dev_auth.py`) for local testing
+- `is_dev_mode()` function to check development mode status
+- `create_dev_session()` function for authentication bypass in development
+- Web interface templates with Microformats2 markup
+- Admin dashboard, note editor, and login pages
+- Public note display and RSS feed support
+
+### Fixed
+- Phase 4 test suite now passing (400/406 tests, 98.5% pass rate)
+- Template encoding issues (removed corrupted Unicode characters)
+- Test database initialization using tmp_path fixtures
+- Route URL patterns (trailing slash consistency)
+- Template variable naming (g.user_me → g.me)
+- Function name mismatches in tests (get_all_notes → list_notes)
+- URL builder endpoint name (auth.login → auth.login_form)
+- Session verification return type handling in tests
+- Flake8 code quality issues (unused imports, f-strings)
+
+### Security
+- Development authentication includes prominent warning logging
+- DEV_MODE validation ensures DEV_ADMIN_ME is set
+- Production mode validation ensures ADMIN_ME is set
+
+### Testing
+- 87% overall test coverage
+- All Phase 4 route and template tests functional
+- Proper test isolation with temporary databases
+- Fixed test context usage (test_request_context)
+
+### Code Quality
+- All code formatted with Black
+- Passes Flake8 validation
+- Removed unused imports and fixed f-string warnings
+
 ## [0.4.0] - 2025-11-18

 ### Added