- Remove leading slash when constructing URLs with SITE_URL
- SITE_URL already includes trailing slash per IndieAuth spec
- Fixes malformed Location header in Micropub responses
- Fixes malformed URLs in Microformats2 query responses
Changes:
- starpunk/micropub.py line 312: f"{site_url}notes/{note.slug}"
- starpunk/micropub.py line 383: f"{site_url}notes/{note.slug}"
- Added comments explaining SITE_URL trailing slash convention
- Updated version to 1.0.1 in starpunk/__init__.py
- Updated CHANGELOG.md with v1.0.1 release notes
Fixes double slash issue reported after v1.0.0 release.
Per ADR-039 and docs/releases/v1.0.1-hotfix-plan.md
Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
First production-ready release of StarPunk - a minimal, self-hosted
IndieWeb CMS with full IndieAuth and Micropub compliance.
Changes:
- Update version to 1.0.0 in starpunk/__init__.py
- Update README.md version references and feature descriptions
- Finalize CHANGELOG.md with comprehensive v1.0.0 release notes
This milestone completes all V1 features:
- W3C IndieAuth specification compliance with endpoint discovery
- W3C Micropub specification implementation
- Robust database migrations with race condition protection
- Production-ready containerized deployment
- 536 tests passing with 87% code coverage
StarPunk is now ready for production use as a personal IndieWeb
publishing platform.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add comprehensive architectural documentation for the migration race
condition fix, including:
- ADR-022: Architectural decision record for the fix
- migration-race-condition-answers.md: All 23 Q&A answered
- migration-fix-quick-reference.md: Implementation checklist
- migration-race-condition-fix-implementation.md: Detailed guide
These documents guided the implementation in v1.0.0-rc.5.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This major architectural change removes the built-in IndieAuth
authorization server in favor of external provider delegation.
Key changes:
- Remove authorization and token endpoints
- Remove token storage and management code
- Implement external token verification via configured endpoint
- Drop auth_codes and auth_tokens database tables
- Simplify security model by delegating to external providers
Breaking Changes:
- Existing tokens issued by StarPunk will no longer work
- Users must configure TOKEN_ENDPOINT in settings
- Micropub clients must obtain tokens from external providers
Benefits:
- Reduces codebase by ~500 lines of security-critical code
- Eliminates token storage and cryptographic responsibilities
- Maintains full IndieAuth specification compliance
- Simpler security model focused on verification only
Implements: ADR-050 (Remove Authorization Server)
Implements: ADR-030 (External Token Verification)
Migration: Database migrations 003 and 004 included
See docs/reports/indieauth-removal-implementation-report.md for
complete implementation details and migration guide.
Version: 1.0.0-rc.4
Fixed 5 failing tests related to code_verifier column which was
added by migration 001 but removed by migration 003.
Changes:
- Renamed legacy_db_without_code_verifier to legacy_db_basic
- Updated column_exists tests to use 'state' column instead of 'code_verifier'
- Updated test_run_migrations_legacy_database to test with generic column
- Replaced test_actual_migration_001 with test_actual_migration_003
- Fixed test_dev_mode_requires_dev_admin_me to explicitly override DEV_ADMIN_ME
All 551 tests now passing.
Part of Phase 1 completion: IndieAuth authorization server removal
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixes database migration detection for partially migrated databases.
This hotfix resolves an issue where migration 002 would fail to detect
existing migrated tables, causing conflicts on databases that had been
partially migrated.
CRITICAL HOTFIX for production deployment failure
Problem:
- Production database had migration 001 applied but not migration 002
- Migration 002's tables (tokens, authorization_codes) already existed from SCHEMA_SQL
- Smart detection only checked when migration_count == 0 (fresh database)
- For partially migrated databases (count > 0), tried to run full migration
- This failed with "table already exists" error
Solution:
- Always check migration 002's state, regardless of migration_count
- If tables exist with correct structure, skip table creation
- Create missing indexes only
- Mark migration as applied
Testing:
- Manual verification with production scenario: SUCCESS
- 561 automated tests passing
- test_run_migrations_partial_applied confirms fix works
Impact:
- Fixes deployment on partially migrated production databases
- No impact on fresh or fully migrated databases
- Backwards compatible with all database states
Version: 1.0.0-rc.2 → 1.0.0-rc.3
Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
Hotfix 1.0.0-rc.2: Critical database migration fix
Resolves index conflict issue where migration 002 would fail on existing
databases due to duplicate index definitions in SCHEMA_SQL.
Fixes critical issue where migration 002 indexes already existed in SCHEMA_SQL,
causing 'index already exists' errors on databases created before v1.0.0-rc.1.
Changes:
- Removed duplicate index definitions from SCHEMA_SQL (database.py)
- Enhanced migration system to detect and handle indexes properly
- Added comprehensive documentation of the fix
Version bumped to 1.0.0-rc.2 with full changelog entry.
Refs: docs/reports/2025-11-24-migration-fix-v1.0.0-rc.2.md
- Update version to 0.9.5 throughout README
- Clarify Micropub as coming in v1.0 (currently in development)
- Add note that database auto-initializes on first run
- Fix deployment documentation link to standards location
- Add .gitignore entry for test.ini temporary file
All changes approved by architect agent.
Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Updated 42 references from indieauth.spec.indieweb.org to www.w3.org/TR/indieauth
- Ensures consistency across all documentation
- Points to the authoritative W3C specification
- No functional changes, documentation update only
Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
Implements token security and management as specified in ADR-029:
Database Changes (BREAKING):
- Add secure tokens table with SHA256 hashed storage
- Add authorization_codes table for IndieAuth token exchange
- Drop old insecure tokens table (invalidates existing tokens)
- Update SCHEMA_SQL to match post-migration state
Token Management (starpunk/tokens.py):
- Generate cryptographically secure tokens
- Hash tokens with SHA256 for secure storage
- Create and verify access tokens
- Create and exchange authorization codes
- PKCE support (optional but recommended)
- Scope validation (V1: only 'create' scope)
- Token expiry and revocation support
Testing:
- Comprehensive test suite for all token operations
- Test authorization code replay protection
- Test PKCE validation
- Test parameter validation
- Test token expiry
Security:
- Tokens never stored in plain text
- Authorization codes single-use with replay protection
- Optional PKCE for enhanced security
- Proper UTC datetime handling for expiry
Related:
- ADR-029: Micropub IndieAuth Integration Strategy
- Migration 002: Secure tokens and authorization codes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This agent helps maintain documentation organization and ensures
README.md stays current with the codebase.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add comprehensive Micropub endpoint design document
- Define token management approach for IndieAuth
- Specify minimal V1 feature set (create posts, queries)
- Defer media endpoint and advanced features to post-V1
- Add ADR-028 documenting implementation strategy
- 8-10 day implementation timeline to unblock V1
The Micropub endpoint is the final blocker for V1.0.0 release.
Added "Documentation Navigation" section with:
- Clear explanation of docs/ folder structure and purpose of each subdirectory
- Guidelines for finding existing documentation before implementing features
- Practical rules for when to create ADRs, design docs, reports, or standards
- File naming conventions for different document types
This improves agent and developer ability to navigate the documentation
system and maintain proper organization standards.
Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Switched from GitLab CI to Gitea Actions for container builds.
Triggers on version tags, pushes to Gitea Container Registry.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Builds and pushes container images to GitLab Container Registry
when version tags (v*.*.*) are pushed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
os.getenv() returns empty string instead of using default when env var
is set but empty. This caused SECRET_KEY to be empty when FLASK_SECRET_KEY=""
was in .env, breaking Flask sessions/flash messages.
Now treats empty string same as unset, properly falling back to SESSION_SECRET.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
IndieAuth authentication-only flows should redeem the code at the
authorization endpoint, not the token endpoint. The token endpoint
is only for authorization flows that need access tokens.
- Remove grant_type parameter (only needed for token flows)
- Change endpoint from /token to /authorize
- Update debug logging to reflect code verification flow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The token exchange request was missing the required grant_type parameter
per OAuth 2.0 RFC 6749. IndieAuth providers that properly validate this
were rejecting the request with a 422 error.
- Add grant_type=authorization_code to token exchange data
- Add ADR-022 documenting the spec compliance requirement
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The auth routes were registered under /admin/* but the IndieAuth
redirect_uri was configured as /auth/callback, causing 404 errors
when providers redirected back after authentication.
- Change auth blueprint url_prefix from "/admin" to "/auth"
- Update test expectations for new auth route paths
- Add ADR-022 documenting the architectural decision
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Shows the exact GET request URL being sent to IndieLogin.com's
/authorize endpoint, including all query parameters in their
encoded form. This helps debug authentication flow issues.
- Added debug log after auth_url construction in initiate_login()
- Logs complete URL with all parameters before redirect
- Version remains 0.9.1 (debugging enhancement only)
This fixes critical IndieAuth authentication by implementing PKCE (Proof Key
for Code Exchange) as required by IndieLogin.com API specification.
Added:
- PKCE code_verifier and code_challenge generation (RFC 7636)
- Database column: auth_state.code_verifier for PKCE support
- Issuer validation for authentication callbacks
- Comprehensive PKCE unit tests (6 tests, all passing)
- Database migration script for code_verifier column
Changed:
- Corrected IndieLogin.com API endpoints (/authorize and /token)
- State token validation now returns code_verifier for token exchange
- Authentication flow follows IndieLogin.com API specification exactly
- Enhanced logging with code_verifier redaction
Removed:
- OAuth metadata endpoint (/.well-known/oauth-authorization-server)
Added in v0.7.0 but not required by IndieLogin.com
- h-app microformats markup from templates
Modified in v0.7.1 but not used by IndieLogin.com
- indieauth-metadata link from HTML head
Security:
- PKCE prevents authorization code interception attacks
- Issuer validation prevents token substitution attacks
- Code verifier securely stored, redacted in logs, and single-use
Documentation:
- Version: 0.8.0
- CHANGELOG updated with v0.8.0 entry and v0.7.x notes
- ADR-016 and ADR-017 marked as superseded by ADR-019
- Implementation report created in docs/reports/
- Test update guide created in TODO_TEST_UPDATES.md
Breaking Changes:
- Users mid-authentication will need to restart login after upgrade
- Database migration required before deployment
Related: ADR-019
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
