Features implemented:
- Story 4.1: View Registration Page
- Story 4.2: New Participant Registration
- Story 4.3: Returning Participant Detection
- Story 5.1: Magic Link Request
- Story 5.2: Magic Link Login
- Story 5.3: Participant Session (Dashboard + Logout)
- Story 10.1: DEV Mode Email Logging
Technical changes:
- Alembic migrations with auto-apply on container start
- Filesystem-based sessions (avoids SQLAlchemy race conditions)
- Magic link authentication with SHA-256 hashed tokens
- Rate limiting for registration and magic link requests
- CSRF protection for all forms
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch from SQLAlchemy sessions to filesystem sessions to avoid race
conditions with multiple gunicorn workers trying to create the sessions
table simultaneously
- Update Alembic env.py to use a minimal Flask app without Flask-Session
to prevent session table creation during migrations
- Add data directory creation to entrypoint.sh for clean container starts
- Configure test environment to use filesystem sessions with temp directory
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Logger.info wasn't visible in gunicorn container logs. Using print
with flush=True ensures magic link URLs are visible in container
logs for QA testing.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The budget field is stored as a string (e.g., '$25-50'), not a number.
Updated EmailService.send_registration_confirmation() to accept budget
as a string and display it directly in the email.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Previous migrations were empty (just 'pass'). Regenerated a single
migration that includes all models: Admin, Exchange, Participant,
MagicToken, and RateLimit tables with proper indexes and constraints.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed return type annotations in EmailService to use Any instead of dict[str, Any] to properly handle Resend API's SendResponse type.
The Resend library returns a SendResponse object in production mode and a dict in dev mode. Using Any allows both return types while maintaining type safety for callers.
Changes:
- Updated send_email() return type from dict[str, Any] to Any
- Updated send_magic_link() return type from dict[str, Any] to Any
- Updated send_registration_confirmation() return type from dict[str, Any] to Any
- Removed unnecessary type annotation on result variable
This resolves mypy type checking errors while preserving the existing dev/production mode behavior.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implemented complete participant authentication flow with magic link login and session management.
Story 5.2 - Magic Link Login:
- Participants can click magic links to securely access their dashboard
- Single-use tokens that expire after 1 hour
- Session creation with participant_id, user_type, and exchange_id
- Error handling for expired, used, or invalid tokens
- Fixed timezone-aware datetime comparison for SQLite compatibility
Story 5.3 - Participant Session:
- Authenticated participants can access their exchange dashboard
- participant_required decorator protects participant-only routes
- Participants can only access their own exchange (403 for others)
- Logout functionality clears session and redirects appropriately
- Unauthenticated access returns 403 Forbidden
Technical changes:
- Added magic_login() route for token validation and session creation
- Added dashboard() route with exchange and participant data
- Added logout() route with smart redirect to request access page
- Added participant_required decorator for route protection
- Enhanced MagicToken.is_expired for timezone-naive datetime handling
- Added participant.logout to setup check exclusions
- Created templates: dashboard.html, magic_link_error.html, 403.html
- Comprehensive test coverage for all user flows
Acceptance Criteria Met:
✓ Valid magic links create authenticated sessions
✓ Invalid/expired/used tokens show appropriate errors
✓ Authenticated participants see their dashboard
✓ Participants cannot access other exchanges
✓ Unauthenticated users cannot access protected routes
✓ Logout clears session and provides feedback
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allow participants to request magic links for dashboard access:
- POST /exchange/<slug>/request-access handles form submission
- Accept email, look up participant in database
- Generate token (secrets.token_urlsafe(32)), store SHA-256 hash
- Send magic link email via EmailService.send_magic_link()
- Rate limit: 3 requests per hour per email
- Always show generic success message (prevent enumeration)
- Only send email if participant exists
- Case-insensitive email lookup
- Comprehensive test suite with 7 tests
Includes:
- MagicLinkRequestForm with email validation
- request_access.html template
- GET endpoint to display request form
All tests passing (97 total), 91% coverage maintained.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prevent duplicate registrations for the same exchange:
- Check for existing participant with same email (case-insensitive)
- Show friendly message if already registered
- Offer link to request new magic link for access
- Allow same email to register for different exchanges
- Comprehensive test suite with 4 tests
All tests passing (90 total), 91% coverage maintained.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement participant registration with the following features:
- POST handler for /exchange/<slug>/register
- Create Participant record with lowercased email
- Generate magic token and send confirmation email
- Redirect to success page after registration
- Rate limiting: 10 registrations per hour per IP
- Validation for exchange state (must be registration_open)
- Form validation for required fields (name, email)
- Email format validation
- Optional fields support (gift_ideas, reminder_enabled)
Also includes:
- Registration success page template
- 429 error handling template
- Flash message support in base template
- Test config update for email service dev mode
- Comprehensive test suite with 8 tests
All tests passing (86 total), 91% coverage maintained.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allows potential participants to view exchange details and access
the registration form via unique slug URLs.
Implementation:
- Added ParticipantRegistrationForm with name, email, gift_ideas, and reminder fields
- Created GET /exchange/<slug>/register route
- Built responsive registration template with exchange details
- Exempted participant routes from admin setup requirement
- Comprehensive test coverage for all scenarios
Acceptance Criteria Met:
- Valid slug displays registration form with exchange details
- Invalid slug returns 404
- Form includes all required fields with CSRF protection
- Registration deadline is displayed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements a flexible email service that integrates with Resend API
and supports development mode for easier testing.
Features:
- Resend API integration for production email delivery
- Development mode that logs emails instead of sending
- Magic link URL logging in dev mode for testing
- Helper methods for magic link and registration emails
- Comprehensive test coverage (100% for service)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements Phase 2 infrastructure for participant registration and authentication:
Database Models:
- Add Participant model with exchange scoping and soft deletes
- Add MagicToken model for passwordless authentication
- Add participants relationship to Exchange model
- Include proper indexes and foreign key constraints
Migration Infrastructure:
- Generate Alembic migration for new models
- Create entrypoint.sh script for automatic migrations on container startup
- Update Containerfile to use entrypoint script and include uv binary
- Remove db.create_all() in favor of migration-based schema management
This establishes the foundation for implementing stories 4.1-4.3, 5.1-5.3, and 10.1.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Containerfile with multi-stage build for minimal image
- Add .containerignore to exclude unnecessary files
- Add /health endpoint for container health checks
- Update main.py to expose Flask app for gunicorn
Uses Python 3.12-slim base, runs as non-root user, exposes port 8000.
Add complete implementation with tests:
- New route POST /admin/exchange/<id>/state/open-registration
- State validation (only from draft state)
- Success/error messages
- Authentication required
- Update exchange detail template with "Open Registration" button
- 8 comprehensive integration tests
All acceptance criteria met:
- "Open Registration" action available from Draft state
- Exchange state changes to "Registration Open"
- Registration link becomes active
- Participants can now access registration form
- Success message displayed
- Only admin can perform action
- Redirects to exchange detail after completion
Story: 3.1
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add integration tests covering all acceptance criteria:
- Unique link generated for each exchange
- Link is copyable to clipboard
- Link is displayed when exchange is in appropriate state
- Link leads to registration page for that specific exchange
- Link uses slug instead of numeric ID for security
- Link contains full URL for easy sharing
Story: 2.6
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add integration tests covering all acceptance criteria:
- Clicking an exchange opens detail view
- Shows all exchange information
- Shows list of registered participants
- Shows current state
- Shows registration link (when applicable)
- Handle missing optional fields gracefully
- Navigation back to dashboard
Story: 2.3
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add integration tests covering all acceptance criteria:
- Dashboard shows list of all exchanges
- Each exchange displays name, state, participant count, exchange date
- Exchanges sorted by exchange date (upcoming first)
- Visual indicator for exchange state
- Summary counts for draft, active, completed
- Empty state handling
Story: 2.2
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add Exchange model, API endpoint, and form validation
for creating new gift exchanges.
- Create ExchangeForm with timezone validation
- Add admin routes for creating and viewing exchanges
- Generate unique 12-char slug for each exchange
- Validate registration/exchange dates
- Display exchanges in dashboard
- All tests passing with 92% coverage
Story: 2.1
- Rename master to main
- Add release branch workflow (release/vX.Y.Z)
- Feature branches now created from release branches
- Release branches merge to main when confirmed good
Add logout button to admin dashboard and test to verify its presence.
This completes the missing acceptance criterion for Story 1.4:
"Logout option available from admin interface"
Changes:
- Add logout form with CSRF protection to dashboard header
- Add integration test to verify logout button is present
- All tests pass (24/24)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implement Story 1.2 (Admin Login) with full TDD approach including:
- RateLimit model for tracking authentication attempts
- LoginForm for admin authentication with email, password, and remember_me fields
- Rate limiting utility functions (check, increment, reset)
- admin_required decorator for route protection
- Login route with rate limiting (5 attempts per 15 minutes)
- Logout route with session clearing
- Admin dashboard now requires authentication
- Login template with flash message support
- 14 comprehensive integration tests covering all acceptance criteria
- Email normalization to lowercase
- Session persistence with configurable duration (7 or 30 days)
All acceptance criteria met:
- Login form accepts email and password
- Invalid credentials show appropriate error message
- Successful login redirects to admin dashboard
- Session persists across browser refreshes
- Rate limiting after 5 failed attempts
Test coverage: 90.67% (exceeds 80% requirement)
All linting and type checking passes
Story: 1.2
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add complete initial admin setup functionality including:
- SetupForm with email, password, and password confirmation fields
- Password validation (minimum 12 characters) and confirmation matching
- Email format validation
- Setup route with GET (display form) and POST (process setup) handlers
- bcrypt password hashing before storing admin credentials
- Auto-login after successful setup with session management
- First-run detection middleware that redirects to /setup if no admin exists
- Setup page returns 404 after admin account is created
- Base HTML template with Pico CSS integration
- Admin dashboard placeholder template
- 404 error template
All tests pass with 90.09% code coverage (exceeds 80% requirement).
Code passes ruff linting and mypy type checking.
Story: 1.1
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
