release: v1.4.2 — resurrect v1.4.1 work + bug-fix triple

.github/workflows/e2e.yml

@@ -0,0 +1,83 @@
+name: e2e
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+# Cancel in-progress runs when a new commit lands on the same PR.
+concurrency:
+  group: e2e-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: healthlog
+          POSTGRES_PASSWORD: healthlog
+          POSTGRES_DB: healthlog
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U healthlog"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
+
+    env:
+      DATABASE_URL: postgresql://healthlog:healthlog@localhost:5432/healthlog?schema=public
+      ENCRYPTION_KEYS: '{"v1":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}'
+      ENCRYPTION_ACTIVE_KEY_ID: v1
+      API_TOKEN_HMAC_KEY: ci-hmac-key-32-bytes-min-padding-x
+      AUTH_RP_NAME: HealthLog
+      AUTH_RP_ID: localhost
+      AUTH_RP_ORIGIN: http://localhost:3000
+      NODE_ENV: production
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm db:generate
+
+      - run: pnpm db:migrate:deploy
+
+      - name: Cache Playwright browsers
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+          restore-keys: |
+            playwright-${{ runner.os }}-
+
+      - run: pnpm exec playwright install --with-deps chromium
+
+      - run: pnpm exec next build
+
+      - run: pnpm exec playwright test
+        env:
+          E2E_BASE_URL: http://localhost:3000
+
+      - name: Upload Playwright HTML report on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7

.github/workflows/integration.yml

@@ -0,0 +1,34 @@
+name: Integration tests
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm db:generate
+
+      - run: pnpm test:integration
+        env:
+          # The integration suite boots a Postgres testcontainer and points
+          # Prisma at it via DATABASE_URL set inside `tests/integration/setup.ts`.
+          # These env vars satisfy code paths that read them at module load.
+          API_TOKEN_HMAC_KEY: integration-tests-do-not-use-in-prod
+          ENCRYPTION_KEY: 0000000000000000000000000000000000000000000000000000000000000000
+          SESSION_SECRET: integration-tests

.gitignore

@@ -11,6 +11,11 @@
 # testing
 /coverage
 
+# playwright e2e
+/test-results
+/playwright-report
+/playwright/.cache
+
 # next.js
 /.next/
 /out/

AGENTS.md

@@ -6,16 +6,19 @@ Instructions for AI coding agents (OpenAI Codex, Claude Code, Cursor, etc.) work
 
 **HealthLog** — a personal health-tracking web app (weight, blood pressure, pulse, mood, medication compliance) with Withings integration, moodLog.app sync, Dracula-themed UI, mobile-first PWA design.
 
-**Status**: v1.4.0 — UI guidelines + reusable Skeleton/EmptyState
-primitives, medical citations consolidated under
-`src/lib/medical-citations.ts` (BP_DIA hypotension floor, ESH 2023
-alignment, "WHO 8000 steps" hallucination removed, ACE body-fat bands
-corrected), localised medication reminders + dashboard greeting +
-Zod validations, two more N+1 queries closed, Berlin-TZ-aware weekly
-buckets, single-row dashboard tile strip, public `/api/version`
-endpoint, AI provider connection-test honours unsaved selection,
-health-data inputs block password-manager autofill by default. See
-GitHub Releases + CHANGELOG.md for the full feature timeline.
+**Status**: v1.4.0 (released) → v1.4.1 in progress. v1.4.0 shipped
+the UI guidelines + Skeleton/EmptyState primitives, medical-citations
+consolidation, the per-route `/settings/[section]` split, the
+status-first admin grid + aggregator endpoint, five new "Test
+connection" buttons, AI insights with inline charts via allowlisted
+metric tokens, off-host encrypted S3 backup, encryption-key
+versioning + rotation CLI, optional `HEALTHLOG_PROCESS_TYPE` worker /
+web split, and short-lived 24h access tokens with refresh-token
+rotation for native API clients. v1.4.1 follows up with per-section
+admin component extraction (the inner monolith into one file per
+panel), a Postgres testcontainers integration test suite, and a
+Playwright + axe-core E2E foundation. See GitHub Releases +
+CHANGELOG.md for the full feature timeline.
 
 ## Tech Stack
 
@@ -75,7 +78,7 @@ src/
 │   ├── layout.tsx                # Root layout (viewport-fit: cover for PWA)
 │   ├── page.tsx                  # Dashboard (/) with quick entry dropdown
 │   ├── globals.css               # Dracula theme CSS variables
-│   ├── admin/page.tsx            # Admin panel
+│   ├── admin/page.tsx            # Admin shell — 77 LOC, mounts the per-section components from src/components/admin/
 │   ├── auth/login/page.tsx       # Login
 │   ├── auth/register/page.tsx    # Registration
 │   ├── achievements/page.tsx     # Gamification achievements
@@ -85,7 +88,8 @@ src/
 │   ├── medications/page.tsx      # Medications management
 │   ├── notifications/page.tsx    # Notification preferences matrix
 │   ├── onboarding/page.tsx       # 4-step guided onboarding
-│   ├── settings/page.tsx         # All settings (8 top-level sections, ~3150 lines — split tracked for 1.4.0)
+│   ├── settings/page.tsx         # 308-redirects /settings → /settings/account
+│   ├── settings/[section]/page.tsx  # Per-section route shell (account, integrations, notifications, dashboard, ai, api, advanced, about)
 │   ├── mood/page.tsx             # Mood tracking
 │   ├── targets/page.tsx          # Target values dashboard
 │   └── api/                      # 100+ API route files (admin, auth, measurements, medications, mood, insights, integrations, ingest, dashboard, feedback, tokens, notifications, monitoring, …)
@@ -104,7 +108,8 @@ src/
 │   ├── charts/                   # Recharts wrappers, compliance charts
 │   ├── insights/                 # AI insights cards (status, advisor)
 │   ├── gamification/             # Achievement cards, progress
-│   ├── settings/                 # Settings-page section components
+│   ├── settings/                 # Per-route Settings section components (one per /settings/[section])
+│   ├── admin/                    # Per-route Admin section components (system-status, integrations, monitoring, reminders, users, audit, danger-zone, feedback)
 │   └── monitoring/               # Umami, GlitchTip bootstrap
 ├── lib/
 │   ├── db.ts                     # Prisma client singleton
@@ -135,8 +140,8 @@ messages/
 ├── de.json                       # German translations (primary UI language)
 └── en.json                       # English translations
 prisma/
-├── schema.prisma                 # Database schema (25 models)
-└── migrations/                   # Migration files (0001–0024; latest: oxygen_saturation)
+├── schema.prisma                 # Database schema (26 models)
+└── migrations/                   # Migration files (0001–0025; latest: refresh_tokens + user_locale_drift_fix)
 prisma.config.ts                  # Prisma config (DB URL lives here, NOT in schema)
 public/
 ├── sw.js                         # Service worker (Web Push + offline caching)
@@ -183,11 +188,11 @@ These are hard-won lessons. Ignoring them will cause errors:
 - **Zod v4**: Import from `"zod/v4"`, not `"zod"`.
 - **jsPDF**: Client-side only. Import dynamically in browser context. Used with `jspdf-autotable` plugin.
 
-### Settings Page
+### Settings & Admin (per-route layout, v1.4)
 
-- One large file (~3150 lines), 8 top-level sections. Sidebar switches to "settings mode" showing section shortcuts. Splitting into per-section files is tracked for 1.4.0 — until then, ESLint `react-hooks/set-state-in-effect` stays non-blocking because of the long-standing violations in this file.
-- Sections scroll-to with highlight animation (`section-highlight` CSS class).
-- Top-level section IDs: `section-allgemein`, `section-sicherheit`, `section-benachrichtigungen`, `section-personalization`, `section-integration`, `section-api`, `section-export`, `section-danger-zone`. Sub-anchors inside those sections include `profil`, `passwort`, `passkeys`, `telegram`, `ntfy`, `web-push`, `insights`, `dashboard-layout`, `thresholds`, `withings`, `moodlog`, `api-tokens`, `api-endpoints`.
+- **Settings**: 8 routes under `/settings/[section]` — `account`, `integrations`, `notifications`, `dashboard`, `ai`, `api`, `advanced`, `about`. The legacy `/settings` 308-redirects to `/settings/account`. Sidebar deep-links and the `<a href="/settings#anchor">` patterns from 1.3 still resolve via the redirect.
+- **Admin**: `src/app/admin/page.tsx` is now a 77-LOC shell that mounts the per-section components in `src/components/admin/`. Status-card grid lives in `status-card-grid.tsx`. The aggregator endpoint `/api/admin/status-overview` returns the six-card summaries in one batched query.
+- ESLint `react-hooks/set-state-in-effect` is **strict** now (was non-blocking when the settings monolith carried inline-effect state-setters). Use lazy `useState(() => …)` for localStorage reads, TanStack Query for data fetches.
 
 ### Insights Page
 
@@ -225,7 +230,7 @@ These are hard-won lessons. Ignoring them will cause errors:
 
 ## Database Models (Prisma)
 
-25 models: `User`, `Passkey`, `Session`, `AuthChallenge`, `Measurement`, `Medication`, `MedicationSchedule`, `MedicationIntakeEvent`, `ReminderPhaseConfig`, `TelegramReminderMessage`, `TelegramScheduledDeletion`, `ApiToken`, `WithingsConnection`, `MoodEntry`, `AppSettings`, `Feedback`, `AuditLog`, `NotificationChannel`, `NotificationPreference`, `PushSubscription`, `DataBackup`, `UserAchievement`, `RateLimit`, `Device`, `IdempotencyKey`.
+26 models: `User`, `Passkey`, `Session`, `AuthChallenge`, `Measurement`, `Medication`, `MedicationSchedule`, `MedicationIntakeEvent`, `ReminderPhaseConfig`, `TelegramReminderMessage`, `TelegramScheduledDeletion`, `ApiToken`, `RefreshToken`, `WithingsConnection`, `MoodEntry`, `AppSettings`, `Feedback`, `AuditLog`, `NotificationChannel`, `NotificationPreference`, `PushSubscription`, `DataBackup`, `UserAchievement`, `RateLimit`, `Device`, `IdempotencyKey`. (`RefreshToken` added in v1.4.0 alongside the native-client 24h access-token / refresh-token rotation flow.)
 
 ## When Making Changes
 

CHANGELOG.md

@@ -1,5 +1,140 @@
 # Changelog
 
+## [1.4.2] — 2026-05-08
+
+### Fixed — Production deploy hotfixes
+
+- **Dashboard and Insights pages no longer crash for users without
+  weight data.** `data?.summaries.WEIGHT` only protected the outer
+  object — the optional chain stopped one level too early, so
+  brand-new users (where `summaries` is undefined) hit
+  `TypeError: undefined is not an object (evaluating 'E?.summaries.WEIGHT')`
+  on first load. Now `data?.summaries?.WEIGHT`.
+- **Container healthcheck uses `127.0.0.1` instead of `localhost`.**
+  busybox-`wget` in Alpine resolves `localhost` to IPv6 `::1` first,
+  but Next.js standalone listens on IPv4 `0.0.0.0:3000` only — so the
+  healthcheck always returned ECONNREFUSED, Docker marked the
+  container unhealthy, and Traefik returned 503 from the public URL
+  even though the app was actually running. The Dockerfile-level
+  `HEALTHCHECK` already used 127.0.0.1; the `docker-compose.yml`
+  override was the one that drifted to `localhost`. Fixed.
+
+### Notes
+
+- The 1.4.1 GHCR image never published cleanly (the docker-publish
+  workflow reported success in GH Actions but the
+  `ghcr.io/mbombeck/healthlog:1.4.1` tag returned `manifest unknown`
+  when Coolify tried to pull). The 1.4.2 release supersedes 1.4.1
+  and includes everything 1.4.1 was supposed to ship — the v1.4.1
+  source on `main` was always healthy; only the Coolify deploy
+  surface was broken.
+
+## [1.4.1] — 2026-05-08
+
+### Security
+
+- **moodLog integration no longer accepts internal-network URLs.** A
+  user could previously save `http://169.254.169.254/` (cloud-metadata)
+  or any RFC1918 address as their moodLog instance; the daily sync
+  worker would then fetch from that target with the user's API key in
+  the Authorization header. The credentials write path now refuses
+  non-public hosts, the sync worker re-checks the URL at the actual
+  fetch site (so legacy rows stored before the guard are also
+  refused), and the fetch is now `redirect: "manual"` so a public
+  host cannot 302 to an internal target with the bearer on the
+  redirect hop.
+- **Error reports never echo bearer tokens, Telegram bot tokens, or
+  query-string secrets.** `WideEventBuilder.setError()` and the
+  Glitchtip incident path now run every error message and stack
+  trace through a central `redactSecrets()` filter that scrubs
+  `Bearer …`, Telegram `bot<digits>:<token>` URLs, and `?secret=`,
+  `?code=`, `?token=`, `?api_key=` query strings. The substitution
+  is generic `[REDACTED]` so partial entropy is never revealed.
+
+### Fixed — Citation accuracy
+
+- **Blood-pressure classification now cites ESH 2023.** The dashboard
+  tile, the doctor-report PDF, and the inline analytics comments
+  used to label the band as "ESC/ESH 2018". The numbers haven't
+  changed (the 2023 ESH update kept the 2018 thresholds), but the
+  joint authoring did — ESC withdrew from the 2023 document, so the
+  correct citation is "ESH 2023" alone.
+- **Steps target source label is `Saint-Maurice JAMA 2020`** instead
+  of `WHO`. Every other surface in the app (AI prompts, inline
+  comments, drift tests) already enforced this attribution; the
+  insights/targets surface was the last "WHO" label in the tree.
+  WHO publishes physical-activity _time_, not a step quota.
+- **Saint-Maurice "mortality plateau 8000–12000" attribution
+  softened.** The original JAMA 2020 paper reports continued
+  dose-response benefit (HR 0.49 at 8k, HR 0.35 at 12k) — not a
+  plateau. The plateau-shaped finding belongs to Paluch 2022
+  _Lancet Public Health_ (PMID 35247352), not Saint-Maurice. The
+  inline comments and AI prompts now say "continued dose-response
+  benefit through ~12,000 steps/day" instead.
+
+### Added — CI safety nets
+
+- **Postgres-backed integration test suite is now executable.** The
+  testcontainers infrastructure shipped in 1.4.0; this release wires
+  the per-test boilerplate through vitest's `globalSetup` so all
+  four files share one container. `pnpm test:integration` runs ten
+  tests (rate-limit race, idempotency replay-attack contract, GDPR
+  Article-17 cascade delete, session create / read / expire) against
+  a real Postgres in under four seconds. CI runs the suite on every
+  PR.
+- **Playwright + axe-core E2E foundation.** A new `pnpm e2e` runs
+  five public-surface specs (version endpoint, proxy auth-redirect,
+  login form autofill hints, DE/EN locale switch, axe-core
+  accessibility gate) against the production build in CI. Authenticated
+  flow specs (quick-entry, doctor-report, settings round-trip,
+  test-buttons, onboarding) ride a follow-up release because they
+  need a seeded test user; the foundation makes adding them a
+  one-PR step.
+
+### Changed — Admin internals
+
+- **Admin page is now per-section components.** The status-card grid
+  shipped in 1.4.0 sat on top of a 2,700-line monolith; that monolith
+  is now 14 focused files in `src/components/admin/` with a 77-line
+  `src/app/admin/page.tsx` shell that mounts them. Every section
+  keeps the same DOM, ids, query keys, and i18n keys — no
+  user-visible change.
+
+### Fixed
+
+- **Final ESLint error is gone.** The medications page's "API
+  endpoint" dialog ran its initial-load fetch through a `useCallback`
+  paired with `useEffect` and triggered the strict
+  `react-hooks/set-state-in-effect` rule. Refactored to TanStack
+  Query — same network calls, no effect, lint count is now zero on
+  `main`.
+
+### Documentation
+
+- **Repo-internal docs synced for v1.4.** README adds the
+  Multi-tenant ready and Test connection buttons feature blocks, the
+  API reference table includes the eleven new v1.4 endpoints, and
+  the model count is corrected to 26 (RefreshToken). AGENTS.md and
+  CLAUDE.md reflect the per-route `/settings/[section]` layout and
+  the per-section admin layout. `docs/api/openapi.yaml` documents
+  the new endpoints (version, refresh, refresh/revoke,
+  status-overview, backup/test, the five test-connection probes).
+  `docs/migration/v1.3-to-v1.4.md` corrects the now-wrong "no
+  migrations" claim and adds full env-var sections for the
+  worker/web split, encryption-key versioning, and off-host backup
+  target.
+
+### Notes
+
+- No database migration in 1.4.1.
+- No environment-variable change required to upgrade.
+- No API contract change — every route added in 1.4.0 is still
+  there; no shapes or status codes flipped.
+- The audit pass that drove this release identified five medium
+  security items and three P0 performance items that warrant
+  deeper architectural work; those are tracked in
+  `docs/ops/v141-followup-issues.md` and ride a future release.
+
 ## [1.4.0] — 2026-05-08
 
 ### Added — Foundation, safer ranges, and a faster dashboard
@@ -41,7 +176,7 @@
   now cites "ESH 2023" with the published source URL. Numbers
   unchanged.
 - **"WHO ≥ 8 000 steps/day" hallucination fully removed.** WHO
-  publishes activity *time* (150–300 min/wk moderate), not a step
+  publishes activity _time_ (150–300 min/wk moderate), not a step
   quota. The v1.3.3 fix only landed in `effective-range.ts`; four AI
   prompt strings and the `getStepsRange()` helper carried the old
   wording forward. Saint-Maurice et al., JAMA 2020 (mortality plateau
@@ -50,7 +185,7 @@
   to AASM 2015.
 - **Body-fat ACE bands corrected and three-way drift resolved.** The
   classifier used `essential = 6 (M) / 14 (F)` as the floor — but
-  that's actually ACE's *Athletes* lower bound. Readings below were
+  that's actually ACE's _Athletes_ lower bound. Readings below were
   mislabelled "Essential" instead of "Below essential" (a danger
   band). Six-band classifier now mirrors the ACE table, and the three
   sites that had three different green-band numbers
@@ -221,7 +356,7 @@
   via `prisma db push` to dev/prod). Any environment built strictly
   from `prisma/migrations/` (CI testcontainers, brand-new self-host
   installs) is now consistent. Migration is `ADD COLUMN IF NOT
-  EXISTS`, so it's a clean add on a fresh database and a safe no-op
+EXISTS`, so it's a clean add on a fresh database and a safe no-op
   against any environment that was already kept in sync.
 
 ### Notes