breakpilot-core

Benjamin_Boenisch/breakpilot-core

Fork 0

Commit Graph

Author	SHA1	Message	Date
Sharang Parnerkar	41bc522b5b	fix(pitch-deck): close auth gaps, isolate finanzplan scenario access, enforce TS Some checks failed Build pitch-deck / build-push-deploy (push) Failing after 1m4s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / test-go-consent (push) Successful in 57s Details CI / test-python-voice (push) Successful in 42s Details CI / test-bqas (push) Successful in 42s Details D1: Remove /api/admin/fp-patch from PUBLIC_PATHS — it was returning live financial data (fp_liquiditaet rows) to any unauthenticated caller; middleware admin gate now applies as it does for all /api/admin/* paths. D2: Add PITCH_ADMIN_SECRET bearer guard to POST /api/financial-model (create scenario) and PUT /api/financial-model/assumptions (update assumptions) — any authenticated investor could previously create/modify global financial model data. D3: Add PITCH_ADMIN_SECRET bearer guard to POST /api/finanzplan/compute — any investor could trigger a full DB recomputation across all fp_* tables. Also replace String(error) in error response with a static message. D4: GET /api/finanzplan/[sheetName] now ignores ?scenarioId= for non-admin callers; investors always receive the default scenario only. Previously any investor could enumerate UUIDs and read any scenario's financials including other investors' plans. D9: Remove `name` from the non-admin /api/finanzplan response — scenario names like "Wandeldarlehen v2" reveal internal versioning to investors. D10: Remove hardcoded postgres://breakpilot:breakpilot123@localhost fallback from lib/db.ts — missing DATABASE_URL now fails loudly instead of silently using stale credentials that are committed to the repository. D6: Fix all 4 TypeScript errors that were masked by ignoreBuildErrors:true; bump tsconfig target to ES2018 (regex s flag in ChatFAB), type lang as 'de'\|'en' in chat route, add 'as string' assertion in adapter.ts. Remove ignoreBuildErrors:true from next.config.js so future type errors fail the build rather than being silently shipped. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-24 09:08:50 +02:00
Sharang Parnerkar	27ef21a4f0	feat: git SHA version badge in admin, fix finanzplan caching, drop gitea remote All checks were successful Build pitch-deck / build-push-deploy (push) Successful in 1m4s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / test-go-consent (push) Successful in 28s Details CI / test-python-voice (push) Successful in 28s Details CI / test-bqas (push) Successful in 26s Details - AdminShell: shows NEXT_PUBLIC_GIT_SHA in sidebar footer - Dockerfile + build-pitch-deck.yml: pass --build-arg GIT_SHA at build time - FinanzplanSlide: fetch with cache:no-store to always show current DB values - finanzplan routes: Cache-Control: no-store to prevent CDN/proxy staling - CLAUDE.md: remove dead gitea remote (only origin exists) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-17 10:47:51 +02:00
Benjamin Admin	a58cd16f01	feat: Finanzplan Phase 1-4 — DB + Engine + API + Spreadsheet-UI Phase 1: DB-Schema (12 fp_* Tabellen) + Excel-Import (332 Zeilen importiert) Phase 2: Compute Engine (Personal, Invest, Umsatz, Material, Betrieblich, Liquiditaet, GuV) Phase 3: API (/api/finanzplan/ — GET sheets, PUT cells, POST compute) Phase 4: Spreadsheet-UI (FinanzplanSlide als Annex mit Tab-Leiste, editierbarem Grid, Jahres-Navigation) Zusaetzlich: - Gruendungsdatum verschoben: Feb→Aug 2026 (DB + Personalkosten) - Neue Preisstaffel: Startup/<10 MA ab 3.600 EUR/Jahr (14-Tage-Test, Kreditkarte) - Competition-Slide: Pricing-Tiers aktualisiert Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 19:26:46 +01:00

Author

SHA1

Message

Date

Sharang Parnerkar

41bc522b5b

fix(pitch-deck): close auth gaps, isolate finanzplan scenario access, enforce TS

Build pitch-deck / build-push-deploy (push) Failing after 1m4s

Details

CI / go-lint (push) Has been skipped

Details

CI / python-lint (push) Has been skipped

Details

CI / nodejs-lint (push) Has been skipped

Details

CI / test-go-consent (push) Successful in 57s

Details

CI / test-python-voice (push) Successful in 42s

Details

CI / test-bqas (push) Successful in 42s

Details

D1: Remove /api/admin/fp-patch from PUBLIC_PATHS — it was returning live financial
data (fp_liquiditaet rows) to any unauthenticated caller; middleware admin gate now
applies as it does for all /api/admin/* paths.

D2: Add PITCH_ADMIN_SECRET bearer guard to POST /api/financial-model (create scenario)
and PUT /api/financial-model/assumptions (update assumptions) — any authenticated
investor could previously create/modify global financial model data.

D3: Add PITCH_ADMIN_SECRET bearer guard to POST /api/finanzplan/compute — any
investor could trigger a full DB recomputation across all fp_* tables. Also replace
String(error) in error response with a static message.

D4: GET /api/finanzplan/[sheetName] now ignores ?scenarioId= for non-admin callers;
investors always receive the default scenario only. Previously any investor could
enumerate UUIDs and read any scenario's financials including other investors' plans.

D9: Remove `name` from the non-admin /api/finanzplan response — scenario names like
"Wandeldarlehen v2" reveal internal versioning to investors.

D10: Remove hardcoded postgres://breakpilot:breakpilot123@localhost fallback from
lib/db.ts — missing DATABASE_URL now fails loudly instead of silently using stale
credentials that are committed to the repository.

D6: Fix all 4 TypeScript errors that were masked by ignoreBuildErrors:true; bump
tsconfig target to ES2018 (regex s flag in ChatFAB), type lang as 'de'|'en' in
chat route, add 'as string' assertion in adapter.ts. Remove ignoreBuildErrors:true
from next.config.js so future type errors fail the build rather than being silently
shipped.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-24 09:08:50 +02:00

Sharang Parnerkar

27ef21a4f0

feat: git SHA version badge in admin, fix finanzplan caching, drop gitea remote

Build pitch-deck / build-push-deploy (push) Successful in 1m4s

Details

CI / go-lint (push) Has been skipped

Details

CI / python-lint (push) Has been skipped

Details

CI / nodejs-lint (push) Has been skipped

Details

CI / test-go-consent (push) Successful in 28s

Details

CI / test-python-voice (push) Successful in 28s

Details

CI / test-bqas (push) Successful in 26s

Details

- AdminShell: shows NEXT_PUBLIC_GIT_SHA in sidebar footer
- Dockerfile + build-pitch-deck.yml: pass --build-arg GIT_SHA at build time
- FinanzplanSlide: fetch with cache:no-store to always show current DB values
- finanzplan routes: Cache-Control: no-store to prevent CDN/proxy staling
- CLAUDE.md: remove dead gitea remote (only origin exists)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-17 10:47:51 +02:00

Benjamin Admin

a58cd16f01

feat: Finanzplan Phase 1-4 — DB + Engine + API + Spreadsheet-UI

Phase 1: DB-Schema (12 fp_* Tabellen) + Excel-Import (332 Zeilen importiert)
Phase 2: Compute Engine (Personal, Invest, Umsatz, Material, Betrieblich, Liquiditaet, GuV)
Phase 3: API (/api/finanzplan/ — GET sheets, PUT cells, POST compute)
Phase 4: Spreadsheet-UI (FinanzplanSlide als Annex mit Tab-Leiste, editierbarem Grid, Jahres-Navigation)

Zusaetzlich:
- Gruendungsdatum verschoben: Feb→Aug 2026 (DB + Personalkosten)
- Neue Preisstaffel: Startup/<10 MA ab 3.600 EUR/Jahr (14-Tage-Test, Kreditkarte)
- Competition-Slide: Pricing-Tiers aktualisiert

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-26 19:26:46 +01:00

3 Commits