asa.news - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	fix: P0 correctness and security fixes	Fuwn	2026-02-09	1	-1/+1
\| \| \| \| \| \|	- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1) - Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS) - Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
*	security: harden API routes	Fuwn	2026-02-08	1	-1/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	- Add rate limiting to /api/share (30/min), /api/export (5/hr), /api/account/data (3/day) - Add client-side 30s throttle to forgot-password form - Remove immediate tier upgrade on plan change; let invoice.paid webhook handle tier promotion to prevent free upgrades on payment failure - Add SSRF validation to webhook URLs: block localhost, private IPs, link-local, and metadata endpoints - Log Stripe webhook signature verification errors instead of swallowing silently - Mask webhook secret in GET response (show first/last 4 chars only) - Add error logging to API key last_used_at update - Remove internal error message leaking from checkout session route
*	fix: invoice.paid handler now retrieves subscription for correct tier resolution	Fuwn	2026-02-08	1	-16/+13
\|
*	debug: add webhook signature verification logging	Fuwn	2026-02-08	1	-1/+5
\|
*	fix: resolve 6 pre-ship audit bugs	Fuwn	2026-02-07	1	-23/+37
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	- Webhook entry identifier: use entry GUID instead of feed identifier - Optimistic rollback: add previousTimeline snapshot and onError handler to both useToggleEntryReadState and useToggleEntrySavedState - Rate limiter memory leak: delete Map entries when window expires, use else-if to avoid re-setting after delete - Entries API limit param: use Number.isFinite guard instead of falsy coercion that treats 0 as default - PWA manifest: add PNG raster icon routes (192x192, 512x512) for devices that don't support SVG icons - Billing webhook: throw on DB errors and return 500 so Stripe retries failed events instead of silently losing them
*	style: lowercase all user-facing strings and add custom eslint rule	Fuwn	2026-02-07	1	-4/+4
\| \| \| \| \| \| \| \|	Comprehensive sweep of all user-facing text to enforce lowercase convention, including acronyms (api, rest, http, opml, json, totp, mfa, qr, hmac). Added asa-lowercase/lowercase-strings eslint rule that reports uppercase in notify() calls, error messages, jsx text, and checked attributes (placeholder, alt, title).
*	feat: asa.news RSS reader with developer tier, REST API, and webhooks	Fuwn	2026-02-07	1	-0/+181
	Full-stack RSS reader SaaS: Supabase + Next.js + Go worker. Includes three subscription tiers (free/pro/developer), API key auth, read-only REST API, webhook push notifications, Stripe billing with proration, and PWA support.