| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | security: remove unsafe-eval CSP, fix host header injection, harden API routes | Fuwn | 2026-02-07 | 2 | -12/+19 |
| | | | | | | | | | - Remove unsafe-eval from script-src CSP (not needed in production) - Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share and checkout routes to prevent host header injection - Add .catch() to request.json() in share POST and PATCH routes - Add rate limiting (3/min) to account deletion endpoint | ||||
| * | style: lowercase all user-facing strings and add custom eslint rule | Fuwn | 2026-02-07 | 2 | -8/+8 |
| | | | | | | | | | Comprehensive sweep of all user-facing text to enforce lowercase convention, including acronyms (api, rest, http, opml, json, totp, mfa, qr, hmac). Added asa-lowercase/lowercase-strings eslint rule that reports uppercase in notify() calls, error messages, jsx text, and checked attributes (placeholder, alt, title). | ||||
| * | feat: asa.news RSS reader with developer tier, REST API, and webhooks | Fuwn | 2026-02-07 | 2 | -0/+217 |
| Full-stack RSS reader SaaS: Supabase + Next.js + Go worker. Includes three subscription tiers (free/pro/developer), API key auth, read-only REST API, webhook push notifications, Stripe billing with proration, and PWA support. | |||||