| Commit message (Collapse) | Author | Age | Files | Lines |
Uses pg_trgm % operator instead of ILIKE for title/summary matching,
enabling the existing GIN trigram indexes. Results are now ranked by
similarity score. Threshold lowered to 0.1 for inclusive matching.
Also adds owner_id filter that was previously missing.
|
Root cause: cleanup_stale_entries deleted read-but-unsaved entries from
active feeds, then the Go worker re-inserted them with new UUIDs,
orphaning the user_entry_states rows and making entries appear unread.
- cleanup_stale_entries: skip feeds with active subscribers and preserve
  entries that have been read (not just saved)
- Go parser: normalize GUIDs by trimming whitespace and stripping
  tracking query parameters from URL-based identifiers
- Go writer: preserve original published_at on upsert instead of
  overwriting, preventing old entries from jumping to timeline top
- get_unread_counts: apply same time boundary as get_timeline so
  ancient re-inserted entries don't inflate counts
- Realtime listener: ignore INSERT events for entries older than 48h
  to suppress misleading "new entries" notifications from re-inserts
|
Reverts the DB-level filter so individual hidden feeds still show
their own unread badge. Filters client-side in totalUnreadCount
and getFolderUnreadCount instead.
|
get_unread_counts() now filters on hidden_from_timeline = false,
so feeds hidden from the timeline no longer inflate the total
unread badge or appear in aggregated counts.
|
- Make webhook URL tests deterministic with injectable DNS resolver
- Wire tier parity checker into CI and root scripts
- Add rate_limits cleanup cron job (hourly, >1hr retention)
- Change rate limiter to fail closed on RPC error
- Add Go worker tests: parser, SSRF protection, error classification,
  authentication, and worker pool (48 test functions)
|
- Mark all as read now scopes to current feed/folder instead of all
- Added undo button to mark-all-read toast notification
- Share notes can be toggled between public and private visibility
- Track share view count and display in shares list
- Activity-based share expiry: views reset the expiry timer
- Fixed notification panel z-index layering behind content area
|
Migrate existing display names from user_profiles to auth.users
user_metadata. Drop display_name column from user_profiles. Frontend
now reads from auth user metadata and updates via auth.updateUser().
|
Enable RLS on rate_limits table (accessed only via SECURITY DEFINER).
Fix api_keys delete policy to use (select auth.uid()) subquery to
avoid per-row re-evaluation. Refresh schema dump from live database.
|
- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1)
- Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS)
- Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
|
- Add SET search_path TO '' on 4 SECURITY DEFINER functions
  (update_feed_url, check_subscription_limit, check_folder_limit,
  check_muted_keyword_limit) to prevent search path injection
- Add DELETE policy to api_keys table for GDPR compliance
- Escape ILIKE/LIKE wildcards (%, _, \) in search_entries and
  get_custom_feed_timeline RPCs to prevent wildcard injection
- Fix get_custom_feed_timeline missing developer tier in retention
  check (was only checking 'pro', developer users got 14-day limit)
- Fully qualify table references in update_feed_url
|
Add "share" button to text selection toolbar so users can share an entry
with a highlighted passage visible to visitors. The public share page
renders the highlight and scrolls to it on load.
Also fix magic link and password reset redirects to use NEXT_PUBLIC_APP_URL
instead of window.location.origin so emails link to the production domain.
|
- Fix subscribe_to_feed overload ambiguity by dropping old 4-param version
- Fix vault permission error by using vault.create_secret instead of direct INSERT
- Add duplicate subscription check with clear error message
- Add unmute confirmation dialog matching unsubscribe pattern
- Add feed button in subscriptions settings page
- Add inline rename for feeds, folders, and custom feeds from reader header
- Add drag and drop feeds between folders in sidebar
- Add credential management UI (add/update) for pro/developer tier
- Add add_feed_credentials RPC to convert public feeds to authenticated
- Enable pgsodium extension for vault crypto operations
|
functions
|
All tables, indexes, RLS policies, functions, triggers, and pg_cron
jobs extracted from live instance. Removed empty functions/ and
migrations/ scaffolding directories.
|