auth: lift oidc test stub into internal/testutil/oidcstub
docs(lethe-oidc-stub): design + plan
docs: track tooling DX and lethe-oidc-stub follow-up (#10)
- TODO.md: mark task #5 (lethe-web-ui-aggregates) Reviewed; add task
#10 lethe-oidc-stub (promote the in-test oidcTestServer to an
exported testutil package, optionally a cmd/oidc-stub binary, to
unblock real-browser smoke without standing up Authelia locally).
New sections: Repo hygiene / Tooling DX (with the four tooling items
now landed) and Deferred operational follow-ups (sourcecraft push +
browser smoke for #5).
- tasks/lethe-web-ui-aggregates.md: cross-ref the deferred browser
smoke to task #10 in Future work.
tooling: adopt go tool directives; rename air→dev; bundle fmt drift
- Justfile: rename `air:` to `dev:`, body uses `go tool air`; the three
migrate recipes use `go tool migrate`; `fmt` adds `go fix ./...`.
Stale `brew install golang-migrate` comment block replaced with the
one-line `go get -tool` bootstrap hint.
- README.md: quickstart says `just dev`.
- go.mod: declare github.com/air-verse/air and golang-migrate's cmd
in the `tool` block (Go 1.24+) so contributors never need a separate
install step. Updates go.sum accordingly.
- internal/domain/stats/repository.go: pre-existing `HostSplit` indent
drift + trailing newline, surfaced by goimports inside the new fmt
recipe.
docs(lethe-web-ui-aggregates): record execute, verify, review
Mark task Reviewed. Conclusion captures the eight active
deviations, the four Important review findings (all
resolved in 3fbbfc8 and 1818fac), the verify checklist
(positive / negative / invariant / interface checks all
passing), and the deferred items needing user smoke
through the new SPA routes in a real browser.
project: drop unreachable rawHosts/rawTools fields on Project
The struct literal carried two unexported fields with
db:"raw_hosts" / db:"raw_tools" tags, but the actual scan
target is the local rawRow struct in List() that does the
GROUP_CONCAT split + dedupe before assigning Hosts/Tools.
sqlx silently ignores the unexported fields, so they never
held any data; they just confused the next reader of the
type definition.
web: review fixes for projects/stats SPA routes
- ProjectsTable: drop the inner navigate call from handleOpen;
the parent route already navigates via the onOpen callback,
so the second push was creating a duplicate history entry
on every row click. Matches the SessionsTable pattern.
- HorizontalBars: replace href:string with onActivate(row)
callback. The earlier shape passed a pre-encoded path
string straight into TanStack <Link to={...}>; routing the
navigation through the typed (to, params) form via the
caller avoids any double-encoding ambiguity around splat
params and decouples the primitive from a specific route.
- stats.css: drop duplicated .card / .card-head / .card-body
blocks. The same rules already live in shell.css (loaded
globally), so any future divergence between the two copies
would silently desync.
web: regenerate embedded SPA bundle for stats route
Vite stamps content-hash asset filenames; the Phase 5 source changes
flipped both bundle hashes. The Phase 5 commit (e048bdf) shipped the
source but not the regenerated index.html, which the Go server embeds
via embed.FS to serve the SPA. Re-stage so the embedded asset path
matches the actual bundle on disk.
web: stats route with backend-driven chart primitives
web: project detail route scoped via ?cwd= sessions filter
web: projects index route with real /projects data
stats: add /api/v1/stats aggregate endpoint
Implements Phase 2 of lethe-web-ui-aggregates: a single-round-trip
/api/v1/stats endpoint that bundles per-tool rollup, daily time-series,
84-cell activity heatmap, top-cwd ranking, hour-of-day distribution, and
host split. All six aggregations run fresh per request; no server cache.
- internal/domain/stats/buckets.go: pure helpers DailyWindow, FillDaily,
HeatmapWindow, HourWindow — fully deterministic, tested independently.
- internal/domain/stats/repository.go: Filter/Stats types and Repository.Stats
— six SQL queries joined via sessions+turns, owner scope via OwnerScope
(AllOwners / SpecificOwner / default), sparkline capped at 60 buckets.
- internal/domain/stats/handler.go: Handler.List — ?range=7d|30d|90d|all
(default 30d); ?range=<other> → 400 INVALID; ?owner= non-admin → 403.
- internal/server/server.go: register *stats.Handler alongside project/sessions.
- cmd/lethe/main.go: add statsRepo/statsHnd to var block and steward graph.
- cmd/lethe/main_e2e_test.go: add stats.Repository/Handler to e2e graph.
project: add /api/v1/projects aggregation; sessions: add ?cwd= filter
- session.ListFilter gains Cwd *string; List appends working_dir = ?
clause between Host and Since in fixed order (parameterised, column
name is a literal)
- session.Handler reads ?cwd= and threads it to filter.Cwd; empty
string treated as absent, consistent with other optional filters
- new package internal/domain/project:
- Repository.List groups sessions by non-NULL working_dir in a single
SQL round-trip; correlated subquery picks top_tool with tie-broken
by tool ASC; Hosts/Tools deduped and sorted in Go after
GROUP_CONCAT
- Handler mounts GET /projects; resolveScope/clampLimit/clampOffset
duplicated from session handler; ?owner= admin gating identical
- server.Server gains Projects *project.Handler inject field; mounted
in /api/v1 Route block
- main.go and e2e test register projectRepo + projectHnd with steward
docs(lethe-web-ui-aggregates): add implementation plan
docs: add roadmap TODO and lethe-web-ui-aggregates design
TODO.md indexes all 9 task specs (4 done/in-progress, 5 deferred or
blocked) plus the carry-overs from the foundation Conclusion. New task
file lethe-web-ui-aggregates covers the backend /projects + /stats
endpoints and the three frontend screens (Projects index, Project
detail, Stats), replacing three of the foundation's stub routes.
docs(lethe-web-ui-foundation): record review conclusion, mark Reviewed
Two Important findings from the independent review pass were resolved:
keyboard g-leader / palette-input interference (4ef7a02), and Dockerfile
web-builder path fragility plus uncovered Go-1.26 requirement (0cf348a).
Future work captured: composite-id URL, aggregates absent on Get, Turn
meta-line timestamp, stray flatted/ Go package. CI config remains
deferred pending user choice between .github/ and .sourcecraft/.
docker: stabilize web-builder paths and bump builder Go to 1.26
Two related Dockerfile correctness fixes uncovered while validating the
review pass:
1. The web-builder stage used WORKDIR /web with vite's relative
outDir ../internal/server/web/dist resolving to /internal/server/web/dist
at the container root — working only by relative-path coincidence.
Mirror the host repo layout inside /src so the path is /src/internal/server/web/dist
in both stages, making the COPY --from explicit and stable against any
future WORKDIR or outDir change.
2. golang:1.25-alpine no longer compiles the codebase: the auxilia/culpa
dep uses errors.AsType which is in 1.26+. Bump the builder image to
golang:1.26-alpine and the go.mod directive from 1.25.0 to 1.26.0
so they agree on the actual minimum.
Verified: docker build (full multi-stage) green; produced binary runs.
keyboard: guard g-leader and j/k against palette and editable targets
Add an early return after the ⌘K and Esc handlers so the g-prefix
dispatch, g-start, j/k cursor, and Enter activation skip when the
palette is open or the focused element is an input/textarea/contenteditable.
Without it, typing "gh" into the palette search input fires go("home")
mid-query, navigating away while the palette stays open.
Two regression tests added: g+h with palette open → no navigation; g
on a focused input → no pending state, follow-up h does nothing.
docs(lethe-web-ui-foundation): record verify section, mark Verified
End-to-end browser smoke confirmed shell, Home (with real ingested data
showing all aggregate columns), Session view (markdown rendering, role
glyphs, breadcrumb), ⌘K palette, tab navigation. Three minor follow-ups
captured in Notes (composite-id URL encoding, zero aggregates on Get
path, stray flatted Go package in npm dep).
docs(lethe-web-ui-foundation): record execute deviations across all 6 phases
All six phases implemented, signed, and tested green. Backend aggregates
(Phase 1) ship a strict superset of the prior /api/v1/sessions response.
Web SPA (Phases 2-6) is embedded into the Go binary; vite dev mode
proxies the API with a Remote-User header injection so forward-auth
passes without a real reverse proxy. Status flipped to "Execute (verify
pending)" pending up:uverify.