- Add GET /api/admin/verify — side-effect-free code check used by the
admin unlock flow; registered before reset-auth-code in the router
- Remove "Reset auth code" section from admin panel (UI + dead API code);
rotation is now CLI-only via `wrangler secret put ADMIN_AUTH_CODE`
- Add rotate-admin-code justfile recipe using pwgen for local key rotation
- Add pwgen to Nix dev shell
- Update OpenAPI spec with /api/admin/verify definition
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add CREATE_REPORTS migration constant (was unused — now wired in)
- Wire CREATE_REPORTS into run_migrations for both NativeRepository and D1Repository
- Add create_report to QuoteRepository trait with NotFound semantics
- Implement create_report in NativeRepository (two-step: existence check then insert)
- Implement create_report in D1Repository (two-step: COUNT check then insert)
- Add report_handler: POST /api/quotes/{id}/report, 201/400/404/500
- Register route before /{id} in router so static /report suffix wins
- Add create_report to MockRepo in handler tests
- Add handler tests: test_report_success, test_report_quote_not_found, test_report_reason_too_long
- Add DB tests: test_create_report_success, test_create_report_not_found
- Add ReportInput schema and /api/quotes/{id}/report path to openapi.yaml
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add `hidden` (boolean, required) to the Quote response schema so all
GET responses reflect the field. Add `hidden` (boolean, optional) to
QuoteUpdateRequest so callers can toggle visibility via POST /api/quotes/:id.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds handler, route registration, request/response types, and five unit
tests for the admin auth-code rotation endpoint. Updates openapi.yaml
with the new path and a ResetAuthCodeResponse component schema.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a pre-flight check at the top of create_handler that calls
get_submissions_locked() before processing the request. Returns
423 Locked with {"error": "submissions are closed"} when locked.
Update openapi.yaml to document the 423 response on PUT /api/quotes.
Add three unit tests: locked → 423, unlocked → 201, unlock-then-create → 201.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Clarify verify_admin_code docstring to say "standard string equality"
instead of leaving comparison method implicit
- Add missing "500" response entries to /api/admin/lock and
/api/admin/unlock in openapi.yaml
- Remove pub from lock_submissions and unlock_submissions to match all
other handlers in the file
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add two admin-protected endpoints that toggle the global submissions lock:
- POST /api/admin/lock — sets submissions_locked = true
- POST /api/admin/unlock — sets submissions_locked = false
Both require the X-Admin-Code header and return { "submissions_locked": bool }
on success, or 403 on missing/wrong code. Operation is idempotent.
Shared helper verify_admin_code() fetches and compares the stored admin code.
Routes registered in the router() function. Five unit tests added covering
correct code, wrong code, missing header, and idempotent lock behaviour.
OpenAPI spec updated with AdminCode security scheme, LockResponse schema,
/api/admin/lock and /api/admin/unlock path entries, and an admin tag.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add GET /api/status path and StatusResponse schema. The endpoint
returns { "submissions_locked": bool } with 200 or 500, requires
no auth, and is tagged under the existing `meta` group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add 6 optional query parameters to GET /api/quotes:
date_after_year/month/day and date_before_year/month/day
Changes:
- QuoteRepository::list_quotes gains date_after and date_before params
- NativeRepository and D1Repository build ISO date prefix WHERE clauses;
quotes with NULL date are excluded when any bound is set
- list_handler validates component ordering (month requires year, etc.)
and returns 400 on invalid combinations
- build_date_bound helper converts y/m/d components to ISO prefix strings
- UI api::list_quotes and browse page gain From/To year filter inputs
- author page call updated to pass None for the new date params
- openapi.yaml extended with 6 new query parameter entries
- 6 new integration tests covering after, before, range, and 400 cases
- 1 new native DB unit test covering all filter combinations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Elijah Voigt