H0-01: Reject Apple login mock fallback in production
H0-02: Protect /internal/* with InternalAuthGuard (X-Internal-API-Key)
H0-03: JwtAuthGuard check user status (deletedAt, status)
H0-04: Refresh token check user status + revoke all on deleted
H0-05: User/admin JWT isolation (type=user/admin, enforce ADMIN_JWT_ACCESS_SECRET)
H0-06: Add DTOs for import/source/learning-session controllers
H0-07: 22 E2E tests (h0.e2e-spec.ts), 5 iOS integration docs
Tests: 47/47 (H0 22 + M0 25), no regression.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
UploadedFile.sizeBytes is BigInt → JSON.stringify throws TypeError.
Add BigInt.prototype.toJSON to convert to Number globally.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- GiteaService: use /repos/search?q= with fallback to /user/repos, remove slow per-repo API calls
- Frontend: add RepoSelector dropdown to Issues/Milestones/Releases tabs
- Fix Gitea panel tab (was filtered out by conditional undefined)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Only fetch display-needed columns, skip backText TEXT column
- Reduces data transfer and query time significantly
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add scope field to Notification model (user/admin)
- AdminNotificationsController: list, send, mark read
- Generate endpoints: cost-alert, import-failure, key-expiring
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add AgentTask and AgentArtifact Prisma models
- HermesAgentController: list tasks, approve/reject, list artifacts
- AAPI: GET /admin-api/hermes/tasks, POST approve/reject, GET /admin-api/hermes/artifacts
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add CleanupJob Prisma model
- Create BackupService with backup/cleanup job tracking
- Create BackupController (AAPI: GET jobs, POST trigger backup, GET cleanup, POST cleanup)
- Supports cleanup types: soft-delete, api-metrics, task-logs
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add ServiceHealth Prisma model for health check records
- Add getHealthChecks() with local + remote service checks
- Add GET /admin-api/servers/health endpoint
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add AdminLearningController with 3 endpoints:
GET /admin-api/learning/sessions — learning sessions list
GET /admin-api/learning/analysis — AI analysis results
GET /admin-api/learning/ai-usage — AI usage logs
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- import-candidate: explicit any[] type for safeCandidates
- growth: date→activityDate (actual DailyLearningActivity field name)
- review: Number(rating) for SM-2 math, remove easeFactor from updateCard call
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- GrowthService: streak calculation from DailyLearningActivity
- Recommendations: focus items, due review cards, new knowledge items
- New API: GET /api/activity/streak, GET /api/activity/recommendations
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Publish AIAnalysisCompleted domain event after each AI analysis
- Auto-generate FocusItems from AI-identified weaknesses
- Review Engine subscribes to AIAnalysisCompleted to create ReviewCards
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- SystemKnowledgeBaseSeed: auto-creates built-in 新手引导知识库
- Content Safety check on candidate accept() and createCandidates()
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Same issue as KnowledgeBaseService — NestJS can't resolve
ContentSafetyService in RagChatModule without @Optional().
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Artifact base model for future FlashcardSet/Quiz/StudyGuide
- KnowledgeItem.learnable boolean (default true) for M3 LearningSession
- Admin AAPI: GET candidates (by status/kbId), GET items (by kbId)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- ImportStepLog model for tracking each import pipeline step
- Admin AAPI: import list, detail with step logs, retry failed
- Admin page: ImportMonitor with drawer detail view
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
VectorService.onModuleInit() was blocking NestJS startup trying to
connect to Qdrant, causing systemd restart timeout. Changed to lazy
initialization: Qdrant client connects on first actual request only.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
NestJS couldn't resolve ContentSafetyService because ContentSafetyModule
is not imported in KnowledgeBaseModule, causing app startup crash.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- SourceReference model for artifact→chunk→source citation chain
- Admin source list + reference tracing endpoints
- Existing KnowledgeSource already covers Material status/version
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- GET /admin-api/metrics/ai — AI调用耗时按provider/模型分组
- GET /admin-api/metrics/worker — Worker任务按队列统计成功率
- Admin page: AI performance + Worker performance tabs
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add ViolationRecord table (Prisma + migration)
- CAPI POST /api/reports for user report submission
- AAPI reports list + handle, violations list + penalty apply
- Admin page: reports management + violation records tabs
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Changed getMasterKey() from throwing Error at module load time to logging
a critical console.error, so the app can still start without the env var.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add keys() method to RedisService for WorkerHeartbeat
- Wrap eventBus.publish() calls in try/catch (returns void)
- Fix Qdrant createPayloadIndex API signature (2 args, not 3)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
