Full deployment history for this project.
🎨 Palette: [UX improvement] Add loading spinners to async buttons - Added Spinner component to BibleActions buttons - Expanded loading state to BibleForm action buttons - Added Spinner to Login page - Created unit test for Spinner accessibility - Logged UX learning in .jules/palette.md Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Add loading states to bible actions - Added Loader2 spinners to toggle status and delete buttons - Disabled buttons during async operations to prevent double clicks - Replaced ambiguous "..." loading text with descriptive action text Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix overly permissive CORS configuration This commit addresses a High Priority security vulnerability where the API endpoints were configured with an overly permissive CORS policy (`Access-Control-Allow-Origin: "*"` and `Access-Control-Allow-Methods: "GET, POST, PUT, DELETE, OPTIONS"`). By allowing any origin to perform state-changing HTTP methods, the application was susceptible to Cross-Origin Resource Sharing (CORS) abuse and Cross-Site Request Forgery (CSRF) if an attacker hosted a malicious webpage that interacted with these endpoints using the victim's session. The fix introduces dynamic origin validation. It explicitly trusts all external GET requests but restricts all other methods to a whitelist of domains configured via the `ALLOWED_CORS_ORIGIN` environment variable or the predefined list of trusted domains. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL] Fix missing authentication on MCP endpoint The `app/api/mcp/route.ts` file contained an unauthenticated `POST` route that allowed users to add, edit, and delete items from the database. Added an `x-api-key` validation function. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL] Fix Missing authentication on sensitive endpoint - Added `validateApiKey` helper function to `app/api/mcp/route.ts` which correctly enforces the `x-api-key` header against `process.env.API_KEY` for the `POST` handler. - Prevents unauthenticated users from mutating/querying data via the MCP endpoint (which was completely open previously). - Added an entry for this CRITICAL learning to `.jules/sentinel.md`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [High] Fix overly permissive CORS configuration Modified app/api/mcp/route.ts, app/api/v1/bibles/route.ts, and app/api/v1/bibles/[id]/route.ts to tighten CORS. Allows all methods for platphormnews.com domain and subdomains, but restricts external origins to GET and OPTIONS methods only. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #6 from mbarbine/sentinel-fix-hardcoded-api-key-8472584424216871976 🛡️ Sentinel: [CRITICAL] Fix hardcoded API key fallback
🛡️ Sentinel: [CRITICAL] Fix hardcoded fallback API key Removes hardcoded fallback API key ("your-secret-api-key") from API routes (orders, stats, bibles, bibles/[id]). The endpoints now fail securely (return 401 Unauthorized) if the API_KEY environment variable is not explicitly set. Adds a security journal entry in .jules/sentinel.md documenting the vulnerability. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #4 from mbarbine/jules-14213692878355392199-86fc57b5 Fix discovery files, UI, MCP routing and Tests
Fix discovery files, UI, MCP routing and Tests Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #3 from mbarbine/palette-aria-label-delete-bible-11335115618059908501 🎨 Palette: Add aria-label to delete bible button
🎨 Palette: Add aria-label to delete bible button Added `aria-label="Delete Bible"` to the icon-only trash button in `components/bible-actions.tsx` to improve accessibility for screen readers. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Rename project to 'Reliable Bibles' and clean README Updated project name and removed deployment details.
Merge pull request #2 from mbarbine/v0/mbarbine-5f84f52d Launch Catholic NAB Bible platform with SEO and API support
fix: defensive Supabase client creation and env var handling Add checks for missing env vars and clearer error messages. Co-authored-by: Michael Barbine <3211492+mbarbine@users.noreply.github.com>
fix: upgrade Next.js to patch critical security vulnerability Update Next.js to 16.0.10 to fix CVE-2025-66478. Co-authored-by: Michael Barbine <3211492+mbarbine@users.noreply.github.com>