ActaLog TODO

Last Updated: 2026-04-02 Current Version: 1.2.1 (Build 44)

Claude Instructions

This is the canonical TODO file for ActaLog. All task tracking should be done here.

Guidelines for Claude Code:

Only track TODOs here - Do not create TODO sections in other documentation files
Active Tasks - Items currently being worked on (move here when starting)
Backlog - Planned features, known bugs, and improvements not yet started
Completed Releases - Keep only the last 5 releases here; older releases are in CHANGELOG.md
Periodic Cleanup - When starting a new session, clean up completed items and archive old releases
Technical Details - Include file paths and implementation notes for completed work
Priority Markers - Use [HIGH], [MEDIUM], [LOW] for backlog items
Bug Format - [BUG] prefix for bug reports

Code TODOs - Periodically scan codebase for TODO/FIXME comments:

grep -rn "TODO\|FIXME" --include="*.go" --include="*.vue" --include="*.js" .

File Relationships:

TODO.md - Active task tracking (this file)
CHANGELOG.md - Release history and change documentation
ROADMAP.md - High-level version planning and feature roadmap
Do NOT duplicate TODO content in ROADMAP.md or CHANGELOG.md

Active Tasks

Items currently being worked on. Move items here from Backlog when starting.

Class Scheduling System (Completed)

Status: Phase 1-4 Complete

Phase 1-3 (v0.26.0 migration):

Gym locations, class templates, schedule slots
Class sessions with capacity management
Coach assignments (per-gym role)
Reservations with check-in flow

Phase 4 (v0.27.0 migration):

Documents - Required documents (waivers, liability forms) per gym
User Documents - Track document completion status per user
Class Packages - Credit packages (e.g., "10-Class Pack")
User Credits - Credit balances with expiration tracking
Waitlist - Queue management when classes are full
Class Notifications - Reminders and waitlist promotions

Frontend Views:

ScheduleView.vue - Browse sessions, reserve, join/leave waitlist
MyCreditsView.vue - User's credits, documents, waitlist entries
MyReservationsView.vue - User's upcoming reservations
AdminPackagesView.vue - Admin management for packages, documents, user credits
AdminSchedulingView.vue - Admin session/template management

API Endpoints (Phase 4):

Documents: GET/POST/PUT/DELETE /api/admin/gyms/{id}/documents
Packages: GET/POST/PUT/DELETE /api/admin/gyms/{id}/packages
Credits: POST /api/admin/gyms/{id}/users/{id}/credits, GET /api/gyms/{id}/users/me/credits
Waitlist: POST/DELETE /api/sessions/{id}/waitlist, GET /api/users/me/waitlist
User documents: GET /api/gyms/{id}/users/me/documents

Database Tables (6 new in v0.27.0):

documents, user_documents, class_packages, user_class_credits, waitlist_entries, class_notifications

Bug Fix: PurchaseCredits now correctly uses package credits when package_id is provided without explicit credits value.

Tested on: SQLite, MariaDB (192.168.1.234), PostgreSQL (192.168.1.143)

Delete Class with Sessions (Completed)

Status: Complete (Build 31)

Three delete modes for class templates:
- template_only - Delete template only, sessions orphaned
- with_future_sessions - Delete template + future sessions, keep past
- with_all_sessions - Delete template + all sessions
Cascade deletion (coaches, reservations, waitlist, notifications)
Credit refunds for unconfirmed reservations
User notifications for cancelled sessions
New UI dialog with mode selection and session counts
API: DELETE /api/admin/scheduling/templates/{id}?mode=<mode>

Files Modified:

internal/domain/scheduling.go, internal/domain/phase4.go - Interface methods
internal/repository/class_session_repository.go - Bulk delete methods
internal/repository/session_coach_repository.go - DeleteBySessionIDs
internal/repository/reservation_repository.go - GetBySessionIDs, DeleteBySessionIDs
internal/repository/waitlist_repository.go - DeleteBySessionIDs
internal/repository/credits_repository.go - RefundCredit
internal/service/scheduling_service.go - DeleteTemplateWithMode
internal/handler/scheduling_handler.go - Mode parameter handling
web/src/views/AdminSchedulingView.vue - Delete dialog UI

Tested on: SQLite, MariaDB, PostgreSQL

Test Suite Cleanup (Completed)

Status: Phase 1 Complete, Phase 2 Complete Tracking: See docs/TEST_CLEANUP.md for detailed summary

Phase 1 - Removed ~31 low-value tests:

Struct field assignment tests (19)
Language feature tests (10)
Trivial helper tests (2)

Phase 2 - Removed ~267 panic-expectation tests:

All handler test files cleaned (24 files total)
Panic tests that created nil dependencies removed
Validation tests and mock-based tests preserved
All tests pass with proper coverage

CI/Lint Fixes (Deferred)

Status: golangci-lint set to continue-on-error in .github/workflows/ci.yml:37

The following lint issues need to be resolved to re-enable strict linting:

goconst warnings - Repeated strings in SQL queries (LIMIT, OFFSET, ORDER BY)
- Files: internal/repository/movement_repository.go, others
- Decision: Either make constants or add exclusion
Remaining gofmt issues - Some files may still have formatting issues
- Run: gofmt -w ./... and review changes
Other minor issues - Review full golangci-lint output for any remaining items

To re-enable strict linting:

Fix or exclude remaining issues
Remove continue-on-error: true from .github/workflows/ci.yml:37

Backlog

High Priority

Comprehensive Benchmark Endpoint (Completed v0.22.0)

Subscription System (Backend Complete - v0.14.0, Frontend Complete - v0.17.0)

Front end Improvements

Security (closed in v1.2.4 hardening branch)

[HIGH] Security Response Headers Middleware (Completed v1.2.4) — Added pkg/middleware/security_headers.go setting X-Frame-Options, X-Content-Type-Options, Referrer-Policy, HSTS, and a project-tuned CSP. Wired after CORS in cmd/actalog/main.go. Tests in security_headers_test.go assert per-header values and that script-src stays free of 'unsafe-inline'/'unsafe-eval'.
[HIGH] Avatar Upload Magic-Byte Validation (Completed v1.2.4) — Replaced trust-the-header check with http.DetectContentType() over the first 512 bytes plus a .jpg/.jpeg/.png/.gif/.webp extension allowlist. Negative tests cover spoofed-Content-Type and disallowed-extension cases.

Backend Improvements

Documentation Website
- Build a dedicated user and admin guide website from Markdown documents
- Use a static site generator (e.g., MkDocs, Docusaurus, VitePress, Hugo) to convert existing Markdown docs into an attractive HTML site with navigation, search, and theming
- Separate user guide (workout logging, schedules, PRs, leaderboards) and admin guide (user management, scheduling config, backups, subscriptions)
- Host alongside the app or as a standalone site

Future Enhancements (Post-MVP)

These features can be added after the core frontend is complete:

Stripe Integration (v0.15.0+)
- Replace manual admin control with automated billing webhooks
- Credit card payment processing
- Automatic subscription renewal
Email Notifications (v0.15.0+)
- Notify users 7/3/1 days before expiration
- Notify users when subscription expires
- Notify admins of failed payments
Self-Service Portal (v0.16.0+)
- Users can upgrade/downgrade themselves
- View payment history
- Update payment method
Usage Limits (v0.16.0+)
- Track API usage for free tier
- Enforce limits on free subscriptions
- Display usage metrics
Bulk Operations (v0.17.0+)
- Admin can bulk-update subscriptions
- Bulk extend expiration dates
- Bulk cancel subscriptions
Grace Period Configuration (v0.17.0+)
- Make grace period configurable per organization
- Different grace periods for different subscription tiers

Testing Coverage (81.6% Service Layer)

Admin Features

High Priority

Documentation & Marketing

Performance & Analytics

[MEDIUM] Calendar View - WorkoutCalendarView.vue with workout dots and month navigation
[MEDIUM] Timeline View - WorkoutTimelineView.vue with chronological history
[MEDIUM] Progress Charts - WeightProgressChart.vue and WorkoutFrequencyChart.vue components (not yet integrated into views)
[MEDIUM] Admin Metrics Dashboard - User stats, workout counts, system health (v0.22.0)
[MEDIUM] 1RM Percentage Display - Performance page 1RM percentage tops out at 95%; needs to also show 100% of the maximum weight lifted
[MEDIUM] PR Leaderboards - Opt-in community leaderboards (migration 0.33.0, leaderboard_opt_in setting, movement/WOD leaderboard API endpoints, LeaderboardView.vue)

Testing

[MEDIUM] Add backup_service tests - backup_service_test.go with 10 test functions covering create/restore/export
[MEDIUM] Add wodify_import_service tests - wodify_import_service_test.go with duplicate handling
[MEDIUM] Add export/import_service tests - Currently at 60-83% coverage
[MEDIUM] Add admin_handler tests

PWA Enhancements (Audited v0.24.0)

[MEDIUM] Lighthouse PWA audit completed (Jan 2026)
- Performance: 56/100 (throttled network), Best Practices: 100/100, SEO: 92/100
- PWA features verified: service worker, offline caching, installable manifest
- Issues found: color contrast, meta viewport user-scalable, touch target sizes
[MEDIUM] Service worker cache analysis completed
- Total precache: 6.9MB (150+ entries)
- Material Design Icons: 3.5MB (4 formats) → Optimization: remove ttf/eot, keep woff2 only (394KB)
- Self-hosted accessibility fonts: 848KB (9 families, 22 files)
- JavaScript: 1.5MB (properly chunked), CSS: 848KB
- Runtime caching: API responses (NetworkFirst), fonts (CacheFirst), uploads (StaleWhileRevalidate)
[MEDIUM] Offline sync implementation reviewed
- IndexedDB storage for workouts, movements, pending sync queue
- Axios interceptor saves POST/PUT /api/workouts offline when network unavailable
- syncWithServer() replays pending operations when back online
- User-controlled updates via UpdatePrompt.vue and pwa.js store
- Status: Fully implemented, works for workout logging

Remaining PWA optimizations (deferred):

[LOW] Remove unused MDI font formats - Custom Vite plugin mdiWoff2Only() strips ttf/eot/woff
- Dist size: 6.9MB → 3.8MB (45% reduction)
- Precache: 6.9MB → 3.4MB (50% reduction)
- Only woff2 (394KB) shipped to production
[LOW] Lazy-load accessibility fonts - Fonts loaded on-demand when user selects them
- Split fonts.css into 9 separate font family CSS files
- Font store dynamically imports CSS via Vite's dynamic import
- Fonts excluded from precache via globIgnores
- Runtime caching (CacheFirst) caches fonts on first use
- Precache: 3.4MB → 2.6MB (additional 24% reduction)
[LOW] Fix accessibility issues (color contrast, touch targets) - Fixed label contrast (#666666 for 5.74:1 ratio), touch target sizes (24x24px min)

Roles & Permissions

[HIGH] Coach Role (Completed Build 36) - Added dedicated coach role (migration 0.32.0). Renamed "user" to "athlete". Three-tier role system: athlete < coach < admin. CoachOrAdmin middleware protects /api/coaches/ routes. Coaches bypass subscription checks. Coach Dashboard uses dedicated /api/coaches/sessions/ endpoints with org-level access verification. Bottom nav shows Coach button for coach/admin roles when scheduling enabled.
- Admin all-sessions visibility: Admins see ALL upcoming sessions across all gyms on Coach Dashboard (not limited to coach assignments). Added GetAllUpcoming repo method and GetAllUpcomingSessions service method; handler branches on role.
- Comprehensive role/access middleware tests: 14 new test functions in pkg/middleware/auth_test.go and pkg/middleware/subscription_test.go covering all role permutations for AdminOnly, CoachOrAdmin, and RequireActiveSubscription middleware. Includes full JWT→middleware integration tests.
- Files modified: internal/domain/scheduling.go, internal/repository/class_session_repository.go, internal/service/scheduling_service.go, internal/handler/scheduling_handler.go, pkg/middleware/auth_test.go, pkg/middleware/subscription_test.go
- Docker images pushed: ghcr.io/johnzastrow/actalog:dev, :latest, :1.1.0-beta (Build 36)

Low Priority

Testing

[LOW] Add audit_log_service tests - 100% coverage achieved
[LOW] Add wodify_import_service tests - 100% coverage achieved

Features

[MEDIUM] Admin Screen Consolidation (Partial) - Grouped Profile screen's 16 admin links into 5 labeled categories (Users & Access, Scheduling, Communication, Data & System, Organizations) using v-list-subheader dividers. Removed disabled "System Reports" placeholder. Full tab consolidation of admin screens into complex tabbed views remains for future work.
[MEDIUM] Consistency Achievement Notifications - Daily scheduler checks all users for milestones (50/100/200/300 workouts, 4+/week, day streaks 4/7/14/21/30, inactivity warnings). Migration 0.34.0 consistency_achievements table, dedup via UNIQUE constraint, notification icons in NotificationsView.
[LOW] Push Notifications - Workout reminders
[LOW] Data Visualization - Charts for PR progression
[LOW] Social Features - Share workouts (opt-in)
[MEDIUM] UI Styling Consistency Review (Partial) - Replaced hardcoded #2c3e50 inline color styles with Vuetify theme classes (text-h6, text-subtitle-1) in AdminDataQualityView (4 occurrences), AdminDataCleanupView (3), and AdminView (1) for dark mode compatibility. Remaining screens (WorkoutCalendarView, WorkoutTimelineView fixed headers; PerformanceView Chart.js config) flagged for future review.
[MEDIUM] Admin Breadcrumbs & Navigation Consistency (Partial) - Fixed AdminSchedulingView to use shared AdminHeader component instead of custom gradient header, adding breadcrumb navigation (Admin > Scheduling) consistent with all other 17 admin views. Full audit of remaining admin views for navigation consistency remains for future work.

Technical Debt

[LOW] Multiple Save Issue - TemplateEditDialog save() is being called 3x instead of 1x; investigate root cause (possibly related to Vue reactivity with Schedule tab slots)

Known Bugs

Report bugs here with reproduction steps.

(none currently)

Code TODOs

TODOs found in source code comments. These should be addressed or promoted to Backlog.

Backend (Go)

File	Line	Description
`internal/service/workout_service.go`	396	Add proper authorization through workout template ownership
~~`internal/service/import_service.go`~~	~~587, 701~~	~~Add duplicate detection using userWorkoutRepo.ListByUserAndDateRange~~ DONE (v0.17.0)
`internal/handler/movement_handler.go`	141	Get user ID from context when auth middleware is added

Frontend (Vue)

File	Line	Description
`web/src/views/WorkoutsView.vue`	372	Navigate to template detail page

Last scanned: 2026-01-09

Note: Calendar view (WorkoutCalendarView.vue) and PR notification system are implemented.

Completed Releases

v1.2.4 (2026-04-28 — Security Hardening, part two)

Status: Released from security/headers-and-uploads-2026-04-28. Closes the two items deferred from v1.2.3.

Completed:

Security — Security response headers middleware (pkg/middleware/security_headers.go) sets X-Frame-Options, X-Content-Type-Options, Referrer-Policy, HSTS, and a project-tuned CSP on every response; wired after CORS in cmd/actalog/main.go
Security — Avatar upload no longer trusts client Content-Type; uses http.DetectContentType over first 512 bytes plus extension allowlist (internal/handler/user_handler.go)
CI — CI Failure Notify workflow now deduplicates issues per (workflow, branch) and auto-closes when a subsequent run on the same branch succeeds (.github/workflows/ci-failure-notify.yml)
Maintenance — 8 Dependabot bumps merged (deploy-pages, setup-buildx, lib/pq, x/crypto, pgx, vue-ecosystem, go-sqlite3, dev-dependencies group); 2 closed with policy comments (Vuetify 4.0.5 watch-and-wait, axios 1.14.0 supply-chain)

v1.2.3 (2026-04-03 — Security Hardening)

Status: Released from security/hardening-2026-04-03.

Completed:

v1.2.1 (2026-04-01)

Status: Patch release — security fixes, dependency maintenance, CI hardening.

Completed:

Known issues:

vite-plugin-pwa dependency chain (serialize-javascript CVE) — fix requires major downgrade to 0.19.8; deferred to next release

v1.2.0-beta (2026-02-19)

Status: PR Leaderboards, configurable beta logo, nav and UI polish.

Completed:

PR leaderboards and consistency achievement notifications
Configurable beta logo via LOGO_VARIANT env variable
Leaderboard search API response parsing fix and header nav icon
Improved avatar upload UX

v1.1.0-beta (2026-01-22)

Status: Coach role, three-tier permissions, class deletion modes, scheduling UX.

Completed:

Three-tier role system: athlete < coach < admin (migration 0.32.0)
CoachOrAdmin middleware; dedicated /api/coaches/ routes
Delete class template with configurable cascade (template only / future sessions / all sessions)
Credit refunds and notifications on session cancellation
Coach Dashboard — admins see all sessions across all gyms

v0.24.0-beta (2026-01-14)

Status: Data Quality & Duplicate Detection system with merge functionality.

Completed:

Files Created: internal/service/data_quality_service.go, internal/handler/data_quality_handler.go, web/src/views/AdminDataQualityView.vue

Files Modified: cmd/actalog/main.go (routes), web/src/router/index.js (route), web/src/views/ProfileView.vue (admin menu link), .env.example (demo mode)

API Endpoints:

GET /api/admin/data-quality/duplicates - Scan all entities for duplicates
GET /api/admin/data-quality/duplicates/summary - Quick duplicate summary
GET /api/admin/data-quality/duplicates/{entity} - Scan specific entity type
POST /api/admin/data-quality/duplicates/merge/preview - Preview merge operation
POST /api/admin/data-quality/duplicates/merge/confirm - Execute merge
GET /api/admin/data-quality/issues - Scan for data quality issues

v0.22.0-beta (2026-01-09)

Status: Comprehensive benchmark endpoint with configurable stress testing.

Completed:

Files Created: internal/domain/benchmark.go, internal/repository/benchmark_repository.go, internal/service/benchmark_service.go, internal/handler/benchmark_handler.go

Files Modified: internal/repository/migrations.go (0.22.0, 0.23.0), configs/config.go, .env.example, site/tech.html, site/index.html

For releases prior to v0.24.0, see CHANGELOG.md

Future Considerations

These are longer-term ideas that may or may not be implemented:

Kubernetes manifests - For larger deployments
Mobile native apps - React Native or Flutter wrappers
API rate limiting - For multi-tenant deployments
Webhook integrations - Connect to external services
Multi-language support - i18n framework

Technical Debt

Items to address when time permits:

Refactor large view components (DashboardView, PerformanceView) into smaller sub-components
Add comprehensive API documentation (OpenAPI/Swagger)
Improve error handling consistency across handlers (centralized in internal/handler/errors.go)
Add structured logging throughout the codebase (JSON format support in pkg/logger)
Review and optimize database queries with EXPLAIN (audit_logs indexes, N+1 fixes)

Dependency Upgrade Watch

Vuetify 4 Migration — Watch & Wait

Current: Vuetify ^3.12.1 (pinned after accidental bump to 4.0.0 in Dependabot commit 039084d)

Trigger conditions — upgrade when ANY of these are true:

Vuetify 4.1.x or later is released (indicates post-launch stabilization)
Vuetify 3.x enters security-only or end-of-life maintenance
A feature we need is only available in Vuetify 4

Watch:

Vuetify GitHub releases: https://github.com/vuetifyjs/vuetify/releases
Vuetify 3 EOL announcement (none as of 2026-04-03)

Known breaking changes for this app (catalogued 2026-04-03):

Area	Change	Fix Required
CSS cascade	All Vuetify 4 CSS is in `@layer vuetify-components` — unlayered app CSS wins	Wrap `main.css` reset in `@layer reset { }` and remove `p, span, div { font-size: 14px }` from App.vue
`v-main` padding	CSS reset `* { padding: 0 }` kills layout top/bottom padding	Keep existing `paddingTop`/`paddingBottom` in `mainStyle` (already fixed)
`fill-height`	No longer sets `display: flex` or `align-items: center` — only `height: 100%`	Add `d-flex align-center` to 47 views using `v-container class="fill-height"`
`app` prop	Removed from `v-app-bar`, `v-bottom-navigation` — layout registration is now automatic	Remove `app` prop from both (harmless but dead code)
`v-bottom-navigation`	`v-model` controls selected tab only; `active` prop controls visibility separately	Audit any code that passed `v-model` expecting visibility control

Full plan: See memory file vuetify4-upgrade-plan.md

This file is maintained by Claude Code. See CHANGELOG.md for complete release history.

FilesExpand file tree

TODO.md

Latest commit

History

TODO.md

File metadata and controls

ActaLog TODO

Claude Instructions

Guidelines for Claude Code:

File Relationships:

Active Tasks

Class Scheduling System (Completed)

Delete Class with Sessions (Completed)

Test Suite Cleanup (Completed)

CI/Lint Fixes (Deferred)

Backlog

High Priority

Comprehensive Benchmark Endpoint (Completed v0.22.0)

Subscription System (Backend Complete - v0.14.0, Frontend Complete - v0.17.0)

Front end Improvements

Security (closed in v1.2.4 hardening branch)

Backend Improvements

Future Enhancements (Post-MVP)

Testing Coverage (81.6% Service Layer)

Admin Features

High Priority

Documentation & Marketing

Performance & Analytics

Testing

PWA Enhancements (Audited v0.24.0)

Roles & Permissions

Low Priority

Testing

Features

Technical Debt

Known Bugs

Code TODOs

Backend (Go)

Frontend (Vue)

Completed Releases

v1.2.4 (2026-04-28 — Security Hardening, part two)

v1.2.3 (2026-04-03 — Security Hardening)

v1.2.1 (2026-04-01)

v1.2.0-beta (2026-02-19)

v1.1.0-beta (2026-01-22)

v0.24.0-beta (2026-01-14)

v0.22.0-beta (2026-01-09)

Future Considerations

Technical Debt

Dependency Upgrade Watch

Vuetify 4 Migration — Watch & Wait