- Add token refresh logic in Auth.js JWT callback with 60s expiry buffer
- Fix JWKS cache thundering herd with Mutex + double-checked locking
- Make trustHost conditional (dev-only) via SvelteKit's $app/environment
- Make devMode conditional on ZITADEL_PRODUCTION env var in setup script
- Replace fragile grep/cut JSON parsing with jq in setup-zitadel.sh
- Add OIDC_GRANT_TYPE_REFRESH_TOKEN to Zitadel OIDC app grant types
- Update TODO_SECURITY.md: mark resolved items, add RefreshAccessTokenError frontend handling

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

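The first bullet of this commit describes refreshing the access token inside the Auth.js `jwt` callback with a 60-second buffer, and the last bullet names the `RefreshAccessTokenError` flag the frontend handles. The following is an added illustration of that logic, not the project's code: `refreshAccessToken` is a hypothetical injected function standing in for the call to the OIDC token endpoint, the token field names are assumptions, and `account.expires_at` is treated as seconds (as Auth.js reports it from the provider).

```javascript
// Added example (not the project's code): an Auth.js-style `jwt` callback that
// refreshes the access token shortly before it expires, and marks the session
// with an error flag when the refresh fails so the UI can force a new sign-in.

const EXPIRY_BUFFER_MS = 60_000; // refresh 60s before the recorded expiry

// Decide whether a token should be refreshed now. `expiresAt` is epoch ms.
function needsRefresh(expiresAt, now = Date.now()) {
  return now >= expiresAt - EXPIRY_BUFFER_MS;
}

// `refreshAccessToken(refreshToken)` is a hypothetical helper that performs the
// refresh_token grant and resolves to the token-endpoint JSON
// ({ access_token, expires_in, refresh_token? }). It is injected so the
// callback can be exercised without network access.
async function jwtCallback({ token, account }, refreshAccessToken, now = Date.now()) {
  // Initial sign-in: Auth.js passes the OAuth `account`; copy the tokens over.
  if (account) {
    return {
      ...token,
      accessToken: account.access_token,
      refreshToken: account.refresh_token,
      idToken: account.id_token, // kept for federated logout (id_token_hint)
      expiresAt: account.expires_at * 1000, // assumption: provider reports seconds
    };
  }
  // Subsequent calls: hand back the token untouched while it is still fresh.
  if (!needsRefresh(token.expiresAt, now)) return token;
  try {
    const r = await refreshAccessToken(token.refreshToken);
    return {
      ...token,
      accessToken: r.access_token,
      // Providers may rotate refresh tokens; fall back to the old one otherwise.
      refreshToken: r.refresh_token ?? token.refreshToken,
      expiresAt: now + r.expires_in * 1000,
      error: undefined,
    };
  } catch {
    // Keep the session but flag it; the frontend reacts to this value.
    return { ...token, error: "RefreshAccessTokenError" };
  }
}
```

The buffer matters because a token that is valid when the callback runs can expire during the request it is about to authorise; refreshing 60 seconds early avoids that race at the cost of one slightly earlier round trip.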
- Add federated logout endpoint that clears Auth.js session AND ends
  Zitadel SSO session via OIDC end_session endpoint
- Move sign-in page from /auth/signin to /login to avoid Auth.js
  route conflict causing ERR_TOO_MANY_REDIRECTS
- Add callbackUrl to all signIn calls so users land on /dashboard
- Store id_token in session for federated logout id_token_hint
- Fix Zitadel healthcheck using binary ready command (no curl needed)
- Update post_logout_redirect_uri in setup script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add setup-zitadel.sh: idempotent script that creates PVM project
  and OIDC app via Zitadel Management API using machine user PAT
- Add machine user + PAT auto-generation to docker-compose via
  FIRSTINSTANCE env vars with bind-mounted machinekey directory
- Add SMTP configuration for email sending (verification, password reset)
- Fix JWT algorithm confusion attack: restrict to RS256/384/512 only
- Add docs/TODO_SECURITY.md tracking review findings
- Update .env.example files with correct local dev URLs
- Add docker/machinekey/ to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Switch image to ghcr.io/zitadel/zitadel:latest (v4.x)
- Disable login v2 (LOGINV2_REQUIRED: false) to use built-in login v1
- Add curl-based healthcheck for reliable container readiness

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Demoscene vibes with block letters and shade borders.
Because every project deserves a proper .nfo.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The previous placeholder was 33 chars. Use a proper 32-char
placeholder and note the constraint in the example.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Swapped the non-existing logo SVG and badge soup for a light-hearted
ASCII card table with poker suits. Added "No rake required." tagline.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Comprehensive evaluation of 11 auth frameworks for PVM's
split-brain architecture. Recommends self-hosted Zitadel v3
for its Rust crate, OIDC JWKS for offline JWT validation on
RPi5 nodes, and zero-cost self-hosting on existing Hetzner PVE.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Resolve all open questions from tech stack review:
- Self-hosted on Hetzner PVE (LXC + Docker)
- Event-based sync via NATS JetStream
- Generic display system with Android client (no Cast SDK dep)
- Docker-based RPi5 provisioning
- No money handling, 72h offline limit, REST + OpenAPI
- PVM signup-first for player accounts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1,190-line research covering all 18 technology areas for PVM:
Rust/Axum backend, SvelteKit frontend, Postgres + libSQL databases,
NATS + JetStream messaging, DragonflyDB caching, and more.
Includes recommended stack summary and open questions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Establish PVM (Poker Venue Manager) project with product vision
document covering all feature domains and a clean README with
project overview.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>