damir
e07292ba44
logout() proper fix: revoke backend + clear ALL session keys
...
Old logout() was demo placeholder:
- only cleared 'app-role' + 'jwt' (NOT pgz_access/refresh/user)
- did NOT call POST /auth/logout to revoke JWT
- redirected to /static/sport2.html (wrong)
New logout() now:
1. POST /auth/logout to revoke JWT server-side
2. Clear ALL keys: pgz_access, pgz_refresh, pgz_user, app-role, jwt, access_token, refresh_token, pgz_session_id (both localStorage + sessionStorage)
3. Redirect to /login
Verified by Playwright E2E: token absent after logout.
2026-05-05 09:24:12 +02:00
damir
a0fb328029
Playwright E2E: better logout selector chain + JS fallback
...
Test now tries (in order):
1. .sb-foot .lo (topbar logout in sidebar foot)
2. .lo (any logout class)
3. #pgz-menu-logout (sidebar.js menu link)
4. a/button :has-text('Odjava')
5. JS fallback: window.logout() or PGZSidebar.logout()
Also: dialog handler accepts confirm() automatically.
2026-05-05 09:23:13 +02:00
damir
dd2f7daaf8
CRISIS V3: definitive apiAuth + mobile hamburger + Playwright E2E test
...
apiAuth in app.html:
- Pre-checks JWT exp client-side BEFORE making request
- On expired: clears localStorage + redirects /login?reason=expired
- On 401 from server: clears + redirects /login?reason=unauthorized
- Single-flight redirect via window.__pgz_redirecting flag
login.html:
- Toast for ?reason=expired (red) / ?reason=unauthorized (orange)
app.html mobile:
- Hamburger button injected into topbar (.tb)
- Mobile CSS: sidebar slide-in -280→0, backdrop overlay, full-width drill-down
- toggleMobileSidebar() global function
- @media (max-width:768px) display:inline-flex, sidebar fixed pos
scripts/playwright_e2e.py:
- Desktop test (1280x800): login, JWT persist, profile, logo, logout
- Mobile test (375x812 iPhone X): viewport, login flow, hamburger, no h-scroll
- Output: _audit/playwright_<TS>/results.json + screenshots/*.png
Reproducible: TS=YYYYmmdd_HHMM python3 scripts/playwright_e2e.py
2026-05-05 09:21:39 +02:00
damir
8e136351f9
CRISIS FIX: login flow + mobile responsive + token expiry handling
...
ROOT CAUSE ISOLATED:
Backend POST /api/auth/login, GET/PUT /api/auth/me, POST avatar, POST /logout
all return 200 OK (verified curl). Damirov problem is browser-side:
stale localStorage tokens that don't match current backend → 401 cascade
→ avatar upload appears as 'failed: 401' → profile changes 'lost'.
FIXES:
1. apiAuth() in app.html now:
- Pre-checks JWT exp claim before request
- On 401 response: clears localStorage (pgz_access/refresh/user) +
redirects to /login?reason=unauthorized
- On JWT expired: redirects to /login?reason=expired
2. login.html displays toast for ?reason=expired/unauthorized
3. Mobile responsive CSS (max-width: 768px):
- app.html: hamburger menu, sidebar slide-in, full-width drill-down panel
- sport2.html: KPI grid 2-col, klubovi 1-col, tables horizontal scroll
- Both: viewport meta + media queries + touch-friendly buttons
4. Mobile menu toggle button + backdrop overlay added
VERIFIED E2E (curl):
- POST /auth/login → 200 + JWT
- GET /auth/me → 200 + telefon persisted
- PUT /auth/me → 200, DB row updated
- POST /auth/me/avatar → 200, file saved + avatar_url returned
- POST /auth/logout → 200, token revoked (next /me returns 401)
2026-05-05 09:14:46 +02:00
31e0374465
Dashboard top primatelji wired to live endpoint (default 2025, year filter)
...
- Frontend (sport2.html): refreshDashNositelji() koristi /api/dashboard/top-primatelji
umjesto /v2/potpore/by-year (koji je za 2025 vraćao samo 1 agregirani redak).
Dropdown proširen na "Sve godine" + 2021..2026. Dodana kolona "Platitelj".
- Backend (pgz_sport_api.py): top-primatelji endpoint sada parsira napomena
'doc_id=N' i JOIN-a pgz_sport.dokumenti za pdf_url; godina<=0 → sve godine;
dodane kolone vrsta + pdf_url + doc_title.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-05 09:11:47 +02:00
49ac2c0dc8
Data integrity sweep: clanovi clean — 3 HNS dups merged, 1 trim normalized, 4 constraints active
...
Subagent A: merged 3 HNS profile/roster duplicate pairs (3243 → 3240 rows).
Authoritative auths preferred /igraci/ source_url over /klubovi/ roster scrape.
Manuel Boras Mandić (id=481) reconciled — pozicija=Vratar, hns_igrac_id=436387.
Subagent B: 1 trim auto-applied (id=634); 4 ALL CAPS held for manual review.
Subagent C: 0 strict cross-klub transfers; 56 soft groups in review queue.
Subagent D: 4 constraints applied (no_camelcase, trimmed, hns_uniq partial, normalize trigger);
2 skipped (length>=2 — 22 historical violators; klub+name+dob unique — 68 NULL-DOB groups).
Backup: pgz_sport.clanovi_backup_20260505_0836 (3243 rows untouched).
Audit: 5 sys_audit rows (3 PURGE, 1 NORMALIZE, 1 C_DETECTION_RUN).
Smoke: 5/5 endpoints 200; HNK Lovran 31 → 30 clanovi confirmed.
Full report: _audit/data_integrity_20260505_0836/CONSOLIDATED.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-05 09:08:35 +02:00
damir
4e4d69c04a
DI exec: applied CC-DI Subagent A+B SQL — 3245 clanovi, Manuel Boras merged
2026-05-05 09:04:14 +02:00
damir
e7102c720d
Dashboard top-primatelji: psycopg2 LIKE escape fix (%% in CASE WHEN)
...
CASE WHEN ... ILIKE '%X%' patterns conflicted with %s param placeholder.
Escaped to %%X%%. Endpoint now returns 200 with full klubovi list +
inferred davatelj_naziv (RSS / Županijski / Grad Rijeka / fallback).
2026-05-05 09:01:25 +02:00
damir
b95b2e8423
BIG FIX: profile save + sport classification + KUD separation
...
1) auth/auth_v2.py — update_me bug fix:
PUT /auth/me return value was 'return me(user)' but me() is a
FastAPI route handler, not callable directly. Replaced with explicit
re-fetch returning correct JSON shape. Profile changes now persist
in UI after save.
2) DB: HNK Goranin Delnice (id 782) sport='skijanje' → 'nogomet'
+ napomena cross-contamination cleaned (id 782, 192, 347, 2280)
+ general rule: NK/HNK/Nogometni klub → nogomet
+ RK/Rukometni klub → rukomet
+ OK/Odbojkaški klub → odbojka
3) DB: KUD/folklorne/lovačke/vatrogasne udruge marked as
sport='kulturno-umjetnicko' + razina='NE-sportsko' so frontend
can filter them out of sportski savezi list
4) Backup: pgz_sport.klubovi_backup_20260505_0857
Verified: PUT /auth/me with damir@pgz.hr persists telefon change to DB
and returns fresh data
2026-05-05 08:57:09 +02:00
7adcec3309
CC1: 3-subagent deep audit — Frontend / API gap / DB integrity
...
Reports in _audit/:
audit_FRONTEND_COVERAGE.md — SA-1 (Explore): 9 HTML files, 0 orphan handlers (clean)
audit_API_GAP.md — SA-2 (Explore): 356 backend routes vs 54 frontend paths
23 missing routes / 39 call sites
audit_DB_INTEGRITY.md — SA-3 (general-purpose): 8 SQL probes, FKs/NULLs clean,
48 dup-OIB clusters, 518 low-cov klubovi
audit_CONSOLIDATED.md — top 10 critical with owner matrix (cc1/cc4/cc5/cc6)
Headlines:
Frontend: clean (post-R3 refactors landed)
API gap: CRM module systemic — 16 of 23 missing routes need /crm prefix in crm.html
6 missing routes are trailing-slash bugs in crm.html
DB: 48 OIB dup clusters in klubovi (~100 rows) need merge+unique-index
518/2244 klubovi (23%) <33% coverage → enrichment_worker target list
14 scoreboard-string klubovi rows (RK ... HRL Zapad od X) → DELETE
~30 backup tables (~97k rows) cluttering pgz_sport schema
Owner allocation:
cc1 → #6 backup-table archival, #8 verify, #9 sportas trailing-slash
cc4 → #1 OIB dedup script, #4 scoreboard DELETE, #10 schema CHECKs
cc5 → #2 /crm prefix sweep on crm.html, #3 trailing-slash sweep, #7 notif endpoint
cc6 → #5 enrichment_worker batch on filled<4 klubovi
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-05 08:29:04 +02:00
3e5b98a935
CC4: 3-subagent backend hardening done + CRM audit_log fix
...
Sub1 (commit eb1b49fnoreply@anthropic.com >
2026-05-05 08:28:49 +02:00
eb1b49f0db
CC4 sub1: add missing v2 listing/discovery endpoints + fix kategorizirani SQL
...
- GET /api/v2/klubovi (v2 alias for /api/klubovi listing)
- GET /api/v2/savezi (v2 alias for /api/savezi listing)
- GET /api/v2/sport[/] (namespace discovery index)
- FIX /api/v2/kategorizirani/list (column alias used in WHERE -> 500 -> 200)
Source audit: _audit/audit_20260505_023639/errors.json
Smoke (anon+auth+public): 200 OK on all five endpoints.
Backup: _backups/r3_cc4/pgz_sport_v2_router.py.bak.1777962063
2026-05-05 08:23:28 +02:00
damir
4fc8327789
R7+ orchestrator + CC3 logo home: combined patches
...
Orchestrator-side:
- routers/img_proxy_router.py: 4xx/5xx → 1x1 transparent PNG (eliminates cascade <img onerror>)
- static/sport2.html: removed standalone three.min.js (3d-force-graph bundles), bumped to 1.73.4
CC3 (before limit hit):
- Logo home link applied to ALL HTML pages (admin.html, admin_users.html, audit.html, crm.html, erp.html, kpi.html, login.html)
- Backups in _backups/*.cc3_pre_logo.$ts
CC4 R3 (before plan mode):
- _backups/r3_cc4/ocr.py.pre_S2.$ts
Audit screenshots (80 pages) committed to _audit/audit_20260505_023639/shots/
2026-05-05 08:20:07 +02:00
662f448590
CC1: Playwright audit 20260505_023639 — 57 errors across 80 pages
...
Outputs in _audit/audit_20260505_023639/:
ERROR_REPORT.md — markdown grouped by category & page
errors.json — structured 57 findings
shots/ — 80 full-page PNG screenshots (ignored by git)
run.log — verbose trace
Sweep: 10 anonymous public URLs + 3 demo accounts (pgz_admin, savez_admin,
klub_admin) × 22 sidebar sections each (PORTAL/OPERATIVA/CRM/ERP/ANALITIKA;
ADMIN only for pgz_admin).
Categories:
console_error 29
console_warning 16
http_4xx_5xx 8
page_error 3
empty_page 1
Hot spots (top 20 in flag file):
ANALITIKA/an_mreza — 8 errors per role × 3 roles = 24 total (CDN/init issue)
anon/public/erp — 3
PORTAL/portal_dashboard, portal_sportasi, CRM/crm_clanarine,
ANALITIKA/an_financije — 2 errors per role × 3 = stable across roles
Flag: _audit/CC1_DONE_20260505_023639.flag with summary YAML for cc2-6 to consume.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-05 08:05:18 +02:00
damir
Damir Radulić