Skip to content

Prepare MyCastle MVP for production delivery#10

Open
jojopeligroso wants to merge 3 commits intomainfrom
claude/mycastle-mvp-delivery-011CUz5jxCuoMbBWjiUSYkqT
Open

Prepare MyCastle MVP for production delivery#10
jojopeligroso wants to merge 3 commits intomainfrom
claude/mycastle-mvp-delivery-011CUz5jxCuoMbBWjiUSYkqT

Conversation

@jojopeligroso
Copy link
Owner

@jojopeligroso jojopeligroso commented Nov 10, 2025

This commit addresses all 12 tasks required for MyCastle MVP production readiness:

  1. Replace root landing with MyCastle MVP shell

    • Created branded landing page with auto-redirect for authenticated users
    • Added feature highlights and clear call-to-action buttons

  2. Implement functioning Supabase sign-out flow

    • Added /api/auth/signout route with proper session cleanup
    • Redirects to login page after sign-out

  3. Normalize Supabase user metadata for APIs

    • Created getNormalizedUser() helper to properly extract role and tenant_id
    • Updated all API routes to use normalized user data
    • Fixed authorization checks across attendance, timetable, and lesson APIs

  4. Enforce tenant scoping on attendance mutations

    • Updated all attendance endpoints to use normalized tenant_id
    • Removed direct access to undefined user.tenant_id property

  5. Remove default-tenant fallback in lesson generation

    • Changed to requireTenant() which throws error if no tenant context
    • Removed 'default-tenant' fallback that violated isolation

  6. Harden OpenAI client configuration

    • Added validation to throw error if OPENAI_API_KEY is not set
    • Removed insecure 'test-key' fallback

  7. Validate Supabase configuration and narrow middleware scope

    • Added environment variable validation in middleware and server client
    • Scoped middleware to only run on protected routes (/dashboard, /teacher, /admin, /student, /api)
    • Excluded public routes (/, /login) and static assets

  8. Persist MCP host sessions

    • Added session cleanup mechanism to prevent memory leaks
    • Documented in-memory limitation with production recommendations
    • Added automatic cleanup every 5 minutes and graceful shutdown

  9. Feed AttendanceRegister with teacher classes

    • Created /api/teacher/classes endpoint to fetch teacher's classes
    • Updated AttendanceRegister component to fetch classes on mount
    • Removed TODO placeholder

  10. Backfill timetable data pipeline

    • Created seed-timetable.ts script to generate sample session data
    • Added npm script: npm run seed:timetable
    • Generates 4 weeks of sessions for all active classes

  11. Align dependencies with supported releases

    • Downgraded Next.js from 16.0.1 to 15.1.6 (stable)
    • Downgraded React from 19.2.0 to 18.3.1 (stable)
    • Downgraded Tailwind from v4 to 3.4.17 (stable)
    • Downgraded Zod from v4 to 3.24.1 (stable)
    • Updated Tailwind config and CSS to v3 syntax

  12. Scope middleware to protected routes only

    • Updated middleware matcher to only run on authenticated routes
    • Prevents unnecessary Supabase calls for static assets and public pages

Breaking Changes:

  • Removed default-tenant fallback (will now throw error if tenant is missing)
  • Removed test-key fallback for OpenAI (will now throw error if not configured)
  • Dependencies downgraded to stable versions (may require npm install)

Migration Notes:

  • Run npm install to install updated dependencies
  • Ensure OPENAI_API_KEY is configured in environment
  • Ensure all users have tenant_id in app_metadata or user_metadata
  • Run npm run seed:timetable to populate timetable with sample data

@claude
feat: Complete MyCastle MVP delivery with 12 critical fixes
b8611d8 
This commit addresses all 12 tasks required for MyCastle MVP production readiness:

1. **Replace root landing with MyCastle MVP shell**
   - Created branded landing page with auto-redirect for authenticated users
   - Added feature highlights and clear call-to-action buttons

2. **Implement functioning Supabase sign-out flow**
   - Added /api/auth/signout route with proper session cleanup
   - Redirects to login page after sign-out

3. **Normalize Supabase user metadata for APIs**
   - Created getNormalizedUser() helper to properly extract role and tenant_id
   - Updated all API routes to use normalized user data
   - Fixed authorization checks across attendance, timetable, and lesson APIs

4. **Enforce tenant scoping on attendance mutations**
   - Updated all attendance endpoints to use normalized tenant_id
   - Removed direct access to undefined user.tenant_id property

5. **Remove default-tenant fallback in lesson generation**
   - Changed to requireTenant() which throws error if no tenant context
   - Removed 'default-tenant' fallback that violated isolation

6. **Harden OpenAI client configuration**
   - Added validation to throw error if OPENAI_API_KEY is not set
   - Removed insecure 'test-key' fallback

7. **Validate Supabase configuration and narrow middleware scope**
   - Added environment variable validation in middleware and server client
   - Scoped middleware to only run on protected routes (/dashboard, /teacher, /admin, /student, /api)
   - Excluded public routes (/, /login) and static assets

8. **Persist MCP host sessions**
   - Added session cleanup mechanism to prevent memory leaks
   - Documented in-memory limitation with production recommendations
   - Added automatic cleanup every 5 minutes and graceful shutdown

9. **Feed AttendanceRegister with teacher classes**
   - Created /api/teacher/classes endpoint to fetch teacher's classes
   - Updated AttendanceRegister component to fetch classes on mount
   - Removed TODO placeholder

10. **Backfill timetable data pipeline**
    - Created seed-timetable.ts script to generate sample session data
    - Added npm script: npm run seed:timetable
    - Generates 4 weeks of sessions for all active classes

11. **Align dependencies with supported releases**
    - Downgraded Next.js from 16.0.1 to 15.1.6 (stable)
    - Downgraded React from 19.2.0 to 18.3.1 (stable)
    - Downgraded Tailwind from v4 to 3.4.17 (stable)
    - Downgraded Zod from v4 to 3.24.1 (stable)
    - Updated Tailwind config and CSS to v3 syntax

12. **Scope middleware to protected routes only**
    - Updated middleware matcher to only run on authenticated routes
    - Prevents unnecessary Supabase calls for static assets and public pages

Breaking Changes:
- Removed default-tenant fallback (will now throw error if tenant is missing)
- Removed test-key fallback for OpenAI (will now throw error if not configured)
- Dependencies downgraded to stable versions (may require npm install)

Migration Notes:
- Run `npm install` to install updated dependencies
- Ensure OPENAI_API_KEY is configured in environment
- Ensure all users have tenant_id in app_metadata or user_metadata
- Run `npm run seed:timetable` to populate timetable with sample data
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Nov 10, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

app/src/app/api/auth/signout/route.ts Outdated
Comment on lines +28 to +29
// Redirect to login page after successful sign-out
return NextResponse.redirect(new URL('/login', request.url));
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Redirect replays POST and breaks sign-out

The sign-out route redirects with NextResponse.redirect(new URL('/login', request.url)), which defaults to HTTP 307. A 307 redirect preserves the original method, so submitting the <form method="post"> causes the browser to POST to /login. Because /login only supports GET, users will hit a 405 error instead of being redirected to the login page and the logout flow appears broken. Use a 303 (or 302) status when redirecting after a POST so the browser follows the redirect with a GET.

Useful? React with 👍 / 👎.

@jojopeligroso
Copy link
Owner Author

jojopeligroso commented Nov 11, 2025

make sure to update supabase with an admin before pulling

jojopeligroso added a commit that referenced this pull request Mar 3, 2026
@jojopeligroso @claude
feat(profile): add LLM Tutor Architecture Hooks (Task #10)
980589f 
STUDENT PROFILE FEATURE 100% COMPLETE (23/23 tasks)

- Add AI Tutor tab to StudentProfilePage with "Coming Soon" UI
- Create /api/student/tutor-context endpoint for LLM prompt construction
- Create spec/STUDENT_MCP_SPEC.md with 10 tool signatures
- Return profile, class, progress, assessments, vocabulary, objectives

Files added:
- app/src/app/api/student/tutor-context/route.ts
- spec/STUDENT_MCP_SPEC.md

Updated STATUS.md and STUDENT_PROFILE_ROADMAP.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jojopeligroso @claude