v1.31.0 - Auth Bypass Architecture & UI Fixes

v1.31.0 - Auth Bypass Architecture & UI Fixes

Release Date: 2026-04-09
PR: #199
Issue: #200 (created for image restoration)

🔒 Architecture Improvements

Environment-Based Auth Bypass

Refactored authentication bypass from container-baked configuration to environment-file based injection:

• Development: Auth bypass enabled via ~/.rotv/environment when running ./run.sh start (localhost only)
• Testing: Normal authentication used in ./run.sh test to validate auth endpoints properly
• Production: Container is now production-ready with no hardcoded test configuration
• CI: Auth bypass injected via environment variables in GitHub Actions test workflow

This separation ensures:

• Production containers never have test credentials baked in
• Tests can properly validate authentication and authorization
• Development experience remains smooth with automatic auth bypass
• Self-healing initialization script (rotv-init.sh) still works correctly

🐛 Bug Fixes

POI Edit White Screen Crash

Fixed critical bug where clicking "Edit" on any POI caused a white screen crash due to missing showImage prop in the EditView component.

PostGIS RHEL 10 Dependency Regression

Added graceful fallback for PostGIS installation failures on RHEL 10 due to missing libboost_serialization.so.1.83.0 (regression introduced to RHEL 10 repos after 2026-04-05). Container build now continues with PostgreSQL-only if PostGIS dependencies are unavailable.

Test Isolation

Fixed serperService unit tests that were calling real Serper API instead of mocks. Properly configured vi.mock('node-fetch') to ensure test isolation.

🛠️ Technical Details

• Removed getGeographicContext as standalone export (inlined into searchNewsUrls to eliminate Gourmand single-use helper violation)
• Cleaned up verbose comments and test file structure per code quality standards
• Fixed syntax errors introduced during comment removal (stray semicolons)

📊 Implementation Stats

• 10 commits on feature branch
• 5 files changed: run.sh, systemd service file, Containerfile, serperService.js, test files
• Multiple CI iterations to resolve Gourmand violations and test failures
• 259 tests passing (7 pre-existing flaky tests remain)

🔄 Deployment Instructions

Container already built and pushed to quay.io/crunchtools/rotv:latest

On lotor (production):

podman pull quay.io/crunchtools/rotv:latest
systemctl restart rootsofthevalley.org
curl https://rootsofthevalley.org/api/health

🙏 Acknowledgments

• Claude Opus 4.6 - Implementation and CI troubleshooting
• Gourmand - Code quality enforcement (verbose comments, single-use helpers)

---

Full Changelog: v1.30.1...v1.31.0

v1.30.0 - Multi-Image POI Support

v1.30.0 - Multi-Image POI Support

Release Date: 2026-04-04
Issue: #181
PR: #182

🎉 Major Features

Multi-Image POI Support

Points of Interest now support multiple images, videos, and YouTube embeds with a beautiful Facebook-style mosaic display and full-screen lightbox viewer.

What's New:

• 📸 Multiple media per POI - Upload images, videos, or YouTube links
• 🖼️ Mosaic display - Shows primary image + 2 most liked in compact layout
• 🔍 Lightbox viewer - Full-screen media viewer with keyboard navigation (←/→ arrows, ESC)
• 👥 User submissions - Community members can submit media for any POI
• ✅ Moderation workflow - Admin approval queue for user-submitted content
• ❤️ Like system - Users can like media to influence mosaic display

Admin Features

• Moderation dashboard - Review pending media submissions
• Role management - Set primary image, approve/reject submissions
• Bulk operations - Manage multiple submissions efficiently

🔒 Security Enhancements

• Rate limiting - 100 requests per 15 minutes per IP on asset proxy endpoints
• SSRF protection - Asset ID validation prevents server-side request forgery
• Path traversal prevention - Filename sanitization blocks directory attacks
• Race condition prevention - Unique constraint ensures only one primary image

⚡ Performance Improvements

• In-memory caching - Mosaic data cached for 5 minutes with automatic invalidation
• Database indexes - Optimized queries for moderation queue and media retrieval
• Streaming proxy - Efficient asset delivery from image server

🗄️ Database Changes

Migration 015 - Core multi-image support

• New poi_media table with support for images, videos, YouTube embeds
• Indexes for performance (poi_id, role, moderation_status, likes)
• Moderation workflow states (pending, published, auto_approved, rejected)

Migration 016 - Data integrity constraints

• CHECK constraint for moderation_status enum
• FK ON DELETE SET NULL for user references
• Caption length constraint (200 chars max)
• Moderation queue index for performance

📊 Implementation Stats

• 35 commits (21 MVP + 10 optimizations + 4 quality fixes)
• 33 files changed (+7,807 lines, -41 lines)
• 15 new integration tests (all passing)
• Zero regressions (237/237 tests passing)

🛠️ Technical Details

Backend:

• New API endpoints: /api/pois/:id/media, /api/admin/moderation/media
• Asset proxy: /api/assets/:assetId/thumbnail, /api/assets/:assetId/original
• Rate limiting via express-rate-limit
• In-memory caching with auto-invalidation

Frontend:

• New React components: Mosaic, Lightbox, MediaUploadModal
• Keyboard navigation support (←/→/ESC)
• Responsive mosaic layouts (1-3 images)
• Admin moderation interface

Quality:

• Gourmand code quality compliance
• Gemini 2.5 Pro security review (9/10 issues resolved)
• Comprehensive integration test suite

🐛 Bug Fixes

• OAuth graceful degradation - Returns 501 instead of crashing when OAuth not configured
• Improved error handling - Asset proxy returns proper HTTP status codes (404, 503)

📚 Documentation

• Complete specification in .specify/specs/004-multi-image-poi/
• Implementation plan and journey documentation
• Gemini security review findings and resolutions
• Localhost testing validation report

🔄 Upgrade Instructions

Automatic Migrations:
Both migrations are applied automatically on container startup.

Manual Migration (if needed):

podman exec rootsofthevalley.org psql -U postgres -d rotv -f /app/migrations/015_add_poi_media.sql
podman exec rootsofthevalley.org psql -U postgres -d rotv -f /app/migrations/016_fix_poi_media_constraints.sql

🙏 Acknowledgments

• Code Review: Gemini 2.5 Pro, Gatehouse AI
• Implementation: Claude Sonnet 4.5
• Product Owner: Scott McCarty (@fatherlinux)

---

Full Changelog: v1.29.2...v1.30.0