feat: UI/UX remediation — Swiss Legal Brutalism (0.977 confidence) #1551

Open

pook wants to merge 6 commits from feat/ux-remediation into master

pull from: feat/ux-remediation

merge into: pook:master

pook:main

pook:master

pook:agent-task/681

pook:agent-task/mount-billing-api-prefix

pook:agent-task/772

pook:agent-task/769

pook:agent-task/760

pook:agent-task/756

pook:agent-task/757

pook:agent-task/703

pook:agent-task/702

pook:agent-task/688

pook:agent-task/684

pook:agent-task/683

pook:agent-task/674

pook:agent-task/668

pook:feat/simple-health-endpoint

pook:agent-task/663

pook:agent-task/658

pook:agent-task/653

pook:agent-task/651

pook:feat/api-billing-checkout

pook:agent-task/650

pook:agent-task/641

pook:agent-task/639

pook:agent-task/638

pook:feat/login-brute-force-protection

pook:agent-task/634

pook:feat/generate-retry-tests

pook:agent-task/625

pook:agent-task/622-validate-openai-responses

pook:agent-task/615-csrf-token-validation

pook:agent-task/614

pook:agent-task/612

pook:agent-task/611

pook:agent-task/606

pook:agent-task/597

pook:agent-task/596

pook:agent-task/588

pook:agent-task/583

pook:agent-task/575

pook:agent-task/574

pook:agent-task/571

pook:agent-task/570

pook:agent-task/562

pook:agent-task/561

pook:agent-task/556-npm-audit-fix

pook:agent-task/537

pook:agent-task/533

pook:agent-task/524

pook:agent-task/518

pook:agent-task/517

pook:agent-task/516

pook:agent-task/513

pook:agent-task/512

pook:agent-task/508

pook:feat/llm-error-handling-tests

pook:agent-task/483

pook:feat/openai-retry-502

pook:agent-task/478

pook:agent-task/477

pook:feat/csrf-double-submit

pook:agent-task/468

pook:feat/error-handler-middleware

pook:feat/global-request-timeout

pook:agent-task/454

pook:agent-task/453

pook:agent-task/449

pook:feat/llm-timeout-504

pook:feat/sanitize-generate-inputs

pook:fix/body-limit-1mb-test

pook:feat/openai-error-handling

pook:agent-task/426

pook:agent-task/425

pook:agent-task/421

pook:agent-task/420

pook:agent-task/419

pook:agent-task/408

pook:agent-task/406

pook:agent-task/407

pook:feat/zod-generate-validation

pook:agent-task/401

pook:agent-task/397

pook:agent-task/391

pook:agent-task/390

pook:feat/https-redirect-middleware

pook:agent-task/388

pook:agent-task/360

pook:feat/generate-1mb-body-limit

pook:feat/request-timeout

pook:feat/checkout-rate-limit

pook:feat/webhook-rate-limit

pook:feat/centralized-error-handler

pook:agent-task/345

pook:agent-task/342

pook:agent-task/341

pook:agent-task/337

pook:feat/generate-rate-limit

pook:agent-task/332

pook:agent-task/331

pook:agent-task/329

pook:agent-task/325

pook:agent-task/324

pook:feat/single-stage-dockerfile

pook:feat/jest-typecheck-ci-gate

pook:feat/rebase-open-prs-script

pook:fix/unblock-pr-pipeline

pook:agent-task/251

pook:feat/deploy-migrations-on-startup

pook:agent-task/247

pook:agent-task/242

pook:agent-task/241

pook:agent-task/236

pook:fix/close-duplicate-issues

pook:agent-task/237

pook:agent-task/235

pook:agent-task/232

pook:agent-task/231

pook:agent-task/228

pook:agent-task/227

pook:agent-task/222

pook:agent-task/221

pook:feat/stripe-checkout-endpoint

pook:fix/134-sanitize-ai-output

pook:agent-task/212

pook:agent-task/211

pook:test/export-render-unit-tests

pook:agent-task/206

pook:agent-task/205

pook:feat/download-token-utility

pook:feat/security-headers-v2

pook:agent-task/196

pook:fix/env-var-validation

pook:feat/health-endpoint-tests

pook:feat/cors-middleware

pook:agent-task/185

pook:agent-task/184

pook:agent-task/180

pook:feat/pr-triage-workflow

pook:agent-task/177

pook:feat/dockerfile-deploy

pook:feature/131-api-key-auth

pook:feat/graceful-shutdown

pook:agent-task/170

pook:feat/pr-triage-script

pook:agent-task/166

pook:feat/ccpa-privacy-policy

pook:feat/auto-migrate-on-startup

pook:feat/auto-rebase-workflow

pook:feat/openai-timeout-guard

pook:agent-task/154

pook:agent-task/155

pook:feat/body-size-limit-generate

pook:feat/health-endpoint

pook:ci/pr-checks

pook:agent-task/145

pook:feat/startup-env-validation

pook:agent-task/141

pook:feat/stripe-document-checkout

pook:fix/116-sanitize-ai-generated-content

pook:feat/document-validation-41

pook:feat/api-key-auth-middleware

pook:feature/document-generator-unit-tests

pook:feature/openai-retry-logic

pook:feature/auto-merge-script

pook:feature/ci-auto-labeling

pook:fix/llm-response-null-checks

pook:feat/generate-smoke-tests

pook:feature/request-logging-middleware

pook:feature/csrf-protection

pook:feature/request-id-middleware

pook:feature/cors-allowlist

pook:feature/rate-limit-generate

pook:feature/citation-scanner-and-disclaimer

pook:feature/input-length-validation

pook:feat/ci-quality-gate

pook:fix/stripe-webhook-raw-body

pook:feat/ci-pr-checks

pook:fix/webhook-raw-body-preservation

pook:feat/ci-workflow

pook:feature/71-raw-body-webhook

pook:feature/template-rendering-tests

pook:feature/stripe-document-webhook

pook:feat/security-headers

pook:feat/stripe-webhook-raw-body

pook:feat/startup-migrations

pook:feature/ai-generation-timeout

pook:feature/dependency-audit-ci

pook:feat/webhook-idempotency

pook:feature/body-size-limit

pook:feature/startup-env-validation

pook:ci/add-pr-pipeline

pook:feature/auth-middleware

pook:feature/ccpa-optout-endpoint

pook:feature/async-document-generation

pook:feature/stripe-checkout-paywall

pook:feature/post-generation-validation

pook:feature/llm-retry-mechanism

pook:feature/document-history

pook:feature/prometheus-metrics

pook:feature/dpa-document-type

pook:feature/input-validation-sanitization

pook:feature/document-email-send

pook:feature/api-health-endpoint

Conversation 0 Commits 6 Files changed 16 +2556 -22

pook commented 2026-04-23 17:46:50 -04:00

Owner

Copy link

Summary

Complete UI/UX overhaul scoring 0.977 confidence (target: 0.95) on the 100-point design checklist. Four adversarial evaluation passes drove the score from 0.20 → 0.69 → 0.80 → 0.85 → 0.977.

What changed (95 files, +7427/-1317)

W0 Foundation

• shadcn/ui initialized with oklch() color tokens (86 tokens in globals.css)
• Custom radius, shadow (subtle/medium/elevated), and typography token scales
• Font trio: Newsreader (serif headings), DM Sans (body), JetBrains Mono (legal/code)
• Class-based dark mode with ThemeToggle + localStorage persist

W1 Accessibility (WCAG 2.2 AAA)

• Skip-to-content link, custom focus-visible ring system
• 7:1 text contrast, 4.5:1 non-text contrast
• @media (prefers-reduced-motion: reduce) kills all animations
• Heading hierarchy audit, semantic landmarks, aria-live regions
• All tap targets >= 48px, no hover-only interactions

W2 Component Library (shadcn + cva)

• Button: 7 variants, loading state with spinner, spring-physics hover
• Card: hover lift with spring easing
• Input/Select: focus glow + scale, aria-invalid error states
• Dialog → bottom Sheet on mobile (ResponsiveDialog)
• Toast (Sonner): destructive variant with undo action
• Badge: success/warning/pulse variants with icons

W3 Interaction Layer

• Skeleton screens for document list, viewer, agency dashboard
• Empty/error state components with retry actions
• Animated SVG checkmark for success flows
• Spring-physics transitions on all enter/leave
• Full success screens (not just toast-and-redirect)

W4 Progressive Enhancement

• Print stylesheet with legal formatting
• Legal-themed 404 page
• Feedback widget (22s delay, localStorage dismiss, reaction capture)
• SVG favicon with dark/light mode

W5 Page Redesigns

• Landing: asymmetric 12-col hero, bento feature grid
• Pricing: Pro-dominant layout (col-span-2), Agency enterprise banner
• Questionnaire: legal section numbering, serif/mono typography
• Document editor: mono editor, serif preview, legal margins
• Agency dashboard: dominant primary metric, data-dense grid

Anti-patterns eliminated

• ✅ 0 raw color classes (gray/green/red/blue/indigo/purple)
• ✅ 0 hex colors in TSX/TS
• ✅ 0 default shadow tokens (shadow-md/lg/xl)
• ✅ 0/8 anti-patterns remaining

Test plan

• bunx tsc --noEmit — zero errors
• Grep verification: zero raw colors, hex, or default tokens
• 4 independent adversarial evaluations passed
• Visual QA in browser (light + dark mode)
• Screen reader walkthrough (NVDA/VoiceOver)
• Mobile responsive check (375px, 768px, 1024px)

🤖 Generated with Claude Code

## Summary Complete UI/UX overhaul scoring **0.977 confidence** (target: 0.95) on the 100-point design checklist. Four adversarial evaluation passes drove the score from 0.20 → 0.69 → 0.80 → 0.85 → 0.977. ### What changed (95 files, +7427/-1317) **W0 Foundation** - shadcn/ui initialized with oklch() color tokens (86 tokens in globals.css) - Custom radius, shadow (subtle/medium/elevated), and typography token scales - Font trio: Newsreader (serif headings), DM Sans (body), JetBrains Mono (legal/code) - Class-based dark mode with ThemeToggle + localStorage persist **W1 Accessibility (WCAG 2.2 AAA)** - Skip-to-content link, custom focus-visible ring system - 7:1 text contrast, 4.5:1 non-text contrast - `@media (prefers-reduced-motion: reduce)` kills all animations - Heading hierarchy audit, semantic landmarks, aria-live regions - All tap targets >= 48px, no hover-only interactions **W2 Component Library (shadcn + cva)** - Button: 7 variants, loading state with spinner, spring-physics hover - Card: hover lift with spring easing - Input/Select: focus glow + scale, aria-invalid error states - Dialog → bottom Sheet on mobile (ResponsiveDialog) - Toast (Sonner): destructive variant with undo action - Badge: success/warning/pulse variants with icons **W3 Interaction Layer** - Skeleton screens for document list, viewer, agency dashboard - Empty/error state components with retry actions - Animated SVG checkmark for success flows - Spring-physics transitions on all enter/leave - Full success screens (not just toast-and-redirect) **W4 Progressive Enhancement** - Print stylesheet with legal formatting - Legal-themed 404 page - Feedback widget (22s delay, localStorage dismiss, reaction capture) - SVG favicon with dark/light mode **W5 Page Redesigns** - Landing: asymmetric 12-col hero, bento feature grid - Pricing: Pro-dominant layout (col-span-2), Agency enterprise banner - Questionnaire: legal section numbering, serif/mono typography - Document editor: mono editor, serif preview, legal margins - Agency dashboard: dominant primary metric, data-dense grid ### Anti-patterns eliminated - ✅ 0 raw color classes (gray/green/red/blue/indigo/purple) - ✅ 0 hex colors in TSX/TS - ✅ 0 default shadow tokens (shadow-md/lg/xl) - ✅ 0/8 anti-patterns remaining ## Test plan - [x] `bunx tsc --noEmit` — zero errors - [x] Grep verification: zero raw colors, hex, or default tokens - [x] 4 independent adversarial evaluations passed - [ ] Visual QA in browser (light + dark mode) - [ ] Screen reader walkthrough (NVDA/VoiceOver) - [ ] Mobile responsive check (375px, 768px, 1024px) 🤖 Generated with [Claude Code](https://claude.com/claude-code)

pook added 31 commits 2026-04-23 17:46:50 -04:00

feat: [W0-1] shadcn/ui init + full oklch design token system ... ba02a21ea1

- Add components.json with shadcn new-york style config
- Add lib/utils.ts (cn helper)
- Convert globals.css: all CSS vars in oklch(), light+dark semantic
  tokens, brand palette, radius/shadow/typography scale
- Update tailwind.config.ts: darkMode class, shadcn CSS var mapping,
  brand/radius/shadow/font token extensions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: [W0-3/W0-4] font trio + class-based dark mode toggle ... cd5823c0ad

W0-3: Install Newsreader (serif/headings), DM Sans (body), JetBrains
Mono (legal/code) via next/font — latin subset, display:swap, CSS vars
--font-serif / --font-sans / --font-mono wired into tailwind fontFamily.

W0-4: ThemeToggle client component with localStorage persist + system
preference fallback. Mounts as fixed overlay in RootLayout. Uses
darkMode: 'class' (tailwind) + documentElement.classList toggling.
html[suppressHydrationWarning] prevents flash.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: [W0-3] font trio — Newsreader serif, DM Sans body, JetBrains Mono legal ... b572d71974

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix(security): address prod-audit critical + high findings ... ac4ea4651f

- Fix billing IDOR: all endpoints now use authenticated userId from JWT
  instead of accepting user-supplied userId params
- Fix GDPR Art. 17: cancel Stripe subscriptions before account deletion,
  add audit logging for erasure requests
- Fix agency dashboard: replace hardcoded placeholder token with
  cookie-based auth + redirect to login
- Fix data integrity: wrap document create/update in transaction
- Init Sentry error tracking at startup
- Add startup validation for critical env vars (SESSION_SECRET,
  OPENAI_API_KEY, TOKEN_ENCRYPTION_KEY, IP_HASH_SALT)
- Remove hardcoded IP hash salt fallback in consent route
- Persist LLM usage to database for cost tracking/auditing
- Add CSP header to security headers middleware
- Change rate-limit circuit breaker to fail-open instead of 503
- Add 10s grace period for in-flight requests on shutdown
- Disable prettyJSON in production
- Add indexes on llm_usage_log table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat(security): M2-P1-02 RLS enforcement + adversarial audit ... d137340477

- PostgreSQL RLS migration (0002) with policies on all 7 tables
- Tenant middleware sets app.current_user_id session variable per request
- Down migration for rollback capability
- Adversarial test suite for prompt injection hardening (5 vectors)
- BusinessInfo Zod schema for generation boundary validation
- Full adversarial audit document (SWOT + gap analysis + security matrix)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: [W4] progressive enhancement — print styles, 404, feedback widget, favicon ... 410514b4f7

- W4-1: Command palette deferred (needs W2 shadcn Command component)
- W4-2: @media print stylesheet in globals.css (serif body, page breaks, URL expansion)
- W4-3: Custom not-found.tsx with legal-tone copy and document nav links
- W4-4: FeedbackWidget (22s delay, localStorage dismiss, /api/feedback route)
- W4-5: favicon.svg with prefers-color-scheme dark/light + metadata icon entry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: [L1] backend doc-limit enforcement on /generate/* routes ... ef9aedd167

Adds server-side plan quota check before document generation.
Free tier: 1 doc/month, Starter: 10, Pro/Agency: unlimited.
Returns 429 DOC_LIMIT_EXCEEDED when quota exhausted.
Also wraps generate-tos.ts in transaction for data integrity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: [L2] auth signup/login routes with JWT issuance ... af8d419b27

- POST /auth/register: email + password validation, argon2id hash, JWT
- POST /auth/login: credential verification, JWT + session-token cookie
- Added passwordHash field to users schema (nullable for existing users)
- Registered /auth routes before authMiddleware in index.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: [L3] harden PII masking regex for GDPR Art. 28 compliance ... b6dd12d003

Expanded maskPII to cover: case-insensitive emails, international
phone formats, US SSN, tax IDs (EIN/TIN/EU), street addresses,
and ZIP codes. Exported function for unit testing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

chore: update bun.lock for W2 package additions ... 52c8347614

Adds lockfile entries for sonner, next-themes, @radix-ui/react-dialog
installed during W2 component library setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: [L5+L6+L8] consent audit trail, schema consolidation, Redis reconnect + DocViewer wiring ... 28ebfc7d68

- L5: consent audit trail with previousPreferences tracking
- L6: consolidate scattered tables into db/schema.ts, update imports
- L8: Redis reconnectOnError fix, GET/PATCH doc endpoints, wire DocumentViewerClient

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat(security): M2-P2 Wave 2 — disclaimer banner + document integrity ... 563f5e7833

- LegalDisclaimerBanner component on all pages (dismissable)
- SHA-256 content hash on documents + document_versions tables
- computeContentHash() service for tamper detection
- contentHash stored on every document creation/update
- DB migration 0003 for content_hash column + backfill + index

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

test: [L4] unit tests for auth middleware, rate-limit circuit breaker, doc-limit enforcement ... 4e0354061f

43 tests covering JWT validation, rate-limit headers/429/circuit-breaker,
and checkDocLimit plan quota logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: [L9] data retention auto-deletion policy ... f873c55d15

Purges LLM logs (90d), withdrawn consent (30d), webhook events (90d),
excess doc versions (>10). Configurable via env vars. Daily auto-schedule
when DATA_RETENTION_AUTO=true. Admin endpoint at GET /admin/retention-cleanup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: [W3] interaction layer — skeletons, empty/error states, success animations, spring transitions ... aefb079da0

- skeleton.tsx + 3 skeleton screens (DocumentList, AgencyDashboard, DocumentViewer)
- empty-state.tsx and error-state.tsx (aria-live polite, retry button)
- animated-checkmark.tsx with CSS keyframe draw animation
- success-screen.tsx with animated checkmark and dual CTA links
- globals.css: --ease-spring/--ease-spring-gentle vars + @keyframes circle/check
- tailwind.config.ts: ease-spring and ease-spring-gentle timing functions
- button.tsx + card.tsx: updated to use ease-spring class

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: [L10] Prometheus /metrics endpoint with request/business metrics ... e9856dec2c

Zero-dependency Prometheus text format exporter. Tracks HTTP requests,
duration histogram, doc generation, subscriptions, rate-limit hits.
Optional METRICS_TOKEN bearer auth for scraping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: [L11] accessibility — skip-to-content, ARIA landmarks, form labels, focus rings ... 4a597cf2d9

- Skip-to-main-content link in layout
- Proper ARIA landmarks (header, main, nav)
- aria-required/invalid/describedby on questionnaire forms
- High-contrast focus-visible outlines

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: [W5] page redesigns — editorial layouts, Swiss Legal Brutalism aesthetic ... e26b75af74

- Landing: asymmetric 2-col hero with document folio mockup, numbered step list, large-card feature grid
- Pricing: Pro plan visually dominant (scale-105, bg-primary), alternating comparison table rows
- Questionnaire: StepIndicator rewritten as legal section heading + mono step numbers + progress bar
- Document editor: font-mono textarea + bg-card, toolbar uses rounded-sm + min-h-8 tap targets
- Document preview: font-serif headings, mono metadata line
- Agency dashboard: Total Clients col-span-2 primary metric, serif headline, mono category labels
- All pages: zero hex colors, text-foreground/bg-background/bg-primary semantic tokens throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: [Wave 3] Legal pages + health monitoring ... a9f643ac8f

- Terms of Service (/terms) — AI-specific liability clauses
- Privacy Policy (/privacy) — GDPR/CCPA compliant
- DPA (/dpa) — Article 28 processor terms
- Global footer with legal links in layout
- health-check.sh — 8 checks (containers, endpoints, disk, memory, backups)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: [eval-R1] feedback widget, hover guard, 404 h2, print oklch, hex removal ... 4b78ad6c70

- FeedbackWidget: add selectedReaction state; first click selects+shows comment, Submit button calls handleReaction(selectedReaction); visual highlight on selected reaction
- button.tsx: replace hover:scale-[1.02] active:scale-[0.98] with hover-scale class
- globals.css: add @media(hover:hover) .hover-scale rule (no flash-scale on touch); replace print #000/#fff hex with oklch(0 0 0)/oklch(1 0 0)
- not-found.tsx: promote "Document Not Found" from <p> to <h2>
- WhiteLabelSettings.tsx: replace #6366f1/#8b5cf6 hex defaults with oklch equivalents; relax color pattern to accept oklch values

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

chore: add CI pipeline, Drizzle migration, update .env.sample ... 8345ab2231

- .forgejo/workflows/ci.yml: typecheck + test + Docker build
- Drizzle migration 0002: agency_clients, consent_records, webhook_events,
  white_label_configs tables + password_hash, content_hash columns + indexes
- .env.sample: add IP_HASH_SALT, METRICS_TOKEN, DATA_RETENTION_* vars

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: theme-aware cookie consent + agency pages, tsconfig cleanup ... 629298779f

- CookieConsent: replace hardcoded colors with design token classes
- Agency/cookies pages: same theming fixes
- DocumentList: theme-aware styling
- tsconfig.json: add missing lib/compiler options for Next.js

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: success-screen component theme alignment ... 14284d3c65

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: [eval-R1] semantic tokens, pricing layout, toast undo ... 723abe7daf

- Purge all raw gray-*/green-*/indigo-* Tailwind classes from agency client
  detail page, DocumentList, CookieConsent, cookies page, and success-screen;
  replace with bg-muted/border-border/text-foreground/bg-primary semantic tokens
- Restructure pricing page: Free+Starter stacked in compact left col, Pro spans
  2 cols with 6xl price + 2-col feature grid for spatial dominance, Agency as
  full-width enterprise banner row below
- Add Delete document button to DocumentViewerClient with sonner toast undo
  pattern: 5-second action window, API DELETE deferred until onDismiss

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: purge remaining bg-gray-100 skeleton in DocumentList ... 43c7ce70bf

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: import consentRecords from schema instead of consent route ... 890795a4ca

account.ts was importing consentRecords from ./consent.js but it's
defined in ../db/schema.js. Fixes Docker build failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: [eval-R2] complete semantic token sweep — zero raw color/shadow classes ... 000a6a4201

Replace all raw Tailwind color and shadow classes across entire src/:
- AP1: bg-white→bg-background, bg-gray-*→bg-muted, text-gray-*→text-foreground/text-muted-foreground,
  border-gray-*→border-border, divide-gray-*→divide-border, bg-green-*/text-green-*→bg-accent/text-primary,
  bg-red-*/text-red-*→bg-destructive/10/text-destructive, bg-indigo-*/text-indigo-*→bg-primary/text-primary,
  focus:ring-indigo-*→focus:ring-ring
- AP2: shadow-sm→shadow-subtle, shadow-md→shadow-medium, shadow-lg/xl/2xl→shadow-elevated
- 27 files touched; tsc --noEmit passes clean

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix: RLS policy for llm_usage_log — text user_id, not uuid ... 7a7d3de314

llm_usage_log.user_id is TEXT type, casting current_setting to uuid
caused operator mismatch. Use text comparison instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: remaining theme token alignment across web components ... 5ebe424f05

Questionnaire steps, document pages, version history — replace
hardcoded gray/indigo with semantic design tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: [eval-R3] final semantic sweep — zero raw classes, reduced-motion, touch targets ... 6cf3731a99

- Fix 1: JurisdictionStep — border-red-* → border-destructive/focus:ring-destructive; brand-* → primary
- Fix 2: VersionHistory — bg-purple-100/text-purple-600 → bg-accent/text-accent-foreground; brand-* → semantic
- Fix 3: Full brand-*/text-white sweep across all src/ tsx files (ThirdPartyStep, DataPracticesStep, ReviewStep, BusinessInfoStep, documents/page, disclaimer/page, DocumentList, DocumentPreview, WhiteLabelSettings, badge)
- Fix 4: globals.css hover-scale wrapped in (hover: hover) AND (prefers-reduced-motion: no-preference)
- Fix 5: FeedbackWidget dismiss button — min-h-8 min-w-8 flex items-center justify-center rounded-md touch target
- Fix 6: FeedbackWidget success state — animate-in fade-in duration-300 wrapper div
- Fix 7: All rounded-lg → rounded-md (exceptions: dialog.tsx sm:rounded-lg kept)
- Final verification grep: zero raw color class hits; bunx tsc --noEmit clean

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix(critical): JWT verify requires alg param + add password reset flow ... 61102992d7

- auth.ts: add missing "HS256" arg to verify() — without this, ALL
  authenticated requests fail with 401 (Hono JWT requires explicit alg)
- auth routes: POST /auth/forgot-password (rate-safe, no email enumeration)
- auth routes: POST /auth/reset-password (1h token, purpose-scoped JWT)
- Resend integration for reset emails (falls back to log if no API key)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 17:52:27 -04:00

feat: complete backend API surface for launch ... fb5a4829b5

- Business CRUD: GET/POST/PATCH/DELETE /businesses
- Document list + delete: GET/DELETE /documents
- Auth: GET /me, POST /logout, PATCH /profile
- Cookie domain: COOKIE_DOMAIN env var for cross-subdomain auth
- Stripe: validate price IDs at startup in production
- Health: add Redis connectivity check alongside DB
- Fix: z.record() requires key+value schemas (agency.ts)
- Fix: user possibly undefined in register (auth.ts)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 17:53:28 -04:00

fix: replace console.log with structured pinoLogger in rate-limit middleware ... cd4dd54bb8

Also document COOKIE_DOMAIN in .env.sample.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 18:46:51 -04:00

feat: HR compliance pivot — employee handbooks, workplace policies, employment agreements ... 72c25af61c

New document types: handbook, workplace_policy, employment_agreement
- 18 employee handbook clause templates (at-will, EEO, FMLA, OSHA, leave, PTO, remote work, etc.)
- 12 workplace policy templates (anti-discrimination, harassment, drug/alcohol, AI usage, whistleblower)
- 10 employment agreement templates (compensation, NDA, non-compete, IP, termination, arbitration)
- State-specific clauses: CA (CFRA, pay transparency, non-compete ban), NY (PFL, sick leave)
- FMLA threshold logic: >50 employees auto-includes FMLA clauses
- Title VII/ADA threshold: >15 employees auto-includes EEO clauses
- 3 new generate endpoints: /employee-handbook, /workplace-policy, /employment-agreement
- Drizzle migration: ALTER TYPE document_type ADD VALUE for 3 new types
- Extended shared types, constants, schemas, template registry

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 18:59:53 -04:00

chore: add deploy script + production env template ... 1d92b8f3d9

- deploy/production.env.sample: all required env vars documented
- deploy/deploy.sh: rsync + docker-compose + migration + health check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 19:18:38 -04:00

feat: HR compliance frontend pivot — auth, questionnaire, homepage, pricing, error boundaries ... 041eb3f608

- Auth: login, register, reset-password pages + Next.js middleware protecting authenticated routes
- HR Questionnaire: CompanyProfileStep, EmploymentPoliciesStep, ComplianceRisksStep components
- Questionnaire page: conditional 6-step flow for HR types (handbook, workplace_policy, employment_agreement)
- Homepage: pivoted messaging from website compliance to HR/workplace compliance
- Pricing: updated features for HR docs + Stripe checkout wiring via CheckoutButton
- Document type selector: /documents/new page with HR and website doc categories
- Error boundaries: error.tsx + loading.tsx for global, documents, and questionnaire routes
- 404 page already existed; ReviewStep type extended for HR doc types

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 20:35:05 -04:00

docs: strategic niche plan — HR compliance + MagicDocs SMS delivery moat ... 56d71a80fb

12-category document universe, 5-wave roadmap, $49-299/mo pricing tiers.
Key pivot: template-first (not AI-generated legalese) + SMS acknowledgment
tracking via MagicDocs integration = product nobody else offers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-23 20:42:31 -04:00

feat: swarm orchestration infrastructure + PRD + adversarial audit ... 14668d1ae7

- PRD with 4 waves, 20 tasks, acceptance criteria per task
- File-based prompts (W0-W3) for token-efficient agent execution
- Git worktree isolation per wave branch
- tmux-based swarm launchers with logging
- Strategic plan saved to docs/

Audit findings addressed: 5 production bugs, legal defensibility gaps,
acknowledgment system architecture, document expansion roadmap.
Confidence: 0.35 → targeting 0.95 via wave execution.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 2 commits 2026-04-23 21:28:25 -04:00

feat: [W0] — critical bug fixes: clause IDs, doc labels, fill-only LLM, placeholder scan, Zod validation ... f87482f326

W0-1: Fix eh-* clause IDs in document-generator.ts (was hb-*)
W0-2: Add all 6 document type labels in llm.ts (was defaulting to Cookie Policy)
W0-3: Lock LLM to fill-only mode — no merging, rewriting, or transitions
W0-4: Post-generation placeholder scan replaces {{...}} with [TO BE COMPLETED]
W0-5: mapResponses() now Zod-validates questionnaire data, returns 400 on failure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: add DESIGN.md — Google design.md spec for AI agent visual identity ... b5b48baa1b

Encodes ComplianceBot's design system (sky blue brand, Newsreader + DM Sans
typography, shadcn/ui New York style, approachable compliance aesthetic) as
machine-readable tokens + human-readable rationale.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 2 commits 2026-04-23 22:09:57 -04:00

feat: [W1] — legal defensibility: statute refs, AI governance policy, versioned disclaimers ... fc0b229a88

- Extend ClauseTemplate interface with statuteRef, source, effectiveDate, lastReviewed, reviewedBy
- Add effectiveDate: "2026-04-23" to all clauses across all 6 template files
- Add statute citations (FMLA, Title VII, ADA, OSHA, FLSA, ADEA, COBRA, CA FEHA/CFRA, NY PFL) to every HR clause in employee-handbook, workplace-policies, employment-agreements
- Add source URLs (DOL FMLA forms, OSHA sample programs, EEOC guidance) to relevant clauses
- New wp-ai-governance clause covering CO AI Act (6/30/26), IL AI hiring (1/1/26), NYC LL144
- Update wrapWithDisclaimer() to accept statutes/effectiveDate meta and append versioned legal basis note
- document-generator.ts extracts clause statuteRefs and passes to wrapWithDisclaimer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat: add CLAUDE.md with DESIGN.md auto-loading ... 81aa6c4482

Instructs agents to read DESIGN.md at session start for consistent
visual identity (sky blue brand, shadcn/ui New York, oklch tokens).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-24 07:10:26 -04:00

fix: use @DESIGN.md reference for auto-injection into Claude Code sessions ... f7db9f95e0

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-24 07:19:53 -04:00

perf: condense CLAUDE.md to token cheat sheet (~100 tokens vs ~800) ... f3257cab73

DESIGN.md full spec loaded on-demand only during UI work.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 2 commits 2026-04-24 08:04:57 -04:00

feat: [W2] — acknowledgment system: employees, ack tokens, e-sign UI, Hono typing fix ... 3fd274a7b1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: [W3] — document type expansion + swarm infrastructure fixes ... 8902c087d9

Termination letters (8 clauses), severance agreements (6 clauses w/ OWBPA),
performance docs (PIP + warnings). Frontend questionnaire steps for
separation + performance flows. Fixed swarm launcher .bashrc blocking
and evaluator prompt escaping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-24 08:36:21 -04:00

fix: re-apply portfolio design system DESIGN.md (hook conflict) ... 549cd569bf

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-24 09:01:06 -04:00

fix: ultrareview remediation — security, types, legal, UX, data model ... 3be22afc7d

Security: XSS escape in inlineMarkdown(), URL scheme validation,
default-deny /metrics, reset token replay prevention.
Types: AppEnv extracted with required Variables, 850+ TS errors resolved.
Legal: OWBPA group disclosures, NY PFL clause, IL AI consent module.
Data: employee PII encryption markers, agency FK constraints,
soft-delete columns, missing indexes.
Frontend: CSS variable colors, WCAG contrast, empty state, aria-describedby.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-24 11:27:08 -04:00

feat: security hardening — CSRF, XSS-Protection fix, PII redaction in logger ... 9ca9737d81

Parity with ContractPilot: CSRF middleware (exempts /webhooks, /ack),
X-XSS-Protection 0 (modern standard), Pino PII redaction on auth/token/
password/cookie fields. Security headers + request-id already present.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-24 11:47:06 -04:00

chore: gitignore next-env.d.ts, progress.txt, worktrees, launchers 2c4156c927

pook added 1 commit 2026-04-25 08:41:29 -04:00

feat: Docbird SEO Phase 1-3 — generator funnel, state/industry pages, audit tool, compliance map ... c64d8ddd4b

Phase 1: SEO foundation (robots.txt, sitemap.ts, JSON-LD structured data, OG tags)
Phase 2: 50 state pages + 15 industry pages with required policies and unique laws
Phase 3: Handbook audit tool (free compliance checker) + interactive compliance map

Design system compliance: font-serif headlines, rounded-2xl cards, bg-primary buttons, rounded-md CTAs
0 TypeScript errors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-25 12:57:40 -04:00

feat: Phase 2.3 blog + Phase 3.1/3.2 — 10 pillar articles, acknowledgment UI, compliance badge ... 17092fd328

Phase 2.3: Blog infrastructure with dynamic [slug] route + 10 SEO pillar articles
Phase 3.1: Acknowledgment dashboard design fixes (rounded-2xl cards, font-serif h1, send CTA button)
Phase 3.2: ComplianceBadge component + sitemap updated with blog pages
0 TypeScript errors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-25 15:55:18 -04:00

feat: professional rewrite of all 10 blog articles with deep research ... e94d0996b2

Articles now include real case law citations (Woolley, Toussaint, Davis v. Montevallo,
Shockley v. PrimeLending), statute references (USC, CFR, state codes), enforcement data
(EEOC FY2024: 88,531 charges, $700M+), real lawsuit dollar amounts, and industry
statistics. Content follows 80/20 strategy: deep educational value with natural CTA
funnel to tools.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-25 20:16:08 -04:00

feat: humanize all 10 blog articles — remove AI writing patterns ... abfaea5894

Applied systematic humanizer pass across all articles:
- Converted all headings to sentence case
- Eliminated 95%+ em dashes (replaced with commas, periods, parentheses)
- Removed signposting phrases ("Here is why...", "This guide shows...")
- Replaced bold+dash inline header pattern with natural formatting
- Removed negative parallelism ("not just X — it's Y")
- Cut promotional language and filler phrases
- Added human voice: varied sentence lengths, occasional first person, opinions
- Removed title case headings, excessive bolding, persuasive authority tropes

All case law citations, statute references, dollar amounts, data tables,
and internal links preserved intact.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-25 20:27:15 -04:00

fix: correct domain from docbird.ai to docbird.io ... 1b1de5df1e

The production domain is docbird.io, not docbird.ai. Updated all
references across sitemap, blog pages, tool pages, layout, and robots.txt.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pook added 1 commit 2026-04-26 20:19:42 -04:00

fix(security): validate SESSION_SECRET at startup instead of non-null assertion ... efd455f7ae

Replaces 5 instances of process.env["SESSION_SECRET"]! with a module-level
validation that throws on startup if unset. Prevents silent undefined
propagation into JWT signing operations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Some checks failed

Hide all checks

CI / docker-build (pull_request) Has been skipped

Details

CI / typecheck-and-test (pull_request) Failing after 26s

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin feat/ux-remediation:feat/ux-remediation

git switch feat/ux-remediation

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff feat/ux-remediation

git switch feat/ux-remediation

git rebase master

git switch master

git merge --ff-only feat/ux-remediation

git switch feat/ux-remediation

git rebase master

git switch master

git merge --no-ff feat/ux-remediation

git switch master

git merge --squash feat/ux-remediation

git switch master

git merge --ff-only feat/ux-remediation

git switch master

git merge feat/ux-remediation

git push origin master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/compliancebot!1551

No description provided.