- Fix proxy body forwarding, round-robin load balancing, response streaming
- Pool reqwest::Client in proxy, control, and gateway (no per-request alloc)
- Harden CORS in gateway/main.rs (was allow_origin(Any), now uses ALLOWED_ORIGINS)
- Add common/src/error.rs: ApiError type with structured JSON responses
- Add common/src/rls.rs: RlsTransaction extractor for deduplicated RLS setup
- Fix tracing in all standalone binaries (EnvFilter instead of unused var)
- Dockerfile multi-stage: separate worker-runtime, control-runtime, proxy-runtime targets
- docker-compose.yml: split into worker/system/proxy services with health checks
- Fix Grafana port mapping in pillar-system (3030:3000)
- Add config/prometheus.yml and config/vmagent.yml
- Add .env.example with all required variables
- 55 tests pass (49 run + 6 ignored integration tests requiring external services)
Made-with: Cursor
- Fix 5 source files corrupted with markdown formatting by previous AI
- Remove secret logging from auth middleware, signup, and recovery handlers
- Add role validation (ALLOWED_ROLES allowlist) to all 10 data_api + storage handlers
- Fix JavaScript injection in Deno runtime via double-serialization
- Add UUID validation to TUS upload paths to prevent path traversal
- Gate token issuance on email confirmation (AUTH_AUTO_CONFIRM env var)
- Reject unconfirmed users on login with 403
- Prevent OAuth account takeover (409 on email conflict with different provider)
- Replace permissive CORS (allow_origin Any) with ALLOWED_ORIGINS env var
- Wire session-based admin auth into control plane, add POST /platform/v1/login
- Hide secrets from list_projects API via ProjectSummary struct
- Add missing deps (redis, uuid, chrono, tower-http fs feature)
- Fix http version mismatch between reqwest 0.11 and axum 0.7 in proxy
- Clean up all unused imports across workspace
Build: zero errors, zero warnings. Tests: 10 passed, 0 failed.
Made-with: Cursor
