    CHANGELOG

    Chronological list of notable changes

    Document Metadata

    • title: Changelog
    • description: Chronological list of notable changes
    • status: stable
    • lastUpdated: "2026-03-22 12:07 ET (America/New_York)"
    • owner: Engineering

    Changelog

    All notable changes to this project will be documented in this file.

    <!-- NEW CHANGELOG ENTRIES START BELOW -->

    2026-03-22 12:07 ET (America/New_York) - [1009] Add a provider-aware live smoke lane for Better Auth and Neon rehearsals

    • Reworked the browser smoke spec to capture the app's real authenticated API request and reuse that bearer header for direct API assertions, removing the old dependency on Better Auth's project-compass.auth-token storage key and making the smoke lane work for both better-auth and neon-auth provider modes (/Users/maggielerman/.codex/worktrees/17aa/project-compass/tests/smoke/live-auth-api.smoke.spec.ts).
    • Extended the shared Live Smoke workflow with an auth_provider input and made the backend live-pack conditional, so intentional Neon-authenticated rehearsals can run as browser-only verification without pretending the existing Better-Auth-specific backend bootstrap already supports Neon (/Users/maggielerman/.codex/worktrees/17aa/project-compass/.github/workflows/smoke-live.yml, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/live-backend-docs.test.ts).
    • Updated env templates and runbooks to document the new verification boundary clearly: browser smoke is provider-aware, while api:test:live remains Better-Auth-only until a Neon-native backend live-pack bootstrap exists (/Users/maggielerman/.codex/worktrees/17aa/project-compass/.env.example, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/development/testing.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/deployment/RELEASE_CHECKLIST.md).

    2026-03-22 11:48 ET (America/New_York) - [1009] Add the frontend Neon Auth scaffold behind the bridge

    • Added a dormant Neon Auth frontend provider behind the shared auth bridge, so VITE_AUTH_PROVIDER=neon-auth can now resolve session state, sign in/out, and supply bearer headers for API requests without rewriting page-level auth consumers (/Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/auth/neon-auth-provider.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/app-auth.ts).
    • Installed the official Neon SDK and updated the bridge contract/env surface so the frontend can point at VITE_NEON_AUTH_URL when the provider switch is intentionally enabled, while leaving Better Auth as the current live default (/Users/maggielerman/.codex/worktrees/17aa/project-compass/package.json, /Users/maggielerman/.codex/worktrees/17aa/project-compass/.env.example).
    • Added deterministic frontend provider-selection tests and refreshed auth/deployment docs so the repo now clearly distinguishes between the active Better Auth runtime and the new Neon Auth scaffold (/Users/maggielerman/.codex/worktrees/17aa/project-compass/src/test/app-auth.test.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/development/ARCHITECTURE.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/deployment/SELF_HOSTING.md).

    2026-03-22 11:36 ET (America/New_York) - [1009] Lock Neon cutover to JWT/JWKS verification and scaffold the API path

    • Chose direct Neon JWT verification against JWKS as the standalone API cutover strategy, avoiding a cross-origin dependency on provider-hosted session cookies at the Render API boundary and recording that decision in the active 1009 plan (/Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1009_auth_modernization_neon_target.md).
    • Added the first inactive backend scaffold for that path:
      • generic auth-principal resolution now receives bearer-token context,
      • the API can be configured later for Neon JWT verification via explicit JWKS/issuer/audience envs,
      • auth posture/status now exposes the planned verification target and whether Neon JWT verification is enabled (/Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/auth.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/neon-auth.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/config.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/app.ts).
    • Expanded verification/docs coverage for the new strategy with dedicated JWT tests plus updated contracts/runbooks/env templates so the migration path is concrete instead of implied (/Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/neon-auth.test.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/config.test.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/api/contracts.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/api/standalone-api.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/.env.example).
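
    An added illustration of the bearer-token path this entry describes, not the project's own `neon-auth.ts`: a JWT is checked against a JWKS with pinned algorithm, issuer, audience and expiry, and resolves to a (provider, subjectId, email) principal only when verification is configured. The config shape, function names, key id, issuer and audience values are all hypothetical, and the key pair is constructed sample data.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// Hypothetical shapes: the changelog names no env keys, only "JWKS/issuer/audience".
type NeonJwtConfig = { jwks: { keys: any[] }; issuer: string; audience: string };
type Principal = { provider: "neon-auth"; subjectId: string; email?: string };

const decode = (seg: string) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const encode = (obj: object) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Returns the principal, or null when verification is unconfigured or any check fails.
function resolvePrincipal(authorization: string | undefined, cfg: NeonJwtConfig | null, nowSec: number): Principal | null {
  if (!cfg || !authorization || !authorization.startsWith("Bearer ")) return null;
  const parts = authorization.slice("Bearer ".length).split(".");
  if (parts.length !== 3) return null;
  try {
    const header = decode(parts[0]);
    if (header.alg !== "RS256") return null; // allowlist; rejects "none" and HMAC confusion
    const jwk = cfg.jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
    if (!jwk) return null;
    const key = createPublicKey({ key: jwk, format: "jwk" });
    const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
    if (!verify("RSA-SHA256", signed, key, Buffer.from(parts[2], "base64url"))) return null;
    const claims = decode(parts[1]); // only read claims after the signature holds
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (claims.iss !== cfg.issuer || !aud.includes(cfg.audience)) return null;
    if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
    if (typeof claims.sub !== "string" || claims.sub === "") return null;
    return { provider: "neon-auth", subjectId: claims.sub, email: claims.email };
  } catch {
    return null; // malformed base64, JSON or key material is a rejection, not a crash
  }
}

// Constructed sample data: a throwaway RSA key stands in for the provider's signing key.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const sampleConfig: NeonJwtConfig = {
  jwks: { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "k1" }] },
  issuer: "https://auth.example.test",
  audience: "project-compass-api",
};
const goodClaims = { iss: sampleConfig.issuer, aud: sampleConfig.audience, sub: "user-123", exp: 2000 };

function mintBearer(claims: object, header: object = { alg: "RS256", kid: "k1" }): string {
  const input = `${encode(header)}.${encode(claims)}`;
  return `Bearer ${input}.${sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url")}`;
}
```

    Passing `null` as the config models the inactive scaffold: every request is left unresolved until the JWKS, issuer and audience are all supplied.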

    2026-03-22 11:23 ET (America/New_York) - [1009] Add provider/principal migration seam for Neon Auth cutover

    • Replaced Better Auth-specific frontend coupling with a shared auth-provider bridge, keeping the live runtime on Better Auth while making the future provider swap target the bridge implementation instead of every page and backend client (/Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/app-auth.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/auth/better-auth-provider.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/backend-client.ts).
    • Reworked backend auth resolution to carry explicit provider principal details (provider, subjectId, email) before mapping requests onto the current single-user app bridge, which keeps 1009 aligned with 1010 instead of baking Better Auth assumptions deeper into production code (/Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/auth.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/better-auth.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/app.ts).
    • Expanded the auth posture contract and Settings UI so operators can inspect the active provider, resolved auth subject, principal-mapping mode, and the Neon Auth migration target while leaving the hosted login experience unchanged (/Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/types.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/src/pages/Settings.tsx, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1009_auth_modernization_neon_target.md).

    2026-03-22 11:00 ET (America/New_York) - [1010] Open multi-user authorization and data-isolation program

    • Opened project 1010 to scope the full multi-user safety program separately from 1009, including ownership modeling, schema/database changes, API authorization, data migration/backfill, and leakage-prevention testing requirements (/Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1010_multi_user_authorization_and_data_isolation.md).
    • Updated the roadmap, master plan, and project index so 1010 is now the explicit source of truth for multi-user authorization and data-isolation work, while 1009 remains focused on auth-provider modernization toward Neon Auth (/Users/maggielerman/.codex/worktrees/17aa/project-compass/ROADMAP.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/project-master.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/README.md).
    • Clarified project boundaries by linking 1009 to 1010, preventing auth-provider migration work from being mistaken for a complete multi-user safety implementation (/Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1009_auth_modernization_neon_target.md).

    2026-03-22 10:39 ET (America/New_York) - [1009] Start auth modernization with Neon Auth as the target

    • Opened project 1009 to separate deeper auth/provider work from the existing dashboard/actionability stream and documented Neon Auth as the recommended long-term target for this Neon-backed product (/Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1009_auth_modernization_neon_target.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/ROADMAP.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/project-master.md).
    • Started the first hardening slice on the current Better Auth deployment by disabling public signup by default, removing the client-side auto-signup login fallback, and surfacing signup posture in the auth status/runtime checks (/Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/app.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/api/src/config.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/src/lib/app-auth.ts, /Users/maggielerman/.codex/worktrees/17aa/project-compass/src/pages/Settings.tsx).
    • Updated auth runbooks/contracts so hosted smoke and live backend verification now assume an intentionally provisioned account instead of relying on sign-up fallback behavior (/Users/maggielerman/.codex/worktrees/17aa/project-compass/.env.example, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/api/contracts.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/api/standalone-api.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/deployment/SELF_HOSTING.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/development/testing.md).

    2026-03-22 10:25 ET (America/New_York) - [1007] Close out monorepo restoration stream and reconcile governance docs

    • Closed project 1007 after confirming the three-way comparison had already been completed during the monorepo period, the standalone repository remains the canonical working/deploy surface, the legacy Vercel project has been retired, and the stale hosted LIVE_APP_PASSWORD env was removed from the standalone frontend project (/Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/completed/1007_monorepo-consolidation-adr-and-migration.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/development/monorepo-consolidation-adr.md).
    • Reconciled roadmap/master-plan surfaces so 1007 no longer appears as active execution work and the current active stream register is aligned across roadmap, project master, and project index docs (/Users/maggielerman/.codex/worktrees/17aa/project-compass/ROADMAP.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/project-master.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/README.md).
    • Completed a governance catch-up pass on active project docs so 1001, 1002, 1006, and 1008 now reflect their current checkpoint state instead of lagging behind roadmap/changelog history (/Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1001_neon_migration.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1002_testing_expansion.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1006_docs_intelligence_workflow_ux_elevation.md, /Users/maggielerman/.codex/worktrees/17aa/project-compass/docs/PROJECTS/active/1008_strategy_adoption_dashboard_actionability_and_auth_hardening.md).

    2026-03-21 08:35 ET (America/New_York) - [1007] Upgrade GitHub workflow actions to Node 24-compatible majors

    • Confirmed the rerun hosted Live Smoke workflow still passes end-to-end on the standalone baseline, including both browser-smoke and backend-live-pack against https://project-compass-standalone.vercel.app and the standalone Render API (https://github.com/maggielerman/project-compass/actions/runs/23379717139).
    • Upgraded the GitHub workflow dependencies from deprecated actions/*@v4 lines to current Node 24-compatible ma
