Replace semantic wait for enabled button with 500ms timeout to allow
Angular form initialization. The previous approach of waiting for
button[type=submit]:enabled to be visible created a timeout because
the button only becomes enabled after filling the form input.
Fixes 5 failing tests in context-switching.spec.ts and 1 in notes-crud.spec.ts
that were timing out after commit 6a5c5f722.

Prevents race condition where upload attempts happen before sync config
is loaded from IndexedDB, eliminating 404 errors to default baseUrl
during app startup and E2E tests.

- Update peter-evans/find-comment to v4.0.0 (pinned SHA)
- Update peter-evans/create-or-update-comment to v5.0.0 (pinned SHA)
Fixes GitHub Actions failure where v4 tag pointed to unavailable commit.
Uses commit SHAs instead of version tags for supply chain security.
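The SHA pinning described in the commit message above can be checked mechanically. The following is an added example, not part of the commit or the project's workflows: it audits `uses:` references in workflow text and reports any that are not pinned to a full 40-character commit SHA. The workflow content, the SHA placeholder and all function names are constructed for illustration.

```typescript
// Added example: flag GitHub Actions `uses:` references that are not SHA-pinned.
interface ActionRef {
  line: number;                  // 1-based line in the workflow text
  action: string;                // owner/repo[/path]
  ref: string;                   // text after '@'
  pinned: boolean;               // true only for a full 40-hex commit SHA
  versionComment: string | null; // trailing "# v5.0.0" style comment, if any
}

const USES_RE = /^\s*(?:-\s*)?uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?\s*(?:#\s*(\S+))?/;
// Short SHAs are rejected on purpose: a tag or branch can carry a short hex name.
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

function auditWorkflow(yamlText: string): ActionRef[] {
  const refs: ActionRef[] = [];
  yamlText.split(/\r?\n/).forEach((text, idx) => {
    const m = USES_RE.exec(text);
    if (!m) return; // not a `uses:` line, or a local action without '@'
    const action = m[1] || "";
    const ref = m[2] || "";
    // Container images are pinned by digest, not by git ref; out of scope here.
    if (action.indexOf("docker://") === 0) return;
    refs.push({
      line: idx + 1,
      action,
      ref,
      pinned: FULL_SHA_RE.test(ref),
      versionComment: m[3] ? m[3] : null,
    });
  });
  return refs;
}

function unpinned(yamlText: string): ActionRef[] {
  return auditWorkflow(yamlText).filter((r) => !r.pinned);
}

// Constructed workflow; the 40-hex value is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  comment:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: peter-evans/find-comment@v4",
  "      - name: Post comment",
  "        uses: peter-evans/create-or-update-comment@0123456789abcdef0123456789abcdef01234567 # v5.0.0",
  "      - uses: ./.github/actions/local-step",
].join("\n");

for (const r of unpinned(SAMPLE_WORKFLOW)) {
  console.log(`line ${r.line}: ${r.action}@${r.ref} is not pinned to a commit SHA`);
}
```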
Add strategic waits to ensure operations are created and flushed in the
correct sequence:
- 50ms wait after DELETE to ensure operation is created
- 500ms wait after UPDATE to ensure operation is flushed before sync
This ensures UPDATE has a later timestamp than DELETE, allowing LWW
conflict resolution to correctly recreate the updated task.
Verified with 15 consecutive successful test runs.

Add a trust badge displaying EU flag stars and "Data hosted in EU" text to the SuperSync server login/register page. The badge uses official EU flag colors (blue #039 and gold #fc0) with the circle of 12 stars from public domain SVG.

Internal compliance documentation has been moved to a private location.
These documents contain sensitive operational procedures and security
analysis that should not be public.
Files moved:
- GDPR compliance analysis
- Incident response playbooks
- Data subject request procedures
- DPIA screening decisions
- Records of processing activities
- Infrastructure verification documents

Increases max-height of mat-mdc-dialog-content from default to 90vh on
mobile viewports (≤599px) to better utilize available screen space and
reduce unnecessary scrolling in dialogs like the schedule task dialog.

Update incident response, data subject request, and DPIA procedures to
accurately reflect that database encryption at rest is NOT implemented
for non-E2EE users.
Changes:
- INCIDENT-RESPONSE-PLAYBOOK.md: Clarify E2EE is optional throughout,
add physical server compromise scenarios, update risk assessments to
differentiate E2EE vs non-E2EE users, document encryption gap in
prevention measures
- DATA-SUBJECT-REQUEST-PROCEDURES.md: Add encryption status disclosure
to access responses, clarify data export formats, add security notice
about unencrypted storage for non-E2EE users
- DPIA-SCREENING-DECISION.md: Document encryption gap as additional
consideration, update risk level to LOW-MEDIUM, add encryption gap
to conclusion and re-assessment triggers
All procedures now consistently acknowledge 85% compliance score and
risk variance based on E2EE usage, while maintaining that DPIA is not
required per Art. 35.

Update GDPR compliance documentation to accurately reflect that database
encryption at rest is NOT implemented for non-E2EE users. This critical
finding required:
- Update compliance score from 92% to 85% (10% deduction for encryption gap)
- Add comprehensive encryption disclosure to privacy policies (German & English)
- Document risk: unencrypted PostgreSQL data on disk
- Update GDPR analysis with compensating controls (optional E2EE)
- Revise Records of Processing Activities with encryption status
- Add context to Alfahosting verification tracker
Changes prioritize GDPR transparency by honestly documenting security
limitations rather than overstating compliance.

- Fix tag assignment by waiting for tag to appear on task after assignment
- Fix project/tag dialog forms by adding initialization delay (300ms)
- Fix issue provider panel by handling auto-closing dialogs
- Replace arbitrary timeouts with proper element visibility checks
All 4 previously failing tests now pass consistently:
- menu-touch-submenu: tag toggling via submenu
- context-switching: project navigation and TODAY tag switching
- issue-provider-panel: dialog opening without errors
Test results: 191 passed, 0 failed (previously 4 failed)

Create schedule.constants.ts and schedule-constants.scss with named
constants for viewport thresholds, breakpoints, column widths, and
scrollbar dimensions. Update components to use constants for better
maintainability and documentation.

Add integration test verifying that when a remote DELETE is applied first
but a local UPDATE wins LWW conflict resolution, the entity can be
extracted from the DELETE payload and the UPDATE applied on top of it.

- Add active state CSS reusing magic side nav theme variables
- Switch to routerLinkActive directive for declarative route matching
- Remove manual currentRoute signal tracking

There is no reason to run certain checks on simple documentation
updates. These Actions showed up during the initial v0.1 PR and added
noise to the PR process.

Add automated preview deployments for pull requests using Cloudflare Pages.
Each PR gets a unique preview URL that updates on every push.
Requires configuring these repository secrets:
- CLOUDFLARE_API_TOKEN
- CLOUDFLARE_ACCOUNT_ID

The font budget was set to 260KB before the Material Icons to Material
Symbols upgrade. Material Symbols font is ~456KB, causing Lighthouse CI
to fail. Increase budget to 520KB to accommodate the larger font with
headroom for future updates.

When a remote DELETE is applied before LWW resolution and the local UPDATE
wins (newer timestamp), extract the entity from the DELETE operation payload
to recreate it, preventing data loss from the race condition.
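The recovery path described in the commit message above, as an added example that is not the project's own code: when the DELETE has already removed the entity and a newer local UPDATE wins last-writer-wins, the entity is rebuilt from the snapshot carried in the DELETE payload. The operation shapes, the `Task` fields, the tie-breaking rule and all names are assumptions made for illustration.

```typescript
// Hypothetical types; not the app's real operation-log schema.
interface Task { id: string; title: string; done: boolean; }
interface DeleteOp { kind: "DELETE"; entityId: string; timestamp: number; payload: { entity: Task }; }
interface UpdateOp { kind: "UPDATE"; entityId: string; timestamp: number; payload: { changes: Partial<Task> }; }
type Store = Record<string, Task>;
type Outcome = "deleted" | "updated" | "recreated";

function has(store: Store, id: string): boolean {
  // Own-property check so ids such as "constructor" never hit the prototype.
  return Object.prototype.hasOwnProperty.call(store, id);
}

// Plain application of one operation, with no conflict handling.
function applyOp(store: Store, op: DeleteOp | UpdateOp): void {
  if (op.kind === "DELETE") {
    delete store[op.entityId];
    return;
  }
  // An UPDATE for a missing entity is dropped: this is the data-loss path.
  if (!has(store, op.entityId)) return;
  store[op.entityId] = { ...store[op.entityId], ...op.payload.changes };
}

// LWW between a local UPDATE and a remote DELETE of the same entity.
function resolveUpdateVsDelete(store: Store, localUpdate: UpdateOp, remoteDelete: DeleteOp): Outcome {
  if (localUpdate.entityId !== remoteDelete.entityId) {
    throw new Error("operations target different entities");
  }
  const id = localUpdate.entityId;
  // Assumption: on equal timestamps the DELETE wins.
  if (localUpdate.timestamp <= remoteDelete.timestamp) {
    delete store[id];
    return "deleted";
  }
  if (has(store, id)) {
    applyOp(store, localUpdate);
    return "updated";
  }
  // DELETE already applied: rebuild from its payload snapshot, then apply the
  // winning UPDATE's changes on top.
  store[id] = { ...remoteDelete.payload.entity, ...localUpdate.payload.changes };
  return "recreated";
}

// Constructed sample data.
const SNAPSHOT: Task = { id: "t1", title: "Write report", done: false };
const REMOTE_DELETE: DeleteOp = { kind: "DELETE", entityId: "t1", timestamp: 1000, payload: { entity: SNAPSHOT } };
const LOCAL_UPDATE: UpdateOp = { kind: "UPDATE", entityId: "t1", timestamp: 1500, payload: { changes: { title: "Write final report" } } };
```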