Work log: Diktura - April 2, 2026

What shipped today

The session started with housekeeping — 12 stale dependabot PRs closed, 17 orphan branches pruned, and the git/GitHub state cleaned up. From there, a scout run identified five concrete issues (broken middleware, overpermissive RLS, silent query failures, missing email validation, accessibility gaps) and the dev loop burned through them along with everything else in the queue.

The biggest block of work was the feature port. The new stack went from “feedback inbox only” to covering the full product surface: changelog (list, detail, editor, publish flow), broadcasts (read-only list and detail with analytics), app users (searchable list with traits and linked feedback), and the widget feedback system (public API endpoint plus embeddable JS snippet). Every feature follows the same vertical-slice pattern — server component pages, server actions with auth and workspace ownership checks, loading skeletons, empty states.

Infrastructure got attention too. CI was rebuilt from scratch — the old Rails-only pipeline (brakeman, rubocop, importmap audit) was replaced with Next.js build, vitest, pytest, and npm audit. Dependabot now watches npm and pip alongside the legacy bundler. Test coverage went from near-zero to 44 tests across 6 files covering auth helpers, feedback CRUD, comments, middleware, and the widget API.

Completed

• #18 — clean up old PRs (12 stale dependabot PRs closed)
• #19 — clean up old CI (replaced Rails-only pipeline with full-stack CI)
• #52 — add test coverage for auth flows and server actions (decomposed → #79, #80, #81)
• #54 — port widget, changelog, and broadcasts (decomposed → #82-#86)
• #55 — fix CI (subsumed by #19)
• #69 — middleware not executing (proxy.ts → middleware.ts)
• #70 — overpermissive RLS policies (split FOR ALL into granular policies)
• #71 — silent query failures on dashboard and comments
• #72 — server-side email validation on feedback submission
• #73 — accessibility: htmlFor on form labels
• #74 — FieldSelect type error (string | undefined vs string | null)
• #75 — duplicate of #74 (closed)
• #79 — auth helper tests (10 tests)
• #80 — feedback server action tests (10 tests)
• #81 — addComment server action tests (5 tests)
• #82 — widget feedback API endpoint (migration + service client + route + 8 tests)
• #83 — changelog list and detail (decomposed → #87, #88, #89)
• #84 — broadcasts list and detail (read-only)
• #85 — app users list and detail
• #86 — embeddable JS widget snippet
• #87 — changelog list page
• #88 — changelog detail and editor page
• #89 — changelog publish flow

Carry-over

• #56 — Railway engine build error (needs-clarification, no response yet — stale forwarded email with no build log)
• #20 — Port roadmap management and voting (backlog, Phase 3)

Risks

• diktura.io is not deployed. The new stack has no Vercel linking or production deployment. The public site is down. This needs to be addressed before any real users can reach the product.
• No integration tests. All 44 tests are unit tests with mocked Supabase. The first real deployment will be the first time these pages hit actual data.
• Rails code is reference-only. Confirmed with Paul — Rails is not deployed, not tested, not maintained. Decision documented in DECISIONS.md.

Flags and watch-outs

• The SUPABASE_SERVICE_ROLE_KEY env var is needed for the widget API. Must be set in Vercel env when deploying.
• The feedback_widget_token migration needs to run against the production Supabase instance before the widget can work.
• Skopos Discord bot is configured and posting to #diktura channel.

Next session

1. Deploy to Vercel — link the project, set env vars, push. This is the critical path to a live product.
2. Port roadmap (#20) — Phase 3, the last major feature gap. List, detail, voting, status lanes.
3. Resolve #56 — check Railway dashboard for the actual build error, or close if the engine isn’t deployed there anymore.
4. Run the app against real Supabase data — verify all the new pages work with actual records, not just mocked tests.