Non-public documents (internal, archived, confidential) were accessible
to unauthenticated users via direct slug/ID lookup. List and search
endpoints already filtered for visibility: 'public', but the individual
document endpoints did not. Added optionalAuth middleware and visibility
checks so non-public docs return 404 to public users while remaining
accessible to admin users.
Also adds Guardian Agents translations to village-case-study locale
files (DE, FR, MI) — 8 new keys per locale, flow step renumbered
6→7→8 with new Guardian Agents verification step at position 6.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security:
- Add authentication to /api/documents/archived endpoint (admin-only)
- Prevent public exposure of 108 archived/internal documents
Documentation UI:
- Remove duplicate hardcoded Resources section from docs.html
- Add Resources category to docs-app.js for implementation guides
- Move 3 implementation guides from Getting Started to Resources
- Move Glossary from Technical Reference to Getting Started
- Set Research & Theory section to collapsed by default
- Update service worker cache version to 0.1.4
Migration Scripts:
- Add scripts for document category reorganization
- Add scripts for research document migration to production
- Add scripts for glossary verification and comparison
Files changed:
- public/docs.html: Remove duplicate Resources section
- public/js/docs-app.js: Add Resources category, collapse Research
- public/service-worker.js: Bump cache to v0.1.4
- src/routes/documents.routes.js: Secure /archived endpoint
- scripts/*: Add 10 migration/diagnostic scripts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Create Economist SubmissionTracking package correctly:
* mainArticle = full blog post content
* coverLetter = 216-word SIR— letter
* Links to blog post via blogPostId
- Archive 'Letter to The Economist' from blog posts (it's the cover letter)
- Fix date display on article cards (use published_at)
- Target publication already displaying via blue badge
Database changes:
- Make blogPostId optional in SubmissionTracking model
- Economist package ID: 68fa85ae49d4900e7f2ecd83
- Le Monde package ID: 68fa2abd2e6acd5691932150
Next: Enhanced modal with tabs, validation, export
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SECURITY IMPROVEMENTS:
- Change default visibility from 'public' to 'internal' (prevents accidental exposure)
- Add visibility validation (public/internal/confidential/archived)
- Require valid category for public documents
- Add workflow_status tracking (draft/review/published)
PUBLISH WORKFLOW:
- New Document.publish(id, options) method with comprehensive validation
- New Document.unpublish(id, reason) method with audit trail
- New Document.listByWorkflowStatus(status) for workflow management
API ENDPOINTS (Admin only):
- POST /api/documents/:id/publish - Explicit publish with category validation
- POST /api/documents/:id/unpublish - Revert to internal with reason
- GET /api/documents/drafts - List unpublished documents
WORLD-CLASS UX:
- Clear validation messages with actionable guidance
- Lists available categories in error messages
- Tracks publish/unpublish history for audit trail
BACKWARD COMPATIBLE:
- Existing public documents unaffected
- Migration scripts automatically use safer defaults
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
**Cache-Busting Improvements:**
- Switched from timestamp-based to semantic versioning (v1.0.2)
- Updated all HTML files: index.html, docs.html, leader.html
- CSS: tailwind.css?v=1.0.2
- JS: navbar.js, document-cards.js, docs-app.js v1.0.2
- Professional versioning approach for production stability
**systemd Service Implementation:**
- Created tractatus-dev.service for development environment
- Created tractatus-prod.service for production environment
- Added install-systemd.sh script for easy deployment
- Security hardening: NoNewPrivileges, PrivateTmp, ProtectSystem
- Resource limits: 1GB dev, 2GB prod memory limits
- Proper logging integration with journalctl
- Automatic restart on failure (RestartSec=10)
**Why systemd over pm2:**
1. Native Linux integration, no additional dependencies
2. Better OS-level security controls (ProtectSystem, ProtectHome)
3. Superior logging with journalctl integration
4. Standard across Linux distributions
5. More robust process management for production
**Usage:**
# Development:
sudo ./scripts/install-systemd.sh dev
# Production:
sudo ./scripts/install-systemd.sh prod
# View logs:
sudo journalctl -u tractatus -f
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implemented complete backend API foundation with authentication, document
management, blog operations, and admin functionality. Added migration tools
for database seeding and document import.
**Controllers (4 files):**
- auth.controller.js: User authentication (login, getCurrentUser, logout)
- documents.controller.js: Document CRUD operations
- blog.controller.js: Blog post management with admin/public access
- admin.controller.js: Admin dashboard (stats, moderation queue, activity)
**Routes (5 files):**
- auth.routes.js: Authentication endpoints
- documents.routes.js: Document API endpoints
- blog.routes.js: Blog API endpoints
- admin.routes.js: Admin API endpoints
- index.js: Central routing configuration with API documentation
**Migration Tools (2 scripts):**
- seed-admin.js: Create admin user for system access
- migrate-documents.js: Import markdown documents with metadata extraction,
slug generation, and dry-run support. Successfully migrated 8 documents
from anthropic-submission directory.
**Server Updates:**
- Integrated all API routes under /api namespace
- Updated homepage to reflect completed API implementation
- Maintained security middleware (Helmet, CORS, rate limiting)
**Testing:**
✅ Server starts successfully on port 9000
✅ Authentication flow working (login, token validation)
✅ Document endpoints tested (list, get by slug)
✅ Admin stats endpoint verified (requires authentication)
✅ Migration completed: 8 documents imported
**Database Status:**
- Documents collection: 8 technical papers
- Users collection: 1 admin user
- All indexes operational
This completes the core backend API infrastructure. Next steps: build
Tractatus governance services (InstructionClassifier, CrossReferenceValidator,
BoundaryEnforcer).
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
