- User is also a native MongoDB class, not Mongoose model
- Removed all .populate() calls for createdBy, lastUpdatedBy, notes.author
- These were causing MissingSchemaError for User model
- Submissions can be returned without populated user data
- Updated to v0.1.1 to force browser refresh
- Ensures users get fixed submissions controller code
- Removed BlogPost populate() calls that caused 500 errors
- Line 49 has sessionId with unique: true (creates index automatically)
- Line 75 had redundant SessionSchema.index({ sessionId: 1 })
- Removed explicit index to eliminate Mongoose duplicate warning
- PageViewSchema had 'index: true' on sessionId field (line 16)
- AND compound index PageViewSchema.index({ sessionId: 1, timestamp: -1 })
- Compound index already covers sessionId queries (leftmost prefix)
- Removed redundant single-field index to eliminate Mongoose warning
- SessionSchema had both 'unique: true' and 'index: true'
- unique already creates an index, making index redundant
- Resolves Mongoose warning about duplicate schema index
- BlogPost uses native MongoDB (not Mongoose), causing MissingSchemaError
- Removed all .populate('blogPostId') calls that tried to reference non-existent Mongoose model
- Manually fetch blog post data in controllers when needed
- Updated getSubmissions, getSubmissionById, getSubmissionByBlogPost, exportSubmission
- Updated SubmissionTracking static methods: getByStatus, getByPublication
- Standalone submissions (like Le Monde) now display without errors
- Changed populate to use options object with strictPopulate: false
- Allows submissions without blogPostId (standalone packages) to be returned
- Fixes 500 error on /api/submissions endpoint
- Le Monde package should now be visible in UI after server restart
- Added detailed console logs to track submission loading
- Check if API response is ok
- Log all submissions found
- Log filtering logic for standalone submissions
- Cache version updated
- Modified loadValidationArticles() to load standalone submissions (no blogPostId)
- Updated rendering to handle both blog posts and standalone packages
- Fixed API endpoint from /api/blog/posts/:id to /api/blog/admin/:id
- Standalone packages show with purple 'STANDALONE PACKAGE' badge
- Button text changes to 'View Package' for standalone submissions
- Cache version bumped to 0.1.1
- Enhanced update-cache-version.js to update service worker and version.json
- Added inst_075 governance instruction (HIGH persistence)
- Integrated cache check into deployment script (Step 1/5)
- Created CACHE_MANAGEMENT_ENFORCEMENT.md documentation
- Bumped version to 0.1.1
- Updated all HTML cache parameters
BREAKING: Deployment now blocks if JS changed without cache update
- Create Economist SubmissionTracking package correctly:
* mainArticle = full blog post content
* coverLetter = 216-word SIR— letter
* Links to blog post via blogPostId
- Archive 'Letter to The Economist' from blog posts (it's the cover letter)
- Fix date display on article cards (use published_at)
- Target publication already displaying via blue badge
Database changes:
- Make blogPostId optional in SubmissionTracking model
- Economist package ID: 68fa85ae49d4900e7f2ecd83
- Le Monde package ID: 68fa2abd2e6acd5691932150
Next: Enhanced modal with tabs, validation, export
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Extends SubmissionTracking model to support complete bilingual submission
packages with version control for multiple languages.
Schema additions:
- documents.coverLetter.versions[] - Language-versioned content
- documents.mainArticle.versions[] - With translation metadata
- documents.authorBio.versions[]
- documents.technicalBrief.versions[]
Helper methods:
- getDocument(docType, language, fallbackToDefault)
- setDocumentVersion(docType, language, content, metadata)
- getAvailableLanguages(docType)
- isPackageComplete(language)
- exportPackage(language)
Scripts:
- load-lemonde-package.js - Loads complete Le Monde submission package
Le Monde Package:
- Publication target: Rank 10, high-value French intellectual publication
- Theme: Post-Weberian organizational theory for AI age
- Content: Wittgenstein + Weber critique + indigenous data sovereignty
- Format: 187-word letter (within 150-200 requirement)
- Languages: English (original) + French (translated)
- Database ID: 68fa2abd2e6acd5691932150
- Status: Ready for submission
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add missing space after comma in SubmissionTracking model
- Replace string concatenation with template literal in blog controller
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add comprehensive About page emphasizing moral philosophy foundation over organizational theory. PluralisticDeliberationOrchestrator positioned as primary research focus. Te Tiriti o Waitangi content integrated to establish indigenous data sovereignty principles.
Also implements auto-compact tracking system to gather empirical data on Claude Code context compression events, enabling future heuristic predictions.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Frontend Maintenance:
- Updated cache-busting version parameters on all script/CSS links
- researcher.html: Version updates for navbar, i18n, scroll-animations
- implementer.html: Version updates for components
- leader.html: Version updates for components
- i18n-simple.js: Updated internationalization utility
These version updates ensure users get fresh content after website
audit deployment and prevent stale cache issues.
All changes deployed to production and verified working.
Major project restructuring to separate framework from website implementation:
Package Changes:
- name: "tractatus-framework" v3.5.0 → "tractatus-website" v0.1.0
- description: Updated to reflect website platform purpose
- Added website-specific scripts (build:css, migrate:docs, etc.)
- Added website dependencies (puppeteer, stripe, i18n, etc.)
README Changes:
- Rewritten to focus on research framework and website
- Updated badges and links
- Added "What is Tractatus?" section
- Removed framework-specific deployment instructions
.gitignore Changes:
- Drastically simplified (189 line reduction)
- Removed public repository protection rules
- This is now the primary development repository
.env Changes:
- Updated examples to reflect website configuration
- Removed framework-specific environment variables
This commit documents that this repository is the WEBSITE implementation,
separate from the tractatus-framework package repository at
github.com/AgenticGovernance/tractatus-framework.
Production deployment remains via manual rsync, NOT GitHub.
Three scripts to support blog system improvements:
1. fix-blog-dates.js
- Fixes empty {} published_at values in database
- Sets proper ISODate values for 3 blogs
- Also updates moderation.approved_at for consistency
2. add-blog-categories.js
- Adds category field to all blog posts
- Maps content to standardized categories (Framework Updates,
Implementation, Case Studies)
- Enables category filtering functionality
3. add-vetting-notice-to-architectural-boundaries.js
- Adds comprehensive human vetting notice
- Documents AI-curated content review process
- Shows governance working end-to-end with inst_017 compliance
Applied to both tractatus_dev and tractatus_prod databases.
Ref: SESSION_HANDOFF_2025-10-23_WEBSITE_AUDIT.md
Problem: All MongoDB Date objects were being serialized as empty {} in API
responses, breaking blog date display across entire site.
Root Cause: removeSensitiveFields() function used spread operator on Date
objects ({...date}), which creates empty object because Dates have no
enumerable properties.
Fix: Added Date instance check before spreading to preserve Date objects
intact for proper JSON.stringify() serialization.
Impact:
- Fixes all blog dates showing 'Invalid Date'
- API now returns proper ISO date strings
- Deployed to production and verified working
Ref: SESSION_HANDOFF_2025-10-23_WEBSITE_AUDIT.md
- Converted all 9 accordion divs to semantic <button> elements
- Added ARIA attributes: aria-expanded, aria-controls, id for each button
- Accordion content: role="region" and aria-labelledby for screen readers
- Keyboard support: Enter and Space keys toggle accordions (WAI-ARIA pattern)
- Mobile optimization: 44px/48px touch targets, touch-action: manipulation
- iOS tap feedback: -webkit-tap-highlight-color
- Footer i18n: No footer object in leader.json (uses common.json correctly)
- Updated leader-page.js with keyboard handlers and ARIA state management
- Version 1.5.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added diagrams from public tractatus-framework repo: architecture-main-flow.svg (6.6KB), trigger-decision-tree.svg (6.7KB)
- Diagram sizing: max-width 600px for readable display, responsive width 100%
- Fixed skip link: Added <main id="main-content"> wrapper for proper accessibility
- Quick navigation: 44px touch targets, flex-wrap for mobile, aria-label="Page sections"
- Download buttons: Descriptive ARIA labels, 44px minimum height
- Code blocks: Added role="region" and descriptive ARIA labels to all 6 service examples
- Mobile optimization: -webkit-overflow-scrolling, 11px code font on small screens, 16px body prevents iOS zoom
- API examples verified accurate against actual BoundaryEnforcer.service.js implementation
- CSP compliance: Moved diagram sizing to CSS class instead of inline styles
- Version 1.4.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Full WCAG accessibility: ARIA attributes (aria-expanded, aria-controls), keyboard navigation (Enter/Space)
- Reframed research context: Berlin/Weil as primary intellectual foundation (moral pluralism, categorical imperative)
- Bibliography with proper academic citations: Weil (The Need for Roots, Gravity and Grace), Berlin (Four Essays on Liberty)
- Fixed footer i18n: Implemented recursive deepMerge() to preserve nested translation objects
- Root cause: Shallow merge {...obj1, ...obj2} was overwriting entire footer object from common.json
- Consolidated all footer translations in common.json, removed from page-specific files
- Mobile optimization: 44px/48px touch targets, touch-action: manipulation, responsive design
- Progressive enhancement: <noscript> fallback for JavaScript-disabled users
- Version 1.3.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
IMPLEMENTER PAGE (public/implementer.html):
- Complete rewrite from 761 to 635 lines (developer-focused)
- Added both framework architecture diagrams (SVGs)
- Replaced fake @tractatus/framework npm package with real code examples
- Removed all marketing disclaimers and verbose filler
- Added technical specs for all 6 core services with real API examples
- Fixed GitHub repository links to match package.json
FOOTER FIXES (researcher.html, leader.html):
- Fixed script loading order (version-manager before i18n)
- Removed duplicate <!-- Footer --> comment in researcher.html
- Now matches index.html script structure for consistency
Result: Implementer page now shows actual framework documentation with real code examples and architecture diagrams
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
SECURITY CHANGES:
- Removed .github/workflows/sync-public-docs.yml (auto-synced to public repo)
- Removed 'public' git remote (tractatus-framework)
REASON:
Auto-syncing from private to public repository is inherently dangerous:
- Risks exposing internal files, credentials, or sensitive data
- No human review gate before public exposure
- Created the Stripe key exposure incident
GOING FORWARD:
- tractatus (private) = internal development repository
- tractatus-framework (public) = manually curated framework releases
- No automated sync between them
- Manual review required before any public release
This prevents automatic exposure of internal project files.
Removed files:
- SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md (internal security doc)
- .claude/instruction-history.json (project-specific governance rules)
- scripts/add-security-rules-2025-10-21.js (dated, project-specific)
- scripts/apply-governance-audit-2025-10-21.js (dated, project-specific)
- docs/governance/GOVERNANCE_LEARNINGS_2025-10-21.md (internal learnings)
- docs/governance/GOVERNANCE_RULES_AUDIT_2025-10-21.md (internal audit)
These are internal to the tractatus project, not framework resources.
Public repo should contain only framework implementation code and docs.
Updated .gitignore to prevent future commits of similar files.
DECISION:
Maintain separate internal (tractatus) and public (tractatus-framework)
repositories with distinct purposes and content.
RATIONALE:
- Security: Internal research and strategy must not be public
- Clarity: Developers need implementation docs, not governance theory
- Professionalism: Public repo must appear world-class
- Prevent Misuse: "Bad actor bias" incident showed AI misrepresentation risk
PROCESS DOCUMENTED:
- 8-phase cleanup (615 → 96 files, 84% reduction)
- Professional documentation suite (CHANGELOG, SECURITY, README badges)
- GitHub Release v3.5.0 with downloadable packages
- Community features (Discussions enabled)
GOVERNANCE RULE CREATED:
- inst_063_CONSOLIDATED: Public GitHub Management
- Prohibits: Governance research, deliberation guides, theoretical frameworks
- Allows: Technical docs, API guides, code examples
- Requires: Weekly README review
BAD ACTOR BIAS INCIDENT:
AI suggested converting implementation docs to "governance guide for preventing
bad actors" - exact opposite of framework's pluralistic deliberation purpose.
inst_063_CONSOLIDATED now prevents this misrepresentation.
METRICS:
- Repository reduction: 84% fewer files
- README growth: +73% (215 → 372 lines)
- Documentation quality: Publication-ready
- Community ready: Discussions enabled, professional appearance
File: docs/architecture/ADR-001-public-repository-release-process.md (610 lines)
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
Added community-ready documentation and policies:
CHANGELOG.md:
- Keep a Changelog format with semantic versioning
- Complete v3.5.0 release notes
- All 6 core services documented
- 4 support services listed
- Installation instructions
- Upgrade guide section
- Links to documentation and releases
SECURITY.md:
- Vulnerability reporting policy (security@agenticgovernance.digital)
- Supported versions table
- Security best practices for implementers
- Environment, network, deployment, database, API security
- Known security considerations
- Compliance information (OWASP Top 10)
- Security audit history
README.md improvements:
- Added release badge (v3.5.0)
- Added Node.js and MongoDB version badges
- Links to CHANGELOG.md and SECURITY.md at top
- Improved structure with clear sections
- Better code examples with context
- Added citation section (BibTeX format)
- Removed references to deleted files (systemd/, ADR-001)
- Corrected test counts (17 tests, not 625)
- Added Discussions link
- Professional status indicator
GitHub Discussions:
- Enabled via API for community engagement
Result: Repository now has professional documentation suite suitable
for public release and community adoption.
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
BEFORE: 609-line research manifesto with:
- Research questions and theoretical framing
- "When the Framework Failed" case studies
- "Critical Open Problems" sections
- Extensive academic citations
- Audience: Researchers studying AI governance
AFTER: 215-line implementation guide with:
- Quick start (install, configure, run)
- Basic usage code examples
- API documentation links
- Deployment instructions
- Testing commands
- Clear website reference for background/research
- Audience: Developers implementing Tractatus
REMOVED:
- All research framing ("Research Question:", theoretical discussion)
- Case studies and failure documentation
- Academic positioning
- Fabrication incident disclosure
FOCUSED ON:
- Install/configure/deploy workflow
- Code examples developers can copy-paste
- Links to API docs and architecture docs
- Testing and contribution
Website (agenticgovernance.digital) now single source for background,
research, and general information. Public GitHub repository focused
exclusively on implementation.
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
CRITICAL SECURITY:
- Removed 3,019 pptx-env Python virtualenv files from public tracking
- Added pptx-env/ to .gitignore
- Note: Stripe live key ALREADY removed in previous commit a6dc277
NEW CONTRIBUTING.md (world-class):
- Research-quality standards matching README
- Honest about alpha status (108 failing tests)
- Correct contact: research@agenticgovernance.digital
- No fabricated features or cultural positioning
- Rigorous testing/documentation standards
- Clear research ethics section
RESULT: Public GitHub now properly cleaned and documented
SECURITY INCIDENT:
- Stripe detected exposed live API key sk_live_***tMjIK
- Found hardcoded in create-live-prices.js and create-live-stripe-prices.js
- Files were pushed to public GitHub in previous commit
- Removing immediately and adding to .gitignore
ACTION REQUIRED:
User MUST rotate Stripe API keys immediately in Stripe Dashboard:
https://dashboard.stripe.com/apikeys
Files removed:
- scripts/create-live-prices.js
- scripts/create-live-stripe-prices.js
