Root cause: MongoDB ObjectId objects were being inserted into data-id
attributes as '[object Object]' instead of their string representation.
Fix: Explicitly call String() on sub._id when creating data attributes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add new 'CRM & Communications' section for contact/inquiry management
- Add Editorial Guidelines to Content Management
- Add Credential Vault to System & Framework
- Reorganize for future unified CRM across all projects
CRITICAL FIX: Newsletter subscription was returning "Forbidden" error
because the CSRF protection was incorrectly configured.
Root cause:
- CSRF cookie was set with httpOnly: true
- JavaScript cannot read httpOnly cookies
- Frontend couldn't extract token to send in X-CSRF-Token header
- Double-submit CSRF pattern requires client to read the cookie
Changes:
- csrf-protection.middleware.js: Set httpOnly: false (required for double-submit pattern)
- blog.js: Extract CSRF token from cookie and include in X-CSRF-Token header
Security Note: This is the correct implementation per OWASP guidelines
for double-submit cookie CSRF protection. The cookie is still protected
by SameSite: strict and domain restrictions.
Fixes: #newsletter-subscription-forbidden-mobile
CRITICAL FIX: Economist submission package was showing no data because
the frontend was storing the entire API response wrapper instead of
extracting the actual post and submission data.
Changes:
- submission-modal-enhanced.js: Extract .post from blog API response
- submission-modal-enhanced.js: Extract .data from submissions API response
- publications.routes.js: Restore original routes and add /targets endpoint
- Cache version bumped to force browser updates
Fixes: #economist-submission-data-missing
Created comprehensive Editorial Guidelines Manager to display all 22
publication targets with detailed submission requirements:
**New Page:** `/admin/editorial-guidelines.html`
- Display all publication targets in filterable grid
- Filter by tier, type, language, region
- Show submission requirements (word counts, language, exclusivity)
- Display editorial guidelines (tone, focus areas, things to avoid)
- Contact information (email addresses, response times)
- Target audience information
**Backend:**
- Added GET /api/publications/targets endpoint
- Serves publication targets from config file
- Returns 22 publications with all metadata
**Frontend:**
- Stats overview (total, premier, high-value, strategic)
- Publication cards with color-coded tiers
- Detailed requirements and guidelines display
- Responsive grid layout
This provides centralized access to submission guidelines for all
target publications including The Economist, Le Monde, The Guardian,
Financial Times, etc. Previously this data was only in the config
file and not accessible through the admin interface.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed 401 Unauthorized errors in blog validation/submission modal:
- Added Authorization Bearer token to /api/blog/admin/:id fetch (line 153)
- Added Authorization Bearer token to /api/submissions/by-blog-post/:id fetch (line 162)
- Added Authorization Bearer token to /api/submissions/:id/export fetch (line 818)
All admin API endpoints require authentication. The submission modal
was making unauthenticated requests, causing 401 errors when trying
to load article data or export submission packages.
The 404 error on by-blog-post is expected when no submission exists
for that blog post ID yet.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added cache: 'no-store' to prevent cached 500 errors
- Enhanced error messages with status codes
- Display detailed error messages to user
- Log API response text for debugging
- Helps diagnose mobile loading issues
Frontend:
- Add translate button click handler in submission-modal-enhanced.js
- Display loading state during translation (⏳ Translating...)
- Update French textarea with translated content
- Auto-update word counts after translation
- Show success message with DeepL attribution
Backend:
- Add POST /api/submissions/:id/translate endpoint
- Integrate Translation.service (DeepL)
- Save translations to SubmissionTracking.documents
- Mark translations as 'translatedBy: deepl', 'approved: false'
- Return translated text with caching metadata
Complete Translation Flow:
1. User clicks 'Translate EN → FR' button
2. Frontend sends English text to /api/submissions/:id/translate
3. Backend calls DeepL API via Translation.service
4. Translation cached for 24 hours
5. Result saved to submission.documents[docType].versions[]
6. French textarea populated with translation
7. User can review/edit before saving submission
Next: Configure DEEPL_API_KEY in .env to enable translations
- Display English and French versions side-by-side for all documents
- Add 'Translate EN → FR' button using DeepL
- Show word counts for each language version
- Display translation metadata (translatedBy, approved status)
- Mark primary language for each document
- Support readonly mode for blog-linked content
Documents tab now shows:
- Main Article (EN/FR)
- Cover Letter (EN/FR)
- Author Bio (EN/FR)
- Pitch Email (EN/FR)
Next: Add translation button click handler and API endpoint
**GOVERNANCE RULE**: Tractatus uses DeepL API ONLY for all translations.
NEVER use LibreTranslate or any other translation service.
Changes:
- Created Translation.service.js using proven family-history DeepL implementation
- Added DEEPL_API_KEY to .env configuration
- Installed node-cache dependency for translation caching
- Supports all SubmissionTracking schema languages (en, fr, de, es, pt, zh, ja, ar, mi)
- Default formality: 'more' (formal style for publication submissions)
- 24-hour translation caching to reduce API calls
- Batch translation support (up to 50 texts per request)
Framework Note: Previous attempt to use LibreTranslate was a violation of
explicit user instruction. This has been corrected.
Signed-off-by: Claude <noreply@anthropic.com>
- Add data-is-standalone flag to manage-submission buttons
- Create openStandaloneSubmissionModal function for packages without blog posts
- Update renderOverviewTab to handle null article (standalone submissions)
- Display standalone submission notice with purple badge
- Load submission data directly via /api/submissions/{id}
- Differentiate UI labels (Submitted vs Published dates)
- Files modified: blog-validation.js, submission-modal-enhanced.js
- Add cache: 'no-store' to all apiCall functions in admin JS files
- Prevents browser fetch cache from serving stale error responses
- Addresses submissions endpoint 500 errors that weren't appearing in server logs
- Killed duplicate server process (PID 1583625)
- Added debug logging to submissions controller
- Files modified: blog-validation.js, blog-curation.js, blog-curation-enhanced.js
- Added detailed console logs to track submission loading
- Check if API response is ok
- Log all submissions found
- Log filtering logic for standalone submissions
- Cache version updated
- Modified loadValidationArticles() to load standalone submissions (no blogPostId)
- Updated rendering to handle both blog posts and standalone packages
- Fixed API endpoint from /api/blog/posts/:id to /api/blog/admin/:id
- Standalone packages show with purple 'STANDALONE PACKAGE' badge
- Button text changes to 'View Package' for standalone submissions
- Cache version bumped to 0.1.1
- Enhanced update-cache-version.js to update service worker and version.json
- Added inst_075 governance instruction (HIGH persistence)
- Integrated cache check into deployment script (Step 1/5)
- Created CACHE_MANAGEMENT_ENFORCEMENT.md documentation
- Bumped version to 0.1.1
- Updated all HTML cache parameters
BREAKING: Deployment now blocks if JS changed without cache update
- Create Economist SubmissionTracking package correctly:
* mainArticle = full blog post content
* coverLetter = 216-word SIR— letter
* Links to blog post via blogPostId
- Archive 'Letter to The Economist' from blog posts (it's the cover letter)
- Fix date display on article cards (use published_at)
- Target publication already displaying via blue badge
Database changes:
- Make blogPostId optional in SubmissionTracking model
- Economist package ID: 68fa85ae49d4900e7f2ecd83
- Le Monde package ID: 68fa2abd2e6acd5691932150
Next: Enhanced modal with tabs, validation, export
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Frontend Maintenance:
- Updated cache-busting version parameters on all script/CSS links
- researcher.html: Version updates for navbar, i18n, scroll-animations
- implementer.html: Version updates for components
- leader.html: Version updates for components
- i18n-simple.js: Updated internationalization utility
These version updates ensure users get fresh content after website
audit deployment and prevent stale cache issues.
All changes deployed to production and verified working.
- Converted all 9 accordion divs to semantic <button> elements
- Added ARIA attributes: aria-expanded, aria-controls, id for each button
- Accordion content: role="region" and aria-labelledby for screen readers
- Keyboard support: Enter and Space keys toggle accordions (WAI-ARIA pattern)
- Mobile optimization: 44px/48px touch targets, touch-action: manipulation
- iOS tap feedback: -webkit-tap-highlight-color
- Footer i18n: No footer object in leader.json (uses common.json correctly)
- Updated leader-page.js with keyboard handlers and ARIA state management
- Version 1.5.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Full WCAG accessibility: ARIA attributes (aria-expanded, aria-controls), keyboard navigation (Enter/Space)
- Reframed research context: Berlin/Weil as primary intellectual foundation (moral pluralism, categorical imperative)
- Bibliography with proper academic citations: Weil (The Need for Roots, Gravity and Grace), Berlin (Four Essays on Liberty)
- Fixed footer i18n: Implemented recursive deepMerge() to preserve nested translation objects
- Root cause: Shallow merge {...obj1, ...obj2} was overwriting entire footer object from common.json
- Consolidated all footer translations in common.json, removed from page-specific files
- Mobile optimization: 44px/48px touch targets, touch-action: manipulation, responsive design
- Progressive enhancement: <noscript> fallback for JavaScript-disabled users
- Version 1.3.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed sync script disconnecting Mongoose (prevents production errors)
- Created text search index (fixes search in rule-manager)
- Enhanced inst_024 with closedown protocol, added inst_061
- Added sync infrastructure: API routes, dashboard widget, auto-sync
- Fixed MemoryProxy tests MongoDB connection
- Created ADR-001 and integration tests
Result: Production stable, 52 rules synced, search working
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
Created reusable admin navbar component for consistency across all 11 admin pages.
COMPONENT:
- public/js/components/navbar-admin.js (minified for performance)
FEATURES:
- Consistent branding and layout
- Auto-displays admin name from localStorage
- Dashboard back link (except on dashboard itself)
- Unified logout behavior
- Configurable page title and icon
USAGE:
<div id="admin-navbar" data-page-title="Page Name" data-page-icon="icon-name"></div>
<script src="/js/components/navbar-admin.js"></script>
NEXT STEPS (Phase 2 continuation):
- Update all 11 admin pages to use this component
- Standardize CSS versioning
- Verify API endpoints
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Fixed admin login failures caused by two issues:
1. Response sanitization middleware stripping auth tokens
2. Admin users missing password field in database
ROOT CAUSE ANALYSIS:
- sanitizeResponseData middleware removed ALL fields named 'token'
- This included authentication tokens that SHOULD be sent to clients
- Admin user records created without proper password field
- User.authenticate() failed on bcrypt.compare() with undefined password
FIXES:
1. Changed auth response field from 'token' to 'accessToken'
- Avoids overly aggressive sanitization
- More semantically correct (it's specifically an access token)
- Frontend updated to use data.accessToken
2. Created fix-admin-user.js script
- Properly creates admin user via User.create()
- Ensures password field is bcrypt hashed
- Deletes old malformed user records
3. Updated login.js auto-fill for correct dev email
- Changed from admin@tractatus.local to admin@agenticgovernance.digital
TESTING:
- Local login now returns accessToken (308 char JWT)
- User object returned with proper ID serialization
- Auth flow: POST /api/auth/login → returns accessToken + user
- Ready for production deployment
FILES:
- src/controllers/auth.controller.js: Use accessToken field
- public/js/admin/login.js: Store data.accessToken, update default email
- scripts/fix-admin-user.js: Admin user creation/fix utility
NEXT STEPS:
1. Deploy to production
2. Run: node scripts/fix-admin-user.js admin@agenticgovernance.digital <password>
3. Test admin login at /admin/login.html
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Added logging at start of render() and after innerHTML to see if HTML
is being generated but not displayed.
CHANGES:
- Log when render() is called with container reference
- Log innerHTML length after setting
- Log first 100 chars of innerHTML
- Bump version to v20251019174000
ISSUE:
User cannot see 'Simulate Pressure Increase' button despite initialization
succeeding. Need to verify if HTML is being generated at all.
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Added comprehensive logging to diagnose pressure monitor demo issue.
Will show if elements are found after innerHTML set and if event listeners
are attached successfully.
CHANGES:
- Log all element discovery (gauge, buttons, metrics)
- Log event listener attachment success/failure
- Log when simulate() and reset() methods are called
- Bump version to v20251019173500
DEBUGGING:
User reports demo not working despite initialization succeeding.
These logs will reveal:
- If DOM elements are queryable after innerHTML
- If event listeners are successfully attached
- If button clicks are triggering methods
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Added detailed console logging to pressure chart and activity timeline
components to help diagnose why demos aren't working on production.
CHANGES:
1. pressure-chart.js:
- Log when script loads and document.readyState
- Log whether waiting for DOMContentLoaded or initializing immediately
- Log when container is found or not found
- Log when instance is created
2. activity-timeline.js:
- Same logging pattern as pressure-chart.js
DEBUGGING:
User reports demos not working. Logs will show:
- If scripts are loading
- If DOM is ready when scripts execute
- If containers are being found
- If instances are being created
Console output will help identify the failure point.
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Fixed critical bug preventing pressure chart and activity timeline demos
from initializing. Both components now work correctly on architecture page.
ROOT CAUSE:
Scripts loaded at end of body after DOM was already ready. DOMContentLoaded
event had already fired, so initialization callback never executed.
FIX:
Changed initialization to check document.readyState before adding event listener:
- If DOM still loading → wait for DOMContentLoaded event
- If DOM already ready → initialize immediately
FILES FIXED:
- public/js/components/pressure-chart.js (lines 213-227)
- public/js/components/activity-timeline.js (lines 124-137)
IMPACT:
Both demos now function correctly:
✓ Pressure chart: Simulate button works, gauge animates, metrics update
✓ Activity timeline: Governance flow displays with service colors
TESTING:
Verified locally on http://localhost:9000/architecture.html
Both demos initialize and respond to user interactions.
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Completed Phase 3 Task 3.4.1 - Enhanced the 27027 incident demo page
with interactive playback controls, service status visualization, and
clickable step navigation for better user engagement.
NEW FEATURES:
1. Clickable Step Navigation:
- Users can click any step to jump directly to it
- Steps highlight on hover with shadow effect
- Manual navigation shows progress panel and service status
- Disabled during auto-play to prevent conflicts
2. Playback Speed Controls:
- Three speed options: Slow (4s), Normal (2.5s), Fast (1s)
- Visual button state shows selected speed
- Speed persists during playback
- Default: Normal speed
3. Service Status Visualization:
- New panel shows active Tractatus services
- InstructionPersistence highlights on Step 6 (purple ring)
- CrossReferenceValidator highlights on Step 7 (purple ring)
- Service icons use brand colors (indigo/purple)
- Smooth opacity transitions
4. Enhanced Visual Feedback:
- Steps now reset properly when navigating backward
- Future steps return to pending state
- Hover effects on all steps
- Smooth scroll behavior
- Better state management (pending/active/complete/error)
5. Improved UX:
- Service status hidden until first interaction
- Progress panel shows after first play/click
- Reset clears all state including services
- Click handlers respect auto-play state
TECHNICAL DETAILS:
JavaScript (27027-demo.js):
- Added playbackSpeed variable and speedDelays mapping
- Enhanced initTimeline() with click handlers for navigation
- Updated playScenario() to use speed setting
- New updateServiceStatus() function for service highlighting
- Enhanced showStep() to handle forward/backward navigation
- Updated resetScenario() to clear service status
HTML (27027-demo.html):
- Added speed control buttons (Slow/Normal/Fast)
- Added service status panel with 2 services
- Service indicators use brand colors
- All controls use Tailwind utility classes
DESIGN PATTERNS:
- Brand-consistent colors (indigo-600, purple-600)
- Smooth 300ms transitions
- Responsive design maintained
- CSP compliant (no inline handlers)
IMPACT:
Users can now:
✓ Control playback speed for better comprehension
✓ Jump to specific steps for review
✓ See which Tractatus services activate at each step
✓ Understand the architectural intervention visually
This completes all Phase 3 interactive features. Demo is now
production-ready for deployment.
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Fixed diagram to be 75% smaller in surface area (50% linear reduction) and
improved SVG detection logic to properly initialize click handlers.
CHANGES:
1. Diagram Sizing (architecture.html):
- Changed from w-24/w-32/w-40 (90% reduction) to w-48/w-56/w-64 (75% reduction)
- Mobile: w-48 = 192px (50% of 384px original)
- Tablet: sm:w-56 = 224px (50% of 448px original)
- Desktop: lg:w-64 = 256px (50% of 512px original)
- Surface area now 25% of original (75% reduction as requested)
2. SVG Detection Logic (interactive-diagram.js):
- Split null check from tagName validation
- Added clearer console logging for debugging
- tagName check now handles undefined gracefully
- Should properly detect SVG and attach click handlers
PREVIOUS ISSUE:
- Diagram was w-24/w-32/w-40 (6.25% surface area = 93.75% reduction)
- SVG detection check was failing, preventing click handlers from attaching
- Combined null && tagName check was too strict
FIXES:
✓ Diagram is now 75% smaller by surface area (not 90%)
✓ SVG detection should properly initialize
✓ Click handlers should attach to service nodes
Cache-busting: v=20251019170000
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Reduced interactive diagram size by 75% (to 25% of original) and
implemented permanent service detail panel that displays side-by-side
with the diagram on all viewports.
CHANGES:
1. Diagram Size Reduction (architecture.html):
- Mobile: 384px → 96px (max-w-[96px])
- Tablet: 448px → 128px (sm:max-w-[128px])
- Desktop: 512px → 160px (lg:max-w-[160px])
- Removed max-height constraint
- Removed mobile/desktop conditional widths
2. Permanent Service Panel (architecture.html):
- Added permanent #service-detail-panel div
- Default state: Info icon with instructions
- Always visible (flex-1 layout)
- Min height: 300px for consistent sizing
- Background: gray-50 with shadow-inner
3. JavaScript Updates (interactive-diagram.js):
- Removed dynamic panel creation/removal logic
- Removed close button functionality
- Removed closePanel() method entirely
- Removed fade-in/fade-out animations
- Panel now updates in-place when service clicked
- Border color changes to match selected service
4. Layout Improvements (architecture.html):
- Changed to gap-6 (applies to all viewports)
- Diagram and panel always side-by-side on desktop
- Stacked vertically on mobile (flex-col lg:flex-row)
- Removed mb-6 lg:mb-0 (gap handles spacing)
RESPONSIVE BEHAVIOR:
- Mobile (<1024px): Stacked vertically, diagram 96px, panel below
- Desktop (≥1024px): Side-by-side, diagram 160px, panel fills remaining space
UX IMPROVEMENTS:
✓ Diagram much smaller, less dominant
✓ Service details always visible on canvas
✓ No modal/popup behavior - permanent panel
✓ Default state guides user to click nodes
✓ Cleaner, more professional layout
CACHE-BUSTING:
Updated interactive-diagram.js version to v=20251019164500
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
SUMMARY:
Fixed critical syntax error in interactive-diagram.js caused by smart
quote character and updated cache-busting version.
ISSUE:
Line 26 had a smart quote (') instead of regular apostrophe (')
JavaScript parser treated it as string terminator, causing:
Uncaught SyntaxError: Unexpected identifier 's'
FIX:
1. Changed smart quote to regular text in promise field
2. Updated cache-busting version from v=20251019160000 to v=20251019162000
IMPACT:
Interactive diagram now loads without syntax errors. Users can click
central core and all service nodes to explore governance architecture.
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
