📄 2026-04-24.md 5,843 bytes Apr 24, 2026 📋 Raw

2026-04-24 — Sprint Day 1

Sprint Kicked Off

Matt cleared the sprint brief. Board: Socrates 🧠 (backend), Daedalus 🎨 (frontend), Wadsworth 📋 (coordination)
Sprint brief: shared/project-docs/sprint-brief-2026-04-24.md

dashboard/templates/family_login.html — warm, branded, mobile-first login page
dashboard/router.py — added /family/login/ route + updated GET / and GET /dashboard/ redirects
Auth router has a redirect_url referenced-before-assignment bug (Socrates' domain, flow still works via client-side redirect)
Handoff doc: dashboard/FAMILY-LOGIN-HANDOFF.md

Matt cleared the sprint brief. Board: Socrates 🧠 (backend), Daedalus 🎨 (frontend), Wadsworth 📋 (coordination)
Sprint brief: shared/project-docs/sprint-brief-2026-04-24.md

dashboard/templates/family_login.html — warm, branded, mobile-first login page
dashboard/router.py — added /family/login/ route + updated GET / and GET /dashboard/ redirects
Auth router has a redirect_url referenced-before-assignment bug (Socrates' domain, flow still works via client-side redirect)
Handoff doc: dashboard/FAMILY-LOGIN-HANDOFF.md

Matt's call: Session cookies for browsers, Bearer tokens for API/webhooks
Documented in shared/project-docs/auth-unification.md
Blog admin: X-Admin-Token → session cookie ✅ DONE
Content generation: ?token= → session cookie ✅ DONE
Login page: now uses /auth/login, session cookie, redirect param ✅ DONE
Family admin: session cookie (wire the login route)
Removed events API: Bearer token (machine-to-machine)
Webhooks/bots: keep as-is
Aundrea logs in once, never sees a token
Credentials: matt/hoffdesk-matt-2026, aundrea/hoffdesk-aundrea-2026
Socrates delivered: session middleware, /auth/login, /auth/me, /auth/logout
Daedalus completed: removed all X-Admin-Token, ?token=, API_TOKEN refs from all templates
Token-free templates: admin_base.html.j2, admin_editor.html.j2, admin_login.html.j2, magic_wand.html.j2, admin_dashboard.html.j2, admin_post_list.html.j2, pipeline_brief_form.html.j2, pipeline_brief_review.html.j2
401 redirect handler added to admin_base.html.j2 (HTMX auto-redirects to /auth/login)
Synced shared/project-docs/ copies with production paths

Built frontend widget in dashboard/templates/index.html
Polls GET /family/events/removed?hours=24&limit=5 every 60s via JS fetch (not HTMX, since response is JSON)
Hidden by default, only appears when count > 0
Socrates spec updated with cross-references to Daedalus' dashboard/REMOVED-WIDGET-SPEC.md
Updated auth to proxy pattern per Socrates' recommendation — no cookie in JS
Handoff spec: dashboard/REMOVED-WIDGET-SPEC.md

Problem: Dashboard router at prefix="" intercepts root, so notes.hoffdesk.com shows family dashboard
Solution (Socrates): Starlette Host() routing — separate sub-apps per subdomain
Plan: shared/research/subdomain-routing-implementation.md (Socrates' workspace)
Daedalus' recommendations:
Do both: separate port tonight (quick fix) + host-based routing (proper fix)
Move blog/dashboard static files to shared/ so neither workspace is production source of truth
Convert dashboard to Jinja2 before host routing goes live
Add acceptance criteria: unauthenticated users see branded dashboard login, not generic /auth/login

Live: notes.hoffdesk.com, api.hoffdesk.com, cal.hoffdesk.com, hook.hoffdesk.com
Zombie: blog.hoffdesk.com (in tunnel config, no DNS CNAME)
Dev-only: proto.hoffdesk.com (manual startup, mock data — retire when family. is live)
Not configured: hoffdesk.com (bare domain), family.hoffdesk.com
Hardcoded URLs to fix post-routing:
magic_wand.html.j2 line 98: const API_BASE = 'https://notes.hoffdesk.com/admin/content' → make relative
admin_base.html.j2 line 30: Dashboard link → update to https://family.hoffdesk.com/
Blog SEO URLs at hoffdesk.com/blog/ → keep (correct for permalinks)

Switched to deepseek-v4-flash:cloud (added to openclaw.json ollama models list, allowed in daedalus agent config)
Model provider: ollama-pro (cloud via OpenRouter/Ollama Pro)