name the LLM-default constructs this project forbids in
explicit before/after tables. catching the trap by pattern
match is more reliable than expecting a general rule to be
applied at write time. backend table covers PHP traps
(arrow fns, inline FQCNs, default params, stored refs, em
dashes, short names); frontend table covers JS/template/
cypress traps.
AGENTS.md gains a non-negotiable session start protocol that
forces reading the context files and checking the current
branch before any edits. shared.md gains a pre-commit
checklist covering branch/scope, code rules, mechanical
checks, and commit metadata. both additions exist because
this branch's history shows what happens when the rules are
treated as background information rather than active
checklists.
two type hints introduced earlier on this branch referenced
classes by their fully-qualified names inline. hoist them to
the top-of-file use block per backend-context.md PHP rules.
the seeded text already has nested nodes, so 'li.first()'
matched multiple buttons. scope the selectors to top-level
li children to match the working pattern in adminText.cy.js.
FastRoute rejected /api/texts/all because the previously
declared variable route /api/texts/{textId} would shadow it,
crashing the app on boot. move the admin all-texts endpoint
to /api/admin/texts to clear the conflict; admin texts.js
follows the new URL.
loginAsSecondUser helper backs new specs that cover the
/texts list (own-only scoping, create form, link to
/texts/{id}) and /texts/{id} detail (own access, 403 on
another user's text, owner can add a child node).
new /texts page lets a user manage their own texts (list +
create form linking to /texts/{id}); /texts/{id} reuses
text.js for the node tree, with a back link to /texts. home
gains a 'My texts' link in the header. the admin texts page
now sources its cross-user list from /api/texts/all.
getNodesOfText, createNode, and bulkCreateNodes now require
the session user, look up the target text, and respond 403
unless the user owns the text or is an admin. paves the way
for moving these endpoints out of the admin-only group.
add failing tests asserting 403 when a non-owner tries to
read or write nodes on another user's text, plus admin
bypass. existing tests now attach a session user to mirror
the new controller signature.
open POST /api/texts and node create endpoints to any
authenticated user; expose new /texts and /texts/{id} pages
plus admin-only GET /api/texts/all. ViewController gains
userTexts and userText methods. seed gives Tanach to the
regular user and adds a second non-admin user.
TextRepository gains findByUser; JsonTextRepository and the
fake implement filtering by stored userId. TextController
splits the list endpoint into getMyTexts (own) and
getAllTexts (admin), and getText now requires the session
user, returning 403 to non-owners while admins bypass.
add failing tests for getMyTexts (own-only), getAllTexts
(admin), getText 403 for non-owner, and admin bypass on
getText. existing test_get_one_text updated to pass the
session user via the new request signature.
Text now requires a User on construction. seed a user in
each test setUp that creates a Text directly or through the
fake repository so the suite remains green.
cover that the created Text carries the supplied User, that
the controller persists the user from the session attribute,
and that any userId in the request body is ignored.
include the user when rebuilding Text instances in find and
getAll, preserving the rule that lookup methods return new
instances rather than stored references.
drop UserRepository dependency; controller now passes the
authenticated User directly via CreateTextRequest, eliminating
a redundant repository lookup.
introduce closeAllAddForms which strips every add-child and
bulk-add input/button from the tree, and call it at the start of
toggleAddForm and toggleBulkAddForm (after the same-li toggle-off
short-circuit, so clicking the same trigger still closes its own
form). enforces a single open add form across the whole tree.
assert that opening any add-child or bulk-add form closes any
other open add form across the tree. currently fails: each toggle
function only checks for an open form on its own li.
extract the save-bulk handler into a submit closure shared by the
save button click and a keydown listener on both the title and
count inputs. focus the title input as soon as the form opens.
assert that pressing enter from either the bulk-title or
bulk-count input submits the bulk add form. currently fails:
only the save-bulk button click triggers the post.
extract the save-child handler into a submit closure shared by
the save button click and a keydown listener on the input. also
focus the input as soon as the form opens so the user can type
and hit enter without touching the mouse.
introduce a module-level expandedNodeIds set that tracks which
nodes the user has manually expanded. renderTree consults the set
when deciding initial visibility (falling back to the depth-based
default for a fresh load), the toggle click handler keeps the set
in sync, and both add-child save handlers add the parent's id
before triggering the re-fetch. on a fresh load the set starts
empty so root-only-open behavior is unchanged and the existing
toggle tests keep passing.
assert that a non-root parent that the user expanded stays expanded
after adding a child. currently fails: fetchAndRenderNodes wipes
and rebuilds the tree with depth-based default visibility, so any
manually expanded non-root collapses on every save.
reuse the centered auth-card shell for the 403 page so the error
state matches the visual language of the rest of the app, with a
primary back-to-home action.
apply the shared auth-shell + auth-card layout to the register
template, mirroring the login page. ids and the #register-error
element are preserved for the existing cypress auth tests.
introduce .auth-shell and .auth-card classes for the centered,
narrow-card layout shared by login and register, then apply them
to the login template. form ids and the #login-error element are
preserved so the existing cypress auth flows still target them.
wrap the admin page in the shared header (with the logout button)
and present the texts entry-point as a card-link in a list-cards
list. the #texts and #logout id hooks used by cypress are
preserved.
apply the page shell to the text detail page and add a scoped
.node-tree style block to app.css. the tree dom rendered by text.js
must keep ul/li with buttons and inputs as direct children of each
li (cypress relies on > selectors), so styling is applied entirely
via descendant selectors without wrapping the rendered nodes.
apply the page shell to the admin texts page and present each
existing text as a card-link plus the new-text form as a card with
a primary submit button. ids (#texts-list, #newTextName, #submit,
#back) and the name attribute on the input are preserved so the
existing cypress flows continue to work.
