- Bulk-load recent price points per item and render a sparkline in
the items list (new LoadRecentPriceHistory query avoids N+1).
- Add retro.css visual layer and refreshed login/items/layout styling.
- Swap the logo from webp to avif.
- Pin htmx/Chart.js/Tailwind/templ versions in the Makefile with
vendor / tools / update-deps targets; README documents the
dependency-bump flow and the hardened systemd deploy.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Auction handling:
- Capture itemEndDate from eBay Browse API and ending_date from ZenMarket
(Yahoo JP); plumb through results.ends_at column. Permissive ZenMarket
parser (multiple layouts, JST when offset missing).
- Per-row "Ends" countdown column + "Ending soon" banner on results pages,
live-ticked by flair.js with urgent/critical tinting under 1h/5m.
- Backfill ends_at for known auctions when their URL reappears in a poll
(dedup hit no longer drops the new end time).
- Hide ended auctions from result listings by default via
ResultsQuery.ExcludeEnded; rows stay in the DB.
Visual flair:
- Glassy backdrop-blur v-cards with gradient-mask borders and hover-lift.
- htmx swap fade-in via transient .v-just-swapped class.
- Count-up animation on dashboard stats. All animations gated behind
prefers-reduced-motion.
eBay condition + region filters (auctions-style scoping):
- items.condition and items.region columns; threaded through item form,
CreateItem/UpdateItem, scheduler eBay plan input, and previewKey so
cache invalidates when these change.
- ebay.SearchParams gains conditionIds and itemLocationCountry filters.
Run Now reload + countdown engine:
- Run Now now sets HX-Refresh: true (non-htmx fallback: 303 redirect) so
the entire results view — best price, chart, badge, last polled —
reflects the new poll, instead of swapping just one partial.
Pre-launch hardening (P1 set):
- auth.EqualizeLoginTiming on no-such-user branch.
- (*App).serverError centralizes 500s; replaces err.Error() leaks across
results/settings/items/users/dashboard handlers.
- main.go server: ReadTimeout 30s / WriteTimeout 60s / IdleTimeout 120s
alongside the existing ReadHeaderTimeout.
- noListFS wrapper blocks static directory listings.
- Credential fields in settings no longer render value=; blank submission
preserves the saved value, with per-field "Saved in settings / Set in
config.toml / Not set" status indicator.
Misc:
- -debug flag wires slog to LevelDebug; raw ZenMarket items logged for
format diagnosis.
- /healthz public endpoint for reverse-proxy probes.
- deploy/veola.service systemd unit template (hardening flags, single
ReadWritePaths=/var/lib/veola).
- handlers_test.go covers /healthz, setup-gate redirect, auth gate, and
/login render with httptest + in-memory sqlite.
- best_price_currency on items; templates pick the right symbol per row.
- .gitignore now excludes *.log / veola-debug.log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Dashboard auto-refresh rendered the full layout into its own
refresh container, producing a duplicate sidebar every 60s; it now
renders only the body partial.
- 'Run Now' runs synchronously with a bounded timeout and returns
refreshed results plus success/error feedback, instead of
firing-and-forgetting with no signal.
- Price-history chart data moved from a <script> block to a data-
attribute: templ does not interpolate expressions inside <script>
element content, so the JSON was emitted literally.
- The htmx indicator spinner was permanently visible due to CSS
source order; the indicator rules now follow .v-spinner.
Also refreshes README for this session's changes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The session cookie now sets the Secure attribute (server.secure_cookies, default true). Adds chi RealIP and Recoverer middleware plus a securityHeaders middleware that emits a Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on every response. HSTS is intentionally left to the TLS-terminating proxy.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
eBay marketplaces are now polled through eBay's official Buy > Browse API (client-credentials OAuth2) instead of an Apify scraper actor; Apify still handles Yahoo JP and Mercari. Browse API calls are tracked per day in a new ebay_api_usage table and capped (default 5000, configurable) on eBay's Pacific-time reset clock, so polling halts before the limit is hit. Credentials live in config.toml [ebay] and are overridable via /settings, which also surfaces the day's running call count.
Also carries the server.secure_cookies config plumbing (field, accessor, example) consumed by the following commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
