github MBombeck/HealthLog v1.4.45
v1.4.45 — analytics 9 s perf fix + audit-marathon closure

v1.4.45 closes the audit-marathon that followed v1.4.42's iOS-readiness release. v1.4.43 was skipped — a same-day v1.4.44 REG-11 hotfix shipped on main while this marathon was running; v1.4.45 keeps the version monotone.

Headline

/api/analytics dashboard cold-mount: 9 s → 2-3 s via p-limit(4) cap on the slim slice's WMY fan-out. The regression had been latent since v1.4.40 W-WMY-WIRE. WMY-converged tenants now land ≤ 500 ms cold; warm cache (60 s TTL hit) unchanged at ~50 ms.

What landed

Fourteen touch-disjoint waves:

  • W1 Analytics perf cap (closes the 9 s regression)
  • W2 Chart empty-state copy split on raw count (fixes the "Erfasse 3 Einträge" false-positive on populated accounts)
  • W3 Security: auth.login.failed audit drops the raw identifier + WithingsApiError.message capped at 1024 chars
  • W4 QoL copy: load-error label, "Anbieter" rename, persistent pill warning state, localised 404, bilingual global-error, plural forms across 6 locales
  • W5 Mobile-UI: Switch + comparison pills + mood kebab + Sheet close-X tap targets to 44 px, scrollBehaviorForUser() helper
  • W6 Zod multi-issue rollout to 41 routes — every measurements / medications / mood / auth / settings / admin / consent / bugreport route now returns every Zod issue under details.issues
  • W7 Withings typed-classifier wiring across both sync paths
  • W8 Ops: widgets-RL dedup + docker BuildKit version-pin fix + env-check CI lockstep
  • W9 Workouts source-priority threaded through write-time picker
  • W11 Mobile-UI residual: 6 Mediums + 4 Lows (animate-spin sweep, skeleton heights, scatter aspect ratio, tile-strip skeleton, chart no-data-in-range state)
  • W12 QoL residual: 13 atomic commits (account-delete CTA + danger-zone visual quieting, <OfflineBanner>, doctor-report disabled-not-hidden, coach.network copy split, SW CACHE_VERSION re-anchor, formatDateOrRelative helper, etc.)
  • W13 Security residual: auth.check-user audit row + Coach SSE replay-injection scan + checkAuthSurfaceRateLimit wrapper + Zod-narrow passkey body
  • W14 Withings parked-state: 24 h persistent-failure park (B4) + per-kind failure counters (B7) — closes the v1.4.42 W2 backlog

Plus the W10 multi-axis QA round (code-reviewer / security / design / senior-dev / product-lead / simplifier) and a 6-commit reconcile pass.

Migration

prisma/migrations/0075_v1443_integration_park — adds consecutive_failures_by_kind (JSONB) + persistent_failure_started_at (TIMESTAMP) to IntegrationStatus. Idempotent (IF NOT EXISTS) + reversible + non-destructive backfill. Run prisma migrate deploy post-deploy; no downtime expected.

iOS contract

Preserved. returnAllZodIssues envelope is additively extended (error field unchanged); new endpoints (/api/integrations/withings/resume, /api/settings/account DELETE) are additive. v0.5.4 keeps working.

Quality gates

  • pnpm typecheck
  • pnpm lint
  • pnpm test --run — 491 files / 5076 passed / 1 skipped (+261 vs. v1.4.42 baseline)
  • pnpm knip (enforcing) ✓

Operator notes

  • Schema migration required — prisma migrate deploy post-deploy.
  • No env-var change. pnpm check-env (v1.4.42) still passes; the new env-check CI gate enforces manifest ↔ .env.production.example lockstep.
  • docker-publish.yml now bakes NEXT_PUBLIC_APP_VERSION at build time so /api/version can never serve a stale version after a Coolify cache re-use.
  • Withings persistent-failure park flips state to "parked" after > 24 h of consecutive persistent failures. A parked integration's next scheduled sync is short-circuited until the user / operator clicks "Wieder verbinden" (rate-limited 5/min/user).
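
The park rule from the last operator note, sketched as an added TypeScript example (not HealthLog's own code). The two status fields follow the 0075 migration's columns; the function names, the in-memory limiter and the choice to clear the counters on resume are assumptions.

```typescript
// Added illustration, not HealthLog source. The two status fields mirror the
// migration's columns; every function and type name here is hypothetical.
type SyncState = "active" | "parked";

interface IntegrationStatus {
  state: SyncState;
  consecutiveFailuresByKind: Record<string, number>; // consecutive_failures_by_kind
  persistentFailureStartedAt: number | null; // persistent_failure_started_at, ms epoch
}

const PARK_AFTER_MS = 24 * 60 * 60 * 1000; // park only after MORE than 24 h
const RESUME_LIMIT = 5; // 5 resumes per minute per user
const RESUME_WINDOW_MS = 60 * 1000;
const resumeHits: Record<string, number[]> = {}; // in-memory; assumes a single process

function newStatus(): IntegrationStatus {
  return { state: "active", consecutiveFailuresByKind: {}, persistentFailureStartedAt: null };
}

// Scheduler gate: a parked integration is skipped before any provider call.
function shouldSync(s: IntegrationStatus): boolean {
  return s.state !== "parked";
}

function recordPersistentFailure(s: IntegrationStatus, kind: string, now: number): IntegrationStatus {
  const counts = { ...s.consecutiveFailuresByKind };
  counts[kind] = (counts[kind] || 0) + 1;
  const startedAt = s.persistentFailureStartedAt === null ? now : s.persistentFailureStartedAt;
  const state: SyncState = now - startedAt > PARK_AFTER_MS ? "parked" : s.state;
  return { state, consecutiveFailuresByKind: counts, persistentFailureStartedAt: startedAt };
}

// Any successful sync ends the streak, so the 24 h clock restarts from zero.
function recordSuccess(s: IntegrationStatus): IntegrationStatus {
  return { state: s.state, consecutiveFailuresByKind: {}, persistentFailureStartedAt: null };
}

// Sliding-window limiter; refused attempts are not recorded.
function allowResume(userId: string, now: number): boolean {
  const recent = (resumeHits[userId] || []).filter((t) => now - t < RESUME_WINDOW_MS);
  const allowed = recent.length < RESUME_LIMIT;
  if (allowed) recent.push(now);
  resumeHits[userId] = recent;
  return allowed;
}

// "Wieder verbinden": clears the park unless the caller is over the limit.
function resumeIntegration(s: IntegrationStatus, userId: string, now: number): IntegrationStatus {
  return allowResume(userId, now) ? newStatus() : s;
}
```

A failure at exactly 24 h leaves the integration active; only the next persistent failure past that mark parks it, and a rate-limited resume returns the status unchanged.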
