ovumcy/ovumcy-web v1.2.0 on GitHub

Pregnancy test day field. An always-shown day field (none / negative / positive) in the dashboard and calendar day editors. A positive test with no later cycle start pauses cycle predictions until a new period is logged. The field is part of the /api/v1/days payload (docs/openapi.yaml) and the owner CSV and JSON exports (docs/export.md); the CSV column is appended at the end so existing column positions stay stable.

All /api/v1 read endpoints are now owner-gated. GET /users/current, /days, /days/:date, and /stats/overview chain handler.OwnerOnly after AuthRequired, matching every mutation. Behavior-neutral for the single-role (owner) product — AuthRequired already rejects any non-owner role — closing a defense-in-depth uniformity gap.
Security documentation corrected to match the code. Recovery codes are 12 base32-style characters (~60 bits of entropy), not "12 hex / 48 bits"; the documented CSP now includes manifest-src 'self'; the /auth/oidc rate-limit row and the companion security headers (COOP, X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, HSTS) are documented; the web product is clarified as single-role (owner).

Raised internal/security OIDC config-validation and internal/db repository test coverage (token/state TTL, daily-log read whitelist, symptom owner-scoping).