The web UI was linking to /v1/ REST API paths that aren't served
through nginx. Added SVG/JPG/PDF rendering and share link endpoints
directly to the web server so everything works through port 443.
- Add render.go with SVG, JPG, PDF handlers for auth and share paths
- Register render routes and share management routes in web server
- Update template links from /v1/... to /notebooks/... paths
- Add share link creation, display, and revocation to notebook view
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Read x-engpad-username/x-engpad-password from gRPC metadata
(matching what the Android client sends)
- Allow TLS 1.2 on gRPC port — Android's BoringSSL/OkHttp transport
does not negotiate TLS 1.3 without Conscrypt
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Proto service renamed from EngPadSync to EngPadSyncService per buf
STANDARD lint rule SERVICE_SUFFIX
- Added java_package and java_multiple_files options for Android client
- Added buf.yaml with STANDARD lint and FILE breaking detection
- Regenerated Go gRPC stubs, updated server references
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace fmt.Printf logging calls with slog.Info/slog.Error for structured
JSON output to stderr. Add internal/log package to initialize the default
slog handler from the config log level. Fix .gitignore to only ignore the
binary at the repo root, not the cmd/eng-pad-server directory.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CRITICAL:
- A-001: SQL injection in snapshot — escape single quotes in backup path
- A-002: Timing attack — always verify against dummy hash when user not
found, preventing username enumeration
- A-003: Notebook ownership — all authenticated endpoints now verify
user_id before loading notebook data
- A-004: Point data bounds — decodePoints returns error on misaligned
data, >4MB payloads, and NaN/Inf values
HIGH:
- A-005: Error messages — generic errors in HTTP responses, no err.Error()
- A-006: Share link authz — RevokeShareLink verifies notebook ownership
- A-007: Scan errors — return 500 instead of silently continuing
MEDIUM:
- A-008: Web server TLS — optional TLS support (HTTPS when configured)
- A-009: Input validation — page_size, stroke count, point_data alignment
checked in SyncNotebook RPC
- A-010: Graceful shutdown — 30s drain on SIGINT/SIGTERM, all servers
shut down properly
Added AUDIT.md with all 17 findings, status, and rationale for
accepted risks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- HTML templates: layout, login, notebook list, notebook view, page viewer
- Web server with chi router, embedded templates via //go:embed
- Login/logout flow with session cookies
- Notebook list, page grid with SVG thumbnails, page viewer
- Share link views (same templates, no auth chrome)
- Server command wired to start gRPC + REST + web servers concurrently
- Graceful shutdown on SIGINT/SIGTERM
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- SVG: strokes → SVG path elements with dashed/arrow support,
coordinates scaled from 300 DPI to 72 DPI
- JPG: rasterization at 300 DPI using Go image package, Bresenham
line drawing with round pen circles
- PDF: minimal PDF generation with raw operators, no external library
- 6 tests: SVG output, dashed style, arrow heads, JPG magic bytes,
PDF header, page size calculations
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Proto definitions (engpad.v1.EngPadSync) with 6 RPCs
- Generated Go gRPC code
- Auth interceptor: username/password from metadata
- SyncNotebook: upsert with full page/stroke replacement in a tx
- DeleteNotebook, ListNotebooks handlers
- Share link RPCs: CreateShareLink, RevokeShareLink, ListShareLinks
- Share link token management (32-byte random, optional expiry)
- gRPC server with TLS 1.3
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
