Commit Graph

4 Commits

Author SHA1 Message Date
Protocolbot 1d7b4d7abd fix: strip base path in API router for subdirectory deployments
The API router's parse_path() only stripped /api from the URI, but
when deployed in a subdirectory (e.g. /protocol-droid/), the URI is
/protocol-droid/api/auth/register — the /api regex didn't match.
Now detects base path from SCRIPT_NAME and strips it before routing.
2026-07-06 15:05:13 -06:00
Protocolbot 3386ac6542 feat: switch from MySQL to SQLite for zero-dependency deployment
- Rewrite db.php to use SQLite via PDO (no external DB server needed)
- Rewrite schema.sql for SQLite (AUTOINCREMENT, CHECK constraints,
  triggers for updated_at, ON CONFLICT instead of ON DUPLICATE KEY)
- Fix config.php upsert to use ON CONFLICT syntax
- Fix index.php: tag filter via json_each, vote upsert via ON CONFLICT,
  and fix protocol create route (was returning 405 for POST /api/protocols)
- Fix yaml.php seed import: replace invalid false callbacks with fn() => null,
  fix yaml_parse pos argument (-1 -> 0)
- Update Dockerfile: drop pdo_mysql/mysqli (pdo_sqlite is built in)
- Update CloudronManifest.json: remove mysql addon, bump to v0.3.0
- Update README for SQLite deployment
2026-07-06 14:42:45 -06:00
Protocolbot 7379d0c540 fix: rewrite asset and API paths for subdirectory deployments
index.html uses absolute /frontend/ paths for CSS and JS, and app.js
hardcoded const API = '/api'. In subdirectory deployments these resolve
to the wrong URL, causing unstyled HTML and broken API calls.

- index.php: rewrite /frontend/ references in index.html with detected basePath
- app.js: derive BASE_PATH from the script's own URL and prefix API calls
2026-07-06 13:36:08 -06:00
Protocolbot 02794e565e feat: initial release of Protocol Droid v0.2.0
A tool for authoring, sharing, and curating social protocols.

Features:
- Protocol library with search, tag filtering, and sort by date/relevance
- Protocol authoring with structured fields (title, description, steps, outcome, practice, source, tags)
- Protocol forking with provenance tracking
- Collection creation with searchable protocol picker and ordering
- User accounts with roles (admin, member, viewer)
- YAML import/export for portability
- Self-hostable on LAMP/Cloudron, works in subdirectories
- Responsive design with hamburger menu on mobile
- About page

Security:
- CSRF protection via Origin/Referer validation
- Session regeneration on login/register
- Secure session cookie params (HttpOnly, SameSite, Secure)
- Visibility enforcement on private/unlisted items
- YAML object injection hardening
- Login rate limiting
- Path traversal protection
- Input validation and length clamping
- Vote value constraining

Stack: PHP 8.x + MySQL/MariaDB, vanilla JS frontend, no external dependencies.

Hippocratic License (HL3-CORE).
2026-07-06 13:18:08 -06:00