Review findings and fixes:
- Fix subscription routes use :userId not :id
- Fix GET /plans returns { plans: [...] } wrapper
- Fix org routes require admin-only JWT role
- Flag missing POST /referrals/apply endpoint
- Flag missing POST /subscriptions/restore endpoint
- Expand org-client and marketplace-client with full API signatures
- Add x-product-id header requirement
- Add NomGap Migration Plan
- Add Known Backend Gaps appendix
- Add /implement-shared-packages workflow
- Enterprise SAML/OIDC callbacks used raw 'sso_xxx' string as passwordHash
  which would crash bcrypt.compare(). Now uses userRepo.hashPassword(randomUUID())
- Added updateLastLogin() for existing enterprise SSO users
- Upgraded bcrypt cost factor from 10 to 12 per PRD spec
- All 53 auth tests passing
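
The SSO placeholder-hash fix from the entries above, as an added example that is not part of the original log or the project's code. It assumes Node's built-in scrypt as a stand-in for bcrypt; the in-memory `users` map, `provisionSsoUser`, `passwordLogin` and the `scrypt$salt$key` storage format are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-in for bcrypt (assumption): scrypt stored as "scrypt$<saltHex>$<keyHex>".
function hashPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(password, salt, 32);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

// Fails closed: a stored value that is not a well-formed hash (for example a
// raw 'sso_xxx' marker) returns false instead of throwing.
function verifyPassword(password, stored) {
  const parts = typeof stored === 'string' ? stored.split('$') : [];
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false;
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  if (salt.length !== 16 || expected.length !== 32) return false;
  const actual = nodeCrypto.scryptSync(password, salt, 32);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Hypothetical in-memory user store keyed by email.
const users = new Map();

// Called from an SSO callback once the IdP assertion has been validated.
// New users get a real hash of a random secret that nobody knows, so the
// password path always has a valid hash to compare and can never succeed.
function provisionSsoUser(email) {
  let user = users.get(email);
  if (!user) {
    user = {
      email,
      passwordHash: hashPassword(nodeCrypto.randomUUID()),
      lastLogin: null,
    };
    users.set(email, user);
  }
  user.lastLogin = new Date().toISOString(); // updated for new and existing users
  return user;
}

// Password login path shared with non-SSO accounts.
function passwordLogin(email, password) {
  const user = users.get(email);
  return Boolean(user) && verifyPassword(password, user.passwordHash);
}
```
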
- GET /auth/mfa/totp/secret — retrieve decrypted TOTP secret for auth app
- POST /auth/mfa/push/create, GET /pending, POST /:id/respond, GET /:id/status
- POST /auth/qr/create, POST /auth/qr/confirm, GET /auth/qr/:id/status
- Kotlin SDK: getTotpSecret, getPendingApprovals, respondToApproval, confirmQrLogin
- Swift SDK: getTotpSecret, getPendingApprovals, respondToApproval, confirmQrLogin
- All 53 auth tests passing
- Create repos.txt as single source of truth for all 7 workspace repos
- Update all repo-management workflows to source from repos.txt:
  - repo_sync-repos, repo_push-repos, repo_backup-and-push
  - repo_backup-main-branch, repo_commit-workspace
Benefits:
- One file to update when adding/removing repos
- Consistent repo list across all workflows
- Scripts can read repos.txt for automation
- refresh.sh: idempotent script, auto-discovers repos, updates symlinks + copies docs/workflows
- launchd plist: scheduled daily at 11 PM + on login
- /refresh-chat-history workflow for on-demand Cascade runs
- README updated with auto-refresh docs and full data inventory
- Repo docs and workflows refreshed from all 4 repos
- backup-main.sh: no longer pushes unpushed main commits, removed Main Push column
- commit-workspace.sh: removed push_repo function, local commits only
- repo_commit-workspace.md: updated docs to reflect no-push behavior
- Create Backup Main Branch skill with comprehensive documentation
- Add Windsurf workflow for easy access
- Implement bash script with multi-repo support
- Smart detection to avoid duplicate backups
- Automatic cleanup of old backups (keeps 7 days)
- Color-coded output for better visibility
- Always returns to main branch after backup