feat: v1.0.0 — UX polish, security hardening, code quality

UI/UX: - Bill detail page tab UI (Analysis / Timeline / Votes / Notes) - Topic tag pills on bill detail and listing pages — filtered to known topics, clickable, properly labelled via shared lib/topics.ts - Notes panel always-open in Notes tab; sign-in prompt for guests - Collapsible sidebar with icon-only mode and localStorage persistence - Bills page defaults to has-text filter enabled - Follow mode dropdown transparency fix - Favicon (Landmark icon, blue background) Security: - Fernet encryption for ntfy passwords at rest (app/core/crypto.py) - Separate ENCRYPTION_SECRET_KEY env var; falls back to JWT derivation - ntfy_password no longer returned in GET response — replaced with ntfy_password_set: bool; NotificationSettingsUpdate type for writes - JWT_SECRET_KEY fail-fast on startup if using default placeholder - get_optional_user catches (JWTError, ValueError) only, not Exception Bug fixes & code quality: - Dashboard N+1 topic query replaced with single OR query - notification_utils.py topic follower N+1 replaced with batch query - Note query in bill detail page gated on token (enabled: !!token) - search.py max_length=500 guard against oversized queries - CollectionCreate.validate_name wired up with @field_validator - LLM_RATE_LIMIT_RPM default raised from 10 to 50 Authored by: Jack Levy
2026-03-15 01:10:31 -04:00
parent 4308404cca
commit 9633b4dcb8
24 changed files with 591 additions and 296 deletions
--- a/backend/app/api/dashboard.py
+++ b/backend/app/api/dashboard.py
@@ -2,7 +2,7 @@ from datetime import date, timedelta

 from fastapi import Depends
 from fastapi import APIRouter
-from sqlalchemy import desc, select
+from sqlalchemy import desc, or_, select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload

@@ -92,15 +92,15 @@ async def get_dashboard(
                feed_bills.append(bill)
                seen_ids.add(bill.bill_id)

-    # 3. Bills matching followed topics
-    for topic in followed_topics:
+    # 3. Bills matching followed topics (single query with OR across all topics)
+    if followed_topics:
        result = await db.execute(
            select(Bill)
            .options(selectinload(Bill.sponsor), selectinload(Bill.briefs), selectinload(Bill.trend_scores))
            .join(BillBrief, Bill.bill_id == BillBrief.bill_id)
-            .where(BillBrief.topic_tags.contains([topic]))
+            .where(or_(*[BillBrief.topic_tags.contains([t]) for t in followed_topics]))
            .order_by(desc(Bill.latest_action_date))
-            .limit(10)
+            .limit(20)
        )
        for bill in result.scalars().all():
            if bill.bill_id not in seen_ids:
--- a/backend/app/api/notifications.py
+++ b/backend/app/api/notifications.py
@@ -12,6 +12,7 @@ from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession

 from app.config import settings as app_settings
+from app.core.crypto import decrypt_secret, encrypt_secret
 from app.core.dependencies import get_current_user
 from app.database import get_db
 from app.models.notification import NotificationEvent
@@ -41,7 +42,7 @@ def _prefs_to_response(prefs: dict, rss_token: str | None) -> NotificationSettin
        ntfy_auth_method=prefs.get("ntfy_auth_method", "none"),
        ntfy_token=prefs.get("ntfy_token", ""),
        ntfy_username=prefs.get("ntfy_username", ""),
-        ntfy_password=prefs.get("ntfy_password", ""),
+        ntfy_password_set=bool(decrypt_secret(prefs.get("ntfy_password", ""))),
        ntfy_enabled=prefs.get("ntfy_enabled", False),
        rss_enabled=prefs.get("rss_enabled", False),
        rss_token=rss_token,
@@ -88,7 +89,7 @@ async def update_notification_settings(
    if body.ntfy_username is not None:
        prefs["ntfy_username"] = body.ntfy_username.strip()
    if body.ntfy_password is not None:
-        prefs["ntfy_password"] = body.ntfy_password.strip()
+        prefs["ntfy_password"] = encrypt_secret(body.ntfy_password.strip())
    if body.ntfy_enabled is not None:
        prefs["ntfy_enabled"] = body.ntfy_enabled
    if body.rss_enabled is not None:
--- a/backend/app/api/search.py
+++ b/backend/app/api/search.py
@@ -11,7 +11,7 @@ router = APIRouter()

@router.get("")
 async def search(
-    q: str = Query(..., min_length=2),
+    q: str = Query(..., min_length=2, max_length=500),
    db: AsyncSession = Depends(get_db),
 ):
    # Bill ID direct match