- models.py: add composite (user_id, date) indexes to flock_history,
feed_purchases, and other_purchases for faster date-filtered queries
(egg_collections already had one via its unique constraint)
- main.py: add v2.2 migration to create the three composite indexes on
existing installs at startup
- stats.py: fix N+1 query in monthly_stats — flock history is now fetched
once and looked up per month using bisect_right instead of one DB query
per month row; also remove unnecessary Decimal(str(...)) round-trips
since SQLAlchemy already returns Numeric columns as Decimal
- eggs.py: add limit parameter (default 500, max 1000) to list_eggs to
cap unbounded fetches on large datasets
- dashboard.js: pass start= (30 days ago) when fetching eggs so the
dashboard only loads the data it actually needs for the chart and
recent collections list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- nginx: add X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
and Referrer-Policy headers on all responses; rate limit /api/auth/login
to 5 req/min per IP (burst 3) to prevent brute force
- frontend: add escHtml() utility to api.js; use it on all notes fields
across dashboard, log, history, flock, and budget pages to prevent XSS
- log.js: fix broken loadRecent() call referencing removed #recent-body
element; replaced with loadHistory() from history.js
- schemas.py: raise minimum password length from 6 to 10 characters
- admin.py: add audit logging for password reset, disable, delete, and
impersonate actions; fix impersonate to use named admin param for logging
- main.py: add startup env validation — exits with clear error if any
required env var is missing; configure structured logging to stdout
- docker-compose.yml: add log rotation (10 MB / 3 files) to all services
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
