• v0.0.1-rc.10 951bc511e8

    Carol v0.0.1-rc.10
    Some checks failed
    Secrets / gitleaks (push) Successful in 12s
    Release / Build, sign, and publish (push) Successful in 2m16s
    Release (Android) / Build, sign, attach (push) Failing after 4m27s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 5m6s
    Pre-release

    james released this 2026-06-23 20:40:35 +00:00 | 161 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.10 — 2026-06-23

    Bug fixes

    • switch Avatar to expo-image so source.headers reach the network (#256) (9869485)
    • use expo-file-system File for native picture upload (#253, fifth attempt) (d1705d7)
    • bypass URL rewriter for picture upload (#253, fourth attempt) (b9e3989)
    • strip wrong Content-Type on multipart so RN regenerates it (b71fbe8)
    • detect FormData via RN polyfill private field, not just Content-Type (d17bd65)
    • include oauth_inits in postgres teardown table list (4151e9c)
    • profile picture upload + display on android (#253, #256) — second pass (7c4fde0)
    • wire Enter-to-submit across form-bearing screens (#255) (2500c7a)
    • keyboard-aware scroll across form-bearing screens (#254) (3a3d3cc)
    • profile picture renders on android (#256) (9832f11)
    • profile picture upload works on android (#253) (60413aa)
    • drop literal tags from empty-state strings (fb82042)
    • configure i18next for single-brace {var} interpolation (4ca1356)
    • domain routes accept bearer tokens, not just session (4246d17)
    • give the sidebar shell flex: 1 so the nav list renders (ceb6780)
    • respect the status-bar inset in the mobile header (7c4c969)
    • /api/auth/me accepts bearer tokens, not session-only (a813f2a)
    • invalidate useMe cache after login (f7b33be)
    • iterate Headers explicitly when rewriting Request (69bb01e)
    • middlewares return undefined when not modifying (827ef5b)
    • explicitly copy request body in the off-origin rewriter (74c70c9)
    • rewrite relative URLs in the off-origin rewriter (745e3b1)
    • pin react-native to 0.85.3 via pnpm.overrides (f85521e)
    • pin react + react-dom to 19.2.3 via pnpm.overrides (ab2ed62)
    • loosen react pin so the bundle ships one copy (7546fd7)
    • make SPA catch-all optional so / serves index.html (#185) (bc045c0)
    • unwrap cursor pagination envelope on flat-list hooks (#184) (b9e72f6)
    • drop access_tokens + refresh_tokens before users in CI teardown (#180) (5d2e64a)
    • space note creates so cursor pagination is deterministic (#178) (c3b413c)
    • lazy-load openapi registry inside GET handler (#178) (db0ab48)
    • add tsx>esbuild to lavamoat.allowScripts as disabled (#178) (500c50a)
    • restore nested next-intl/@swc/helpers@0.5.23 in package-lock.json (#178) (31ec66b)
    • form inputs overflow their container on every screen (#24 follow-up) (2be45c9)

    Build / tooling

    • bundle the Expo Web client into the API image (#186) (54094bb)

    Chores

    • strip diagnostics from picture upload + display path (6521f57)
    • log Avatar source + load events to diagnose blank picture (dbd0fa1)
    • introspect FormData ctor + parts to diagnose native send (acb9e87)
    • log picker asset shape to diagnose FormDataPart error (16f9e35)
    • bump rewriter diagnostic from console.log to console.warn (8639d29)
    • instrument rewriter + upload catch to diagnose Android FormData path (9a54364)
    • teach package-age check to walk pnpm-lock.yaml (#213) (27a8bea)
    • ignore CVE-2026-12151 in Next.js bundled undici (0c8fedb)
    • add lucide-react-native + nav icons (#210) (3121888)
    • drop UI deps, prune public-route allowlist, refresh docs (#185) (f01f0fd)
    • drop next-intl request config and tanstack query client (#185) (93ea8a0)
    • delete root layout, providers, and PWA service worker (#185) (d9961e8)
    • delete pwa screens, components, and themes (#185) (b92ee95)
    • catalog keys for slice 2 screens (#184) (2382bfe)
    • add en keys for profile/skills/experience client screens (#184) (c629bfa)
    • bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199) (0ebe643)
    • scaffold @carol/client — Expo SDK 56 + Router + RN Web (#183) (f752a5e)
    • scaffold @carol/api-client — package.json, tsconfig, vitest, eslint (#182) (d147811)
    • restructure into pnpm workspaces — apps/api + placeholders (#181) (6f626f5)
    • commit initial openapi.json (#178) (0182366)

    Documentation

    • note /api/contracts in the paginated-endpoints list (f0c3174)
    • fix the Expo Go recipe — don't pass --android (85ed67d)
    • add CONTRIBUTING.md with local dev + build recipes (f73958c)
    • refresh pagination section for #191 newly-paginated endpoints (d868427)
    • wire @carol/api-client into CI + conventions doc + CLAUDE.md (#182) (723c47b)
    • note bearer auth in CLAUDE.md, add ACCESS/REFRESH_TOKEN_TTL_SECONDS to README (#180) (665a2e9)
    • name the PWA bundle as a release artifact in idea.md (#177) (a4a4bb0)
    • adopt ADR-0027 for frontend/backend split (#177) (0de0ec9)

    Features

    • link-session token for native OAuth linking (#245) (be40c6f)
    • native clipboard via expo-clipboard (#218) (55fc1fc)
    • contracts tab in the experience screen (e14fdcd)
    • contracts catalog strings + contract_has_position key (6170cbb)
    • contracts hooks + shared cache invalidation (6b87f06)
    • contracts routes + DTOs + one-position invariant (3a0f86f)
    • jobs.is_contract column + contract-aware repository (563609a)
    • OAuth callback → bearer token handoff for native (#215) (08f177d)
    • profile picture upload via expo-image-picker (#217) (78f654e)
    • zod schema error messages → i18n catalog keys (#212) (5fc6bcb)
    • linked-identities panel on the account screen (#216) (32d0057)
    • show + change the configured server URL from the login screen (#235) (1da0a58)
    • forgejo workflow for flatpak release (#188) (4b19659)
    • flatpak manifest + desktop entry + icons (#188) (5ec858a)
    • tauri shell wraps the expo web bundle (#188) (5f67abf)
    • runtime URL plumbing distinguishes web vs tauri webview (#188) (85e37ec)
    • public-route allowlist for new SW + manifest paths (#208) (efdbfef)
    • service worker with precache + offline shell (#208) (f4d02cc)
    • expo web manifest + icons (#208) (4eb09d6)
    • tighter active-route + brand styling (#210) (8666916)
    • native drawer + mobile hamburger (#210) (22181ad)
    • theme + locale switchers in the sidebar footer (#210) (9c3ac74)
    • collapse + expand sidebar with persistence (#210) (ccab92d)
    • forgejo workflow for signed android release (#187) (0d407f3)
    • android build wiring (prebuild + signing config) (#187) (9a7bbd2)
    • runtime API URL settings + secure storage (#187) (cbf6819)
    • sidebar nav shell on the (app) layout (a6f543c)
    • port projects, applications, chat as placeholders (#184) (73da311)
    • add education section to experience screen (#184) (06b416b)
    • port network placeholder to expo router (#184) (15afc2a)
    • port account screen to expo router (#184) (9b426bd)
    • catch-all to serve the Expo Web bundle (#186) (fdb2982)
    • cursor pagination on /api/account/tokens (#191) (eac0a8e)
    • cursor pagination on /api/profile/contacts (#191) (24fa7f7)
    • cursor pagination on /api/educations (#191) (27e9a88)
    • adopt sort/filter on /api/notes (#192) (ea37116)
    • parseFilter helper (#192) (5616c38)
    • parseSort helper (#192) (d57ff40)
    • port experience (jobs) screen to expo router (#184) (ae699bf)
    • port skills screen to expo router (#184) (231f5c5)
    • port profile screen to expo router (#184) (ce9853f)
    • theme + i18n + auth glue + Notes reference + CI gates (#183) (1c32b55)
    • POST /api/auth/token + /api/auth/refresh, OpenAPI registration, tests (#180) (9a27217)
    • mint + verify access tokens, refresh-rotation w/ reuse detection (#180) (c96b512)
    • access + refresh token tables w/ family_id for reuse detection (#180) (b5273bc)
    • generate OpenAPI 3.1 spec from zod + CI drift gate (#178) (b62db24)
    • cursor pagination on /api/notes + conventions doc (#179) (b596155)
    • migrate user + settings DTOs to zod (#179) (f1c84b2)
    • adopt RFC 7807 Problem Details across all routes (#179) (168a2b0)
    • jobs, positions, contributions — three-tier career history (#24) (570f73f)

    Other

    • Merge pull request 'fix(client): profile picture upload + display on android (#253, #256)' (#263) from fix-formdata-detection into main (951bc51)
    • Merge pull request 'feat(api+client): link-session token for native OAuth linking (#245)' (#262) from 245-native-oauth-link-session into main (0b350ac)
    • Merge pull request 'fix(test): include oauth_inits in postgres teardown table list' (#261) from fix-postgres-tests-oauth-inits into main (1d3207a)
    • Merge pull request 'fix(client): profile picture upload + display on android (#253, #256) — second pass' (#260) from 253-256-android-profile-picture-2 into main (25df282)
    • Merge pull request 'fix(client): keyboard-aware scroll + Enter-to-submit on forms (#254, #255)' (#258) from 254-255-keyboard-form-ux into main (dd5adea)
    • Merge pull request 'fix(client): profile picture upload + display on android (#253, #256)' (#257) from 253-android-profile-picture into main (052daf3)
    • Merge pull request 'feat(client): native clipboard via expo-clipboard (#218)' (#247) from 218-native-clipboard into main (b479d9c)
    • Merge pull request 'fix(i18n): drop literal tags from empty-state strings' (#252) from 251-em-tags into main (a458673)
    • Merge pull request 'feat(api+client): contracts feature (#25)' (#250) from 25-contracts into main (e20a9e8)
    • Merge pull request 'feat(api+client): OAuth callback → bearer token handoff for native (#215)' (#249) from 215-oauth-native-bearer into main (55f24fb)
    • Merge pull request 'feat(client): profile picture upload via expo-image-picker (#217)' (#248) from 217-profile-picture-upload into main (2f06806)
    • Merge pull request 'feat(api): zod schema error messages → i18n catalog keys (#212)' (#246) from 212-zod-i18n into main (38e5459)
    • Merge pull request 'feat(api+client): linked-identities panel on the account screen (#216)' (#244) from 216-linked-identities-panel into main (d525373)
    • Merge pull request 'chore(ci): teach package-age check to walk pnpm-lock.yaml (#213)' (#242) from 213-pnpm-lock-package-ages into main (425d9cb)
    • Merge pull request 'chore(security): ignore CVE-2026-12151 in Next.js bundled undici' (#240) from trivyignore-next-undici into main (542dfd6)
    • Merge pull request 'feat(client): show + change the configured server URL from the login screen (#235)' (#238) from 235-login-server-url into main (55277f7)
    • Merge pull request 'fix(deps): pin react-native to 0.85.3 via pnpm.overrides' (#232) from fix-rn-dedupe into main (729f10c)
    • Merge pull request 'docs: add CONTRIBUTING.md with local dev + build recipes' (#231) from contributing-md into main (0ee4841)
    • Merge pull request 'feat(client): linux flatpak via tauri shell (#188)' (#222) from 188-linux-flatpak into main (e75e5aa)
    • Merge pull request 'feat(client): restore PWA install + offline shell via Expo (#208)' (#223) from 208-pwa-install-offline into main (270d9ff)
    • Merge pull request 'feat(client): nav shell — icons, collapse, switchers, native drawer (#210)' (#211) from 210-nav-shell-features into main (af8da7a)
    • Merge pull request 'feat(client): signed Android APK build with runtime API URL (#187)' (#207) from 187-android-build into main (5a47d9f)
    • Merge pull request 'chore(api): decommission Next.js UI (#185)' (#209) from 185-decommission-nextjs-ui into main (983dd57)
    • Merge pull request 'feat(client): port projects, applications, chat as placeholders (#184)' (#206) from 184-projects-applications-chat into main (efb63f7)
    • Merge pull request 'feat(client): port account, network, education screens (#184)' (#205) from 184-people-account-slice into main (bb3851d)
    • Merge pull request 'feat: single-container deployment — API serves the Expo Web bundle (#186)' (#204) from 186-single-container-deployment into main (c6de397)
    • Merge pull request 'feat(api): cursor pagination on remaining flat lists (#191)' (#203) from 191-pagination-remaining-lists into main (ae02f45)
    • Merge pull request 'feat(api): parseSort + parseFilter query helpers (#192)' (#202) from 192-sort-filter-helpers into main (f3ecfd2)
    • Merge pull request 'feat(client): port profile/skills/experience screens (#184)' (#201) from 184-career-core-screens into main (9cd4f7d)
    • Merge pull request 'chore(deps): bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199)' (#200) from 199-bump-vitest-vite into main (f2320c6)
    • Merge pull request 'feat(client): scaffold @carol/client — Expo Router + RN Web (#183)' (#198) from 183-expo-client-scaffolding into main (8527d2a)
    • Merge pull request 'feat(api-client): generated typed client + TanStack Query hooks (#182)' (#197) from 182-generated-api-client into main (ecf7f8c)
    • Merge pull request 'chore: restructure into pnpm workspaces — apps/api + placeholders (#181)' (#195) from 181-workspace-restructure into main (511fc71)
    • Merge pull request 'feat(api): token-based auth — bearer + refresh (#180)' (#194) from 180-token-auth into main (2851492)
    • Merge pull request 'feat(api): OpenAPI 3.1 spec generation + /api/openapi.json + CI drift gate (#178)' (#193) from 178-openapi-spec-generation into main (54b936f)
    • Merge pull request 'feat(api): contract hardening — Problem Details, zod, pagination (#179)' (#190) from 179-api-contract-hardening into main (826e340)
    • Merge pull request 'docs(adr): adopt ADR-0027 for frontend/backend split (#177)' (#189) from 177-adr-frontend-backend-split into main (062daea)
    • Merge pull request 'feat(service+pwa): jobs, positions, contributions — three-tier career history (#24)' (#175) from 24-jobs-positions-contributions into main (c2f3834)
    • Merge pull request 'refactor(pwa): add semantic colour tokens + migrate primitives off inlined hex (#149)' (#174) from 149-semantic-color-tokens into main (20e7302)

    Performance

    • cache the access token in memory (a5930f8)

    Refactor

    • add semantic colour tokens + migrate primitives off inlined hex (#149) (62e8b2b)

    Tests

    • wipe jobs/positions/contributions between Postgres runs (#24 follow-up) (ed5b9e7)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:f5cc22626146df70ae94061ff19e36a55060d75d7164bd43d38c9ade925e461b
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:f5cc22626146df70ae94061ff19e36a55060d75d7164bd43d38c9ade925e461b
    
    Downloads