15s landscape (1920x1080) split-screen: left shows SquareMCP chat
prompt + animated cURL command + 200 response with wamid; right shows
a rendered WhatsApp phone UI with the message bubble appearing and blue
double-checkmarks. Also adds transparent-background logo PNG for Meta
Tech Provider icon upload.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add src/notifications/slack.ts — Slack webhook integration with rich blocks
- Add src/notifications/index.ts — dispatcher with test-submission filtering
- Wire notifyNewPilotRequest() into POST /api/pilot-request (fire-and-forget)
- Filter out test submissions (@example.com, E2E, Smoke Test, QA Test, Browser Test)
- Skip alert gracefully when SLACK_PILOT_WEBHOOK_URL is not set
- Update .gitignore to exclude .playwright-mcp/ artifacts
Runs on every push to main and every PR:
1. npm ci — install deps
2. npm run build — TypeScript type check
3. npm test — vitest run (216 tests, all mocked, no DB/Redis needed)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Guards the browser OAuth popup flow used by claude.ai and ChatGPT:
- GET /login: return_to URL validation, XSS escaping, error display
- POST /login: first-party cookie properties (httpOnly/secure/lax/domain),
open redirect blocking, credential rejection paths
- GET /oauth/authorize: must redirect to /login (never app.squaremcp.com),
return_to encoding, valid session bypasses redirect
Also exports `app` from index.ts and guards main() with NODE_ENV !== 'test'
so the Express app can be imported by supertest without triggering DB init.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add GET/POST /login to hermes for first-party cookie during OAuth popup
(fixes browser CHIPS cookie partitioning that broke claude.ai connection)
- Add role column to all findCustomer* SQL queries in src/auth.ts
- Add claude.ai tab to docs/getting-started.html with OAuth flow steps
- Add ARCHITECTURE.md with system diagrams, data flow, and key invariants
- Rewrite README.md and DEPLOY.md to reflect actual MicroK8s deployment
- Deploy updated docs site (squaremcp-docs sha256 updated)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add YC_APPLICATION_ANSWERS.md with full Summer 2026 application draft
(all fields answered, updated with mortgage broker user interview quote)
- Wire OffthreadVideo into YCAppVideo.tsx for founder recording playback
- Ignore .mov files and .gstack/ in .gitignore
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add YCAppVideo Remotion composition (1920x1080, 60s)
- 3s intro card with founder name + company
- 55s video placeholder with branded frame + lower thirds
- 2s outro card with logo + tagline
- Update Root.tsx with new composition
- Add YC_APPLICATION_TALKING_POINTS.md with bullet points
and recording tips per YC instructions
- Add /public static route to serve files from /vaults/public
- Fix LinkedIn API version: 202501 → 202603 (active version)
- OpenAPI schema already included POST /api/linkedin/video
- Successfully posted Remotion video to LinkedIn
Implements full 4-step LinkedIn Videos API flow: download from public URL,
initialize upload, 4MB chunk PUT with ETag collection, finalize, poll until
AVAILABLE, then publish via POST /rest/posts reading post ID from x-restli-id.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TikTok: getUserProfile, getUserVideos, createVideo (PULL_FROM_URL),
getVideoStatus via Content Posting API v2. Full multi-tenant credential
isolation and audit logging on write operations.
Snapchat: getMe (Login Kit), getAdAccounts (Marketing API). createSnap
throws with a clear explanation that Creative Kit is mobile-only — no
server-side posting API exists.
Platform type, validPlatforms list, and /api/connections endpoint all
updated to include tiktok and snapchat. Architecture diagram updated.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add src/multitenancy/ with AES-256-GCM credential store, WhatsApp
webhook router (phone_number_id -> customerId), and per-customer
audit log (90-day Redis TTL)
- Add src/billing/ with plan definitions and meterMiddleware that
resolves API key -> Customer object with getCredential() closure
- Refactor all src/clients/* to accept optional customer param,
falling back to env vars for backward compat with single-user mode
- Thread customer through handleToolCall(name, args, customer?)
- Add customers table to MySQL schema initDatabase()
- Add /webhook/whatsapp (immediate 200 + async routing) and
/api/connect/* onboarding endpoints to index.ts
- Add Redis 7 to docker-compose.yml; add REDIS_URL and
CREDENTIAL_ENCRYPTION_KEY to hermes-k8s.yaml
- Add product/incubation/ with architecture write-up and PlantUML
diagrams (system architecture + 5 user flows)
- Extend OpenAPI spec in manifest.ts with all platform endpoints
Verification: 3 isolation tests (credential, webhook routing, audit
log) passed against live Redis. Deployed to hermes.squaremcp.com.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace FETCHERPAY with generic CUSTOM account examples
- Update README.md, .env.example, and DEPLOY.md with generic configurations
- Remove hardcoded IPs, email addresses, and domain names
- Update package.json description to be more generic
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
