BillTracker/client/lib/version.js

export const APP_VERSION = '0.24.0';
export const APP_NAME    = 'BillTracker';

export const RELEASE_NOTES = {
  version: '0.24.0',
  date: '2026-05-10',
  highlights: [
    { icon: '🧹', title: 'Clear Demo Data Fix', desc: 'Fixed Clear Demo Data button — removed placeholder, made button accessible, fixed seed user ID bug, removed duplicate endpoint.' },
    { icon: '🛡️', title: 'Admin Toggle-Paid Restricted', desc: 'Admins can no longer toggle payments on other users\' bills. All bill payment mutations now require ownership.' },
    { icon: '🔧', title: 'Analytics Crash Fix', desc: 'Imported missing standardizeError in analytics routes — invalid query params now return 400 instead of 500.' },
    { icon: '📦', title: 'Export Data Integrity', desc: 'User exports now include cycle_type, cycle_day, and bill_history_ranges — no more data loss on export/import.' },
    { icon: '🔓', title: 'Single-User Mode Lockout Fix', desc: 'Fixed single-user mode locking out when expired sessions exist — removed unnecessary session join from user lookup.' },
    { icon: '⏱️', title: 'Rate Limiter Scoped', desc: 'Password rate limiter now only applies to change-password routes, not all profile reads/updates.' },
    { icon: '🔑', title: 'Session Invalidation Fix', desc: 'Profile password change now correctly invalidates other sessions using cookie value, not missing sessionId.' },
    { icon: '🍪', title: 'CSRF Default Fixed', desc: 'CSRF cookie httpOnly defaults to false (matches SPA pattern). Password change routes no longer exempted from CSRF.' },
    { icon: '📅', title: 'Notification Due-Day Fix', desc: 'Fixed same-day reminder classification — now compares calendar days instead of timestamps to avoid overdue misclass.' },
    { icon: '📊', title: 'Upcoming Bills Validation', desc: 'Negative/invalid day windows now default to 30 instead of producing empty results.' },
  ],
};
fix: HIGH+MEDIUM batch — 10 fixes (v0.24.0) HIGH: - Admin toggle-paid: removed cross-user admin branch, now requires ownership - Analytics crash: imported missing standardizeError - Export data loss: added cycle_type, cycle_day, bill_history_ranges to exports - Single-user lockout: removed unnecessary sessions join from getSingleModeUser MEDIUM: - Password rate limiter: scoped to change-password only, not all profile routes - Profile session invalidation: fixed req.sessionId → req.cookies[COOKIE_NAME] - CSRF default: httpOnly now defaults to false (matches SPA double-submit pattern) - CSRF password routes: removed csrfSkip for password change endpoints - Notification due-day: calendar day comparison instead of timestamp floor - Upcoming bills: clamped days to 1-365, default 30 for invalid input FUTURE.md: marked all 10 items as FIXED, bumped version refs HISTORY.md: added v0.24.0 entry 2026-05-10 15:25:47 -05:00			`export const APP_VERSION = '0.24.0';`
initial commit 2026-05-03 19:51:57 -05:00			`export const APP_NAME = 'BillTracker';`

			`export const RELEASE_NOTES = {`
fix: HIGH+MEDIUM batch — 10 fixes (v0.24.0) HIGH: - Admin toggle-paid: removed cross-user admin branch, now requires ownership - Analytics crash: imported missing standardizeError - Export data loss: added cycle_type, cycle_day, bill_history_ranges to exports - Single-user lockout: removed unnecessary sessions join from getSingleModeUser MEDIUM: - Password rate limiter: scoped to change-password only, not all profile routes - Profile session invalidation: fixed req.sessionId → req.cookies[COOKIE_NAME] - CSRF default: httpOnly now defaults to false (matches SPA double-submit pattern) - CSRF password routes: removed csrfSkip for password change endpoints - Notification due-day: calendar day comparison instead of timestamp floor - Upcoming bills: clamped days to 1-365, default 30 for invalid input FUTURE.md: marked all 10 items as FIXED, bumped version refs HISTORY.md: added v0.24.0 entry 2026-05-10 15:25:47 -05:00			`version: '0.24.0',`
v0.20.4: Explicit migration dependency management - Added dependsOn field to all 17 versioned migrations - Added validateMigrationDependencies() function for dependency validation - Migrations with unmet dependencies are skipped with error log (no crash) - Dependency satisfaction logged: [migration] vX depends on [vY] — satisfied - appliedVersions Set tracks newly applied migrations for subsequent checks - Hudson security audit: 7/7 PASS 2026-05-09 23:24:51 -05:00			`date: '2026-05-10',`
initial commit 2026-05-03 19:51:57 -05:00			`highlights: [`
fix: HIGH+MEDIUM batch — 10 fixes (v0.24.0) HIGH: - Admin toggle-paid: removed cross-user admin branch, now requires ownership - Analytics crash: imported missing standardizeError - Export data loss: added cycle_type, cycle_day, bill_history_ranges to exports - Single-user lockout: removed unnecessary sessions join from getSingleModeUser MEDIUM: - Password rate limiter: scoped to change-password only, not all profile routes - Profile session invalidation: fixed req.sessionId → req.cookies[COOKIE_NAME] - CSRF default: httpOnly now defaults to false (matches SPA double-submit pattern) - CSRF password routes: removed csrfSkip for password change endpoints - Notification due-day: calendar day comparison instead of timestamp floor - Upcoming bills: clamped days to 1-365, default 30 for invalid input FUTURE.md: marked all 10 items as FIXED, bumped version refs HISTORY.md: added v0.24.0 entry 2026-05-10 15:25:47 -05:00			`{ icon: '🧹', title: 'Clear Demo Data Fix', desc: 'Fixed Clear Demo Data button — removed placeholder, made button accessible, fixed seed user ID bug, removed duplicate endpoint.' },`
			`{ icon: '🛡️', title: 'Admin Toggle-Paid Restricted', desc: 'Admins can no longer toggle payments on other users\' bills. All bill payment mutations now require ownership.' },`
			`{ icon: '🔧', title: 'Analytics Crash Fix', desc: 'Imported missing standardizeError in analytics routes — invalid query params now return 400 instead of 500.' },`
			`{ icon: '📦', title: 'Export Data Integrity', desc: 'User exports now include cycle_type, cycle_day, and bill_history_ranges — no more data loss on export/import.' },`
			`{ icon: '🔓', title: 'Single-User Mode Lockout Fix', desc: 'Fixed single-user mode locking out when expired sessions exist — removed unnecessary session join from user lookup.' },`
			`{ icon: '⏱️', title: 'Rate Limiter Scoped', desc: 'Password rate limiter now only applies to change-password routes, not all profile reads/updates.' },`
			`{ icon: '🔑', title: 'Session Invalidation Fix', desc: 'Profile password change now correctly invalidates other sessions using cookie value, not missing sessionId.' },`
			`{ icon: '🍪', title: 'CSRF Default Fixed', desc: 'CSRF cookie httpOnly defaults to false (matches SPA pattern). Password change routes no longer exempted from CSRF.' },`
			`{ icon: '📅', title: 'Notification Due-Day Fix', desc: 'Fixed same-day reminder classification — now compares calendar days instead of timestamps to avoid overdue misclass.' },`
			`{ icon: '📊', title: 'Upcoming Bills Validation', desc: 'Negative/invalid day windows now default to 30 instead of producing empty results.' },`
initial commit 2026-05-03 19:51:57 -05:00			`],`
v0.19.4: bump version to 0.19.4 in package.json and login screen 2026-05-09 20:25:05 -05:00			`};`