- Backend: previous month calculation with year wrapping (Jan→Dec)
- Backend: previous_month_paid per bill row, previous_month_total in summary
- Frontend: 'Last Month' column in desktop table with muted text
- Frontend: 'Last Month' in mobile view, summary card for prev month total
- Hudson security audit: 5/5 PASS (SQL injection, date wrapping, user scoping, auth, XSS)
- Skip-to-content link for keyboard users (sr-only/focus:not-sr-only pattern)
- aria-expanded and aria-haspopup on Tracker menu dropdown
- aria-label on footer, role='main' and aria-labelledby on layout wrapper
- Main content wrapped in <main> with unique id from React useId()
- Fixed build error: useId imported from react, not react-router-dom
- Hudson security audit: 5/5 PASS (no XSS, no DOM clobbering, no injection)
- Added dependsOn field to all 17 versioned migrations
- Added validateMigrationDependencies() function for dependency validation
- Migrations with unmet dependencies are skipped with error log (no crash)
- Dependency satisfaction logged: [migration] vX depends on [vY] — satisfied
- appliedVersions Set tracks newly applied migrations for subsequent checks
- Hudson security audit: 7/7 PASS
- React.lazy + Suspense for all page components (except LoginPage)
- PageLoader component for loading states
- Version badge on admin roadmap page
- Version in /api/about-admin response
- Roadmap nav link for admins (dropdown + sidebar)
- /admin/roadmap route
- New AdminDashboard component with Roadmap and Activity Log
- Color-coded priority cards (🔴🟠🟡🔵💭) with collapsible sections
- CRITICAL/HIGH expanded by default, others collapsed
- Activity log shows DEVELOPMENT_LOG entries in reverse chronological order
- Admin-only rendering, non-admins see standard About page
- Custom scrollbar styles for admin panels
- Version bumped to 0.20.0 (Bishop)
Added ErrorBoundary component wrapping all routes in App.jsx.
Shows friendly fallback UI with Try Again and Reload buttons
instead of white screen crash. Logs component stack to console.
CRITICAL fix: Users upgrading from pre-migration-tracking databases
(now get 'invalid username/password' because schema_migrations table
doesn't exist. Added handleLegacyDatabase() and
reconcileLegacyMigrations() to detect and reconcile legacy DBs.
Security fixes:
- Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist
- Public /about bypass: added admin route guard in App.jsx
- Sensitive info exposure: expanded redactSensitiveContent() patterns
- Error message path leaks: generic error messages only
- Race condition: wrapped in db.transaction() in server.js
- Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1)
All verified by Bishop (build + runtime) and Private_Hudson (security).
- Added schema_migrations table for explicit version tracking (CRITICAL fix)
- Refactored runMigrations() to use versioned migration objects
- Added hasMigrationBeenApplied() and recordMigration() helpers
- Migrations now skip already-applied versions and log progress
- Updated FUTURE.md with migration system issues and criticality ratings
- Updated Engineering_Reference_Manual.md with migration system docs
- Added DEVELOPMENT_LOG.md for agent work tracking
null