Scott's Website

Development Log

A chronological summary of every pull request and key commit merged into the project.

Recent releases gave the admin suite grown-up conveniences: sticky post controls now span the editor, API, and home feed, the save flow drops you onto the story you just finished polishing, and the cancel button respects whether you came from an existing article or a blank draft. Those details keep the publishing lane fast while the public pages hang onto the Harley-orange swagger that makes the Road Chronicles vibe stick.

Most of the sweat went into taming iOS authentication. Cloudflare’s caching, Worker cookie flags, and Safari’s auto-submit quirks kept breaking the handshake until I instrumented every step, throttled submissions with requestAnimationFrame, and juggled allowlists between staging and production. The logs now read like a road atlas, marking exactly where a cookie dropped or a preflight never fired.

From here the plan is simple: keep tightening the publishing tools, expand the D1-backed archive with richer filtering, and harden the auth stack so it survives whatever phone or trail I throw at it. As the rides get longer, the platform should stay fast, secure, and unmistakably mine.

PR #61 — Fixed cancel redirect when editing posts

Taught the editor’s cancel action to respect context: if you arrive from an existing post, backing out now takes you straight back to that story instead of dumping you on the admin listing. Kept the previous dashboard fallback for brand-new drafts so creators still have a safe landing spot when they abandon work that never had a permalink.

Commits d6a15b1→739a009 — Hardened iOS login handshake

Shipped a flurry of auth tweaks to tame mobile Safari: rewired the form to use real submit events, blocked autofill from auto-posting credentials, and inserted a requestAnimationFrame pause so iOS commits touch events before the worker call fires. While chasing the bug, refreshed the login template, experimented with staging origins in the Cloudflare allowlist, and layered verbose console logging to map every step of the session flow.

PR #60 — Redirected to post after saving edits

Captured the post identifier returned from create and update operations so the editor can route authors directly to the freshly saved article once the toast message clears. Added resilient fallbacks that keep redirecting even if the response body is missing, prioritizing the reader-facing post view but defaulting to the admin console when needed.

PR #59 — Normalized sticky flag inputs

Hardened the blog post API so any mix of truthy strings, numbers, or booleans for sticky collapses into a predictable 0 or 1, eliminating quirks from different form controls. Introduced an ESM-aware test harness that exercises create and update flows end to end, guaranteeing sticky metadata survives round trips before the UI tries to prioritize it.

PR #58 — Added sticky post support across editor, API, and home feed

Added a sticky selector to the editor alongside smarter limit/sort sanitizers so admins can flag marquee posts without worrying about malformed query params. Surfaced sticky status in the API responses and home page cards with badges and highlight styles, keeping promoted stories pinned ahead of the rolling chronology.
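The sticky normalization from PR #59 and the limit/sort sanitizers from PR #58 can be sketched together. This is an added example, not the site's own code: the function names, the `posts` table, the `created_at` and `title` columns, and the default and maximum limits are assumptions.

```javascript
// Added example: hypothetical sanitizers for a posts listing endpoint.
// Only `sticky` and `updated_at` are named on this page; the rest is assumed.
const SORT_COLUMNS = new Set(["updated_at", "created_at", "title"]);
const TRUTHY = new Set(["1", "true", "yes", "on"]);

// Collapse booleans, numbers and form strings into exactly 0 or 1.
function normalizeSticky(value) {
  if (typeof value === "boolean") return value ? 1 : 0;
  if (typeof value === "number") return Number.isFinite(value) && value !== 0 ? 1 : 0;
  if (typeof value === "string") {
    const s = value.trim().toLowerCase();
    if (TRUTHY.has(s)) return 1;
    const n = Number(s);
    return s !== "" && Number.isFinite(n) && n !== 0 ? 1 : 0;
  }
  return 0; // null, undefined, objects, arrays
}

// Clamp limit to an integer in [1, max]; anything malformed gets the default.
function sanitizeLimit(raw, fallback = 10, max = 50) {
  const s = String(raw ?? "").trim();
  if (!/^\d{1,9}$/.test(s)) return fallback;
  return Math.min(Math.max(parseInt(s, 10), 1), max);
}

// ORDER BY cannot take a bound parameter, so the column and direction
// are picked from allowlists instead of being copied from the query string.
function sanitizeSort(rawColumn, rawDirection) {
  const column = SORT_COLUMNS.has(rawColumn) ? rawColumn : "updated_at";
  const direction = String(rawDirection ?? "").toLowerCase() === "asc" ? "ASC" : "DESC";
  return { column, direction };
}

// Build the listing query: sticky posts first, then the chosen ordering.
// Only allowlisted identifiers are interpolated; the limit is a bound value,
// e.g. for D1: env.DB.prepare(sql).bind(...bindings).all()
function buildListQuery(params) {
  const { column, direction } = sanitizeSort(params.sort, params.order);
  return {
    sql: "SELECT id, title, sticky, updated_at FROM posts " +
      `ORDER BY sticky DESC, ${column} ${direction} LIMIT ?`,
    bindings: [sanitizeLimit(params.limit)],
  };
}
```

A malformed `sort` or `limit` never reaches the SQL text; it falls back to `updated_at` and the default limit.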

PR #57 — Documented sticky column migration

Extended the schema definition to include the new sticky flag so fresh D1 databases ship with the column already in place. Documented the one-line ALTER TABLE needed for existing installs, giving operators a clear migration note before sticky features roll out.

PR #56 — Allowed Google Maps embeds in CSP

Expanded the middleware-generated Content Security Policy to whitelist Google Maps domains for frame-src and child-src, unblocking embedded maps inside posts. Kept the rest of the directive set intact so existing script, font, and image protections stay enforced while the map iframe loads safely.

PR #55 — Added HTML editing mode toggle

Introduced a mode switcher so writers can jump between the Quill visual canvas and a raw HTML textarea, keeping both views synchronized as you type. Improved accessibility by updating button labels, focus management, and helper text, ensuring the toggle makes it obvious when you’re editing markup directly.

PR #54 — Enabled inline image controls in post editor

Upgraded the editor toolbar with an image handler that validates URLs, prompts for optional alt text, and drops embeds exactly where the cursor sits. Bundled Quill’s image-resize module and tailored the styling so inline photos get orange handles and clear feedback when resizing or aligning within a story.

PR #53 — Fixed authenticated visibility for dynamic content

Refactored the auth helper to scan entire DOM subtrees and react to mutations, making sure newly injected buttons inherit the correct authenticated or anonymous state. Hooked a MutationObserver so attribute tweaks and late-loaded fragments immediately recalc visibility, which brought the post edit button back for logged-in users.

PR #52 — Added edit button to post page

Replaced the static edit link with a styled button that only renders for authenticated viewers and launches the post editor with the right query string. Wired a click handler that computes the edit URL at runtime, so the control keeps working even when the post is rendered client-side.

PR #51 — Rebranded interior pages to Scott’s Website

Retitled the about, archive, admin, login, and post pages to drop the Road Chronicles name and align with the Scott’s Website identity rolled out on the homepage. Freshened the supporting copy so each section now speaks in the site owner’s voice—from the experimental origin story on the About page to the tongue-in-cheek archive description.

PR #50 — Aligned headers and footers across pages

Swapped the motorcycle iconography for the new sunrise mark everywhere, updated navigation states, and surfaced the signed-in user chip consistently across admin surfaces. Standardized the footer to credit Scott Abernethy by name, closing the loop on the branding refresh started on the front page.

PR #49 — Updated homepage branding to Scott’s Website

Reintroduced the home hero with a cleaner welcome headline, swapped to the sun icon, and renamed the site to Scott’s Website throughout the landing page. Dialed in the copyright footer and tagline so the front page immediately reflects the shift from Road Chronicles to a more personal blog.

PR #48 — Adjusted dev log intro to reflect iPhone bug resolution

Expanded the top of this page with a three-part narrative capturing the late-night debugging odyssey behind the iPhone login fix, documenting what the diff alone couldn’t show. Set the tone for future entries by explaining why the log matters—connecting AI-assisted experiments with the hands-on interventions that finally shipped.

PR #47 — Added login preflight handler and host-only cookie

Added an explicit OPTIONS responder so Safari’s cross-origin preflight succeeds, hardened JSON parsing failures into actionable errors, and tightened response headers around login to keep diagnostics consistent. Shifted the session cookie to a host-only, SameSite=Lax token while only enabling CORS headers when the request truly comes from another origin, giving iOS a privacy-friendly path to stay signed in.
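The header logic this entry describes, as an added example rather than the site's own worker code: the cookie name, the allowlisted origin, the `/auth/login` path used in testing, and the TTL and max-age values are assumptions.

```javascript
// Added example: hypothetical header builders for a login endpoint.
const ALLOWED_ORIGINS = new Set(["https://staging.example.com"]); // constructed

// Host-only cookie: no Domain attribute, so the browser scopes it to the
// exact host that set it and never sends it to sibling subdomains.
function buildSessionCookie(token, maxAgeSeconds) {
  return [
    `session=${encodeURIComponent(token)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Emit CORS headers only for a genuinely cross-origin, allowlisted caller.
// Same-origin requests and unknown origins get none.
function corsHeaders(requestUrl, originHeader) {
  if (!originHeader) return {};
  if (originHeader === new URL(requestUrl).origin) return {};
  if (!ALLOWED_ORIGINS.has(originHeader)) return {};
  return {
    "Access-Control-Allow-Origin": originHeader, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Answer the OPTIONS preflight. A caller that is not allowlisted gets a bare
// 204 with no CORS headers, which the browser treats as a refusal.
function handlePreflight(requestUrl, originHeader) {
  const headers = corsHeaders(requestUrl, originHeader);
  if (Object.keys(headers).length > 0) {
    headers["Access-Control-Allow-Methods"] = "POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return { status: 204, headers };
}

// Headers for a successful login response.
function loginSuccessHeaders(requestUrl, originHeader, token) {
  return {
    "Content-Type": "application/json; charset=utf-8",
    "Cache-Control": "no-store", // auth responses are never cached
    "Set-Cookie": buildSessionCookie(token, 3600),
    ...corsHeaders(requestUrl, originHeader),
  };
}
```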

PR #46 — Implemented signed session cookie flow for iOS login

Rebuilt the login worker to look up users from the database, verify PBKDF2 hashes, mint JWT-backed session tokens with configurable TTLs, and emit richer diagnostics whenever auth dependencies misbehave. Extended the session helpers to reuse a shared max-age constant, fetch user details during verification, and return user/token data to the frontend while expanding the iOS regression tests.

PR #45 — Ensured session cookie worked on iOS

Introduced a cookie-domain resolver so deployments on the production apex emit cookies Safari will accept and logged every Set-Cookie header that leaves the login/logout workers for easier field debugging. Instrumented the authenticated route guard to record incoming cookies and set a sturdier WWW-Authenticate header, giving the team better observability into iPhone rejection paths.

PR #44 — Updated CSP headers and JS asset handling

Expanded the middleware to detect Font Awesome kit usage, dynamically whitelisting its domains alongside the core script/style/font directives so external assets can execute on iOS without tripping CSP. Normalized responses for JavaScript requests—covering .js and .mjs—to enforce correct MIME types and propagate the generated security headers on every pass.

PR #43 — Reverted code to previous deployment

Backed out the aggressive CSP middleware and inline console probes after they introduced new regressions, restoring the last known-good deployment while deeper iOS testing continued. Reset the asset pipeline to its pre-experiment defaults so subsequent fixes could iterate on a stable foundation.

PR #42 — Added CSP header and boot logs for iOS

Broadened the middleware to inject a site-wide Content Security Policy, return JavaScript fallbacks with a dedicated 404 stub, and ensure every asset response carries the correct charset. Dropped inline boot logs into the index, login, and shared auth scripts so Safari testers can confirm the moment each bundle executes.

PR #41 — Ensured JS assets executed on iOS by fixing headers and logging

Added middleware that intercepts JavaScript requests returning HTML, normalizes their MIME type, and blocks the fallback content that was confusing Mobile Safari. Instrumented the auth client with exhaustive logging around fetches, payload parsing, and UI events while shipping per-asset headers that force Cloudflare Pages to serve JavaScript with the right content type.

PR #40 — Hardened auth verification against cached responses

Tightened every auth response with explicit no-store/no-cache headers, Vary: Cookie, and timestamped verification requests so stale caches stop hiding login success from iOS. Mirrored the cache-busting updates across admin and editor screens, ensuring their guards respect the refreshed session detection logic.

PR #39 — Fixed iOS login cache handling and session headers

Introduced reusable helpers for building session cookies and logout directives, aligning all auth responses with consistent cache controls and enriched metadata. Updated the frontend auth manager and admin tooling to respect the new headers while adding an iOS-focused Playwright smoke test to catch regressions.

PR #38 — Added development log summaries for PRs 29-37

Extended the dev log with narrative recaps for the recent auth and editor overhauls so the project history finally reflected the rapid-fire progress. Standardized the layout and spacing of older entries to match the refreshed storytelling format introduced in the preceding release.

PR #37 — Rewrote dev log with expanded PR summaries

Rewrote the development log to replace terse blurbs with narrative summaries that capture the intent behind each merge. Standardized the card structure and typography so future entries stay consistent and easy to scan.

PR #36 — Fixed iOS login cookie persistence and updated auth guards

Overhauled the authentication workers to set resilient SameSite=None cookies, add a /auth/debug probe, and clean up login/logout responses for on-device testing. Streamlined the admin experience by tightening auth fallbacks, trimming redundant UI code, and letting the shared site auth script drive visibility toggles.

PR #35 — Fixed iOS login bug and updated cookies

Reinforced the login flow with consistent cookie attributes and domain-aware logout helpers so Safari honors the session token. Updated admin screens and the verification handler to surface authenticated user data while reusing the shared session utilities.

PR #34 — Fixed iOS login bug and cookie issues

Patched the login regression by regenerating JWT cookies with HttpOnly, Secure, and SameSite=None flags while tightening session parsing utilities. Aligned the admin headers and editor page to rely on shared auth toggles and expanded the password hashing helpers backing PBKDF2 validation.

PR #33 — Added edit link for logged-in users

Added an inline Edit Post shortcut to story pages that appears for authenticated riders and jumps straight to the editor. Hooked the control into the existing auth visibility system so it hides automatically for anonymous visitors.

PR #32 — Added text formatting styles to posts

Carried the new rich-text formatting to the public post view by styling Quill-generated lists, alignment, and indentation classes. Refined body copy colors and spacing to keep long-form stories readable regardless of the formatting choices authors make.

PR #31 — Added text formatting editor to posts

Integrated the Quill editor into the admin composer with a dark-themed toolbar, live image preview, and dedicated status and tag controls. Expanded the form logic to support editing existing posts, uploading hero images, and validating required fields before saving.

PR #30 — Changed post sort order by update date

Updated the home feed request to sort by updated_at and filter out drafts so the freshest edits rise to the top. Refined the card builder to reuse the global viewPost helper, surface the latest timestamp, and keep excerpts and tags consistent.

PR #29 — Removed dev log menu item and updated page order

Removed the Dev Log link from the primary navigation to keep the top-level menu focused on core reader destinations. Reordered the timeline cards on the log itself so the newest releases appear first alongside refreshed copy.

PR #28 — Updated development log with missing PRs

Backfilled the development log with summaries for the recent iPhone authentication fixes so the timeline stayed complete. Captured the lessons learned from the mobile debugging push, giving future contributors a clear record of what changed and why.

PR #27 — Added archive status option and archive listing page

Introduced an archive workflow by shipping the /archive.html layout together with js/archive.js, which filters API responses to entries marked with the new archive status. Expanded the editor dropdown and API persistence so writers can retire posts without deleting them while keeping archived rides accessible for long-time readers.

PR #26 — Created development log webpage

Launched this dedicated development log, composed of Tailwind-styled cards that chronicle the evolution of the project. Seeded the log with historical context for each merged pull request, giving contributors a single hub for release notes.

PR #25 — Reviewed login process for iPhone browsers

Reviewed the login pipeline on iPhone browsers and relaxed strict cookie assumptions so Safari can establish a SameSite=None session without being blocked. Added extra verification logging and device-testing guidance to help diagnose mobile-only authentication issues quickly.

PR #24 — Investigated authentication issue on iPhone (eh4uc3)

Refactored the authentication client to avoid Safari-incompatible script patterns and ensured the login form gracefully degrades on older iOS builds. Updated the markup and event wiring to keep the experience consistent even when asynchronous auth scripts load slowly on mobile networks.

PR #23 — Investigated authentication issue on iPhone (sjzkhw)

Eliminated modern JavaScript syntax from the auth bundle so legacy Safari engines can parse it, focusing on removing spread operators and optional chaining. Polyfilled the minimal runtime helpers we still needed and tightened our build guardrails to prevent ES2015-only features from slipping back in.

PR #22 — Investigated authentication issue on iPhone

Audited the entire authentication flow on older mobile browsers and patched race conditions that left the UI in an unauthenticated state. Reworked initialization fallbacks so the site now checks /auth/verify when the primary auth manager fails to boot.

PR #21 — Created push request to revert main branch

Prepared a revert branch to roll the main site back to the pre-editor state after regressions were reported. Documented the steps required to restore the stable experience and captured the follow-up tasks that would let us reintroduce the richer editor safely.

PR #20 — Added text formatting editor to posts

Integrated the Quill rich-text editor into the admin experience, complete with custom theming to match the Road Chronicles palette. Sanitized saved content, added excerpt helpers, and refreshed the public post templates so formatted entries render beautifully.

PR #19 — Redirected unauthenticated users to login

Forced unauthenticated visitors away from the admin suite by checking the session before rendering management pages. Added redirect helpers in the auth manager to send users to /login.html and return them to their original destination after signing in.

PR #18 — Added logout button on login (fwy5dd)

Fixed the header visibility toggles so a logout button appears as soon as the auth manager detects a signed-in user. Strengthened our auth event bus to broadcast state changes to every page that listens for auth:loaded.

PR #17 — Added logout button on login

First pass at exposing logout actions throughout the site, wiring up the UI buttons to call /auth/logout. Hardened the auth state restoration logic so stale localStorage entries no longer show ghost sessions.

PR #15 — Fixed authentication integration (238ksm)

Taught the password hashing helper to pull AUTH_PEPPER from the environment when deriving PBKDF2 hashes. Updated the documentation to remind operators to keep pepper configuration in sync across environments.

PR #14 — Fixed authentication integration (364iu8)

Lowered the PBKDF2 iteration counts to stay within Cloudflare Workers execution limits while maintaining strong password security. Refreshed the helper script defaults and noted the runtime cap in both docs and console warnings.

PR #13 — Fixed authentication integration (t2375j)

Solved a Tailwind initialization race on the login screen by ensuring the framework loads before we bind event handlers. Added operational runbooks explaining how to tail Pages logs when investigating authentication hiccups.

PR #12 — Fixed authentication integration (56qeau)

Tweaked the login page so Tailwind initializes reliably even when the CDN responds slowly. Adjusted script ordering and added defensive checks so the page can render with fallback styling if needed.

PR #11 — Fixed authentication integration (j2sgho)

Protected the auth endpoints against missing database bindings by adding explicit checks before each query. Improved error logging and JSON responses to help diagnose misconfigured environments more quickly.

PR #10 — Fixed authentication integration (oii2zi)

Documented the Cloudflare Pages and Workers log locations directly in the repo for faster troubleshooting. Added inline references in the auth functions so future engineers know exactly where to look when debugging.

PR #9 — Fixed authentication integration (hzhbsz)

Reskinned the login template to match the rest of the site, embracing the Harley-inspired color palette. Cleaned up spacing, typography, and responsive behavior so the form looks sharp on phones and desktops alike.

PR #8 — Fixed authentication integration (gd2rh6)

Documented the required secrets for local and production environments and committed .dev.vars.example to guide setup. Updated .gitignore to keep sensitive environment files out of version control.

PR #7 — Fixed authentication integration

Connected authentication state to the site navigation so admin links only appear for logged-in users. Introduced the data-auth-visible pattern that powers conditional rendering across the frontend.

PR #6 — Created plan to fix authentication issue

Reworked the underlying authentication services, adding helpers for sessions, logout handling, and consistent response formatting. Outlined the stabilization plan for the stack so future work could build on a predictable foundation.

PR #5 — Added error handling for auth.js inclusion

Wrapped the dynamic /js/auth.js loader in robust error handling to avoid breaking pages when the script fails to fetch. Broadcasted custom events so other modules can react when the auth script loads or errors out.

PR #4 — Removed auth redirect block from post.html

Removed the legacy redirect guard from post.html that was hiding public stories behind an auth check. Ensured individual post pages remain accessible to anonymous readers while still respecting admin-only actions.

PR #3 — Updated schema or insert logic for ID

Updated the D1 schema so posts default to a generated text UUID when an ID isn't supplied. Aligned the insert logic across the API so new posts share a consistent identifier strategy.

PR #2 — Added authentication handlers and updated secrets

Implemented the Cloudflare Pages functions that handle login, logout, and session verification. Stored secrets via Wrangler, wired JWT issuance, and added cookie helpers to power the entire authentication flow.

PR #1 — Added auth.js for login/logout flows

Introduced the standalone auth.js client that persists session state in localStorage and notifies subscribers when it changes. Provided convenience helpers for login, logout, and verification, giving every page a single source of truth for auth.