- coerceEpoch: early-return fallback on null/undefined input (was falling
through to new Date(null) → epoch 0, surfacing as 1970-01-01 in the
stories list); also unify the tail branch to Number.isFinite for
consistency with the number-type fast path
- autosave .catch: roll back lastSavedFingerprintRef on unexpected throw
so the next session change retries instead of silently marking the
content as saved
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
From PR #114 external review agent — adopted the real, low-cost findings;
remaining items (false positives / design trade-offs) explained in PR replies:
- coerceEpoch: !Number.isNaN → Number.isFinite — reject ±Infinity, which
previously slipped through and produced Invalid Date via new Date(Infinity)
- enforceRetentionCap pass2/pass3: decrement overflow only when idbDelete
actually succeeds — a failed best-effort delete no longer under-evicts
- cloudListStories: explicit column list instead of select() — avoid pulling
the bulky session_jsonb when only metadata is needed
- Supabase stories: composite primary key (user_id, id) + onConflict user_id,id
— avoid a cross-user Session.id collision rejecting the second user's save
(skeleton not yet deployed, so the migration is edited in place)
typecheck + build:cf green.
Replace the fixed bottom-right ember-500 floating button with a
dedicated fourth column in the about grid, matching existing visual
language (smallcaps heading + icon link). Adds submitFeedback and
feedbackDescription i18n keys for zh-CN, en, ja.
Grid uses md:grid-cols-2 lg:grid-cols-4 for better mid-screen
responsiveness.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Insert-beat is a pure in-scene micro-interaction — adding choices that
lead to change-scene contradicted its purpose. Now insert-beat generates
1-3 richer beats then loops back to the original options, which is the
natural UX for "you glanced at something decorative."
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored commits from Claude Code were failing the CLA check
because the bot email had not signed the CLA. Whitelist it so
AI-assisted PRs pass without requiring --admin merge.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Preset firstact JSONs had 37% of beats bundling narration and dialogue
on the same beat object, while the current engine (Paradigm D prose
splitter) produces strictly one-type-per-beat output. This mismatch
caused the preset card experience to feel different from actual gameplay.
Split 275 mixed beats across 94 files (120 total) into independent
narration→dialogue beat pairs, preserving all images, characters, voices,
and graph references. Beat count: 738→1013.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collect beta user feedback via Tally.so — fixed-position button in the
bottom-right corner opens the form in a new tab. Ember-orange default,
clay-dark on hover, i18n labels for zh-CN / en / ja.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove deprecated Architect agent from pipeline diagrams (zh/en/ja SVGs)
and README text — Writer now handles story architecture
- Add OpenDeploy as sponsor section and one-click deploy option
- Change LINUX DO badge link to the actual forum post
- Move Open Deploy to completed in Roadmap
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The window-level 'F' keydown listener now ignores events from INPUT,
TEXTAREA, and contentEditable elements so freeform input is not
interrupted by the presentation-mode toggle.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
User feedback: custom interactions rarely produce new story content because
the classifier heavily biased toward insert-beat (single reaction, no scene
change). Three changes to fix this:
1. Freeform text input now always triggers a full scene generation (skips
the classify step entirely) — users who type expect the story to advance.
2. Vision (background click) classifier de-biased: prompt now favors
change-scene when uncertain, and the code fallback flipped from
insert-beat to change-scene. insert-beat narrowed to pure observation.
3. Insert-beat enhanced: generates 1-3 beats (was 1) with follow-up
choices (was: loop back to original beat). Even when vision classifies
as insert-beat, the player gets richer content and new options.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two defensive fixes surfaced by the PR #95 review (PR-Agent), applied on
top of the staging sync:
1. directScene: routeTaggedStream rejecting BEFORE onPlan fires would leave
planPromise unsettled, hanging `await planPromise` — and thus the whole
/api/start and /api/scene request — forever. Add a .catch that settles
the plan with a minimal fallback and resolves routing to a degraded
result, so the pipeline produces a playable fallback scene (graceful
degradation) instead of hanging.
2. prompts/registry: the duplicate-segment-ID guard only ran under
NODE_ENV=development, so a bad merge introducing a duplicate ID would
silently shadow a segment in production. Run the check in all
environments (once at module load; negligible cost).
Drop the unintended path change (.next/dev/types → .next/types)
that `next build` auto-wrote — this file is managed by Next.js
and should not carry build-vs-dev path diffs across branches.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace the external cdnjs.cloudflare.com <link> with a bundled
npm import so FA CSS+fonts ship as static assets through the
same Cloudflare CDN that serves the app — eliminates an extra
DNS lookup and third-party CDN dependency, improves reliability
for China users.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GALLERY_SECRET was removed in 64cf9c3 — .infiplot files now use
plaintext + SHA-256 integrity, no encryption secret needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CLA bot run on PR #99 failed with 'Resource not accessible by
integration' because it tried to commit cla-signatures/version-1.json
to the branch-protection-protected main branch. The CLA Assistant
action cannot push to protected branches (contributor-assistant/
github-action#150); PAT identity is not granted bypass even though
the PAT owner is repo admin.
Fix: store signatures on a dedicated orphan branch 'cla-signatures'
that has no protection rules, so the PAT can commit freely. This is
the workaround recommended by the action maintainers and the dominant
community solution.
Also brings the staging copy of cla.yml up to parity with main (the
guard step + SHA pin from PR #93 had not been back-merged to staging):
- Add the 'fail on missing CLA_BOT_TOKEN' guard step
- Pin action to contributor-assistant/github-action@ca4a40a7... (v2.6.1);
the old 'cla-assistant-action' path 404s and was a second reason the
bot never fired
Rewrites the i18n system introduced in PR #94 to use Next.js App Router
[locale] dynamic segments with SSR-rendered translations and proper
middleware locale routing.
- Add middleware locale detection: / rewrites to /zh-CN/ internally,
/en and /ja pass through, /zh-CN/... redirects to bare path
- Move all 7 pages under app/[locale]/ with SSR translation injection
- Fix server→client serialization: pre-evaluate function-valued
translations (makeSerializable) to eliminate hydration flash
- Fix language switch key flash: use hard navigation with localStorage-
only persistence, avoiding React state update before page reload
- Add <link rel="alternate" hreflang> tags for multilingual SEO
- Fix Supabase setAll overwriting locale rewrite response
- Trim locales from 22 to 3 (zh-CN/en/ja), delete 19 incomplete files
- LLM-translate 240 firstact game preset JSONs (en + ja, landscape +
portrait) and story titles via gemini-3.5-flash
- Delete 11 one-off migration scripts and outdated i18n docs
- Add useLocalePath hook and navigation utilities
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Addresses pr-agent review on PR #93 (the two CLA-specific items). The
other 9 suggestions targeted code carried in by the sync (middleware,
gender-x) and are out of scope here.
- uses: contributor-assistant/cla-assistant-action@v2.6.1 (404 — wrong name)
+ uses: contributor-assistant/github-action@ca4a40a7... (canonical, pinned)
The action's real home is contributor-assistant/github-action; the
'cla-assistant-action' path we had resolves to 404 and may itself be
why the bot never fired on PR #92. Pin to the full SHA of v2.6.1 so a
movable tag can't slip a malicious update under pull_request_target +
a writable PAT. The repo is archived but v2.6.1 still functions.
- Add a guard step that FAILS the job on the canonical repo
(zonghaoyuan/infiplot) when CLA_BOT_TOKEN is missing. Previously a
missing token silently skipped the job and it 'succeeded' — dangerous
once this becomes a required status check (a lost/expired token would
let CLA enforcement degrade invisibly). Forks still skip cleanly.
Reject header-only files (37 bytes, empty plaintext) at the unpack
boundary instead of letting them through as empty strings.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The encrypted .infiplot format (AES-256-GCM via GALLERY_SECRET) provided no
meaningful security — the payload is AI-generated story content with no
credentials or PII, and the project is open source. Replace with plaintext +
SHA-256 integrity check (format v2). Story share is now always enabled without
requiring a server secret.
- galleryCrypto.ts: AES-256-GCM → plaintext + SHA-256 hash; remove secret param
- 4 API routes: remove GALLERY_SECRET guard and 503 fallback
- story-unpack: forward specific error messages (v1 compat, hash mismatch)
- gallery/page.tsx: remove stale AES-GCM comment
- AGENTS.md: document gallery-pack/gallery-unpack routes
- .env.example, wrangler.jsonc: remove GALLERY_SECRET references
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add "keep_vars": true so Dashboard-set variables survive redeployments
(Vercel-like behavior). Remove empty-string placeholder vars — provider
config (TEXT_BASE_URL, IMAGE_*, VISION_*, TTS_*) is now managed entirely
via Dashboard. Update comments to document three variable categories
(secrets, runtime, build-time) and their setup locations.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Replace hardcoded API URLs and model names with empty-string placeholders
so self-deployers set their own values via Dashboard
- Comment out D1/R2/KV bindings and placement region to prevent deploy
failure for users who don't need these optional services
- Add comprehensive comments for secrets, optional tuning vars, and
build-time NEXT_PUBLIC_* variables
- Hide /stories navigation link until auth integration is ready
(all story persistence code is retained)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Squash-merge the cloudflare-migration branch (7 commits by Kai ki) into
staging with conflict resolution, feature integration, and bug fixes.
Engine:
- Paradigm D: single-stream Writer replacing dual-phase Plan/Beats
- Delete Architect agent; story bible generated via Writer <plan> tag
- Modular prompt architecture (segments/registry/builder)
- StreamRouter for tagged stream splitting (<plan>/<story>/<choices>)
Infrastructure:
- Cloudflare Workers deployment (wrangler.jsonc, OpenNext adapter)
- D1 database schema + Drizzle ORM (scaffolded, not yet active)
- R2 storage helpers (scaffolded, not yet active)
- Story persistence API routes + client-side persistence
BYOK (Bring Your Own Key):
- /api/llm/user-proxy with SSRF-protected LLM proxy (+ requireUser auth)
- CORS-aware fetch in ai-client: auto-detect CORS failure, fallback to
server proxy transparently via OpenAI SDK custom fetch
- BYO config support added to classify-freeform and vision routes
- SettingsModal CORS privacy notice (keys never logged/stored)
SSE streaming:
- engineClient.ts: fetchSSE helper for progressive scene events
- startSession/requestScene accept optional emit callback
- Fix SSE error event field name (error → message) in scene/start routes
i18n integration:
- Wire buildLanguageDirective into paradigm D's prompt builder
- Update corsNotice i18n keys (zh-CN/en/ja) with CORS proxy privacy text
- Preserve Session.language + LanguageSwitcher from i18n commit
Co-authored-by: Kai ki <155355644+zbf1009@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- New client-side i18n via React Context (useI18n, tArray, I18nProvider)
- Catalog ships 21 locale stubs; only zh-CN/en/ja have reviewed translations
- Header language switcher (globe icon + short label) before settings gear
- All hardcoded Chinese UI text migrated to keys: typewriter, options,
hints (with embedded gear icon via dangerouslySetInnerHTML), settings
panel, footer/about, play page hints
- AI output language follows user-selected locale via trailing one-liner
directive appended to Architect/Writer/CharacterDesigner/InsertBeat
user messages (preserves system-prompt cacheability)
- Per-locale separator rule: zh uses middot between every glyph; en/ja
use plain spaces
- Option value → i18n key suffix maps preserve Chinese as the underlying
identifier so analytics unions and STYLE_MAP keys stay byte-stable
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Next.js 16 locks proxy.ts to the Node.js runtime, but OpenNext for
Cloudflare rejects Node.js middleware at build time ("Node.js middleware
is not currently supported", build.js exit 1). Rename to middleware.ts
with an explicit experimental-edge runtime so the Supabase SSR cookie
refresh runs on edge and stays deployable to both Vercel and Workers.
Supabase SSR only uses Web APIs (fetch, cookies), so it is
edge-compatible; the core getUser() refresh logic is unchanged. The
matcher excludes static assets by file extension (not by "contains a
dot") so future dotted dynamic routes (e.g. /u/john.doe) still get the
cookie refresh. getUser() is wrapped in try/catch so a transient
network error (rethrown by @supabase/auth-js) doesn't 500 or crash the
page request — the cookie simply isn't refreshed that round.
Note: runtime must be "experimental-edge", not "edge". Next.js 16 routes
the root middleware file through the pages-router static-info path, where
runtime "edge" throws E1015 at build ("Use runtime 'experimental-edge'
instead"). "experimental-edge" only warns; both are treated as edge by
isEdgeRuntime().
Verified: pnpm typecheck, pnpm build (Vercel), pnpm build:cf
(Cloudflare — Bundling middleware function -> OpenNext build complete,
node-middleware guard no longer fires).
- Add "X" to GENDERS array in lib/options.ts
- Add example phrases for "X" gender (sci-fi themed)
- Make "X" use same preset cards as male gender
- Map "X" to "通用性别" when transmitting to AI
- Add "X" to DISPLAY_ORDER (same as male)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Address the valid points from pr-agent on PR #89, skip the inaccurate
ones (e.g. the $contributorName placeholder it suggested does not exist
in cla-assistant-action; create-file-commit-message fires before any
signer exists).
- cla.yml: move 'token configured?' check into job env and put the whole
step-level if inside a single ${{ }} so && / || are evaluated as a
boolean (step-level if cannot safely reference secrets.* directly)
- cla.yml: declare minimal explicit permissions (contents/pull-requests/
issues/statuses) — this workflow runs on pull_request_target with a token
- cla.yml: drop the overly broad '*bot' allowlist wildcard; keep explicit
bot + maintainer accounts only
- cla.yml: clean up the stray trailing '@' in create-file-commit-message
(used once, at signature-store creation, before any signer exists)
- README{,.en,.ja}: clarify that the CLA is signed via a PR comment, not
before opening the PR — matches the actual CONTRIBUTING flow
- Model support: text/vision now OpenAI-compatible only (Claude/Gemini
via their OpenAI-compatible endpoints); drop stale native-protocol copy
and the anthropic/google rows from the *_PROVIDER table
- TTS: document StepFun (step-tts-2, paid, better quality) alongside
Xiaomi MiMo (free) across zh/en/ja; update Vercel deploy envDescription
- Claude: note that direct Anthropic endpoints lack caching, recommend
gateway for full experience
- Cloudflare: preserve existing one-click deploy (compat work in progress)
Introduce a Contributor License Agreement (CLA) so external contributions
can be licensed under AGPL-3.0 and any other terms (incl. closed-source),
keeping the AGPL-3.0 codebase usable in closed-source projects.
- CLA.md: authoritative English CLA (ICLA + employer authorization, v1.0)
- CLA.zh.md: non-binding Chinese reference translation
- CONTRIBUTING.md: bilingual contributing guide, points to CLA
- .github/workflows/cla.yml: self-hosted cla-assistant-action that records
signatures into cla-signatures/version-1.json; exempts maintainers & bots
via allowlist; skips when CLA_BOT_TOKEN is unset
- .github/PULL_REQUEST_TEMPLATE.md: guides contributors to sign
- README.{md,en.md,ja.md}: add License & contributing footer
- app/terms: note CLA requirement in the IP section
Enforcement requires repo-level setup (PAT secret + branch protection)
documented in cla.yml; not covered by this commit.
WEBP produces ~90% smaller files than PNG at visually identical quality
(tested: 5.4MB → ~550KB per 1792×1024 image), significantly reducing
client download time for users on slower connections.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>