spotlightcam/docs/SESSION_CONTEXT.md

# Session Context - spotlight.cam

**Quick reference for resuming development sessions**

---

## Project Overview

**Name:** spotlight.cam
**Purpose:** P2P video exchange app for dance event participants
**Main Feature:** WebRTC P2P video file transfer (no server storage)
**Tech Stack:** React + Vite + Tailwind | Node.js + Express + Socket.IO | PostgreSQL 15 | Docker Compose

---

## Current Status

**Phase:** MVP Complete - Production Ready
**Tests:** 342/342 backend tests passing - 100% ✅ (72.5% coverage)
**Recent Work:** Activity Log System with real-time admin dashboard (Phase 3.5 complete)

### Core Features (All Implemented)
- JWT authentication with email verification (AWS SES)
- Real-time chat (Socket.IO) - event rooms + private 1:1
  - Real-time active users with instant updates
  - Message validation (2000 char limit with visual counter)
  - Spam protection (rate limiting, duplicate detection, profanity filter)
- WebRTC P2P file transfer (RTCDataChannel, up to 700MB tested)
- Competition heats system for matchmaking
- Recording matching system with 3-tier account system (BASIC/SUPPORTER/COMFORT)
- Fairness algorithm (karma tracking: recordingsDone vs recordingsReceived)
- Dual buffer system (prep before + rest after dancing)
- Matching runs audit with origin_run_id tracking
- Incremental matching (preserves accepted/completed suggestions)
- Scheduler integration (automated matching with cron)
- Atomic stats updates with race condition prevention
- Clickable usernames with @ prefix, country flags
- Matches & ratings API
- QR code event check-in
- PWA (offline support, iOS compatible)
- Security: CSRF, rate limiting, account lockout
- Test bot for automated testing
- Activity Log System - admin monitoring dashboard with real-time streaming (18 action types)

---

## Project Structure (Key Paths)

```
/spotlightcam
├── docker-compose.yml       # nginx:8080 + frontend + backend + db
├── frontend/src/
│   ├── pages/               # React pages
│   │   └── admin/           # Admin pages (ActivityLogsPage.jsx)
│   ├── components/          # Reusable components
│   ├── contexts/            # AuthContext
│   ├── services/            # api.js, socket.js
│   ├── hooks/               # useWebRTC.js
│   └── constants/           # MATCH_STATUS, SUGGESTION_STATUS, etc.
├── backend/src/
│   ├── routes/              # API endpoints (events.js, matches.js, admin.js)
│   ├── controllers/         # Business logic
│   ├── services/            # matching.js (auto-matching), activityLog.js (audit trail)
│   ├── middleware/          # auth.js, admin.js (requireAdmin)
│   ├── socket/              # Socket.IO handlers (chat, WebRTC, admin logs)
│   ├── utils/               # request.js (IP extraction)
│   ├── constants/           # Status constants
│   └── __tests__/           # Jest tests (342 tests - 100% passing)
│       ├── matching-algorithm.test.js      # 19 tests
│       ├── ratings-stats-flow.test.js      # 9 tests
│       ├── matching-runs-audit.test.js     # 6 tests
│       ├── matching-incremental.test.js    # 5 tests
│       └── socket.test.js                  # 12 tests
└── docs/
    ├── SESSION_CONTEXT.md   # This file - quick context
    ├── TODO.md              # Current tasks & roadmap
    ├── ARCHITECTURE.md      # Technical details
    ├── DEPLOYMENT.md        # Deployment guide
    ├── MONITORING.md        # Operations guide
    ├── TESTING_MATCHING_RATINGS.md  # Comprehensive test documentation (45 tests)
    ├── WEBRTC_TESTING_GUIDE.md      # WebRTC testing guide
    └── archive/             # Archived documentation
```

---

## Database Schema (12 tables)

Key models:
- `users` - Auth, profile, social links, location, lockout fields, `isAdmin` flag
  - Account tiers: `accountTier` (BASIC/SUPPORTER/COMFORT), `recordingsDone`, `recordingsReceived`
- `events` - Dance events with unique slugs
- `event_participants` - User-event relationship, competitorNumber, recorderOptOut, `accountTierOverride`
- `divisions` / `competition_types` / `event_user_heats` - Competition system
- `matches` - User pairings with CUID slugs
- `ratings` - 1-5 stars, comments, `statsApplied` flag
- `recording_suggestions` - Auto-matching results with collision detection, `originRunId` tracking
- `matching_runs` - Audit trail (manual/scheduler, status, stats)
- `chat_rooms` / `messages` - Real-time chat persistence
- `activity_logs` - Comprehensive audit trail (18 action types, indexed for performance)

---

## Recent Changes (2025-12-03)

### Chat Enhancements - Complete ✅
**Real-time updates, message validation, and spam protection**

**Commits:** `dd31761` (real-time users), `4a91a10` (message limits), `ace3311` (spam protection)

**1. Real-time Active Users Fix (dd31761)**
- Fixed bug where active users list didn't update when new users joined chat
- Root cause: Used static `checkedInUsers` as base instead of real-time `activeUsers`
- Solution: Rewrote `getAllDisplayUsers()` to prioritize Socket.IO data
- Files: `frontend/src/pages/EventChatPage.jsx`, `frontend/src/hooks/useEventChat.js`

**2. Message Length Limits (4a91a10)**
- Added 2000 character limit for all chat messages (event + match chat)
- Backend validation in `send_event_message` and `send_match_message` handlers
- Frontend: `maxLength` attribute + character counter at 80% threshold (1600+)
- Visual feedback: red text when at limit, submit button disabled
- Files: `backend/src/constants/index.js`, `backend/src/socket/index.js`, `frontend/src/constants/index.js`, `frontend/src/components/chat/ChatInput.jsx`

**3. Spam Protection System (ace3311)**
- Rate Limiting: 10 messages per minute per user
- Duplicate Detection: Prevents identical messages within 1 minute window
- Profanity Filter: bad-words library (v2.0.0) with English + 11 Polish words
- In-memory tracking with automatic cleanup every 5 minutes
- User-friendly error messages for each validation type
- Files: `backend/src/middleware/messageValidation.js` (new), `backend/src/socket/index.js`, `backend/package.json`

---

### Activity Log System (Phase 3.5) - Complete ✅ (2025-12-02)
**Comprehensive admin monitoring with real-time streaming dashboard**

**Backend (Phases 1-5):**
- `activity_logs` table with 18 action types (AUTH_*, EVENT_*, MATCH_*, ADMIN_*, CHAT_*)
- `activityLog.js` service - fire-and-forget logging, never blocks requests
- `requireAdmin` middleware - fresh DB check for admin status
- 3 API endpoints: query logs, get action types, get statistics
- Socket.IO streaming - `admin_activity_logs` room with permission check
- 14 integration points across auth, events, matches, socket handlers

**Frontend (Phases 6-7):**
- `ActivityLogsPage.jsx` (600+ lines) - full admin dashboard
- Stats dashboard: total logs, unique users, failures, 24h activity
- Advanced filtering: date range, category, action type, username, success/failure
- Paginated table (50 per page) with color-coded action badges
- Real-time streaming toggle (Socket.IO integration)
- Admin-only route `/admin/activity-logs` with Shield icon in navbar

**Files Created/Modified:**
- Backend: `schema.prisma`, `activityLog.js`, `admin.js`, `request.js`, admin routes
- Frontend: `ActivityLogsPage.jsx`, `api.js`, `App.jsx`, `Navbar.jsx`
- Integration: 14 logging points in auth, events, matches, socket handlers

**Admin User:** spotlight@radziel.com / Dance123!

---

## Quick Commands

```bash
# Start development
docker compose --profile dev up

# Run all backend tests
docker compose exec backend npm test

# Run specific test suite
docker compose exec backend npm test -- matching-runs-audit.test.js

# Coverage report
docker compose exec backend npm run test:coverage

# Admin CLI
docker compose exec backend npm run cli -- users:list --limit 20

# Access
# Frontend: http://localhost:8080
# API: http://localhost:8080/api
# Health: http://localhost:8080/api/health
```

---

## Development Guidelines

- **Code language:** All code, strings, comments in ENGLISH
- **Communication:** POLISH with developer
- **Git commits:** Standard format, NO AI mentions
- **Port:** 8080 (not 80)
- **Tailwind:** v3.4.0 (v4 has breaking changes)

---

## Key Constants

```javascript
// frontend/src/constants/ & backend/src/constants/
MATCH_STATUS: pending | accepted | rejected | completed
SUGGESTION_STATUS: pending | accepted | rejected | not_found
CONNECTION_STATE: disconnected | connecting | connected | failed
ACCOUNT_TIER: BASIC | SUPPORTER | COMFORT

// Tier fairness penalties
FAIRNESS_SUPPORTER_PENALTY: 10
FAIRNESS_COMFORT_PENALTY: 50

// Matching config
MAX_RECORDINGS_PER_PERSON: 3
PREP_BUFFER_MINUTES: 30
REST_BUFFER_MINUTES: 60
```

---

## Test Accounts (Seeded)

| Username | Email | Password |
|----------|-------|----------|
| john_dancer | john@example.com | Dance123! |
| sarah_swings | sarah@example.com | Swing456! |
| mike_blues | mike@example.com | Blues789! |

---

## Test Coverage Summary

**Total:** 342/342 tests passing (100% ✅)

- **Matching Algorithm:** 19 tests (TC1-TC19)
  - Fundamentals, collision detection, limits, fairness, edge cases
- **Ratings & Stats:** 9 tests
  - Atomic updates, race prevention, idempotency
- **Matching Runs Audit:** 6 tests
  - origin_run_id tracking, sequential runs, filtering
- **Incremental Matching:** 5 tests
- **Recording Stats Integration:** 6 tests
- **WebRTC Signaling:** 12 tests
- **Socket.IO:** 12 tests
- **API Routes:** Full CRUD coverage (auth, events, matches, dashboard)

**Code Coverage:**
- matching.js: 94.71% statements, 91.5% branches
- routes/matches.js: 76.11% statements
- routes/events.js: 78.2% statements

---

## For More Details

- `docs/TODO.md` - Active tasks, security audit, future improvements
- `docs/ARCHITECTURE.md` - Technical implementation details
- `docs/TESTING_MATCHING_RATINGS.md` - Comprehensive test documentation
- `docs/DEPLOYMENT.md` - Production deployment guide
- `docs/MONITORING.md` - Operations and monitoring
- `docs/archive/COMPLETED.md` - Full history of completed features

---

**Last Updated:** 2025-12-03