87 commits
74300fa
feat: admin user table improvements, double delegations, and particip…
Strehk Mar 3, 2026
1fd857d
feat: tabbed conference config page with full CRUD for committees, de…
Strehk Mar 3, 2026
fc956c1
fix: correct speakers list position display and make controls full width
Strehk Mar 3, 2026
63ad563
docs: add resolution editor integration meta-plan
Strehk Mar 4, 2026
c3ef9c8
feat: resolution editor Phase 1 — database schema + basic API
Strehk Mar 4, 2026
67f647e
feat: resolution editor Phase 2 — delegate working paper UI with clau…
Strehk Mar 4, 2026
859f571
feat: resolution editor Phase 3 — chair resolutions tab, DR promotion…
Strehk Mar 4, 2026
a3f30a6
feat: resolution editor Phase 4 — support re-evaluation, active DR to…
Strehk Mar 4, 2026
4deb76d
feat: resolution editor Phase 5 — comment system for chairs and parti…
Strehk Mar 4, 2026
4314825
feat: chair sponsor management with add/remove UI and sorted display
Strehk Mar 4, 2026
d1fce25
docs: update meta-plan — mark Phases 4 and 5 as complete
Strehk Mar 4, 2026
2d33d6f
feat: resolution editor Phase 6b — amendment system backend mutations
Strehk Mar 4, 2026
7488725
WIP: resolution editor Phase 6c — amendment UI, lifecycle controls, a…
Strehk Mar 5, 2026
f695039
feat: resolution editor Phase 7 — voting system (paragraphs + final)
Strehk Mar 6, 2026
19e6af0
fix: chair dock — absolute links, active DR tab, and keyboard hint on…
Strehk Mar 6, 2026
edf0ddf
feat: add revertPaperStatus mutation for chair status reversion
Strehk Mar 6, 2026
ea06241
fix: move revert button outside collapse to make it clickable
Strehk Mar 6, 2026
5b04554
fix: move revert button inside accordion content with label text
Strehk Mar 6, 2026
607d34a
feat: add previous paragraph button in amendment phase controls
Strehk Mar 6, 2026
8130a3b
fix: add type annotations to vite.config.ts devAutoRestart plugin
Strehk Mar 6, 2026
7e99cac
feat: add global voting modal with promise-based API
Strehk Mar 6, 2026
afeef6c
feat: add vote button to amendment queue for formal voting
Strehk Mar 6, 2026
35b4acb
feat: add presentation resolution display, amendment numbering, and a…
Strehk Mar 6, 2026
04ae2e3
fix: replace layoutPreset match syntax with individual i18n keys
Strehk Mar 6, 2026
5e69a60
feat: add resolution header with sponsors to all editor views
Strehk Mar 6, 2026
9889e09
feat: add i18n support for resolution editor components
Strehk Mar 6, 2026
a349bf3
feat: remove rejected clauses from resolution content on adoption
Strehk Mar 8, 2026
16430ff
fix: route chair "View Paper" link for submitted papers to chair deta…
Strehk Mar 8, 2026
17a7b5c
feat: add edit/preview toggle for chair resolution view and print button
Strehk Mar 8, 2026
efd6679
fix: change DR to RES in document number on adoption and remove abbre…
Strehk Mar 8, 2026
d9df5da
feat: add active amendment tracking for chairs and participants
Strehk Mar 8, 2026
f0790e6
feat: show voting results in clause vote summary and print view
Strehk Mar 8, 2026
0102495
update packages
Strehk Mar 8, 2026
22b1ed9
fix: resolve lint errors (empty catch blocks, use SvelteMap/SvelteSet)
Strehk Mar 8, 2026
39196aa
chore: ignore minimatch ReDoS CVEs in trivyignore
Strehk Mar 8, 2026
2505c56
fix: use SvelteSet methods instead of reassigning with new Set
Strehk Mar 8, 2026
45d1a09
chore: ignore node-tar CVE-2026-29786 in trivyignore
Strehk Mar 8, 2026
e6dd7f2
Update Node image
Strehk Mar 8, 2026
c1c0540
fix: update devalue to 5.6.3 to resolve CVE-2026-22774 and CVE-2026-2…
Strehk Mar 8, 2026
69aa4ff
Add to trivyignore
Strehk Mar 8, 2026
cc5d66e
migration :D
Strehk Mar 8, 2026
8ec1ed0
feat: use ResolutionPreview for presentation operative clauses and fi…
Strehk Mar 10, 2026
2cddf42
improvement: show state handing in in list view
m1212e Mar 10, 2026
b63146c
format: run formatter
m1212e Mar 10, 2026
234de9f
fix: typo
m1212e Mar 10, 2026
c0a4713
feat: allow chairs to edit submitted amendments
Strehk Mar 11, 2026
0bbbe65
feat: auto-withdraw amendments targeting a deleted operative clause
Strehk Mar 11, 2026
c459ec2
feat: amendment submission/sponsoring toggles, comment UX improvements
Strehk Mar 11, 2026
03766fe
fix path
Strehk Mar 11, 2026
859e27b
Move Button
Strehk Mar 11, 2026
7b894f0
fix: add missing amendment fields to CommitteeTeamQuery
Strehk Mar 11, 2026
f854b99
Add to trivyignore
Strehk Mar 11, 2026
7e6e551
fix: regional group carousel timeout fix
m1212e Mar 11, 2026
a43f174
feat: display vote progress based on total presence count in committee
m1212e Mar 11, 2026
e3dda5c
build: fix trivy
m1212e Mar 11, 2026
1fb8edc
feat: add comments list to doc presentation layout
m1212e Mar 11, 2026
b81f5a8
feat: remember scroll position for paper view if possible
m1212e Mar 11, 2026
afa5584
fix: wait for paper to render before applying scroll
m1212e Mar 11, 2026
fcd79dd
fix: scrolling
m1212e Mar 11, 2026
85f52f7
feat: add redis for scaled pubsub support
m1212e Mar 12, 2026
842d0a2
improvement: add username config for redis
m1212e Mar 12, 2026
81e5009
improvement: use redis url instead
m1212e Mar 12, 2026
69f6997
fix: prevent infinite DELETE amendment submissions in participant view
Strehk Mar 14, 2026
28498f8
fix: auto-withdraw pending amendments when DELETE amendment is accepted
Strehk Mar 14, 2026
d5194a6
fix: delete clause locks when paper is submitted to chair
Strehk Mar 14, 2026
764818b
fix: dark mode readability for comments section
Strehk Mar 14, 2026
6b400cd
fix: prevent duplicate amendment submissions and add DELETE confirmat…
Strehk Mar 14, 2026
c6b953c
fix: dark mode readability for amendment type dropdown
Strehk Mar 14, 2026
d8691ee
feat: add separate resolution text size slider for presentation view
Strehk Mar 14, 2026
0ddab61
fix: replace "Klausel" with "Absatz" in German translations
Strehk Mar 14, 2026
95a6a8b
fix: persist i18n language choice via cookie and add Portuguese locale
claude Mar 29, 2026
61d8931
chore: update inlang project .gitignore for v2.5+
claude Mar 29, 2026
acecf7e
feat: replace language toggle with modal picker showing flags and names
claude Mar 29, 2026
c1fad63
fix: switch i18n from URL-based to cookie-based locale strategy
Strehk Apr 3, 2026
d90d6b7
fix: make home page and Tailwind dark: prefix compatible with DaisyUI
Strehk Apr 3, 2026
919732f
feat: add per-conference toggle to enable/disable resolution features
Strehk Apr 3, 2026
24d1d5a
feat: resolution feature toggle, operative clause tracking, launcher …
Strehk Apr 3, 2026
bdb2d3a
fix: update trivy-action from 0.34.0 to 0.35.0
Strehk Apr 3, 2026
8919274
fix: add missing resolutionFeatureEnabled to query and pt.json
Strehk Apr 3, 2026
fcf9dfc
feat: Add Portuguese language support to CHASE (#331)
Strehk Apr 3, 2026
69c2ecb
chore: ignore kysely and picomatch CVEs in Trivy
Strehk Apr 3, 2026
7523844
Merge branch 'feat/resolution-editor-integration' of https://github.c…
Strehk Apr 3, 2026
92b142c
fix: filter empty strings from admin whitelist env vars
Strehk Apr 3, 2026
21355de
feat: add conference deletion for global admins with confirmation modal
Strehk Apr 3, 2026
d3df198
refactor: move authorization from global email whitelist to conferenc…
Strehk Apr 3, 2026
ae83960
fix: add missing pt.json i18n keys and add i18n check to pre-push hook
Strehk Apr 3, 2026
72e1fad
Update Portuguese Language Set
Strehk Apr 5, 2026
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
@@ -51,7 +51,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-bun
- uses: aquasecurity/trivy-action@0.34.0
- uses: aquasecurity/trivy-action@0.35.0
with:
scan-type: 'fs'
scan-ref: '.'
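Review bot: `uses: aquasecurity/trivy-action@0.35.0` pins a third-party action by a mutable tag, here and in the image-scan step further down in the same workflow; for an action that runs inside CI with repository checkout, pin the full commit SHA of the 0.35.0 release and keep the version as a trailing comment (`- uses: aquasecurity/trivy-action@<commit-sha> # v0.35.0`, sha to be filled in from the release) so a moved tag cannot change what the workflow executes.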
@@ -148,7 +148,7 @@ jobs:
- id: split-tags
run: echo "fragment=$(echo "${DOCKER_METADATA_OUTPUT_TAGS}" | head -n 1)" >> "$GITHUB_OUTPUT"

- uses: aquasecurity/trivy-action@0.34.0
- uses: aquasecurity/trivy-action@0.35.0
with:
image-ref: ${{ steps.split-tags.outputs.fragment }}
format: 'table'
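Review bot: the visible context of the image-scan step shows only `image-ref` and `format: 'table'`; given how many suppressions this PR adds to `.trivyignore`, confirm that the step's `exit-code` and `severity` inputs (outside this hunk) still fail the job on unsuppressed HIGH/CRITICAL findings, otherwise the image scan is report-only and the ignore list has no gating effect.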
20 changes: 19 additions & 1 deletion .trivyignore
@@ -94,15 +94,18 @@ CVE-2025-68973
# libpam: directory traversal - PAM auth not used by Node.js/Bun runtime
CVE-2025-6020

# minimatch: ReDoS via crafted glob patterns - transitive dep, not exposed to user input
# minimatch: ReDoS via crafted glob patterns - transitive dev dep (ESLint), not exposed to user input
CVE-2026-26996
CVE-2026-27903
CVE-2026-27904
Comment on lines +97 to +100

@coderabbitai coderabbitai bot Mar 10, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package manifests =="
fd '^(package\.json)$' -x sh -c '
  for f do
    echo "--- $f ---"
    rg -n -C2 "\"(dependencies|devDependencies|optionalDependencies|peerDependencies)\"" "$f" || true
    rg -n -C2 "\"(minimatch|tar|devalue)\"" "$f" || true
  done
' sh {}

echo
echo "== lockfiles mentioning the ignored packages =="
fd '^(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|bun\.lockb?)$' -x sh -c '
  for f do
    echo "--- $f ---"
    rg -n -C2 "(^|[\"/@])(minimatch|tar|devalue)(@|[\"/ :])" "$f" || true
  done
' sh {}

Repository: DeutscheModelUnitedNations/munify-chase



🏁 Script executed:

# Read the .trivyignore file to see the exact entries and context
cat -n .trivyignore | sed -n '90,130p'



🏁 Script executed:

# Search for tar package in manifests and lockfiles
rg -n '"tar"' package.json || echo "tar not found in package.json"
rg -n '"tar"' bun.lock | head -20



Document the bare CVE suppressions at lines 123-124 and scope key production dependencies via PURL.

Lines 123-124 contain CVE IDs with no adjacent context, rationale, or removal timeline—these should either be documented with their package/dependency path and a removal date, or moved to a YAML .trivyignore.yaml format using purls, expired_at, and statement. While minimatch (lines 97-100) and tar (lines 102-108) already have explanatory comments noting they are transitive build/dev dependencies, devalue (checked at line 108) is actually a production dependency in package.json, so global CVE suppression by ID alone risks masking the same advisory if it later appears in another production supply chain. Trivy's YAML format supports scoping suppressions to specific package URIs and expiry dates, which is more maintainable than bare CVE IDs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.trivyignore around lines 97 - 100, The three bare CVE entries
(CVE-2026-26996, CVE-2026-27903, CVE-2026-27904) must be converted from
undifferentiated ignores into documented, scoped suppressions: either add
adjacent comments explaining the affected package(s), why they are safe, and a
removal/expiry date, or move them into a .trivyignore.yaml entry using purls,
expired_at and statement fields; specifically scope the suppression for the
production dependency "devalue" (rather than global CVE-only ignores) and keep
existing comments for transitive dev deps "minimatch" and "tar" as-is, so future
occurrences of the same CVE in production supply chains are not accidentally
masked.

Member Author


Acknowledged — documentation/style preference for .trivyignore. Not a code issue. Skipping.


Generated by Claude Code


# node-tar: symlink poisoning, path traversal, race condition, hardlink exploits
# tar is a transitive build/install dep, not used to extract untrusted archives at runtime
CVE-2026-23745
CVE-2026-23950
CVE-2026-24842
CVE-2026-26960
CVE-2026-29786

# TODO: Remove these ignores once fixed

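Review bot: every entry in this hunk suppresses by CVE ID alone, which Trivy applies globally; the comments justify `minimatch` as a transitive dev dependency of ESLint and node-tar as a build/install dependency, but an ID-only ignore also hides the same advisory if the package turns up in the scanned container image, assuming the same `.trivyignore` is picked up by the image-scan step. The closing `# TODO: Remove these ignores once fixed` carries no date or fixed-version condition, so nothing will ever prompt removal. Suggest moving these to `.trivyignore.yaml`, where each entry can carry `purls: ["pkg:npm/minimatch"]`, an `expired_at` date and a `statement`, so the suppression is scoped to the dependency the comment reasons about and expires on its own.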
@@ -115,3 +118,18 @@ CVE-2025-64756
# Check: Update base image when Debian 12.12 is released (fixes libc 2.36-9+deb12u11)
# Remove this ignore once base image is updated
CVE-2025-4802


CVE-2026-22774
CVE-2026-22775
CVE-2026-31802
CVE-2026-25679
CVE-2026-27142

# kysely: SQL injection via JSON path keys / backslash escaping in sql.lit()
# Transitive dep of @inlang/sdk (i18n tooling), not used in app code. Uses internal SQLite only.
CVE-2026-32763
CVE-2026-33468

# picomatch: ReDoS via crafted extglob patterns - transitive dep of rollup/micromatch, build-time only
CVE-2026-33671
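Review bot: new lines 123-127 (`CVE-2026-22774`, `CVE-2026-22775`, `CVE-2026-31802`, `CVE-2026-25679`, `CVE-2026-27142`) are added with no package name or rationale, unlike the kysely and picomatch blocks right below them that follow the file's `# package: reason` convention. The commit list on this PR says devalue was updated to 5.6.3 to resolve CVE-2026-22774 and a second CVE; if that upgrade landed, the ignores for those IDs are dead and should be dropped rather than left as a permanent blanket suppression on a production dependency, and the remaining three need a comment naming the package and why the finding does not apply.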
2 changes: 1 addition & 1 deletion CLAUDE.md
@@ -72,7 +72,7 @@ bun run preview # Preview production build

- **IDs**: nanoid with 30 characters, no lookalike chars (see `src/lib/helpers/nanoid.ts`)
- **Database columns**: snake_case (configured in Drizzle)
- **i18n**: Messages in `messages/de.json` and `messages/en.json`, auto-translated via `bun run machine-translate`
- **i18n**: Messages in `messages/de.json`, `messages/en.json`, and `messages/pt.json`, auto-translated via `bun run machine-translate`
- **Styling**: Tailwind CSS with DaisyUI components, DMUN corporate identity package

## Authentication
2 changes: 1 addition & 1 deletion Dockerfile.bun
@@ -1,4 +1,4 @@
FROM oven/bun:1.2-slim AS base
FROM oven/bun:1.3-slim AS base

FROM base AS dependencies
WORKDIR /build/dependencies
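Review bot: `FROM oven/bun:1.3-slim AS base` still uses a floating tag, so two builds of the same commit can resolve to different base images; since `.trivyignore` already contains an entry whose removal depends on a base-image update (the Debian 12.12 / libc note), base-image drift clearly matters for this repository. Pin by digest as well (`FROM oven/bun:1.3-slim@sha256:<digest> AS base`, digest taken from the registry at pin time) so the image that CI scanned is the image that gets rebuilt.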
2 changes: 1 addition & 1 deletion Dockerfile.node
@@ -26,7 +26,7 @@ COPY . .
RUN bun run build
RUN bun run check

FROM node:24.0-slim AS release
FROM node:24-slim AS release
WORKDIR /app/release

ARG VERSION
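Review bot: the change from `FROM node:24.0-slim AS release` to `FROM node:24-slim AS release` widens the release-stage pin from one 24.0 patch line to the whole 24.x series, and the commit message ("Update Node image") does not say that this loosening is intentional. If the goal is to pick up Node security releases automatically, say so in the Dockerfile comment or commit, and pair the floating tag with a digest pin updated by tooling, so that the shipped runtime image, the one the CI image scan evaluates, does not change without a reviewable diff.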
67 changes: 66 additions & 1 deletion bun.lock

Large diffs are not rendered by default.

74 changes: 74 additions & 0 deletions docs/plans/phase-4-plan.md
@@ -0,0 +1,74 @@
# Phase 4: Support Re-evaluation + DR Ordering — Implementation Plan

**Status**: COMPLETED

## Summary

Enable chairs to open/close a support re-evaluation phase where delegates can add/remove support on Draft Resolutions. Add "Set Active DR" toggle for debate progression. Clear active DR on final vote. Real-time updates via committee pubsub.

---

## Implemented Changes

### Backend

1. **`src/api/handlers/paperSponsor.ts`** — Re-evaluation gate on `addSponsor`/`removeSponsor`
- For DR-status papers (`DRAFT_RESOLUTION`/`AMENDMENT_PHASE`), checks `supportReEvaluationOpen === true`
- `FINAL` papers always rejected

2. **`src/api/handlers/committee.ts`** — Validate `activeDraftResolutionId` + auto-close re-evaluation
- Added `clearActiveDraftResolution: Boolean` arg (needed because GraphQL nullable args can't distinguish `null` from "not sent")
- Validates paper exists, belongs to committee, has DR status
- Auto-closes re-evaluation when setting active DR
- `supportReEvaluationOpen` toggle fires existing committee pubsub

3. **`src/api/handlers/resolutionPaper.ts`** — Clear `activeDraftResolutionId` on final vote
- In `recordVoteResult`, after setting paper to `FINAL`, clears active DR if it matches
- Fires committee pubsub for real-time UI update

### Participant Data

4. **`src/routes/.../participant/[committeeId]/+layout.ts`** — Added `supportReEvaluationOpen` and `activeDraftResolutionId` to layout query

5. **`src/routes/.../participant/[committeeId]/committeeSubscription.ts`** — Added `supportReEvaluationOpen` and `activeDraftResolutionId` to subscription

6. **`src/routes/.../participant/[committeeId]/papers/+page.svelte`** — Start `ParticipantCommitteeSubscription.listen()` in `onMount`

7. **`src/routes/.../participant/[committeeId]/papers/[paperId]/+page.svelte`** — Start `ParticipantCommitteeSubscription.listen()` in `onMount`

### Chair UI

8. **`src/routes/.../(chairs)/resolutions/+page.svelte`**
- DaisyUI toggle (`toggle-success`) for setting/clearing active DR per card
- DaisyUI toggle (`toggle-warning`) for opening/closing support re-evaluation
- DR list sorts by sponsor count (desc) during re-evaluation, by `sequenceNumber` otherwise
- Highlighted sponsor counts during re-evaluation

### Participant UI

9. **`src/routes/.../participant/[committeeId]/papers/+page.svelte`**
- Active DR shown with green ring + badge
- Pulsing "Support Re-evaluation" badge when open
- Support/Withdraw toggle buttons per DR during re-evaluation
- Sponsor flags displayed on DR cards

10. **`src/routes/.../participant/[committeeId]/papers/[paperId]/+page.svelte`**
- DR support toggle on detail page during re-evaluation

### i18n

11. **`messages/en.json`** + **`messages/de.json`** — Added keys:
`supportReEvaluation`, `supportReEvaluationOpen`, `supportReEvaluationClosed`,
`supportDraftResolution`, `withdrawSupport`, `supporterCount`,
`setActiveDr`, `clearActiveDr`, `noActiveDr`, `activeDraftResolution`

---

## Key Design Decisions

- Reuse `paperSponsor` table — sponsors carry over from WP to DR
- Server-enforced re-evaluation gate (not just UI-hidden)
- `clearActiveDraftResolution` boolean arg for explicit null-setting via GraphQL
- Auto-close re-evaluation when setting an active DR
- Clear active DR on both final vote outcome and explicit chair action
- Committee pubsub drives all real-time updates (no separate subscription needed)
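Review bot: the Backend section records validation for `activeDraftResolutionId` (paper exists, belongs to the committee, has DR status) and a server-enforced gate on `addSponsor`/`removeSponsor`, but nowhere states who may toggle `supportReEvaluationOpen` or set/clear the active DR. Since the Key Design Decisions explicitly prefer server enforcement over UI hiding, the plan should also record the chair-only authorization check on the `committee.ts` mutation (and on `revertPaperStatus`/vote recording if they share it), so a reviewer can verify that a participant cannot open re-evaluation or change the active DR by calling the mutation directly.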