SvelteKit's built-in CSRF only allows one origin, breaking access via
NetBird/Yggdrasil/Tor IPs. Now:
- Disabled checkOrigin in svelte.config.js
- Custom CSRF in hooks.server.ts checks Origin against ALLOWED_ORIGINS
- ALLOWED_ORIGINS env var: comma-separated list of trusted origins
- Caddy no longer needs to rewrite Host/Origin headers
- Each access method (public domain, NetBird IP, Yggdrasil, Tor onion)
  just needs its URL added to ALLOWED_ORIGINS
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
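
An allow-list Origin check of the kind the commit message above describes, as an added example and not the project's hooks.server.ts. The function names and sample origins are constructed, and the scope (form submissions on unsafe methods only) is assumed to mirror SvelteKit's built-in check.

```typescript
// Added example; all names are hypothetical, not the project's hooks.server.ts.
const UNSAFE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Canonical form of "scheme://host[:port]": lowercase, no trailing slash,
// no explicit default port (browsers omit :443 / :80 in the Origin header).
function normalizeOrigin(value: string): string {
  return value.trim().toLowerCase().replace(/\/+$/, '')
    .replace(/^(https:\/\/[^\/]+):443$/, '$1')
    .replace(/^(http:\/\/[^\/]+):80$/, '$1');
}

// Parse the comma-separated ALLOWED_ORIGINS value. Entries that are not a bare
// http(s) origin (wildcards, paths, empty items) are dropped, never matched.
function parseAllowedOrigins(raw: string): string[] {
  const out: string[] = [];
  const parts = raw.split(',');
  for (let i = 0; i < parts.length; i++) {
    const o = normalizeOrigin(parts[i]);
    if (/^https?:\/\/[^\/\s]+$/.test(o) && out.indexOf(o) === -1) out.push(o);
  }
  return out;
}

// True when the request may proceed. Only form submissions on unsafe methods
// are checked (assumed scope, mirroring SvelteKit's built-in check); a missing
// Origin header or the literal "null" origin is refused.
function originAllowed(method: string, contentType: string | null,
                       origin: string | null, allowed: string[]): boolean {
  if (UNSAFE_METHODS.indexOf(method.toUpperCase()) === -1) return true;
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  if (FORM_TYPES.indexOf(type) === -1) return true;
  if (origin === null) return false;
  return allowed.indexOf(normalizeOrigin(origin)) !== -1;
}

// Constructed sample value for the ALLOWED_ORIGINS env var.
const SAMPLE_ALLOWED = parseAllowedOrigins(
  'https://inventory.example:443, http://100.64.0.10:3000/, ' +
  'http://[200:db8::1]:3000, http://constructedexample.onion, *');
```

In a `handle` hook, the caller would answer with a 403 response whenever `originAllowed` returns false.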
- Sidebar navItems uses $derived() so badge counts stay reactive
- const destructures (c, d, cd) use $derived() to track prop changes
- Added aria-label to hamburger and add-item buttons
- Filter state_referenced_locally warnings in svelte.config.js — these
  are intentional one-shot initializers for mutable form inputs
Result: 0 errors, 0 warnings, 0 files with problems.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SvelteKit + PostgreSQL app for tracking vintage computers, audio equipment,
components, and installation history. Features device/component CRUD, operation
logs, QR code labels, global search, image uploads, and dark mode.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>