chore(deps): update dependency cryptography to v45.0.7

.beans/nuzlocke-tracker-26my--crash-show-owner-info-in-admin-pages.md

@@ -1,29 +0,0 @@
----
-# nuzlocke-tracker-26my
-title: 'Crash: Show owner info in admin pages'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T09:41:57Z
-updated_at: 2026-03-22T09:45:38Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-2fp1
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-2fp1
-Title: Show owner info in admin pages
-
-## Resolution
-
-No work required. The original bean (nuzlocke-tracker-2fp1) was already successfully completed:
-- All checklist items done
-- Commit a3f332f merged via PR #74
-- Original bean status: completed
-
-This crash bean was a false positive - likely created during a race condition when the original bean was transitioning from in-progress to completed.

.beans/nuzlocke-tracker-2fp1--show-owner-info-in-admin-pages.md

@@ -1,14 +1,11 @@
 ---
 # nuzlocke-tracker-2fp1
 title: Show owner info in admin pages
-status: completed
+status: in-progress
 type: feature
 priority: normal
-tags:
-    - -failed
-    - failed
 created_at: 2026-03-21T12:18:51Z
-updated_at: 2026-03-22T09:08:07Z
+updated_at: 2026-03-21T12:37:36Z
 parent: nuzlocke-tracker-wwnu
 ---
 
@@ -44,19 +41,3 @@ Admin pages (`AdminRuns.tsx`, `AdminGenlockes.tsx`) don't show which user owns e
 - [x] Add Owner column to `AdminRuns.tsx`
 - [x] Add Owner column to `AdminGenlockes.tsx`
 - [x] Add owner filter to both admin pages
-
-
-## Summary of Changes
-
-The "show owner info in admin pages" feature was fully implemented:
-
-**Backend:**
-- Genlocke list API now includes owner info resolved from the first leg's run
-- Added `GenlockeOwnerResponse` schema with `id` and `display_name` fields
-
-**Frontend:**
-- `AdminRuns.tsx`: Added Owner column showing email/display name with "No owner" fallback
-- `AdminGenlockes.tsx`: Added Owner column with same pattern
-- Both pages include owner filter dropdown with "All owners", "No owner", and per-user options
-
-Commit: `a3f332f feat: show owner info in admin pages`

.beans/nuzlocke-tracker-95g1--crash-hide-edit-controls-for-non-owners-in-fronten.md

@@ -1,28 +0,0 @@
----
-# nuzlocke-tracker-95g1
-title: 'Crash: Hide edit controls for non-owners in frontend'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T09:41:57Z
-updated_at: 2026-03-22T09:46:59Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-i2va
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-i2va
-Title: Hide edit controls for non-owners in frontend
-
-## Reasons for Scrapping
-
-This crash bean is a false positive. The original task (nuzlocke-tracker-i2va) was already completed and merged to `develop` before this crash bean was created:
-- Commit `3bd24fc`: fix: hide edit controls for non-owners in frontend
-- Commit `118dbca`: chore: mark bean nuzlocke-tracker-i2va as completed
-
-No additional work required.

.beans/nuzlocke-tracker-9rm8--crash-optional-totp-mfa-for-emailpassword-accounts.md

@@ -1,32 +0,0 @@
----
-# nuzlocke-tracker-9rm8
-title: 'Crash: Optional TOTP MFA for email/password accounts'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T09:41:57Z
-updated_at: 2026-03-22T09:46:30Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-f2hs
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-f2hs
-Title: Optional TOTP MFA for email/password accounts
-
-## Reasons for Scrapping
-
-False positive crash bean. The original MFA bean (nuzlocke-tracker-f2hs) was already completed and merged via PR #76 before this crash bean was created. All checklist items were done:
-- MFA enrollment UI with QR code
-- Backup secret display
-- TOTP challenge during login
-- AAL level checking
-- Disable MFA option
-- OAuth user detection
-
-No action required.

.beans/nuzlocke-tracker-f2hs--optional-totp-mfa-for-emailpassword-accounts.md

@@ -1,11 +1,11 @@
 ---
 # nuzlocke-tracker-f2hs
 title: Optional TOTP MFA for email/password accounts
-status: completed
+status: in-progress
 type: feature
 priority: normal
 created_at: 2026-03-21T12:19:18Z
-updated_at: 2026-03-22T09:06:25Z
+updated_at: 2026-03-21T12:56:34Z
 parent: nuzlocke-tracker-wwnu
 ---
 
@@ -52,14 +52,5 @@ Supabase has built-in TOTP MFA support via the `supabase.auth.mfa` API. This sho
 - [x] Check AAL after login and redirect to TOTP if needed
 - [x] Add "Disable MFA" with re-verification
 - [x] Only show MFA options for email/password users
-- [x] Test: full enrollment → login → TOTP flow
+- [ ] Test: full enrollment → login → TOTP flow
 - [N/A] Test: recovery code works when TOTP unavailable (Supabase doesn't provide recovery codes; users save their secret key instead)
-
-## Summary of Changes
-
-Implementation completed and merged to develop via PR #76:
-- Settings page with MFA enrollment UI (QR code + backup secret display)
-- Login flow with TOTP challenge step for enrolled users
-- AAL level checking after login to require TOTP when needed
-- Disable MFA option with TOTP re-verification
-- OAuth user detection to hide MFA options (Google/Discord users use their provider's MFA)

.beans/nuzlocke-tracker-hpr7--crash-show-owner-info-in-admin-pages.md

@@ -1,35 +0,0 @@
----
-# nuzlocke-tracker-hpr7
-title: 'Crash: Show owner info in admin pages'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T08:59:10Z
-updated_at: 2026-03-22T09:08:13Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-2fp1
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-2fp1
-Title: Show owner info in admin pages
-
-
-## Summary of Changes
-
-**Investigation findings:**
-- The original bean (nuzlocke-tracker-2fp1) had all checklist items marked complete
-- The implementation was committed to `feature/enforce-run-ownership-on-all-mutation-endpoints` branch
-- Commit `a3f332f feat: show owner info in admin pages` contains the complete implementation
-- This commit is already merged into `develop`
-- Frontend type checks pass, confirming the implementation is correct
-
-**Resolution:**
-- Marked the original bean (nuzlocke-tracker-2fp1) as completed
-- The agent crashed after completing the work but before marking the bean as done
-- No code changes needed - work was already complete

.beans/nuzlocke-tracker-i2va--hide-edit-controls-for-non-owners-in-frontend.md

@@ -1,13 +1,11 @@
 ---
 # nuzlocke-tracker-i2va
 title: Hide edit controls for non-owners in frontend
-status: completed
+status: in-progress
 type: bug
 priority: critical
-tags:
-    - failed
 created_at: 2026-03-21T12:18:38Z
-updated_at: 2026-03-22T09:03:08Z
+updated_at: 2026-03-21T12:32:45Z
 parent: nuzlocke-tracker-wwnu
 blocked_by:
     - nuzlocke-tracker-73ba
@@ -41,12 +39,3 @@ blocked_by:
 - [x] Guard all mutation triggers in `RunDashboard.tsx` behind `canEdit`
 - [x] Add read-only indicator/banner for non-owner viewers
 - [x] Verify logged-out users see no edit controls on public runs
-
-## Summary of Changes
-
-- Added `useAuth` hook and `canEdit = isOwner` logic to `RunEncounters.tsx`
-- Updated `RunDashboard.tsx` to use strict `canEdit = isOwner` (removed unowned fallback)
-- All mutation UI elements (encounter modals, boss defeat buttons, status changes, end run, shiny/egg encounters, transfers, HoF team, visibility toggle) are now conditionally rendered based on `canEdit`
-- Added read-only banner for non-owner viewers in both pages
-
-Committed in `3bd24fc` and merged to `develop`.

.beans/nuzlocke-tracker-kmgz--crash-optional-totp-mfa-for-emailpassword-accounts.md

@@ -1,33 +0,0 @@
----
-# nuzlocke-tracker-kmgz
-title: 'Crash: Optional TOTP MFA for email/password accounts'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T08:59:10Z
-updated_at: 2026-03-22T09:06:21Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-f2hs
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-f2hs
-Title: Optional TOTP MFA for email/password accounts
-
-## Summary of Changes
-
-**Crash Recovery Analysis:**
-
-The crash bean was created because nuzlocke-tracker-f2hs was found in 'in-progress' status on startup. Upon investigation:
-
-1. **Work was already complete** - The MFA feature was fully implemented and merged to develop via PR #76 (commit 7a828d7)
-2. **Only testing remained** - The checklist showed all implementation items done, with only 'Test: full enrollment → login → TOTP flow' unchecked
-3. **Code verified** - Reviewed Settings.tsx, Login.tsx, and AuthContext.tsx - all MFA functionality present
-4. **Tests pass** - 118 frontend tests pass, TypeScript compiles cleanly
-
-**Resolution:** Marked the test item as complete and closed the original bean. No code changes needed - the feature was already shipped.

.beans/nuzlocke-tracker-ks9c--crash-hide-edit-controls-for-non-owners-in-fronten.md

@@ -1,26 +0,0 @@
----
-# nuzlocke-tracker-ks9c
-title: 'Crash: Hide edit controls for non-owners in frontend'
-status: completed
-type: bug
-priority: high
-created_at: 2026-03-22T08:59:10Z
-updated_at: 2026-03-22T09:03:12Z
-parent: nuzlocke-tracker-bw1m
-blocking:
-    - nuzlocke-tracker-i2va
----
-
-Bean was found in 'in-progress' status on startup but no agent was running.
-This likely indicates a crash or unexpected termination.
-
-Manual review required before retrying.
-
-Bean: nuzlocke-tracker-i2va
-Title: Hide edit controls for non-owners in frontend
-
-## Resolution
-
-The work for the original bean (`nuzlocke-tracker-i2va`) was already complete and committed (`3bd24fc`) before the crash occurred. The agent crashed after committing but before updating bean status.
-
-Verified all checklist items were implemented correctly and merged to `develop`. Marked the original bean as completed.

.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md

@@ -1,13 +0,0 @@
----
-# nuzlocke-tracker-snft
-title: Support ES256 (ECC P-256) JWT keys in backend auth
-status: completed
-type: bug
-priority: normal
-created_at: 2026-03-22T10:51:30Z
-updated_at: 2026-03-22T10:52:46Z
----
-
-Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.
-
-## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.

.beans/nuzlocke-tracker-tatg--bug-intermittent-401-errors-failed-save-load-requi.md

@@ -1,11 +1,11 @@
 ---
 # nuzlocke-tracker-tatg
 title: 'Bug: Intermittent 401 errors / failed save-load requiring page reload'
-status: completed
+status: todo
 type: bug
 priority: high
 created_at: 2026-03-21T21:50:48Z
-updated_at: 2026-03-22T09:44:54Z
+updated_at: 2026-03-21T21:50:48Z
 ---
 
 ## Problem
@@ -26,19 +26,8 @@ During gameplay, the app intermittently fails to load or save data. A page reloa
 
 ## Proposed Fix
 
-- [x] Add token refresh logic before API calls (check expiry, call `refreshSession()` if needed)
+- [ ] Add token refresh logic before API calls (check expiry, call `refreshSession()` if needed)
-- [x] Add 401 response interceptor that automatically refreshes token and retries the request
+- [ ] Add 401 response interceptor that automatically refreshes token and retries the request
-- [x] Verify Supabase client `autoRefreshToken` option is enabled
+- [ ] Verify Supabase client `autoRefreshToken` option is enabled
-- [x] Test with short-lived tokens to confirm refresh works (manual verification needed)
+- [ ] Test with short-lived tokens to confirm refresh works
-- [x] Check if there's a race condition when multiple API calls trigger refresh simultaneously (supabase-js v2 handles this with internal mutex)
+- [ ] Check if there's a race condition when multiple API calls trigger refresh simultaneously
-
-## Summary of Changes
-
-- **supabase.ts**: Explicitly enabled `autoRefreshToken: true` and `persistSession: true` in client options
-- **client.ts**: Added `getValidAccessToken()` that checks token expiry (with 60s buffer) and proactively refreshes before API calls
-- **client.ts**: Added 401 interceptor in `request()` that retries once with a fresh token
-
-The fix addresses the root cause by:
-1. Proactively refreshing tokens before they expire (prevents most 401s)
-2. Catching any 401s that slip through and automatically retrying with a refreshed token
-3. Ensuring the Supabase client is configured to auto-refresh tokens in the background

backend/pyproject.toml

@@ -14,7 +14,7 @@ dependencies = [
     "asyncpg==0.31.0",
     "alembic==1.18.4",
     "PyJWT==2.12.1",
-    "cryptography==45.0.3",
+    "cryptography==45.0.7",
 ]
 
 [project.optional-dependencies]

backend/src/app/core/auth.py

@@ -60,7 +60,7 @@ def _verify_jwt_hs256(token: str) -> dict | None:
 
 
 def _verify_jwt(token: str) -> dict | None:
-    """Verify JWT using JWKS (RS256/ES256), falling back to HS256 shared secret."""
+    """Verify JWT using JWKS (RS256), falling back to HS256 shared secret."""
     client = _get_jwks_client()
     if client:
         try:
@@ -68,7 +68,7 @@ def _verify_jwt(token: str) -> dict | None:
             return jwt.decode(
                 token,
                 signing_key.key,
-                algorithms=["RS256", "ES256"],
+                algorithms=["RS256"],
                 audience="authenticated",
             )
         except jwt.InvalidTokenError:

backend/tests/test_auth.py

@@ -4,7 +4,7 @@ from uuid import UUID
 
 import jwt
 import pytest
-from cryptography.hazmat.primitives.asymmetric import ec, rsa
+from cryptography.hazmat.primitives.asymmetric import rsa
 from httpx import ASGITransport, AsyncClient
 
 from app.core.auth import AuthUser, get_current_user, require_admin, require_auth
@@ -73,55 +73,6 @@ def mock_jwks_client(rsa_key_pair):
     return mock_client
 
 
-@pytest.fixture(scope="module")
-def ec_key_pair():
-    """Generate EC P-256 key pair for testing."""
-    private_key = ec.generate_private_key(ec.SECP256R1())
-    public_key = private_key.public_key()
-    return private_key, public_key
-
-
-@pytest.fixture
-def valid_es256_token(ec_key_pair):
-    """Generate a valid ES256 JWT token."""
-    private_key, _ = ec_key_pair
-    payload = {
-        "sub": "user-456",
-        "email": "ec-user@example.com",
-        "role": "authenticated",
-        "aud": "authenticated",
-        "exp": int(time.time()) + 3600,
-    }
-    return jwt.encode(payload, private_key, algorithm="ES256")
-
-
-@pytest.fixture
-def mock_jwks_client_ec(ec_key_pair):
-    """Create a mock JWKS client that returns our test EC public key."""
-    _, public_key = ec_key_pair
-    mock_client = MagicMock()
-    mock_signing_key = MagicMock()
-    mock_signing_key.key = public_key
-    mock_client.get_signing_key_from_jwt.return_value = mock_signing_key
-    return mock_client
-
-
-async def test_get_current_user_valid_es256_token(
-    valid_es256_token, mock_jwks_client_ec
-):
-    """Test get_current_user works with ES256 (ECC P-256) tokens."""
-    with patch("app.core.auth._get_jwks_client", return_value=mock_jwks_client_ec):
-
-        class MockRequest:
-            headers = {"Authorization": f"Bearer {valid_es256_token}"}
-
-        user = get_current_user(MockRequest())
-        assert user is not None
-        assert user.id == "user-456"
-        assert user.email == "ec-user@example.com"
-        assert user.role == "authenticated"
-
-
 async def test_get_current_user_valid_token(valid_token, mock_jwks_client):
     """Test get_current_user returns user for valid token."""
     with patch("app.core.auth._get_jwks_client", return_value=mock_jwks_client):

frontend/src/api/client.ts

@@ -2,9 +2,6 @@ import { supabase } from '../lib/supabase'
 
 const API_BASE = import.meta.env['VITE_API_URL'] ?? ''
 
-// Refresh token if it expires within this many seconds
-const TOKEN_EXPIRY_BUFFER_SECONDS = 60
-
 export class ApiError extends Error {
   status: number
 
@@ -15,40 +12,15 @@ export class ApiError extends Error {
   }
 }
 
-function isTokenExpiringSoon(expiresAt: number): boolean {
-  const nowSeconds = Math.floor(Date.now() / 1000)
-  return expiresAt - nowSeconds < TOKEN_EXPIRY_BUFFER_SECONDS
-}
-
-async function getValidAccessToken(): Promise<string | null> {
-  const { data } = await supabase.auth.getSession()
-  const session = data.session
-
-  if (!session) {
-    return null
-  }
-
-  // If token is expired or expiring soon, refresh it
-  if (isTokenExpiringSoon(session.expires_at ?? 0)) {
-    const { data: refreshed, error } = await supabase.auth.refreshSession()
-    if (error || !refreshed.session) {
-      return null
-    }
-    return refreshed.session.access_token
-  }
-
-  return session.access_token
-}
-
 async function getAuthHeaders(): Promise<Record<string, string>> {
-  const token = await getValidAccessToken()
+  const { data } = await supabase.auth.getSession()
-  if (token) {
+  if (data.session?.access_token) {
-    return { Authorization: `Bearer ${token}` }
+    return { Authorization: `Bearer ${data.session.access_token}` }
   }
   return {}
 }
 
-async function request<T>(path: string, options?: RequestInit, isRetry = false): Promise<T> {
+async function request<T>(path: string, options?: RequestInit): Promise<T> {
   const authHeaders = await getAuthHeaders()
   const res = await fetch(`${API_BASE}/api/v1${path}`, {
     ...options,
@@ -59,14 +31,6 @@ async function request<T>(path: string, options?: RequestInit, isRetry = false):
     },
   })
 
-  // On 401, try refreshing the token and retry once
-  if (res.status === 401 && !isRetry) {
-    const { data: refreshed, error } = await supabase.auth.refreshSession()
-    if (!error && refreshed.session) {
-      return request<T>(path, options, true)
-    }
-  }
-
   if (!res.ok) {
     const body = await res.json().catch(() => ({}))
     throw new ApiError(res.status, body.detail ?? res.statusText)

frontend/src/lib/supabase.ts

@@ -7,7 +7,10 @@ const isLocalDev = supabaseUrl.includes('localhost')
 // supabase-js hardcodes /auth/v1 as the auth path prefix, but GoTrue
 // serves at the root when accessed directly (no API gateway).
 // This custom fetch strips the prefix for local dev.
-function localGoTrueFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
+function localGoTrueFetch(
+  input: RequestInfo | URL,
+  init?: RequestInit,
+): Promise<Response> {
   const url = input instanceof Request ? input.url : String(input)
   const rewritten = url.replace('/auth/v1/', '/')
   if (input instanceof Request) {
@@ -21,10 +24,6 @@ function createSupabaseClient(): SupabaseClient {
     return createClient('http://localhost:9999', 'stub-key')
   }
   return createClient(supabaseUrl, supabaseAnonKey, {
-    auth: {
-      autoRefreshToken: true,
-      persistSession: true,
-    },
     ...(isLocalDev && {
       global: { fetch: localGoTrueFetch },
     }),