- New BugReport MongoDB model (comment, contact, userId, screenshot, pmState, status)
- POST /api/bug-reports — authenticated submit; emails emanuel@faktorxmensch.com on receipt
- GET/PATCH /api/admin/bug-reports + /[id] — admin list, detail with screenshot, status toggle
- /pm: "Bug" button in HUD captures viewport screenshot (html2canvas), shows annotation
  canvas where testers can draw arrows; submits comment + contact + state snapshot
- /admin: new "Bug Reports" tab with open-count badge, screenshot expand, "Erledigt" toggle,
  and "In /pm öffnen" link that restores captured engine state via ?restoreBugReport=<id>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The previous `vue-tsc --noEmit` step was a no-op: the root tsconfig uses
`files: []` with project references, so without `--build` it checks zero files
and always passes. Switch to `vue-tsc --build` (new `yarn typecheck` script)
and make the job blocking.
Fix the one error this surfaced: UsageEventDocument extended mongoose.Document,
whose `model` method collides with the `model: string` field. Use the
recommended pattern — a plain attrs interface passed to the Schema/Model
generics (hydrated docs still expose Document methods). Typecheck is now clean.
Bump actions/checkout@v5 and actions/setup-node@v5 to silence the Node.js 20
runtime deprecation (forced to Node 24 from 2026-06-16).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Usage tracking:
- new UsageEvent collection records every STT/TTS/LLM call per user with
  provider, model, volume (audio seconds, characters, tokens) and an
  estimated USD cost; self-hosted providers (Speaches/Piper) and cache
  hits record at $0
- pricing table for whisper-1, tts-1, gpt-5-nano & co. in server/utils/usage.ts
- weekly KPI mail gains an "AI-Nutzung & Kosten" section: weekly and
  rolling 30-day cost, per-kind breakdown, top 5 users by cost
- quota alert mail when rolling 30-day cost exceeds USAGE_ALERT_USD
  (default $5), at most once per calendar month (UsageAlertDelivery)

Hardening:
- /api/atc/say now requires an authenticated session (middleware
  exemption removed); useFlightLabAudio sends the bearer token
- /api/service/tools/latency requires auth (was a public LLM endpoint)
- per-user rate limits: PTT 20/min, say 60/min, latency 5/min
- cron endpoints (waitlist-drip, weekly-kpi-report) require a shared
  secret via ?secret= or x-cron-secret (CRON_SECRET, falls back to
  KPI_CRON_SECRET); allowed with a warning while unset so existing
  deployments keep working
- PTT records the actual transcribed audio duration for billing accuracy

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
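
The cron shared-secret check from the Hardening list above, as an added TypeScript example that is not the project's code. The env, query and header names come from the commit message; the function names, the header-before-query precedence and the constant-time comparison are assumptions.

```typescript
// Added example (not the project's code). Function and type names are hypothetical.
type Bag = Record<string, string | undefined>;
type CronAuth = { allowed: boolean; warning?: string };

// Compare without an early exit, so response timing does not reveal how many
// leading characters of a guess were correct.
function constantTimeEqual(a: string, b: string): boolean {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// env: process environment; query/headers: already-parsed request values
// (header names lower-cased, as Node delivers them).
function checkCronSecret(env: Bag, query: Bag, headers: Bag): CronAuth {
  // CRON_SECRET wins; KPI_CRON_SECRET is the fallback named in the commit.
  const expected = env["CRON_SECRET"] || env["KPI_CRON_SECRET"];
  if (!expected) {
    // Compatibility mode: an unset secret lets the request through, but the
    // caller should log this so the open endpoint is visible to operators.
    return { allowed: true, warning: "cron secret unset: endpoint is unauthenticated" };
  }
  // Assumption: the header is preferred over ?secret=, since query strings
  // tend to end up in access logs and proxy logs.
  const presented = headers["x-cron-secret"] ?? query["secret"] ?? "";
  return { allowed: constantTimeEqual(presented, expected) };
}
```

Once every deployment sets CRON_SECRET, the unset branch can return `allowed: false` instead of a warning.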