The repo was authored prettier-style (trailing-comma 'all') but .oxfmtrc.json
was set to 'es5', so every formatted file diverged. Switch the config to 'all'
to match the existing code, ignore docs/** and **/drizzle/** (prose + generated
snapshots the formatter should not own), and reformat the source tree once for
consistency. No behavioural change; all suites green (api 60, worker 28, admin 21).
Finalize the pause-accounting + reorderable-handelingen + login-tab-fix
feature: session log (goal/work/verification/outcome), a one-line roadmap
status note, and an oxfmt pass over the changed files that strips a stray
trailing comma after the last call argument in the worker Stopwatch (es5
trailing-comma style) — pure formatting, tests stay green.
The Instellingen tab was activity management, which Phase 2 made admin-only —
workers saw add/edit/delete controls that all 403. Replace it with an Account
tab showing the signed-in name/email (via /api/me) and an Uitloggen button
(wires the existing AuthContext signOut). Activity management belongs to the
Phase 3 admin app, so the worker client drops the Settings screen and its
now-unused activity-mutation hooks (useActivities read stays).
Products affected: SoleLog worker client (apps/worker).
db:seed now also creates a ready-made dev account via better-auth (properly
hashed), idempotent, and SKIPPED when NODE_ENV=production so no known-password
account ships to prod. Credentials: worker@solelog.local / werkplaats123.
Documented in the worker README. API tests 37/37 green; verified live (sign-in
returns a bearer token; /api/me returns the user).
Phone/LAN testing previously required editing both app.ts (cors origin) and
auth.ts (better-auth trustedOrigins). Now both read env.WEB_ORIGINS, parsed from
a comma-separated CORS_ORIGINS env var (default http://localhost:5173). To test
from a phone, set CORS_ORIGINS to include the LAN origin and restart the API — no
code edit. Documented in .env.example. Also fixed the worker README (db:migrate
creates ./data/app.db, not ./.tmp; phone step now uses CORS_ORIGINS). API tests
36/36 green; typecheck clean.
