# Session: 2026-06-17 — Cleanup, Phase 1 (web client), dev account

## Goal
Lean the workspace down, then deliver Phase 1 (worker timing) as something testable fast.

## Work done
1. **Removed ngrok** (`@expo/ngrok` + 40 binaries) — IT-flagged tunneling tool from Expo. (`3f2c5f0`)
2. **Full cleanup** (workflow) — deleted the legacy Create export: `apps/mobile`, `apps/web`,
   `publisher/`, `previous work.md`, `.easignore`, `.eslintignore`, `.yarn/patches/`, and the
   mobile-only root `resolutions`/eslint devDeps. Port-worthy knowledge extracted first to
   `docs/reference/` (legacy-mobile-app / legacy-backend / legacy-lessons-and-gotchas). CLAUDE.md +
   roadmap updated for the single-backend repo. (`c720865`, `64f8b2f`, `384797d`)
3. Trimmed obsolete `.yarnrc.yml` logFilters — surfaced a real **drizzle/better-auth peer-version
   skew** (tracked as **SL-9**, non-blocking). (`4e9a966`)
4. **Phase 1** (workflow, after pivoting the client off Expo — see below):
   - **Backend** (`apps/api`): domain tables `activities` + `work_sessions` (migration 0001), zod
     contracts in `@solelog/shared`, user-scoped routes — activities CRUD, sessions
     start/stop/discard, history, active-recovery, CSV export, seed, CORS. (`5780998`→`35f9aa5`)
   - **Worker client** (`apps/worker`): fresh **Vite + React + TS PWA** (NO Expo), bearer-token auth,
     Dutch Stopwatch / Geschiedenis / Instellingen on the API. (`3511fd8`→`bd8e8af`)
   - CORS + trusted origins now from `CORS_ORIGINS` env (phone testing = config-only). (`34c48d6`)
   - **Dev login** seeded by `db:seed`: `worker@solelog.local` / `werkplaats123` (dev-only). (`ec2bb7e`)

## Key decision — client is a web app, NOT Expo
Maintainer prefers a non-Expo client (Expo brought ngrok + baggage). Built a Vite+React PWA instead.
Saved as memory `client-web-not-expo`. The first Phase 1 workflow (Expo) was stopped after its plan
commit (`27ae674`); relaunched on the web track.

## Current state — TESTABLE
- `apps/` = `api` + `worker` only. Working tree clean.
- Verified: API 37 tests + typecheck green; worker 24 tests + typecheck + `vite build` green; **live**
  end-to-end round-trip (auth → activities → start/stop session → history → CSV) all pass.
- Run it: terminal 1 `yarn workspace @solelog/api db:migrate; db:seed; start` (:3000); terminal 2
  `yarn workspace @solelog/worker dev` (:5173). Log in with the dev account above.

## Plane
- **SL-10** Phase 1 (+ SL-11 backend, SL-12 worker client) → **Done**.
- **SL-9** drizzle/better-auth peer mismatch → open (non-blocking).

## Known non-blocking items
- Set a real `BETTER_AUTH_SECRET` before any deploy (Phase 5).
- Activities are global until per-user/role scoping in **Phase 2**.
- CSV uses host timezone (carried from legacy).

## Next
**Phase 2 — Accounts & roles**: worker/admin roles, admin-creates-users, per-user data scoping.
(Its own spec → plan → build cycle. Roadmap: `docs/roadmap.md` §9.)