Build Log — February 6, 2026

Context / Focus for Today

Security hardening in preparation for public beta. Plan engine improvements with goal time input driving pace derivation. AI coach gets better at handling user corrections and date moves. Major codebase cleanup with 464 ESLint errors resolved.


Things I Got Done Today

Security Hardening

Locked down API routes and auth for public beta readiness.

  • security: harden API routes and auth for public beta — comprehensive audit and fixes
  • fix: close SSRF in Strava webhook subscribe, add HSTS header — prevented a server-side request forgery vulnerability
  • fix: revert required webhook secret, validate garmin-client-id instead

Goal Time → Training Paces

New feature: enter a goal time and the system derives all training paces automatically.

  • PR #296 feat: add goal time input to derive training paces for prebuilt plans — users enter goal marathon/half time, system computes zone paces
  • feat(plan-engine): wire pace targets into workouts, expose qualityWorkoutsPerWeek to AI

Plan Engine Improvements

More control over plan generation parameters.

  • PR #297 feat(engine): add qualityWorkoutsPerWeek override — control how many hard sessions per week
  • feat(plan-engine): add durationWeeks parameter for longer plans — support for 20+ week plans
  • fix(plan-engine): better validation for race dates
  • fix: show friendly error when race date is less than 4 weeks away

AI Coach Improvements

Better handling of user corrections and workout date changes.

  • PR #298 fix: add explicit guidance for handling user corrections in AI coach — when users say "no, I meant X", the AI now handles it gracefully
  • feat(ai): add newDate field to update_workouts for atomic date moves — cleaner workout rescheduling
  • fix: handle empty AI message strings in chat responses

Landing Page

  • feat: add competitor comparison chart to landing page — shows feature matrix vs TrainingPeaks, Final Surge, etc.
  • fix: correct comparison chart claims for TrainingPeaks export and Final Surge pricing
  • fix: landing page UI/UX audit — mobile responsiveness, a11y, polish
  • docs: add landing page UI/UX audit section to FORGARRICK.md

Code Quality

Major cleanup of the codebase.

  • PR #295 fix: resolve all 464 ESLint errors via config and targeted fixes — massive cleanup
  • fix: use correct column names in training load API query
  • fix: type cast steps array in debug workout-export-test route
  • fix: resolve remaining TS errors in debug workout-export-test route
  • fix: type cast unknown segments in debug route
  • fix: handle unknown error type in activity batch upsert

Bug Fixes

  • fix: persist AI coach suggestions to localStorage — suggestions survive page refresh
  • fix: update weekly totals button to show/hide state
  • fix: stabilize flaky 30-day range test in garmin-sync

Merges

  • PR #293 feat: e2e tests and backfill script
  • PR #294 fix: persist AI suggestions

Commits Today

  • 6 PRs merged (#293, #294, #295, #296, #297, #298)
  • Major: Security hardening for public beta (SSRF fix, auth audit)
  • Major: Goal time input → automatic pace derivation
  • Major: 464 ESLint errors eliminated
  • Plan engine: durationWeeks, qualityWorkoutsPerWeek controls
  • AI coach: Better correction handling, atomic date moves

Notes / Observations

  • Security before launch. Found and fixed an SSRF vulnerability in Strava webhook subscription. Added HSTS. Hardened API routes across the board.
  • Goal time is the killer UX. Users think in "I want to run a 3:30 marathon" — now we derive all training paces from that single input. No zone calculators needed.
  • ESLint cleanup was overdue. 464 errors is a lot of debt. Config adjustments + targeted fixes got us to zero. CI will catch regressions now.
  • AI correction handling was a gap — when users said "no, I meant Tuesday not Thursday", the AI would sometimes double-book. Added explicit guidance in the system prompt.

Momentum Score: 9 / 10

Security hardening puts us in good shape for public beta. Goal time input is a real UX win — simple input, smart derivation. Plan engine now supports longer durations and quality workout frequency control. The 464 ESLint errors cleanup was satisfying. Strong day across security, features, and code quality.