FitBuddy-AI · we09532 · Dec 15, 2025 · Dec 15, 2025 · Dec 15, 2025 · Dec 15, 2025
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -95,3 +95,18 @@ When working on this project, prioritize user experience, type safety, and maint
 ## Compatibility Policy
 - **Do NOT add compatibility helpers or legacy mapping code:** Fail fast on missing columns or schema mismatches. Avoid adding server-side compatibility shims that map legacy `fitbuddyai_*` keys to new columns. These helpers create code bloat and hidden behavior; prefer explicit schema changes and migrations.
   - **Do NOT use local-file fallbacks or silent dev fallbacks in server code:** This project is production-first. Server code must require Supabase (or the configured production datastore) and fail loudly if it is not available. Do not add behavior that reads or writes local JSON files as a runtime fallback — that hides configuration problems and leads to inconsistent production behavior.
+
+
+FitBuddyAI Copilot Guidelines
+
+- This repository is production-grade and must be treated as such.
+- Do NOT add placeholder comments or TODOs that indicate unfinished production work.
+- Do NOT add comments that state "this is a placeholder" or similar developer-only notes.
+ - When the user requests a fix, implement the code change; do not respond by
+   only adding explanatory comments in the code instead of performing the
+   requested fix.
+- All code added should be runnable, properly tested, and follow existing project patterns.
+- If a dev-only helper is required, clearly gate it behind NODE_ENV checks and provide a corresponding test or cleanup plan.
+- Sensitive configuration must be stored in environment variables; do not hard-code secrets.
+
+Rationale: This project is deployed to production environments and security, clarity, and maintainability are required. Keep contributions focused and production-ready.
diff --git a/.github/workflows/refresh-token-cleanup.yml b/.github/workflows/refresh-token-cleanup.yml
@@ -0,0 +1,26 @@
+name: Refresh Token Cleanup
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: '0 3 * * *' # every day at 03:00 UTC
+  workflow_dispatch: {}
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      - name: Install deps
+        run: npm ci
+      - name: Run cleanup script
+        env:
+          SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
+          SUPABASE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
+        run: node scripts/cleanup_refresh_tokens.js 30
diff --git a/README.md b/README.md
@@ -150,8 +150,19 @@ If automation is failing or you prefer manual control, change the preview link y
    SUPABASE_SERVICE_ROLE_KEY=your-supabase-service-role-key
    JWT_SECRET=your-secure-jwt-secret-here
    ADMIN_API_TOKEN=your-admin-api-token
+
+   # Encryption keys for server-side refresh-token storage (required for dev)
+   # Preferred: provide multiple keys for rotation in order (newest first):
+   # REFRESH_TOKEN_ENC_KEYS=<keyId1>=<secret1>,<keyId2>=<secret2>
+   # Example:
+   # REFRESH_TOKEN_ENC_KEYS=k2=NEW_SECRET,k1=OLD_SECRET
+   # Legacy single-key option (not recommended for rotation):
+   # REFRESH_TOKEN_ENC_KEY=your-secret
+   # REFRESH_TOKEN_ENC_KEY_ID=k1
    ```
 
+    Note: The dev auth server requires `REFRESH_TOKEN_ENC_KEY` (or `REFRESH_TOKEN_ENC_KEYS`) to be set and will fail to start without it. In production, set the same variables in your deployment environment. Use the multi-key `REFRESH_TOKEN_ENC_KEYS` format to rotate keys safely: add the new key first, leave old keys present until tokens have migrated, then remove old keys.
+
 4. **Generate Secure JWT Secret**
    ```bash
    node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"