Notechondria

Version: 0.1.17 Build Date: 2026-04-10T00:00

What's Changed

Splash Screen — Krebs cycle animation polish

  • Removed the English metabolite names (Citrate, Isocitrate, α-Ketoglutarate, …) that previously floated next to each cycle node. The active metabolite's structural formula now carries all chemical information.
  • Dropped the on-screen clamp on the active structural formula's position. The formula is now strictly anchored to its node with an outward offset, so it naturally travels off-screen (top / bottom / left) together with the orbiting node — matching how a real metabolite moves along the cycle.
  • Rewrote particle effects: the background is now dotted with ~26 tiny, individually rotating structural formulas of small molecules that accompany the citric acid cycle (H₂O, CO₂, -COOH, pyruvate fragment, NAD⁺, Pᵢ, H⁺, acetyl-CoA fragment), replacing the previous plain circle particles. Each particle has its own orbit speed, drift, initial rotation and rotation rate, giving the background a "molecule soup" feel.
  • _Particle class extended with rotation, rotationSpeed, and moleculeType fields; _drawParticleMolecule added to render the eight molecule sketches inside a translated+rotated canvas frame.

Login — OAuth bind no longer overwrites existing accounts

  • Fixed a subtle bug where hitting the Google/GitHub Bind button from Settings while the app had just processed an OAuth redirect could silently log the user in as whoever owned the matching email, or create a brand-new account using the OAuth-provided username/email — effectively overwriting the original account from the user's point of view.
  • Frontend fix (root cause): _bootstrapApp in app_shell.dart now restores the auth token from local storage before calling _handleOAuthCallback, so the bind branch (which requires an authenticated token) no longer falls through to the unauthenticated /auth/google/ or /auth/github/ endpoint.
  • Backend fix (defense in depth): GoogleOAuthApiView.post and GitHubOAuthApiView.post now reject any request whose intent field is "bind" with HTTP 400 and a detail pointing the caller at the authenticated /api/v1/auth/bind/{provider}/ endpoint. The guard runs before any OAuth token exchange, so no external calls are made for rejected requests.
  • Added OAuthBindRejectionTests in backend/creators/tests.py covering both providers. Full creators test suite: 29 tests, all passing.
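
The two fixes above, modelled in plain Python as an added example; this is not the project's Django or Dart code. The names `oauth_login`, `route_callback`, `Response` and `RecordingExchange` are hypothetical, the 400 detail text is made up, and the client-side fail-closed check is an assumption of this sketch rather than something the notes describe.

```python
from dataclasses import dataclass, field

BIND_ENDPOINT = "/api/v1/auth/bind/{provider}/"  # authenticated path named in the notes


@dataclass
class Response:
    status: int
    body: dict


@dataclass
class RecordingExchange:
    """Stand-in for the provider token exchange; records each external call."""
    calls: list = field(default_factory=list)

    def __call__(self, provider, code):
        self.calls.append((provider, code))
        return {"email": "owner@example.test"}  # constructed profile


def oauth_login(provider, payload, exchange):
    """Unauthenticated login handler (hypothetical), guard placed first."""
    # Exact match on "bind", as the notes describe. Rejecting here means a bind
    # can never be resolved by email match or turned into a new account.
    if payload.get("intent") == "bind":
        target = BIND_ENDPOINT.format(provider=provider)
        return Response(400, {"detail": f"Use the authenticated endpoint {target}"})
    code = payload.get("code")
    if not code:
        return Response(400, {"detail": "Missing authorization code."})
    profile = exchange(provider, code)  # external call only happens past the guard
    return Response(200, {"email": profile["email"]})


def route_callback(provider, intent, token):
    """Client-side routing (hypothetical): bind needs a restored session token."""
    if intent == "bind":
        if token is None:
            # Assumption of this sketch: fail closed instead of falling through.
            raise PermissionError("bind requested before session restore")
        return BIND_ENDPOINT.format(provider=provider)
    return f"/auth/{provider}/"
```

Passing a recording stand-in for the token exchange lets a test assert that a rejected bind request triggered no external call, which is the property the backend guard's ordering is meant to provide.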

Settings — API key visibility and MCP endpoint helper

  • Added an _ApiKeySection subsection directly above the "Connected accounts" section. It displays the masked key prefix (abcd1234••••…), a Rotate button that calls the new /auth/rotate-api-key/ endpoint, and — on rotation — a one-time plaintext reveal panel with Copy / Dismiss controls. Previously the API key was not visible anywhere in the editor UI after login.
  • Added helper text below the API key row showing the user's MCP endpoint URL (derived by parsing api_base_url and replacing the path with /mcp/). A copy icon next to the URL lets users grab it without selecting text manually.
  • New CreatorClient.rotateApiKey(token) method in frontend/editor_app/lib/core/client.dart wraps the rotate endpoint. Wired through app_shell.dart via a new onRotateApiKey callback that updates the in-memory _settings['api_key_prefix'] after a successful rotation.

Files Changed

  • frontend/editor_app/lib/components/splash_screen.dart — Label removal, formula anchoring, particle molecule rendering
  • frontend/planner_app/lib/components/splash_screen.dart — Kept in sync
  • frontend/portal_app/lib/components/splash_screen.dart — Kept in sync
  • frontend/editor_app/lib/app_shell.dart — Session restore moved before OAuth callback handling; onRotateApiKey wiring
  • frontend/editor_app/lib/core/client.dart — New rotateApiKey method (interface + implementation)
  • frontend/editor_app/lib/modules/settings.dart — New _ApiKeySection widget inserted above _ConnectedAccountsSection
  • backend/creators/api.py — GoogleOAuthApiView / GitHubOAuthApiView reject intent="bind"
  • backend/creators/tests.py — New OAuthBindRejectionTests class
  • docs/TASKS.md — Marked urgent splash tasks and Login section items complete
  • docs/versions/0.1.17.md — This version document
  • VERSION — Bumped from 0.1.16 to 0.1.17