Releases: zerotonin/flatgym
v0.13.1 — Estimated 1RM in stats
What's new
The PR block in Stats now shows your estimated 1RM next to the top set, using the Epley formula:
1RM ≈ weight × (1 + reps / 30)
Examples:
- 80 kg × 5 → ~93 kg
- 100 kg × 8 → ~127 kg
- 140 kg × 3 → ~154 kg
Two carve-outs:
- A 1-rep top set reports its weight verbatim (no Epley over-estimation at the boundary).
- Assisted lifts (negative weights) get no 1RM row — there's no "max" of assistance.
Asset
Download `gym-tracker.html` below.
v0.13 — Workout duration
What's new
Total workout duration is now auto-tracked, end-to-end.
- Starts on the first + Add Set of a session.
- Stops when you tap Save.
- Stored on the workout record and shown as a small ⏱ chip in History next to the date and preset.
- Format: `47 min` for under an hour, `1h 23m` for longer.
- Edit-mode preserves the original duration — typo fixes don't rewrite the timer.
Per-exercise duration deliberately left out for now — total is what matters; per-exercise gets messy with super-sets and adds visible UI without much payoff.
Asset
Download `gym-tracker.html` below.
v0.12.2 — Rest timer fires on every Add Set
The rest timer now starts on every + Add Set tap, including the very first set of an exercise. Workflow alignment: you do the set, then tap to log it; tapping is the post-set moment.
Asset
Download `gym-tracker.html` below.
v0.12.1 — Rest timer fires on set completion
Fix
The rest timer was firing on + Add Set — i.e. when you create the row, before you've entered the data. That's the wrong moment when you log sets after doing them.
The timer now fires the moment a set transitions from incomplete (weight or reps blank) to complete (both filled). Editing a previously-completed set's number — typo correction — doesn't re-trigger.
Asset
Download `gym-tracker.html` below.
v0.12 — Rest timer + workout notes
What's new
⏱ Rest timer
Auto-starts when you tap + Add Set on an exercise that already has at least one logged set (i.e. you just finished a set). A pill at the bottom of the workout view counts down; tap Skip to dismiss. Beep + vibration when done.
Settings (⚙ → Rest timer):
- On / Off toggle (default: on).
- Rest duration in seconds (default: 120, range: 10–600).
📝 Workout notes
Free-text field at the bottom of every workout. "Felt strong", "back was tight", "tried a new grip" — anything worth remembering. Notes appear under the workout in History.
Edit mode preserves notes through round-trip.
Known limitation
CSV export does not yet include notes. Coming in v0.12.1.
Asset
Download `gym-tracker.html` below.
v0.11 — Month calendar in Stats
What's new
A month-view calendar at the top of the Stats tab.
- 7-column CSS Grid, Monday first.
- Today is framed in the accent colour.
- Workout dates show the preset emoji instead of the day number.
- Multiple workouts on the same date show the first preset's emoji greyed out, with a +N badge counting the additional sessions.
- ‹ / › in the header walk through prior / future months.
Pure vanilla CSS Grid — no new dependencies, reuses the existing colour tokens.
Asset
Download `gym-tracker.html` below.
v0.10.2 — Sortable backup filename
CSV backups are now named flatgym_backup_YYYY_MM_DD.csv (e.g. `flatgym_backup_2026_04_28.csv`) — sortable lexicographically, prefix matches the project name, easy to spot in a Drive folder.
Both export paths (download and share) use the same scheme.
v0.10.1 — PR trophy tiebreak refined
Tweak
On the share card, when several sets tie the all-time max weight for an exercise, the 🏆 badge now goes to the one with the most reps (and on a full tie, still the last set in the workout). Previously it was always the last set regardless of reps.
Example: sets `70×5, 70×8, 70×5` — the 70×8 now gets the trophy. Same as before for full ties like `70×5, 70×5, 70×5`.
Asset
Download `gym-tracker.html` below.
v0.10 — Backup reminder + share-to-cloud
What's new
A safety net for everyone whose only copy of their lifting history is in this browser.
Backup reminder
- Configurable in Settings: Off / Daily / Weekly on <day> / Monthly on <day-of-month>.
- Default: weekly on Sunday. Easy to switch to off if you don't want it.
- Banner appears on home when overdue: "Your data lives only on this device — no server, no account. Without a CSV export, there is no way to recover it." Two buttons: 📥 Export now / Later.
- "Later" hides the banner for the rest of the day; reappears tomorrow if still overdue.
- A brand-new install never nags — only appears once you have data worth backing up.
Share to cloud, no permissions
- New 📤 Share CSV button on the History tab and inside the reminder banner.
- Uses the OS share sheet (Web Share API). On Android tap → Drive / Gmail / Files / WhatsApp / anything installed. On iOS tap → Files (iCloud) / Drive (if installed) / Mail / Messages. The destination app handles every credential — Flatgym never sees your Drive account or asks for permission.
- Falls back to direct download on desktops where the share sheet doesn't accept files.
- Both export paths (download and share) record the timestamp so the reminder resets.
Asset
Download `gym-tracker.html` below.
v0.9.3 — Security hardening
Audit + fixes
A pre-store-submission security audit. Two real issues found and fixed:
Stored XSS via user-typed strings → patched
Roughly a dozen `innerHTML` template-literal sites interpolated user-typed data (preset labels, exercise names, modal titles, the preset editor's input attribute values) without going through the existing `escHTML()` helper. The realistic delivery vector is a malicious imported CSV: a name like `` would have executed when the workout was rendered. Every site is now escaped.
CSV formula injection on export → mitigated (OWASP-style)
Cells starting with `=`, `+`, `-`, `@`, or tab now get an apostrophe prefix so Excel / Sheets / Numbers don't interpret them as formulas. Embedded double-quotes are RFC 4180-doubled. Inverse handling in `fromCSV` keeps round-trips lossless.
Now documented in the README
The repo's README has a new Security section covering threat model, audited categories (XSS, CSV injection, prototype pollution, open redirects, etc.), and what's explicitly out of scope (self-attack via DevTools, lost-device physical access, malicious extensions).
Asset
Download `gym-tracker.html` below.