291 Commits

Author SHA1 Message Date
Gan, Jimmy 3169185999 fix: use lazy initialization for Docker client to prevent hanging in test environment
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 1m48s
Run Tests / Backend Tests (push) Failing after 1h1m15s
Run Tests / Frontend Tests (push) Failing after 16m38s
Run Tests / Test Summary (push) Successful in 11m37s
2026-03-31 11:57:14 +08:00
Gan, Jimmy 01344e8b2d test: add basic diagnostic tests to validate CI environment
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 2m37s
Run Tests / Frontend Tests (push) Has been cancelled
Run Tests / Backend Tests (push) Has been cancelled
Run Tests / Test Summary (push) Has been cancelled
2026-03-31 11:38:44 +08:00
Gan, Jimmy 8431920d26 feat: add comprehensive unit and integration testing infrastructure
Run Tests / Backend Tests (pull_request) Has been cancelled
Run Tests / Frontend Tests (pull_request) Has been cancelled
Run Tests / Test Summary (pull_request) Has been cancelled
- Backend: pytest with unit tests (auth, rbac, config) and integration tests (auth flow, docker, files)
- Frontend: vitest with unit tests (api client) and component tests (login)
- CI: Gitea Actions workflow for automated testing with coverage reports
- Documentation: TESTING.md guide with setup, usage, and best practices
- Coverage goals: 80%+ backend, 70%+ frontend
2026-03-30 11:11:39 +08:00
Gan, Jimmy 0c45efc0ca fix: terminal auth — skip pre-emptive refresh, always refresh on app load for fresh cookies 2026-03-20 01:04:14 +08:00
Gan, Jimmy b742ab8fef fix: harden terminal WebSocket edge cases
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m44s
- Wrap tryRefreshSession in try-finally to ensure authRecoveryInFlight is always reset
- Fix variable scope issue: use const tabState instead of reassigning d
- Add error handling for process.stdin.write() to catch BrokenPipeError/OSError
- Verify WebSocket instance before closing in ping timeout callback
- Properly await conn.wait_closed() to prevent SSH connection leaks
- Gracefully cancel and wait for read_task with 2s timeout

These fixes prevent race conditions, resource leaks, and improve error recovery.
2026-03-15 23:18:20 +08:00
Gan, Jimmy d69b744ae7 fix: resolve variable redeclaration in Terminal.svelte
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m50s
Change 'const d' to 'let d' to allow reassignment in nested scopes
2026-03-13 22:45:55 +08:00
Gan, Jimmy 7b17a53cab fix: resolve terminal WebSocket auth failures and improve reconnection
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 1m8s
- Remove insecure query token parameter from backend (cookie-only auth)
- Add detailed JWT error logging (expired, invalid, missing tokens)
- Force token refresh before first WebSocket connection
- Stop reconnection after 3 consecutive auth failures
- Increase ping interval from 12s to 30s (reduce traffic)
- Increase pong timeout from 5s to 10s (handle network latency)
- Show attempt counter in reconnection error messages

Root cause: Frontend was reconnecting with 6-day-old expired token,
causing 403 rejections. Now ensures fresh cookies before connecting.
2026-03-13 22:26:22 +08:00
Gan, Jimmy 00b5d362e7 debug: add detailed logging for terminal WebSocket connections
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m35s
2026-03-12 00:23:23 +08:00
Gan, Jimmy e0f432bc39 fix: add pong/timeout detection to prevent silent connection hangs
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m2s
- Backend now responds to __ping__ with __pong__
- Frontend detects missing pong within 5s and closes connection
- This triggers proper reconnect/auth recovery instead of hanging
- Fixes 'keepalive ping timeout' issue where connection appears alive but is dead
2026-03-11 23:55:51 +08:00
Gan, Jimmy 74100c8882 fix: change WebAuthn RP_ID to jimmygan.com to support all subdomains
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m0s
2026-03-11 01:43:19 +08:00
Gan, Jimmy 5c5baba3d4 debug: add step-by-step alerts to trace passkey registration flow
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m24s
2026-03-11 01:30:12 +08:00
Gan, Jimmy 7277560856 debug: add alert to show WebAuthn errors on iPad
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
- Add alert() to display full error details for debugging
- Helps diagnose issues when browser console is unavailable
2026-03-11 01:25:36 +08:00
Gan, Jimmy b98333db36 fix: correct WebAuthn RP_ID to match domain suffix
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m48s
- Change RP_ID from jimmygan.com to nas.jimmygan.com
- RP_ID must be a valid suffix of the origin domain
- Fixes WebAuthn failing silently on iOS/iPadOS
2026-03-11 01:15:36 +08:00
Gan, Jimmy 42c5693ede fix: add WebAuthn environment variables to docker-compose
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m23s
- Set WEBAUTHN_RP_ID=jimmygan.com for both main and dev
- Set WEBAUTHN_ORIGINS to match respective domains
- Fixes passkey registration failing due to origin mismatch
2026-03-11 01:01:14 +08:00
Gan, Jimmy 2f8a5d84dc fix: WebAuthn config typo and improve error handling
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m41s
- Fix WEBAUTHN_ORIGIN -> WEBAUTHN_ORIGINS env var name
- Add null check for cancelled passkey creation
- Use finally block to ensure loading state is always reset
- Add console.error for better debugging
2026-03-11 00:53:28 +08:00
Gan, Jimmy 75cfafd388 chore: remove CI test comment
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m18s
2026-03-11 00:47:22 +08:00
Gan, Jimmy 80ad5e9197 test: verify CI auto-trigger for dev branch
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 5m54s
2026-03-11 00:41:07 +08:00
Gan, Jimmy cc3e9dc6fa fix: improve terminal robustness with exponential backoff and better keepalive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m11s
- Backend: Add 10s connection timeout, improve SSH keepalive (15s × 8 retries)
- Backend: Add detailed error logging for debugging
- Frontend: Implement exponential backoff (1s → 30s max) instead of fixed 2s
- Frontend: Reduce heartbeat to 12s (within 15s SSH keepalive window)
- Frontend: Reset reconnect counter on successful connection
- Frontend: Fix race condition in auth recovery after manual close
2026-03-11 00:24:17 +08:00
Gan, Jimmy 4201917e17 fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-09 23:44:23 +08:00
Gan, Jimmy e72665c466 fix: refresh terminal websocket auth on reconnect
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m16s
Reuse the existing refresh-token flow before opening terminal websocket connections so reconnects can recover from expired access tokens without requiring a full dashboard reload.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 17:49:46 +08:00
Gan, Jimmy 175ebeede4 fix: sync dashboard page query state
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Successful in 17m2s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m48s
Keep the selected dashboard page in sync with lightweight URL query params so direct terminal links can land on the right page without exposing extra client state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 11:02:53 +08:00
Gan, Jimmy 1b9ea140b6 fix: raise terminal per-user session cap
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m44s
Allow more concurrent dashboard terminal tabs per user and use the current access token for websocket reconnects so refreshed sessions keep working.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 10:37:08 +08:00
Gan, Jimmy 6067857dad fix: clarify blocked security events
Deploy Dashboard (Dev) / deploy-dev (push) Has started running
Label unauthorized security events as blocked and highlight likely scanner probes so the log view is easier to interpret during investigations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 10:36:37 +08:00
Gan, Jimmy 35a3019e0d fix: add security log investigation filters
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m22s
Add server-side IP and date range filtering for security logs so investigations can narrow events without relying on client-side filtering alone.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 09:59:59 +08:00
Gan, Jimmy 44f0ed5d04 fix: harden dashboard auth and terminal flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m29s
Tighten terminal websocket auth and proxy trust handling while making file-backed auth/RBAC writes atomic to reduce high-impact security and persistence risks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 23:53:58 +08:00
Gan, Jimmy c9f06fbbbb fix: keep terminal sessions alive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m23s
Add WebSocket and SSH keepalives so idle dashboard terminal sessions stay connected across proxies and long-running idle periods.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 16:11:43 +08:00
Gan, Jimmy aaabb8a373 fix: sync terminal page with dashboard theme
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m43s
Make terminal tabs, controls, and xterm colors follow the global light/dark theme so terminal UI stays visually consistent with the rest of the dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 10:51:53 +08:00
Gan, Jimmy b0f66f9650 fix: show terminal close reason in UI
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m47s
Display websocket close reason text (or close code fallback) in terminal tabs so SSH/session failures are diagnosable without checking backend logs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 09:15:48 +08:00
Gan, Jimmy 4f95f0249d feat: add Mac host to dashboard terminal
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m15s
Add a dedicated Mac terminal target with separate SSH host/user/key settings and mount a dedicated Mac key file for dashboard containers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 08:32:54 +08:00
Claude Code da88513456 fix: keep dashboard terminal sessions alive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m5s
Remove backend idle timeout enforcement so terminal sessions persist until the UI disconnects or the SSH process ends.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 05:48:14 +00:00
jimmy c29bda76f3 fix: support image drop and paste in terminal
Allow drag/drop and clipboard image paste in the dashboard terminal so users can quickly upload images into the active shell session, with a visible hint for discoverability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 05:48:10 +00:00
Gan, Jimmy b74d45c621 fix: keep terminal route mounted across page switches
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m9s
Keep the Terminal component mounted and toggle visibility via CSS so tab state and WebSocket sessions persist when navigating between sidebar pages, while preserving existing per-tab close and full teardown cleanup behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 09:28:17 +08:00
Gan, Jimmy d8e6f5716a feat: add cc-connect start/stop controls
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Add backend start/stop endpoints and wire cc-connect UI controls to toggle container state with post-action health refresh and clear error handling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:11:53 +08:00
Gan, Jimmy a91a1132c9 feat: add info engine MVP pipeline and dashboard page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m10s
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:35:10 +08:00
Gan, Jimmy 14965c7e03 feat: add cc-connect dashboard health integration
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m49s
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:24:03 +08:00
Gan, Jimmy 910ed3f7e6 feat: add LiteLLM health page to dashboard
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m45s
Expose LiteLLM operational status in the NAS Dashboard UI so auth-required and outage states are visible without calling backend APIs directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:50:56 +08:00
Gan, Jimmy 56743d1cf4 fix: make LiteLLM health probe auth-aware
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m4s
Allow the dashboard health check to include optional LiteLLM auth headers and treat unauthenticated 401 responses as an auth-required healthy state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:38:25 +08:00
Gan, Jimmy 9bae5a62a5 fix: attach litellm to shared dashboard network
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m34s
Connect LiteLLM to nas-dashboard_internal and point dashboard-dev to the litellm container hostname so health probes work without host-loopback routing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:31:44 +08:00
Gan, Jimmy 6cabbd6c59 fix: set dev dashboard LiteLLM URL to host gateway
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m52s
Point dashboard-dev LiteLLM health checks at host.docker.internal so the container can reach the NAS LiteLLM service bound on localhost.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:23:01 +08:00
Gan, Jimmy ed4090a910 feat: add LiteLLM gateway scaffold and dashboard health probe
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 01:08:12 +08:00
Gan, Jimmy bd2a166253 fix: use hybrid sidebar links for LAN and public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m58s
Keep LAN/Tailscale-home behavior for NAS-targeted links while converting remote :8443 URLs to standard HTTPS on public access so external links resolve correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:55:37 +08:00
Gan, Jimmy 72bb37ffe5 fix: correct sidebar LAN detection for public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
Separate Tailscale IP detection from true LAN detection so public internet users routed through VPS no longer get non-routable port links in the sidebar.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:46:05 +08:00
Gan, Jimmy 50e1d779de perf: add compression and caching for faster public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m20s
Optimizations to reduce latency over Tailscale tunnel:
- Add GZip middleware for 70% bandwidth reduction (480KB → ~150KB)
- Cache static assets with immutable headers (1 year)
- Remove 500ms blocking CPU interval in system stats

These changes significantly improve dashboard load time over public network.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:21:51 +08:00
Gan, Jimmy ae437db92e refactor: split auth router into focused modules
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Split the 429-line auth.py into three modules for better maintainability:
- auth.py (264 lines): core auth, login, token refresh, RBAC, preferences
- passkey.py (187 lines): WebAuthn passkey registration and authentication
- totp.py (41 lines): TOTP 2FA setup and verification

All 21 endpoints maintain backward compatibility under /api/auth prefix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:19:33 +08:00
Gan, Jimmy 7ab2ad41c4 feat: add role-based sidebar link visibility control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m37s
2026-03-01 18:17:45 +08:00
Gan, Jimmy 12b9949495 fix: add missing 'settings' page to role access control list
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m38s
2026-03-01 18:04:56 +08:00
Gan, Jimmy 862097813d feat: add UI to edit role default page permissions
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m24s
2026-03-01 17:57:45 +08:00
Gan, Jimmy fce71cfea0 fix: remove Google Fonts to resolve CSP warning, use system fonts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m31s
2026-03-01 17:51:27 +08:00
Gan, Jimmy 79a9fc980e debug: add exception logging to preferences save endpoint
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m51s
2026-03-01 17:45:00 +08:00
Gan, Jimmy 98f836d3e4 debug: add console logging for sidebar order save failures
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
2026-03-01 17:39:51 +08:00