- Set WEBAUTHN_RP_ID=jimmygan.com for both main and dev
- Set WEBAUTHN_ORIGINS to match respective domains
- Fixes passkey registration failing due to origin mismatch
- Fix WEBAUTHN_ORIGIN -> WEBAUTHN_ORIGINS env var name
- Add null check for cancelled passkey creation
- Use finally block to ensure loading state is always reset
- Add console.error for better debugging
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reuse the existing refresh-token flow before opening terminal websocket connections so reconnects can recover from expired access tokens without requiring a full dashboard reload.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a dedicated dev.nas.jimmygan.com reverse proxy entry so the dev dashboard can be reached through the VPS Caddy configuration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Keep the selected dashboard page in sync with lightweight URL query params so direct terminal links can land on the right page without exposing extra client state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add tmux to the claude-dev runtime contract so persistent terminal sessions can rely on it, and make the Claude preflight patch resilient to current CLI builds so image builds keep passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allow more concurrent dashboard terminal tabs per user and use the current access token for websocket reconnects so refreshed sessions keep working.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Label unauthorized security events as blocked and highlight likely scanner probes so the log view is easier to interpret during investigations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add server-side IP and date range filtering for security logs so investigations can narrow events without relying on client-side filtering alone.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tighten terminal websocket auth and proxy trust handling while making file-backed auth/RBAC writes atomic to reduce high-impact security and persistence risks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add WebSocket and SSH keepalives so idle dashboard terminal sessions stay connected across proxies and long-running idle periods.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Make terminal tabs, controls, and xterm colors follow the global light/dark theme so terminal UI stays visually consistent with the rest of the dashboard.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Display websocket close reason text (or close code fallback) in terminal tabs so SSH/session failures are diagnosable without checking backend logs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ensure dashboard deploy workflows copy tracked compose files into /nas-dashboard before docker compose up, so new SSH host mounts/envs (like Mac terminal) actually reach runtime.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a dedicated Mac terminal target with separate SSH host/user/key settings and mount a dedicated Mac key file for dashboard containers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document completed analysis, implemented LiteLLM networking fix context, and current environment blockers so a more capable environment can resume and finish validation/merge.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove backend idle timeout enforcement so terminal sessions persist until the UI disconnects or the SSH process ends.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Allow drag/drop and clipboard image paste in the dashboard terminal so users can quickly upload images into the active shell session, with a visible hint for discoverability.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Keep the Terminal component mounted and toggle visibility via CSS so tab state and WebSocket sessions persist when navigating between sidebar pages, while preserving existing per-tab close and full teardown cleanup behavior.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete any existing claude-dev container before compose up so name conflicts do not block CI deployment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create /claude-dev-runtime before writing previous-image.txt so post-build record step does not fail when the bind path is absent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop the server2 preload stage and rely on direct docker build pulls to avoid long-running preload stream stalls in CI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop chmod on the read-only mounted server2 SSH key so preload can execute without failing the workflow before the SSH attempt.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mount a read-only SSH key into the claude-dev deploy runner container and use it explicitly for server2 preload so the fast-path image transfer can authenticate.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Treat server2 preload as best-effort so missing SSH keys do not fail deployment; fall back to normal registry pull during image build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the runner-only host alias with an explicit SSH user@host so the preload step can resolve and stream the base image tar reliably.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Switch claude-dev to node:20-bookworm-slim and preload the base image from server2 in CI to avoid slow pulls on the NAS runner.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Limit workflow path triggers to each workflow file, add concurrency groups to cancel outdated runs, and checkout the exact triggering SHA for deterministic deploys.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add backend start/stop endpoints and wire cc-connect UI controls to toggle container state with post-action health refresh and clear error handling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Define claude-dev capabilities as a tested contract and deploy immutable tags only after smoke checks so daily tooling upgrades remain CI-first and rollback-safe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>