Commit Graph

146 Commits

Author SHA1 Message Date
Gan, Jimmy a683321d92 fix: remove chmod on read-only mounted preload key
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Failing after 11m51s
Drop chmod on the read-only mounted server2 SSH key so preload can execute without failing the workflow before the SSH attempt.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 01:30:01 +08:00
Gan, Jimmy d7b2cb3885 fix: mount SSH key for server2 preload in runner job
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Failing after 29s
Mount a read-only SSH key into the claude-dev deploy runner container and use it explicitly for server2 preload so the fast-path image transfer can authenticate.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 01:22:24 +08:00
Gan, Jimmy 8c23aabd97 fix: make claude-dev preload non-blocking in CI
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Has started running
Treat server2 preload as best-effort so missing SSH keys do not fail deployment; fall back to normal registry pull during image build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 01:02:06 +08:00
Gan, Jimmy 88c378594e fix: use explicit server2 SSH target in claude-dev preload
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Failing after 24s
Replace the runner-only host alias with an explicit SSH user@host so the preload step can resolve and stream the base image tar reliably.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:59:00 +08:00
Gan, Jimmy 19001edfbd fix: speed up claude-dev base image availability
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Failing after 33s
Switch claude-dev to node:20-bookworm-slim and preload the base image from server2 in CI to avoid slow pulls on the NAS runner.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:56:02 +08:00
Gan, Jimmy ce061c1977 fix: scope deploy triggers and cancel stale workflow runs
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Waiting to run
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m9s
Limit workflow path triggers to each workflow file, add concurrency groups to cancel outdated runs, and checkout the exact triggering SHA for deterministic deploys.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:28:02 +08:00
Gan, Jimmy d8e6f5716a feat: add cc-connect start/stop controls
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Add backend start/stop endpoints and wire cc-connect UI controls to toggle container state with post-action health refresh and clear error handling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:11:53 +08:00
Gan, Jimmy 755a0b6ae9 feat: add CI-gated claude-dev image package
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Deploy Claude Dev (Dev) / deploy-claude-dev-dev (push) Has started running
Define claude-dev capabilities as a tested contract and deploy immutable tags only after smoke checks so daily tooling upgrades remain CI-first and rollback-safe.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:40:44 +08:00
Gan, Jimmy a91a1132c9 feat: add info engine MVP pipeline and dashboard page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m10s
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:35:10 +08:00
Gan, Jimmy 14965c7e03 feat: add cc-connect dashboard health integration
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m49s
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:24:03 +08:00
Gan, Jimmy e76f15c432 docs: mark LiteLLM phase tasks complete
Update Phase 14 checklist to reflect completed LiteLLM scaffold, health probe, networking, auth-aware health checks, and dashboard status UI delivery.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 04:01:01 +08:00
Gan, Jimmy 910ed3f7e6 feat: add LiteLLM health page to dashboard
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m45s
Expose LiteLLM operational status in the NAS Dashboard UI so auth-required and outage states are visible without calling backend APIs directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:50:56 +08:00
Gan, Jimmy 56743d1cf4 fix: make LiteLLM health probe auth-aware
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m4s
Allow the dashboard health check to include optional LiteLLM auth headers and treat unauthenticated 401 responses as an auth-required healthy state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:38:25 +08:00
Gan, Jimmy 9bae5a62a5 fix: attach litellm to shared dashboard network
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m34s
Connect LiteLLM to nas-dashboard_internal and point dashboard-dev to the litellm container hostname so health probes work without host-loopback routing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:31:44 +08:00
Gan, Jimmy 6cabbd6c59 fix: set dev dashboard LiteLLM URL to host gateway
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m52s
Point dashboard-dev LiteLLM health checks at host.docker.internal so the container can reach the NAS LiteLLM service bound on localhost.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:23:01 +08:00
Gan, Jimmy 76c10a6c07 fix: use compose-compatible env_file format
Switch env_file declarations back to string list syntax so Synology's docker compose parser accepts the LiteLLM and cc-connect compose files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 01:11:58 +08:00
Gan, Jimmy ed4090a910 feat: add LiteLLM gateway scaffold and dashboard health probe
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 01:08:12 +08:00
Gan, Jimmy bd2a166253 fix: use hybrid sidebar links for LAN and public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m58s
Keep LAN/Tailscale-home behavior for NAS-targeted links while converting remote :8443 URLs to standard HTTPS on public access so external links resolve correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:55:37 +08:00
Gan, Jimmy 72bb37ffe5 fix: correct sidebar LAN detection for public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
Separate Tailscale IP detection from true LAN detection so public internet users routed through VPS no longer get non-routable port links in the sidebar.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:46:05 +08:00
Gan, Jimmy 50e1d779de perf: add compression and caching for faster public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m20s
Optimizations to reduce latency over Tailscale tunnel:
- Add GZip middleware for 70% bandwidth reduction (480KB → ~150KB)
- Cache static assets with immutable headers (1 year)
- Remove 500ms blocking CPU interval in system stats

These changes significantly improve dashboard load time over public network.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:21:51 +08:00
Gan, Jimmy ae437db92e refactor: split auth router into focused modules
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Split the 429-line auth.py into three modules for better maintainability:
- auth.py (264 lines): core auth, login, token refresh, RBAC, preferences
- passkey.py (187 lines): WebAuthn passkey registration and authentication
- totp.py (41 lines): TOTP 2FA setup and verification

All 21 endpoints maintain backward compatibility under /api/auth prefix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:19:33 +08:00
Gan, Jimmy 7ab2ad41c4 feat: add role-based sidebar link visibility control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m37s
2026-03-01 18:17:45 +08:00
Gan, Jimmy 20aa6f12a3 perf: add Docker layer caching to dev CI workflow
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 53s
2026-03-01 18:07:19 +08:00
Gan, Jimmy 12b9949495 fix: add missing 'settings' page to role access control list
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m38s
2026-03-01 18:04:56 +08:00
Gan, Jimmy 862097813d feat: add UI to edit role default page permissions
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m24s
2026-03-01 17:57:45 +08:00
Gan, Jimmy fce71cfea0 fix: remove Google Fonts to resolve CSP warning, use system fonts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m31s
2026-03-01 17:51:27 +08:00
Gan, Jimmy 79a9fc980e debug: add exception logging to preferences save endpoint
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m51s
2026-03-01 17:45:00 +08:00
Gan, Jimmy 98f836d3e4 debug: add console logging for sidebar order save failures
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
2026-03-01 17:39:51 +08:00
Gan, Jimmy f746f1e37f fix: remove extra '>' typo, consolidate user management, compact bottom bar
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m31s
2026-03-01 16:46:27 +08:00
Gan, Jimmy 4e2ef9c6bf fix: add drop zone placeholder for empty sidebar categories
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
2026-03-01 16:21:28 +08:00
Gan, Jimmy df994e0621 feat: add Tools-2 category + collapsible sidebar categories
Deploy Dashboard (Dev) / deploy-dev (push) Successful
2026-03-01 16:13:29 +08:00
Gan, Jimmy ada5f3f0f4 fix: restore missing itemKey function in Sidebar (caused infinite load)
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
2026-03-01 15:44:36 +08:00
Gan, Jimmy d40a2ebc45 refactor: unified sidebar item renderer with cross-category drag-and-drop + clean dark mode
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m21s
- Replace 3 separate category renderers with single unified loop using Svelte snippet for icons
- Items now properly move between categories (Main/Media/Tools) via drag-and-drop
- buildLists() resolves items from global allItems map regardless of original category
- Convert all remaining conditional dark class strings to Tailwind dark: variants in Sidebar
2026-03-01 15:28:52 +08:00
Gan, Jimmy fa43b5a409 fix: enable Tailwind v4 class-based dark mode with @custom-variant
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
2026-03-01 15:22:55 +08:00
Gan, Jimmy 62856c9343 fix: comprehensive dark mode support across all pages
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m11s
- Fix body/html dark background to surface-950
- Add dark scrollbar styling
- Fix App.svelte wrapper to use Tailwind dark: classes instead of conditional strings
- Add dark:bg-surface-800 and dark:border-surface-700 to all cards in Dashboard, Docker, Files, Gitea
- Add dark text variants for headings, labels, and content text
- Add dark hover states for interactive elements
- Enable cross-category sidebar drag-and-drop
2026-03-01 14:59:23 +08:00
Gan, Jimmy a8debcfb4b feat: access control UI in Settings + sidebar drag-and-drop reordering
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
jimmy 15ad628425 Merge pull request 'feat: add favicon for browser tab' (#4) from dev into main
Deploy Dashboard / deploy (push) Successful in 44s
2026-03-01 13:39:09 +08:00
Gan, Jimmy 82fe5eb88c feat: add favicon for browser tab
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m35s
2026-03-01 13:38:26 +08:00
jimmy 87a79cd1ca Merge pull request 'fix: security page - logfmt parser and disable Caddy log fetching' (#3) from dev into main
Deploy Dashboard / deploy (push) Successful in 32s
2026-03-01 13:00:21 +08:00
Gan, Jimmy 533672c8ae fix: disable Caddy log fetching - causes Docker API timeouts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m2s
2026-03-01 12:54:00 +08:00
Gan, Jimmy 53481f16f8 fix: reduce log tail defaults and add Docker client timeout to prevent security page hanging
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 51s
2026-03-01 11:43:02 +08:00
Gan, Jimmy 26f458acee fix: parse Authelia logfmt format in security logs
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m22s
2026-03-01 11:06:48 +08:00
Gan, Jimmy 4cef51e15f fix: dev dashboard shares prod socket proxy network 2026-03-01 10:48:02 +08:00
jimmy 75beb0ccae Merge pull request 'fix: reduce false positives in security log detection' (#2) from dev into main
Deploy Dashboard / deploy (push) Successful in 50s
2026-03-01 10:32:04 +08:00
Gan, Jimmy cb1028ebb6 fix: reduce false positives in security log detection
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m34s
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)
2026-03-01 10:31:38 +08:00
jimmy 407abd23c1 Merge pull request 'feat: watchtower, dev environment, security logs, SMTP tunnel' (#1) from dev into main
Deploy Dashboard / deploy (push) Successful in 36s
2026-03-01 10:10:24 +08:00
Gan, Jimmy abba79aefb feat: add watchtower label to docker-socket-proxy
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 33s
2026-03-01 10:09:03 +08:00
Gan, Jimmy 5a95010f35 fix: route watchtower SMTP through SSH tunnel to bypass GFW
- Switch to shoutrrr notification URL format
- Use extra_hosts to resolve smtp.gmail.com to local tunnel (192.168.31.222:1587)
- Add URL-encoded SMTP credentials for shoutrrr URL compatibility
- SSH tunnel: NAS:1587 -> server2 -> smtp.gmail.com:587
2026-03-01 01:07:47 +08:00
Gan, Jimmy 4b32929dcc feat: watchtower tracking, dev environment, security logs page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00