Phase 1: Fix immediate test failures
- Fix path handling in files router (strip leading slashes)
- Fix test assertions to match actual API behavior
- Add proper error handling for missing files in download endpoint
- Reload files router in test fixtures to pick up config changes
- Fix upload endpoint test to use query params instead of form data
Phase 2: Improve test reliability
- Standardize error responses: docker_router now uses HTTPException
- Add global exception handlers for validation, Docker errors, and unhandled exceptions
- Fix flaky TOTP replay protection test
- Fix flaky password hash loading test with proper module reload
- Enhanced Docker mock fixtures with error scenarios and factory pattern
Phase 3: Add coverage reporting
- Add pytest-cov with 40% minimum coverage threshold
- Add pyproject.toml with pytest and coverage configuration
- Update test workflow to generate coverage and JUnit XML reports
- Remove -x flag to see all test failures
- Configure asyncio_default_fixture_loop_scope to fix deprecation warning
Results:
- All 144 tests passing (was 137 passed, 5 failed, 2 skipped)
- Test execution time: ~3s locally
- Coverage: 43% (above 40% threshold)
- No skipped tests
- Standardized error handling across all endpoints
Agent Panel UI:
- Visual dashboard showing all agents with status (idle/working)
- Agent cards with stats: total tasks, completed tasks
- Capabilities display for each agent
- Execution log showing recent agent activity
- Real-time updates (refreshes every 10 seconds)
- Click agent to filter execution log
- Status indicators: pending, running, completed, failed, pending_approval
Email Notifications:
- SMTP email service with HTML templates
- Task assignment notifications
- Agent approval request emails with action details
- Agent completion notifications
- Configurable via environment variables (SMTP_HOST, SMTP_USER, SMTP_PASSWORD, SMTP_TO)
- Integrated with agent executor service
PDF Invoice Generation:
- Professional PDF invoices using ReportLab
- Generate from time entries by project
- Client information and company branding
- Itemized time entries with hours, rates, amounts
- Automatic totals calculation
- Download as PDF attachment
- API endpoints: /api/opc/invoices/generate
- Projects and clients management endpoints
Additional Features:
- Projects CRUD API
- Clients CRUD API
- Project time tracking summary
- Billable vs non-billable hours tracking
Phase 1 MVP 100% Complete:
✅ PostgreSQL database with full schema
✅ Task CRUD API with automatic time tracking
✅ Kanban board with drag-and-drop
✅ Agent executor service with LLM integration
✅ WebSocket real-time updates
✅ 3 core agents (PM, CTO, COO)
✅ Agent panel UI with execution logs
✅ Email notifications (Telegram + Email)
✅ PDF invoice generation
All 12 tasks completed!
Agent Executor Service:
- BaseAgent class with LLM integration via LiteLLM proxy
- AgentExecutor service that processes pending executions every 5 seconds
- Action execution: create_subtask, update_status, send_notification, add_comment
- Approval workflow: CxO level agents require user approval before execution
- Telegram notifications for approvals and completions
- Error handling and execution status tracking
WebSocket Real-Time Updates:
- WebSocket endpoint at /ws/opc for real-time task updates
- ConnectionManager for broadcasting to all connected clients
- Frontend WebSocket client with auto-reconnect
- Live updates for task create/update/move/delete actions
- Agent execution status broadcasts
Integration:
- Agent executor starts on dashboard startup
- Task router broadcasts WebSocket updates on all mutations
- Frontend OPC page subscribes to WebSocket and updates UI in real-time
- Agents (PM, CTO, COO) can now execute tasks autonomously
Phase 1 MVP Complete:
✅ PostgreSQL database with full schema
✅ Task CRUD API with automatic time tracking
✅ Kanban board with drag-and-drop
✅ Agent executor service with LLM integration
✅ WebSocket real-time updates
✅ 3 core agents ready to execute
Next: Agent panel UI, email notifications, PDF invoicing
- Wrap tryRefreshSession in try-finally to ensure authRecoveryInFlight is always reset
- Fix variable scope issue: use const tabState instead of reassigning d
- Add error handling for process.stdin.write() to catch BrokenPipeError/OSError
- Verify WebSocket instance before closing in ping timeout callback
- Properly await conn.wait_closed() to prevent SSH connection leaks
- Gracefully cancel and wait for read_task with 2s timeout
These fixes prevent race conditions, resource leaks, and improve error recovery.
- Backend now responds to __ping__ with __pong__
- Frontend detects missing pong within 5s and closes connection
- This triggers proper reconnect/auth recovery instead of hanging
- Fixes 'keepalive ping timeout' issue where connection appears alive but is dead
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allow more concurrent dashboard terminal tabs per user and use the current access token for websocket reconnects so refreshed sessions keep working.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add server-side IP and date range filtering for security logs so investigations can narrow events without relying on client-side filtering alone.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tighten terminal websocket auth and proxy trust handling while making file-backed auth/RBAC writes atomic to reduce high-impact security and persistence risks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add WebSocket and SSH keepalives so idle dashboard terminal sessions stay connected across proxies and long-running idle periods.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a dedicated Mac terminal target with separate SSH host/user/key settings and mount a dedicated Mac key file for dashboard containers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove backend idle timeout enforcement so terminal sessions persist until the UI disconnects or the SSH process ends.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add backend start/stop endpoints and wire cc-connect UI controls to toggle container state with post-action health refresh and clear error handling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allow the dashboard health check to include optional LiteLLM auth headers and treat unauthenticated 401 responses as an auth-required healthy state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Optimizations to reduce latency over Tailscale tunnel:
- Add GZip middleware for 70% bandwidth reduction (480KB → ~150KB)
- Cache static assets with immutable headers (1 year)
- Remove 500ms blocking CPU interval in system stats
These changes significantly improve dashboard load time over public network.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)