Gan, Jimmy
789e4124be
Update TRUSTED_PROXIES to include Docker bridge gateway 172.17.0.1
...
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-28 00:12:48 +08:00
Gan, Jimmy
019fddc079
dashboard: externalize service URLs and network config (Sprint 03 config externalization)
...
Deploy Dashboard (Dev) / Backend Tests (push) Failing after 2m17s
Deploy Dashboard (Dev) / Frontend Tests (push) Failing after 3m34s
Deploy Dashboard (Dev) / Deploy to Dev (push) Has been skipped
Run Tests / Secret Detection (pull_request) Failing after 30s
Run Tests / Backend Tests (pull_request) Failing after 2m18s
Run Tests / Frontend Tests (pull_request) Failing after 18s
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-03 18:28:05 +08:00
Gan, Jimmy
ddaf3c6cee
security: Sprint 00 — critical security fixes (OPC WS auth, Transmission creds, SECRET_KEY, passkey rate limit)
...
- Add JWT token auth to OPC WebSocket (unauthenticated → 403, per-user tracking)
- Externalize Transmission RPC credentials to TRANSMISSION_USER/PASS env vars
- Remove hardcoded SECRET_KEY fallback from dev compose
- Rate-limit passkey register options endpoint at 5/minute
- Add PDD (docs/improvement-plan.md) and sprint specs (specs/)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-03 13:31:25 +08:00
Gan, Jimmy
c78c77fc6e
test: trigger deploy-dev workflow
Deploy Dashboard (Dev) / Deploy to Dev (push) Failing after 24m13s
2026-04-22 01:59:16 +08:00
Gan, Jimmy
8b935a1e6e
test: verify CI workflow with asyncpg 0.30.0
Deploy Dashboard (Dev) / Backend Tests (push) Has been cancelled
Deploy Dashboard (Dev) / Frontend Tests (push) Has been cancelled
Deploy Dashboard (Dev) / Deploy to Dev (push) Has been cancelled
Run Tests / Backend Tests (push) Failing after 46s
Run Tests / Frontend Tests (push) Failing after 1m51s
Run Tests / Test Summary (push) Failing after 19s
2026-04-22 00:42:14 +08:00
Gan, Jimmy
e66f7353d5
test: verify CI workflow improvements
...
Deploy Dashboard (Dev) / Backend Tests (push) Failing after 1m48s
Deploy Dashboard (Dev) / Frontend Tests (push) Failing after 47s
Deploy Dashboard (Dev) / Deploy to Dev (push) Has been skipped
Run Tests / Backend Tests (push) Failing after 46s
Run Tests / Frontend Tests (push) Failing after 5m27s
Run Tests / Test Summary (push) Failing after 23s
Simple version bump to test:
- Tests run before deploy
- Deploy only happens if tests pass
- Health checks verify deployment
2026-04-21 23:08:22 +08:00
Gan, Jimmy
81f33c0b5a
chore: bump dashboard version to v1.5
...
Deploy Dashboard (Dev) / Run Tests (push) Has been cancelled
Deploy Dashboard (Dev) / Deploy to Dev (push) Has been cancelled
Run Tests / Frontend Tests (push) Failing after 42s
Run Tests / Backend Tests (push) Failing after 44s
Run Tests / Test Summary (push) Failing after 15s
Test commit to verify new CI workflow behavior:
- Tests should run first
- Deploy should only happen if tests pass
- Health check should verify deployment
2026-04-21 22:35:39 +08:00
Gan, Jimmy
13be35383d
chore: bump dashboard version to trigger deployment
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 3m46s
Run Tests / Backend Tests (push) Failing after 6m39s
Run Tests / Frontend Tests (push) Failing after 1m10s
Run Tests / Test Summary (push) Failing after 21s
2026-04-19 00:14:56 +08:00
Gan, Jimmy
1ba0014d47
feat: add Claude Code conversation tracker
...
Run Tests / Backend Tests (pull_request) Failing after 5m14s
Run Tests / Frontend Tests (pull_request) Failing after 1m20s
Run Tests / Test Summary (pull_request) Failing after 16s
- Create claude-code-tracker service to monitor and parse Claude Code conversations
- Parse JSONL format with messages, tool calls, and metadata
- Store in SQLite with full-text search support
- Generate daily summaries using Claude API
- Add Conversations UI with search, stats, and conversation browsing
- Integrate with dashboard backend and frontend
- Add sync script for Mac to NAS file transfer
2026-04-12 08:41:11 +08:00
Gan, Jimmy
b981c06d59
feat: comprehensive test infrastructure improvements
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m26s
Run Tests / Backend Tests (push) Failing after 2m36s
Run Tests / Frontend Tests (push) Failing after 2m23s
Run Tests / Test Summary (push) Failing after 13s
- Fix unit test imports: add env setup in conftest.py before module imports
- Add 24 new auth router tests (RBAC, preferences, password validation)
- Add 16 new tests for litellm and chat_summary routers
- Apply black formatting and ruff linting across codebase
- Add pre-commit hooks configuration (black, ruff, file checks)
- Increase CI coverage threshold from 40% to 50%
Test Results:
- 206 tests passing (91 unit + 115 integration)
- Coverage: 58.79% on core modules
- auth.py: 57% → 85%, litellm.py: 23% → 87%, chat_summary.py: 41% → 100%
- auth_service: 96.51%, config: 100%, rbac: 93.48%
2026-04-08 00:21:32 +08:00
Gan, Jimmy
74100c8882
fix: change WebAuthn RP_ID to jimmygan.com to support all subdomains
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m0s
2026-03-11 01:43:19 +08:00
Gan, Jimmy
2f8a5d84dc
fix: WebAuthn config typo and improve error handling
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m41s
- Fix WEBAUTHN_ORIGIN -> WEBAUTHN_ORIGINS env var name
- Add null check for cancelled passkey creation
- Use finally block to ensure loading state is always reset
- Add console.error for better debugging
2026-03-11 00:53:28 +08:00
Gan, Jimmy
44f0ed5d04
fix: harden dashboard auth and terminal flows
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m29s
Tighten terminal websocket auth and proxy trust handling while making file-backed auth/RBAC writes atomic to reduce high-impact security and persistence risks.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-06 23:53:58 +08:00
Gan, Jimmy
4f95f0249d
feat: add Mac host to dashboard terminal
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m15s
Add a dedicated Mac terminal target with separate SSH host/user/key settings and mount a dedicated Mac key file for dashboard containers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-06 08:32:54 +08:00
Gan, Jimmy
a91a1132c9
feat: add info engine MVP pipeline and dashboard page
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m10s
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-02 23:35:10 +08:00
Gan, Jimmy
14965c7e03
feat: add cc-connect dashboard health integration
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m49s
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-02 23:24:03 +08:00
Gan, Jimmy
56743d1cf4
fix: make LiteLLM health probe auth-aware
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m4s
Allow the dashboard health check to include optional LiteLLM auth headers and treat unauthenticated 401 responses as an auth-required healthy state.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-02 03:38:25 +08:00
Gan, Jimmy
ed4090a910
feat: add LiteLLM gateway scaffold and dashboard health probe
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-02 01:08:12 +08:00
Gan, Jimmy
72bb37ffe5
fix: correct sidebar LAN detection for public access
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
Separate Tailscale IP detection from true LAN detection so public internet users routed through VPS no longer get non-routable port links in the sidebar.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-01 22:46:05 +08:00
Gan, Jimmy
3fd045aacb
feat: security hardening and HTTPS/SSO infrastructure configs
...
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy
a0354c335b
fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
2026-02-27 23:48:34 +08:00
Gan, Jimmy
3888a57642
chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy
c676c84bc1
feat: add chat group daily summarizer
...
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy
7f94013bf9
feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy
394a1aa367
security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
...
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-02-26 17:22:25 +08:00
Gan, Jimmy
332696689a
fix: support port 8443 origin for WebAuthn passkeys and CORS
2026-02-26 02:00:29 +08:00
Gan, Jimmy
87fdabcd50
Fix OpenClaw: auto-include gateway token in dashboard link
2026-02-22 18:30:34 +08:00
Gan, Jimmy
be1f3b3ad6
Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
...
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy
b1dee47126
Add CORS, rate limiting, security headers, and files endpoint protection
2026-02-21 11:18:29 +08:00
Gan, Jimmy
dd3e8e0d2c
security: remove hardcoded secrets, add health endpoint, add security headers
2026-02-20 22:04:01 +08:00
Gan, Jimmy
b063382085
feat: add container monitor & telegram alerts
...
Added asyncio monitoring task to main.py to watch Docker container state transitions and send Telegram notifications on failures.
2026-02-20 10:31:18 +08:00
Gan, Jimmy
a882f45f2e
Add multi-host terminal: NAS + VPS side-by-side
2026-02-20 00:53:29 +08:00
Gan, Jimmy
197b7c1cbb
Fix session expiry: use config value, increase to 7 days
...
- LOGIN was ignoring ACCESS_TOKEN_EXPIRE_MINUTES (hardcoded 15min default)
- Pass expires_delta from config in login route
- Increase token lifetime from 30min to 7 days
2026-02-19 19:44:30 +08:00
Gan, Jimmy
ee2e5dcb3c
Terminal: SSH to NAS host instead of container shell
...
- Rewrite terminal.py to use asyncssh instead of pty/fork
- Add SSH key pair for dashboard container auth
- Mount SSH key and add SSH config vars in docker-compose
- Install openssh-client in Dockerfile
- Add asyncssh to requirements.txt
2026-02-19 19:24:38 +08:00
Gan, Jimmy
4036292273
Bump version to v1.3 — runner DNS fixed
Deploy Dashboard / deploy (push) Successful in 3m39s
2026-02-19 10:26:40 +08:00
Gan, Jimmy
91c8d1b775
Bump version to v1.2 — CI/CD pipeline test
Deploy Dashboard / deploy (push) Failing after 2m6s
2026-02-19 10:18:32 +08:00
Gan, Jimmy
7aeabe1839
Test CI/CD: add version comment
Deploy Dashboard / deploy (push) Failing after 17s
2026-02-19 10:15:14 +08:00
Gan, Jimmy
75c89b1ef9
Fix auth crashes + add CI/CD workflow
...
Deploy Dashboard / deploy (push) Failing after 6m59s
- Fix jose->pyjwt import mismatch
- Fix bcrypt->pbkdf2 password hashing
- Fix Sidebar logout prop (ReferenceError)
- Add .gitea/workflows/deploy.yml for automated deployment
2026-02-19 10:04:38 +08:00
Gan, Jimmy
651bc0580e
Phase 7: Auth & Security upgrade (JWT, 2FA, Login UI)
2026-02-19 03:47:48 +08:00
Gan, Jimmy
70aa421d7f
Add NAS dashboard MVP: Docker mgmt, Gitea, Files, Terminal
2026-02-19 01:59:50 +08:00