Commit Graph

29 Commits

Author SHA1 Message Date
Gan, Jimmy ddaf3c6cee security: Sprint 00 — critical security fixes (OPC WS auth, Transmission creds, SECRET_KEY, passkey rate limit)
- Add JWT token auth to OPC WebSocket (unauthenticated → 403, per-user tracking)
- Externalize Transmission RPC credentials to TRANSMISSION_USER/PASS env vars
- Remove hardcoded SECRET_KEY fallback from dev compose
- Rate-limit passkey register options endpoint at 5/minute
- Add PDD (docs/improvement-plan.md) and sprint specs (specs/)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-03 13:31:25 +08:00
Gan, Jimmy 66d5f4f7d4 fix: use hidden iframe for downloads to avoid popup blockers
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 2m49s
Run Tests / Backend Tests (push) Failing after 5m19s
Run Tests / Frontend Tests (push) Failing after 2m3s
Run Tests / Test Summary (push) Failing after 15s
2026-04-19 00:47:22 +08:00
Gan, Jimmy b5b6f9134b fix: use native navigation for file downloads to support large files
Run Tests / Backend Tests (pull_request) Failing after 4m45s
Run Tests / Frontend Tests (pull_request) Failing after 1m20s
Deploy Dashboard (Dev) / deploy-dev (push) Failing after 2m47s
Run Tests / Backend Tests (push) Failing after 5m52s
Run Tests / Frontend Tests (push) Failing after 1m43s
Run Tests / Test Summary (pull_request) Failing after 33s
Run Tests / Test Summary (push) Has been cancelled
2026-04-18 23:57:07 +08:00
Gan, Jimmy 88e53f3f8e fix: implement streaming downloads for large files
Run Tests / Backend Tests (pull_request) Failing after 5m29s
Run Tests / Frontend Tests (pull_request) Failing after 3m55s
Run Tests / Test Summary (pull_request) Failing after 18s
- Add token-based download system with 5-minute expiry
- Stream files in 8MB chunks on backend (no memory loading)
- Use browser native download with tokens on frontend
- Fixes hang on large files (10GB+) by avoiding memory buffering
2026-04-18 11:03:22 +08:00
Gan, Jimmy cdf8ab18fc fix: add error handling and feedback for file downloads
Run Tests / Backend Tests (pull_request) Failing after 5m4s
Run Tests / Frontend Tests (pull_request) Failing after 1m5s
Run Tests / Test Summary (pull_request) Failing after 17s
2026-04-13 10:25:40 +08:00
Gan, Jimmy 1ff48ab86d fix: add authentication to file downloads
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m24s
Run Tests / Backend Tests (push) Failing after 4m13s
Run Tests / Frontend Tests (push) Failing after 3m53s
Run Tests / Test Summary (push) Failing after 13s
Run Tests / Backend Tests (pull_request) Failing after 4m13s
Run Tests / Frontend Tests (pull_request) Failing after 2m58s
Run Tests / Test Summary (pull_request) Failing after 18s
2026-04-09 22:55:44 +08:00
Gan, Jimmy 1422cc9bc8 feat: complete Phase 1 MVP - add agent executor and WebSocket real-time updates
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Run Tests / Backend Tests (push) Has been cancelled
Run Tests / Frontend Tests (push) Has been cancelled
Run Tests / Test Summary (push) Has been cancelled
Agent Executor Service:
- BaseAgent class with LLM integration via LiteLLM proxy
- AgentExecutor service that processes pending executions every 5 seconds
- Action execution: create_subtask, update_status, send_notification, add_comment
- Approval workflow: CxO level agents require user approval before execution
- Telegram notifications for approvals and completions
- Error handling and execution status tracking

WebSocket Real-Time Updates:
- WebSocket endpoint at /ws/opc for real-time task updates
- ConnectionManager for broadcasting to all connected clients
- Frontend WebSocket client with auto-reconnect
- Live updates for task create/update/move/delete actions
- Agent execution status broadcasts

Integration:
- Agent executor starts on dashboard startup
- Task router broadcasts WebSocket updates on all mutations
- Frontend OPC page subscribes to WebSocket and updates UI in real-time
- Agents (PM, CTO, COO) can now execute tasks autonomously

Phase 1 MVP Complete:
 PostgreSQL database with full schema
 Task CRUD API with automatic time tracking
 Kanban board with drag-and-drop
 Agent executor service with LLM integration
 WebSocket real-time updates
 3 core agents ready to execute

Next: Agent panel UI, email notifications, PDF invoicing
2026-03-31 14:46:44 +08:00
Gan, Jimmy 1ca019fa48 feat: add OPC (One Person Company) management system with Kanban board
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Run Tests / Backend Tests (push) Has been cancelled
Run Tests / Frontend Tests (push) Has been cancelled
Run Tests / Test Summary (push) Has been cancelled
Phase 1 MVP implementation:
- PostgreSQL database schema for tasks, agents, executions, time tracking
- Backend API: task CRUD, agent management, automatic time tracking
- Frontend: Kanban board with drag-and-drop (Parking Lot → In Progress → Done)
- Task modal for creating/editing tasks with tags, priority, assignee
- 3 core agents seeded: PM, CTO, COO
- Agent approval workflow: CxO level requires approval, others auto-execute
- Automatic time tracking: starts on in_progress, stops on done
- RBAC integration: OPC page accessible to admin/member roles

Features:
- Drag-and-drop tasks between columns
- Assign tasks to humans or AI agents
- Priority badges (low, medium, high, urgent)
- Tags and due dates
- Task history tracking
- Time entry tracking with automatic timer
- Agent execution records with approval workflow

Next steps:
- Initialize OPC database on NAS
- Implement agent executor service
- Add WebSocket for real-time updates
- Add email notifications
- Add PDF invoice generation
2026-03-31 14:31:31 +08:00
Gan, Jimmy 2f8a5d84dc fix: WebAuthn config typo and improve error handling
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m41s
- Fix WEBAUTHN_ORIGIN -> WEBAUTHN_ORIGINS env var name
- Add null check for cancelled passkey creation
- Use finally block to ensure loading state is always reset
- Add console.error for better debugging
2026-03-11 00:53:28 +08:00
Gan, Jimmy 4201917e17 fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-09 23:44:23 +08:00
Gan, Jimmy e72665c466 fix: refresh terminal websocket auth on reconnect
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m16s
Reuse the existing refresh-token flow before opening terminal websocket connections so reconnects can recover from expired access tokens without requiring a full dashboard reload.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 17:49:46 +08:00
Gan, Jimmy d8e6f5716a feat: add cc-connect start/stop controls
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Add backend start/stop endpoints and wire cc-connect UI controls to toggle container state with post-action health refresh and clear error handling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:11:53 +08:00
Gan, Jimmy a91a1132c9 feat: add info engine MVP pipeline and dashboard page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m10s
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:35:10 +08:00
Gan, Jimmy 14965c7e03 feat: add cc-connect dashboard health integration
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m49s
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:24:03 +08:00
Gan, Jimmy 910ed3f7e6 feat: add LiteLLM health page to dashboard
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m45s
Expose LiteLLM operational status in the NAS Dashboard UI so auth-required and outage states are visible without calling backend APIs directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:50:56 +08:00
Gan, Jimmy a8debcfb4b feat: access control UI in Settings + sidebar drag-and-drop reordering
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy 643d576816 fix: filter terminal UI chrome (shortcuts, prompts, keybindings) from TTS 2026-02-26 16:40:34 +08:00
Gan, Jimmy 3d6fb06439 feat: add TTS voice picker to voice mode bottom sheet 2026-02-26 16:22:16 +08:00
Gan, Jimmy ee6c404122 fix: TTS reads output in auto mode (don't skip when listening) 2026-02-26 16:12:36 +08:00
Gan, Jimmy 70c716fd19 feat: voice mode bottom sheet with hold/tap/auto talk modes 2026-02-26 16:03:43 +08:00
Gan, Jimmy 47ab062edd fix: type STT text char-by-char, increase TTS debounce to 2s 2026-02-26 15:50:17 +08:00
Gan, Jimmy af74552a01 fix: iOS TTS unlock on user gesture, use \r for terminal Enter 2026-02-26 15:45:27 +08:00
Gan, Jimmy 70d3be71b9 fix: voice controls reactivity, disable mic on unsupported browsers 2026-02-26 15:40:15 +08:00
Gan, Jimmy 9c5dbcdb37 feat: add voice mode (STT/TTS) to terminal page 2026-02-26 15:35:43 +08:00
Gan, Jimmy be1f3b3ad6 Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy 651bc0580e Phase 7: Auth & Security upgrade (JWT, 2FA, Login UI) 2026-02-19 03:47:48 +08:00
Gan, Jimmy f3db7d3654 Dashboard UI overhaul: modern design with system stats, SVG icons, Inter font, theme toggle, loading states, and log modal 2026-02-19 02:29:25 +08:00
Gan, Jimmy 70aa421d7f Add NAS dashboard MVP: Docker mgmt, Gitea, Files, Terminal 2026-02-19 01:59:50 +08:00