mission-control

Commit Graph

Author	SHA1	Message	Date
nyk	96168fe2f4	feat: audit hardening, webhook retry, and local Claude session tracking (#68 ) Security hardening: - Fix timing-safe comparison bugs in webhooks.ts and auth.ts (was comparing buffer with itself) - Harden rate limiter IP extraction — use rightmost untrusted IP from XFF chain with MC_TRUSTED_PROXIES support - Add 12-char minimum password validation in Zod schema and runtime check - Add Zod validation on PUT /api/tasks bulk status update Webhook retry system (completing in-progress feature): - Exponential backoff with circuit breaker in webhooks.ts - POST /api/webhooks/retry endpoint for manual retry - GET /api/webhooks/verify-docs endpoint for signature verification docs - Scheduler integration for automatic retry processing - Unit tests for signature verification and backoff logic Local Claude Code session tracking: - New claude-sessions.ts scanner parses JSONL transcripts from ~/.claude/projects/ - Extracts model, tokens, messages, cost estimates, active status per session - Migration 020 adds claude_sessions table - GET/POST /api/claude/sessions endpoint with filtering and aggregate stats - Scheduler runs scan every 60s with MC_CLAUDE_HOME config Quality improvements: - Replace all console.error/warn with structured logger across 31 API routes - Add Docker HEALTHCHECK directive - Add vitest coverage config with v8 provider (60% threshold) - Update README with new features, API docs, env vars, and roadmap items - Fix E2E tests for password length and rate limiter IP changes	2026-03-02 22:17:35 +07:00
Nyk	45ad4a488b	test: add 94 E2E tests covering all CRUD routes + fix middleware location Add comprehensive Playwright E2E test coverage for all major API routes: - tasks-crud (18 tests): full lifecycle, filters, Aegis approval gate - agents-crud (15 tests): CRUD, lookup by name/id, admin-only delete - task-comments (7 tests): threaded comments, validation - workflows-crud (8 tests): workflow template lifecycle - webhooks-crud (9 tests): secret masking, regeneration - alerts-crud (8 tests): alert rule lifecycle - notifications (7 tests): delivery tracking, read status - quality-review (6 tests): reviews with batch lookup - search-and-export (7 tests): global search, export, activities - user-management (8 tests): user admin CRUD - helpers.ts: shared factory functions and cleanup utilities Infrastructure fixes: - Move middleware.ts to src/middleware.ts (Next.js 16 Turbopack requires middleware in src/ when using src/app/ directory — the root-level file was silently ignored, breaking CSRF protection) - Add MC_DISABLE_RATE_LIMIT env var to bypass non-critical rate limiters during E2E runs (login limiter stays active via critical flag) - Fix limit-caps test: /api/activities caps at 500, not 200 - Set playwright workers=1, fullyParallel=false for serial execution - Add CSRF origin fallback to request.nextUrl.host Roadmap additions from user feedback: - Agent-agnostic gateway support (not just OpenClaw) - Direct CLI integration (Codex, Claude Code, etc.) - Native macOS app (Electron or Tauri) 146/146 E2E tests passing (up from 51).	2026-03-02 02:21:10 +07:00

Author

SHA1

Message

Date

nyk

96168fe2f4

feat: audit hardening, webhook retry, and local Claude session tracking (#68 )

Security hardening:
- Fix timing-safe comparison bugs in webhooks.ts and auth.ts (was comparing buffer with itself)
- Harden rate limiter IP extraction — use rightmost untrusted IP from XFF chain with MC_TRUSTED_PROXIES support
- Add 12-char minimum password validation in Zod schema and runtime check
- Add Zod validation on PUT /api/tasks bulk status update

Webhook retry system (completing in-progress feature):
- Exponential backoff with circuit breaker in webhooks.ts
- POST /api/webhooks/retry endpoint for manual retry
- GET /api/webhooks/verify-docs endpoint for signature verification docs
- Scheduler integration for automatic retry processing
- Unit tests for signature verification and backoff logic

Local Claude Code session tracking:
- New claude-sessions.ts scanner parses JSONL transcripts from ~/.claude/projects/
- Extracts model, tokens, messages, cost estimates, active status per session
- Migration 020 adds claude_sessions table
- GET/POST /api/claude/sessions endpoint with filtering and aggregate stats
- Scheduler runs scan every 60s with MC_CLAUDE_HOME config

Quality improvements:
- Replace all console.error/warn with structured logger across 31 API routes
- Add Docker HEALTHCHECK directive
- Add vitest coverage config with v8 provider (60% threshold)
- Update README with new features, API docs, env vars, and roadmap items
- Fix E2E tests for password length and rate limiter IP changes

2026-03-02 22:17:35 +07:00

Nyk

45ad4a488b

test: add 94 E2E tests covering all CRUD routes + fix middleware location

Add comprehensive Playwright E2E test coverage for all major API routes:
- tasks-crud (18 tests): full lifecycle, filters, Aegis approval gate
- agents-crud (15 tests): CRUD, lookup by name/id, admin-only delete
- task-comments (7 tests): threaded comments, validation
- workflows-crud (8 tests): workflow template lifecycle
- webhooks-crud (9 tests): secret masking, regeneration
- alerts-crud (8 tests): alert rule lifecycle
- notifications (7 tests): delivery tracking, read status
- quality-review (6 tests): reviews with batch lookup
- search-and-export (7 tests): global search, export, activities
- user-management (8 tests): user admin CRUD
- helpers.ts: shared factory functions and cleanup utilities

Infrastructure fixes:
- Move middleware.ts to src/middleware.ts (Next.js 16 Turbopack
  requires middleware in src/ when using src/app/ directory — the
  root-level file was silently ignored, breaking CSRF protection)
- Add MC_DISABLE_RATE_LIMIT env var to bypass non-critical rate
  limiters during E2E runs (login limiter stays active via critical flag)
- Fix limit-caps test: /api/activities caps at 500, not 200
- Set playwright workers=1, fullyParallel=false for serial execution
- Add CSRF origin fallback to request.nextUrl.host

Roadmap additions from user feedback:
- Agent-agnostic gateway support (not just OpenClaw)
- Direct CLI integration (Codex, Claude Code, etc.)
- Native macOS app (Electron or Tauri)

146/146 E2E tests passing (up from 51).

2026-03-02 02:21:10 +07:00

2 Commits