Nyk
299faf50e3
feat: add Docker support, session controls, model catalog, API rate limiting
2026-02-27 20:56:02 +07:00
nyk
4f92c22f32
Merge pull request #44 from builderz-labs/docs/roadmap-update
Expand roadmap with 10 tracked issues from codebase audit
2026-02-27 20:17:07 +07:00
Nyk
9e4b50280c
docs: expand roadmap with 10 tracked issues from codebase audit
Adds concrete roadmap items with issue links covering Docker support,
session controls, model catalog, rate limiting, error boundaries,
structured logging, accessibility, HSTS, input validation, and
export limits.
2026-02-27 20:16:44 +07:00
nyk
0e65f97253
Merge pull request #33 from builderz-labs/fix/db-foreign-keys-indexes
Fix SQLite foreign keys and add missing indexes
2026-02-27 20:08:14 +07:00
Nyk
b5766b0850
fix: enable foreign_keys pragma and add missing indexes
- Add `PRAGMA foreign_keys = ON` to db.ts — without this, all
  ON DELETE CASCADE constraints across 7 tables are silently ignored
  (SQLite disables foreign keys by default)
- Add migration 015 with indexes on hot query paths:
  notifications(read_at), notifications(recipient, read_at),
  activities(actor), activities(entity_type, entity_id),
  messages(read_at)
2026-02-27 20:07:50 +07:00
nyk
3218cfd3eb
Merge pull request #32 from builderz-labs/docs/readme-final-fixes
Fix remaining README inconsistencies
2026-02-27 19:50:14 +07:00
Nyk
77e989b5bf
docs: fix remaining README inconsistencies
- Fix panel count in hero section: "20+" → "26" (matches architecture tree)
- Fix security advice: remove stale reference to open security issues (all closed), replace with actionable deployment guidance
2026-02-27 19:49:48 +07:00
nyk
a49786d940
Merge pull request #31 from builderz-labs/docs/readme-accuracy-fixes
Fix README inaccuracies and add engines field
2026-02-27 19:24:58 +07:00
Nyk
dd7d4fb481
docs: fix README inaccuracies and add engines field
- Fix migration count: 11 → 14 (actual count in migrations.ts)
- Fix panel count: 23 → 26 (actual count in components/panels/)
- Fix API route count: 25+ → 30+ (actual count in app/api/)
- Update testing line to mention 52 E2E tests
- Collapse completed issues list into link to v1.0.0 release notes
- Add engines.node >= 20 to package.json (matches CI)
2026-02-27 19:24:36 +07:00
nyk
5515ab5f77
Merge pull request #30 from builderz-labs/fix/ci-release-readiness
Fix CI workflow and release readiness bugs
2026-02-27 18:52:41 +07:00
Nyk
5647ac1932
fix: CI workflow and release readiness bugs
- Swap pnpm/node setup order (pnpm must install before node cache)
- Move build step before E2E tests (next start needs .next/ output)
- Add `cp .env.test .env` step so E2E server has auth credentials
- Fix test:all script to build before E2E (same ordering bug)
- Remove stale package-lock.json (project uses pnpm exclusively)
- Update README: remove "No E2E test suite" (52 tests exist now)
2026-02-27 18:52:13 +07:00
nyk
243f25a1db
Merge pull request #29 from builderz-labs/test/e2e-critical-fixes
Add 52 Playwright E2E tests for all critical fixes
2026-02-27 15:39:19 +07:00
Nyk
8de9e0b5c3
test: add 52 Playwright E2E tests covering all critical fixes
8 test suites verifying:
- Auth guards on 19 GET endpoints (Issue #4)
- Timing-safe API key comparison (Issue #5)
- Legacy cookie auth removal (Issue #7)
- Login rate limiting (Issue #8)
- CSRF Origin header validation (Issue #20)
- DELETE body standardization (Issue #18)
- Query limit caps at 200 (Issue #19)
- Login flow and session lifecycle
Also fixes migration 013 crash on fresh DB when gateways table
doesn't exist (created lazily by gateways API, not in migrations).
2026-02-27 15:38:49 +07:00
nyk
2f0335443f
Merge pull request #28 from builderz-labs/docs/update-readme-post-fixes
docs: update README to reflect completed fixes
2026-02-27 14:13:34 +07:00
Nyk
33fa5451d7
docs: update README to reflect completed security and quality fixes
- Update Known Limitations to remove resolved items (#4-#20)
- Replace Roadmap open checkboxes with completed checklist
- Add Up Next section for remaining work
2026-02-27 14:12:18 +07:00
nyk
84a7989e3a
Merge pull request #27 from builderz-labs/fix/p3-cleanup
chore: P3 cleanup — CoC, templates, DELETE patterns, limits, CSRF
2026-02-27 14:04:49 +07:00
Nyk
08c9f3625b
chore: CODE_OF_CONDUCT, issue templates, DELETE patterns, limit caps, CSRF origin check
- Add Contributor Covenant 2.1 Code of Conduct (Closes #16)
- Add bug report and feature request issue templates (Closes #17)
- Standardize DELETE handlers to use request body instead of query params (Closes #18)
- Cap unbounded limit params to Math.min(limit, 200) on 12 endpoints (Closes #19)
- Add CSRF Origin header validation for mutating requests in middleware (Closes #20)
2026-02-27 14:04:09 +07:00
nyk
5e94d79e66
Merge pull request #26 from builderz-labs/fix/p2-quality
fix: P2 quality — strict mode, tests, pagination, N+1, CSP
2026-02-27 14:03:34 +07:00
Nyk
bf0df9b6d0
fix: strict mode, test stubs, pagination counts, N+1 queries, CSP hardening
- Enable TypeScript strict mode and fix all resulting type errors
- Add auth test stubs for requireRole and safeCompare
- Add proper COUNT(*) pagination totals to agents, tasks, notifications,
  messages, conversations, and standup history endpoints
- Fix N+1 queries by hoisting db.prepare() outside loops in agents,
  activities, notifications, conversations, standup, gateway health,
  and notification delivery routes
- Remove unsafe-eval from CSP script-src directive
- Remove deprecated X-XSS-Protection header
2026-02-27 14:02:52 +07:00
nyk
704c661bad
Merge pull request #25 from builderz-labs/fix/p1-security-high
fix: P1 security high — legacy auth, rate limit, SSRF, SQL injection
2026-02-27 14:02:12 +07:00
Nyk
3b600d817e
fix: remove legacy auth, add login rate limiting, block SSRF metadata, parameterize migration SQL
2026-02-27 13:58:52 +07:00
nyk
98f1990b57
Merge pull request #21 from builderz-labs/fix/p0-security-critical
fix: P0 security critical — auth guards, timing-safe compare, XSS
2026-02-27 13:56:50 +07:00
Nyk
1ee506b4cf
fix: add auth checks on all GET endpoints, timing-safe comparisons, and XSS sanitization
2026-02-27 13:04:24 +07:00
nyk
84ba833454
docs: fix roadmap issue number references
2026-02-27 12:29:47 +07:00
nyk
de69a87fdf
docs: add project status, known limitations, and roadmap to README
2026-02-27 12:21:31 +07:00
Nyk
99815d20b3
feat: initial open-source release
OpenClaw Mission Control — agent orchestration dashboard.
Built with Next.js 16, React 19, TypeScript, SQLite, and Tailwind CSS.
MIT License.
2026-02-23 02:00:44 +07:00