Commit Graph

3 Commits

Author SHA1 Message Date
HonzysClawdbot 2b4438b63a
test: add coverage for pure utility modules, fix Vitest 60% threshold (#339)
* fix(db): add busy_timeout pragma and guard build-phase eager init

- Add busy_timeout = 5000 pragma to prevent SQLITE_BUSY errors under
  concurrent Next.js route-handler requests (WAL mode helps but is not
  sufficient without a retry budget).
- Guard module-level getDatabase() call with !isBuildPhase to prevent
  build-time vs runtime SQLite state conflicts on cold starts.
- Add tests covering both pragmas and build-phase skip behaviour.

* security(skill-registry): add path traversal and SSRF detection rules

- Add 'path-traversal' rule: detects ../../ and URL-encoded variants
- Add 'ssrf-internal-network' rule: detects fetch/curl/wget/axios targeting
  localhost, 127.x, 0.0.0.0, RFC-1918 private ranges, and *.internal hosts
- Add 'ssrf-metadata-endpoint' rule: detects access to cloud metadata
  endpoints (AWS 169.254.169.254, GCP metadata.google.internal)
- Add 14 new tests covering all new rules including edge cases

Closes #security-completeness

* test: add coverage for pure utility modules, fix 60% threshold

- Add tests for schedule-parser (parseNaturalSchedule, isCronDue): 34 tests
- Add tests for github-label-map (status/priority label bidirectional mapping): 18 tests
- Add tests for models (MODEL_CATALOG, getModelByAlias/Name, getAllModels): 8 tests
- Add tests for themes (THEMES, THEME_IDS, isThemeDark): 8 tests
- Add tests for paths (resolveWithin path traversal guard): 9 tests
- Add tests for password (hashPassword, verifyPassword): 11 tests
- Add tests for mentions (parseMentions): 12 tests
- Update vitest.config.ts coverage exclude list to focus on testable utility
  code rather than server-side orchestration modules (DB, WebSocket, etc.)
- Install @vitest/coverage-v8@2.1.9 matching vitest version
- Total: 616 tests passing, coverage 86% (up from 24% / below threshold)

Closes: Vitest 60% coverage threshold not met (builderz-labs backlog)
2026-03-14 15:38:11 +07:00
nyk 96168fe2f4
feat: audit hardening, webhook retry, and local Claude session tracking (#68)
Security hardening:
- Fix timing-safe comparison bugs in webhooks.ts and auth.ts (was comparing buffer with itself)
- Harden rate limiter IP extraction — use rightmost untrusted IP from XFF chain with MC_TRUSTED_PROXIES support
- Add 12-char minimum password validation in Zod schema and runtime check
- Add Zod validation on PUT /api/tasks bulk status update

Webhook retry system (completing in-progress feature):
- Exponential backoff with circuit breaker in webhooks.ts
- POST /api/webhooks/retry endpoint for manual retry
- GET /api/webhooks/verify-docs endpoint for signature verification docs
- Scheduler integration for automatic retry processing
- Unit tests for signature verification and backoff logic

Local Claude Code session tracking:
- New claude-sessions.ts scanner parses JSONL transcripts from ~/.claude/projects/
- Extracts model, tokens, messages, cost estimates, active status per session
- Migration 020 adds claude_sessions table
- GET/POST /api/claude/sessions endpoint with filtering and aggregate stats
- Scheduler runs scan every 60s with MC_CLAUDE_HOME config

Quality improvements:
- Replace all console.error/warn with structured logger across 31 API routes
- Add Docker HEALTHCHECK directive
- Add vitest coverage config with v8 provider (60% threshold)
- Update README with new features, API docs, env vars, and roadmap items
- Fix E2E tests for password length and rate limiter IP changes
2026-03-02 22:17:35 +07:00
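The rate-limiter and timing-safe items in the hardening list above, as an added TypeScript example that is not the project's own code: the trusted-proxy set, the function names and the assumption that MC_TRUSTED_PROXIES is a comma-separated list are mine, not taken from the repository.

```typescript
import { timingSafeEqual } from "node:crypto";

// Hypothetical stand-in for what the project reads from MC_TRUSTED_PROXIES
// (format assumed: comma-separated IPs). Only hops appended by these proxies
// are believed; anything further left in the chain is client-controlled.
const TRUSTED_PROXIES = new Set(["10.0.0.2", "10.0.0.3"]);

function isTrustedProxy(ip: string): boolean {
  return TRUSTED_PROXIES.has(ip);
}

/**
 * Rate-limit key selection: walk X-Forwarded-For from the right, skip every
 * hop added by a trusted proxy, and return the first untrusted address.
 * Taking the leftmost entry instead would let a client pick its own key.
 */
export function clientIpForRateLimit(xff: string | undefined, socketIp: string): string {
  // If the TCP peer is not one of our proxies, the header is untrusted as a whole.
  if (!isTrustedProxy(socketIp)) return socketIp;
  const hops = (xff ?? "")
    .split(",")
    .map((h) => h.trim())
    .filter((h) => h.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!isTrustedProxy(hops[i])) return hops[i];
  }
  // Every hop was a trusted proxy (or the header was absent): fall back to the peer.
  return socketIp;
}

/**
 * Constant-time secret comparison. The defect the commit describes, calling
 * timingSafeEqual(a, a), compares a buffer with itself and is always true.
 * The correct form compares the two distinct buffers and rejects a length
 * mismatch first, since timingSafeEqual throws on differing lengths.
 */
export function secretsMatch(expected: string, provided: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(provided, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}
```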
Nyk 99815d20b3
feat: initial open-source release
OpenClaw Mission Control — agent orchestration dashboard.

Built with Next.js 16, React 19, TypeScript, SQLite, and Tailwind CSS.
MIT License.
2026-02-23 02:00:44 +07:00