rezero-household
55487bc7c9
docs: clarify OPENCLAW_MEMORY_DIR for memory browser
OpenClaw does not create a memory/ subdirectory under OPENCLAW_HOME.
Agent memory markdown files (daily logs, MEMORY.md, etc.) live in each
agent's workspace directory, not in ~/.openclaw/memory/.
Without OPENCLAW_MEMORY_DIR set, the memory browser falls back to
OPENCLAW_HOME, which only contains .sqlite session indices — not the
human-readable markdown files users expect to see.
Document the correct value and add an inline note to .env.example.
2026-03-01 14:46:54 -08:00
rezero-household
2eec86cc87
fix: use correct auth field in gateway WebSocket handshake
OpenClaw gateway configured with auth.mode='token' expects
{ token: '...' } in the connect handshake params, not { password: '...' }.
Sending 'password' causes the gateway to reject the handshake, resulting
in a disconnect→reconnect loop that floods the error log.
Tested against OpenClaw gateway v2026.2.25 with auth.mode='token'.
2026-03-01 14:46:04 -08:00
nyk
e77ec4cf2d
Merge pull request #52 from builderz-labs/fix/cron-trigger-params
fix: cron job manual trigger sending wrong params
2026-03-02 02:48:09 +07:00
Nyk
b6c6bb955d
fix: send jobId/jobName instead of command when triggering cron jobs
The triggerJob function was sending { command: job.command } to the API,
but the backend expects jobId or jobName to identify the job. This caused
all manual cron triggers to fail with "Job ID required" (400 error).
Also adds the missing `id` field to the CronJob store interface so
TypeScript recognizes the field already returned by the API.
2026-03-02 02:44:20 +07:00
nyk
1544d9f725
Merge pull request #51 from builderz-labs/feat/e2e-test-expansion
E2E test expansion + middleware fix + roadmap updates
2026-03-02 02:26:11 +07:00
Nyk
a2846357ac
docs: add per-agent cost breakdowns to roadmap
User feedback: per-agent cost visibility is a top priority for
operators running their own agent orchestration setups. Currently
derivable from per-session data but not yet a dedicated panel.
2026-03-02 02:21:45 +07:00
Nyk
45ad4a488b
test: add 94 E2E tests covering all CRUD routes + fix middleware location
Add comprehensive Playwright E2E test coverage for all major API routes:
- tasks-crud (18 tests): full lifecycle, filters, Aegis approval gate
- agents-crud (15 tests): CRUD, lookup by name/id, admin-only delete
- task-comments (7 tests): threaded comments, validation
- workflows-crud (8 tests): workflow template lifecycle
- webhooks-crud (9 tests): secret masking, regeneration
- alerts-crud (8 tests): alert rule lifecycle
- notifications (7 tests): delivery tracking, read status
- quality-review (6 tests): reviews with batch lookup
- search-and-export (7 tests): global search, export, activities
- user-management (8 tests): user admin CRUD
- helpers.ts: shared factory functions and cleanup utilities
Infrastructure fixes:
- Move middleware.ts to src/middleware.ts (Next.js 16 Turbopack
requires middleware in src/ when using src/app/ directory — the
root-level file was silently ignored, breaking CSRF protection)
- Add MC_DISABLE_RATE_LIMIT env var to bypass non-critical rate
limiters during E2E runs (login limiter stays active via critical flag)
- Fix limit-caps test: /api/activities caps at 500, not 200
- Set playwright workers=1, fullyParallel=false for serial execution
- Add CSRF origin fallback to request.nextUrl.host
Roadmap additions from user feedback:
- Agent-agnostic gateway support (not just OpenClaw)
- Direct CLI integration (Codex, Claude Code, etc.)
- Native macOS app (Electron or Tauri)
146/146 E2E tests passing (up from 51).
2026-03-02 02:21:10 +07:00
nyk
31520fe85d
Merge pull request #50 from builderz-labs/feat/v1.2-release
feat: v1.2.0 — validation hardening, unit tests, quality improvements
2026-03-02 00:26:13 +07:00
Nyk
df06c3a2ad
feat: v1.2.0 — validation hardening, unit tests, quality improvements
- Fix task status enum mismatch (blocked → quality_review)
- Add 12 Zod schemas for all unvalidated mutation routes
- Apply validateBody() across 11 API route handlers
- Add readLimiter (120/min) for GET-heavy endpoints
- Extend heavyLimiter to search, backup, cleanup routes
- Add security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
- Fill auth test stubs with real assertions (safeCompare, requireRole)
- Add validation, rate-limit, and db-helpers unit test suites (60 tests total)
- Replace as-any casts with typed interfaces (SessionQueryRow, UserQueryRow, CountRow)
- Bump version to 1.2.0, add CHANGELOG.md, update README roadmap
2026-03-02 00:22:59 +07:00
nyk
281315c685
Merge pull request #49 from builderz-labs/fix/scrub-sensitive-data
fix: scrub deployment-specific data from public repo
2026-03-01 15:40:16 +07:00
Nyk
ef872652e9
fix: replace screenshot with redacted version
Blur Sessions, Recent Logs, and Live Feed panels to remove
production filesystem paths and agent session names.
2026-03-01 15:39:49 +07:00
Nyk
8dd6e7ef17
fix: scrub deployment-specific data from public repo
- Replace hardcoded Telegram bot integrations (Jarv/Forge/Nefes/Ops)
with a single generic Telegram entry
- Remove 'forge' agent from hardcoded UI color themes
- Replace /home/openclaw/ paths in .env.example with /path/to/
- Fix default port in scripts: 3005 → 3000 (matches docs)
- Replace 'Jarvis' placeholder with generic 'my-agent'
- Rename 'Forge' → 'Builder' in agent identity registry
2026-03-01 15:37:55 +07:00
nyk
55b2544aab
Merge pull request #47 from builderz-labs/fix/v1.1-security-bugs
fix: patch security and build bugs in v1.1
2026-03-01 15:35:00 +07:00
nyk
9c95933521
Merge pull request #48 from builderz-labs/docs/add-screenshot
docs: add dashboard screenshot and fix E2E test count
2026-03-01 15:27:48 +07:00
Nyk
1b09c5903a
docs: add dashboard screenshot and fix E2E test count
- Add Mission Control dashboard screenshot to README hero section
- Fix E2E test count: 52 → 51 (actual count from audit)
2026-03-01 15:26:50 +07:00
Nyk
c8f932344f
fix: patch command injection, missing rate limit, Docker build, logger crash
- Sanitize session ID in control route to prevent command injection
via unsanitized URL params interpolated into shell commands
- Add mutationLimiter and structured logging to session control endpoint
- Install python3/make/g++ in Dockerfile deps stage for better-sqlite3
native addon compilation
- Handle missing public/ directory in Docker COPY with glob pattern
- Guard pino-pretty transport against missing devDependency at runtime
2026-02-27 21:57:50 +07:00
nyk
0165173225
Merge pull request #46 from builderz-labs/feat/medium-priority-v1.1
feat: error boundaries, pino logger, a11y, HSTS, zod validation, export limits
2026-02-27 21:48:10 +07:00
Nyk
c104b7e071
Merge remote-tracking branch 'origin/main' into feat/medium-priority-v1.1
# Conflicts:
# src/app/api/agents/route.ts
# src/app/api/alerts/route.ts
# src/app/api/auth/login/route.ts
# src/app/api/spawn/route.ts
# src/app/api/tasks/[id]/route.ts
# src/app/api/tasks/route.ts
# src/app/api/webhooks/route.ts
# src/lib/validation.ts
2026-02-27 21:47:56 +07:00
nyk
08f3c12c1f
Merge pull request #45 from builderz-labs/feat/high-priority-v1.1
feat: Docker, session controls, model catalog, API rate limiting
2026-02-27 21:38:42 +07:00
Nyk
321a7c2db2
feat: error boundaries, pino logger, a11y, HSTS, zod validation, export limits
2026-02-27 21:37:06 +07:00
Nyk
299faf50e3
feat: add Docker support, session controls, model catalog, API rate limiting
2026-02-27 20:56:02 +07:00
nyk
4f92c22f32
Merge pull request #44 from builderz-labs/docs/roadmap-update
Expand roadmap with 10 tracked issues from codebase audit
2026-02-27 20:17:07 +07:00
Nyk
9e4b50280c
docs: expand roadmap with 10 tracked issues from codebase audit
Adds concrete roadmap items with issue links covering Docker support,
session controls, model catalog, rate limiting, error boundaries,
structured logging, accessibility, HSTS, input validation, and
export limits.
2026-02-27 20:16:44 +07:00
nyk
0e65f97253
Merge pull request #33 from builderz-labs/fix/db-foreign-keys-indexes
Fix SQLite foreign keys and add missing indexes
2026-02-27 20:08:14 +07:00
Nyk
b5766b0850
fix: enable foreign_keys pragma and add missing indexes
- Add `PRAGMA foreign_keys = ON` to db.ts — without this, all
ON DELETE CASCADE constraints across 7 tables are silently ignored
(SQLite disables foreign keys by default)
- Add migration 015 with indexes on hot query paths:
notifications(read_at), notifications(recipient, read_at),
activities(actor), activities(entity_type, entity_id),
messages(read_at)
2026-02-27 20:07:50 +07:00
nyk
3218cfd3eb
Merge pull request #32 from builderz-labs/docs/readme-final-fixes
Fix remaining README inconsistencies
2026-02-27 19:50:14 +07:00
Nyk
77e989b5bf
docs: fix remaining README inconsistencies
- Fix panel count in hero section: "20+" → "26" (matches architecture tree)
- Fix security advice: remove stale reference to open security issues (all closed), replace with actionable deployment guidance
2026-02-27 19:49:48 +07:00
nyk
a49786d940
Merge pull request #31 from builderz-labs/docs/readme-accuracy-fixes
Fix README inaccuracies and add engines field
2026-02-27 19:24:58 +07:00
Nyk
dd7d4fb481
docs: fix README inaccuracies and add engines field
- Fix migration count: 11 → 14 (actual count in migrations.ts)
- Fix panel count: 23 → 26 (actual count in components/panels/)
- Fix API route count: 25+ → 30+ (actual count in app/api/)
- Update testing line to mention 52 E2E tests
- Collapse completed issues list into link to v1.0.0 release notes
- Add engines.node >= 20 to package.json (matches CI)
2026-02-27 19:24:36 +07:00
nyk
5515ab5f77
Merge pull request #30 from builderz-labs/fix/ci-release-readiness
Fix CI workflow and release readiness bugs
2026-02-27 18:52:41 +07:00
Nyk
5647ac1932
fix: CI workflow and release readiness bugs
- Swap pnpm/node setup order (pnpm must install before node cache)
- Move build step before E2E tests (next start needs .next/ output)
- Add `cp .env.test .env` step so E2E server has auth credentials
- Fix test:all script to build before E2E (same ordering bug)
- Remove stale package-lock.json (project uses pnpm exclusively)
- Update README: remove "No E2E test suite" (52 tests exist now)
2026-02-27 18:52:13 +07:00
nyk
243f25a1db
Merge pull request #29 from builderz-labs/test/e2e-critical-fixes
Add 52 Playwright E2E tests for all critical fixes
2026-02-27 15:39:19 +07:00
Nyk
8de9e0b5c3
test: add 52 Playwright E2E tests covering all critical fixes
8 test suites verifying:
- Auth guards on 19 GET endpoints (Issue #4)
- Timing-safe API key comparison (Issue #5)
- Legacy cookie auth removal (Issue #7)
- Login rate limiting (Issue #8)
- CSRF Origin header validation (Issue #20)
- DELETE body standardization (Issue #18)
- Query limit caps at 200 (Issue #19)
- Login flow and session lifecycle
Also fixes migration 013 crash on fresh DB when gateways table
doesn't exist (created lazily by gateways API, not in migrations).
2026-02-27 15:38:49 +07:00
nyk
2f0335443f
Merge pull request #28 from builderz-labs/docs/update-readme-post-fixes
docs: update README to reflect completed fixes
2026-02-27 14:13:34 +07:00
Nyk
33fa5451d7
docs: update README to reflect completed security and quality fixes
- Update Known Limitations to remove resolved items (#4-#20)
- Replace Roadmap open checkboxes with completed checklist
- Add Up Next section for remaining work
2026-02-27 14:12:18 +07:00
nyk
84a7989e3a
Merge pull request #27 from builderz-labs/fix/p3-cleanup
chore: P3 cleanup — CoC, templates, DELETE patterns, limits, CSRF
2026-02-27 14:04:49 +07:00
Nyk
08c9f3625b
chore: CODE_OF_CONDUCT, issue templates, DELETE patterns, limit caps, CSRF origin check
- Add Contributor Covenant 2.1 Code of Conduct (Closes #16)
- Add bug report and feature request issue templates (Closes #17)
- Standardize DELETE handlers to use request body instead of query params (Closes #18)
- Cap unbounded limit params to Math.min(limit, 200) on 12 endpoints (Closes #19)
- Add CSRF Origin header validation for mutating requests in middleware (Closes #20)
2026-02-27 14:04:09 +07:00
nyk
5e94d79e66
Merge pull request #26 from builderz-labs/fix/p2-quality
fix: P2 quality — strict mode, tests, pagination, N+1, CSP
2026-02-27 14:03:34 +07:00
Nyk
bf0df9b6d0
fix: strict mode, test stubs, pagination counts, N+1 queries, CSP hardening
- Enable TypeScript strict mode and fix all resulting type errors
- Add auth test stubs for requireRole and safeCompare
- Add proper COUNT(*) pagination totals to agents, tasks, notifications,
messages, conversations, and standup history endpoints
- Fix N+1 queries by hoisting db.prepare() outside loops in agents,
activities, notifications, conversations, standup, gateway health,
and notification delivery routes
- Remove unsafe-eval from CSP script-src directive
- Remove deprecated X-XSS-Protection header
2026-02-27 14:02:52 +07:00
nyk
704c661bad
Merge pull request #25 from builderz-labs/fix/p1-security-high
fix: P1 security high — legacy auth, rate limit, SSRF, SQL injection
2026-02-27 14:02:12 +07:00
Nyk
3b600d817e
fix: remove legacy auth, add login rate limiting, block SSRF metadata, parameterize migration SQL
2026-02-27 13:58:52 +07:00
nyk
98f1990b57
Merge pull request #21 from builderz-labs/fix/p0-security-critical
fix: P0 security critical — auth guards, timing-safe compare, XSS
2026-02-27 13:56:50 +07:00
Nyk
1ee506b4cf
fix: add auth checks on all GET endpoints, timing-safe comparisons, and XSS sanitization
2026-02-27 13:04:24 +07:00
nyk
84ba833454
docs: fix roadmap issue number references
2026-02-27 12:29:47 +07:00
nyk
de69a87fdf
docs: add project status, known limitations, and roadmap to README
2026-02-27 12:21:31 +07:00
Nyk
99815d20b3
feat: initial open-source release
OpenClaw Mission Control — agent orchestration dashboard.
Built with Next.js 16, React 19, TypeScript, SQLite, and Tailwind CSS.
MIT License.
2026-02-23 02:00:44 +07:00