* feat: add workspace-scoped auth sessions and core API filtering
* feat: extend workspace scoping to search status standup and messaging
* feat: scope agent connect github and alert workflows by workspace
* fix: scope status sync and session alerts by workspace
* feat: add phase2 workspace migration and scope chat pipeline alerts
* feat: add model selection for agents and cron jobs
* feat: add deterministic agent avatars to task and squad views
* feat: add read-only cron calendar and agenda views
* feat: render task descriptions with markdown
Security hardening:
- Fix timing-safe comparison bugs in webhooks.ts and auth.ts (was comparing buffer with itself)
- Harden rate limiter IP extraction — use rightmost untrusted IP from XFF chain with MC_TRUSTED_PROXIES support
- Add 12-char minimum password validation in Zod schema and runtime check
- Add Zod validation on PUT /api/tasks bulk status update
Webhook retry system (completing in-progress feature):
- Exponential backoff with circuit breaker in webhooks.ts
- POST /api/webhooks/retry endpoint for manual retry
- GET /api/webhooks/verify-docs endpoint for signature verification docs
- Scheduler integration for automatic retry processing
- Unit tests for signature verification and backoff logic
Local Claude Code session tracking:
- New claude-sessions.ts scanner parses JSONL transcripts from ~/.claude/projects/
- Extracts model, tokens, messages, cost estimates, active status per session
- Migration 020 adds claude_sessions table
- GET/POST /api/claude/sessions endpoint with filtering and aggregate stats
- Scheduler runs scan every 60s with MC_CLAUDE_HOME config
Quality improvements:
- Replace all console.error/warn with structured logger across 31 API routes
- Add Docker HEALTHCHECK directive
- Add vitest coverage config with v8 provider (60% threshold)
- Update README with new features, API docs, env vars, and roadmap items
- Fix E2E tests for password length and rate limiter IP changes
* fix: resolve all 44 failing CI E2E tests
- Bypass non-critical rate limiters in test env (MC_DISABLE_RATE_LIMIT=1)
to prevent 429s when 165 tests share the same IP bucket
- Make admin seed idempotent (INSERT OR IGNORE) to fix UNIQUE constraint
race when multiple Next.js workers initialize concurrently
- Add distinct x-forwarded-for headers to login-flow tests so they never
share the critical login rate-limit bucket with other test suites
- Add missing 018_token_usage migration that the heartbeat POST handler
depends on, fixing the 500 on inline token reporting
* docs: update README with latest features and test count
- Update migration count from 15 to 18
- Update E2E test count from 146 to 165
- Move Direct CLI, OpenAPI docs, and GitHub sync to completed roadmap
- Add Direct CLI and GitHub sync feature descriptions
- Add /api/connect and /api/github to API reference
- Remove resolved known limitation (vitest stubs)
- Update repo description
* fix: prevent build-time admin seed with wrong credentials in CI
Move `cp .env.test .env` before `pnpm build` in CI workflow so env vars
are present during build. Add NEXT_PHASE guard to skip seed during build
as belt-and-suspenders — env vars may not be available at build time.
Root cause: `next build` imports db.ts, triggering seedAdminUserFromEnv()
with undefined AUTH_USER/AUTH_PASS, seeding user `admin` instead of
`testadmin`. Runtime seed then sees count > 0 and skips. Tests login
as `testadmin` which doesn't exist → 401.
- Add `PRAGMA foreign_keys = ON` to db.ts — without this, all
ON DELETE CASCADE constraints across 7 tables are silently ignored
(SQLite disables foreign keys by default)
- Add migration 015 with indexes on hot query paths:
notifications(read_at), notifications(recipient, read_at),
activities(actor), activities(entity_type, entity_id),
messages(read_at)
Nyk
nyk