Commit Graph

38 Commits

Author SHA1 Message Date
Nyk df06c3a2ad feat: v1.2.0 — validation hardening, unit tests, quality improvements
- Fix task status enum mismatch (blocked → quality_review)
- Add 12 Zod schemas for all unvalidated mutation routes
- Apply validateBody() across 11 API route handlers
- Add readLimiter (120/min) for GET-heavy endpoints
- Extend heavyLimiter to search, backup, cleanup routes
- Add security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
- Fill auth test stubs with real assertions (safeCompare, requireRole)
- Add validation, rate-limit, and db-helpers unit test suites (60 tests total)
- Replace as-any casts with typed interfaces (SessionQueryRow, UserQueryRow, CountRow)
- Bump version to 1.2.0, add CHANGELOG.md, update README roadmap
2026-03-02 00:22:59 +07:00
nyk 281315c685
Merge pull request #49 from builderz-labs/fix/scrub-sensitive-data
fix: scrub deployment-specific data from public repo
2026-03-01 15:40:16 +07:00
Nyk ef872652e9 fix: replace screenshot with redacted version
Blur Sessions, Recent Logs, and Live Feed panels to remove
production filesystem paths and agent session names.
2026-03-01 15:39:49 +07:00
Nyk 8dd6e7ef17 fix: scrub deployment-specific data from public repo
- Replace hardcoded Telegram bot integrations (Jarv/Forge/Nefes/Ops)
  with a single generic Telegram entry
- Remove 'forge' agent from hardcoded UI color themes
- Replace /home/openclaw/ paths in .env.example with /path/to/
- Fix default port in scripts: 3005 → 3000 (matches docs)
- Replace 'Jarvis' placeholder with generic 'my-agent'
- Rename 'Forge' → 'Builder' in agent identity registry
2026-03-01 15:37:55 +07:00
nyk 55b2544aab
Merge pull request #47 from builderz-labs/fix/v1.1-security-bugs
fix: patch security and build bugs in v1.1
2026-03-01 15:35:00 +07:00
nyk 9c95933521
Merge pull request #48 from builderz-labs/docs/add-screenshot
docs: add dashboard screenshot and fix E2E test count
2026-03-01 15:27:48 +07:00
Nyk 1b09c5903a docs: add dashboard screenshot and fix E2E test count
- Add Mission Control dashboard screenshot to README hero section
- Fix E2E test count: 52 → 51 (actual count from audit)
2026-03-01 15:26:50 +07:00
Nyk c8f932344f fix: patch command injection, missing rate limit, Docker build, logger crash
- Sanitize session ID in control route to prevent command injection
  via unsanitized URL params interpolated into shell commands
- Add mutationLimiter and structured logging to session control endpoint
- Install python3/make/g++ in Dockerfile deps stage for better-sqlite3
  native addon compilation
- Handle missing public/ directory in Docker COPY with glob pattern
- Guard pino-pretty transport against missing devDependency at runtime
2026-02-27 21:57:50 +07:00
nyk 0165173225
Merge pull request #46 from builderz-labs/feat/medium-priority-v1.1
feat: error boundaries, pino logger, a11y, HSTS, zod validation, export limits
2026-02-27 21:48:10 +07:00
Nyk c104b7e071 Merge remote-tracking branch 'origin/main' into feat/medium-priority-v1.1
# Conflicts:
#	src/app/api/agents/route.ts
#	src/app/api/alerts/route.ts
#	src/app/api/auth/login/route.ts
#	src/app/api/spawn/route.ts
#	src/app/api/tasks/[id]/route.ts
#	src/app/api/tasks/route.ts
#	src/app/api/webhooks/route.ts
#	src/lib/validation.ts
2026-02-27 21:47:56 +07:00
nyk 08f3c12c1f
Merge pull request #45 from builderz-labs/feat/high-priority-v1.1
feat: Docker, session controls, model catalog, API rate limiting
2026-02-27 21:38:42 +07:00
Nyk 321a7c2db2 feat: error boundaries, pino logger, a11y, HSTS, zod validation, export limits
2026-02-27 21:37:06 +07:00
Nyk 299faf50e3 feat: add Docker support, session controls, model catalog, API rate limiting
2026-02-27 20:56:02 +07:00
nyk 4f92c22f32
Merge pull request #44 from builderz-labs/docs/roadmap-update
Expand roadmap with 10 tracked issues from codebase audit
2026-02-27 20:17:07 +07:00
Nyk 9e4b50280c docs: expand roadmap with 10 tracked issues from codebase audit
Adds concrete roadmap items with issue links covering Docker support,
session controls, model catalog, rate limiting, error boundaries,
structured logging, accessibility, HSTS, input validation, and
export limits.
2026-02-27 20:16:44 +07:00
nyk 0e65f97253
Merge pull request #33 from builderz-labs/fix/db-foreign-keys-indexes
Fix SQLite foreign keys and add missing indexes
2026-02-27 20:08:14 +07:00
Nyk b5766b0850 fix: enable foreign_keys pragma and add missing indexes
- Add `PRAGMA foreign_keys = ON` to db.ts — without this, all
  ON DELETE CASCADE constraints across 7 tables are silently ignored
  (SQLite disables foreign keys by default)
- Add migration 015 with indexes on hot query paths:
  notifications(read_at), notifications(recipient, read_at),
  activities(actor), activities(entity_type, entity_id),
  messages(read_at)
2026-02-27 20:07:50 +07:00
nyk 3218cfd3eb
Merge pull request #32 from builderz-labs/docs/readme-final-fixes
Fix remaining README inconsistencies
2026-02-27 19:50:14 +07:00
Nyk 77e989b5bf docs: fix remaining README inconsistencies
- Fix panel count in hero section: "20+" → "26" (matches architecture tree)
- Fix security advice: remove stale reference to open security issues (all closed), replace with actionable deployment guidance
2026-02-27 19:49:48 +07:00
nyk a49786d940
Merge pull request #31 from builderz-labs/docs/readme-accuracy-fixes
Fix README inaccuracies and add engines field
2026-02-27 19:24:58 +07:00
Nyk dd7d4fb481 docs: fix README inaccuracies and add engines field
- Fix migration count: 11 → 14 (actual count in migrations.ts)
- Fix panel count: 23 → 26 (actual count in components/panels/)
- Fix API route count: 25+ → 30+ (actual count in app/api/)
- Update testing line to mention 52 E2E tests
- Collapse completed issues list into link to v1.0.0 release notes
- Add engines.node >= 20 to package.json (matches CI)
2026-02-27 19:24:36 +07:00
nyk 5515ab5f77
Merge pull request #30 from builderz-labs/fix/ci-release-readiness
Fix CI workflow and release readiness bugs
2026-02-27 18:52:41 +07:00
Nyk 5647ac1932 fix: CI workflow and release readiness bugs
- Swap pnpm/node setup order (pnpm must install before node cache)
- Move build step before E2E tests (next start needs .next/ output)
- Add `cp .env.test .env` step so E2E server has auth credentials
- Fix test:all script to build before E2E (same ordering bug)
- Remove stale package-lock.json (project uses pnpm exclusively)
- Update README: remove "No E2E test suite" (52 tests exist now)
2026-02-27 18:52:13 +07:00
nyk 243f25a1db
Merge pull request #29 from builderz-labs/test/e2e-critical-fixes
Add 52 Playwright E2E tests for all critical fixes
2026-02-27 15:39:19 +07:00
Nyk 8de9e0b5c3 test: add 52 Playwright E2E tests covering all critical fixes
8 test suites verifying:
- Auth guards on 19 GET endpoints (Issue #4)
- Timing-safe API key comparison (Issue #5)
- Legacy cookie auth removal (Issue #7)
- Login rate limiting (Issue #8)
- CSRF Origin header validation (Issue #20)
- DELETE body standardization (Issue #18)
- Query limit caps at 200 (Issue #19)
- Login flow and session lifecycle

Also fixes migration 013 crash on fresh DB when gateways table
doesn't exist (created lazily by gateways API, not in migrations).
2026-02-27 15:38:49 +07:00
nyk 2f0335443f
Merge pull request #28 from builderz-labs/docs/update-readme-post-fixes
docs: update README to reflect completed fixes
2026-02-27 14:13:34 +07:00
Nyk 33fa5451d7 docs: update README to reflect completed security and quality fixes
- Update Known Limitations to remove resolved items (#4-#20)
- Replace Roadmap open checkboxes with completed checklist
- Add Up Next section for remaining work
2026-02-27 14:12:18 +07:00
nyk 84a7989e3a
Merge pull request #27 from builderz-labs/fix/p3-cleanup
chore: P3 cleanup — CoC, templates, DELETE patterns, limits, CSRF
2026-02-27 14:04:49 +07:00
Nyk 08c9f3625b chore: CODE_OF_CONDUCT, issue templates, DELETE patterns, limit caps, CSRF origin check
- Add Contributor Covenant 2.1 Code of Conduct (Closes #16)
- Add bug report and feature request issue templates (Closes #17)
- Standardize DELETE handlers to use request body instead of query params (Closes #18)
- Cap unbounded limit params to Math.min(limit, 200) on 12 endpoints (Closes #19)
- Add CSRF Origin header validation for mutating requests in middleware (Closes #20)
2026-02-27 14:04:09 +07:00
nyk 5e94d79e66
Merge pull request #26 from builderz-labs/fix/p2-quality
fix: P2 quality — strict mode, tests, pagination, N+1, CSP
2026-02-27 14:03:34 +07:00
Nyk bf0df9b6d0 fix: strict mode, test stubs, pagination counts, N+1 queries, CSP hardening
- Enable TypeScript strict mode and fix all resulting type errors
- Add auth test stubs for requireRole and safeCompare
- Add proper COUNT(*) pagination totals to agents, tasks, notifications,
  messages, conversations, and standup history endpoints
- Fix N+1 queries by hoisting db.prepare() outside loops in agents,
  activities, notifications, conversations, standup, gateway health,
  and notification delivery routes
- Remove unsafe-eval from CSP script-src directive
- Remove deprecated X-XSS-Protection header
2026-02-27 14:02:52 +07:00
nyk 704c661bad
Merge pull request #25 from builderz-labs/fix/p1-security-high
fix: P1 security high — legacy auth, rate limit, SSRF, SQL injection
2026-02-27 14:02:12 +07:00
Nyk 3b600d817e fix: remove legacy auth, add login rate limiting, block SSRF metadata, parameterize migration SQL
2026-02-27 13:58:52 +07:00
nyk 98f1990b57
Merge pull request #21 from builderz-labs/fix/p0-security-critical
fix: P0 security critical — auth guards, timing-safe compare, XSS
2026-02-27 13:56:50 +07:00
Nyk 1ee506b4cf fix: add auth checks on all GET endpoints, timing-safe comparisons, and XSS sanitization
2026-02-27 13:04:24 +07:00
nyk 84ba833454 docs: fix roadmap issue number references
2026-02-27 12:29:47 +07:00
nyk de69a87fdf docs: add project status, known limitations, and roadmap to README
2026-02-27 12:21:31 +07:00
Nyk 99815d20b3 feat: initial open-source release
OpenClaw Mission Control — agent orchestration dashboard.

Built with Next.js 16, React 19, TypeScript, SQLite, and Tailwind CSS.
MIT License.
2026-02-23 02:00:44 +07:00