johan
/
mission-control
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mission-control/CHANGELOG.md

11 KiB
Raw Blame History

Changelog

All notable changes to Mission Control are documented in this file.

[Unreleased]

[2.0.1] - 2026-03-18

Mission Control 2.0.1 is the first patch release after the v2 launch. It rolls up the full set of fixes and follow-on features that landed after v2.0.0, including HTTP/Tailscale login hardening, zero-config onboarding, internationalization, gateway/runtime stability fixes, deeper task-routing automation, and the latest OpenClaw compatibility updates.

Added

  • First-time setup wizard and zero-config startup flow for fresh installs
  • Full i18n coverage across the application with 10 language packs and panel-level translations
  • Trusted reverse proxy and header-auth support for more flexible self-hosted deployments
  • Gateway health history logging and timeline visibility
  • Port-based Tailscale Serve proxy detection and stronger public websocket URL handling
  • Task implementation-target persistence, session targeting, and complexity-based model-tier routing
  • GNAP sync for git-native task persistence
  • Hybrid dashboard mode for simultaneous gateway and local session visibility
  • Workspace skill root discovery, filtering, and per-agent skill-root display
  • Windows PowerShell installer support
  • awaiting_owner task status detection

Changed

  • Node runtime policy now accepts all versions >=22 instead of a narrow allowlist
  • CSP and browser-security helpers were factored into dedicated modules for clearer hardening boundaries
  • Docker/image release automation now supports the official Docker Hub image when repository secrets are configured
  • Release metadata and docs now point to the Builderz Labs repository as the canonical source

Fixed

  • HTTP and Tailscale login regressions caused by unconditional HTTPS redirects and CSP nonce propagation gaps
  • Fresh HTTP Docker installs failing login because secure-cookie behavior did not follow the actual request protocol
  • Gateway auth and credential detection for mixed token/password setups
  • Task dispatch using display names instead of gateway agent IDs
  • Docker and gateway-optional regressions across Compose startup, health probes, public assets, OPENCLAW_HOME, and read-only config handling
  • SQLite SQLITE_BUSY contention by adding busy_timeout and guarding build-phase eager initialization
  • Doctor banner dismissal persistence, cron panel crash handling, and null-safe model config editing
  • Gateway connectivity and onboarding probe issues, including POST-based wizard health checks and explicit public websocket URL preference
  • Notification refresh timing, agent empty-state UX, duplicate task-title/delete handling, and several panel/runtime regressions
  • Memory diagnostics scoping, gateway notification delivery, session labels, and multiple i18n namespace gaps
  • Password generation now uses a CSPRNG in the Windows installer
  • Reagraph CSP rendering regression caused by nonce handling in style-src
  • /api/spawn now supports OpenClaw agents that rely on configured default models instead of requiring a runtime model
  • Gateway dashboard registration now has explicit regression coverage preserving device-auth posture

Security

  • Removed unsafe-inline in favor of nonce-based CSP handling
  • Strengthened skill-registry SSRF and path-traversal detection rules
  • Stopped forcing dangerouslyDisableDeviceAuth during Mission Control gateway registration

Tests

  • Coverage for pure utility modules to keep the Vitest threshold passing in CI
  • Gateway health history E2E and supporting utility tests
  • Docker-mode integration coverage for gateway connectivity regressions
  • Regression coverage for spawn-schema compatibility and gateway dashboard registration behavior

Contributors

  • @0xNyk
  • @Brixyy
  • @clintbaxley
  • @dk-blackfuel
  • @firefloc-nox
  • @HonzysClawdbot
  • @hectorse.88
  • @jonathan-squaredlemons
  • @jonboirama
  • @joshua-mo-143
  • @jrrcdev
  • @lucascr
  • @RazorFin
  • @topshelfmedia

Fixed

  • HTTP and Tailscale login broken by unconditional HTTPS redirect — replaced with opt-in NEXT_PUBLIC_FORCE_HTTPS=1 (#309)
  • CSP nonce mismatch blocking inline scripts after login — nonce now propagated into SSR request headers (#308, #311)
  • Layout inline theme script missing nonce attribute, causing CSP violations on chunk loading (#308, #311)
  • Task dispatch sending agent display name instead of gateway ID — now resolves openclawId from config (#310)
  • Session cookie Secure flag forced in production even over HTTP — now derived from actual request protocol (#304)
  • Node version check changed from allowlist (22, 24) to floor (>=22) for future compatibility

Changed

  • CSP generation and browser-security helpers extracted to src/lib/csp.ts and src/lib/browser-security.ts

Contributors

  • @0xNyk
  • @polaris-dxz
  • @jaserNo1

[2.0.0] - 2026-03-11

Added

  • Dual-mode operations for both OpenClaw gateway deployments and local workstation installs
  • Hermes observability, including session, task, cron, memory, and transcript visibility
  • Obsidian-style memory knowledge system with graph visualization, health signals, and filesystem browser
  • Rebuilt onboarding flow with session-scoped walkthroughs, security scan, and OpenClaw gateway setup guidance
  • OpenClaw doctor status and in-app doctor fix workflow for runtime drift detection and remediation
  • Expanded OpenClaw dashboard coverage for channels, chat, sessions, cron, usage, devices, approvals, logs, and schema-backed config
  • Global exec approval overlay, unified cost tracker, and richer agent communication/session routing views
  • Embedded chat workspace, Claude Code task bridge, framework adapters, self-update flow, and stronger local agent/skill discovery
  • Automated task dispatch, automated Aegis review, natural-language recurring tasks, and richer gateway backup/update actions

Fixed

  • Agent and workspace deletion now removes OpenClaw config state correctly and refreshes the UI consistently
  • Security scan autofix no longer breaks host access or E2E runtime env state after applying fixes
  • Mission Control builds now isolate build-time SQLite state from runtime SQLite state, eliminating SQLITE_BUSY build contention
  • Standalone deploy/runtime handling now preserves data directories, static assets, and restart detection more reliably
  • OpenClaw config compatibility issues around malformed model.primary payloads, stale keys, and doctor warning classification
  • Local Hermes transcript loading, gateway chat/channel RPC fallbacks, and memory panel regressions from the refactor cycle
  • E2E harness isolation so tests use fresh temp OpenClaw state, temp skill roots, and deterministic scheduler behavior
  • Login/autofill/CSP regressions, websocket/device-identity edge cases, memory graph fit/overflow issues, and several panel parity gaps found during the refactor

Changed

  • Project version advanced to 2.0.0
  • Node runtime policy standardized on 22.x across local development, CI, Docker, and standalone deployment
  • README, landing-page handoff, and release documentation refreshed to match the current Mission Control interface and feature set
  • This release captures 189 commits on top of main and marks the major refactor branch as the new baseline for Mission Control
  • Navigation, loading, branding, and onboarding flows were redesigned to match the broader v2 operator experience

Contributors

  • @0xNyk

[1.3.0] - 2026-03-02

Added

  • Local Claude Code session tracking — auto-discovers sessions from ~/.claude/projects/, extracts token usage, model info, cost estimates, and active status from JSONL transcripts
  • GET/POST /api/claude/sessions endpoint with filtering, pagination, and aggregate stats
  • Webhook retry system with exponential backoff and circuit breaker
  • POST /api/webhooks/retry endpoint for manual retry of failed deliveries
  • GET /api/webhooks/verify-docs endpoint for signature verification documentation
  • Webhook signature verification unit tests (HMAC-SHA256 + backoff logic)
  • Docker HEALTHCHECK directive
  • Vitest coverage configuration (v8 provider, 60% threshold)
  • Cron job deduplication on read and duplicate prevention on add
  • MC_CLAUDE_HOME env var for configuring Claude Code home directory
  • MC_TRUSTED_PROXIES env var for rate limiter IP extraction

Fixed

  • Timing-safe comparison bug in webhook signature verification (was comparing buffer with itself)
  • Timing-safe comparison bug in auth token validation (same issue)
  • Rate limiter IP spoofing — now uses rightmost untrusted IP from X-Forwarded-For chain
  • Model display bug: getModelInfo() always returned first model (haiku) for unrecognized names
  • Feed item ID collisions between logs and activities in the live feed
  • WebSocket reconnect thundering-herd — added jitter to exponential backoff

Changed

  • All 31 API routes now use structured pino logger instead of console.error/console.warn
  • Cron file I/O converted from sync to async (fs/promises)
  • Password minimum length increased to 12 characters
  • Zod validation added to PUT /api/tasks bulk status updates
  • README updated with 64 API routes, new features, and env vars
  • Migration count: 20 (added claude_sessions table)
  • 69 unit tests, 165 E2E tests — all passing

Contributors

  • @TGLTommy — model display bug fix
  • @doanbactam — feed ID fix, jittered reconnect, cron deduplication

[1.2.0] - 2026-03-01

Added

  • Zod input validation schemas for all mutation API routes
  • Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
  • Rate limiting on resource-intensive endpoints (search, backup, cleanup, memory, logs)
  • Unit tests for auth, validation, rate-limit, and db-helpers modules

Fixed

  • Task status enum mismatch (blockedquality_review) in validation schema
  • Type safety improvements in auth.ts and db.ts (replaced as any casts)

Changed

  • Standardized alert route to use validateBody() helper
  • Bumped package version from 1.0.0 to 1.2.0

[1.1.0] - 2026-02-27

Added

  • Multi-user authentication with session management
  • Google SSO with admin approval workflow
  • Role-based access control (admin, operator, viewer)
  • Audit logging for security events
  • 1Password integration for secrets management
  • Workflow templates and pipeline orchestration
  • Quality review system with approval gates
  • Data export (CSV/JSON) for audit logs, tasks, activities
  • Global search across all entities
  • Settings management UI
  • Gateway configuration editor
  • Notification system with @mentions
  • Agent communication (direct messages)
  • Standup report generation
  • Scheduled auto-backup and auto-cleanup
  • Network access control (host allowlist)
  • CSRF origin validation

[1.0.0] - 2026-02-15

Added

  • Agent orchestration dashboard with real-time status
  • Task management with Kanban board
  • Activity stream with live updates (SSE)
  • Agent spawn and session management
  • Webhook integration with HMAC signatures
  • Alert rules engine with condition evaluation
  • Token usage tracking and cost estimation
  • Dark/light theme support
  • Docker deployment support