96168fe2f4
Security hardening: - Fix timing-safe comparison bugs in webhooks.ts and auth.ts (was comparing buffer with itself) - Harden rate limiter IP extraction — use rightmost untrusted IP from XFF chain with MC_TRUSTED_PROXIES support - Add 12-char minimum password validation in Zod schema and runtime check - Add Zod validation on PUT /api/tasks bulk status update Webhook retry system (completing in-progress feature): - Exponential backoff with circuit breaker in webhooks.ts - POST /api/webhooks/retry endpoint for manual retry - GET /api/webhooks/verify-docs endpoint for signature verification docs - Scheduler integration for automatic retry processing - Unit tests for signature verification and backoff logic Local Claude Code session tracking: - New claude-sessions.ts scanner parses JSONL transcripts from ~/.claude/projects/ - Extracts model, tokens, messages, cost estimates, active status per session - Migration 020 adds claude_sessions table - GET/POST /api/claude/sessions endpoint with filtering and aggregate stats - Scheduler runs scan every 60s with MC_CLAUDE_HOME config Quality improvements: - Replace all console.error/warn with structured logger across 31 API routes - Add Docker HEALTHCHECK directive - Add vitest coverage config with v8 provider (60% threshold) - Update README with new features, API docs, env vars, and roadmap items - Fix E2E tests for password length and rate limiter IP changes |
||
|---|---|---|
| .. | ||
| README.md | ||
| agent-costs.spec.ts | ||
| agents-crud.spec.ts | ||
| alerts-crud.spec.ts | ||
| auth-guards.spec.ts | ||
| csrf-validation.spec.ts | ||
| delete-body.spec.ts | ||
| direct-cli.spec.ts | ||
| github-sync.spec.ts | ||
| helpers.ts | ||
| legacy-cookie-removed.spec.ts | ||
| limit-caps.spec.ts | ||
| login-flow.spec.ts | ||
| notifications.spec.ts | ||
| openapi.spec.ts | ||
| quality-review.spec.ts | ||
| rate-limiting.spec.ts | ||
| search-and-export.spec.ts | ||
| task-comments.spec.ts | ||
| tasks-crud.spec.ts | ||
| timing-safe-auth.spec.ts | ||
| user-management.spec.ts | ||
| webhooks-crud.spec.ts | ||
| workflows-crud.spec.ts | ||
README.md
E2E Tests
Playwright end-to-end specs for Mission Control API and UI.
Running
# Start the dev server first (or let Playwright auto-start via reuseExistingServer)
pnpm dev --hostname 127.0.0.1 --port 3005
# Run all tests
pnpm test:e2e
# Run a specific spec
pnpm exec playwright test tests/tasks-crud.spec.ts
Test Environment
Tests require .env.local with:
API_KEY=test-api-key-e2e-12345MC_DISABLE_RATE_LIMIT=1(bypasses mutation/read rate limits, keeps login rate limit active)
Spec Files
Security & Auth
auth-guards.spec.ts— All API routes return 401 without authcsrf-validation.spec.ts— CSRF origin header validationlegacy-cookie-removed.spec.ts— Old cookie format rejectedlogin-flow.spec.ts— Login, session, redirect lifecyclerate-limiting.spec.ts— Login brute-force protectiontiming-safe-auth.spec.ts— Constant-time API key comparison
CRUD Lifecycle
tasks-crud.spec.ts— Tasks POST/GET/PUT/DELETE with filters, Aegis gateagents-crud.spec.ts— Agents CRUD, lookup by name/id, admin-only deletetask-comments.spec.ts— Threaded comments on tasksworkflows-crud.spec.ts— Workflow template CRUDwebhooks-crud.spec.ts— Webhooks with secret masking and regenerationalerts-crud.spec.ts— Alert rule CRUD with full lifecycleuser-management.spec.ts— User admin CRUD
Features
notifications.spec.ts— Notification delivery and read trackingquality-review.spec.ts— Quality reviews with batch lookupsearch-and-export.spec.ts— Global search, data export, activity feed
Infrastructure
limit-caps.spec.ts— Endpoint limit caps enforceddelete-body.spec.ts— DELETE body standardization
Shared
helpers.ts— Factory functions (createTestTask,createTestAgent, etc.) and cleanup helpers