Commit Graph
1271 Commits
Author SHA1 Message Date
kaitranntt 2e45447bb7 fix(dashboard): resolve edge cases in backup restore and settings UI
Backend:
- Add atomic restore with mutex to prevent concurrent corruption
- Implement rollback on failure for backup restore
- Add symlink security validation

Frontend:
- Add 'backups' tab to URL validation in settings hook
- Add error boundary for lazy-loaded settings sections
- Clamp progress bar values to prevent visual bugs
- Add AbortController cleanup to prevent memory leaks
- Fix misleading debug mode description and add actual console logging
2026-01-14 15:42:12 -05:00
kaitranntt bd5e9d2b78 feat(dashboard): implement full parity UX improvements
- Remove 'agy' hardcode from quota hook (multi-provider support)
- Add quota N/A badge with AlertCircle icon for fetch failures
- Add new 'backups' tab to Settings page with Archive icon
- Create BackupsSection component with list/restore UI
- Add persist backend routes (GET /api/persist/backups, POST /api/persist/restore)
- Add debug mode toggle in Settings proxy section (localStorage persisted)

Closes documentation gap for persist command dashboard parity.
2026-01-14 13:52:54 -05:00
semantic-release-bot 01fe780514 chore(release): 7.20.1 [skip ci]
## [7.20.1](https://github.com/kaitranntt/ccs/compare/v7.20.0...v7.20.1) (2026-01-14)

### Bug Fixes

* **ci:** expand ai-review allowedTools to prevent token waste ([ac7b324](https://github.com/kaitranntt/ccs/commit/ac7b324d4989883c7a8e92030891e51bfc040cc3))
* **cliproxy:** address PR review feedback ([04c9b08](https://github.com/kaitranntt/ccs/commit/04c9b087ca3466c4b2871a777906f87b19566d3c))
* **cliproxy:** return null for unknown quota, add verbose diagnostics ([1ac1941](https://github.com/kaitranntt/ccs/commit/1ac19415ce835df15f3fcefbb698f12ec89ec5e9))
* **deps:** add express-rate-limit to production dependencies ([d9631be](https://github.com/kaitranntt/ccs/commit/d9631be81a018d9e007f241bcb6b928664cc6991)), closes [#333](https://github.com/kaitranntt/ccs/issues/333)
2026-01-14 18:39:17 +00:00
Kai (Tam Nhu) TranandGitHub bc1b1b6799 Merge pull request #335 from kaitranntt/dev
feat(release): v7.20.1 - quota diagnostics and ai-review improvements
2026-01-14 13:38:10 -05:00
github-actions[bot] bb9549cb22 chore(release): 7.20.0-dev.3 [skip ci] 2026-01-14 18:32:34 +00:00
kaitranntt ac7b324d49 fix(ci): expand ai-review allowedTools to prevent token waste
- Add more allowed bash patterns: gh issue view, gh api, git commands
- Add base tools: Edit, LS for better flexibility
- Update prompt to write pr_review.md in working dir (not /tmp/)
- Add step to Read before Write to avoid security block
- Add explicit rules about avoiding shell operators (||, &&, <<)
- Allow rm pr_review.md for cleanup

Previous run had 9 tool rejections wasting ~5000 tokens due to:
- gh issue view not allowed (only gh pr view was)
- /tmp/ outside working directory
- Write without Read blocked
- Complex shell operators blocked
2026-01-14 13:31:18 -05:00
github-actions[bot] 43aaa6dbf4 chore(release): 7.20.0-dev.2 [skip ci] 2026-01-14 18:12:00 +00:00
Kai (Tam Nhu) TranandGitHub 3ea1ea3064 Merge pull request #334 from kaitranntt/kai/fix/missing-express-rate-limit
fix(deps): add express-rate-limit to production dependencies
2026-01-14 13:10:58 -05:00
kaitranntt d9631be81a fix(deps): add express-rate-limit to production dependencies
express-rate-limit was imported in auth-middleware.ts but only the
@types/express-rate-limit package was declared in devDependencies.
This caused "Cannot find module 'express-rate-limit'" error when
running `ccs config` after installing v7.20.0 globally.

Closes #333
2026-01-14 13:06:58 -05:00
github-actions[bot] b740816dd9 chore(release): 7.20.0-dev.1 [skip ci] 2026-01-14 16:39:33 +00:00
Kai (Tam Nhu) TranandGitHub cc83b596fb Merge pull request #331 from kaitranntt/fix/quota-fix
fix(cliproxy): return null for unknown quota, add verbose diagnostics
2026-01-14 11:38:31 -05:00
kaitranntt 04c9b087ca fix(cliproxy): address PR review feedback
- Pass verbose flag through fetchQuotaWithDedup to fetchAccountQuota
- Change verbose logging from console.log to console.error (stderr)
- Keep quotaPercent optional (semantically correct for cases without quota)
2026-01-14 10:49:47 -05:00
semantic-release-bot 8e115a2a20 chore(release): 7.20.0 [skip ci]
## [7.20.0](https://github.com/kaitranntt/ccs/compare/v7.19.2...v7.20.0) (2026-01-14)

### Features

* **config:** add ccs config auth CLI subcommand ([39c1ee2](https://github.com/kaitranntt/ccs/commit/39c1ee2ca0f01a1254812a4a8fe8f6c2ed052fe0)), closes [#319](https://github.com/kaitranntt/ccs/issues/319)
* **dashboard:** add optional login authentication ([#319](https://github.com/kaitranntt/ccs/issues/319)) ([464b410](https://github.com/kaitranntt/ccs/commit/464b410e8b3e017689ce7de6b6fc06b3f04c7fdd))
* **persist:** add --list-backups and --restore options for backup management ([ef7e595](https://github.com/kaitranntt/ccs/commit/ef7e595b6fa4c96ac88e2e98f992fd05f7525e2e))
* **persist:** add backup management for settings.json ([#312](https://github.com/kaitranntt/ccs/issues/312)) ([3ac687e](https://github.com/kaitranntt/ccs/commit/3ac687ec9fab6ad4ce11bd3af6af5c596958a5e2)), closes [#248](https://github.com/kaitranntt/ccs/issues/248)

### Bug Fixes

* **auth:** add security hardening per code review ([a3a167e](https://github.com/kaitranntt/ccs/commit/a3a167e62aaa555c71379e91a9dfd0b7f5ddf145))
* **auth:** move redirect to useEffect and validate bcrypt hash format ([37e3468](https://github.com/kaitranntt/ccs/commit/37e3468d4dece26d35ef6b5ad9683312473e1ca9))
* **ci:** add full CLIProxy env vars for AI review ([7cfd3c1](https://github.com/kaitranntt/ccs/commit/7cfd3c1f9dbd387d4fc6388382727222bd8475bd))
* **ci:** add Write tool to allowedTools for PR comment posting ([e7dca48](https://github.com/kaitranntt/ccs/commit/e7dca480d313b2227638a3e8a53554b3d28d2c8e))
* **persist:** harden security and edge case handling ([#328](https://github.com/kaitranntt/ccs/issues/328)) ([397331e](https://github.com/kaitranntt/ccs/commit/397331ec8995b261e0b6916874d59947ede0a88f)), closes [#312](https://github.com/kaitranntt/ccs/issues/312)
* **ui:** use wss:// for WebSocket on HTTPS pages ([#315](https://github.com/kaitranntt/ccs/issues/315)) ([db58c6b](https://github.com/kaitranntt/ccs/commit/db58c6bbcabdb1edc1748212ad0b85af682ac597))
2026-01-14 15:35:23 +00:00
Kai (Tam Nhu) TranandGitHub 2faa837777 Merge pull request #329 from kaitranntt/dev
feat(release): v7.20.0 - persist command and dashboard auth
2026-01-14 10:34:23 -05:00
github-actions[bot] cafb849b0b chore(release): 7.19.2-dev.5 [skip ci] 2026-01-14 15:32:37 +00:00
kaitranntt 7cfd3c1f9d fix(ci): add full CLIProxy env vars for AI review
- Use /api/provider/agy endpoint for proper model routing
- Set ANTHROPIC_DEFAULT_*_MODEL to route Haiku/Sonnet/Opus correctly
- Disable telemetry, error reporting, bug command
- Set max output/thinking tokens
2026-01-14 10:31:37 -05:00
kaitranntt 1ac19415ce fix(cliproxy): return null for unknown quota, add verbose diagnostics
- Change calculateAverageQuota() to return null instead of 100 when no model data
- Update callers to use null coalescing (?? 0) for health check thresholds
- Display "N/A (fetch unavailable)" for null quota values
- Add --verbose flag to quota-related functions for troubleshooting
- Add debug logging: token refresh status, API response, errors
2026-01-14 10:19:27 -05:00
github-actions[bot] 2af9c31643 chore(release): 7.19.2-dev.4 [skip ci] 2026-01-14 15:07:42 +00:00
Kai (Tam Nhu) TranandGitHub 397331ec89 fix(persist): harden security and edge case handling (#328)
Security fixes:
- Add fs.chmodSync(backupPath, 0o600) after backup creation
- Add symlink detection (isSymlink helper) before all file operations
- Reject symlinks in write, backup, and restore operations

Edge case fixes:
- Handle empty settings.json (0 bytes) gracefully
- Validate parsed JSON is object type (not array/primitive)
- Validate backup JSON integrity before restore
- Show backup path guidance on write failure
- Validate existing env is object before spread

Maintenance:
- Add backup rotation (keep last 10, MAX_BACKUPS constant)
- Add cleanupOldBackups() function

Addresses security findings from PR #312 code review.
2026-01-14 10:06:44 -05:00
kaitranntt e7dca480d3 fix(ci): add Write tool to allowedTools for PR comment posting
Root cause: Claude's allowedTools pattern matching is literal string
matching. Multiline content in --body breaks the `Bash(gh pr comment *)`
pattern. The Bash(cat *) pattern only matches reading, not writing with
redirection.

Changes:
- Add Write tool to allowedTools (enables temp file creation)
- Remove Bash(cat *) (not needed, Write replaces it)
- Update prompt to require Write + --body-file pattern
- Explicitly warn against inline --body with multiline content

Tested locally: Successfully posted comment using Write + --body-file
2026-01-14 10:06:05 -05:00
github-actions[bot] c2a16a253e chore(release): 7.19.2-dev.3 [skip ci] 2026-01-14 14:30:53 +00:00
kaitrannttandLeynier Gutiérrez González 3ac687ec9f feat(persist): add backup management for settings.json (#312)
Add `--list-backups` and `--restore` options to the ccs persist command
for backup management. Enables users to list and restore settings.json
backups. Updated CLAUDE.md to document persist command.

Resolves #248

Co-authored-by: Leynier Gutiérrez González <leynier41@gmail.com>
2026-01-14 09:29:32 -05:00
Leynier Gutiérrez Gonzálezandkaitranntt ef7e595b6f feat(persist): add --list-backups and --restore options for backup management
Add backup management functionality to the persist command:
- List available backups with timestamps and dates
- Restore from most recent or specific backup
- Improved error handling for corrupted settings.json
- Updated CLAUDE.md to document the persist command and the exception to the non-invasive constraint
2026-01-14 09:27:48 -05:00
github-actions[bot] 3b4c29ddcb chore(release): 7.19.2-dev.2 [skip ci] 2026-01-14 13:35:51 +00:00
SergeyandGitHub db58c6bbca fix(ui): use wss:// for WebSocket on HTTPS pages (#315) 2026-01-14 08:34:53 -05:00
github-actions[bot] 8daabdde5c chore(release): 7.19.2-dev.1 [skip ci] 2026-01-13 21:46:25 +00:00
Kai (Tam Nhu) TranandGitHub 4a1679d747 Merge pull request #327 from kaitranntt/feat/login-auth
feat(dashboard): add optional login authentication with CLI setup (#319)
2026-01-13 16:45:27 -05:00
github-actions[bot] fffcd7aa0e chore(sync): merge main into dev after release [skip ci] 2026-01-13 21:45:08 +00:00
semantic-release-bot cb32e913d2 chore(release): 7.19.2 [skip ci]
## [7.19.2](https://github.com/kaitranntt/ccs/compare/v7.19.1...v7.19.2) (2026-01-13)

### Bug Fixes

* **ci:** expand allowedTools patterns for flexible comment posting ([0a27c6a](https://github.com/kaitranntt/ccs/commit/0a27c6a12f53dd050dc8104ce8d82e2cb4bcef3f))
2026-01-13 21:44:41 +00:00
kaitranntt 0a27c6a12f fix(ci): expand allowedTools patterns for flexible comment posting
Add Bash(echo *) and Bash(cat *) patterns to allow heredocs and pipes.
This gives the AI reviewer flexibility to use any method for posting
multi-line review comments while remaining safe (shell-operator aware).
2026-01-13 16:43:39 -05:00
github-actions[bot] a4437491ed chore(sync): merge main into dev after release [skip ci] 2026-01-13 21:39:14 +00:00
semantic-release-bot e0776df0e6 chore(release): 7.19.1 [skip ci]
## [7.19.1](https://github.com/kaitranntt/ccs/compare/v7.19.0...v7.19.1) (2026-01-13)

### Bug Fixes

* **ci:** update allowedTools pattern to prevent token waste on retries ([edec6f6](https://github.com/kaitranntt/ccs/commit/edec6f6df242a092545a3c7ffd2856aad4f3f2af))
2026-01-13 21:38:50 +00:00
kaitranntt edec6f6df2 fix(ci): update allowedTools pattern to prevent token waste on retries
Changed pattern from `Bash(gh pr comment:*)` to `Bash(gh pr comment *)`
to match space-separated args. Updated prompt to discourage heredocs
and pipes which don't match the pattern, causing 6+ retry attempts.
2026-01-13 16:37:43 -05:00
kaitranntt a3a167e62a fix(auth): add security hardening per code review
- Add timing-safe username comparison to prevent timing attacks
- Regenerate session on login to prevent session fixation
- Add warning log when session secret persistence fails
2026-01-13 16:23:10 -05:00
github-actions[bot] 60488c262d chore(sync): merge main into dev after release [skip ci]
# Conflicts:
#	package.json
2026-01-13 21:23:02 +00:00
semantic-release-bot c514a8bc75 chore(release): 7.19.0 [skip ci]
## [7.19.0](https://github.com/kaitranntt/ccs/compare/v7.18.3...v7.19.0) (2026-01-13)

### Features

* **doctor:** add --help flag with comprehensive command documentation ([22c7d4a](https://github.com/kaitranntt/ccs/commit/22c7d4a20d96d12a2c38ec60d226a6bc26dce9b0))

### Bug Fixes

* **ci:** prevent AI review self-cancellation with smart concurrency ([25d31ce](https://github.com/kaitranntt/ccs/commit/25d31ce4329daf9512df4e0236e02d89d05b0842))
* **ci:** trigger AI review on follow-up commits to PR ([a2a13fb](https://github.com/kaitranntt/ccs/commit/a2a13fb16ec3d655a817e548a5cb72a21c6c774e))
2026-01-13 21:22:36 +00:00
github-actions[bot] 1d2dcbf1f6 chore(release): 7.18.3-dev.3 [skip ci] 2026-01-13 21:04:12 +00:00
kaitranntt 25d31ce432 fix(ci): prevent AI review self-cancellation with smart concurrency
Root cause: When the bot posts a review comment, GitHub fires an
issue_comment event that joins the same concurrency group and cancels
the in-progress run BEFORE job `if` conditions are evaluated.

Solution: Non-actionable triggers (bot comments, comments without
/review) get a unique per-run group via format('skip-{0}', github.run_id),
while legitimate triggers share the PR-based group for proper
cancellation of outdated reviews.
2026-01-13 16:03:02 -05:00
github-actions[bot] 865870ba4c chore(release): 7.18.3-dev.2 [skip ci] 2026-01-13 20:53:31 +00:00
kaitranntt a2a13fb16e fix(ci): trigger AI review on follow-up commits to PR
- Add `synchronize` event to trigger on new commits pushed to PR
- Add `reopened` event to trigger when PR is reopened
- Update documentation comments to reflect new behavior
- Keep cancel-in-progress to prevent stale reviews

Fixes issue where AI review only ran on PR creation, requiring
manual /review comment for subsequent commits.
2026-01-13 15:52:18 -05:00
kaitranntt 39c1ee2ca0 feat(config): add ccs config auth CLI subcommand
Interactive CLI for managing dashboard authentication:
- ccs config auth setup: Interactive wizard with bcrypt password hashing
- ccs config auth show: Display current auth status and ENV overrides
- ccs config auth disable: Disable auth with confirmation

Follows modular facade pattern from auth-commands.ts.
Uses InteractivePrompt for masked password input.
Includes local documentation at docs/dashboard-auth-cli.md.

Related: #319
2026-01-13 15:13:10 -05:00
kaitranntt 37e3468d4d fix(auth): move redirect to useEffect and validate bcrypt hash format
- Fix React side effect: move navigate() to useEffect in LoginPage
- Remove misplaced express-rate-limit from ui/package.json
- Add bcrypt hash format validation before bcrypt.compare
2026-01-13 14:43:55 -05:00
kaitranntt 759d43c8f7 Merge remote-tracking branch 'origin/dev' into feat/login-auth 2026-01-13 14:31:01 -05:00
github-actions[bot] 097b018532 chore(release): 7.18.3-dev.1 [skip ci] 2026-01-13 19:22:20 +00:00
Kai (Tam Nhu) TranandGitHub 8fb822f873 Merge pull request #320 from kaitranntt/feat/doctor-help-command
feat(doctor): add --help flag with comprehensive command documentation
2026-01-13 14:21:23 -05:00
github-actions[bot] aaa8f88662 chore(sync): merge main into dev after release [skip ci]
# Conflicts:
#	package.json
2026-01-13 19:02:01 +00:00
semantic-release-bot 75609221b1 chore(release): 7.18.3 [skip ci]
## [7.18.3](https://github.com/kaitranntt/ccs/compare/v7.18.2...v7.18.3) (2026-01-13)

### Bug Fixes

* **ci:** simplify AI review workflow by disabling progress tracking ([4ef2d48](https://github.com/kaitranntt/ccs/commit/4ef2d4848cf12d197ba1f8cd5dac66b55c82c8be))
* **ci:** simplify AI review workflow by disabling progress tracking ([#323](https://github.com/kaitranntt/ccs/issues/323)) ([39b37ca](https://github.com/kaitranntt/ccs/commit/39b37caa892f8b723f003c8ed0c6d8f2fe96d799))
2026-01-13 19:01:33 +00:00
github-actions[bot] dfe0e2d5ba chore(release): 7.18.2-dev.1 [skip ci] 2026-01-13 19:01:15 +00:00
Kai (Tam Nhu) TranandGitHub 39b37caa89 fix(ci): simplify AI review workflow by disabling progress tracking (#323)
fix(ci): simplify AI review workflow by disabling progress tracking
2026-01-13 14:00:31 -05:00
kaitranntt 4ef2d4848c fix(ci): simplify AI review workflow by disabling progress tracking
Root cause of cancellations was track_progress posting comments that
triggered new workflow runs. Instead of complex concurrency isolation,
simply disable progress tracking.

Changes:
- track_progress: false (no intermediate comments)
- Simple concurrency: ai-review-<PR_NUMBER>
- Removed extra bot filters (no longer needed)

Result: Clean PRs with just the final review comment.
2026-01-13 14:00:14 -05:00