Commit Graph
368 Commits
Author SHA1 Message Date
Tam Nhu Tran ac574e0baf fix(cliproxy): address code review feedback (attempt 2/5)
- Add tiers shape validation in variant-routes POST/PUT endpoints
- Use process.exit(1) for blocked --config on composite variants
2026-02-12 08:26:03 +07:00
Tam Nhu Tran d7e0d1cacf fix(cursor): pass all args to handler, use getCursorConfig in routes
- Route all cursor args to handler for proper unknown-subcommand reporting
- Replace loadOrCreateUnifiedConfig + fallback with getCursorConfig()
2026-02-12 08:04:42 +07:00
Tam Nhu Tran 6af718626f fix(cursor): align daemon routes, add enabled field, handle bare command
- Change /start and /stop to /daemon/start and /daemon/stop matching copilot convention
- Add enabled field to CursorConfig for dashboard toggle parity
- Simplify getCursorConfig() to trust mergeWithDefaults()
- Handle bare 'ccs cursor' to show help instead of reserved-name error
2026-02-12 07:43:27 +07:00
Tam Nhu Tran 2ba826bb72 fix(cursor): use getCursorConfig(), fix help text and stub messages 2026-02-12 07:31:02 +07:00
Tam Nhu Tran 4ca4a9d2ab fix(cursor): add subcommand parity comment and raw settings TODO 2026-02-12 07:17:28 +07:00
Tam Nhu Tran 1e4cae3490 fix(cursor): clean up settings validation and route consistency 2026-02-12 04:27:53 +07:00
Tam Nhu Tran 1ebd9f43d6 feat(cliproxy): add dashboard CRUD for composite variants
- Extend create dialog with composite mode toggle and per-tier config tabs
- Add cliproxy-edit-dialog for modifying existing single and composite variants
- Add Edit action and composite type badge to variant table
- Extend API types with composite variant fields
- Update variant routes: GET (composite fields), POST (composite create), PUT (composite update)
2026-02-12 04:25:12 +07:00
Tam Nhu Tran b8aaa58d6e fix(cursor): address remaining PR #528 review feedback
- Add comment explaining whitelist merge pattern in PUT /settings
- Add comment for bare 'ccs cursor' fallthrough (differs from copilot)
- Add unit tests for cursor settings routes validation logic
  - Tests for null/non-object/array body rejection
  - Tests for port validation (integer, range 1-65535)
  - Tests for auto_start/ghost_mode boolean validation
  - Tests for whitelist merge (ignores unknown properties)
  - Tests for /settings/raw validation and file operations
  - Tests for mtime conflict detection

All web-server tests pass. Pre-existing test failures unrelated.
2026-02-12 04:17:34 +07:00
Tam Nhu Tran f5a912b114 fix(cursor): validate request body on settings endpoints
- Reject null/non-object bodies on PUT /settings with 400
- Validate settings field exists on PUT /settings/raw before write
- Use getCcsDir()-based path instead of hardcoded ~/.ccs/ in responses
2026-02-12 04:08:16 +07:00
Tam Nhu Tran d58e98815b fix(cursor): address PR #528 review feedback
- Replace non-null assertions with guard clauses in cursor-routes.ts
- Add port range validation (1-65535) in cursor-settings-routes.ts
2026-02-12 03:58:23 +07:00
Tam Nhu Tran 55bc53152c chore: merge dev into cursor-config branch
Brings in merged PRs #525 (protobuf) and #526 (auth) fixes.
Resolves stale cursor file copies by taking dev versions.
2026-02-12 03:54:15 +07:00
Tam Nhu Tran 7d9c538248 fix(glm): fix missed help text reference and glm-4.5-air pricing
- Update delegation help text from "GLM-4.6" to "GLM-5"
- Fix glm-4.5-air pricing to OpenRouter verified rates:
  input $0.20 -> $0.13, output $1.10 -> $0.85, cache $0.03 -> $0.025
2026-02-12 01:52:32 +07:00
Tam Nhu Tran 3e26dee013 feat(glm): update default model to GLM-5 and fix all GLM pricing
- Update default GLM model from glm-4.7 to glm-5 across configs, presets, help text, and fallbacks
- Add glm-5 pricing entry ($1.00/$3.20 per M tokens, OpenRouter verified)
- Fix incorrect glm-4.7 pricing: $0.60/$2.20 -> $0.40/$1.50 (OpenRouter verified)
- Fix incorrect glm-4.6 pricing: $0.60/$2.20 -> $0.35/$1.50 (OpenRouter verified)
- Fix incorrect glm-4.5 pricing: $0.60/$2.20 -> $0.35/$1.55 (OpenRouter verified)
- Keep all previous GLM model entries for backward compatibility

Closes #532
2026-02-12 01:43:59 +07:00
Tam Nhu Tran 1bebf16357 fix(cursor): add input validation on dashboard settings routes 2026-02-11 19:06:54 +07:00
Tam Nhu Tran 93dafa04d5 feat(cursor): add config integration and dashboard routes 2026-02-11 18:08:24 +07:00
Tam Nhu Tran 706cca8b3e fix(config): dynamic health message, cache getters, static imports, cloud hint
- Fix hardcoded 'Created ~/.ccs directory' in health-service.ts fixHealthIssue()
- Cache getCacheFile() in local vars: readDiskCache, writeDiskCache, clearDiskCache
- Convert dynamic imports of setGlobalConfigDir/detectCloudSyncPath to static
- Add remediation hint to cloud sync warning: 'Consider: CCS_DIR=/path/outside/cloud'
2026-02-11 12:05:07 +07:00
Tam Nhu Tran 9699e01725 refactor(config): DRY precedence logic, dynamic recovery messages, CCS_HOME cloud warning
- Extract shared _resolveCcsDir() to prevent getCcsDir/getCcsDirSource divergence
- Replace all hardcoded ~/.ccs/ and ~/.claude/ in recovery-manager.ts with
  dynamic paths from instance properties (ccsDir, claudeDir, sharedDir, etc.)
- Add cloud sync detection for CCS_HOME env var (parity with CCS_DIR/--config-dir)
- Cache getSessionSecretPath() in local var in auth-middleware.ts
- Cache getCacheDir() in local var in disk-cache.ts ensureCacheDir()
2026-02-11 11:52:30 +07:00
Tam Nhu Tran c8800b418a fix(config): resolve remaining hardcoded paths and improve readability
- Replace hardcoded ~/.ccs in error messages: ccs.ts (lines 83, 151)
  and delegation-handler.ts (line 333) now use getCcsDir()
- Cache repeated getter calls in local vars for readability:
  openrouter-catalog.ts getCachedModels/setCachedModels,
  aggregator.ts getInstancePaths
- Add path.resolve() for CCS_HOME env var consistency with CCS_DIR
2026-02-11 11:35:44 +07:00
Tam Nhu Tran d5abc7d691 fix(config): lazy-evaluate paths, fix TOCTOU, segment-boundary cloud detection
- Convert 4 module-level constants to lazy-evaluated functions to avoid
  import-time caching: openrouter-catalog, aggregator, disk-cache, auth-middleware
- Fix symlink-checks.ts to use ccsDir parameter instead of homedir/.ccs,
  remove unused homedir parameter from checkSettingsSymlinks()
- Replace TOCTOU existsSync+statSync with single statSync in try/catch
  for --config-dir validation in ccs.ts
- Switch detectCloudSyncPath from substring to path-segment-boundary matching
  to prevent false positives (e.g., megauser != MEGA, Dropbox-api != Dropbox)
- Add test for false-positive protection
2026-02-11 11:24:34 +07:00
Tam Nhu Tran 60d6bbd027 fix(config): migrate all hardcoded paths to getCcsDir() and improve validation
- Replace os.homedir() + '.ccs' with getCcsDir() across 14 instances in 13 files:
  version-command, model-config, openrouter-catalog, config-checks, disk-cache,
  aggregator, auth-middleware, shell-completion, shared-manager, recovery-manager,
  auto-repair, delegation-validator, claude-dir-installer, cliproxy executor
- Add isDirectory() validation for --config-dir argument in ccs.ts
- Make detectCloudSyncPath() case-insensitive for cloud provider matching
- Fix help-command.ts to use dynamic dirDisplay for all path references
- Add 5 new tests: setGlobalConfigDir precedence, relative path resolution,
  reset behavior, getCcsDirSource with --config-dir, case-insensitive detection
- Clean up unused os imports after migration
2026-02-11 11:15:08 +07:00
kaitranntt 8c6afe2e73 feat: update cliproxy, config loader, glmt transformer, and provider routes 2026-02-10 10:45:16 -05:00
Kai (Tam Nhu) TranGitHubCarlos Umanzorgithub-actions[bot] <github-actions[bot]@users.noreply.github.com>semantic-release-bot
0b394933ae feat: hybrid CLIProxy catalog sync + agent teams env fix (#486)
* fix(teams): propagate CLAUDE_CONFIG_DIR to tmux session for agent teammates

When CCS launches Claude with CLAUDE_CONFIG_DIR pointing to the isolated
instance path, agent team teammates spawned via tmux split-window don't
inherit it because tmux creates new panes from its own session environment.
This causes teammates to use ~/.claude/ instead of ~/.ccs/instances/{profile}/,
creating a split-brain in shared state (tasks, teams, mailbox).

Sets key CCS env vars in the tmux session environment via `tmux setenv` so
all new panes inherit the correct config directory.

* refactor(teams): use spawnSync array args instead of execSync string

Avoids shell interpretation of env values by passing args as array
to spawnSync instead of interpolating into a shell command string.

* chore(release): 7.38.0-dev.1 [skip ci]

* feat(cliproxy): add hybrid catalog sync with CLIProxyAPI (#485)

* chore(release): 7.38.0 [skip ci]

## [7.38.0](https://github.com/kaitranntt/ccs/compare/v7.37.1...v7.38.0) (2026-02-07)

### Features

* **release:** v7.38.0 - Extended Context, Qwen Models, Bug Fixes ([#480](https://github.com/kaitranntt/ccs/issues/480)) ([b454834](https://github.com/kaitranntt/ccs/commit/b4548341750804339c87c48259dd8741425d2acf)), closes [#472](https://github.com/kaitranntt/ccs/issues/472) [#474](https://github.com/kaitranntt/ccs/issues/474) [#103](https://github.com/kaitranntt/ccs/issues/103) [#478](https://github.com/kaitranntt/ccs/issues/478) [#482](https://github.com/kaitranntt/ccs/issues/482)

* feat(cliproxy): add hybrid catalog sync with CLIProxyAPI

Add `ccs cliproxy catalog` command family for syncing model catalogs
from CLIProxyAPI's model-definitions endpoint. Cached locally with
24h TTL, merges remote models with static catalog preserving
broken/deprecated flags. Dashboard API endpoint at /api/cliproxy/catalog.

Closes #477

---------

Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>

* chore(reviewer): upgrade review model from opus 4.5 to opus 4.6

- update default model in code-reviewer.ts
- update REVIEW_MODEL, ANTHROPIC_MODEL, ANTHROPIC_DEFAULT_OPUS_MODEL
  in ai-review.yml workflow
- aligns reviewer with AGY model catalog default

* chore(release): 7.38.0-dev.2 [skip ci]

* fix(hooks): add image analysis env vars for settings-based profiles (#484)

* chore(release): 7.38.0 [skip ci]

## [7.38.0](https://github.com/kaitranntt/ccs/compare/v7.37.1...v7.38.0) (2026-02-07)

### Features

* **release:** v7.38.0 - Extended Context, Qwen Models, Bug Fixes ([#480](https://github.com/kaitranntt/ccs/issues/480)) ([b454834](https://github.com/kaitranntt/ccs/commit/b4548341750804339c87c48259dd8741425d2acf)), closes [#472](https://github.com/kaitranntt/ccs/issues/472) [#474](https://github.com/kaitranntt/ccs/issues/474) [#103](https://github.com/kaitranntt/ccs/issues/103) [#478](https://github.com/kaitranntt/ccs/issues/478) [#482](https://github.com/kaitranntt/ccs/issues/482)

* fix(hooks): add image analysis env vars for settings-based profiles

Image analysis hook was injected into settings files for API profiles
but the CCS_IMAGE_ANALYSIS_* env vars were never set, causing the hook
to skip. Add getImageAnalysisHookEnv() call to both settings-based and
GLMT proxy execution paths, matching CLIProxy profile behavior.

Closes #440

* fix(hooks): add hook env vars to copilot executor

Copilot profile had same gap as settings-based profiles: hooks installed
but webSearch/imageAnalysis env vars and CCS_PROFILE_TYPE never set.
Add missing env var injection matching other profile flows.

---------

Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>

* chore(release): 7.38.0-dev.3 [skip ci]

---------

Co-authored-by: Carlos Umanzor <cumanzor@gmail.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>
2026-02-06 23:54:03 -05:00
kaitranntt 8d5f7d2d83 fix(dashboard): delete accounts from unified config mode
Dashboard API DELETE /api/accounts/:name now checks both unified config
(config.yaml) and legacy profiles (profiles.json) before deletion,
matching CLI behavior in remove-command.ts.

Fixes #455
2026-02-04 18:03:41 -05:00
kaitranntt 57d4b04c68 fix(hooks): deduplicate WebSearch hooks when saving via Dashboard
Add deduplicateCcsHooks() call to PUT /api/settings/:profile endpoint.
This prevents WebSearch hooks from accumulating when users save settings
via the Dashboard UI.

Fixes #450
2026-02-04 11:36:31 -05:00
kaitranntt c324e92eb4 fix(backup): create backups only when settings content changes
Previously, PUT /api/settings/:profile created a backup on every request
regardless of whether the content actually changed. This led to hundreds
of identical backup files accumulating in ~/.ccs/backups/.

Changes:
- Compare existing content with new content before creating backup
- Reuse computed newContent for atomic write (DRY)
- Make hook injection idempotent by checking content before write

Fixes #433
2026-02-03 19:48:00 -05:00
kaitranntt 258220b7e8 refactor(oauth): align box chars with CCS standard and add JSDoc
Use Unicode box characters (╔═╗║╚╝) per design guidelines and
add JSDoc to parseCallbackUrl helper function.
2026-02-02 23:41:13 -05:00
kaitranntt 09b5239f58 fix(jsonl): add explicit UTF-8 BOM stripping
Strip BOM character before JSON parsing to ensure robust
cross-platform JSONL file handling.
2026-02-02 23:40:36 -05:00
kaitranntt 4fd2f601f6 fix(websocket): add maxPayload limit to prevent DoS attacks
Set 1MB payload limit and disable perMessageDeflate to prevent
memory exhaustion and zip bomb attacks on WebSocket server.
2026-02-02 23:40:04 -05:00
Kai (Tam Nhu) TranandGitHub 24b03121fd fix(dashboard): cross-browser OAuth with manual callback fallback (#417) (#423)
- Remove destructive /start endpoint call from Dashboard OAuth dialog
  (was killing running CLIProxy Docker instances via killProcessOnPort)
- Use /start-url + polling only (management API, non-destructive)
- Auto-open browser tab via window.open() with manual fallback URL display
- Add paste-callback CLI mode (--paste-callback flag) for headless/SSH
- Use dynamic proxy target with management headers instead of hardcoded localhost
- Extract timeout constants, restore invariant comment
- Move hook-utils tests from src/__tests__/ to tests/unit/ (fixes tsc)
- Add try-catch for preset apply, remove auth URL console.log
2026-02-02 16:11:36 -05:00
kaitranntt 7947a7ac89 feat(cliproxy): add backend caching and reauth indicator for quota endpoints
- Add in-memory quota cache with 2-minute TTL to reduce external API calls
- Add needsReauth flag to CodexQuotaResult and GeminiCliQuotaResult types
- Update quota routes to use caching (codex, gemini, and generic routes)
- Add "Reauth needed" indicator in account-item.tsx with CLI command hint
- Add "Reauth needed" indicator in account-card.tsx for flow visualization
- Cache successful results only (don't cache expired tokens needing reauth)
2026-01-29 23:01:45 -05:00
kaitranntt 2f5a50b801 feat(cliproxy): add Codex/Gemini quota API routes
- add dedicated /quota/codex/:accountId and /quota/gemini/:accountId endpoints

- reorder routes to place specific before generic for correct Express matching

- fix Gemini auth file detection to support new naming format

- handle nested token structure in Gemini auth files
2026-01-29 21:50:02 -05:00
kaitranntt 32dbd5e174 refactor(cliproxy): remove model alias functionality
- delete model-alias-config.ts and cliproxy-alias-handler.ts

- simplify sync to use ANTHROPIC_MODEL directly

- remove alias routes, hooks, and UI components
2026-01-28 11:57:22 -05:00
kaitranntt 9924b2fb25 fix(cliproxy): address edge cases in sync module
- Reset isSyncing flag in stopAutoSyncWatcher (prevents stale state)
- Validate empty profile names in mapProfileToClaudeKey
- Add whitespace validation in API routes (POST/DELETE /aliases)
- Add Number.isInteger check for port validation
- Wrap response.json() in try-catch for React hooks (handles non-JSON 502)
2026-01-28 11:57:22 -05:00
kaitranntt 56500fee98 feat(cliproxy): add sync API routes
- add /api/cliproxy/sync endpoints for local sync
- add /api/cliproxy/sync/aliases for model alias management
- add /api/cliproxy/sync/auto-sync for watcher toggle
- separate try-catch for config save vs watcher restart
2026-01-28 11:57:22 -05:00
kaitranntt 4a2abc74ca fix: add claude provider to statsProviderMap, UI types, and provider arrays
Fixes remaining edge cases from #382:
- Add anthropic/claude mapping to statsProviderMap in cliproxy-auth-routes
- Add 'claude' case to provider-refreshers switch statement
- Add 'claude' to 4 UI type definitions in api-client.ts
- Add 'claude' to cliproxy-dialog providers array and options
- Add 'claude' to use-cliproxy-auth-flow VALID_PROVIDERS
- Fix wizard index.tsx type cast to include all 8 providers
2026-01-27 21:02:34 -05:00
kaitranntt 9cd9c423e9 fix: replace hardcoded provider validation arrays with CLIPROXY_PROFILES import
Closes #382

Replace duplicate hardcoded provider validation arrays across three route files
with a single import from CLIPROXY_PROFILES constant. This DRY fix eliminates
code duplication and ensures provider validation is consistent across all routes.

Files updated:
- account-routes.ts
- cliproxy-auth-routes.ts
- cliproxy-stats-routes.ts

Reduces code by 21 lines while improving maintainability.
2026-01-27 20:50:24 -05:00
kaitranntt d1b579ad1b fix(api): add race condition prevention and input validation for account control
- add mutex pattern with providerLocks Map for solo mode

- convert soloAccount to async function

- extract VALID_PROVIDERS constant and isValidProvider helper (DRY)

- allow empty arrays in bulk endpoints (return early success)

- add accountIds string validation (non-empty strings only)
2026-01-24 12:22:49 -05:00
kaitranntt 2a0efbd954 fix(cliproxy): propagate backend parameter to version check functions
Root cause: fetchLatestCliproxyVersion() and checkCliproxyUpdate()
ignored the caller's backend selection, always re-computing from config.
This caused --update to report wrong version when config wasn't synced.

Changes:
- Add optional backend param to fetchLatestCliproxyVersion()
- Add optional backend param to checkCliproxyUpdate()
- Pass effectiveBackend in binary-service.ts calls
- Pass backend in cliproxy-stats-routes.ts web endpoints

Fixes inconsistent version reporting when switching between
CLIProxyAPI (original) and CLIProxyAPIPlus backends.
2026-01-23 22:56:27 -05:00
kaitranntt 0a1cbcc612 fix(cliproxy): use backend-specific GitHub repos for version fetching
Root cause: fetchLatestVersion and fetchAllVersions were hardcoded to
CLIProxyAPIPlus repo, ignoring backend selection.

Changes:
- Add getGitHubApiUrls(backend) helper to types.ts
- Make fetchLatestVersion and fetchAllVersions backend-aware
- Make version list cache backend-specific (bin/{backend}/.version-list-cache.json)
- Update /api/cliproxy/versions route to use configured backend
- Allow version management even when proxy not running (ProxyStatusWidget)
- Show settings button in all states for easier access
2026-01-23 14:55:51 -05:00
kaitranntt 88560c7119 fix(ui): sync backend state across all CLIProxy UI components
- Add useUpdateBackend mutation hook that invalidates related queries
- Reduce update-check stale time from 1hr to 5min + enable refetchOnWindowFocus
- Settings proxy page now uses mutation hook for proper query invalidation
- Make all CLIProxy labels dynamic based on backendLabel from API:
  - cliproxy-header.tsx: page title
  - app-sidebar.tsx: nav item label
  - cliproxy-stats-overview.tsx: both offline and running descriptions
  - model-preferences-grid.tsx: card description
  - settings proxy section: descriptions for local/remote modes
- Fix API route to use DEFAULT_BACKEND constant instead of hardcoded 'plus'

Ensures backend switching in Settings immediately reflects in all CLIProxy pages.
2026-01-23 13:46:47 -05:00
kaitranntt 299d96c011 fix(api): add type guard for tier_defaults and extract tiers constant
- Add defensive type guard in misc-routes.ts to prevent runtime crash
  if malformed tier_defaults object is passed to PUT /api/thinking
- Extract VALID_THINKING_TIERS constant to thinking-validator.ts
  to eliminate duplication across validation code
- Export constant from cliproxy barrel file

Addresses P2/P3 items from PR #351 review
2026-01-21 17:39:54 -05:00
kaitranntt 19b7a49eee feat(thinking): improve config validation and codex support
- Add shouldShowWarnings() helper for cleaner warning control
- Improve applyThinkingSuffix() regex for accurate suffix detection
- Fix provider_overrides validation for nested tier structure
- Add thinking section to YAML config export with documentation
- Update UI to clarify codex uses reasoning effort levels
- Remove unused setManualOverride hook
2026-01-21 17:25:33 -05:00
kaitranntt 99d164901e Merge remote-tracking branch 'origin/dev' into feat/thinking-flag
Resolve merge conflicts keeping both features:
- thinking: extended thinking/reasoning budget control
- dashboard_auth: dashboard authentication
- backups: config backups section
2026-01-20 20:19:51 -05:00
kaitranntt a019ed2cf8 fix(cliproxy): address PR review issues for backend selection
- Remove duplicate CLIProxyBackend type from platform-detector.ts (import from types.ts)
- Add warning for invalid --backend CLI value (was silently ignored)
- Show toast notification when backend change blocked by running proxy
- Migrate from deprecated CLIPROXY_FALLBACK_VERSION to getFallbackVersion()
- Add comprehensive JSDoc for backend API endpoints
2026-01-18 10:24:53 -05:00
kaitranntt 8ade4a6b26 feat(cliproxy): add backend selection for CLIProxyAPI vs CLIProxyAPIPlus
Add cliproxy.backend config field to choose between CLIProxyAPI (original)
and CLIProxyAPIPlus backends. Includes CLI --backend flag, Dashboard toggle,
and provider validation to block Kiro/ghcp on original backend.
2026-01-18 10:10:01 -05:00
kaitranntt 7b80dccdd3 fix(persist): add rate limiting, tests, and code quality improvements
- Add express-rate-limit to restore endpoint (5 req/min)
- Add JSDoc documentation to RestoreMutex class
- Extract magic numbers to named constants in BackupsSection
- Add unit tests for persist-routes.ts (23 tests)
- Add unit tests for BackupsSection component (28 tests)

Addresses PR #339 code review feedback.
2026-01-14 17:59:15 -05:00
kaitranntt 623a3146d7 fix(dashboard): resolve 6 critical security and UX edge cases
- TOCTOU symlink attack: use file descriptor for atomic read in persist-routes
- Non-atomic mutex: add RestoreMutex class with Promise queue pattern
- Restore confirmation: add AlertDialog before destructive backup restore
- Sensitive data exposure: sanitize auth_token/management_key in debug console
- Chunk retry: add lazyWithRetry wrapper with exponential backoff (3 retries)
- URL tab case sensitivity: normalize tab param with toLowerCase()
2026-01-14 16:47:11 -05:00
kaitranntt 2e45447bb7 fix(dashboard): resolve edge cases in backup restore and settings UI
Backend:
- Add atomic restore with mutex to prevent concurrent corruption
- Implement rollback on failure for backup restore
- Add symlink security validation

Frontend:
- Add 'backups' tab to URL validation in settings hook
- Add error boundary for lazy-loaded settings sections
- Clamp progress bar values to prevent visual bugs
- Add AbortController cleanup to prevent memory leaks
- Fix misleading debug mode description and add actual console logging
2026-01-14 15:42:12 -05:00
kaitranntt bd5e9d2b78 feat(dashboard): implement full parity UX improvements
- Remove 'agy' hardcode from quota hook (multi-provider support)
- Add quota N/A badge with AlertCircle icon for fetch failures
- Add new 'backups' tab to Settings page with Archive icon
- Create BackupsSection component with list/restore UI
- Add persist backend routes (GET /api/persist/backups, POST /api/persist/restore)
- Add debug mode toggle in Settings proxy section (localStorage persisted)

Closes documentation gap for persist command dashboard parity.
2026-01-14 13:52:54 -05:00
kaitranntt a3a167e62a fix(auth): add security hardening per code review
- Add timing-safe username comparison to prevent timing attacks
- Regenerate session on login to prevent session fixation
- Add warning log when session secret persistence fails
2026-01-13 16:23:10 -05:00