Commit Graph
1792 Commits
Author SHA1 Message Date
kaitranntt ac7b324d49 fix(ci): expand ai-review allowedTools to prevent token waste
- Add more allowed bash patterns: gh issue view, gh api, git commands
- Add base tools: Edit, LS for better flexibility
- Update prompt to write pr_review.md in working dir (not /tmp/)
- Add step to Read before Write to avoid security block
- Add explicit rules about avoiding shell operators (||, &&, <<)
- Allow rm pr_review.md for cleanup

Previous run had 9 tool rejections wasting ~5000 tokens due to:
- gh issue view not allowed (only gh pr view was)
- /tmp/ outside working directory
- Write without Read blocked
- Complex shell operators blocked
2026-01-14 13:31:18 -05:00
github-actions[bot] 43aaa6dbf4 chore(release): 7.20.0-dev.2 [skip ci] 2026-01-14 18:12:00 +00:00
Kai (Tam Nhu) TranandGitHub 3ea1ea3064 Merge pull request #334 from kaitranntt/kai/fix/missing-express-rate-limit
fix(deps): add express-rate-limit to production dependencies
2026-01-14 13:10:58 -05:00
kaitranntt d9631be81a fix(deps): add express-rate-limit to production dependencies
express-rate-limit was imported in auth-middleware.ts but only the
@types/express-rate-limit package was declared in devDependencies.
This caused "Cannot find module 'express-rate-limit'" error when
running `ccs config` after installing v7.20.0 globally.

Closes #333
2026-01-14 13:06:58 -05:00
Sergey GaluzaandOnSteroids e055890e16 fix: address PR #4 review - HTTPS tests and timeout handling
- Fix timeout test to use HTTPS server (tunnel uses https.request)
- Fix timeout event handling - call reject directly instead of relying on destroy error event
- Fix misleading comment in remote-token-uploader (Authorization header, not X-Management-Key)
- Remove unused imports in test files

Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>
2026-01-14 18:06:58 +01:00
Sergey GaluzaandOnSteroids c3bfa34703 fix: address PR #4 review suggestions
- Fix race condition in start() using Promise instead of boolean flag
- Document that tunnel intentionally doesn't limit response sizes (streaming)
- Improve token upload failure visibility with actionable user message

Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>
2026-01-14 18:06:58 +01:00
Sergey GaluzaandOnSteroids e7e95e6970 fix: increase timeout in connection tracking test for CI
Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>
2026-01-14 18:06:58 +01:00
9e9cbd4858 feat(cliproxy): add HTTPS tunnel for remote proxy mode (#1)
* feat(cliproxy): add HTTPS tunnel for remote proxy mode

Claude Code doesn't support HTTPS in ANTHROPIC_BASE_URL directly (undici
limitation). This adds an HTTP→HTTPS tunnel proxy for remote CLIProxyAPI
connections.

Changes:
- Add HttpsTunnelProxy: local HTTP server tunneling to remote HTTPS
- Add CodexReasoningProxy HTTPS support and path prefix stripping
- Remote mode now uses root paths (/v1/messages) not provider-prefixed
- Add remote token uploader for syncing OAuth tokens to remote server
- Auto-upload tokens after OAuth auth when remote mode is enabled

Flow for remote HTTPS:
  Claude CLI → CodexReasoningProxy → HttpsTunnel → Remote HTTPS

Built with [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>

* fix: address PR review issues for HTTPS tunnel proxy

- Add connection tracking with activeConnections Set for proper cleanup
- Add port validation after start() to reject port 0
- Add Authorization header fallback injection in buildForwardHeaders()
- Handle client disconnect (premature close) and request errors
- Improve error handling in uploadTokenToRemoteAsync (log instead of silent catch)
- Add comprehensive tests for HttpsTunnelProxy (97% coverage)
- Add integration tests for remote-token-uploader
- Add stripPathPrefix unit tests for remote mode

Built with [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>

* fix: bump Node.js engine requirement to >=18.0.0

FormData and Blob APIs used in remote-token-uploader require Node.js 18+.
Addresses coderabbit review comment about Node.js engine compatibility.

Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>

* fix: address remaining PR suggestions

- Add verbose parameter to registerAccountFromToken for proper propagation
- Improve stripPathPrefix with path normalization (double slashes, leading slash)
- Add edge case tests for path normalization

Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>

* fix: add timeout to flaky npm CLI tests

Tests 'handles empty arguments gracefully' and 'handles very long argument'
were missing timeout option in execSync, causing occasional timeouts when
bun test's 5000ms limit was reached before CLI completed.

Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>

* fix: address new PR review feedback

- Add path segment boundary check to prevent partial matches (/codex vs /codextra)
- Add hostname validation in HttpsTunnelProxy constructor
- Add race condition protection with 'starting' flag in start()
- Sanitize error messages (detailed only in verbose mode)
- Update comments for clarity (regex behavior)
- Add comprehensive tests for all edge cases

Built [OnSteroids](https://onsteroids.ai)

Co-Authored-By: OnSteroids <built@onsteroids.ai>

---------

Co-authored-by: OnSteroids <built@onsteroids.ai>
2026-01-14 18:05:49 +01:00
github-actions[bot] b740816dd9 chore(release): 7.20.0-dev.1 [skip ci] 2026-01-14 16:39:33 +00:00
Kai (Tam Nhu) TranandGitHub cc83b596fb Merge pull request #331 from kaitranntt/fix/quota-fix
fix(cliproxy): return null for unknown quota, add verbose diagnostics
2026-01-14 11:38:31 -05:00
kaitranntt 04c9b087ca fix(cliproxy): address PR review feedback
- Pass verbose flag through fetchQuotaWithDedup to fetchAccountQuota
- Change verbose logging from console.log to console.error (stderr)
- Keep quotaPercent optional (semantically correct for cases without quota)
2026-01-14 10:49:47 -05:00
semantic-release-bot 8e115a2a20 chore(release): 7.20.0 [skip ci]
## [7.20.0](https://github.com/kaitranntt/ccs/compare/v7.19.2...v7.20.0) (2026-01-14)

### Features

* **config:** add ccs config auth CLI subcommand ([39c1ee2](https://github.com/kaitranntt/ccs/commit/39c1ee2ca0f01a1254812a4a8fe8f6c2ed052fe0)), closes [#319](https://github.com/kaitranntt/ccs/issues/319)
* **dashboard:** add optional login authentication ([#319](https://github.com/kaitranntt/ccs/issues/319)) ([464b410](https://github.com/kaitranntt/ccs/commit/464b410e8b3e017689ce7de6b6fc06b3f04c7fdd))
* **persist:** add --list-backups and --restore options for backup management ([ef7e595](https://github.com/kaitranntt/ccs/commit/ef7e595b6fa4c96ac88e2e98f992fd05f7525e2e))
* **persist:** add backup management for settings.json ([#312](https://github.com/kaitranntt/ccs/issues/312)) ([3ac687e](https://github.com/kaitranntt/ccs/commit/3ac687ec9fab6ad4ce11bd3af6af5c596958a5e2)), closes [#248](https://github.com/kaitranntt/ccs/issues/248)

### Bug Fixes

* **auth:** add security hardening per code review ([a3a167e](https://github.com/kaitranntt/ccs/commit/a3a167e62aaa555c71379e91a9dfd0b7f5ddf145))
* **auth:** move redirect to useEffect and validate bcrypt hash format ([37e3468](https://github.com/kaitranntt/ccs/commit/37e3468d4dece26d35ef6b5ad9683312473e1ca9))
* **ci:** add full CLIProxy env vars for AI review ([7cfd3c1](https://github.com/kaitranntt/ccs/commit/7cfd3c1f9dbd387d4fc6388382727222bd8475bd))
* **ci:** add Write tool to allowedTools for PR comment posting ([e7dca48](https://github.com/kaitranntt/ccs/commit/e7dca480d313b2227638a3e8a53554b3d28d2c8e))
* **persist:** harden security and edge case handling ([#328](https://github.com/kaitranntt/ccs/issues/328)) ([397331e](https://github.com/kaitranntt/ccs/commit/397331ec8995b261e0b6916874d59947ede0a88f)), closes [#312](https://github.com/kaitranntt/ccs/issues/312)
* **ui:** use wss:// for WebSocket on HTTPS pages ([#315](https://github.com/kaitranntt/ccs/issues/315)) ([db58c6b](https://github.com/kaitranntt/ccs/commit/db58c6bbcabdb1edc1748212ad0b85af682ac597))
2026-01-14 15:35:23 +00:00
Kai (Tam Nhu) TranandGitHub 2faa837777 Merge pull request #329 from kaitranntt/dev
feat(release): v7.20.0 - persist command and dashboard auth
2026-01-14 10:34:23 -05:00
github-actions[bot] cafb849b0b chore(release): 7.19.2-dev.5 [skip ci] 2026-01-14 15:32:37 +00:00
kaitranntt 7cfd3c1f9d fix(ci): add full CLIProxy env vars for AI review
- Use /api/provider/agy endpoint for proper model routing
- Set ANTHROPIC_DEFAULT_*_MODEL to route Haiku/Sonnet/Opus correctly
- Disable telemetry, error reporting, bug command
- Set max output/thinking tokens
2026-01-14 10:31:37 -05:00
kaitranntt 1ac19415ce fix(cliproxy): return null for unknown quota, add verbose diagnostics
- Change calculateAverageQuota() to return null instead of 100 when no model data
- Update callers to use null coalescing (?? 0) for health check thresholds
- Display "N/A (fetch unavailable)" for null quota values
- Add --verbose flag to quota-related functions for troubleshooting
- Add debug logging: token refresh status, API response, errors
2026-01-14 10:19:27 -05:00
github-actions[bot] 2af9c31643 chore(release): 7.19.2-dev.4 [skip ci] 2026-01-14 15:07:42 +00:00
Kai (Tam Nhu) TranandGitHub 397331ec89 fix(persist): harden security and edge case handling (#328)
Security fixes:
- Add fs.chmodSync(backupPath, 0o600) after backup creation
- Add symlink detection (isSymlink helper) before all file operations
- Reject symlinks in write, backup, and restore operations

Edge case fixes:
- Handle empty settings.json (0 bytes) gracefully
- Validate parsed JSON is object type (not array/primitive)
- Validate backup JSON integrity before restore
- Show backup path guidance on write failure
- Validate existing env is object before spread

Maintenance:
- Add backup rotation (keep last 10, MAX_BACKUPS constant)
- Add cleanupOldBackups() function

Addresses security findings from PR #312 code review.
2026-01-14 10:06:44 -05:00
kaitranntt e7dca480d3 fix(ci): add Write tool to allowedTools for PR comment posting
Root cause: Claude's allowedTools pattern matching is literal string
matching. Multiline content in --body breaks the `Bash(gh pr comment *)`
pattern. The Bash(cat *) pattern only matches reading, not writing with
redirection.

Changes:
- Add Write tool to allowedTools (enables temp file creation)
- Remove Bash(cat *) (not needed, Write replaces it)
- Update prompt to require Write + --body-file pattern
- Explicitly warn against inline --body with multiline content

Tested locally: Successfully posted comment using Write + --body-file
2026-01-14 10:06:05 -05:00
github-actions[bot] c2a16a253e chore(release): 7.19.2-dev.3 [skip ci] 2026-01-14 14:30:53 +00:00
kaitrannttandLeynier Gutiérrez González 3ac687ec9f feat(persist): add backup management for settings.json (#312)
Add `--list-backups` and `--restore` options to the ccs persist command
for backup management. Enables users to list and restore settings.json
backups. Updated CLAUDE.md to document persist command.

Resolves #248

Co-authored-by: Leynier Gutiérrez González <leynier41@gmail.com>
2026-01-14 09:29:32 -05:00
Leynier Gutiérrez Gonzálezandkaitranntt ef7e595b6f feat(persist): add --list-backups and --restore options for backup management
Add backup management functionality to the persist command:
- List available backups with timestamps and dates
- Restore from most recent or specific backup
- Improved error handling for corrupted settings.json
- Updated CLAUDE.md to document the persist command and the exception to the non-invasive constraint
2026-01-14 09:27:48 -05:00
github-actions[bot] 3b4c29ddcb chore(release): 7.19.2-dev.2 [skip ci] 2026-01-14 13:35:51 +00:00
SergeyandGitHub db58c6bbca fix(ui): use wss:// for WebSocket on HTTPS pages (#315) 2026-01-14 08:34:53 -05:00
github-actions[bot] 8daabdde5c chore(release): 7.19.2-dev.1 [skip ci] 2026-01-13 21:46:25 +00:00
Kai (Tam Nhu) TranandGitHub 4a1679d747 Merge pull request #327 from kaitranntt/feat/login-auth
feat(dashboard): add optional login authentication with CLI setup (#319)
2026-01-13 16:45:27 -05:00
github-actions[bot] fffcd7aa0e chore(sync): merge main into dev after release [skip ci] 2026-01-13 21:45:08 +00:00
semantic-release-bot cb32e913d2 chore(release): 7.19.2 [skip ci]
## [7.19.2](https://github.com/kaitranntt/ccs/compare/v7.19.1...v7.19.2) (2026-01-13)

### Bug Fixes

* **ci:** expand allowedTools patterns for flexible comment posting ([0a27c6a](https://github.com/kaitranntt/ccs/commit/0a27c6a12f53dd050dc8104ce8d82e2cb4bcef3f))
2026-01-13 21:44:41 +00:00
kaitranntt 0a27c6a12f fix(ci): expand allowedTools patterns for flexible comment posting
Add Bash(echo *) and Bash(cat *) patterns to allow heredocs and pipes.
This gives the AI reviewer flexibility to use any method for posting
multi-line review comments while remaining safe (shell-operator aware).
2026-01-13 16:43:39 -05:00
github-actions[bot] a4437491ed chore(sync): merge main into dev after release [skip ci] 2026-01-13 21:39:14 +00:00
semantic-release-bot e0776df0e6 chore(release): 7.19.1 [skip ci]
## [7.19.1](https://github.com/kaitranntt/ccs/compare/v7.19.0...v7.19.1) (2026-01-13)

### Bug Fixes

* **ci:** update allowedTools pattern to prevent token waste on retries ([edec6f6](https://github.com/kaitranntt/ccs/commit/edec6f6df242a092545a3c7ffd2856aad4f3f2af))
2026-01-13 21:38:50 +00:00
kaitranntt edec6f6df2 fix(ci): update allowedTools pattern to prevent token waste on retries
Changed pattern from `Bash(gh pr comment:*)` to `Bash(gh pr comment *)`
to match space-separated args. Updated prompt to discourage heredocs
and pipes which don't match the pattern, causing 6+ retry attempts.
2026-01-13 16:37:43 -05:00
kaitranntt a3a167e62a fix(auth): add security hardening per code review
- Add timing-safe username comparison to prevent timing attacks
- Regenerate session on login to prevent session fixation
- Add warning log when session secret persistence fails
2026-01-13 16:23:10 -05:00
github-actions[bot] 60488c262d chore(sync): merge main into dev after release [skip ci]
# Conflicts:
#	package.json
2026-01-13 21:23:02 +00:00
semantic-release-bot c514a8bc75 chore(release): 7.19.0 [skip ci]
## [7.19.0](https://github.com/kaitranntt/ccs/compare/v7.18.3...v7.19.0) (2026-01-13)

### Features

* **doctor:** add --help flag with comprehensive command documentation ([22c7d4a](https://github.com/kaitranntt/ccs/commit/22c7d4a20d96d12a2c38ec60d226a6bc26dce9b0))

### Bug Fixes

* **ci:** prevent AI review self-cancellation with smart concurrency ([25d31ce](https://github.com/kaitranntt/ccs/commit/25d31ce4329daf9512df4e0236e02d89d05b0842))
* **ci:** trigger AI review on follow-up commits to PR ([a2a13fb](https://github.com/kaitranntt/ccs/commit/a2a13fb16ec3d655a817e548a5cb72a21c6c774e))
2026-01-13 21:22:36 +00:00
github-actions[bot] 1d2dcbf1f6 chore(release): 7.18.3-dev.3 [skip ci] 2026-01-13 21:04:12 +00:00
kaitranntt 25d31ce432 fix(ci): prevent AI review self-cancellation with smart concurrency
Root cause: When the bot posts a review comment, GitHub fires an
issue_comment event that joins the same concurrency group and cancels
the in-progress run BEFORE job `if` conditions are evaluated.

Solution: Non-actionable triggers (bot comments, comments without
/review) get a unique per-run group via format('skip-{0}', github.run_id),
while legitimate triggers share the PR-based group for proper
cancellation of outdated reviews.
2026-01-13 16:03:02 -05:00
github-actions[bot] 865870ba4c chore(release): 7.18.3-dev.2 [skip ci] 2026-01-13 20:53:31 +00:00
kaitranntt a2a13fb16e fix(ci): trigger AI review on follow-up commits to PR
- Add `synchronize` event to trigger on new commits pushed to PR
- Add `reopened` event to trigger when PR is reopened
- Update documentation comments to reflect new behavior
- Keep cancel-in-progress to prevent stale reviews

Fixes issue where AI review only ran on PR creation, requiring
manual /review comment for subsequent commits.
2026-01-13 15:52:18 -05:00
kaitranntt 39c1ee2ca0 feat(config): add ccs config auth CLI subcommand
Interactive CLI for managing dashboard authentication:
- ccs config auth setup: Interactive wizard with bcrypt password hashing
- ccs config auth show: Display current auth status and ENV overrides
- ccs config auth disable: Disable auth with confirmation

Follows modular facade pattern from auth-commands.ts.
Uses InteractivePrompt for masked password input.
Includes local documentation at docs/dashboard-auth-cli.md.

Related: #319
2026-01-13 15:13:10 -05:00
kaitranntt 37e3468d4d fix(auth): move redirect to useEffect and validate bcrypt hash format
- Fix React side effect: move navigate() to useEffect in LoginPage
- Remove misplaced express-rate-limit from ui/package.json
- Add bcrypt hash format validation before bcrypt.compare
2026-01-13 14:43:55 -05:00
kaitranntt 759d43c8f7 Merge remote-tracking branch 'origin/dev' into feat/login-auth 2026-01-13 14:31:01 -05:00
github-actions[bot] 097b018532 chore(release): 7.18.3-dev.1 [skip ci] 2026-01-13 19:22:20 +00:00
Kai (Tam Nhu) TranandGitHub 8fb822f873 Merge pull request #320 from kaitranntt/feat/doctor-help-command
feat(doctor): add --help flag with comprehensive command documentation
2026-01-13 14:21:23 -05:00
github-actions[bot] aaa8f88662 chore(sync): merge main into dev after release [skip ci]
# Conflicts:
#	package.json
2026-01-13 19:02:01 +00:00
semantic-release-bot 75609221b1 chore(release): 7.18.3 [skip ci]
## [7.18.3](https://github.com/kaitranntt/ccs/compare/v7.18.2...v7.18.3) (2026-01-13)

### Bug Fixes

* **ci:** simplify AI review workflow by disabling progress tracking ([4ef2d48](https://github.com/kaitranntt/ccs/commit/4ef2d4848cf12d197ba1f8cd5dac66b55c82c8be))
* **ci:** simplify AI review workflow by disabling progress tracking ([#323](https://github.com/kaitranntt/ccs/issues/323)) ([39b37ca](https://github.com/kaitranntt/ccs/commit/39b37caa892f8b723f003c8ed0c6d8f2fe96d799))
2026-01-13 19:01:33 +00:00
github-actions[bot] dfe0e2d5ba chore(release): 7.18.2-dev.1 [skip ci] 2026-01-13 19:01:15 +00:00
Kai (Tam Nhu) TranandGitHub 39b37caa89 fix(ci): simplify AI review workflow by disabling progress tracking (#323)
fix(ci): simplify AI review workflow by disabling progress tracking
2026-01-13 14:00:31 -05:00
kaitranntt 4ef2d4848c fix(ci): simplify AI review workflow by disabling progress tracking
Root cause of cancellations was track_progress posting comments that
triggered new workflow runs. Instead of complex concurrency isolation,
simply disable progress tracking.

Changes:
- track_progress: false (no intermediate comments)
- Simple concurrency: ai-review-<PR_NUMBER>
- Removed extra bot filters (no longer needed)

Result: Clean PRs with just the final review comment.
2026-01-13 14:00:14 -05:00
github-actions[bot] 9e0ba102a5 chore(sync): merge main into dev after release [skip ci]
# Conflicts:
#	package.json
2026-01-13 18:51:11 +00:00