Commit Graph
2788 Commits
Author SHA1 Message Date
Tam Nhu Tran e9fceed807 fix(ui): redirect to login when auth check fails from remote access
When the auth check API call fails (e.g., 403 from the localhost
security middleware), the catch block assumed no auth was needed and
marked the user as authenticated. This caused a silently broken
dashboard with no providers and no error feedback.

Now treats auth check failure as auth-required, redirecting to the
login page where users get a clear prompt to configure credentials.
2026-03-28 21:22:20 -04:00
Tam Nhu Tran efe6953da0 fix(ui): hide version badge when API fails instead of showing v5.0.0
HeroSection defaulted to '5.0.0' when version prop was undefined,
causing a misleading version badge when the overview API fails (e.g.,
403 from remote access without auth). Now hides the badge entirely
until a real version is loaded.
2026-03-28 21:22:20 -04:00
Tam Nhu Tran c26efae72a docs(docker): add post-deployment guide for auth, token migration, and verification
Users deploying via ccs docker up hit silent failures when accessing
the dashboard remotely: empty providers, wrong version badge (v5.0.0),
no CLIProxy detected. Root cause is the dashboard auth middleware
blocking non-localhost API access.

Added sections:
- Dashboard auth setup (required for remote access)
- Auth token migration from previous deployments
- Post-deployment verification checklist
- Troubleshooting: empty dashboard, 0 clients, ETXTBSY race

Closes #841
2026-03-28 21:22:20 -04:00
github-actions[bot] 39a4cc3523 chore(release): 7.61.1-dev.7 [skip ci] 2026-03-29 01:13:33 +00:00
Kai (Tam Nhu) TranandGitHub 37b8acc07a Merge pull request #844 from kaitranntt/kai/feat/843-parallel-review-jobs
feat(ai-review): workflow-level parallel review jobs
2026-03-28 21:11:57 -04:00
Tam Nhu Tran 86f45c2274 style(ai-review): add emojis to orchestrator output format sections 2026-03-28 21:09:56 -04:00
Tam Nhu Tran 97f07c2b12 refactor(ai-review): matrix strategy + orchestrator AI merge
- Replace 3 duplicate review jobs with 1 matrix job (-200 lines)
  Matrix entries: Security, Quality, CCS Compliance (run in parallel)
- Restore review-prompt.md as orchestrator merge prompt
  (dedup, severity rank, unified assessment, security+CCS tables)
- Aggregate job now runs claude-code-action with orchestrator prompt
  to produce polished unified review (not just stapled sections)
- Fallback to simple concat if orchestrator fails
- Dynamic prompt access via outputs[matrix.prompt_output] syntax
2026-03-28 21:02:57 -04:00
Tam Nhu Tran 8c371e73a3 feat(ai-review): workflow-level parallel review jobs
Replace single monolithic review job with 3 parallel GitHub Actions jobs
running simultaneously. Agent tool is unavailable in claude-code-action,
so parallelism is achieved at the workflow level instead.

Pipeline: prepare → load-prompts → 3 parallel reviews → aggregate

Jobs:
- prepare: resolve PR metadata and runner (unchanged)
- load-prompts: load focused prompts from base branch (security model)
- security-review: injection, auth, race conditions, supply chain
- quality-review: error handling, false assumptions, performance
- ccs-review: CCS-specific project compliance rules
- aggregate: merge 3 outputs into single PR comment

Each reviewer runs independently with 10min timeout, 25 max-turns.
Aggregate is pure bash (no API calls) — downloads artifacts, merges,
posts/updates single deduped comment.

Closes #843
2026-03-28 20:55:42 -04:00
github-actions[bot] 9e94d06aef chore(release): 7.61.1-dev.6 [skip ci] 2026-03-29 00:28:06 +00:00
Kai (Tam Nhu) TranandGitHub 66b66583f1 Merge pull request #838 from kaitranntt/kai/feat/837-parallel-ai-review
feat(ai-review): parallel subagent review pipeline
2026-03-28 20:26:31 -04:00
Tam Nhu Tran d2510fc860 fix(ai-review): use printf for subagent prompt outputs, match existing pattern
Replace echo with printf '%s\n' for subagent prompt GITHUB_OUTPUT writes
to match the existing main prompt pattern (line 216). Prevents edge case
where echo misinterprets leading -n/-e as flags.
2026-03-28 20:24:46 -04:00
Tam Nhu Tran 53ad2836c4 refactor(ai-review): switch --allowedTools to --tools for actual restriction
--allowedTools is an approval list (skip permission prompts), redundant
with bypassPermissions. --tools is the actual availability whitelist.

Also simplified tool list: Bash sub-patterns (gh pr diff *, etc.) aren't
supported by --tools. The workflow token has contents:read only, so the
agent physically cannot push/delete/modify the repo even with full Bash.
2026-03-28 20:13:47 -04:00
Tam Nhu Tran 36e8cc47d9 fix(ai-review): address all review findings — restore allowedTools, add fallbacks
Fixes from ai-review bot feedback on PR #838:

- [HIGH] Restore --allowedTools with Agent added (was incorrectly removed,
  not redundant with bypassPermissions — it's a tool whitelist)
- [MED] Add inline fallback prompts when subagent files missing from base branch
- [MED] Add graceful degradation in orchestrator for Agent tool failures
  and empty subagent prompts
- [MED] Replace hardcoded PROMPT_EOF delimiters with random openssl-generated
  delimiters to prevent early heredoc termination
- [LOW] Add per-subagent turn budget guidance (8-10 turns each, 50 total)
- [LOW] Add "Do NOT fetch diff separately" instruction to all 4 subagent prompts
2026-03-28 19:59:35 -04:00
Tam Nhu Tran d67fa350b8 refactor(ai-review): remove redundant allowedTools, enforce subagent dispatch
- Remove --allowedTools from claude_args (redundant with bypassPermissions,
  was never actually restricting tools)
- Strengthen orchestrator prompt: MANDATORY/FORBIDDEN language for subagent
  dispatch, explicit "you MUST use Agent tool" enforcement
2026-03-28 19:50:13 -04:00
github-actions[bot] bdb7bdb101 chore(release): 7.61.1-dev.5 [skip ci] 2026-03-28 23:38:44 +00:00
Kai (Tam Nhu) TranandGitHub 73003a12a0 Merge pull request #835 from kaitranntt/kai/fix/834-docker-cliproxy-detection
fix(docker): CLIProxy detection, session lock, and binary guard for integrated stack
2026-03-28 19:37:12 -04:00
Tam Nhu Tran ce023aa8f4 feat(ai-review): parallel subagent review pipeline
Rewrite ai-review workflow to use parallel subagents for faster,
more thorough PR reviews. Splits monolithic single-agent review into
4-stage pipeline: triage → 3 parallel focused reviewers → adversarial
red-team → aggregated single comment.

Changes:
- Add Agent tool to allowedTools for subagent spawning
- Increase max-turns 30→50, timeout 15→18min for subagent overhead
- Rewrite review-prompt.md as orchestration prompt (198→93 lines)
- Create 4 focused subagent prompts in .github/review-prompts/:
  - security.md: injection, auth, race conditions, supply chain
  - quality.md: error handling, false assumptions, AI blind spots
  - ccs-compliance.md: all 12 CCS-specific project rules
  - adversarial.md: red-team gap hunter (runs after parallel phase)
- Load all subagent prompts from base branch (security model preserved)
- Scope-aware dispatch: trivial PRs skip subagents entirely

Target: reduce avg review time from ~7min to <5min.

Closes #837
2026-03-28 19:32:08 -04:00
Tam Nhu Tran a517c506cb test(docker): add tests for health check port detection and ETXTBSY guard
Cover checkCliproxyPort() with all ProxyStatus branches (running,
starting, blocked with/without blocker, free). Cover deleteBinary()
ETXTBSY guard — verifies ETXTBSY throws clear message while other
errors (ENOENT, EACCES, EBUSY) are re-thrown.
2026-03-28 19:20:05 -04:00
Tam Nhu Tran e8b7ac730f fix(docker): wrap session registration in try-catch and narrow ETXTBSY guard
Session registration in spawn handler can throw on lock contention or
disk errors — wrap in try-catch to prevent silent proxy-untracked state.

Narrow EBUSY catch to ETXTBSY only since EBUSY on non-Linux platforms
can mean mount point or directory in use, not running binary. Fix
misleading "skip" comment to say "abort".
2026-03-28 19:00:54 -04:00
Tam Nhu Tran 7d410b26d0 fix(docker): address review findings — PID guard, deleteBinary guard, blocked fallback
- Guard child.pid falsy in bootstrap (PID 0 creates immortal phantom lock)
- Add ETXTBSY/EBUSY guard to deleteBinary() (same vuln as downloadAndInstall)
- Fix error message to suggest container restart (not circular ccs docker update)
- Tighten status.blocked guard to handle missing blocker gracefully
2026-03-28 18:12:18 -04:00
Tam Nhu Tran 5eac9c584a fix(cliproxy): guard binary install against ETXTBSY when running
In Docker, the dashboard tried to update the CLIProxy binary while
the bootstrap's instance was already executing it, causing ETXTBSY.
Now catches the error and throws a clear message instead of crashing.
2026-03-28 17:56:03 -04:00
Tam Nhu Tran a0f28f8807 fix(docker): register session lock from bootstrap for proxy discovery
Docker bootstrap spawns CLIProxy but never registered a session lock,
so the dashboard's fallback detection found nothing. Now registers on
spawn and unregisters on close.
2026-03-28 17:55:51 -04:00
Tam Nhu Tran d7a80ed38d fix(docker): use HTTP-first proxy detection in health checks
Health check used OS-level port detection (lsof/ss) which is
unavailable in minimal Alpine containers. Switched to the unified
detectRunningProxy() which tries HTTP first, then session lock,
then port-process as fallback.
2026-03-28 17:55:39 -04:00
github-actions[bot] 4536d1e5e3 chore(release): 7.61.1-dev.4 [skip ci] 2026-03-28 20:37:48 +00:00
Kai (Tam Nhu) TranandGitHub 119b08fa00 Merge pull request #833 from kaitranntt/kai/fix/832-docker-remote-deploy
fix(docker): remote env var syntax and build timeout
2026-03-28 16:36:16 -04:00
Tam Nhu Tran cbe93d4f76 test(docker): update executor tests for export syntax and build timeout
Align test assertions with the env var export pattern and the 5-minute
build timeout used by up and update operations.
2026-03-28 16:22:17 -04:00
Tam Nhu Tran 60167d3f2b fix(docker): use export for remote env vars and increase build timeout
Remote compose commands placed env vars directly before a compound
if/then statement which is invalid bash syntax. Changed to export
statements chained with &&.

Added REMOTE_DOCKER_BUILD_TIMEOUT_MS (5min) for up and update
operations that involve npm install inside the container. Quick
queries (status, config, down) keep the default 30s timeout.

Closes #832
2026-03-28 16:22:17 -04:00
github-actions[bot] 23fd673fee chore(release): 7.61.1-dev.3 [skip ci] 2026-03-28 20:12:53 +00:00
Kai (Tam Nhu) TranandGitHub c6bdf4d39c Merge pull request #827 from kaitranntt/kai/fix/websearch-hook-install-settings-profiles
fix(websearch): install hook for settings profiles
2026-03-28 16:11:14 -04:00
Tam Nhu Tran 836c485095 Merge remote-tracking branch 'origin/dev' into kai/fix/websearch-hook-install-settings-profiles 2026-03-28 15:47:22 -04:00
github-actions[bot] 2c52fe614f chore(release): 7.61.1-dev.2 [skip ci] 2026-03-28 19:41:27 +00:00
Kai (Tam Nhu) TranandGitHub d3f0acc59c Merge pull request #826 from kaitranntt/kai/fix/gemini-3-1-presets
fix(cliproxy): resolve gemini presets from live models
2026-03-28 15:39:56 -04:00
github-actions[bot] 27cd473c97 chore(release): 7.61.1-dev.1 [skip ci] 2026-03-28 19:36:55 +00:00
Kai (Tam Nhu) TranandGitHub e9cddabc4a Merge pull request #828 from kaitranntt/kai/chore/ccs-backlog-project-automation
chore: automate CCS backlog project sync
2026-03-28 15:35:20 -04:00
Tam Nhu Tran 0821c68559 fix(websearch): restore hook recovery and force register 2026-03-28 10:37:20 -04:00
Tam Nhu Tran ed37a2a513 Merge remote-tracking branch 'origin/dev' into kai/fix/websearch-hook-install-settings-profiles 2026-03-28 10:26:47 -04:00
Tam Nhu Tran cc55b9d794 Merge remote-tracking branch 'origin/dev' into kai/chore/ccs-backlog-project-automation-refresh 2026-03-28 10:17:56 -04:00
github-actions[bot] 92042697b0 chore(sync): merge main into dev after release [skip ci]
# Conflicts:
#	package.json
2026-03-28 14:15:12 +00:00
semantic-release-bot 91b800003b chore(release): 7.61.1 [skip ci]
## [7.61.1](https://github.com/kaitranntt/ccs/compare/v7.61.0...v7.61.1) (2026-03-28)

### Bug Fixes

* **ci:** require explicit /review command for AI review reruns ([3ebf17f](https://github.com/kaitranntt/ccs/commit/3ebf17f1701f9d7fd60aade0ec6bd8147b91e761))
2026-03-28 14:14:56 +00:00
Kai (Tam Nhu) TranandGitHub 114e19f7de Merge pull request #831 from kaitranntt/kai/hotfix-ai-review-comment-trigger
fix(ci): require explicit /review command for AI review reruns
2026-03-28 10:13:20 -04:00
Tam Nhu Tran 3ebf17f170 fix(ci): require explicit /review command for AI review reruns 2026-03-28 10:10:31 -04:00
github-actions[bot] 228ed3b036 chore(release): 7.61.0-dev.1 [skip ci] 2026-03-28 14:03:00 +00:00
Kai (Tam Nhu) TranandGitHub f4673389e4 Merge pull request #830 from kaitranntt/kai/fix/829-docker-assets-missing
fix(docker): include docker/ assets in npm package
2026-03-28 10:01:23 -04:00
Tam Nhu Tran 2423864817 fix(cliproxy): align gemini flash pricing and dashboard imports 2026-03-28 09:54:26 -04:00
Tam Nhu Tran e6617726cb fix: harden CCS backlog sync pagination and recovery 2026-03-28 09:51:53 -04:00
Tam Nhu Tran 0e6965d205 fix(websearch): harden settings-profile hook setup
- fail enabled settings-profile create and launch flows when hook preparation is still unusable

- refresh stale shared hook binaries without rewriting unchanged installs or failing benign races

- add rollback and regression coverage for disabled, stale, invalid, copy, import, and launch paths
2026-03-28 09:51:13 -04:00
Tam Nhu Tran 13254f28a6 test(docker): add regression test for bundled asset availability
Verify all four integrated Docker assets (compose file, Dockerfile,
supervisord config, entrypoint script) resolve and exist on disk.
Prevents silent exclusion from future packaging changes.
2026-03-28 09:47:37 -04:00
Tam Nhu Tran 50b56600dd fix(docker): include docker/ assets in npm package
The docker/ directory was missing from package.json files array,
causing all ccs docker commands to fail after npm install with
"Missing bundled Docker asset" error. Also add .npmignore exception
for docker/*.sh since the blanket *.sh exclusion stripped the
entrypoint script.

Closes #829
2026-03-28 09:47:23 -04:00
Tam Nhu Tran b3b3853db0 chore: automate CCS backlog project sync 2026-03-27 17:52:34 -04:00
Tam Nhu Tran 2251312411 fix(cliproxy): centralize gemini compatibility and fallback hints 2026-03-27 17:38:31 -04:00