fb2e5242da
fix: Vault seeding, service health checks, and restart idempotency
BotServer CI/CD / build (push) Successful in 55m52s
- Replace hardcoded passwords with generate_random_string() for all Vault-seeded services
- Add valkey-cli, nc to SafeCommand allowlist; fix PATH in all 4 execution methods
- Fix empty Vault KV values ('none' placeholder) preventing 'Failed to parse K=V' errors
- Fix special chars in generated passwords triggering shell injection false positives
- Add ALM app.ini creation with absolute paths for Forgejo CLI
- Increase Qdrant timeout 15s→45s, ALM wait 5s→20s
- Persist file_states and kb_states to disk for .bas/KB idempotency across restarts
- Add duplicate check to use_website registration (debug log for existing)
- Remove dead code (SERVER_START_EPOCH, server_epoch)
- Add generate_random_string() to shared mod.rs, remove duplicates
2026-04-01 12:22:57 -03:00
2fa59057fa
fix: Resolve migration error, Vault 403, cache timeout, and shell injection false positives
BotServer CI/CD / build (push) Has been cancelled
- Fix migration 6.2.5: Create lost_reason column before VIEW that references it
- Fix Vault 403: Enable KV2 secrets engine after initialization
- Fix cache timeout: Increase Valkey readiness wait from 12s to 30s
- Fix command_guard: Remove () from forbidden chars (safe in std::process::Command)
2026-03-31 19:55:16 -03:00
7906a9bf32
security: add CoreDNS ACL hardening and fail2ban proxy jail
- dns_hardener.rs: apply ACL (anti-amplification) + errors plugin to Corefile via lxc
- fail2ban.rs: add apply_proxy() for caddy-http-flood jail in pragmatismo-proxy container
- security_fix.rs: integrate dns and fail2ban_proxy steps into run_security_fix/status
- mod.rs: export dns_hardener module
2026-03-17 11:18:19 -03:00
9fc38b80d3
Fix clippy type complexity warnings
2026-03-17 01:12:05 -03:00
c0b619b58f
Fix: add FromRequestParts impl for security AuthenticatedUser extractor
BotServer CI / build (push) Successful in 11m32s
2026-03-16 22:04:59 -03:00
d1cb6b758c
Fix LXD container mode: PATH, socket proxy, exec
BotServer CI / build (push) Successful in 10m54s
2026-03-15 20:00:06 -03:00
ef426b7a50
LXD proxy and container improvements
BotServer CI / build (push) Failing after 7m5s
2026-03-15 15:50:02 -03:00
7fb73e683f
feat: add campaigns, attendance SLA, and marketing modules
2026-03-14 16:35:42 -03:00
13892b3157
Fix tenant-org-bot relationship and CRM lead form
2026-03-12 18:19:18 -03:00
c072fb936e
fix(llm): load system-prompt from config.csv correctly
BotServer CI / build (push) Successful in 17m27s
- Move system_prompt retrieval inside spawn_blocking closure
- Include system_prompt in the return tuple to fix scope issue
- Add trace logging for debugging system-prompt loading
- GLM-5 and other LLM providers now correctly receive custom system prompts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-09 11:55:05 -03:00
1e71c9be09
feat: Add comprehensive stage progress logging
BotServer CI / build (push) Failing after 2m39s
- Add detailed logging for all 5 pipeline stages (PLAN, BUILD, REVIEW, DEPLOY, MONITOR)
- Log stage start/complete events with agent IDs and progress details
- Add resource creation/deletion logging in drive_handlers
- Improve pipeline summary logging with task ID, nodes, resources, and URL
This addresses the requirement for textual progress in console logs.
2026-03-01 22:36:14 -03:00
2c92a81302
merge: Unify master into main - all commits unified
BotServer CI / build (push) Failing after 6m9s
2026-03-01 07:43:07 -03:00
8f495c75ec
WIP: Local changes before merging master into main
2026-03-01 07:40:11 -03:00
0b1b17406d
chore(core): various email and security updates
2026-02-24 19:02:48 -03:00
e143968179
feat: Add JWT secret rotation and health verification
SEC-02: Implement credential rotation security improvements
- Add JWT secret rotation to rotate-secret command
- Generate 64-character HS512-compatible secrets
- Automatic .env backup with timestamp
- Atomic file updates via temp+rename pattern
- Add health verification for rotated credentials
- Route rotate-secret, rotate-secrets, vault commands in CLI
- Add verification attempts for database and JWT endpoints
Security improvements:
- JWT_SECRET now rotatable (previously impossible)
- Automatic rollback via backup files
- Health checks catch configuration errors
- Clear warnings about token invalidation
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-19 19:42:41 +00:00
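The rotation steps listed in the commit above (fresh 64-character secret, timestamped .env backup, temp-file-plus-rename update) as an added worked example. This is not BotServer's rotate-secret code; generate_secret, set_env_var and rotate_env_secret are hypothetical names, and the example reads randomness from /dev/urandom (Linux/BSD) because the standard library has no CSPRNG. For HS512, RFC 7518 requires a key at least as long as the hash output (512 bits), which 64 octets satisfies; a 64-symbol alphanumeric string carries roughly 381 bits of entropy, still far beyond brute force.

```rust
// Added example (not BotServer code): rotate a secret in a .env file with a
// timestamped backup and an atomic temp-file + rename update.
use std::fs::{self, File, OpenOptions};
use std::io::{Read, Write};
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const SECRET_LEN: usize = 64;

/// 64 alphanumeric characters from the OS CSPRNG. Rejection sampling
/// (discard bytes >= 248 = 4 * 62) keeps every symbol equally likely.
pub fn generate_secret() -> std::io::Result<String> {
    let mut urandom = File::open("/dev/urandom")?;
    let mut out = String::with_capacity(SECRET_LEN);
    let mut buf = [0u8; 64];
    while out.len() < SECRET_LEN {
        urandom.read_exact(&mut buf)?;
        for &b in buf.iter() {
            if out.len() == SECRET_LEN {
                break;
            }
            if b < 248 {
                out.push(ALPHABET[(b % 62) as usize] as char);
            }
        }
    }
    Ok(out)
}

/// Replace KEY=value in .env text (or append it), leaving other lines intact.
pub fn set_env_var(content: &str, key: &str, value: &str) -> String {
    let mut replaced = false;
    let mut lines: Vec<String> = content
        .lines()
        .map(|line| {
            let is_key = !line.trim_start().starts_with('#')
                && line.split_once('=').map(|(k, _)| k.trim()) == Some(key);
            if is_key {
                replaced = true;
                format!("{key}={value}")
            } else {
                line.to_string()
            }
        })
        .collect();
    if !replaced {
        lines.push(format!("{key}={value}"));
    }
    let mut out = lines.join("\n");
    out.push('\n');
    out
}

/// Back up, write a temp file next to the original, fsync, tighten
/// permissions, then rename over it. Returns (new_secret, backup_path).
pub fn rotate_env_secret(env_path: &Path, key: &str) -> std::io::Result<(String, PathBuf)> {
    let old = fs::read_to_string(env_path)?;
    let name = env_path.file_name().and_then(|n| n.to_str()).unwrap_or(".env").to_string();
    let ts = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);

    // 1. Backup first: a failure later still leaves a known-good copy.
    let backup = env_path.with_file_name(format!("{name}.bak.{ts}"));
    fs::copy(env_path, &backup)?;

    // 2. Temp file in the same directory (same filesystem, so rename is atomic).
    let secret = generate_secret()?;
    let tmp = env_path.with_file_name(format!("{name}.tmp.{}", std::process::id()));
    {
        let mut f = OpenOptions::new().write(true).create_new(true).open(&tmp)?;
        f.write_all(set_env_var(&old, key, &secret).as_bytes())?;
        f.sync_all()?;
    }
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        fs::set_permissions(&tmp, fs::Permissions::from_mode(0o600))?;
    }

    // 3. Readers see either the old file or the new one, never a partial write.
    fs::rename(&tmp, env_path)?;
    Ok((secret, backup))
}

fn main() -> std::io::Result<()> {
    let (secret, backup) = rotate_env_secret(Path::new(".env"), "JWT_SECRET")?;
    println!("rotated JWT_SECRET ({} chars); backup at {}", secret.len(), backup.display());
    println!("all tokens signed with the old secret are now invalid");
    Ok(())
}
```

The backup file holds the old secret with the source file's permissions, so it should be deleted once the health check passes; and because the process fails before the rename if anything goes wrong, the live .env is never left half-written.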
ac5b814536
fix(security): Fix unsafe code, CORS logic, and expect usage
2026-02-19 12:06:05 +00:00
d7211a6c19
fix: Resolve unused import and variable warnings
2026-02-19 11:48:17 +00:00
b1118f977d
fix: Correct parameter names in tool .bas files to match database schema
- Tool 06: Change tipoExibicao to tipoDescricao (matches pedidos_uso_imagem table)
- Tool 07: Change tipoExibicao to categoriaDescricao (matches licenciamentos table)
- Both tools now compile and execute successfully with database inserts
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 17:51:47 +00:00
848b875698
fix: Use PORT env var instead of BOTSERVER_PORT, default to port 9000
- Change BOTSERVER_PORT to PORT for consistency with .env.embedded
- Update default port from 8080 to 9000 in config
- Fix service port references in security integration
- Update directory setup ExternalPort to 9000
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-17 14:43:16 +00:00
17cb4ef147
Fix: Update source files and fix notify dependency reference
BotServer CI / build (push) Successful in 11m35s
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-13 22:30:57 +00:00
5ea171d126
Refactor: Split large files into modular subdirectories
BotServer CI / build (push) Failing after 1m34s
Split 20+ files over 1000 lines into focused subdirectories for better
maintainability and code organization. All changes maintain backward
compatibility through re-export wrappers.
Major splits:
- attendance/llm_assist.rs (2074→7 modules)
- basic/keywords/face_api.rs → face_api/ (7 modules)
- basic/keywords/file_operations.rs → file_ops/ (8 modules)
- basic/keywords/hear_talk.rs → hearing/ (6 modules)
- channels/wechat.rs → wechat/ (10 modules)
- channels/youtube.rs → youtube/ (5 modules)
- contacts/mod.rs → contacts_api/ (6 modules)
- core/bootstrap/mod.rs → bootstrap/ (5 modules)
- core/shared/admin.rs → admin_*.rs (5 modules)
- designer/canvas.rs → canvas_api/ (6 modules)
- designer/mod.rs → designer_api/ (6 modules)
- docs/handlers.rs → handlers_api/ (11 modules)
- drive/mod.rs → drive_handlers.rs, drive_types.rs
- learn/mod.rs → types.rs
- main.rs → main_module/ (7 modules)
- meet/webinar.rs → webinar_api/ (8 modules)
- paper/mod.rs → (10 modules)
- security/auth.rs → auth_api/ (7 modules)
- security/passkey.rs → (4 modules)
- sources/mod.rs → sources_api/ (5 modules)
- tasks/mod.rs → task_api/ (5 modules)
Stats: 38,040 deletions, 1,315 additions across 318 files
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-12 21:09:30 +00:00
Rodrigo Rodriguez
fc0926ffff
WIP: Multiple code improvements from previous session
- Fix various compiler warnings
- Update analytics, auto_task, and basic keywords
- Improve security, channels, and core modules
- Update designer, directory, and drive modules
- Fix embedded UI and LLM modules
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-08 12:25:37 +00:00
8d3f9339ee
Fix: add /api/auth/me to public routes in RBAC
2026-02-04 14:25:14 -03:00
355215c2a2
Update: refactor migrations, update source files, and add new features
2026-02-04 13:29:29 -03:00
1f7cdfa9cf
Fix conditional compilation for Windows-specific security methods
- Wrapped Windows security configuration code blocks in #[cfg(windows)] attributes
- Removed nested cfg attributes that were causing compilation errors
- Properly separated Windows and Linux code paths using compile-time attributes
- Fixed calls to configure_windows_security() and update_windows_signatures()
2026-01-28 20:11:18 -03:00
ff4e6c4fe8
fix(lxc): configure lxd-sock proxy for brother mode and update installers
GBCI / build (push) Failing after 47s
2026-01-26 11:44:18 -03:00
fdf74903ad
fix(server): update security modules and TODOs
2026-01-25 08:42:36 -03:00
0a24cd4b50
Fix build errors and unused imports in core, security and package_manager modules
2026-01-24 22:04:47 -03:00
6fa52e1dd8
feat: implement feature bundling architecture and fix conditional compilation
- Restructured Cargo.toml with Bundle Pattern for easy feature selection
- Added feature bundles: tasks → automation + drive + monitoring
- Applied conditional compilation guards throughout codebase:
* AppState fields (drive, cache, task_engine, task_scheduler)
* main.rs initialization (S3, Redis, Tasks)
* SessionManager Redis usage
* bootstrap S3/Drive operations
* compiler task scheduling
* shared module Task/NewTask exports
- Eliminated all botserver compilation warnings
- Minimal build now compiles successfully
- Accepted core dependencies: automation (Rhai), drive (S3), cache (Redis)
- Created DEPENDENCY_FIX_PLAN.md with complete documentation
Minimal feature set: chat + automation + drive + cache
Verified: cargo check -p botserver --no-default-features --features minimal ✅
2026-01-23 13:14:20 -03:00
66abce913f
Feature gating refactor: modular compilation with minimal feature set
2026-01-22 19:45:18 -03:00
fc9c07d204
Refactor schema.rs into modular files
2026-01-22 13:57:40 -03:00
18b8afd54c
O
2026-01-19 21:19:10 -03:00
5126c648ff
Auto-commit: 20260118_195334
2026-01-18 19:53:34 -03:00
a2783f9b32
Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars
2026-01-13 22:21:25 -03:00
31777432b4
Implement TODO items: session auth, face API, task logs, intent storage
Learn Module:
- All 9 handlers now use AuthenticatedUser extractor
Security:
- validate_session_sync reads roles from SESSION_CACHE
AutoTask:
- get_task_logs reads from manifest with status logs
- store_compiled_intent saves to cache and database
Face API:
- AWS Rekognition, OpenCV, InsightFace implementations
- Detection, verification, analysis methods
Other fixes:
- Calendar/task integration database queries
- Recording database methods
- Analytics insights trends
- Email/folder monitoring mock data
2026-01-13 14:48:49 -03:00
3fc3c58816
Fix overlapping route panic: remove duplicate /api/docs/import from drive module
2026-01-11 18:49:04 -03:00
3e75bbff97
MS Office 100% Compatibility - Phase 1 Implementation
- Add rust_xlsxwriter for Excel export with formatting support
- Add docx-rs for Word document import/export with HTML conversion
- Add PPTX export support with slides, shapes, and text elements
- Refactor sheet module into 7 files (types, formulas, handlers, etc)
- Refactor docs module into 6 files (types, handlers, storage, etc)
- Refactor slides module into 6 files (types, handlers, storage, etc)
- Fix collaboration modules (borrow issues, rand compatibility)
- Add ooxmlsdk dependency for future Office 2021 features
- Fix type mismatches in slides storage
- Update security protection API router type
Features:
- Excel: Read xlsx/xlsm/xls, write xlsx with styles
- Word: Read/write docx with formatting preservation
- PowerPoint: Write pptx with slides, shapes, text
- Real-time collaboration via WebSocket (already working)
- Theme-aware UI with --sentient-* CSS variables
2026-01-11 09:56:15 -03:00
b4003e3e0a
fix(auth): align auth middleware anonymous paths with RBAC config
- Remove broad /api/auth anonymous path that was matching /api/auth/me
- Add specific anonymous paths: /api/auth/login, /api/auth/refresh, /api/auth/bootstrap
- Remove /api/auth/logout, /api/auth/2fa/* from anonymous (require auth)
- Fix /api/auth/me returning 401 for authenticated users
2026-01-10 17:31:50 -03:00
8a6d63ff3e
debug: add logging for auth header extraction
2026-01-10 14:24:56 -03:00
209f4d74f7
feat(rbac): add missing route permissions
- Add /api/email/** routes
- Add messaging channels: telegram, whatsapp, msteams, instagram
- Add /api/pages/** routes
- Add /api/insights/** routes
- Add /api/app-logs/** routes
- Add /api/user/** for user profile
- Add /api/ui/email/** HTMX routes
2026-01-10 14:13:08 -03:00
0bda3ed466
fix(auth): simplify session validation and add debug logging
- Remove restrictive length check in validate_session_sync
- Accept any non-empty token as valid session
- Add debug logging throughout auth flow
- Add RBAC decision logging for troubleshooting
2026-01-10 14:03:34 -03:00
b4647cd8d2
feat(rbac): implement complete RBAC middleware and route permissions
- Add rbac_middleware_fn for use in middleware layer chain
- Add RBAC middleware to request processing pipeline (after auth)
- Complete route permissions for ALL apps:
- Anonymous: health, i18n, product, auth/login, chat, websocket
- Authenticated users: drive, mail, calendar, tasks, docs, paper, sheet,
slides, meet, research, sources, canvas, video, player, workspaces,
projects, goals, settings, bots (read), designer, dashboards, crm,
contacts, billing, products, tickets, learn, social, llm, autotask
- Admin/SuperAdmin: users, groups, bot management, analytics, monitoring,
audit, security, admin panel, attendant
- SuperAdmin only: RBAC management
- Add all /api/ui/** HTMX routes with proper permissions
- Chat remains anonymous for customer support functionality
2026-01-10 11:41:25 -03:00
81b8fd8f2d
fix(auth): handle Zitadel session tokens and grant Admin role
- Treat non-JWT bearer tokens as Zitadel session IDs
- Grant Admin role to valid sessions (temporary until proper role lookup)
- Add is_jwt_format helper to distinguish JWTs from session IDs
- Update RBAC to allow authenticated users access to UI monitoring routes
2026-01-10 11:14:33 -03:00
e3b3f04206
Normalize API paths: remove unnecessary /v1/ prefix
- Update all internal API routes from /api/v1/* to /api/*
- Protection API: /api/security/protection/*
- Botmodels calls: /api/vision/*, /api/audio/*, /api/speech/*
- Remove /api/v1/health from anonymous paths (keep /api/health)
External APIs (Reddit, Facebook, etc.) keep their original versioned paths
2026-01-10 09:48:43 -03:00
79ee009983
Fix: Add auth endpoints to anonymous paths list
- /api/auth/login was being blocked by auth middleware
- Add all auth endpoints to allow_anonymous_paths:
- /api/auth/login
- /api/auth/logout
- /api/auth/refresh
- /api/auth/bootstrap
- /api/auth/2fa/verify
- /api/auth/2fa/resend
- /oauth
- /auth/callback
2026-01-10 09:44:59 -03:00
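The three auth/RBAC commits above (the broad "/api/auth" anonymous entry that also matched "/api/auth/me", the "/api/email/**" style route permissions, and the explicit anonymous-path list) all hinge on how a path is matched against an allow rule. The following is an added example, not BotServer's middleware: a segment-aware matcher in which a pattern without a trailing `**` can never cover a longer path, so over-granting by prefix is impossible. Access, Rule, RULES and decide are hypothetical names; the rule list is constructed from the paths named in these commits.

```rust
// Added example (not BotServer's auth/RBAC middleware): segment-aware route
// matching. "/api/auth" matches only "/api/auth"; "/api/auth/**" is needed
// to cover "/api/auth/me".
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Access {
    Anonymous,
    Authenticated,
    Admin,
}

pub struct Rule {
    pub pattern: &'static str,
    pub access: Access,
}

/// Path segments without the query string, without empty segments from
/// "//" or a trailing "/", and refusing "." / ".." segments outright.
fn segments(path: &str) -> Option<Vec<&str>> {
    let path = path.split('?').next().unwrap_or("");
    let segs: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    if segs.iter().any(|s| *s == "." || *s == "..") {
        return None;
    }
    Some(segs)
}

/// Exact match per segment; `*` matches exactly one segment; a trailing
/// `**` matches the rest of the path (including nothing).
pub fn path_matches(pattern: &str, path: &str) -> bool {
    let pat: Vec<&str> = pattern.split('/').filter(|s| !s.is_empty()).collect();
    let segs = match segments(path) {
        Some(s) => s,
        None => return false,
    };
    for (i, p) in pat.iter().enumerate() {
        if *p == "**" {
            return i == pat.len() - 1;
        }
        match segs.get(i) {
            Some(s) if *p == "*" || p == s => {}
            _ => return false,
        }
    }
    // A pattern without `**` must consume the whole path.
    pat.len() == segs.len()
}

/// First matching rule wins, so specific anonymous entries go before the
/// `**` rule that covers the rest of their prefix. No match means deny
/// (None), never "anonymous".
pub fn decide(rules: &[Rule], path: &str) -> Option<Access> {
    rules.iter().find(|r| path_matches(r.pattern, path)).map(|r| r.access)
}

/// Constructed rule table; paths taken from the commit messages above.
pub const RULES: &[Rule] = &[
    Rule { pattern: "/api/health", access: Access::Anonymous },
    Rule { pattern: "/api/auth/login", access: Access::Anonymous },
    Rule { pattern: "/api/auth/refresh", access: Access::Anonymous },
    Rule { pattern: "/api/auth/bootstrap", access: Access::Anonymous },
    // logout, 2fa/* and me stay behind a session.
    Rule { pattern: "/api/auth/**", access: Access::Authenticated },
    Rule { pattern: "/api/email/**", access: Access::Authenticated },
    Rule { pattern: "/api/bots/*", access: Access::Authenticated },
    Rule { pattern: "/api/users/**", access: Access::Admin },
];

fn main() {
    for p in ["/api/auth/login", "/api/auth/me", "/api/users/7", "/api/auth/../health"].iter() {
        println!("{p} -> {:?}", decide(RULES, p));
    }
}
```

Matching on segments rather than string prefixes is what closes the "/api/auth" vs "/api/auth/me" gap; dropping the query string and rejecting dot segments stops the usual tricks of appending `?` or `../` to reach a different rule.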
faeae250bc
Add security protection module with sudo-based privilege escalation
- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands
Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers
2026-01-10 09:41:12 -03:00
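The security model in the commit above rests on sudoers entries that name exact commands with no wildcards. Here is an added example of generating such a fragment from an allowlist and refusing anything that would widen it; it is not BotServer's installer.rs, and SudoRule, render_rule and render_sudoers are hypothetical names, as are the tool paths. Two sudoers(5) facts it encodes: a command listed with no arguments may be run with any arguments, while a command followed by `""` may only be run with none; and `*`, `?`, `[`, `]` are glob characters, with `,`, `:`, `=` and `\` changing how the line parses.

```rust
// Added example (not BotServer's installer): render a sudoers fragment from
// an explicit (absolute path, fixed argv) allowlist.
use std::path::Path;

pub struct SudoRule {
    pub user: &'static str,
    pub runas: &'static str,
    pub command: &'static str,
    /// Exact argv. Empty renders as `""` ("no arguments allowed"); a bare
    /// path with no argv would let the caller pass ANY arguments.
    pub args: &'static [&'static str],
}

/// Refuse sudoers globs and separators rather than trying to escape them.
fn reject_unsafe(token: &str) -> Result<(), String> {
    const BAD: &[char] = &['*', '?', '[', ']', ',', ':', '=', '\\', '\n', ' '];
    if token.is_empty() {
        return Err("empty token".to_string());
    }
    if let Some(c) = token.chars().find(|c| BAD.contains(c)) {
        return Err(format!("{token:?} contains {c:?}, which sudoers treats specially"));
    }
    Ok(())
}

/// One `user host=(runas) NOPASSWD: /abs/path arg...` line, or why not.
pub fn render_rule(rule: &SudoRule) -> Result<String, String> {
    if !Path::new(rule.command).is_absolute() {
        return Err(format!("command {:?} must be an absolute path", rule.command));
    }
    reject_unsafe(rule.command)?;
    for a in rule.args {
        reject_unsafe(a)?;
    }
    let argv = if rule.args.is_empty() {
        "\"\"".to_string()
    } else {
        rule.args.join(" ")
    };
    Ok(format!("{} ALL=({}) NOPASSWD: {} {}", rule.user, rule.runas, rule.command, argv))
}

/// Whole fragment; fails closed on the first bad rule so nothing partial
/// is ever installed.
pub fn render_sudoers(rules: &[SudoRule]) -> Result<String, String> {
    let mut out = String::from("# managed fragment: check with `visudo -cf FILE` before installing\n");
    for r in rules {
        out.push_str(&render_rule(r)?);
        out.push('\n');
    }
    Ok(out)
}

fn main() {
    // Hypothetical tool paths; adjust to the host's actual binaries.
    let rules = [
        SudoRule { user: "botserver", runas: "root", command: "/usr/bin/lynis", args: &["audit", "system", "--quiet"] },
        SudoRule { user: "botserver", runas: "root", command: "/usr/sbin/chkrootkit", args: &[] },
    ];
    match render_sudoers(&rules) {
        Ok(text) => print!("{text}"),
        Err(e) => eprintln!("refusing to render: {e}"),
    }
}
```

Write the result to a mode 0440 file under /etc/sudoers.d/ only after `visudo -cf` accepts it; a syntax error in a sudoers fragment can lock everyone out of sudo.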
00acf1c76e
fix: Add trusted_shell_script_arg for internal scripts
- shell_script_arg blocks $( and backticks for user input safety
- trusted_shell_script_arg allows these for internal installer scripts
- Internal scripts need shell features like command substitution
- Updated bootstrap, installer, facade, and llm modules
2026-01-09 12:13:35 -03:00
db267714ca
fix: Allow URL-safe characters in SafeCommand arguments
- Allow &, ?, = in URL arguments (http:// or https://)
- Allow // pattern in URLs (needed for protocol)
- These are safe since Command::new().args() doesn't use shell
- Fixes Vault health check with query parameters
- Add debug logging to safe_curl and vault_health_check
2026-01-09 11:56:11 -03:00
703497b00c
fix: Remove dead code and unused fields - proper fixes per PROMPT.md
- large_org_optimizer.rs: Remove unused fields (cached_at, roles, organization_id from structs)
Add partition_manager() getter to use the field
- middleware.rs: Implement Display for AuthError to use InvalidToken message
- organization_rbac.rs: Remove unused user_groups and user_direct_permissions fields
- passkey.rs: Remove unused first_attempt_at field
- opencv.rs: Remove unused format field and ImageFormat enum
- rekognition.rs: Remove unused liveness_sessions field
No #[allow(dead_code)] - code is properly fixed or deleted
2026-01-09 11:00:14 -03:00
b674d85583
Fix SafeCommand to allow shell scripts with redirects and command chaining
- Add shell_script_arg() method for bash/sh/cmd -c scripts
- Allow > < redirects in shell scripts (blocked in regular args)
- Allow && || command chaining in shell scripts
- Update safe_sh_command functions to use shell_script_arg
- Update run_commands, start, and LLM server commands
- Block dangerous patterns: backticks, path traversal
- Fix struct field mismatches and type errors
2026-01-08 23:50:38 -03:00
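Several commits on this page adjust the same idea: what a SafeCommand argument may contain depends on whether a shell will ever parse it. Plain arguments go through Command::args() to execve() with no shell, so `(`, `)`, `&`, `?`, `=` and `//` are harmless (the `()` removal and URL-character commits); a script body passed to `sh -c` is parsed by a shell, so redirects and `&&`/`||` must be allowed but command substitution and traversal blocked (shell_script_arg); and internal installer scripts need substitution too (trusted_shell_script_arg). The following added example, not BotServer's command_guard or SafeCommand, puts those three tiers in one validator. ArgTier, validate_arg, run_plain and run_shell_script are hypothetical names.

```rust
// Added example (not BotServer's SafeCommand): tiered argument validation for
// a process-spawning wrapper, following the rules in the commit messages.
use std::process::Command;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ArgTier {
    /// Passed through Command::args(): no shell parses it, so `(`, `)`, `&`,
    /// `?` and `=` cannot start a second command.
    Plain,
    /// The body handed to `sh -c`: a shell does parse it. Redirects and
    /// `&&`/`||` chaining are allowed; substitution and traversal are not.
    ShellScript,
    /// Internal installer scripts that legitimately need `$( )`/backticks.
    TrustedShellScript,
}

fn is_url(arg: &str) -> bool {
    arg.starts_with("http://") || arg.starts_with("https://")
}

/// Err(reason) when `arg` must not be passed under `tier`.
pub fn validate_arg(arg: &str, tier: ArgTier) -> Result<(), String> {
    if arg.contains('\0') {
        return Err("NUL byte in argument".to_string());
    }
    match tier {
        ArgTier::Plain => {
            // Defence in depth: execve() never sees a shell, but a value that
            // is later pasted into a script should not carry shell operators.
            // Parentheses are deliberately absent, so a generated password
            // such as `k(3)x` is not a false positive.
            const FORBIDDEN: &[char] = &[';', '|', '`', '<', '>', '\n', '\r'];
            if let Some(c) = arg.chars().find(|c| FORBIDDEN.contains(c)) {
                return Err(format!("forbidden character {c:?} in plain argument"));
            }
            if arg.contains("$(") {
                return Err("command substitution in plain argument".to_string());
            }
            // `&`, `?`, `=` and `//` are ordinary inside a URL such as
            // https://vault:8200/v1/sys/health?standbyok=true; elsewhere `&`
            // is still refused.
            if arg.contains('&') && !is_url(arg) {
                return Err("'&' outside a URL".to_string());
            }
            Ok(())
        }
        ArgTier::ShellScript => {
            if arg.contains('`') || arg.contains("$(") {
                return Err("command substitution in shell script".to_string());
            }
            if arg.split(|c| c == '/' || c == ' ').any(|seg| seg == "..") {
                return Err("path traversal in shell script".to_string());
            }
            Ok(())
        }
        ArgTier::TrustedShellScript => Ok(()),
    }
}

/// Validate each argument as Plain, then spawn directly (no shell).
pub fn run_plain(program: &str, args: &[&str]) -> Result<String, String> {
    for a in args {
        validate_arg(a, ArgTier::Plain)?;
    }
    let out = Command::new(program)
        .args(args)
        .output()
        .map_err(|e| format!("spawn {program}: {e}"))?;
    if !out.status.success() {
        return Err(format!("{program} exited with {}", out.status));
    }
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// Validate a script body at its tier, then hand it to `sh -c`.
pub fn run_shell_script(script: &str, tier: ArgTier) -> Result<String, String> {
    if tier == ArgTier::Plain {
        return Err("a script body must use ShellScript or TrustedShellScript".to_string());
    }
    validate_arg(script, tier)?;
    let out = Command::new("sh")
        .args(["-c", script])
        .output()
        .map_err(|e| format!("spawn sh: {e}"))?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

fn main() {
    // The parentheses reach the child verbatim; nothing interprets them.
    println!("{:?}", run_plain("echo", &["pass(w0rd)"]));
    println!("{:?}", validate_arg("$(id)", ArgTier::ShellScript));
    println!("{:?}", run_shell_script("echo one > /dev/null && echo two", ArgTier::ShellScript));
}
```

The tier is chosen by the call site, never by inspecting the string: a value that is safe as a Plain argument becomes dangerous the moment it is concatenated into an `sh -c` body, which is why the password generator's alphabet and the Plain forbidden list have to be kept in agreement.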