GeneralBots/gb
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: update submodules and add migration scripts

Browse source
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2026-03-14 16:34:49 -03:00
parent 2fe4586be5
commit 9adfd66c9a
22 changed files with 1583 additions and 4970 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
botserver

@ -1 +1 @@
Subproject commit ad4aca21ffec3de5db510317aa1e366a15c50499
Subproject commit 13892b315722e958c063cf8e92bb69c38b1c23a9

2
botui

@ -1 +1 @@
Subproject commit b01a02d396b941151000126a708b5e886b3b36da
Subproject commit 97d2a934a9fa372285f5dbf64e3bb0cec67f660c

93
crm2_setup.sql Normal file
View file

@ -0,0 +1,93 @@
-- ============================================
-- CRM v2 - Unified Deals Table
-- Execute: psql -h localhost -U gbuser -d botserver -f crm2_setup.sql
-- ============================================
-- 1. Drop old tables (never used in production)
DROP TABLE IF EXISTS crm_leads CASCADE;
DROP TABLE IF EXISTS crm_opportunities CASCADE;
-- 2. Create domain: segments
CREATE TABLE crm_deal_segments (
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
org_id uuid NOT NULL,
bot_id uuid NOT NULL,
name varchar(50) NOT NULL,
description varchar(255),
created_at timestamptz DEFAULT now()
);
-- Insert default segments
INSERT INTO crm_deal_segments (org_id, bot_id, name)
SELECT org_id, bot_id, name FROM crm_pipeline_stages LIMIT 1;
-- 3. Create main deals table
CREATE TABLE crm_deals (
-- 🆔 Key
id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
org_id uuid NOT NULL,
bot_id uuid NOT NULL,
-- 🔗 Links to Contact/Account (NO DUPLICATE!)
contact_id uuid REFERENCES crm_contacts(id),
account_id uuid REFERENCES crm_accounts(id),
-- 🔗 Owner/Team (FK to users)
owner_id uuid REFERENCES users(id),
assignedto_id uuid REFERENCES users(id),
am_id uuid REFERENCES users(id),
-- 💰 Deal
description text,
value numeric(15,2),
-- 📊 Pipeline (use existing crm_pipeline_stages!)
stage_id uuid REFERENCES crm_pipeline_stages(id),
probability integer DEFAULT 0,
-- 🎯 Classification
source varchar(50), -- EMAIL, CALL, WEBSITE, REFERAL
segment_id uuid REFERENCES crm_deal_segments(id),
territory varchar(30),
-- 📅 Dates
expected_close_date date,
period integer, -- 1=manhã, 2=tarde, 3=noite (or hour 1-24)
deal_date date,
created_at timestamptz DEFAULT now(),
updated_at timestamptz,
-- 🌐 Social
linkedin varchar(100),
facebook varchar(80),
twitter varchar(30),
instagram varchar(50),
-- 📝 Notes (only current, history goes to crm_activities)
notes text,
-- 🏷️ Tags
tags text[],
-- 🔍 Flags
hard_to_find boolean DEFAULT false,
-- 📦 Custom Fields (remaining ~50 fields from gb.rob)
custom_fields jsonb DEFAULT '{}'
);
-- 4. Add deal_id to crm_activities (for history migration)
ALTER TABLE crm_activities ADD COLUMN IF NOT EXISTS deal_id uuid REFERENCES crm_deals(id);
-- 5. Create indexes
CREATE INDEX idx_crm_deals_org_bot ON crm_deals(org_id, bot_id);
CREATE INDEX idx_crm_deals_contact ON crm_deals(contact_id);
CREATE INDEX idx_crm_deals_account ON crm_deals(account_id);
CREATE INDEX idx_crm_deals_stage ON crm_deals(stage_id);
CREATE INDEX idx_crm_deals_owner ON crm_deals(owner_id);
CREATE INDEX idx_crm_deals_source ON crm_deals(source);
CREATE INDEX idx_crm_deals_company ON crm_deals(company);
-- 6. Grant permissions
GRANT ALL ON crm_deals TO gbuser;
GRANT ALL ON crm_deal_segments TO gbuser;

112
import_csv.py Normal file
View file

@ -0,0 +1,112 @@
import os
import sys
import csv
import json
import urllib.request
import urllib.parse
# Config
BOT_NAME = "pragmatismogb"
API_URL = "http://localhost:8080"
LOGIN_USER = os.getenv("CRM_USER", "admin")
LOGIN_PASS = os.getenv("CRM_PASS", "admin")
def login():
print(f"Logging in to {API_URL} as {LOGIN_USER}...")
req = urllib.request.Request(f"{API_URL}/api/auth/login",
data=json.dumps({"email": LOGIN_USER, "password": LOGIN_PASS}).encode("utf-8"),
headers={"Content-Type": "application/json"})
try:
with urllib.request.urlopen(req) as response:
if response.status == 200:
body = json.loads(response.read().decode('utf-8'))
token = body.get("token") or body.get("access_token")
# Alternatively check for Set-Cookie header
cookie = response.getheader("Set-Cookie")
if token:
print("Login successful (Got Token)")
return {"type": "bearer", "value": token}
elif cookie:
print("Login successful (Got Cookie)")
return {"type": "cookie", "value": cookie.split(';')[0]}
else:
return {"type": "bearer", "value": ""} # Unknown state
else:
print(f"Login failed: {response.status}")
sys.exit(1)
except Exception as e:
print(f"Login failed: {e}")
return None
def import_csv(auth, leads_file, opps_file):
headers = {"bot-name": BOT_NAME, "Content-Type": "application/json"}
if auth:
if auth["type"] == "bearer":
headers["Authorization"] = f"Bearer {auth['value']}"
elif auth["type"] == "cookie":
headers["Cookie"] = auth["value"]
# Import leads
try:
with open(leads_file, "r") as f:
reader = csv.DictReader(f)
for row in reader:
val_str = row.get("value", "").strip()
val = float(val_str) if val_str else 0.0
payload = {
"title": row.get("title", ""),
"description": row.get("description", ""),
"value": val,
"currency": row.get("currency", "USD"),
"source": row.get("source", "")
}
req = urllib.request.Request(f"{API_URL}/api/crm/leads",
data=json.dumps(payload).encode("utf-8"),
headers=headers,
method="POST")
try:
with urllib.request.urlopen(req) as response:
print(f"[+] Created lead: {payload['title']} -> {response.status}")
except Exception as e:
print(f"[-] Failed lead: {payload['title']} -> {e}")
except FileNotFoundError:
print(f"Could not find {leads_file}")
# Import opps
try:
with open(opps_file, "r") as f:
reader = csv.DictReader(f)
for row in reader:
val_str = row.get("value", "").strip()
val = float(val_str) if val_str else 0.0
pr_str = row.get("probability", "").strip()
pr = int(pr_str) if pr_str else 25
payload = {
"name": row.get("name", ""),
"description": row.get("description", ""),
"value": val,
"currency": row.get("currency", "USD"),
"stage": row.get("stage", "qualification"),
"probability": pr
}
req = urllib.request.Request(f"{API_URL}/api/crm/opportunities",
data=json.dumps(payload).encode("utf-8"),
headers=headers,
method="POST")
try:
with urllib.request.urlopen(req) as response:
print(f"[+] Created opportunity: {payload['name']} -> {response.status}")
except Exception as e:
print(f"[-] Failed opportunity: {payload['name']} -> {e}")
except FileNotFoundError:
print(f"Could not find {opps_file}")
if __name__ == "__main__":
if len(sys.argv) < 3:
print("Usage: python3 import_csv.py <leads_csv> <opps_csv>")
sys.exit(1)
auth_data = login()
import_csv(auth_data, sys.argv[1], sys.argv[2])

422
migrate_gb_rob.py Normal file
View file

@ -0,0 +1,422 @@
#!/usr/bin/env python3
"""
Migration script: gb.rob -> crm_deals + crm_activities
Execute: python3 migrate_gb_rob.py
"""
import os
import re
import json
from datetime import datetime
from decimal import Decimal
import psycopg2
from psycopg2 import extras
# Database connection
conn = psycopg2.connect(
host="localhost",
database="botserver",
user="gbuser"
)
conn.autocommit = False
cur = conn.cursor()
def parse_history_to_activities(history_text, deal_id, org_id, bot_id, owner_id):
"""Parse history field into crm_activities"""
if not history_text:
return []
activities = []
# Pattern: "DD/MM/YYYY: description" or "DD/MM/YYYY - description"
pattern = r'(\d{2}/\d{2}/\d{4})[;:]?\s*(.+?)(?=\d{2}/\d{2}/\d{4}|$)'
for match in re.finditer(pattern, str(history_text), re.DOTALL):
date_str = match.group(1)
description = match.group(2).strip()
try:
due_date = datetime.strptime(date_str, '%d/%m/%Y')
except:
due_date = None
# Determine activity type from description
activity_type = 'call'
if 'email' in description.lower() or 'mail' in description.lower():
activity_type = 'email'
elif 'wpp' in description.lower() or 'whatsapp' in description.lower():
activity_type = 'whatsapp'
elif 'reunião' in description.lower() or 'reuniao' in description.lower() or 'meeting' in description.lower():
activity_type = 'meeting'
# Determine outcome
outcome = None
desc_lower = description.lower()
if 'enviad' in desc_lower or 'enviado' in desc_lower:
outcome = 'sent'
elif 'recebid' in desc_lower:
outcome = 'received'
elif 'interesse' in desc_lower and 'não' in desc_lower:
outcome = 'not_interested'
elif 'agend' in desc_lower:
outcome = 'scheduled'
activities.append({
'org_id': org_id,
'bot_id': bot_id,
'deal_id': deal_id,
'activity_type': activity_type,
'subject': f"Follow-up: {description[:50]}",
'description': description,
'due_date': due_date,
'outcome': outcome,
'owner_id': owner_id,
'created_at': datetime.now()
})
return activities
def get_stage_id(stage_name):
"""Get stage_id from crm_pipeline_stages"""
cur.execute(
"SELECT id FROM crm_pipeline_stages WHERE LOWER(name) = %s",
(stage_name.lower(),)
)
result = cur.fetchone()
return result[0] if result else None
def get_user_id(username):
"""Get user_id from username"""
if not username:
return None
cur.execute(
"SELECT id FROM users WHERE username = %s",
(str(username).strip(),)
)
result = cur.fetchone()
return result[0] if result else None
def get_segment_id(segment_name, org_id, bot_id):
"""Get or create segment_id"""
if not segment_name:
return None
# Try to find existing
cur.execute(
"SELECT id FROM crm_deal_segments WHERE LOWER(name) = %s",
(str(segment_name).lower(),)
)
result = cur.fetchone()
if result:
return result[0]
# Create new
cur.execute("""
INSERT INTO crm_deal_segments (org_id, bot_id, name)
VALUES (%s, %s, %s)
RETURNING id
""", (org_id, bot_id, str(segment_name).strip()))
return cur.fetchone()[0]
def migrate_rob_to_deals():
"""Main migration function"""
print("🔄 Starting migration...")
# Get default org_id and bot_id
cur.execute("SELECT org_id, id FROM bots LIMIT 1")
bot_row = cur.fetchone()
bot_id = bot_row[1]
cur.execute("SELECT org_id FROM organizations LIMIT 1")
org_id = cur.fetchone()[0]
# Check if gb.rob exists
cur.execute("""
SELECT table_name FROM information_schema.tables
WHERE table_schema = 'gb' AND table_name = 'rob'
""")
if not cur.fetchone():
print("⚠️ Table gb.rob not found!")
print(" Checking if it's in public schema...")
cur.execute("""
SELECT table_name FROM information_schema.tables
WHERE table_name = 'rob'
""")
result = cur.fetchone()
if not result:
print("❌ Table rob not found in any schema")
return
schema = 'public'
print(f"✅ Found table in schema: {schema}")
else:
schema = 'gb'
table_name = f"{schema}.rob" if schema != 'public' else 'rob'
print(f"📋 Reading from table: {table_name}")
# Get column names
cur.execute(f"""
SELECT column_name FROM information_schema.columns
WHERE table_name = 'rob' AND table_schema = '{schema}'
ORDER BY ordinal_position
""")
columns = [row[0] for row in cur.fetchall()]
print(f" Columns: {len(columns)}")
# Fetch all rows
cur.execute(f"SELECT * FROM {table_name}")
rows = cur.fetchall()
print(f" Rows to migrate: {len(rows)}")
# Create column index map
col_map = {col: i for i, col in enumerate(columns)}
migrated = 0
activities_created = 0
for row in rows:
try:
# Extract fields using column map
company = row[col_map.get('company')]
contact = row[col_map.get('contact')]
email = row[col_map.get('email')]
phone = row[col_map.get('phone')]
mobile = row[col_map.get('mobile')]
website = row[col_map.get('website')]
address = row[col_map.get('address')]
city = row[col_map.get('city')]
state = row[col_map.get('state')]
country = row[col_map.get('country')]
notes = row[col_map.get('notes')]
history = row[col_map.get('history')]
action = row[col_map.get('action')]
segment = row[col_map.get('segment')]
segment1 = row[col_map.get('segment1')]
territory = row[col_map.get('territory')]
linkedin = row[col_map.get('linkedin')]
facebook = row[col_map.get('facebook')]
twitter = row[col_map.get('twitter')]
hard_to_find = row[col_map.get('hard_to_find')]
value = row[col_map.get('value')]
chance = row[col_map.get('chance')]
period = row[col_map.get('period')]
assignedto = row[col_map.get('assignedto')]
am = row[col_map.get('am')]
robid = row[col_map.get('robid')]
created = row[col_map.get('created'))
updated_at = row[col_map.get('updated_at'))
# Parse name from contact
first_name = None
last_name = None
if contact:
contact_str = str(contact).strip()
if ' ' in contact_str:
parts = contact_str.split(None, 1)
first_name = parts[0]
last_name = parts[1] if len(parts) > 1 else None
else:
first_name = contact_str
# Map action to stage
action_map = {
'lead': 'new',
'desqualified': 'lost',
'qualified': 'qualified',
'email': 'new',
'call': 'new',
'schedule': 'qualified',
'poc': 'proposal',
'win': 'won',
'recover': 'qualified',
'wait': 'negotiation',
'find': 'new',
'emul_asked': 'new',
'emul': 'new',
'close': 'won',
'recovered': 'qualified'
}
stage_name = action_map.get(str(action).lower().strip(), 'new')
stage_id = get_stage_id(stage_name)
# Get owner_id from assignedto
owner_id = get_user_id(assignedto)
# Get am_id
am_id = get_user_id(am)
# Get segment_id
segment_id = get_segment_id(segment1, org_id, bot_id)
# Parse period (hour or morning/afternoon)
period_val = None
if period:
period_str = str(period).lower().strip()
if period_str.isdigit():
period_val = int(period_str)
elif 'manhã' in period_str or 'manha' in period_str:
period_val = 1
elif 'tarde' in period_str:
period_val = 2
elif 'noite' in period_str:
period_val = 3
# Parse value
deal_value = None
if value:
try:
deal_value = Decimal(str(value))
except:
pass
# Parse chance to probability
probability = 0
if chance:
chance_str = str(chance).lower()
if 'alta' in chance_str:
probability = 80
elif 'média' in chance_str or 'media' in chance_str:
probability = 50
elif 'baixa' in chance_str:
probability = 20
# Parse created timestamp
created_at = datetime.now()
if created:
try:
created_at = datetime.fromtimestamp(int(created))
except:
try:
created_at = datetime.strptime(str(created), '%Y-%m-%d')
except:
pass
# Updated at
updated_at_val = updated_at if updated_at else datetime.now()
# Generate deal_id
deal_id = extras.uuid.uuid4()
# Build custom_fields with remaining columns
custom_fields = {}
remaining_cols = [
'segment', 'segment1', 'segment2', 'networking',
'tech', 'bot', 'template', 'legalname',
'questions', 'features',
'partner', 'partnercontact',
'revenue', 'once', 'recurrence',
'employees', 'poc',
'talk', 'mail',
'mkt7', 'mkt8', 'mkt9',
'video_sent', 'prp_sent', 'emulator',
'CTOFound', 'priority', 'llm_notes',
'detailedsegment', 'assessment',
'address1', 'address2', 'address3', 'state_1', 'cep',
'fax', 'video_1', 'specialistazureappsinfra',
'specialistazuredataai', 'azurecloudacqspecialist',
'cloudsolutionmw', 'cloudacqspecialistmw',
'cloudsolutionbizapps', 'cloudacqspecialistbizapps',
'cloudsolutionarchitectsappsinfra', 'cloudsolutionarchitectsdataai'
]
for col in remaining_cols:
if col in col_map:
val = row[col_map[col]]
if val is not None:
custom_fields[col] = val
# Insert deal
cur.execute("""
INSERT INTO crm_deals (
id, org_id, bot_id,
contact_id, account_id,
owner_id, assignedto_id, am_id,
description, value,
stage_id, probability,
source, segment_id, territory,
linkedin, facebook, twitter,
notes,
hard_to_find, period,
custom_fields,
created_at, updated_at
) VALUES (
%s, %s, %s,
NULL, NULL,
%s, %s, %s,
%s, %s,
%s, %s,
%s, %s, %s,
%s, %s, %s,
%s,
%s, %s,
%s,
%s, %s
)
""", (
deal_id, org_id, bot_id,
None, None,
owner_id, owner_id, am_id,
notes, deal_value,
stage_id, probability,
action, segment_id, territory,
linkedin, facebook, twitter,
notes,
hard_to_find if hard_to_find else False,
period_val,
json.dumps(custom_fields) if custom_fields else '{}',
created_at, updated_at_val
))
# Migrate history to activities
activities = parse_history_to_activities(history, deal_id, org_id, bot_id, owner_id)
for activity in activities:
cur.execute("""
INSERT INTO crm_activities (
id, org_id, bot_id, deal_id,
activity_type, subject, description,
due_date, outcome, owner_id, created_at
) VALUES (
%s, %s, %s, %s,
%s, %s, %s,
%s, %s, %s, %s
)
""", (
extras.uuid.uuid4(),
activity['org_id'], activity['bot_id'], deal_id,
activity['activity_type'], activity['subject'], activity['description'],
activity['due_date'], activity['outcome'], activity['owner_id'],
activity['created_at']
))
activities_created += 1
migrated += 1
if migrated % 10 == 0:
print(f" Migrated {migrated} deals...")
except Exception as e:
print(f" ⚠️ Error on row {migrated}: {e}")
continue
conn.commit()
print(f"✅ Migration complete!")
print(f" Deals migrated: {migrated}")
print(f" Activities created: {activities_created}")
if __name__ == "__main__":
try:
migrate_rob_to_deals()
except Exception as e:
print(f"❌ Migration failed: {e}")
conn.rollback()
finally:
cur.close()
conn.close()

8
out.txt
View file

@ -1,8 +0,0 @@
data: {"candidates": [{"content": {"role": "model","parts": [{"text": "Hello!"}]}}],"usageMetadata": {"trafficType": "ON_DEMAND"},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
data: {"candidates": [{"content": {"role": "model","parts": [{"text": " How can I help you today"}]}}],"usageMetadata": {"trafficType": "ON_DEMAND"},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
data: {"candidates": [{"content": {"role": "model","parts": [{"text": "?"}]}}],"usageMetadata": {"trafficType": "ON_DEMAND"},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}
data: {"candidates": [{"content": {"role": "model","parts": [{"text": "","thoughtSignature": "AY89a18iOcFus5wr5bW5xN6zZ4aUiCyhgmg6HE2YjtYDV/dwZ5oZlZHeTmiUKv34qq0="}]},"finishReason": "STOP"}],"usageMetadata": {"promptTokenCount": 1,"candidatesTokenCount": 9,"totalTokenCount": 10,"trafficType": "ON_DEMAND","promptTokensDetails": [{"modality": "TEXT","tokenCount": 1}],"candidatesTokensDetails": [{"modality": "TEXT","tokenCount": 9}]},"modelVersion": "gemini-3.1-flash-lite-preview","createTime": "2026-03-10T14:54:45.066123Z","responseId": "tTCwacuEBMvnitYP06qsgQY"}

737
prompts/BOTCODER_ANALYSIS.md
View file

@ -1,737 +0,0 @@
# BotCoder Multi-Agent OS - Architecture Analysis
## Executive Summary
Based on analysis of **botserver** (Rust backend), **botui** (Web UI), and **botapp** (Tauri Desktop), we can architect **BotCoder** as a unified multi-agent operating system that leverages the existing Mantis Farm infrastructure while adding code-specific capabilities similar to Claude Code.
---
## Current Architecture Analysis
### 1. BotServer (Rust Backend) - `botserver/src/auto_task/`
#### Multi-Agent Pipeline (The "Mantis Farm")
**File:** `orchestrator.rs` (1147 lines)
The orchestrator implements a **5-stage multi-agent pipeline**:
```
┌─────────────────────────────────────────────────────────────┐
│ ORCHESTRATOR PIPELINE │
├─────────────────────────────────────────────────────────────┤
│ │
│ Stage 1: PLAN ────────► Mantis #1 (Planner) │
│ - Analyze user request │
│ - Break down into sub-tasks │
│ - Identify tables, pages, tools, schedulers │
│ - Derive enterprise-grade work breakdown │
│ │
│ Stage 2: BUILD ───────► Mantis #2 (Builder) │
│ - Generate application code │
│ - Create HTML/CSS/JS files │
│ - Define database schema │
│ - Build tools & schedulers │
│ │
│ Stage 3: REVIEW ───────► Mantis #3 (Reviewer) │
│ - Validate code quality │
│ - Check HTMX patterns │
│ - Verify security │
│ - Ensure no hardcoded data │
│ │
│ Stage 4: DEPLOY ───────► Mantis #4 (Deployer) │
│ - Deploy application │
│ - Verify accessibility │
│ - Confirm static assets loading │
│ │
│ Stage 5: MONITOR ───────► Mantis #1 (Planner) │
│ - Setup health monitoring │
│ - Track error rates │
│ - Monitor response times │
│ │
└─────────────────────────────────────────────────────────────┘
```
#### Agent Status System
**Agent States:**
- **WILD** - Uninitialized agent
- **BRED** - Agent created and ready
- **EVOLVED** - Agent has completed work successfully
- **WORKING** - Agent actively processing
- **DONE** - Agent finished
- **FAILED** - Agent encountered error
**Agent Roles:**
```rust
pub enum AgentRole {
Planner, // Mantis #1 - Architect & Analyst
Builder, // Mantis #2 - Code Generator
Reviewer, // Mantis #3 - QA & Validation
Deployer, // Mantis #4 - Deployment
Monitor, // Mantis #1 (reused) - Health checks
}
```
#### Agent Executor (Container-Based)
**File:** `agent_executor.rs` (115 lines)
Provides **containerized execution environment** for agents:
```rust
pub struct AgentExecutor {
pub state: Arc<AppState>,
pub session_id: String,
pub task_id: String,
container: Option<ContainerSession>,
}
```
**Capabilities:**
- ✅ Spawn containerized terminal sessions
- ✅ Execute shell commands
- ✅ Broadcast terminal output via WebSocket
- ✅ Browser automation integration (chromiumoxide)
- ✅ Real-time progress updates
**WebSocket Events:**
- `terminal_output` - stdout/stderr from agent
- `thought_process` - agent reasoning/thinking
- `step_progress` - pipeline stage progress (1/5, 2/5...)
- `browser_ready` - browser automation available
- `agent_thought` - agent-specific thoughts
- `agent_activity` - structured activity logs
- `task_node` - task breakdown visualization
#### Intent Classification
**File:** `intent_classifier.rs`
Classifies user requests into types:
- **APP_CREATE** - Generate new application
- **APP_MODIFY** - Modify existing app
- **CODE_REVIEW** - Review code
- **DEBUG** - Debug issues
- **DEPLOY** - Deploy application
- **ANALYZE** - Analyze codebase
**Entity Extraction:**
- Tables (database schema)
- Features (UI components)
- Pages (routes/views)
- Tools (business logic)
- Schedulers (background jobs)
#### App Generator
**File:** `app_generator.rs` (3400+ lines)
**LLM-powered code generation:**
- Generates HTMX applications
- Creates database schemas
- Builds REST API endpoints
- Generates BASIC tools
- Creates scheduled jobs
- Produces E2E tests
**Output:**
```rust
pub struct GeneratedApp {
pub name: String,
pub description: String,
pub tables: Vec<TableDefinition>,
pub pages: Vec<GeneratedPage>,
pub tools: Vec<GeneratedTool>,
pub schedulers: Vec<SchedulerDefinition>,
}
```
#### Designer AI
**File:** `designer_ai.rs`
Runtime code modifications with:
- Undo/redo support
- Real-time UI editing
- Visual layout changes
- Style modifications
#### Safety Layer
**File:** `safety_layer.rs`
- Constraint checking
- Simulation before execution
- Audit trail
- Approval workflows
---
### 2. BotUI (Web Interface) - `botui/ui/suite/`
#### Vibe Builder UI
**File:** `partials/vibe.html` (47KB)
**Components:**
1. **Pipeline Tabs** - Plan/Build/Review/Deploy/Monitor stages
2. **Agents Sidebar** - Mantis #1-4 status cards
3. **Workspaces List** - Project management
4. **Canvas Area** - Task node visualization
5. **Chat Overlay** - Real-time communication with agents
**Agent Cards Display:**
```html
<div class="as-agent-card" data-agent-id="1">
<div class="as-agent-header">
<span class="as-status-dot green"></span>
<span class="as-agent-name">Mantis #1</span>
</div>
<div class="as-agent-body">
<span class="as-agent-icons">👀 ⚙️ ⚡</span>
<span class="as-badge badge-evolved">EVOLVED</span>
</div>
</div>
```
**WebSocket Integration:**
```javascript
// Connect to task progress stream
const ws = new WebSocket(`ws://localhost:8080/ws/task-progress/${taskId}`);
ws.onmessage = (event) => {
const data = JSON.parse(event.data);
handleTaskProgress(data);
};
// Event types handled:
// - pipeline_start
// - pipeline_complete
// - step_progress (1/5, 2/5, ...)
// - agent_thought
// - agent_activity
// - task_node
// - terminal_output
// - manifest_update
```
**Real-time Updates:**
- Agent status changes (WILD → BRED → WORKING → EVOLVED)
- Task node visualization (plan breakdown)
- Terminal output streaming
- Progress indicators
- File generation notifications
#### Other UI Components
- `chat.html` - Chat interface for agent interaction
- `editor-inner.html` - Code editor (currently textarea, needs Monaco)
- `explorer-inner.html` - File browser
- `settings.html` - Configuration
- `tasks.html` - Task management
- `desktop-inner.html` - Desktop integration
---
### 3. BotApp (Desktop) - `botapp/src/`
**Tauri-based desktop application** with:
- System tray integration
- Service monitoring
- File system access
- Desktop sync (rclone)
- Native notifications
**Main Features:**
```rust
// Desktop service monitoring
pub struct ServiceMonitor {
services: HashMap<String, ServiceStatus>,
}
// Tray management
pub struct TrayManager {
mode: RunningMode, // Server | Desktop | Client
}
// Drive integration
mod drive {
list_files()
upload_file()
create_folder()
}
// Sync integration
mod sync {
get_sync_status()
start_sync()
configure_remote()
}
```
---
## BotCoder Multi-Agent OS Architecture
### Vision
**BotCoder** = **Vibe Builder** + **Code-Specific Agents** + **Professional Tools**
Create a complete development environment that:
1. Uses the existing Mantis Farm infrastructure
2. Adds specialized coding agents (similar to Claude Code)
3. Provides professional editor experience (Monaco, terminal, git, etc.)
4. Supports both internal (GB Platform) and external (Forgejo) deployment
---
## Proposed BotCoder Agent Ecosystem
### Core Mantis Farm (Keep Existing)
```
Mantis #1: Planner & Orchestrator ───► Already exists in botserver
Mantis #2: Code Generator ───► Already exists (AppGenerator)
Mantis #3: Reviewer & Validator ───► Already exists
Mantis #4: Deployer ───► Already exists
```
### New Specialized Agents (Add to BotCoder)
```
┌─────────────────────────────────────────────────────────────────┐
│ BOTCODER AGENTS │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Mantis #5: Editor Agent ───► File operations │
│ - Multi-file editing │
│ - Syntax awareness │
│ - Refactoring support │
│ - Code completion │
│ │
│ Mantis #6: Database Agent ───► Schema operations │
│ - Query optimization │
│ - Migration management │
│ - Data visualization │
│ - Index suggestions │
│ │
│ Mantis #7: Git Agent ───► Version control │
│ - Commit analysis │
│ - Branch management │
│ - Conflict resolution │
│ - Code archaeology │
│ │
│ Mantis #8: Test Agent ───► Quality assurance │
│ - Test generation │
│ - Coverage analysis │
│ - E2E testing (chromiumoxide) │
│ - Performance profiling │
│ │
│ Mantis #9: Browser Agent ───► Web automation │
│ - Page recording │
│ - Element inspection │
│ - Performance monitoring │
│ - SEO checking │
│ │
│ Mantis #10: Terminal Agent ───► Command execution │
│ - Shell command execution │
│ - Build system integration │
│ - Package management │
│ - Docker orchestration │
│ │
│ Mantis #11: Documentation Agent ───► Docs & comments │
│ - Auto-generate docs │
│ - Comment quality check │
│ - README generation │
│ - API documentation │
│ │
│ Mantis #12: Security Agent ───► Security auditing │
│ - Vulnerability scanning │
│ - Dependency analysis │
│ - Secret detection │
│ - OWASP compliance │
│ │
└─────────────────────────────────────────────────────────────────┘
```
---
## BotCoder Architecture
### Backend (Rust)
```
botserver/src/
├── auto_task/ # EXISTING - Mantis Farm
│ ├── orchestrator.rs # Keep - Multi-agent pipeline
│ ├── agent_executor.rs # Keep - Container execution
│ ├── app_generator.rs # Keep - LLM code gen
│ ├── designer_ai.rs # Keep - Runtime edits
│ ├── intent_classifier.rs # Keep - Request classification
│ └── safety_layer.rs # Keep - Constraint checking
├── botcoder/ # NEW - BotCoder-specific agents
│ ├── mod.rs
│ ├── editor_agent.rs # Mantis #5 - File operations
│ ├── database_agent.rs # Mantis #6 - Schema ops
│ ├── git_agent.rs # Mantis #7 - Version control
│ ├── test_agent.rs # Mantis #8 - Testing
│ ├── browser_agent.rs # Mantis #9 - Web automation
│ ├── terminal_agent.rs # Mantis #10 - Command exec
│ ├── docs_agent.rs # Mantis #11 - Documentation
│ └── security_agent.rs # Mantis #12 - Security
├── deployment/ # NEW - From vibe.md Phase 0
│ ├── mod.rs # DeploymentRouter
│ ├── forgejo.rs # ForgejoClient
│ ├── api.rs # Deployment endpoints
│ └── templates.rs # CI/CD workflows
├── api/ # EXTEND - Add BotCoder APIs
│ ├── editor.rs # Monaco integration
│ ├── database.rs # DB UI backend
│ ├── git.rs # Git operations
│ ├── browser.rs # Browser automation
│ └── terminal.rs # WebSocket terminals
└── browser/ # NEW - From vibe.md Phase 4
├── mod.rs # BrowserSession
├── recorder.rs # ActionRecorder
├── validator.rs # TestValidator
└── api.rs # HTTP endpoints
```
### Frontend (Web + Desktop)
```
botui/ui/suite/
├── partials/
│ ├── vibe.html # EXISTING - Agent sidebar
│ ├── vibe-deployment.html # NEW - Deployment modal
│ ├── editor.html # NEW - Monaco editor
│ ├── database.html # NEW - Schema visualizer
│ ├── git-status.html # NEW - Git operations
│ ├── git-diff.html # NEW - Diff viewer
│ ├── browser-controls.html # NEW - Browser automation
│ └── terminal.html # NEW - Enhanced terminal
├── js/
│ ├── vibe.js # EXISTING - Vibe logic
│ ├── deployment.js # NEW - Deployment handler
│ ├── editor.js # NEW - Monaco integration
│ ├── database.js # NEW - DB visualization
│ ├── git.js # NEW - Git operations
│ ├── browser.js # NEW - Browser automation
│ └── terminal.js # NEW - Terminal (xterm.js)
└── css/
├── agents-sidebar.css # EXISTING - Mantis cards
├── deployment.css # NEW - Deployment styles
├── editor.css # NEW - Editor styles
├── database.css # NEW - DB UI styles
└── terminal.css # NEW - Terminal styles
```
---
## Integration Strategy
### Option 1: BotCoder as Separate Repository (Recommended)
```
gb/
├── botserver/ # Existing - Backend services
├── botui/ # Existing - Web UI
├── botapp/ # Existing - Desktop app
└── botcoder/ # NEW - Multi-agent IDE
├── Cargo.toml
├── src/
│ ├── main.rs
│ ├── agents/ # BotCoder agents
│ ├── editor/ # Editor integration
│ └── workspace/ # Workspace management
└── ui/
├── src/
│ ├── components/ # React/Vue components
│ ├── pages/ # IDE pages
│ └── lib/
└── index.html
```
**Pros:**
- Clean separation of concerns
- Independent release cycle
- Can be deployed standalone
- Easier to maintain
**Cons:**
- Duplicate some botserver code
- Need to share common libs
### Option 2: BotCoder as Module in BotServer
```
botserver/src/
├── auto_task/ # Existing Mantis Farm
└── botcoder/ # New BotCoder module
├── mod.rs
├── agents/
├── editor/
└── workspace/
```
**Pros:**
- Share existing infrastructure
- Single deployment
- Unified WebSocket channels
**Cons:**
- Tighter coupling
- Larger monolith
### Recommendation: **Option 1 (Separate Repo)**
But share common libraries via a `botlib` crate:
```
gb/
├── botlib/ # Shared utilities
│ ├── src/
│ │ ├── agents/ # Agent traits
│ │ ├── llm/ # LLM clients
│ │ └── websocket/ # WebSocket utils
│ └── Cargo.toml
├── botserver/ # Uses botlib
├── botui/ # Uses botlib
├── botapp/ # Uses botlib
└── botcoder/ # Uses botlib ← NEW
```
---
## BotCoder Features vs Vibe Builder
### Vibe Builder (Existing)
- ✅ Multi-agent pipeline (Mantis #1-4)
- ✅ App generation (HTMX apps)
- ✅ WebSocket real-time updates
- ✅ Agent status visualization
- ✅ Task breakdown
- ✅ Deployment (internal GB platform)
### BotCoder (Add)
- 📝 **Monaco Editor** - Professional code editing
- 🗄️ **Database UI** - Schema visualization
- 🐙 **Git Operations** - Version control UI
- 🌐 **Browser Automation** - Testing & recording
- 📂 **Multi-File Workspace** - Tab management
- 🖥️ **Enhanced Terminal** - xterm.js integration
- 🚀 **Dual Deployment** - Internal + Forgejo
- 🔒 **Security Scanning** - Vulnerability detection
- 📚 **Auto-Documentation** - Generate docs
- 🧪 **E2E Testing** - chromiumoxide integration
---
## BotCoder Multi-Agent Workflow Example
### User Request: "Create a CRM with contacts and deals"
```
1. CLASSIFY
└─ Intent: APP_CREATE
└─ Entities: { tables: [contacts, deals], features: [Contact Manager, Deal Pipeline] }
2. PLAN (Mantis #1 - Planner)
├─ Break down into 12 sub-tasks
├─ Create task nodes
└─ Estimate: 45 files, 98k tokens, 2.5 hours
3. BUILD (Mantis #2 - Builder)
├─ Generate HTML/CSS/JS files
├─ Create database schema
├─ Build REST API endpoints
└─ Output: /apps/my-crm/
4. CODE REVIEW (Mantis #3 - Reviewer)
├─ Check HTMX patterns
├─ Verify security
├─ Validate error handling
└─ Status: PASSED
5. OPTIMIZE (Mantis #5 - Editor Agent) ← NEW
├─ Analyze code structure
├─ Suggest refactorings
├─ Apply safe optimizations
└─ Generate PR
6. TEST (Mantis #8 - Test Agent) ← NEW
├─ Generate unit tests
├─ Create E2E tests (chromiumoxide)
├─ Measure coverage
└─ Status: 87% coverage
7. SECURITY CHECK (Mantis #12 - Security Agent) ← NEW
├─ Scan vulnerabilities
├─ Check dependencies
├─ Detect secrets
└─ Status: 0 issues found
8. DEPLOY (Mantis #4 - Deployer)
├─ Choose deployment target
│ ├─ Internal GB Platform ← Selected
│ └─ External Forgejo (optional)
├─ Deploy to /apps/my-crm/
└─ Verify accessibility
9. DOCUMENT (Mantis #11 - Documentation Agent) ← NEW
├─ Generate README.md
├─ Create API docs
├─ Add code comments
└─ Output: /docs/
10. MONITOR (Mantis #1 - Planner)
├─ Setup uptime monitoring
├─ Track error rates
├─ Monitor response times
└─ Status: ACTIVE
```
---
## Technical Implementation Plan
### Phase 1: Core BotCoder Infrastructure (Week 1)
**Tasks:**
1. Create `botcoder/` repository structure
2. Implement `botlib` shared crate
3. Add Mantis #5-12 agent stubs
4. Extend WebSocket protocol for new agents
5. Update orchestrator to support 12 agents
**Deliverables:**
- ✅ BotCoder repo initialized
- ✅ Agent trait system defined
- ✅ WebSocket events extended
- ✅ Orchestrator handles 12-agent pipeline
### Phase 2: Editor & Database UI (Week 2)
**Tasks:**
1. Integrate Monaco Editor (replace textarea)
2. Build database schema visualizer
3. Add query builder UI
4. Implement Mantis #5 (Editor Agent)
5. Implement Mantis #6 (Database Agent)
**Deliverables:**
- ✅ Monaco loads with syntax highlighting
- ✅ ER diagram shows tables/relationships
- ✅ Query builder generates SQL
- ✅ Editor agent can refactor code
- ✅ Database agent optimizes queries
### Phase 3: Git & Browser Automation (Week 3)
**Tasks:**
1. Build git operations UI
2. Implement diff viewer
3. Add browser automation panel (chromiumoxide)
4. Implement Mantis #7 (Git Agent)
5. Implement Mantis #9 (Browser Agent)
**Deliverables:**
- ✅ Git status shows changes
- ✅ Diff viewer displays side-by-side
- ✅ Browser automation records actions
- ✅ Git agent manages branches
- ✅ Browser agent generates Playwright tests
### Phase 4: Testing, Security & Docs (Week 4)
**Tasks:**
1. Implement test generation
2. Add security scanning
3. Build documentation generator
4. Implement Mantis #8 (Test Agent)
5. Implement Mantis #12 (Security Agent)
6. Implement Mantis #11 (Docs Agent)
**Deliverables:**
- ✅ Test agent generates coverage reports
- ✅ Security agent scans vulnerabilities
- ✅ Docs agent generates README
- ✅ E2E tests run via chromiumoxide
### Phase 5: Deployment Integration (Week 5)
**Tasks:**
1. Implement deployment router (from vibe.md Phase 0)
2. Add Forgejo integration
3. Build deployment UI
4. Integrate with existing Mantis #4 (Deployer)
**Deliverables:**
- ✅ Can deploy internally to /apps/
- ✅ Can deploy externally to Forgejo
- ✅ CI/CD pipelines auto-generated
- ✅ Deployment choice in UI
---
## Success Metrics
### Agent Performance
- ⚡ Pipeline completes in < 2 minutes
- 🎯 95%+ task success rate
- 🔄 < 5% agent failures requiring retry
- 📊 Real-time progress updates < 100ms latency
### Code Quality
- ✅ 80%+ test coverage
- 🔒 0 critical vulnerabilities
- 📝 100% documented public APIs
- 🚀 < 30s deployment time
### User Experience
- 💬 Natural language → working app
- 🎨 Beautiful UI by default
- 🔧 Professional tools (Monaco, terminal, git)
- 📱 Works on desktop + web
---
## Comparison: BotCoder vs Claude Code
| Feature | BotCoder | Claude Code |
|---------|----------|-------------|
| Multi-agent pipeline | ✅ 12 specialized agents | ❌ Single agent |
| Visual agent status | ✅ Real-time Mantis cards | ❌ No agent visibility |
| App generation | ✅ Full-stack (HTMX + DB) | ✅ Code generation only |
| Database UI | ✅ Schema visualizer | ❌ No DB tools |
| Git operations | ✅ Dedicated agent (Mantis #7) | ✅ Git integration |
| Browser automation | ✅ chromiumoxide + Mantis #9 | ✅ Playwright support |
| Deployment options | ✅ Dual (Internal + Forgejo) | ❌ No deployment |
| Desktop app | ✅ Tauri (botapp) | ❌ CLI only |
| Multi-user | ✅ SaaS platform | ❌ Single user |
| Visual workspace | ✅ Vibe Builder | ❌ Terminal only |
| Agent reasoning | ✅ Transparent thoughts | ❌ Black box |
---
## Conclusion
**BotCoder** can leverage the existing **Mantis Farm** infrastructure in `botserver` while adding specialized coding agents and professional tools. The architecture is:
1. **Foundation:** Existing orchestrator.rs (1147 lines) - 5-stage pipeline
2. **Extension:** Add 7 new specialized agents (Mantis #5-12)
3. **UI:** Extend vibe.html with editor, database, git, browser panels
4. **Desktop:** Integrate with botapp for native experience
5. **Deployment:** Dual deployment (internal GB Platform + external Forgejo)
**Estimated Effort:** 5 weeks (following vibe.md roadmap)
**Result:** A complete multi-agent development environment that exceeds Claude Code's capabilities while offering visual agent management, dual deployment, and multi-user SaaS architecture.

955
prompts/BOTCODER_HYBRID_ARCHITECTURE.md
View file

@ -1,955 +0,0 @@
# BotCoder Hybrid Architecture v2.0
## CLI + Optional Multi-Agent Facade (BYOK vs BotServer)
## Executive Summary
**BotCoder** exists as a **terminal-based AI coding agent** with real-time streaming and tool execution. This document outlines how to extend it into a **hybrid CLI/multi-agent OS** that can:
1. **Work standalone (BYOK)** - Direct LLM access, local execution
2. **Use botserver facade** - Leverage Mantis Farm agents when available
3. **Switch dynamically** - Fall back to local if botserver unavailable
---
## Current BotCoder Architecture
### Existing CLI Implementation (`/home/rodriguez/src/pgm/botcoder`)
**Dependencies:**
```toml
tokio = "1.42" # Async runtime
reqwest = "0.12" # HTTP client
ratatui = "0.29" # TUI framework
crossterm = "0.29" # Terminal handling
futures = "0.3" # Async utilities
regex = "1.10" # Pattern matching
```
**Core Features:**
- ✅ Real-time streaming LLM responses
- ✅ Tool execution (read_file, execute_command, write_file)
- ✅ Delta format parsing (git-style diffs)
- ✅ TPM rate limiting
- ✅ Conversation history management
- ✅ Animated TUI with ratatui
**Tool Support:**
```rust
// Currently supported tools
fn execute_tool(tool: &str, param: &str, project_root: &str) -> String {
match tool {
"read_file" => read_file(param),
"execute_command" => execute_command(param, project_root),
"write_file" => write_file(param),
"list_files" => list_files(param, project_root),
_ => format!("Unknown tool: {}", tool),
}
}
```
**LLM Integration:**
```rust
// Direct Azure OpenAI client
mod llm {
pub struct AzureOpenAIClient {
endpoint: String,
api_key: String,
deployment: String,
}
impl LLMProvider for AzureOpenAIClient {
async fn generate(&self, prompt: &str, params: &serde_json::Value)
-> Result<String, Box<dyn std::error::Error>>;
}
}
```
---
## Proposed Hybrid Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ BOTCODER HYBRID MODE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ BOTCODER CLI (main.rs) │ │
│ │ - TUI interface (ratatui) │ │
│ │ - Tool execution │ │
│ │ - Delta parsing │ │
│ │ - Rate limiting │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ LLM PROVIDER TRAIT (abstraction) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌───────────────┴───────────────┐ │
│ ▼ ▼ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ DIRECT LLM │ │ BOTSERVER FACADE │ │
│ │ (BYOK Mode) │ │ (Multi-Agent Mode) │ │
│ │ │ │ │ │
│ │ - Azure OpenAI │ │ - Mantis #1-4 │ │
│ │ - Anthropic │ │ - Mantis #5-12 │ │
│ │ - OpenAI │ │ - Orchestrator │ │
│ │ - Local LLM │ │ - WebSocket │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │ │ │
│ │ (Optional) │
│ ▼ ▼ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ LOCAL EXECUTION │ │ AGENT EXECUTION │ │
│ │ │ │ │ │
│ │ - File operations │ │ - Containerized │ │
│ │ - Command execution │ │ - AgentExecutor │ │
│ │ - Git operations │ │ - Browser automation│ │
│ │ - Docker control │ │ - Test generation │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
```
---
## Implementation Plan
### Phase 1: LLM Provider Abstraction (Week 1)
**Goal:** Create trait-based system for multiple LLM backends
**File:** `src/llm/mod.rs`
```rust
use async_trait::async_trait;
/// Unified LLM provider trait
#[async_trait]
pub trait LLMProvider: Send + Sync {
/// Generate completion with streaming support
async fn generate_stream(
&self,
prompt: &str,
params: &GenerationParams,
) -> Result<StreamResponse, LLMError>;
/// Generate completion (non-streaming)
async fn generate(
&self,
prompt: &str,
params: &GenerationParams,
) -> Result<String, LLMError>;
/// Get provider capabilities
fn capabilities(&self) -> ProviderCapabilities;
/// Get provider name
fn name(&self) -> &str;
}
pub struct GenerationParams {
pub temperature: f32,
pub max_tokens: u32,
pub top_p: f32,
pub tools: Vec<ToolDefinition>,
pub system_prompt: Option<String>,
}
pub struct StreamResponse {
pub content_stream: tokio_stream::wrappers::ReceiverStream<String>,
pub tool_calls: Vec<ToolCall>,
pub usage: TokenUsage,
}
pub struct ProviderCapabilities {
pub streaming: bool,
pub tools: bool,
pub max_tokens: u32,
pub supports_vision: bool,
}
```
**Implementations:**
```rust
// src/llm/azure_openai.rs
pub struct AzureOpenAIClient {
endpoint: String,
api_key: String,
deployment: String,
client: reqwest::Client,
}
#[async_trait]
impl LLMProvider for AzureOpenAIClient {
async fn generate(&self, prompt: &str, params: &GenerationParams)
-> Result<String, LLMError> {
// Existing implementation
}
fn capabilities(&self) -> ProviderCapabilities {
ProviderCapabilities {
streaming: true,
tools: true,
max_tokens: 4096,
supports_vision: false,
}
}
fn name(&self) -> &str {
"azure-openai"
}
}
// src/llm/anthropic.rs
pub struct AnthropicClient {
api_key: String,
client: reqwest::Client,
}
#[async_trait]
impl LLMProvider for AnthropicClient {
async fn generate(&self, prompt: &str, params: &GenerationParams)
-> Result<String, LLMError> {
// Anthropic API implementation
}
fn capabilities(&self) -> ProviderCapabilities {
ProviderCapabilities {
streaming: true,
tools: true,
max_tokens: 8192,
supports_vision: true,
}
}
fn name(&self) -> &str {
"anthropic"
}
}
// src/llm/botserver_facade.rs
pub struct BotServerFacade {
base_url: String,
api_key: Option<String>,
client: reqwest::Client,
}
#[async_trait]
impl LLMProvider for BotServerFacade {
async fn generate(&self, prompt: &str, params: &GenerationParams)
-> Result<String, LLMError> {
// Instead of direct LLM call, use botserver's orchestrator
// 1. Classify intent
// 2. Execute multi-agent pipeline
// 3. Return aggregated result
}
fn capabilities(&self) -> ProviderCapabilities {
ProviderCapabilities {
streaming: true, // Via WebSocket
tools: true, // Via AgentExecutor
max_tokens: 128000, // Multi-agent consensus
supports_vision: true, // Via Browser Agent
}
}
fn name(&self) -> &str {
"botserver-mantis-farm"
}
}
```
**Configuration:**
```rust
// src/config.rs
#[derive(Debug, Clone)]
pub struct BotCoderConfig {
pub llm_provider: LLMProviderType,
pub botserver_url: Option<String>,
pub project_path: PathBuf,
pub enable_facade: bool,
pub fallback_to_local: bool,
}
#[derive(Debug, Clone)]
pub enum LLMProviderType {
AzureOpenAI,
Anthropic,
OpenAI,
LocalLLM,
BotServerFacade, // Use Mantis Farm
}
impl BotCoderConfig {
pub fn from_env() -> Result<Self, ConfigError> {
let llm_provider = match env::var("LLM_PROVIDER").as_deref() {
Ok("azure") => LLMProviderType::AzureOpenAI,
Ok("anthropic") => LLMProviderType::Anthropic,
Ok("botserver") => LLMProviderType::BotServerFacade,
_ => LLMProviderType::AzureOpenAI, // Default
};
let botserver_url = env::var("BOTSERVER_URL").ok();
let enable_facade = env::var("ENABLE_BOTSERVER_FACADE")
.unwrap_or_else(|_| "false".to_string()) == "true";
Ok(Self {
llm_provider,
botserver_url,
project_path: env::var("PROJECT_PATH")?.into(),
enable_facade,
fallback_to_local: true,
})
}
}
```
---
### Phase 2: Multi-Agent Facade Integration (Week 2)
**Goal:** Connect to botserver's Mantis Farm when available
**File:** `src/botserver_client.rs`
```rust
use reqwest::Client;
use serde::{Deserialize, Serialize};
pub struct BotServerClient {
base_url: String,
api_key: Option<String>,
client: Client,
}
impl BotServerClient {
pub fn new(base_url: String, api_key: Option<String>) -> Self {
Self {
base_url,
api_key,
client: Client::new(),
}
}
/// Classify intent using botserver's intent classifier
pub async fn classify_intent(&self, text: &str)
-> Result<ClassifiedIntent, BotServerError> {
let url = format!("{}/api/autotask/classify", self.base_url);
let response = self.client
.post(&url)
.json(&serde_json::json!({ "text": text }))
.header("Authorization", self.api_key.as_ref().map(|k| format!("Bearer {}", k)).unwrap_or_default())
.send()
.await?;
if response.status().is_success() {
Ok(response.json().await?)
} else {
Err(BotServerError::ClassificationFailed(response.text().await?))
}
}
/// Execute multi-agent pipeline
pub async fn execute_pipeline(&self, classification: &ClassifiedIntent)
-> Result<OrchestrationResult, BotServerError> {
let url = format!("{}/api/autotask/execute", self.base_url);
let response = self.client
.post(&url)
.json(classification)
.header("Authorization", self.api_key.as_ref().map(|k| format!("Bearer {}", k)).unwrap_or_default())
.send()
.await?;
if response.status().is_success() {
Ok(response.json().await?)
} else {
Err(BotServerError::PipelineFailed(response.text().await?))
}
}
/// Subscribe to WebSocket progress updates
pub async fn subscribe_progress(&self, task_id: &str)
-> Result<tokio_tungstenite::WebSocketStream<tokio_tungstenite::MaybeTlsStream<tokio::net::TcpStream>>, BotServerError> {
let ws_url = format!(
"{}/ws/task-progress/{}",
self.base_url.replace("http", "ws"),
task_id
);
tokio_tungstenite::connect_async(&ws_url).await
.map_err(BotServerError::WebSocketError)
}
/// Use specialized agents directly
pub async fn query_agent(&self, agent_id: u8, query: &str)
-> Result<AgentResponse, BotServerError> {
match agent_id {
5 => self.query_editor_agent(query).await,
6 => self.query_database_agent(query).await,
7 => self.query_git_agent(query).await,
8 => self.query_test_agent(query).await,
9 => self.query_browser_agent(query).await,
10 => self.query_terminal_agent(query).await,
11 => self.query_docs_agent(query).await,
12 => self.query_security_agent(query).await,
_ => Err(BotServerError::InvalidAgent(agent_id)),
}
}
// Specific agent methods
async fn query_editor_agent(&self, query: &str)
-> Result<AgentResponse, BotServerError> {
// POST /api/botcoder/editor/query
let url = format!("{}/api/botcoder/editor/query", self.base_url);
let response = self.client
.post(&url)
.json(&serde_json::json!({ "query": query }))
.send()
.await?;
Ok(response.json().await?)
}
async fn query_database_agent(&self, query: &str)
-> Result<AgentResponse, BotServerError> {
// Query database schema, optimize queries
let url = format!("{}/api/botcoder/database/query", self.base_url);
let response = self.client
.post(&url)
.json(&serde_json::json!({ "query": query }))
.send()
.await?;
Ok(response.json().await?)
}
// ... other agent methods
}
#[derive(Debug, Deserialize)]
pub struct ClassifiedIntent {
pub intent_type: String,
pub entities: IntentEntities,
pub original_text: String,
}
#[derive(Debug, Deserialize)]
pub struct OrchestrationResult {
pub success: bool,
pub task_id: String,
pub stages_completed: u8,
pub app_url: Option<String>,
pub message: String,
pub created_resources: Vec<CreatedResource>,
}
#[derive(Debug, thiserror::Error)]
pub enum BotServerError {
#[error("Classification failed: {0}")]
ClassificationFailed(String),
#[error("Pipeline execution failed: {0}")]
PipelineFailed(String),
#[error("WebSocket error: {0}")]
WebSocketError(#[from] tokio_tungstenite::tungstenite::Error),
#[error("Invalid agent ID: {0}")]
InvalidAgent(u8),
#[error("HTTP error: {0}")]
HttpError(#[from] reqwest::Error),
#[error("JSON error: {0}")]
JsonError(#[from] serde_json::Error),
}
```
---
### Phase 3: Unified Tool Execution (Week 2-3)
**Goal:** Abstract tool execution to work locally or via agents
**File:** `src/tools/mod.rs`
```rust
use async_trait::async_trait;
/// Unified tool execution trait
#[async_trait]
pub trait ToolExecutor: Send + Sync {
async fn execute(&self, tool: &ToolCall, context: &ExecutionContext)
-> Result<ToolResult, ToolError>;
fn supports_tool(&self, tool_name: &str) -> bool;
}
pub struct ToolCall {
pub name: String,
pub parameters: serde_json::Value,
pub agent_id: Option<u8>, // Which agent should execute
}
pub struct ToolResult {
pub output: String,
pub exit_code: i32,
pub metadata: serde_json::Value,
}
pub struct ExecutionContext {
pub project_path: PathBuf,
pub botserver_client: Option<BotServerClient>,
pub use_local_fallback: bool,
}
/// Local tool executor (existing implementation)
pub struct LocalToolExecutor {
project_root: PathBuf,
}
#[async_trait]
impl ToolExecutor for LocalToolExecutor {
async fn execute(&self, tool: &ToolCall, context: &ExecutionContext)
-> Result<ToolResult, ToolError> {
match tool.name.as_str() {
"read_file" => self.read_file(tool.parameters).await,
"write_file" => self.write_file(tool.parameters).await,
"execute_command" => self.execute_command(tool.parameters).await,
"list_files" => self.list_files(tool.parameters).await,
"git_operation" => self.git_operation(tool.parameters).await,
_ => Err(ToolError::UnknownTool(tool.name.clone())),
}
}
fn supports_tool(&self, tool_name: &str) -> bool {
matches!(tool_name,
"read_file" | "write_file" | "execute_command" |
"list_files" | "git_operation"
)
}
}
/// Agent-based tool executor (via botserver)
pub struct AgentToolExecutor {
botserver_client: BotServerClient,
}
#[async_trait]
impl ToolExecutor for AgentToolExecutor {
async fn execute(&self, tool: &ToolCall, context: &ExecutionContext)
-> Result<ToolResult, ToolError> {
// Route to appropriate agent
let agent_id = tool.agent_id.unwrap_or_else(|| {
self.infer_agent_for_tool(&tool.name)
});
match self.botserver_client.query_agent(agent_id, &tool.parameters.to_string()).await {
Ok(response) => Ok(ToolResult {
output: response.output,
exit_code: response.exit_code,
metadata: response.metadata,
}),
Err(e) => {
// Fallback to local if enabled
if context.use_local_fallback {
warn!("Agent execution failed, falling back to local: {}", e);
LocalToolExecutor::new(context.project_path.clone()).execute(tool, context).await?
} else {
Err(ToolError::AgentError(e.to_string()))
}
}
}
}
fn supports_tool(&self, tool_name: &str) -> bool {
matches!(tool_name,
"database_query" | "schema_visualize" | "git_commit" |
"test_generate" | "browser_record" | "docs_generate" |
"security_scan" | "code_refactor" | "optimize_query"
)
}
fn infer_agent_for_tool(&self, tool_name: &str) -> u8 {
match tool_name {
"code_refactor" | "syntax_check" => 5, // Editor Agent
"database_query" | "schema_visualize" | "optimize_query" => 6, // Database Agent
"git_commit" | "git_branch" | "git_merge" => 7, // Git Agent
"test_generate" | "coverage_report" => 8, // Test Agent
"browser_record" | "page_test" => 9, // Browser Agent
"shell_execute" | "docker_build" => 10, // Terminal Agent
"docs_generate" | "api_docs" => 11, // Docs Agent
"security_scan" | "vulnerability_check" => 12, // Security Agent
_ => 2, // Default to Builder Agent
}
}
}
```
---
### Phase 4: Hybrid Execution Loop (Week 3)
**Goal:** Main loop that seamlessly switches between local and agent execution
**File:** `src/main.rs` (modified)
```rust
use llm::LLMProvider;
use tools::{LocalToolExecutor, AgentToolExecutor, ToolExecutor};
struct BotCoder {
config: BotCoderConfig,
llm_provider: Box<dyn LLMProvider>,
local_executor: LocalToolExecutor,
agent_executor: Option<AgentToolExecutor>,
botserver_client: Option<BotServerClient>,
}
impl BotCoder {
pub async fn new(config: BotCoderConfig) -> Result<Self, Box<dyn std::error::Error>> {
// Initialize LLM provider based on config
let llm_provider: Box<dyn LLMProvider> = match config.llm_provider {
LLMProviderType::AzureOpenAI => {
Box::new(llm::AzureOpenAIClient::new()?)
}
LLMProviderType::Anthropic => {
Box::new(llm::AnthropicClient::new()?)
}
LLMProviderType::BotServerFacade => {
// Will use botserver client
Box::new(llm::BotServerFacade::new(
config.botserver_url.clone().unwrap()
)?)
}
_ => Box::new(llm::AzureOpenAIClient::new()?),
};
// Initialize tool executors
let local_executor = LocalToolExecutor::new(config.project_path.clone());
let mut agent_executor = None;
let mut botserver_client = None;
// Try to connect to botserver if enabled
if config.enable_facade {
if let Some(url) = &config.botserver_url {
match BotServerClient::new(url.clone(), None).health_check().await {
Ok(()) => {
println!("✓ Connected to botserver at {}", url);
let client = BotServerClient::new(url.clone(), None);
botserver_client = Some(client.clone());
agent_executor = Some(AgentToolExecutor::new(client));
}
Err(e) => {
warn!("Failed to connect to botserver: {}", e);
if config.fallback_to_local {
println!("⚠ Falling back to local execution");
}
}
}
}
}
Ok(Self {
config,
llm_provider,
local_executor,
agent_executor,
botserver_client,
})
}
pub async fn run(&mut self) -> Result<(), Box<dyn std::error::Error>> {
let mut iteration = 0;
let mut conversation_history: Vec<String> = Vec::new();
loop {
iteration += 1;
println!("=== ITERATION {} ===", iteration);
// Display execution mode
if self.agent_executor.is_some() {
println!("Mode: Multi-Agent (BotServer Facade)");
println!("Agents Available: Mantis #1-12");
} else {
println!("Mode: Local (BYOK)");
}
println!();
// Build context
let context = self.build_context(&conversation_history);
// Generate response (streaming)
let response = match self.llm_provider.generate_stream(&context, &Default::default()).await {
Ok(r) => r,
Err(e) => {
// Try fallback to local if botserver fails
if self.agent_executor.is_some() && self.config.fallback_to_local {
warn!("LLM provider failed, trying fallback: {}", e);
// Switch to local provider
continue;
} else {
return Err(e.into());
}
}
};
// Stream response to TUI
self.display_streaming_response(response).await?;
// Extract tools from response
let tools = self.extract_tools(&full_response);
// Execute tools (local or agent-based)
for tool in tools {
let result = self.execute_tool_hybrid(tool).await?;
conversation_history.push(format!("Tool: {}\nResult: {}", tool.name, result));
}
conversation_history.push(format!("Assistant: {}", full_response));
// Trim history
if conversation_history.len() > 20 {
conversation_history.drain(0..10);
}
}
}
async fn execute_tool_hybrid(&self, tool: ToolCall) -> Result<ToolResult, ToolError> {
let context = ExecutionContext {
project_path: self.config.project_path.clone(),
botserver_client: self.botserver_client.clone(),
use_local_fallback: self.config.fallback_to_local,
};
// Try agent executor first if available
if let Some(agent_executor) = &self.agent_executor {
if agent_executor.supports_tool(&tool.name) {
println!("🤖 Executing via Mantis Agent: {}", tool.name);
return agent_executor.execute(&tool, &context).await;
}
}
// Fall back to local executor
if self.local_executor.supports_tool(&tool.name) {
println!("🔧 Executing locally: {}", tool.name);
return self.local_executor.execute(&tool, &context).await;
}
Err(ToolError::UnknownTool(tool.name))
}
}
```
---
## Usage Examples
### Example 1: Local Mode (BYOK)
```bash
# .env configuration
LLM_PROVIDER=azure
PROJECT_PATH=/home/user/myproject
ENABLE_BOTSERVER_FACADE=false
```
```bash
$ botcoder
=== ITERATION 1 ===
Mode: Local (BYOK)
✓ Azure OpenAI connected
> Add authentication to this Rust project
[AI Reasoning...]
I'll add JWT authentication using the `jsonwebtoken` crate.
CHANGE: Cargo.toml
<<<<<<< CURRENT
[dependencies]
tokio = "1.0"
=======
[dependencies]
tokio = "1.0"
jsonwebtoken = "9.0"
=======
[EXECUTE] Tool 1/3: write_file -> Cargo.toml
✓ File updated
```
### Example 2: Multi-Agent Mode (BotServer Facade)
```bash
# .env configuration
LLM_PROVIDER=botserver
BOTSERVER_URL=http://localhost:8080
PROJECT_PATH=/home/user/myproject
ENABLE_BOTSERVER_FACADE=true
FALLBACK_TO_LOCAL=true
```
```bash
$ botcoder
=== ITERATION 1 ===
✓ Connected to botserver at http://localhost:8080
Mode: Multi-Agent (BotServer Facade)
Agents Available: Mantis #1-12
> Create a CRM system with contacts and deals
[CLASSIFY] Intent: APP_CREATE
[PLAN] Mantis #1 breaking down request...
✓ 12 sub-tasks identified
✓ Estimated: 45 files, 98k tokens, 2.5 hours
[BUILD] Mantis #2 generating code...
✓ contacts table schema created
✓ deals table schema created
✓ Contact Manager page generated
✓ Deal Pipeline page generated
[REVIEW] Mantis #3 validating code...
✓ HTMX patterns verified
✓ Security checks passed
✓ 0 vulnerabilities found
[OPTIMIZE] Mantis #5 refactoring...
✓ Extracted duplicate code to utils.rs
✓ Added error handling wrappers
[TEST] Mantis #8 generating tests...
✓ 87% code coverage achieved
✓ E2E tests created (chromiumoxide)
[SECURITY] Mantis #12 scanning...
✓ 0 critical vulnerabilities
✓ All dependencies up to date
[DEPLOY] Mantis #4 deploying...
Target: Internal GB Platform
✓ App deployed to /apps/my-crm/
✓ Verify at http://localhost:8080/apps/my-crm/
[DOCUMENT] Mantis #11 generating docs...
✓ README.md created
✓ API documentation generated
✓ Pipeline complete in 1m 47s
```
### Example 3: Hybrid Mode (Automatic Fallback)
```bash
$ botcoder
=== ITERATION 1 ===
Mode: Multi-Agent (BotServer Facade)
✓ Connected to botserver
> Refactor this function for better performance
[EDITOR] Mantis #5 analyzing code...
⚠ BotServer connection lost
[FALLBACK] Switching to local mode...
[LOCAL] Analyzing with Azure OpenAI...
✓ Refactoring complete
```
---
## Benefits of Hybrid Architecture
### For Users (BYOK)
- ✅ **Privacy** - Code never leaves local machine
- ✅ **Speed** - Direct LLM access, no intermediate hops
- ✅ **Cost Control** - Use your own API keys
- ✅ **Offline Capable** - Works with local LLMs (llama.cpp, Ollama)
### For Users (BotServer Facade)
- ✅ **Multi-Agent Consensus** - 12 specialized agents collaborate
- ✅ **Advanced Capabilities** - Browser automation, security scanning, test generation
- ✅ **Visual Debugging** - Watch agent reasoning in Vibe Builder UI
- ✅ **Enterprise Features** - Team sharing, approval workflows, audit trails
### Seamless Switching
- ✅ **Automatic Fallback** - If botserver unavailable, use local
- ✅ **Tool Routing** - Use agent for complex tasks, local for simple ones
- ✅ **Cost Optimization** - Reserve expensive agents for hard problems
- ✅ **Progressive Enhancement** - Start local, upgrade to multi-agent as needed
---
## Configuration Matrix
| Scenario | LLM Provider | Tools | When to Use |
|----------|--------------|-------|-------------|
| **Local Development** | Azure/Anthropic (Direct) | Local file ops | Privacy-critical code |
| **Enterprise Project** | BotServer Facade | Agent-based | Complex refactoring |
| **Open Source** | Local LLM (Ollama) | Local | No API budget |
| **Learning** | BotServer Facade | Agent-based | Study agent reasoning |
| **CI/CD** | BotServer Facade | Agent-based | Automated testing |
| **Quick Fix** | Azure/Anthropic (Direct) | Local | Fast iteration |
| **Security Audit** | BotServer Facade | Mantis #12 | Comprehensive scan |
---
## Implementation Roadmap
### Week 1: Foundation
- [x] Extract existing LLM client to trait
- [ ] Implement Azure OpenAI provider
- [ ] Implement Anthropic provider
- [ ] Add BotServerFacade provider (stub)
### Week 2: BotServer Integration
- [ ] Implement BotServerClient
- [ ] Add WebSocket progress streaming
- [ ] Implement agent query methods
- [ ] Add health check & fallback logic
### Week 3: Tool Execution
- [ ] Refactor existing tools to trait
- [ ] Implement LocalToolExecutor
- [ ] Implement AgentToolExecutor
- [ ] Add tool routing logic
### Week 4: Hybrid Loop
- [ ] Modify main loop for provider switching
- [ ] Add streaming TUI updates
- [ ] Implement automatic fallback
- [ ] Add mode indicator to UI
### Week 5: Testing & Docs
- [ ] Test all three modes (local, agent, hybrid)
- [ ] Add configuration examples
- [ ] Write migration guide
- [ ] Update README
---
## Conclusion
The **hybrid BotCoder** gives users the best of both worlds:
1. **CLI First** - Fast, local, privacy-focused development
2. **Multi-Agent Power** - On-demand access to 12 specialized agents
3. **Seamless Switching** - Automatic fallback between modes
4. **Progressive Enhancement** - Start simple, scale when needed
**Result:** A coding agent that works offline for quick fixes but can call in a full multi-agent orchestra when facing complex challenges.
**Estimated Effort:** 5 weeks (1 developer)
**Lines of Code:** ~2000 new lines (modular, trait-based)
The BotCoder CLI becomes the **control plane** for the Mantis Farm, offering both direct terminal access and a gateway to the full multi-agent OS when needed.

38
prompts/PLAN.md Normal file
View file

@ -0,0 +1,38 @@
# Refactoring Progress & Plan
## ✅ Completed Tasks (v6.2.5)
### CRM v2.5 Implementation
- **Migration 6.2.5**: Added `department_id` to `crm_deals`, SLA tables
- **Schema**: Added `attendance_sla_policies` and `attendance_sla_events` tables
- **Structs**: Added `department_id` to `CrmDeal`, updated `ListQuery` with filters
- **API**: Department filtering on `list_leads` and `list_opportunities`
- **SLA Module**: Created `attendance/sla.rs` with breach detection background task
- **Tests**: Unit tests for CRM and SLA modules
- **Documentation**: Updated `sales-pipeline.md` with new stages and department filtering
- **Consolidation**: Merged `crm-marketing.md`, `crm-sales.md`, `crm-service.md``crm.md`
### Previous Fixes
- WhatsApp Adapter Error Handling
- Third-Party Config Robustness
- BASIC Script Preprocessing
## ❌ Pending (Full Implementation)
1. **Unified `/api/crm/deals` routes** - Add CRUD handlers
2. **Marketing campaign execution** - `send_campaign` in triggers.rs
3. **Marketing dynamic lists refresh** - Query-based list resolution
4. **Email tracking endpoints** - Open/click pixel tracking
5. **Marketing AI content generation** - LLM prompt integration
6. **Attendance skills-based routing** - Filter by attendant preferences
7. **Attendance webhooks** - HMAC-signed POST events
8. **Attendance kanban endpoint** - Sessions grouped by status
9. **WhatsApp attendant commands** - /queue, /take, /tips, etc.
## 📋 Current Status
- `cargo check -p botserver`: ✅
- `cargo clippy -p botserver`: ✅ (0 warnings)
- Migration ready: ✅
See `prompts/crm.md` for detailed implementation guide.

877
prompts/UNIFIED_PLAN.md
View file

@ -1,877 +0,0 @@
# Unified Implementation Plan: VibeCode Platform
## Executive Summary
This document **unifies** two separate task lists into a cohesive roadmap:
- **task.md**: Security & stability fixes (immediate priority)
- **TASK.md**: Feature implementation roadmap (development pipeline)
**Current Status:**
- 🎯 Backend: **80% complete** - LLM-powered app generation, multi-agent orchestration, browser automation ready
- 🎨 Frontend: **40% complete** - Vibe UI exists, missing professional tools (Monaco, Database UI, Git, Browser)
- 🔐 Security: **Needs attention** - Unsafe unwraps, dependency vulnerabilities (see Security Priorities below)
---
## Part I: Security & Stability (FROM task.md) - IMMEDIATE PRIORITY ⚠️
### 1. Unsafe Unwraps in Production (Violates AGENTS.md Error Handling)
**Issue:** The codebase uses `.unwrap()`, `.expect()`, `panic!()` in production code, which is explicitly forbidden by AGENTS.md.
**Vulnerable Locations:**
```
botserver/src/drive/drive_handlers.rs:269 - Response::builder() unwrap
botserver/src/basic/compiler/mod.rs - Multiple unwrap() calls
botserver/src/llm/llm_models/deepseek_r3.rs - unwrap() outside tests
botserver/src/botmodels/opencv.rs - Test scope unwrap() leaks
```
**Action Items:**
- [ ] Replace ALL `.unwrap()` with safe alternatives:
- Use `?` operator with proper error propagation
- Use `unwrap_or_default()` for defaults
- Use pattern matching with early returns
- Apply `ErrorSanitizer` to avoid panics
- [ ] Run `cargo clippy -- -W clippy::unwrap_used -W clippy::expect_used`
- [ ] Add unit tests verifying error paths work correctly
**Estimated Effort:** 4-6 hours
---
### 2. Dependency Vulnerabilities (Found by `cargo audit`)
**Vulnerable Component:**
- **Crate:** `glib 0.18.5`
- **Advisory:** `RUSTSEC-2024-0429`
- **Issue:** Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
- **Context:** Pulled through `botdevice` and `botapp` via Tauri plugins/GTK dependencies
**Action Items:**
- [ ] Review exact usage of glib in the codebase
- [ ] Check if patches are available in newer versions
- [ ] Evaluate risk given desktop GUI context
- [ ] If critical: upgrade GTK/Glib ecosystem dependencies
- [ ] If acceptable: document risk assessment and add to security review checklist
**Estimated Effort:** 2-4 hours
---
### 3. General Security Posture Alignment
**CSRF Protection:**
- ✅ Custom CSRF store exists: `redis_csrf_store.rs`
- ⚠️ Verify: ALL state-changing endpoints use it (standard `tower-csrf` is absent from Cargo.toml)
**Security Headers:**
- ✅ `headers.rs` provides CSP, HSTS, X-Frame-Options
- ⚠️ Verify: Headers are attached UNIVERSALLY in botserver, not selectively omitted
**Action Items:**
- [ ] Audit all POST/PUT/DELETE endpoints for CSRF token validation
- [ ] Create middleware test to ensure security headers on all responses
- [ ] Document security checklist for new endpoints
**Estimated Effort:** 3-4 hours
---
## Part II: Feature Implementation Roadmap (FROM TASK.md) - DEVELOPMENT PIPELINE
### Architecture Overview
```
┌──────────────────────────────────────────────────────────────┐
│ USER REQUEST │
│ "I want a full CRM system" │
└────────────────────────┬─────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ VIBE BUILDER UI │
│ ┌──────────────────┐ ┌──────────────────┐ │
│ │ Agent Sidebar │ │ Canvas Area │ │
│ │ (Mantis #1-4) │ │ - Task Nodes │ │
│ │ - Status cards │ │ - Preview │ │
│ │ - Workspaces │ │ - Chat Overlay │ │
│ └──────────────────┘ └──────────────────┘ │
│ │
│ NEW TOOLS TO ADD: │
│ 🔌 MCP Sources Panel ← botserver/src/sources/ui.rs │
│ 📝 Monaco Editor ← Phase 1 (Critical) │
│ 🗄️ Database Visualizer ← Phase 2 (Critical) │
│ 🐙 Git Operations ← Phase 3 (High) │
│ 🌐 Browser Automation ← Phase 4 (High) │
│ 📂 Multi-File Workspace ← Phase 5 (Medium) │
│ 🖥️ Enhanced Terminal ← Phase 6 (Medium) │
└────────────────────────┬─────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ BOTSERVER (Rust Backend) │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Orchestrator │ │ AppGenerator │ │ Designer AI │ │
│ │ (5 agents) │ │(LLM-driven) │ │(modifications)│ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Browser │ │ Git │ │ Terminal │ │
│ │ Automation │ │ Operations │ │ Service │ │
│ │(chromiumoxide)│ │(git2) │ │(xterm.js) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ MCP & Sources Integration ← ALREADY IMPLEMENTED │ │
│ │ - botserver/src/sources/mcp.rs │ │
│ │ - botserver/src/sources/ui.rs │ │
│ │ - /api/ui/sources/* endpoints │ │
│ └──────────────────────────────────────────────────┘ │
└────────────────────────┬─────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ GENERATED OUTPUT │
│ - PostgreSQL tables │
│ - HTML pages with HTMX │
│ - CSS styling │
│ - JavaScript │
│ - BASIC tools/schedulers │
│ - E2E tests (Playwright) │
└──────────────────────────────────────────────────────────────┘
```
---
## Part III: MCP & Sources Integration - EXISTING INFRASTRUCTURE ✅
### What Already Exists
**Backend Implementation (botserver/src/sources/):**
```
sources/
├── mod.rs # Module exports
├── mcp.rs # MCP client, connection, server types
├── ui.rs # HTML pages for /suite/sources/*
├── knowledge_base.rs # Knowledge base upload/query
└── sources_api # API endpoints
```
**API Endpoints (defined in botserver/src/core/urls.rs):**
```
/sources/*:
/suite/sources - Main sources list page
/suite/sources/mcp/add - Add MCP server form
/suite/sources/mcp/catalog - MCP server catalog
/api/ui/sources/*:
/api/ui/sources/mcp - List MCP servers
/api/ui/sources/mcp/:name - Get server details
/api/ui/sources/mcp/:name/enable - Enable server
/api/ui/sources/mcp/:name/disable - Disable server
/api/ui/sources/mcp/:name/tools - List server tools
/api/ui/sources/mcp/:name/test - Test server connection
/api/ui/sources/mcp/scan - Scan for MCP servers
/api/ui/sources/mcp-servers - Get server catalog
/api/ui/sources/kb/upload - Upload to knowledge base
/api/ui/sources/kb/list - List knowledge base docs
/api/ui/sources/kb/query - Query knowledge base
/api/ui/sources/repositories - List repositories
/api/ui/sources/apps - List connected apps
```
**Vibe UI Integration (botui/ui/suite/):**
```
botui/ui/suite/
├── partials/
│ └── vibe.html # Main Vibe Builder UI
│ # - Agent sidebar (Mantis #1-4)
│ # - Canvas area with task nodes
│ # - Chat overlay
│ # - Preview panel
├── vibe/
│ └── agents-sidebar.css # Styles for agent sidebar
├── js/
│ └── chat-agent-mode.js # Agent-mode JavaScript
└── css/
└── chat-agent-mode.css # Agent-mode styles
```
### Integration Task: Add MCP Panel to Vibe UI
**Goal:** Add a "Sources" panel to Vibe that shows connected MCP servers and allows management.
**Action Items:**
1. **Create MCP Panel Component:**
- File: `botui/ui/suite/partials/vibe-mcp-panel.html`
- Features:
- List connected MCP servers
- Show server status (active/inactive)
- Display available tools per server
- Quick enable/disable toggles
- "Add Server" button (opens `/suite/sources/mcp/add`)
2. **Add JavaScript:**
- File: `botui/ui/suite/js/vibe-mcp.js`
- Fetch servers from `/api/ui/sources/mcp`
- Handle enable/disable actions
- Update server status in real-time
- Display tool risk levels
3. **Add Styles:**
- File: `botui/ui/suite/vibe/mcp-panel.css`
- Match existing agents-sidebar.css aesthetic
- Server cards with status indicators
- Tool badges with risk levels
4. **Integrate into Vibe:**
- Add "Sources" tab to Vibe sidebar
- Load MCP panel when tab clicked
- Show server count badge
**Estimated Effort:** 6-8 hours
---
## Part IV: Implementation Phases (UPDATED WITH MCP INTEGRATION)
### Phase 0: Security & Stability ⚠️ - IMMEDIATE (Week 0)
**Priority: CRITICAL - Must complete before any feature work**
**Tasks:**
1. [ ] Fix all unsafe `unwrap()` calls
2. [ ] Address dependency vulnerabilities
3. [ ] Verify CSRF & security headers coverage
**Estimated Effort:** 9-14 hours
**Success Criteria:**
- ✅ Zero `unwrap()` in production code
- ✅ `cargo audit` passes cleanly
- ✅ All state-changing endpoints use CSRF tokens
- ✅ All responses include security headers
---
### Phase 0.5: MCP Integration in Vibe (Week 0.5)
**Priority: HIGH - Leverage existing infrastructure**
**Tasks:**
1. [ ] Create MCP panel component
2. [ ] Add JavaScript for server management
3. [ ] Style panel to match Vibe aesthetic
4. [ ] Integrate into Vibe sidebar
**Estimated Effort:** 6-8 hours
**Success Criteria:**
- ✅ MCP servers visible in Vibe UI
- ✅ Can enable/disable servers
- ✅ Can see available tools
- ✅ Can add new servers
---
### Phase 1: Code Editor Integration (P0 - Critical)
**Goal:** Replace textarea with professional code editor
**Tasks:**
1. **Download Monaco Editor**
```bash
cd botui
npm install monaco-editor@0.45.0
cp -r node_modules/monaco-editor min/vs ui/suite/js/vendor/
```
2. **Create Editor Component**
- `botui/ui/suite/partials/editor.html`
- Monaco container with tab bar
- File tree sidebar
- Save/Publish buttons
3. **Editor JavaScript**
- `botui/ui/suite/js/editor.js`
- Monaco initialization
- Language detection (.html, .css, .js, .bas, .json)
- Tab management (open, close, switch)
- Auto-save with WebSocket sync
4. **API Endpoints**
- `botserver/src/api/editor.rs`
- GET `/api/editor/file/{path}` - Read file
- POST `/api/editor/file/{path}` - Save file
- GET `/api/editor/files` - List files
5. **Integration**
- Update `chat-agent-mode.html` - replace textarea with Monaco
- Update `vibe.html` - add editor panel
- Add keyboard shortcuts (Ctrl+S, Ctrl+P, Ctrl+Shift+F)
**Success Criteria:**
- Monaco loads in < 2 seconds
- Syntax highlighting for 5+ languages
- Multi-file tabs work
- Auto-save completes successfully
**Estimated Effort:** 8-12 hours
---
### Phase 2: Database UI & Schema Visualization (P0 - Critical)
**Goal:** Visual database management and query builder
**Tasks:**
1. **Schema Visualizer Component**
- `botui/ui/suite/partials/database.html`
- Canvas-based ER diagram
- Table cards with fields
- Relationship lines (foreign keys)
- Zoom/pan controls
2. **Database JavaScript**
- `botui/ui/suite/js/database.js`
- Fetch schema: `/api/database/schema`
- Render tables using Canvas API
- Click table → show field details
- Drag to rearrange
3. **Query Builder UI**
- Visual SELECT builder
- Table selection dropdown
- Join interface
- Filter conditions
- SQL preview pane
4. **Data Grid**
- Sortable columns
- Inline editing
- Pagination
- Export (CSV/JSON)
5. **Backend API**
- `botserver/src/api/database.rs`
- GET `/api/database/schema` - Tables, fields, relationships
- GET `/api/database/table/{name}/data` - Paginated data
- POST `/api/database/query` - Execute SQL
- POST `/api/database/table/{name}/row` - Insert/update
- DELETE `/api/database/table/{name}/row/{id}` - Delete
**Success Criteria:**
- ER diagram shows all tables
- Query builder generates valid SQL
- Data grid supports inline edits
- Export works correctly
**Estimated Effort:** 16-20 hours
---
### Phase 3: Git Operations UI (P1 - High Priority)
**Goal:** Version control interface in Vibe
**Tasks:**
1. **Git Status Panel**
- `botui/ui/suite/partials/git-status.html`
- File list with status icons
- Stage/unstage checkboxes
- "Commit" button
2. **Diff Viewer**
- `botui/ui/suite/partials/git-diff.html`
- Side-by-side comparison
- Line highlighting (green/red)
- Syntax highlighting
3. **Commit Interface**
- Message input
- "Commit & Push" button
- Progress indicator
4. **Branch Manager**
- Branch dropdown
- "New Branch" dialog
- Switch/delete actions
5. **Commit Timeline**
- Vertical timeline
- Author, date, message
- Click → view diff
6. **Backend API**
- `botserver/src/api/git.rs`
- GET `/api/git/status` - Git status
- GET `/api/git/diff/{file}` - File diff
- POST `/api/git/commit` - Create commit
- POST `/api/git/push` - Push to remote
- GET `/api/git/branches` - List branches
- POST `/api/git/branch/{name}` - Create/switch
- GET `/api/git/log` - Commit history
**Success Criteria:**
- Git status displays correctly
- Diff viewer shows side-by-side
- Commit workflow works end-to-end
- Branch switching succeeds
**Estimated Effort:** 12-16 hours
---
### Phase 4: Browser Automation Engine (P1 - High Priority)
**Goal:** Pure Rust browser automation for testing & recording
**Why Rust + Chromiumoxide:**
- ✅ Already in workspace: `chromiumoxide = "0.7"`
- ✅ No Node.js dependency
- ✅ Feature flag exists: `browser` in botserver/Cargo.toml
- ✅ Reference implementation: bottest/src/web/browser.rs (1000+ lines)
**Tasks:**
1. **Core Browser Module**
- `botserver/src/browser/mod.rs`
- `BrowserSession` - Manage browser instance
- `BrowserManager` - Session lifecycle
- Methods: `navigate()`, `click()`, `fill()`, `screenshot()`, `execute()`
2. **Action Recorder**
- `botserver/src/browser/recorder.rs`
- `RecordedAction` - Navigate, Click, Fill, Wait, Assert
- `ActionRecorder` - Record/stop/export
- Export as Playwright test
3. **Test Validator**
- `botserver/src/browser/validator.rs`
- Check for flaky selectors
- Validate wait conditions
- Suggest improvements via Designer AI
4. **Browser API**
- `botserver/src/browser/api.rs`
- POST `/api/browser/session` - Create session
- POST `/api/browser/session/:id/execute` - Run action
- GET `/api/browser/session/:id/screenshot` - Capture
- POST `/api/browser/session/:id/record/start` - Start recording
- POST `/api/browser/session/:id/record/stop` - Stop & get actions
- GET `/api/browser/session/:id/record/export` - Export test
5. **Vibe UI - Browser Panel**
- `botui/ui/suite/partials/browser-controls.html`
- URL bar with navigation buttons
- Record/Stop/Export buttons
- Actions timeline
- Browser preview iframe
- Screenshot gallery
- `botui/ui/suite/js/browser.js`
- Session management
- Action recording
- Test export
- `botui/ui/suite/css/browser.css`
- Browser panel styling
- Recording indicator animation
- Actions timeline
- Screenshot gallery grid
6. **Integration with Vibe**
- Add "Browser Automation" button to Vibe toolbar
- Load browser-controls.html in panel
- Element picker for selector capture
- Screenshot capture & gallery
**Success Criteria:**
- Can navigate to any URL
- Element picker captures selectors
- Recording generates valid Playwright tests
- Screenshots capture correctly
**Estimated Effort:** 20-24 hours
---
### Phase 5: Multi-File Editing Workspace (P2 - Medium Priority)
**Goal:** Professional multi-file editing
**Tasks:**
1. **Tab Management**
- File tabs with close buttons
- Active tab highlighting
- Tab overflow scrolling
- Drag to reorder
2. **Split-Pane Layout**
- Split horizontal/vertical buttons
- Resize handles
- 2x2 grid max
3. **File Comparison**
- Side-by-side diff
- Line-by-line navigation
- Copy changes (L→R)
4. **File Tree Sidebar**
- Nested folders
- File type icons
- Expand/collapse
- Double-click to open
5. **Quick Open**
- Ctrl+P → Search files
- Fuzzy matching
- Arrow navigation
6. **Project Search**
- Ctrl+Shift+F → Search all files
- Results with line numbers
- Click to open file
**Success Criteria:**
- 10+ files open in tabs
- Split view works (2-4 panes)
- File comparison displays diffs
- Quick open searches files
**Estimated Effort:** 12-16 hours
---
### Phase 6: Enhanced Terminal (P2 - Medium Priority)
**Goal:** Interactive shell in Vibe
**Tasks:**
1. **Terminal Container**
- xterm.js integration (already vendor file)
- Multiple terminal tabs
- Fit addon for auto-resize
2. **WebSocket Terminal**
- Bi-directional WebSocket: `/ws/terminal/{session_id}`
- Protocol: `{"type": "input", "data": "command\n"}`
- Handle ANSI escape codes
3. **Command History**
- Up/Down arrows
- Ctrl+R search
- Persist in localStorage
4. **Command Completion**
- Tab completion
- File path completion
- Command flags
5. **Backend Terminal Server**
- Spawn PTY per session
- WebSocket handler
- Clean up on disconnect
6. **File Transfer**
- Drag file to upload
- `upload` / `download` commands
- Progress bars
**Success Criteria:**
- Can type commands & see output
- Arrow keys navigate history
- Can run vim, top, etc.
- Multiple terminals work
**Estimated Effort:** 10-14 hours
---
### Phase 7: Advanced CRM Templates (P2 - Medium Priority)
**Goal:** Pre-built CRM accelerators
**Tasks:**
1. **Template System**
- `botserver/src/templates/crm/`
- Template JSON definitions
- Prompt templates
- Field libraries
2. **CRM Templates**
- **Sales CRM**
- Tables: contacts, leads, opportunities, accounts, activities
- Pages: dashboard, pipeline, contacts list
- Tools: lead_scoring, email_automation
- Schedulers: daily_summary, weekly_review
- **Real Estate CRM**
- Tables: properties, clients, showings, offers
- Pages: property gallery, client portal
- Tools: mls_sync, showing_scheduler
- Schedulers: showing_reminders, market_update
- **Healthcare CRM**
- Tables: patients, appointments, treatments, insurance
- Pages: patient portal, appointment scheduler
- Tools: insurance_verification, appointment_reminders
- Schedulers: daily_appointments, insurance_alerts
3. **Template Gallery UI**
- `botui/ui/suite/partials/template-gallery.html`
- Template cards with descriptions
- Preview screenshots
- "Use Template" button
4. **Template Generator**
- Load template JSON
- Customize with user details
- Generate all files
- Deploy to /apps/{name}
**Success Criteria:**
- Can select template from gallery
- Template generates full CRM
- Customization works
- Generated CRM is functional
**Estimated Effort:** 20-24 hours
---
## Part V: Technical Implementation Notes
### Code Quality Standards (per AGENTS.md)
**MUST Follow:**
1. ✅ **Error Handling** - NO panics, use `?` operator
2. ✅ **Safe Commands** - Use `SafeCommand` wrapper
3. ✅ **Error Sanitization** - Use `ErrorSanitizer`
4. ✅ **SQL Safety** - Use `sql_guard`
5. ✅ **Rate Limiting** - Per-IP and per-User limits
6. ✅ **CSRF Protection** - CSRF tokens on state-changing endpoints
7. ✅ **Security Headers** - CSP, HSTS, X-Frame-Options, etc.
8. ✅ **No CDNs** - All assets local
9. ✅ **File Size** - Max 450 lines per file
10. ✅ **Clippy Clean** - 0 warnings, no `#[allow()]`
### File Organization
**Botui (Frontend):**
```
botui/ui/suite/
partials/
editor.html
database.html
git-status.html
git-diff.html
browser-controls.html
terminal.html
template-gallery.html
vibe-mcp-panel.html # NEW - MCP integration
js/
editor.js
database.js
git.js
browser.js
terminal.js
templates.js
vibe-mcp.js # NEW - MCP integration
css/
editor.css
database.css
git.css
browser.css
terminal.css
templates.css
vibe/
mcp-panel.css # NEW - MCP integration
```
**Botserver (Backend):**
```
botserver/src/
api/
editor.rs
database.rs
git.rs
browser/
mod.rs # BrowserSession, BrowserManager
recorder.rs # ActionRecorder
validator.rs # TestValidator
api.rs # HTTP endpoints
test_generator.rs
templates/
crm/
sales.json
real_estate.json
healthcare.json
mod.rs
sources/ # ALREADY EXISTS
mod.rs
mcp.rs
ui.rs
knowledge_base.rs
```
### Dependencies
**Already in Workspace:**
```toml
chromiumoxide = "0.7" # Browser automation
tokio = "1.41" # Async runtime
axum = "0.7" # HTTP framework
diesel = "2.1" # Database
git2 = "0.18" # Git operations (add if needed)
```
**Frontend (download & serve locally):**
```
monaco-editor@0.45.0 # Code editor
xterm.js@5.3.0 # Terminal (already vendor file)
```
---
## Part VI: Testing Strategy
### Unit Tests
- All new modules need unit tests
- Test coverage > 80%
- Location: `botserver/src/<module>/tests.rs`
### Integration Tests
- End-to-end workflows
- Location: `bottest/tests/integration/`
### E2E Tests
- Use chromiumoxide (bottest infrastructure)
- Location: `bottest/tests/e2e/`
- Test scenarios:
- Generate CRM from template
- Edit in Monaco editor
- View database schema
- Create git commit
- Record browser test
---
## Part VII: Rollout Plan (UPDATED)
### Milestone 0: Security & MCP (Week 0)
- **Day 1-2:** Fix all unsafe `unwrap()` calls
- **Day 3:** Address dependency vulnerabilities
- **Day 4:** Verify CSRF & security headers
- **Day 5:** Integrate MCP panel into Vibe UI
### Milestone 1: Core Editor (Week 1)
- Phase 1 complete (Monaco integration)
### Milestone 2: Database & Git (Week 2)
- Phase 2 complete (Database UI)
- Phase 3 complete (Git Operations)
### Milestone 3: Browser & Workspace (Week 3)
- Phase 4 complete (Browser Automation)
- Phase 5 complete (Multi-File Editing)
### Milestone 4: Terminal & Templates (Week 4)
- Phase 6 complete (Enhanced Terminal)
- Phase 7 complete (CRM Templates)
---
## Part VIII: Success Metrics
### Security Milestones
- ✅ Zero `unwrap()` in production code
- ✅ `cargo audit` passes
- ✅ All endpoints have CSRF + security headers
### Phase 0.5: MCP Integration
- ✅ MCP panel visible in Vibe sidebar
- ✅ Can enable/disable servers
- ✅ Can view available tools
- ✅ Can add new servers
### Phase 1: Code Editor
- Monaco loads < 2 seconds
- 5+ syntax highlighters work
- Multi-file tabs functional
- Auto-save succeeds
### Phase 2: Database UI
- Schema visualizer displays all tables
- Query builder generates valid SQL
- Data grid supports inline edits
- Export functionality works
### Phase 3: Git Operations
- Git status shows changed files
- Diff viewer shows side-by-side
- Commit workflow works
- Branch switching succeeds
### Phase 4: Browser Automation
- Can navigate to any URL
- Element picker captures selectors
- Recording generates valid tests
- Screenshots capture correctly
### Phase 5: Multi-File Workspace
- 10+ files open in tabs
- Split view supports 2-4 panes
- File comparison works
- Project search is fast (< 1s for 100 files)
### Phase 6: Terminal
- Interactive shell works
- Can run vim, top, etc.
- Multiple terminals run simultaneously
- File transfer works
### Phase 7: CRM Templates
- 3+ CRM templates available
- Generation takes < 30 seconds
- Generated CRMs are fully functional
- Industry-specific features work
---
## Conclusion
The BotUI platform has a **powerful backend** capable of generating full applications via LLM. The main gaps are in the **frontend user experience** and **security hardening**.
**Key Insight:**
- The `botserver/src/sources/` infrastructure for MCP is **already complete**
- The Vibe UI exists and is functional
- We need to **connect** them: add an MCP panel to the Vibe sidebar
**Updated Priority Order:**
1. ⚠️ **Security fixes** (Week 0) - Unblock development risk
2. 🔌 **MCP integration** (Week 0.5) - Quick win, leverage existing code
3. 📝 **Code editor** (Week 1) - Core developer tool
4. 🗄️ **Database UI** (Week 2) - Visual data management
5. 🐙 **Git operations** (Week 2) - Version control
6. 🌐 **Browser automation** (Week 3) - Testing & recording
7. 📂 **Multi-file workspace** (Week 3) - Professional editing
8. 🖥️ **Terminal** (Week 4) - Interactive shell
9. 📇 **CRM templates** (Week 4) - Accelerators
Once these phases are complete, VibeCode will match or exceed Claude Code's capabilities while offering:
✅ **Multi-user SaaS deployment**
**Visual app building** (Vibe Builder)
✅ **Enterprise-grade multi-agent orchestration**
**Pure Rust backend** (no Node.js dependency)
**Integrated MCP servers** (extensible tools)
**Integrated browser automation** (chromiumoxide)
✅ **Professional development environment**
**Total Estimated Effort:** 113-141 hours (~3-4 weeks with 1 developer)

79
prompts/arch.md Normal file
View file

@ -0,0 +1,79 @@
# Missing Areas in Documentation (botbook)
### 1. Missing Testing Documentation
- No comprehensive testing guide
- Missing test strategy documentation
- No performance testing docs
- Missing security testing guide
### 2. Missing Deployment Documentation
- No Docker/Kubernetes deployment guides
- Missing cloud provider specific docs (AWS, Azure, GCP)
- No CI/CD pipeline documentation
- Missing scaling/load balancing guides
### 3. Missing Monitoring Documentation
- No comprehensive observability guide
- Missing alerting configuration docs
- No business metrics documentation
- Missing health check dashboard docs
### 4. Missing Data Management Documentation
- No backup/restore procedures
- Missing data migration guides
- No data validation documentation
- Missing data anonymization for testing
### 5. Missing Developer Experience Documentation
- No local development setup guide
- Missing debugging/troubleshooting guide
- No code review guidelines
- Missing contribution workflow docs
## Missing Areas in Testing (bottest)
### 1. Missing Security Tests
- No authentication/authorization tests
- Missing penetration testing scenarios
- No security vulnerability tests
- Missing DLP policy tests
### 2. Missing Performance Tests
- No load testing infrastructure
- Missing stress testing
- No scalability tests
- Missing concurrency tests
### 3. Missing Integration Tests
- Incomplete service integration tests
- Missing third-party service tests
- No end-to-end workflow tests
- Missing data consistency tests
### 4. Missing Compliance Tests
- No SOC2 compliance tests
- Missing GDPR compliance tests
- No data retention tests
- Missing audit trail tests
### 5. Missing User Experience Tests
- No accessibility (a11y) tests
- Missing internationalization tests
- No user journey tests
- Missing error handling tests
## Most Critical Missing Documentation:
1. Testing Strategy - Can't ensure quality without proper testing docs
2. Deployment Guides - Hard to deploy to production
3. Monitoring Setup - Can't maintain production systems
4. Security Testing - Critical for enterprise adoption
5. Developer Onboarding - Hard for new contributors
## Most Critical Missing Tests:
1. Security Tests - Critical vulnerabilities could go undetected
2. Performance Tests - Scaling issues won't be caught
3. Integration Tests - Service dependencies could break
4. Compliance Tests - Regulatory requirements not verified
5. End-to-End Tests - Complete workflows not validated

175
prompts/campaigns.md Normal file
View file

@ -0,0 +1,175 @@
# Campaigns - Multichannel Marketing Platform
## Overview
Unified campaign management system supporting email, WhatsApp, Instagram, and Facebook with AI-powered content generation and targeting.
## Core Tables
### 1. marketing_campaigns
Main campaign entity linking deals, contacts, and metrics.
| Column | Type | Description |
|--------|------|-------------|
| id | uuid | Primary key |
| org_id | uuid | Organization |
| bot_id | uuid | Bot |
| name | varchar(100) | Campaign name |
| status | varchar(20) | draft, scheduled, running, paused, completed |
| channel | varchar(20) | email, whatsapp, instagram, facebook, multi |
| content_template | jsonb | AI-generated content per channel |
| scheduled_at | timestamptz | When to send |
| sent_at | timestamptz | When actually sent |
| metrics | jsonb | Opens, clicks, responses |
| budget | numeric | Campaign budget |
| created_at | timestamptz | |
| updated_at | timestamptz | |
### 2. marketing_lists
Saved recipient lists (static or dynamic).
| Column | Type | Description |
|--------|------|-------------|
| id | uuid | Primary key |
| org_id | uuid | Organization |
| bot_id | uuid | Bot |
| name | varchar(100) | List name |
| list_type | varchar(20) | static, dynamic |
| query_text | text | SQL-like filter or broadcast.bas path |
| contact_count | int | Cached count |
| created_at | timestamptz | |
| updated_at | timestamptz | |
### 3. marketing_list_contacts
Junction table for static lists.
| Column | Type | Description |
|--------|------|-------------|
| list_id | uuid | FK to marketing_lists |
| contact_id | uuid | FK to crm_contacts |
| added_at | timestamptz | |
### 4. marketing_recipients
Track campaign delivery per contact.
| Column | Type | Description |
|--------|------|-------------|
| id | uuid | Primary key |
| campaign_id | uuid | FK to marketing_campaigns |
| contact_id | uuid | FK to crm_contacts |
| deal_id | uuid | FK to crm_deals (nullable) |
| channel | varchar(20) | email, whatsapp, etc |
| status | varchar(20) | pending, sent, delivered, failed |
| sent_at | timestamptz | |
| delivered_at | timestamptz | |
| opened_at | timestamptz | Email open (pixel) |
| clicked_at | timestamptz | Link click |
| response | jsonb | WhatsApp status callback |
### 5. marketing_templates
Content templates with AI prompts.
| Column | Type | Description |
|--------|------|-------------|
| id | uuid | Primary key |
| org_id | uuid | Organization |
| name | varchar(100) | Template name |
| channel | varchar(20) | email, whatsapp, instagram, facebook |
| subject | varchar(200) | Email subject / WhatsApp text |
| media_url | varchar(500) | Image/video URL |
| ai_prompt | text | Instructions for LLM |
| variables | jsonb | Available placeholders |
| approved | boolean | Meta approval status |
| meta_template_id | varchar(100) | Meta template ID |
| created_at | timestamptz | |
### 6. email_tracking
Email-specific metrics (invisible pixel + link tracking).
| Column | Type | Description |
|--------|------|-------------|
| id | uuid | Primary key |
| recipient_id | uuid | FK to marketing_recipients |
| campaign_id | uuid | FK to marketing_campaigns |
| message_id | varchar(100) | SMTP message ID |
| open_token | uuid | Unique pixel token |
| opened | boolean | |
| opened_at | timestamptz | |
| clicked | boolean | |
| clicked_at | timestamptz | |
| ip_address | varchar(45) | |
| user_agent | varchar(500) | |
### 7. whatsapp_business
WhatsApp Business API configuration.
| Column | Type | Description |
|--------|------|-------------|
| id | uuid | Primary key |
| bot_id | uuid | Bot |
| phone_number_id | varchar(50) | Meta phone ID |
| business_account_id | varchar(50) | Meta business ID |
| access_token | varchar(500) | Encrypted |
| webhooks_verified | boolean | |
## Flow
### 1. Campaign Creation
1. User clicks "New Campaign"
2. Selects channel(s): email, whatsapp, instagram, facebook, multi
3. Chooses audience:
- **broadcast.bas**: If present in .gbdialog, execute and use returned contact list
- **Marketing List**: Select from saved lists
- **Dynamic Query**: Build SQL-like filter
4. AI generates content preview for each channel
5. User edits/approves content
6. Schedule or send immediately
### 2. Audience Selection
```
// broadcast.bas example (.gbdialog/scr/broadcast.bas)
SEND "SELECT id, name, phone, email FROM crm_contacts WHERE tags @> '{prospect}'"
// Result: list of contact UUIDs
```
### 3. Content Generation
- LLM receives: contact data, deal info, campaign goal
- Generates: subject, body text, image suggestion
- User can edit before approval
### 4. Multi-Channel Preview
Single UI showing:
- Email preview (desktop/mobile)
- WhatsApp preview (text + image)
- Instagram/Facebook post preview
- "Publish All" button triggers all channels
### 5. Metrics Sync
- **Email**: Invisible 1x1 pixel for opens, tracked links for clicks
- **WhatsApp**: Webhook callbacks from Meta API
- **Instagram/Facebook**: Graph API for insights
## Deal Integration
- Pipeline stage changes can trigger campaigns
- Deals link to campaigns via `marketing_recipients.deal_id`
- Campaign metrics visible in deal sidebar
## File Structure
```
botserver/src/
marketing/
mod.rs # Routes, handlers
campaigns.rs # CRUD operations
lists.rs # List management
templates.rs # Template management
email.rs # Email sending + tracking
whatsapp.rs # WhatsApp API integration
metrics.rs # Metrics aggregation
ai.rs # Content generation
```
## Dependencies
- WhatsApp: meta-whatsapp-business-webhook
- Email: lettre (SMTP) + tracking pixel
- Instagram/Facebook: facebook-graph-api
- AI: Already have LLM integration in designer

2
prompts/PENDING.md → prompts/finalize.md
View file

@ -2,7 +2,7 @@
> **Last Updated:** 2025-02-28
> **Purpose:** Track actionable tasks and improvements for the GB platform
how much can botserver be clustered if cache tables drive are containerzaed web balancer simple can be done
---
## 🔐 Authentication & Identity (Zitadel)

0
prompts/SECURITY_CHECKLIST.md → prompts/sec-01.md
View file

0
prompts/SECURITY_REVIEW.md → prompts/sec-02.md
View file

1
prompts/sec-apis-botmodels.md Normal file
View file

@ -0,0 +1 @@
secure communication between botmodels and botserver

210
prompts/sec-bigpickle.md Normal file
View file

@ -0,0 +1,210 @@
# Análise de Segurança - BigPickle/General Bots
**Data:** 2026-03-11
**Escopo:** botserver, botlib, bottest
---
## 1. Resumo Executivo
| Categoria | Status | Severidade |
|-----------|--------|------------|
| **Execução de Comandos** | ⚠️ PARCIAL | ALTA |
| **Rate Limiting** | ✅ IMPLEMENTADO | - |
| **CSRF Protection** | ✅ IMPLEMENTADO | - |
| **Security Headers** | ✅ IMPLEMENTADO | - |
| **Error Handling** | ⚠️ PARCIAL | MÉDIA |
| **SQL Injection** | ✅ IMPLEMENTADO | - |
---
## 2. Execução de Comandos (IMP-02)
### 2.1 SafeCommand - Bom
O projeto implementa `SafeCommand` em `botserver/src/security/command_guard.rs`:
- Lista branca de comandos permitidos (ffmpeg, pdftotext, pandoc, etc.)
- Bloqueio de comandos perigosos (wget, nc, netcat, dd, mkfs)
- ~190 usos corretos no codebase
### 2.2 Command::new Direto - PROBLEMA
Encontrados **8 arquivos** com `Command::new` direto (sem SafeCommand):
| Arquivo | Linha | Comando | Risco |
|---------|-------|---------|-------|
| `core/bootstrap/bootstrap_utils.rs` | 39,53,76,99,112,126,133,161,176,211,231 | pkill, pgrep, sh, curl, nc, bash | ALTO |
| `auto_task/container_session.rs` | 27,52,117 | lxc | MÉDIO |
| `core/bootstrap/bootstrap_manager.rs` | 255 | caddy | MÉDIO |
| `llm/local.rs` | 434,530 | cmd_path (dinâmico) | ALTO |
| `botmodels/python_bridge.rs` | 198 | python_path (config) | MÉDIO |
| `monitoring/real_time.rs` | 595 | df | BAIXO |
| `core/package_manager/cli.rs` | 1136 | psql | MÉDIO |
**Recomendação:** Migrar todos para `SafeCommand` ou `AsyncCommand` (para async).
---
## 3. Rate Limiting (IMP-07)
### ✅ Implementado corretamente
- Usa crate `governor` com algoritmo token bucket
- Arquivos:
- `security/rate_limiter.rs` - Rate limiter HTTP global
- `core/rate_limit.rs` - Rate limiter combinado
- `llm/rate_limiter.rs` - Rate limiter LLM
- `core/bot/channels/whatsapp_rate_limiter.rs` - Rate limiter WhatsApp
### Limites configurados
| Tipo | Limite | Burst |
|------|--------|-------|
| Default | 100 req/s | 200 |
| Strict | 50 req/s | 100 |
| Relaxed | 500 req/s | 1000 |
| API | 100 req/s | 150 |
**Status:** ✅ CONFORME
---
## 4. CSRF Protection (IMP-08)
### ✅ Implementado corretamente
- Arquivo: `security/csrf.rs`
- Usa padrão Double-Submit Cookie
- Configurações:
- Token expiry: 60 minutos
- Cookie secure: true
- SameSite: Strict
- Exempt paths: /api/health, /api/version
- Exempt methods: GET, HEAD, OPTIONS
**Status:** ✅ CONFORME
---
## 5. Security Headers (IMP-09)
### ✅ Implementado corretamente
- Arquivo: `security/headers.rs`
| Header | Valor Padrão | Valor Strict |
|--------|--------------|--------------|
| Content-Security-Policy | `self` + inline | `self` apenas |
| X-Frame-Options | DENY | DENY |
| X-Content-Type-Options | nosniff | nosniff |
| Strict-Transport-Security | 1 ano | 2 anos + preload |
| Referrer-Policy | strict-origin-when-cross-origin | no-referrer |
| Permissions-Policy | Bloqueado | Bloqueado |
**Status:** ✅ CONFORME
---
## 6. Error Handling (IMP-01)
### 6.1 Error Sanitizer - Bom
Arquivo: `security/error_sanitizer.rs`
- 72 usos de `log_and_sanitize()` no codebase
- Remove informações sensíveis de logs
### 6.2 unwrap()/expect() - PROBLEMA
Encontrados **945 usos** de `.unwrap()` e `.expect()`:
- Concentrados em:
- `whatsapp/mod.rs` (~20)
- `llm/mod.rs` (~15)
- `security/jwt.rs` (~15)
- `attendance/mod.rs` (~10)
### 6.3 panic!/todo!/unimplemented! - BOM
Apenas **5 ocorrências**:
- 2 panic! (1 em WhatsApp - crítico, 1 em installer)
- 2 todo! (em bottest - aceitável)
- 1 panic! em teste
**Recomendação:** Substituir `.unwrap()` por tratamento adequado com `?`, `ok_or_else()`, ou `match`.
---
## 7. SQL Injection (IMP-04)
### ✅ Implementado corretamente
- Arquivo: `security/sql_guard.rs`
- 69 usos de `sanitize_identifier()` no codebase
- Previne SQL injection em operações de tabela
**Status:** ✅ CONFORME
---
## 8. Autenticação e Autorização
### 8.1 JWT
- Arquivo: `security/jwt.rs`
- Implementação robusta com tokens
### 8.2 RBAC
- Arquivo: `security/rbac_middleware.rs`
- Permissões baseadas em roles
### 8.3 Zitadel
- Arquivo: `security/zitadel_auth.rs`
- Integração com IdP externo
**Status:** ✅ CONFORME
---
## 9. Outras Vulnerabilidades
### 9.1 Secrets Management
- Arquivo: `security/secrets.rs`
- Integração com Vault
### 9.2 Password Security
- Arquivo: `security/password.rs`
- Hashing adequado
### 9.3 MFA/Passkey
- Arquivos: `security/mfa.rs`, `security/passkey.rs`, `security/passkey_service.rs`
### 9.4 DLP (Data Loss Prevention)
- Arquivo: `security/dlp.rs`
### 9.5 File Validation
- Arquivo: `security/file_validation.rs`
---
## 10. Recomendações Prioritárias
| # | Ação | Severidade | Esforço |
|---|------|------------|---------|
| 1 | Migrar Command::new de bootstrap_utils.rs para SafeCommand | ALTA | MÉDIO |
| 2 | Migrar Command::new de container_session.rs para AsyncCommand | ALTA | MÉDIO |
| 3 | Corrigir .unwrap() em whatsapp/mod.rs | ALTA | BAIXO |
| 4 | Migrar llm/local.rs (cmd_path dinâmico) para SafeCommand | ALTA | ALTO |
| 5 | Remover panic! em core/bot/channels/whatsapp.rs:65 | CRÍTICA | BAIXO |
---
## 11. Métricas
- **Linhas de código Rust:** ~150,000
- **Arquivos de segurança:** 30+
- **Testes de segurança:** Presentes
- **Cobertura de linting:** 0 warnings (clippy)
---
## 12. Conclusão
O projeto tem uma **base de segurança sólida** com:
- ✅ Rate limiting, CSRF, Headers implementados
- ✅ SQL guard implementado
- ✅ SafeCommand para maioria das execuções
**Pontos de atenção:**
- ~8 locais ainda usam Command::new direto
- ~945 .unwrap() que podem causar panics
- 1 panic! crítico em produção
**Recomendação:** Corrigir os itens de alta prioridade antes de push para produção.

261
prompts/sec-kilo.md Normal file
View file

@ -0,0 +1,261 @@
# Security Tasklist - Kilo Codebase
## Comprehensive Security Assessment
Based on a thorough analysis of the Kilo codebase, this document outlines the security posture, identifies vulnerabilities, and provides a prioritized tasklist for security improvements.
---
## 1. Security Architecture Overview
The codebase has a well-structured security module with multiple layers of protection:
- **Authentication**: JWT tokens, API keys, session management
- **Authorization**: RBAC (Role-Based Access Control) system
- **Input Validation**: SQL injection prevention, XSS protection, path traversal detection
- **Security Headers**: CSP, HSTS, XSS protection headers
- **Rate Limiting**: Governor-based rate limiting for API endpoints
- **Error Handling**: Error sanitization to prevent sensitive data exposure
- **Command Execution**: SafeCommand wrapper for command injection prevention
- **Audit Logging**: Comprehensive audit event tracking
- **Encryption**: Data encryption, TLS, mTLS support
- **Secrets Management**: Vault integration
---
## 2. Current Security Posture
### Strengths:
1. **Comprehensive security module** with 60+ security-related files
2. **Multiple authentication methods** (JWT, API keys, sessions)
3. **RBAC system** with fine-grained permissions
4. **SQL injection prevention** via SQL guard
5. **Command injection prevention** via SafeCommand
6. **XSS protection** via security headers and input sanitization
7. **Rate limiting** for API endpoints
8. **Error sanitization** to prevent sensitive data exposure
9. **Audit logging** for security events
10. **TLS/mTLS support** with certificate management
### Weaknesses:
1. **Default CSP includes unsafe-inline and unsafe-eval**
2. **Passkey implementation is incomplete** (commented out)
3. **Some files still use Command::new directly** instead of SafeCommand
4. **Potential for path traversal vulnerabilities** in file operations
5. **JWT secret management** uses default secret if not configured
6. **CORS configuration** has permissive default origins in development
7. **Some endpoints have excessive anonymous access**
8. **Error handling could be more robust** in some areas
---
## 3. Detailed Security Tasklist
### High Priority Tasks:
#### 1. CSP Hardening
- **Description**: Remove 'unsafe-inline' and 'unsafe-eval' from default CSP policy
- **Impact**: High - Prevents XSS attacks
- **Files to Modify**: `botserver/src/security/headers.rs`
- **Action Items**:
- Implement nonces or hashes for inline scripts
- Test CSP with all application features
- Update CSP configuration for different environments
#### 2. Passkey Implementation
- **Description**: Complete the passkey module implementation
- **Impact**: High - Adds modern, phishing-resistant authentication
- **Files to Modify**:
- `botserver/src/security/auth_api/passkey.rs`
- Database schema files
- UI integration files
- **Action Items**:
- Add database schema for passkey storage
- Implement passkey authentication flow
- Add passkey UI integration
- Test passkey functionality
#### 3. Command Execution Security
- **Description**: Replace all direct Command::new calls with SafeCommand
- **Impact**: High - Prevents command injection vulnerabilities
- **Files to Check**:
- `botserver/src/security/command_guard.rs` (usage)
- All files with command execution logic
- **Action Items**:
- Audit all places where commands are executed
- Replace direct Command::new calls with SafeCommand
- Add more strict validation for shell script arguments
#### 4. JWT Security
- **Description**: Improve JWT token security
- **Impact**: High - Prevents token-related vulnerabilities
- **Files to Modify**: `botserver/src/security/jwt.rs`
- **Action Items**:
- Enforce minimum secret length requirements
- Implement JWT secret rotation
- Add JWT token validation improvements
- Remove default secret and enforce environment variable configuration
---
### Medium Priority Tasks:
#### 5. CORS Configuration
- **Description**: Restrict CORS configuration for production
- **Impact**: Medium - Prevents unauthorized cross-origin requests
- **Files to Modify**: `botserver/src/main_module/server.rs`
- **Action Items**:
- Restrict allowed origins in production
- Validate CORS configuration for all environments
- Add proper origin validation for API endpoints
#### 6. RBAC and Permissions
- **Description**: Review and improve permission system
- **Impact**: Medium - Prevents unauthorized access to sensitive endpoints
- **Files to Check**:
- `botserver/src/security/auth_api/mod.rs`
- `botserver/src/main_module/server.rs` (route definitions)
- **Action Items**:
- Review and reduce anonymous paths
- Implement more granular permissions for sensitive endpoints
- Add permission validation for all API routes
#### 7. Path Traversal Prevention
- **Description**: Audit file operations for path traversal vulnerabilities
- **Impact**: Medium - Prevents unauthorized file system access
- **Files to Check**: All file handling functions
- **Action Items**:
- Audit all file operations for path traversal vulnerabilities
- Improve path validation in file handling functions
- Add tests for path traversal scenarios
#### 8. Error Handling Improvements
- **Description**: Replace unsafe unwrapping with proper error handling
- **Impact**: Medium - Prevents application crashes and sensitive data exposure
- **Files to Check**: All production code files
- **Action Items**:
- Audit all unwrap()/expect() calls in production code
- Replace with proper error handling
- Ensure all errors are properly sanitized before being returned to clients
---
### Low Priority Tasks:
#### 9. Security Headers
- **Description**: Review and update security headers configuration
- **Impact**: Low - Enhances overall security posture
- **Files to Modify**: `botserver/src/security/headers.rs`
- **Action Items**:
- Review and update security headers configuration
- Ensure all headers are properly set on all responses
- Add tests for security headers
#### 10. Rate Limiting
- **Description**: Improve rate limiting for sensitive endpoints
- **Impact**: Low - Prevents brute force and denial of service attacks
- **Files to Modify**: `botserver/src/security/rate_limiter.rs`
- **Action Items**:
- Review rate limit configurations
- Implement per-user rate limiting for sensitive endpoints
- Add rate limit headers to responses
#### 11. Audit Logging
- **Description**: Enhance audit event coverage
- **Impact**: Low - Improves security monitoring and incident response
- **Files to Modify**: `botserver/src/security/audit.rs`
- **Action Items**:
- Review audit event coverage
- Add more detailed audit events for sensitive operations
- Implement audit log retention and rotation
#### 12. Secrets Management
- **Description**: Improve vault integration and secrets management
- **Impact**: Low - Enhances secret protection
- **Files to Check**:
- `botserver/src/config.rs`
- Vault integration files
- **Action Items**:
- Improve vault integration
- Add secrets rotation mechanisms
- Ensure all sensitive data is properly encrypted
---
## 4. Vulnerability Summary
| Vulnerability | Severity | Status | Description |
|---------------|----------|--------|-------------|
| CSP with unsafe-inline/unsafe-eval | High | Open | Default CSP allows unsafe inline scripts and eval |
| Incomplete passkey implementation | High | Open | Passkey module is commented out and incomplete |
| Direct Command::new usage | Medium | Open | Some files still use direct command execution |
| JWT default secret | Medium | Open | Uses weak default secret if not configured |
| Permissive CORS in dev | Medium | Open | Development CORS has overly permissive origins |
| Excessive anonymous access | Medium | Open | Too many endpoints allow anonymous access |
| Path traversal risks | Medium | Open | File operations may be vulnerable to path traversal |
| Unsafe unwrap() calls | Low | Open | Some production code uses unsafe unwrapping |
---
## 5. Key Files and Directories
### Security Module: `/home/rodriguez/src/gb/botserver/src/security/`
- **auth_api/** - Authentication and authorization APIs
- **jwt.rs** - JWT token management
- **csrf.rs** - CSRF protection
- **headers.rs** - Security headers configuration
- **sql_guard.rs** - SQL injection prevention
- **command_guard.rs** - Command injection prevention
- **error_sanitizer.rs** - Error handling and sanitization
- **rate_limiter.rs** - Rate limiting implementation
- **audit.rs** - Audit logging
### Main Server Configuration: `/home/rodriguez/src/gb/botserver/src/main_module/server.rs`
- Server initialization
- CORS configuration
- Auth provider setup
- API routing
### Input Validation: `/home/rodriguez/src/gb/botserver/src/security/validation.rs`
- Email, URL, phone validation
- XSS prevention
- HTML sanitization
---
## 6. Recommendations
### Process Improvements:
1. **Implement a security review process** for all new code
2. **Add security testing** to CI/CD pipeline
3. **Conduct regular security audits** of the codebase
4. **Update dependencies** to address known vulnerabilities
5. **Implement a bug bounty program** for external security researchers
6. **Add security training** for developers
### Tooling Recommendations:
- **Dependency Scanning**: Use `cargo audit` for vulnerability detection
- **Code Quality**: Use `cargo clippy` with security lints
- **Security Testing**: Implement penetration testing and fuzzing
- **Monitoring**: Set up real-time security event monitoring and alerting
---
## 7. Task Prioritization Strategy
1. **High Priority (Fix within 2 weeks)**: CSP hardening, passkey implementation, command execution security, JWT security
2. **Medium Priority (Fix within 1 month)**: CORS configuration, RBAC/permissions, path traversal prevention, error handling
3. **Low Priority (Fix within 3 months)**: Security headers, rate limiting, audit logging, secrets management
---
## 8. Success Metrics
- 0 critical vulnerabilities
- 0 high severity vulnerabilities
- 95% test coverage for security-related code
- All security tasks completed within recommended timeframes
- No security incidents reported post-implementation
---
*This document is a living security tasklist and should be updated regularly based on codebase changes, security assessments, and emerging threats.*

189
prompts/sec-minmax.md Normal file
View file

@ -0,0 +1,189 @@
# Security Tasklist - MinMax Analysis
## Overview
Comprehensive security tasklist based on automated analysis of all source code modules: botserver, botui, botlib, botdevice, botapp, bottest.
---
## CRITICAL (P0) - Fix Immediately
### 1. Unsafe Command Execution
**Files with direct Command::new (64 remaining):**
- `botserver/src/core/bootstrap/bootstrap_utils.rs:39,53,76,99,112,126,133,161,176,211,231`
- `botserver/src/core/package_manager/installer.rs:1154`
- `botserver/src/botmodels/python_bridge.rs:198`
- `botserver/src/auto_task/container_session.rs:27,52,117`
- `botserver/src/llm/local.rs:434,530`
- `botserver/src/monitoring/real_time.rs:595`
**Action:** Replace ALL `Command::new` with `SafeCommand::new`
### 2. Panic Usage (4 instances)
- `botserver/src/core/bot/channels/whatsapp.rs:65` - `panic!("WhatsApp queue initialization failed")`
- `botserver/src/core/package_manager/installer.rs:28` - `panic!` for parsing error
**Action:** Replace with proper error handling using `?` or `Result`
### 3. Unsafe Unwrap/Expect (647 instances)
Major hotspots:
- `botserver/src/whatsapp/mod.rs` - 30+ unwrap() on JSON serialization
- `botserver/src/llm/mod.rs` - Multiple unwrap() on serialization
- `botserver/src/security/jwt.rs` - Multiple expect() on token operations
**Action:** Systematic replacement with `ok_or_else()`, `match`, or `if let`
---
## HIGH PRIORITY (P1) - Fix Within 1 Week
### 4. SQL Query Construction (format! with SQL)
- `botserver/src/email/signatures.rs:306` - `diesel::sql_query(format!(...))`
- `botserver/src/contacts/contacts_api/service.rs:251` - `format!("SELECT COUNT(*)...")`
- `botserver/src/basic/keywords/db_api.rs:644` - `format!("DELETE FROM {}...")`
- `botserver/src/maintenance/mod.rs:458,479` - `diesel::sql_query(format!(...))`
**Action:** Use sql_guard consistently, validate all table/column names
### 5. CSP Configuration - unsafe-inline/unsafe-eval
- `botserver/src/security/headers.rs` - Default CSP includes unsafe directives
**Action:** Implement nonce-based CSP, remove unsafe-inline/unsafe-eval
### 6. JWT Secret Management
- `botserver/src/security/jwt.rs` - Default secret fallback if not configured
- Multiple `expect("Failed to generate")` in token operations
**Action:** Enforce minimum secret length, fail startup if not configured
---
## MEDIUM PRIORITY (P2) - Fix Within 2 Weeks
### 7. Passkey Implementation - Incomplete
- `botserver/src/security/passkey.rs` - Implementation present but incomplete
- `botserver/src/security/passkey_service.rs` - Service layer incomplete
**Action:** Complete passkey registration/authentication flow
### 8. RBAC - Anonymous Access
- `botserver/src/main_module/server.rs` - Some routes may allow excessive anonymous access
**Action:** Audit all route permissions, minimize anonymous endpoints
### 9. Path Traversal Risks
- `botserver/src/security/path_guard.rs` exists but needs usage audit
- File operations in `botserver/src/basic/keywords/file_ops/`
**Action:** Ensure all file operations use path_guard validation
### 10. Rate Limiting Coverage
- Governor-based rate limiting exists but not applied uniformly
- WhatsApp-specific rate limiter at `botserver/src/core/bot/channels/whatsapp_rate_limiter.rs`
**Action:** Apply consistent rate limiting to ALL API endpoints
---
## LOW PRIORITY (P3) - Fix Within 1 Month
### 11. Error Sanitization Coverage
- 67 instances using `log_and_sanitize` found
- Coverage good in security/rbac.rs, basic/keywords/db_api.rs
- Missing in some API handlers
**Action:** Ensure ALL HTTP error responses use error_sanitizer
### 12. Security Headers
- `botserver/src/security/headers.rs` - Comprehensive implementation exists
- Tests at lines 476-625
**Action:** Verify all responses include security headers
### 13. Audit Logging
- `botserver/src/security/audit.rs` - Module exists
- Need coverage verification for all security events
**Action:** Audit event coverage review
### 14. Secrets Management
- Vault integration via `vaultrs` exists
- Ensure all secrets loaded from `/tmp/` not hardcoded
**Action:** Verify secrets loading from `/tmp/vault-*`
---
## VERIFICATION COMMANDS
### Dependency Audit
```bash
cargo audit
cargo deny check
```
### Code Quality
```bash
cargo clippy --workspace # Target: 0 warnings
```
### Security Tests
```bash
cargo test -p botserver security
```
### Specific Pattern Search
```bash
# Find Command::new
grep -r "Command::new" botserver/src --include="*.rs" | grep -v SafeCommand | grep -v "// Safe"
# Find unwrap/expect
grep -r "\.unwrap\(\)\|\.expect(" botserver/src --include="*.rs" | wc -l
# Find format! with SQL
grep -r 'format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE' botserver/src --include="*.rs"
```
---
## SECURITY MODULES STATUS
| Module | Status | Notes |
|--------|--------|-------|
| sql_guard | ✅ Good | Used in db_api, search, find |
| command_guard | ✅ Good | SafeCommand widely adopted |
| csrf | ✅ Good | Full implementation with Redis store |
| error_sanitizer | ✅ Good | 67 usage instances |
| jwt | ⚠️ Review | Default secret, unwrap usage |
| rate_limiter | ✅ Good | Governor-based |
| headers | ⚠️ Review | CSP needs hardening |
| passkey | ❌ Incomplete | Needs completion |
| audit | ✅ Good | Module exists |
| rbac | ⚠️ Review | Anonymous access audit needed |
---
## TASK BATCH STRATEGY
### Batch 1 - Command Execution (64 files)
1. Search all `Command::new` occurrences
2. Replace with `SafeCommand::new`
3. Verify with clippy
### Batch 2 - Unwrap/Expect (647 instances)
1. Sort by file frequency
2. Fix highest-volume files first:
- whatsapp/mod.rs (30+)
- llm/mod.rs (15+)
- security/jwt.rs (20+)
3. Use offline fix approach
### Batch 3 - SQL Queries (19 instances)
1. Verify sql_guard usage
2. Add validate_table_name calls
3. Test SQL injection resistance
---
*Generated: 2026-03-11*
*Analysis: Automated grep + code review*
*Target: Zero critical/high security issues*

0
task.md → prompts/sec-x.md
View file

2091
prompts/vib.md
View file

File diff suppressed because it is too large Load diff

299
zap.md
View file

@ -1,299 +0,0 @@
# WhatsApp - Bot Salesianos
respeitar AGENTS.md
## Status: Operacional
| Campo | Valor |
|-------|-------|
| Bot ID | `32c579e5-609b-4a07-8599-4e0fccc4d764` |
| Phone | +15558293147 |
| Phone ID | 323250907549153 |
| Business ID | 1261667644771701 |
---
## Comandos
- `/clear` - Limpa histórico da conversa
---
## Streaming
1. Mensagens sem lista: enviar a cada 3 parágrafos
2. Mensagens com lista: **ISOLAR como mensagem única** (sem texto antes ou depois)
3. Limite máximo: 4000 caracteres por mensagem
### Exemplo de Agrupamento Correto
**Resposta completa do bot:**
```
Olá! 😊
Infelizmente, não tenho a informação específica sobre o horário de funcionamento da Escola Salesiana no momento.
Para obter essa informação, você pode:
1. *Entrar em contato com a secretaria* - Posso te ajudar a enviar uma mensagem perguntando sobre os horários
2. *Agendar uma visita* - Assim você conhece a escola pessoalmente e obtém todas as informações necessárias
Gostaria que eu te ajudasse com alguma dessas opções? Se quiser entrar em contato com a secretaria, preciso apenas de:
- Seu nome
- Telefone
- Email
- Sua pergunta sobre os horários
Ou, se preferir, posso agendar uma visita para você conhecer a escola! 🏫
O que prefere?
```
**Deve ser enviado como 5 mensagens separadas:**
**Mensagem 1:**
```
Olá! 😊
Infelizmente, não tenho a informação específica sobre o horário de funcionamento da Escola Salesiana no momento.
Para obter essa informação, você pode:
```
**Mensagem 2 (LISTA ISOLADA):**
```
1. *Entrar em contato com a secretaria* - Posso te ajudar a enviar uma mensagem perguntando sobre os horários
2. *Agendar uma visita* - Assim você conhece a escola pessoalmente e obtém todas as informações necessárias
```
**Mensagem 3:**
```
Gostaria que eu te ajudasse com alguma dessas opções? Se quiser entrar em contato com a secretaria, preciso apenas de:
```
**Mensagem 4 (LISTA ISOLADA):**
```
- Seu nome
- Telefone
- Email
- Sua pergunta sobre os horários
```
**Mensagem 5:**
```
Ou, se preferir, posso agendar uma visita para você conhecer a escola! 🏫
O que prefere?
```
**Regras:**
- ✅ Cada lista = **1 mensagem ISOLADA** (nunca misturar com texto)
- ✅ Texto antes da lista = mensagem separada
- ✅ Texto depois da lista = mensagem separada
- ✅ Listas nunca são quebradas no meio
---
## Testar Webhook (Simular Callback)
Script de teste em `/tmp/test_whatsapp.sh`:
```bash
#!/bin/bash
# Testa o webhook do WhatsApp simulando uma mensagem
BOT_ID="32c579e5-609b-4a07-8599-4e0fccc4d764"
FROM="5521972102162" # Número de teste
curl -X POST "http://localhost:8080/webhook/whatsapp/${BOT_ID}" \
-H "Content-Type: application/json" \
-d '{
"object": "whatsapp_business_account",
"entry": [{
"id": "1261667644771701",
"changes": [{
"field": "messages",
"value": {
"messaging_product": "whatsapp",
"metadata": {
"display_phone_number": "15558293147",
"phone_number_id": "323250907549153"
},
"contacts": [{
"wa_id": "'${FROM}'",
"profile": { "name": "Teste Usuario" }
}],
"messages": [{
"id": "test_msg_'$(date +%s)'",
"from": "'${FROM}'",
"timestamp": "'$(date +%s)'",
"type": "text",
"text": { "body": "Olá, como posso ajudar?" }
}]
}
}]
}]
}'
```
Executar teste:
```bash
bash /tmp/test_whatsapp.sh
```
---
## Testar Comando /clear
```bash
BOT_ID="32c579e5-609b-4a07-8599-4e0fccc4d764"
FROM="5521972102162"
curl -X POST "http://localhost:8080/webhook/whatsapp/${BOT_ID}" \
-H "Content-Type: application/json" \
-d '{
"object": "whatsapp_business_account",
"entry": [{
"id": "1261667644771701",
"changes": [{
"field": "messages",
"value": {
"messaging_product": "whatsapp",
"metadata": {
"display_phone_number": "15558293147",
"phone_number_id": "323250907549153"
},
"contacts": [{
"wa_id": "'${FROM}'",
"profile": { "name": "Teste Usuario" }
}],
"messages": [{
"id": "test_clear_'$(date +%s)'",
"from": "'${FROM}'",
"timestamp": "'$(date +%s)'",
"type": "text",
"text": { "body": "/clear" }
}]
}
}]
}]
}'
```
---
## Debug
```bash
# Verificar servidor
curl http://localhost:8080/health
# Monitorar logs
tail -f botserver.log | grep -iE "(whatsapp|Embedding)"
# Verificar sessões ativas (requer acesso ao banco)
# SELECT * FROM user_sessions WHERE bot_id = '32c579e5-609b-4a07-8599-4e0fccc4d764';
```
---
## Arquivos Relacionados
- Config: `/opt/gbo/data/salesianos.gbai/salesianos.gbot/config.csv`
- Handler: `botserver/src/whatsapp/mod.rs`
- Adapter: `botserver/src/core/bot/channels/whatsapp.rs`
- Cache: `botserver/src/llm/cache.rs`
---
## Pendências
1. **Implementar suporte a `/webhook/whatsapp/default`** (ver TODO abaixo)
2. Configurar webhook na Meta Business Suite para produção
3. Configurar SSL/TLS no servidor de produção
---
## 📋 TODO: Default Bot Routing
### Objetivo
Permitir que a URL `/webhook/whatsapp/default` funcione como roteador dinâmico de bots baseado em comandos de usuário.
### Comportamento Atual
- ✅ `/webhook/whatsapp/{uuid}` → Rota direta para bot específico
- ❌ `/webhook/whatsapp/default`**FALHA** (espera UUID, não aceita "default")
### Comportamento Desejado
1. `/webhook/whatsapp/default` → Rota para o bot default (`/opt/gbo/data/default.gbai/default.gbot`)
2. Quando usuário digita um `whatsapp-id` (ex: "cristo", "salesianos"):
- Sistema busca bot com essa propriedade no `config.csv`
- Mapeia `phone_number``bot_id` na sessão/cache
- Troca de bot para aquela sessão
3. Mensagens subsequentes daquele `phone_number` são roteadas para o bot mapeado
4. Se usuário digitar outro `whatsapp-id`, encerra sessão anterior e abre nova para o novo bot
### Arquivos a Modificar
#### 1. `botserver/src/whatsapp/mod.rs`
- **Linha ~178**: Modificar `verify_webhook` e `handle_webhook`
- Mudar `Path(bot_id): Path<Uuid>``Path(bot_id): Path<String>`
- Adicionar parsing: `"default"` → buscar UUID do bot default
- Manter parsing UUID para compatibilidade
#### 2. `botserver/src/whatsapp/mod.rs`
- **Nova função**: `resolve_bot_id(bot_id_str: &str, state: &AppState) -> Result<Uuid, Error>`
- Se `"default"` → retorna UUID do bot default via `get_default_bot()`
- Se UUID válido → retorna UUID
- Caso contrário → erro
#### 3. `botserver/src/whatsapp/mod.rs`
- **Nova função**: `check_whatsapp_id_routing(message_text: &str, state: &AppState) -> Option<Uuid>`
- Verifica se texto é um comando de troca de bot
- Busca em todos os bots por `whatsapp-id` no `config.csv`
- Retorna bot_id se encontrar match
#### 4. `botserver/src/whatsapp/mod.rs`
- **Modificar** `process_incoming_message`
- Antes de processar, verificar se mensagem é comando de roteamento
- Se for, atualizar mapeamento `phone``bot_id` no cache
- Se não for, usar mapeamento existente do cache
### Bots com whatsapp-id Configurado
- ✅ **cristo.gbot**: `whatsapp-id,cristo`
- ❓ **salesianos.gbot**: verificar se tem whatsapp-id
- ✅ **default.gbot**: não tem whatsapp-id (é o roteador)
### Implementação em Passos
**Passo 1**: Modificar handlers para aceitar "default"
```rust
// Antes
Path(bot_id): Path<Uuid>
// Depois
Path(bot_id_str): Path<String>
let bot_id = resolve_bot_id(&bot_id_str, &state)?;
```
**Passo 2**: Implementar `resolve_bot_id`
- Buscar `get_default_bot()` quando `bot_id_str == "default"`
- Parse UUID caso contrário
**Passo 3**: Implementar roteamento dinâmico
- Verificar cache: `phone_number``bot_id`
- Se não existir, usar bot_id do webhook
- Se mensagem for comando (whatsapp-id), atualizar cache
**Passo 4**: Testar
```bash
# Teste 1: URL com default
curl -X POST "http://localhost:8080/webhook/whatsapp/default" ...
# Teste 2: URL com UUID (deve continuar funcionando)
curl -X POST "http://localhost:8080/webhook/whatsapp/32c579e5-609b-4a07-8599-4e0fccc4d764" ...
# Teste 3: Roteamento por comando
# Enviar mensagem "cristo" → deve rotear para bot cristo
# Enviar mensagem "salesianos" → deve trocar para bot salesianos
```
### URLs de Teste
- Localtunnel: `https://bright-bananas-deny.loca.lt/webhook/whatsapp/default`
- Local: `http://localhost:8080/webhook/whatsapp/default`