clock/weather etc. default to 1/6 width; sizes store an integer span 1-12
(legacy s/m/l still accepted by /api/dashboard/layout).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Edit-layout mode: per-card resize (S/M/L), show/hide with a hidden-cards tray,
drag-to-reorder via a dedicated grip handle, and reset-to-default. Persists via
the existing /api/dashboard/layout (order/sizes/hidden) — no backend change.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Removes the rsync --delete / manual-migration / no-rollback footguns from the
deploy path. Validated: clean deploy passes the health gate; a forced health
failure correctly rolls back from the .prev snapshot and recovers.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A cryptographically-verified CF Access JWT (signature vs team JWKS + audience +
email allow-list) now counts as the owner, so browser requests through the CF
tunnel don't need the owner token copied onto each device. Fails closed → owner
token remains the fallback (LAN-direct + dev/tests unaffected). Opt-in via
CF_ACCESS_TEAM_DOMAIN / CF_ACCESS_AUD / CF_ACCESS_OWNER_EMAILS.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it)
- Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak)
- Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup)
- Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s
- Q9: disabled failing syncoid-donatello timer on Z
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Read-only static band from public/devices.json (ARP scan), grouped Smart Home /
Entertainment / Personal / Network / Flagged. Kept distinct from Little Blue's
service health band. Live discovery deferred.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Left sidebar collapses (topbar menu button); rail collapses (topbar button + strip).
- <=860px / portrait: sidebar + rail become off-canvas drawers over main with a
scrim, closed by default; main goes full-width single-column.
- Smooth transitions; crossing the breakpoint resets to a sane default.
- New components/chrome.js owns toggle + drawer state.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Addresses final-review findings: I1 render-generation guard prevents a double-mount
/timer leak on rapid re-navigation; I2 adds anonymous-rejection tests for the owner-only
POST /speedtest/run and /health/check; M1 CSS comment; M2 cron↔worker dedup note;
M4 full 8-byte PNG signature check; M5 card-contract unit test for all 7 cards.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds GET /api/health/services returning registry services grouped by
category with merged cached status and per-group healthy counts, and
POST /api/health/check (owner-only) that enqueues a health.check
pg-boss job. Registers the health_check worker in the jobs index.
Adds HTML5 drag-to-reorder for .sv-card elements in Sacred Valley. The
pure moveId helper is unit-tested. Drop calls PUT /api/dashboard/layout
to persist the new card_order; DOM reflects the new order immediately.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the Plan 6 card framework: svCard() chrome factory, pure orderCards()
ordering helper with unit tests, three stub card modules (clock/weather/host-perf),
and rewrites sacred_valley.js with the two-band layout that mounts ordered cards.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
23 TDD tasks across 4 phases: grid framework + data cards, reuse cards,
speedtest, Little Blue health band. Verified against repo patterns (validate,
api.put, requireOwner, pg-boss, migrations).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Server-side icon cache (lib/health/icons.js + GET /api/icons/:slug.png) fetches
each icon once from dashboard-icons into a persistent dir and serves it from the
LAN. Browser never contacts the CDN; slug sanitized; first-letter fallback.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Two-band dashboard: draggable data cards (clock/weather/host-perf/speedtest/
jobs/inbox/search) + Little Blue read-only Health band (config registry +
pg-boss health engine + grouped service tiles w/ auto-icons). Refined-B chrome,
server-side layout persistence, polling refresh. Fix-it agent deferred.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- migration 011_yerin.sql: seed read-only 'yerin' agent ({read:true}, kind claude,
model NULL = server default; switch to local Ollama via agents.model anytime)
- companion-stdio.js: select the toolset from VOID_TOOL_REGISTRY ('security' →
Yerin's securityRegistry; default → Dross's companionRegistry)
- tests/mcp/registry_select.test.js
Remaining for Yerin (left for review): an entry point (route or cron) + persona
prompt — see docs/yerin-security-agent.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Three more read-only tools on securityRegistry:
- pending_review: agent-proposed changes awaiting approval (injection surface)
- resource_exposure: host/url/status attack-surface inventory (resources.listExposure,
scalar cols only — no monitoring/metadata/credentials)
- token_audit: token label/last_used/revoked, never the hash
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
verifyToken loaded every non-revoked token and bcrypt-compared each (O(n) per
request — auth-latency DoS + linear scaling). New token format
vk_<selector>.<verifier>: the non-secret selector is indexed and locates exactly
one row; only the verifier is bcrypt-hashed. Legacy NULL-selector tokens still
verify via a fallback scan. Dropped the useless idx_agent_tokens_hash.
- migration 010_token_selector.sql (adds selector col + unique partial index)
- createToken/verifyToken reworked; also adds listTokenMeta (read for Yerin's
token_audit tool)
- tests/repos/token_selector.test.js
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- pool.js: add pool.on('error') handler — an idle-client error (DB restart /
.215 failover) previously crashed the process (no 'error' listener → throw)
- context tool: project a SAFE_COLUMNS allow-list for resources (never the
monitoring/metadata JSON blobs); also add 'resource' to TABLE (was unhandled)
- applyPendingChange: guard the 'upsert' arm so a non-upsertable entity_type
fails with a clear ValidationError instead of a bare TypeError
Tests: pool_error, context (resource case), pending_extended_actions (guard).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
New securityRegistry (separate from companionRegistry) with two read-only,
secret-free tools for the Yerin security agent:
- audit_log: query the redacted audit trail by actor_kind/actor_id
- agent_inventory: list agents + capabilities/scopes (explicit projection,
never SELECT *, no token material)
Follows the existing createRegistry() pattern. Design + wiring roadmap in
docs/yerin-security-agent.md. Not yet seeded/exposed over MCP (left for review).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
