558171989d
fix(agent): pass AUTH_DATABASE_URL to agent container, auth config requires it
2026-07-06 12:19:14 +03:00
468bdb9000
fix(agent): resolve missing imports — jose, auth config, AUTH_SECRET_KEY
...
- Added python-jose[cryptography] to requirements-agent.txt
- Made sqlalchemy.orm.Session and TokenBlacklist imports lazy in jwt.py
so decode_token works without pulling ORM models into agent image
- Added src/core/auth/__init__.py, config.py, jwt.py to agent Dockerfile COPY
- Added AUTH_SECRET_KEY env var to agent compose (reads from JWT_SECRET)
2026-07-06 12:13:26 +03:00
1c6b3d6e8a
feat(ssl): add passphrase-protected key and PKCS#12 support in nginx entrypoint
...
- docker/frontend.entrypoint.sh: add 3 new functions:
- extract_p12_if_needed — openssl pkcs12 extraction to .crt+.key
- resolve_ssl_passphrase — read SSL_KEY_PASSPHRASE env var
- decrypt_key_if_needed — openssl rsa decryption before nginx start
- Pipeline: install CA -> extract p12 -> get passphrase -> select config -> decrypt key -> start nginx
- Crash-early: encrypted key without SSL_KEY_PASSPHRASE exits entrypoint
- docker-compose.enterprise-clean.yml: add SSL_KEY_PASSPHRASE to frontend env
- .env.enterprise-clean.example: document SSL_KEY_PASSPHRASE usage
- build.sh: add SSL_KEY_PASSPHRASE to generated deploy compose
2026-07-04 17:05:51 +03:00
12118ac4ec
fix(security): resolve Critical+High findings from module audit — agent, translate, superset_client
...
P0 — CRITICAL (CWE-798): JWT_SECRET crash-early
Replace hardcoded super-secret-key fallback with os.environ["JWT_SECRET"]
and ${JWT_SECRET:?} syntax in app.py + docker-compose files
P1 — HIGH: Frontend dependency CVEs
Upgrade svelte 5.43.8 → 5.56.4 — resolves devalue DoS (GHSA-g2pg-6438-jwpf)
and svelte XSS (GHSA-crpf-4hrx-3jrp, GHSA-m56q-vw4c-c2cp, GHSA-rcqx-6q8c-2c42)
P2 — MEDIUM: Logging hygiene + contract gaps + tool resolver refactor
Apply _redact_sensitive_fields() in middleware + event streaming
Truncate LLM error body to 100 chars
Add @RATIONALE/@REJECTED to HandleResume + SaveConversation
Refactor deterministic intent matching → LLM-driven tool resolution
P3 — LOW: Translate logging hardening
Move _sanitize_url() to _utils.py (shared, no circular imports)
Sanitize base_url before logging in _llm_call.py and _llm_async_http.py
Emit EXPLORE warning when LLM_SSL_VERIFY=false disables TLS
superset_client module: passed clean — no changes needed
2026-07-01 13:17:29 +03:00
997329e2a5
fix(agent): resolve ModuleNotFoundError for backend, add E2E test infra
...
- Dockerfile.agent: fix CMD (python -m src.agent.run), use backend/requirements.txt,
minimal COPY (only src.agent + src.core.cot_logger), add GRACE contract
- docker-compose.yml: SERVICE_TOKEN_SECRET -> SERVICE_JWT (match code)
- docker-compose.enterprise-clean.yml: same env var fix
- docker/.env.agent.example: same env var fix
- build.sh: same env var fix
- chore: semantics-testing SKILL.md, backend tests, pyproject.toml
2026-06-14 15:41:46 +03:00
b3bc9e53b9
feat(bundle): add agent image to build.sh bundle + enterprise-clean compose
...
- build.sh bundle_release() now builds ss-tools-agent:{tag} from
docker/Dockerfile.agent alongside backend and frontend
- Generated docker-compose.enterprise-clean.yml includes agent service
(image: + pull_policy: never, port 7860, depends_on: backend)
- Manifest .txt and .json include agent image fields
- sha256sums and load instructions updated for three images
- Static docker-compose.enterprise-clean.yml adds agent service (build
from source) for local 'up enterprise-clean' profile
2026-06-11 16:13:02 +03:00
4c5da7e4d9
alembic fix
2026-06-01 16:34:07 +03:00
79370f3451
fix: pass LLM_SSL_VERIFY env var through docker-compose to container
2026-05-27 15:26:38 +03:00
7ffddff2a6
feat: add LLM SSL verify control and auto CA cert download
...
- LLM_SSL_VERIFY env var to disable SSL verification for corporate proxies
- install_llm_ca_certs() entrypoint function — downloads PEM/DER certs
from LLM_CA_CERT_URLS, converts DER→PEM, installs to system CA store
- _format_connection_error() — detailed exception chain logging
- 7 new unit tests for _get_ssl_verify, _format_connection_error, verify= param
- LLM_CA_CERT_URLS and LLM_SSL_VERIFY in .env.enterprise-clean
- Removed duplicate @RELATION DEPENDS_ON -> [EXT:Library:tenacity]
2026-05-27 14:44:46 +03:00
31680a1bc9
fix(maintenance): auto-expiry + adaptive markdown height + tests
...
- Auto-expiry: expired events auto-end on GET /events via task manager
- Height: _estimate_markdown_height adapted to unit=8px scale with padding detection
- CRITICAL-1: removed dead import remove_chart_from_position (QA finding)
- CRITICAL-2: added chart alive check in ensure_banner_chart (QA finding)
- CRITICAL-3: fixed test assertions update_markdown_chart → update_banner_on_dashboard
- @POST contract: fixed return range [2,12] → [19,200]
- Tests: 8 new tests (auto-expiry + layout height)
2026-05-25 08:36:33 +03:00
09d12b3b68
semantics
2026-05-20 09:59:03 +03:00
1b15fd3fa7
semantic cleanup
2026-05-08 10:07:05 +03:00
5dd10f748a
Bootstrap initial admin via env and add compose profiles
2026-03-17 19:16:25 +03:00
0e94268980
Add docker admin bootstrap for clean release
2026-03-13 11:41:44 +03:00
35cdfb0184
feat: add offline docker bundle for enterprise clean releases
2026-03-11 12:35:01 +03:00