author Peter Stone <thepeterstone@gmail.com> 2026-03-24 21:54:31 +0000
committer Peter Stone <thepeterstone@gmail.com> 2026-03-24 21:54:31 +0000
commit 407fbc8d346b986bf864452c865282aa726272e2 (patch)
tree 274aa7861a6e4316c1919e93d944023d60846b44 /.agent
parent e3954992af63440986bd39cce889e9c62e1a6b92 (diff)
parent b2e77009c55ba0f07bb9ff904d9f2f6cc9ff0ee2 (diff)
fix: resolve merge conflict — integrate agent's story-aware ContainerRunner
Agent added: Store on ContainerRunner (direct story/project lookup), --reference clone for speed, explicit story branch push, checkStoryCompletion → SHIPPABLE.

My additions: BranchName on Task as fallback when Store is nil, tests updated to match checkout-after-clone approach.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to '.agent')
-rw-r--r-- .agent/worklog.md 129
1 files changed, 74 insertions, 55 deletions
diff --git a/.agent/worklog.md b/.agent/worklog.md
index 6fb8033..d747b1c 100644
--- a/.agent/worklog.md
+++ b/.agent/worklog.md
@@ -1,72 +1,91 @@
-# SESSION_STATE.md
+# Worklog
## Current Task Goal
-ADR-007 implementation: Epic→Story→Task→Subtask hierarchy, project registry, Doot integration
+Move Claudomator UI auth into Doot: replace Apache proxy rules with a Doot-side
+reverse proxy, gating `/claudomator/*` behind Doot's session auth.
-## Status: IN_PROGRESS
+## Status: PLAN — awaiting user confirmation
---
-## Completed Items
-
-| Step | Description | Test / Verification |
-|------|-------------|---------------------|
-| Phase 1 | Doot dead code removal: Bug struct, BugToAtom, bug store methods, bug handlers, bug routes, bugs.html template, TypeNote, AddMealToPlanner stub | `go test ./...` in /workspace/doot — all pass (2 pre-existing failures unrelated) |
-| Phase 2 | Claudomator project registry: `task.Project` type, storage CRUD + UpsertProject, seed.go, API endpoints (GET/POST /api/projects, GET/PUT /api/projects/{id}), legacy AgentConfig.ProjectDir/RepositoryURL/SkipPlanning fields removed, container.go fallback removed, fallbackGitInit removed, processResult changestats extraction removed (pool-side only) | `TestCreateProject`, `TestListProjects`, `TestUpdateProject`, `TestProjects_CRUD` — all pass |
+## Plan: Claudomator UI behind Doot auth
+
+### Architecture
+```
+Browser → Apache (SSL) → Doot :38080 → [session auth] → Claudomator :8484
+```
+Apache currently proxies `/claudomator/*` directly to :8484 with no auth.
+Goal: move the proxy into Doot so session middleware gates it.
+Two processes, two systemd units — unchanged.
+Claudomator base-path already hardcoded to `/claudomator` in web/index.html.
+
+### Step 1 — Doot: add `ClaudomatorURL` config
+- `internal/config/config.go` — add `ClaudomatorURL string` (env: `CLAUDOMATOR_URL`, default: `http://127.0.0.1:8484`)
+- Tests: default + override
+
+### Step 2 — Doot: HTTP + WebSocket reverse proxy handler
+- New file: `internal/handlers/claudomator_proxy.go`
+- `httputil.ReverseProxy` for normal requests; WS connection hijacker for upgrades
+- Director strips `/claudomator` prefix from both `URL.Path` AND `URL.RawPath` (handles encoded chars in task names/IDs)
+- Do NOT set `ReadDeadline`/`WriteDeadline` on hijacked WS connections (kills long-lived task monitoring)
+- Preserve `Service-Worker-Allowed` response header so SW scopes correctly under `/claudomator`
+- Tests: HTTP forward, prefix strip, WS tunnel
+
+### Step 3 — Doot: restructure CSRF middleware, mount proxy
+- `cmd/dashboard/main.go`: move CSRF out of global middleware into a route group
+- `/claudomator` → redirect 301 to `/claudomator/` (trailing slash; prevents asset fetch breakage)
+- `/claudomator/api/webhooks/github` → exempt from `RequireAuth` (GitHub POSTs have no session; endpoint does its own HMAC validation)
+- `/claudomator/*` route: `RequireAuth` only (no CSRF — SPA doesn't send Doot's CSRF token)
+- All other routes: wrapped in CSRF group (behavior unchanged)
+
+### Step 4 — Apache: remove Claudomator proxy rules
+- Remove 4 lines from `/etc/apache2/sites-enabled/doot.terst.org-le-ssl.conf`
+- `apache2ctl configtest && apache2ctl graceful`
+
+### Step 5 — Smoke tests
+- Unauthenticated `/claudomator/` → 302 to `/login`
+- `/claudomator` (no slash) → 301 to `/claudomator/`
+- Authenticated: UI loads, task CRUD works, WS live updates, log streaming
+- GitHub webhook POST to `/claudomator/api/webhooks/github` → not redirected to login
+
+### Risks
+- CSRF restructure: verify all existing Doot routes still pass their tests after moving CSRF to a group
+- SecurityHeaders CSP already allows `wss: ws:` — no change needed
+- Claudomator :8484 remains accessible on localhost without auth (acceptable for now)
+- Future: `/claudomator/api/*` technically CSRF-vulnerable from other origins; mitigate later by injecting `XSRF-TOKEN` cookie
---
-## Next Steps (Claudomator tasks created)
-
-Phases 3–6 are queued as Claudomator tasks. See `ct task list` or the web UI.
+## Previous Task: ADR-007 — Epic→Story→Task hierarchy (IN_PROGRESS)
-| Task ID | Phase | Status | Depends On |
-|---------|-------|--------|------------|
-| f8829d6f-b8b6-4ff2-9c1a-e55dd3ab300e | Phase 3: Stories data model | PENDING | — |
-| c8a0dc6c-0605-4acb-a789-1155ad8824cb | Phase 4: Story execution and deploy | PENDING | Phase 3 |
-| faf5a371-8f1c-46a3-bb74-b0df1f062dee | Phase 5: Story elaboration | PENDING | Phase 3 |
-| f39af70f-72c5-4ac1-9522-83c2e11b37c9 | Phase 6: Doot — Claudomator integration | PENDING | Phase 3 |
-
-Instruction files: `scripts/.claude/phase{3,4,5,6}-*-instructions.txt`
-
-### Phase 3: Stories data model (claudomator repo)
-- `internal/task/story.go` — Story struct + ValidStoryTransition
-- `internal/storage/db.go` — stories table + story_id on tasks, CRUD + ListTasksByStory
-- `internal/api/stories.go` — story API endpoints
-- Tests: ValidStoryTransition, CRUD, depends_on auto-wire
+### Completed Items
-### Phase 4: Story execution and deploy (claudomator repo, depends Phase 3)
-- `internal/executor/executor.go` — checkStoryCompletion → SHIPPABLE
-- `internal/executor/container.go` — checkout story branch after clone
-- `internal/api/stories.go` — POST /api/stories/{id}/branch
-
-### Phase 5: Story elaboration (claudomator repo, depends Phase 3)
-- `internal/api/elaborate.go` — POST /api/stories/elaborate + approve
-- SeedProjects called at server startup
-
-### Phase 6: Doot — Claudomator integration (doot repo, depends Phase 3)
-- `internal/api/claudomator.go` — ClaudomatorClient
-- `internal/models/atom.go` — StoryToAtom, SourceClaudomator
-- `internal/handlers/atoms.go` — BuildUnifiedAtomList extended
-- `cmd/dashboard/main.go` — wire ClaudomatorURL config
+| Step | Description | Test / Verification |
+|------|-------------|---------------------|
+| Phase 1 | Doot dead code removal: Bug struct, BugToAtom, bug store methods, bug handlers, bug routes, bugs.html template, TypeNote, AddMealToPlanner stub | `go test ./...` in /workspace/doot — all pass |
+| Phase 2 | Claudomator project registry: `task.Project` type, storage CRUD + UpsertProject, seed.go, API endpoints, legacy fields removed | `TestCreateProject`, `TestListProjects`, `TestUpdateProject`, `TestProjects_CRUD` |
+| Phase 3 | Stories data model: Story struct + ValidStoryTransition, stories table, CRUD, story API endpoints | committed 5081b0c |
+| Phase 4 | Story execution and deploy: checkStoryCompletion → SHIPPABLE, story branch checkout, POST /api/stories/{id}/branch | committed 15a46b0 |
+| Phase 5 | Story elaboration: POST /api/stories/elaborate + approve, SeedProjects at startup, GetProject on executor Store interface | committed bc62c35 |
----
+### Pending (Claudomator tasks queued)
-## Key Files Changed (Phases 1-2)
+| Task ID | Phase | Status |
+|---------|-------|--------|
+| f39af70f-72c5-4ac1-9522-83c2e11b37c9 | Phase 6: Doot — Claudomator integration | QUEUED |
-### Claudomator
-- `internal/task/project.go` — new Project struct
-- `internal/task/task.go` — removed Agent.ProjectDir, Agent.RepositoryURL, Agent.SkipPlanning
-- `internal/storage/db.go` — projects table migration + CRUD
-- `internal/storage/seed.go` — SeedProjects upserts claudomator + nav on startup
-- `internal/api/projects.go` — project CRUD handlers
-- `internal/api/server.go` — project routes; processResult no longer extracts changestats
-- `internal/api/deployment.go` + `task_view.go` — use tk.RepositoryURL (was tk.Agent.ProjectDir)
-- `internal/executor/container.go` — fallback logic removed; requires t.RepositoryURL
+### Key Files Changed (Phases 1–5)
-### Doot
+#### Claudomator
+- `internal/task/project.go` — Project struct
+- `internal/task/story.go` — Story struct + ValidStoryTransition
+- `internal/task/task.go` — removed Agent.ProjectDir/RepositoryURL/SkipPlanning
+- `internal/storage/db.go` — projects + stories tables, CRUD
+- `internal/storage/seed.go` — SeedProjects
+- `internal/api/projects.go`, `stories.go`, `elaborate.go` — handlers
+- `internal/executor/executor.go` — GetProject on Store interface, RepositoryURL resolution
+- `internal/cli/serve.go` — SeedProjects at startup
+
+#### Doot
- Bug feature removed entirely (models, handlers, store, routes, template, migration)
-- `migrations/018_drop_bugs.sql` — DROP TABLE IF EXISTS bugs
-- `internal/api/interfaces.go` — AddMealToPlanner removed from PlanToEatAPI
-- `internal/api/plantoeat.go` — AddMealToPlanner stub removed
- `internal/models/atom.go` — SourceBug, TypeBug, TypeNote, BugToAtom removed
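Review bot: Step 3 mounts `/claudomator/*` with `RequireAuth` only and no CSRF, and the Risks list defers the fix ("mitigate later by injecting `XSRF-TOKEN` cookie"), so once this plan ships Doot's session cookie authorises state-changing Claudomator API calls (Step 5 lists task CRUD) with no cross-origin check. I would not defer this: add an `Origin` (or `Sec-Fetch-Site`) check for non-GET requests in the Step 2 proxy handler, cover it in the Step 2 tests, and apply the same `Origin` check to the WebSocket upgrade path, since the hijacked connection is gated by the same session. Two smaller points on the same plan: the `RequireAuth` exemption for `/claudomator/api/webhooks/github` should be an exact match on the cleaned path and limited to POST, because the director also rewrites `URL.RawPath` and an encoded variant of the path must not widen the exemption; and Step 5 should add a negative test that an unauthenticated request to a neighbouring `/claudomator/api/` path still gets the 302 to `/login`.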