| Age | Commit message | Author |
|
Phase 1: Authentication and read-only context
- POST /agent/auth/request - request access with name + agent_id
- GET /agent/auth/poll - poll for approval status
- POST /agent/auth/approve|deny - user approval (browser auth required)
- GET /agent/context - 7-day timeline context (agent session required)
Phase 1.5: Browser-only agent endpoints (HTML pages)
- GET /agent/web/request - request page with token
- GET /agent/web/status - status page with polling
- GET /agent/web/context - context page with timeline data
WebSocket notifications:
- GET /ws/notifications - push agent requests to browsers
- Approval modal with trust indicators and countdown timer
Database:
- agents table for registered agent tracking
- agent_sessions table for pending/active sessions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
|
Allow external resources in Content-Security-Policy:
- frame-src: youtube.com, embed.windy.com (for webcams/weather)
- style-src: fonts.googleapis.com (for Inter font)
- font-src: fonts.gstatic.com (for font files)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
|
- Remove default password fallback - require DEFAULT_PASS in all environments
- Fix XSS vulnerabilities in HTML generation (handlers.go:795,920)
- Add security headers middleware (X-Frame-Options, CSP, HSTS, etc.)
- Add rate limiting on login endpoint (5 req/15min per IP)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|