5364bd8497
feat(api): comprehensive QA hardening — security gates, chat improvements, beta scaffolds
...
Closes checklist items F-01..F-06, D-01..D-28, S-01..S-10, C-01..C-07,
B-01..B-07, R-01..R-02, O-03.
Security (28 deletions + 10 auth gates):
- Delete 28 unauthenticated debug/cursor/firebase/test routes
- Gate ai/chat, ai/conversation, context/summarize, work-completed with withTenantProject/withAuth
- Add HMAC-SHA256 signature verification to webhooks/coolify
- Switch all admin secret comparisons to timingSafeStringEq
Foundations (lib/server/*):
- api-handler.ts: withAuth, withTenantProject, withWorkspace, withAdminSecret, withRateLimit
- logger.ts: structured request-scoped logging with turnId
- audit-log.ts: writeAuditLog helper + audit_log table
- rate-limit.ts: Postgres sliding window rate limiter
- coolify-webhook.ts: verifyCoolifySignature
- timing-safe.ts: timingSafeStringEq
Chat hardening (chat/route.ts):
- MAX_TOOL_ROUNDS 15 → 8 (C-01)
- Loop detection: hard-break at 3 identical fingerprints (was 5) (C-02)
- Add 6-consecutive-tool-call hard-break (C-02)
- Mode: respond first, act second prompt block (C-03)
- SSE heartbeat every 25s via setInterval (C-04)
- Per-tool 45s timeout via Promise.race (C-05)
- turnId per-turn UUID for log correlation (C-06)
- Recovery fires when roundsSinceText >= 4 (C-07)
- SSE plan event on plan_task_add/edit (B-05)
Beta features:
- invites table + GET/POST /api/invites (P4.8)
- invites/[token] validate + redeem (P4.8)
- fs_project_dev_servers table + lib/server/dev-server-state.ts (P6.B1)
- fs_project_secrets table + CRUD routes (P6.D2)
- lib/integrations/brief-extract.ts (P3.7)
Documentation:
- app/api/ROUTES.md: full route map with auth + tenant
2026-05-17 19:17:22 -07:00
b148552217
fix(ai): hardcode all default LLM references to gemini-3.1-pro-preview across monorepo
2026-05-16 15:00:17 -07:00
22c3e4d3c9
fix(deploy): install openssl in base docker image to fix prisma client initialization error during build phase
2026-05-16 14:05:48 -07:00
cd062bd30d
fix(deploy): use explicit ssh:// scheme and port 222 for gitea clone urls in coolify
2026-05-16 13:54:17 -07:00
67855b94c2
fix(ai): upgrade deploy mechanism to use explicit ssh deploy keys rather than http basic auth to solve gitea cloning bugs
2026-05-16 13:30:14 -07:00
bed6607803
fix(ai): actually throw probe error out of probeDevServerReadiness so AI captures the failure synchronously
2026-05-16 13:16:17 -07:00
cdddaced30
fix(ai): implement two-stage loop detection to warn before hard-stopping (Fix 11)
2026-05-16 12:59:16 -07:00
c06ab8650b
fix(ai): relax fs_edit line number enforcement to allow safe oldString replacements
2026-05-16 12:54:15 -07:00
25558d3923
fix(ai): correct syntax for executing bash scripts inside the dev container
2026-05-16 12:49:50 -07:00
d290951351
feat(ai): inject full directory tree into context to eliminate manual fs_list probing
2026-05-16 12:40:31 -07:00
f053567741
fix(ai): sync auto-commit with streamed result to surface commit SHA to UI (Fix 10)
2026-05-16 12:26:54 -07:00
3f4a0de2e6
fix(ai): add hard-rule prompt clause forbidding unverified mutation claims (Fix 8)
2026-05-16 12:25:26 -07:00
aff22cba93
fix(ai): force recovery summary when final tools fail (Fix 6)
2026-05-16 12:25:00 -07:00
ad66fe61c9
fix(ai): implement fixes 4, 5, and 7 to broaden loop detection, tighten silent stretches, and lower tool round caps
2026-05-16 12:24:09 -07:00
8bed453f7c
fix(ai): feed verified tool history back into model context to prevent hallucination compounding (Fix 3)
2026-05-16 12:22:58 -07:00
0494a67632
feat(ai): persist raw tool execution results in postgres to enable fine-tuning dataset extraction
2026-05-16 11:59:46 -07:00
dbc12de838
feat(ui): add JSON export functionality to session viewer for AI fine-tuning
2026-05-16 11:32:40 -07:00
bc59fb99c1
fix(agent): ensure is_force_https_enabled is applied to docker compose apps when setting custom domains
2026-05-16 11:29:31 -07:00
b682ab35e5
feat(ui): build session viewer to read raw AI transcripts and tool calls
2026-05-16 11:10:05 -07:00
08ea31c39e
fix(agent): increase dev server readiness probe timeout to 300s to accommodate slow Next.js cold boots and prevent premature AI loop restarts
2026-05-15 16:59:10 -07:00
7832e83542
fix(ai): update system prompt to enforce line-number usage for fs_edit to prevent 404 block mismatches
2026-05-15 16:38:17 -07:00
614c30b70c
feat(ui): add manual reload button to preview device toggles
2026-05-15 16:31:31 -07:00
b53cb0546e
fix(ai): ensure dev container is running before attempting to generate codebase summary
2026-05-15 16:22:43 -07:00
67c43028dd
feat(ai): inject dynamic codebase summary into system prompt to eliminate blind structure searches
2026-05-15 16:16:45 -07:00
377725a98f
feat(ui): hardcode visual preview tab to primary frontend port 3000
2026-05-15 16:03:06 -07:00
32567e3b49
feat(ui): remove design tab from primary navigation
2026-05-15 15:49:01 -07:00
106fe6f4c3
feat(ui): move preview device toggles into the global nav rail
2026-05-15 15:42:49 -07:00
dea388f99d
feat(ai): implement adaptive 5-dimensional QA rubric for multi-surface evaluation
2026-05-15 14:35:27 -07:00
2db6bee780
feat(ui): add showcase toggle and runtime renderer to design explorer
2026-05-15 14:09:27 -07:00
547d74ae44
fix(ui): handle fallback UI for design systems without visual previews
2026-05-15 14:00:01 -07:00
3bed7ff3a9
feat(ui): implement split-pane live preview for design systems
2026-05-15 13:56:12 -07:00
688378aa1f
feat(ai): replace hardcoded design kits with dynamic open-design templates and registries
2026-05-15 13:49:16 -07:00
93da5cbd78
fix(ui): import missing Sparkles icon in chat panel
2026-05-15 13:15:10 -07:00
299addfcad
feat(ai): integrate open-design capabilities (templates, media generation, visual QA)
2026-05-15 11:07:44 -07:00
4862c76a60
feat(ui): add mobile preview device framing and design QA tools
2026-05-15 11:01:49 -07:00
6c85b1db34
fix(mcp): resolve external preview routing failures and correct monorepo git paths
2026-05-14 14:56:29 -07:00
0f5fbd0f73
design(auth): update session loading state to match new premium dark mode aesthetic
2026-05-14 14:42:40 -07:00
ba79f0d025
fix(auth): correct css import path to resolve next.js build error
2026-05-14 14:24:54 -07:00
3e32a2d2c9
design(auth): apply new marketing site styling to sign in page
2026-05-14 14:18:02 -07:00
6f987f7639
design(ui): adjust mobile h1 size to prevent text wrapping issues
2026-05-14 13:58:52 -07:00
e21236fa73
copy(marketing): add 'Does this look familiar?' transition to wall section
2026-05-14 13:53:12 -07:00
7cc719383d
copy(marketing): update 'the wall' section headline and sub-headline
2026-05-14 13:49:11 -07:00
ae4896d3fd
copy(marketing): update hero headline and sub-headline
2026-05-14 13:44:47 -07:00
f72a5bb6ba
feat(marketing): make top nav and footer logos link to homepage
2026-05-14 13:07:22 -07:00
c48372d9bd
feat(marketing): add mission page and top nav link
2026-05-14 12:31:35 -07:00
b74af31132
design(ui): brighten hero breadcrumb text contrast
2026-05-14 11:35:36 -07:00
d99e8f96c5
fix(ai): strip deepseek xml tags from chat history & secure git tools
...
This commit addresses the issue where DeepSeek's raw XML markup (like <tool_calls> and <think>) was leaking into chat history, causing hallucinations in subsequent turns. It also patches a vulnerability in the git commit tool where arbitrary shell injection was possible.
Additionally, it includes UX copy and color contrast adjustments for the marketing homepage breadcrumbs.
2026-05-14 11:34:42 -07:00
afee3e6c1f
fix(ui): improve mobile responsiveness on marketing homepage
2026-05-14 10:03:16 -07:00
6151a72bfd
feat(ui): add 5 high-end design systems to registry and fix auth logo styling
2026-05-13 22:51:22 -07:00
1ad2d515ff
fix(auth): correct missing closing brace in auth component
2026-05-13 22:28:26 -07:00
