mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
56 Commits 2 Branches 0 Tags
5364bd8497042362c057e605a2b0376fcbf8dd44
Commit Graph

26 Commits

Author SHA1 Message Date
mawkone
5364bd8497 feat(api): comprehensive QA hardening — security gates, chat improvements, beta scaffolds 
Closes checklist items F-01..F-06, D-01..D-28, S-01..S-10, C-01..C-07,
B-01..B-07, R-01..R-02, O-03.

Security (28 deletions + 10 auth gates):
- Delete 28 unauthenticated debug/cursor/firebase/test routes
- Gate ai/chat, ai/conversation, context/summarize, work-completed with withTenantProject/withAuth
- Add HMAC-SHA256 signature verification to webhooks/coolify
- Switch all admin secret comparisons to timingSafeStringEq

Foundations (lib/server/*):
- api-handler.ts: withAuth, withTenantProject, withWorkspace, withAdminSecret, withRateLimit
- logger.ts: structured request-scoped logging with turnId
- audit-log.ts: writeAuditLog helper + audit_log table
- rate-limit.ts: Postgres sliding window rate limiter
- coolify-webhook.ts: verifyCoolifySignature
- timing-safe.ts: timingSafeStringEq

Chat hardening (chat/route.ts):
- MAX_TOOL_ROUNDS 15 → 8 (C-01)
- Loop detection: hard-break at 3 identical fingerprints (was 5) (C-02)
- Add 6-consecutive-tool-call hard-break (C-02)
- Mode: respond first, act second prompt block (C-03)
- SSE heartbeat every 25s via setInterval (C-04)
- Per-tool 45s timeout via Promise.race (C-05)
- turnId per-turn UUID for log correlation (C-06)
- Recovery fires when roundsSinceText >= 4 (C-07)
- SSE plan event on plan_task_add/edit (B-05)

Beta features:
- invites table + GET/POST /api/invites (P4.8)
- invites/[token] validate + redeem (P4.8)
- fs_project_dev_servers table + lib/server/dev-server-state.ts (P6.B1)
- fs_project_secrets table + CRUD routes (P6.D2)
- lib/integrations/brief-extract.ts (P3.7)

Documentation:
- app/api/ROUTES.md: full route map with auth + tenant
 2026-05-17 19:17:22 -07:00
mawkone
cd062bd30d fix(deploy): use explicit ssh:// scheme and port 222 for gitea clone urls in coolify 2026-05-16 13:54:17 -07:00
mawkone
67855b94c2 fix(ai): upgrade deploy mechanism to use explicit ssh deploy keys rather than http basic auth to solve gitea cloning bugs 2026-05-16 13:30:14 -07:00
mawkone
cdddaced30 fix(ai): implement two-stage loop detection to warn before hard-stopping (Fix 11) 2026-05-16 12:59:16 -07:00
mawkone
c06ab8650b fix(ai): relax fs_edit line number enforcement to allow safe oldString replacements 2026-05-16 12:54:15 -07:00
mawkone
f053567741 fix(ai): sync auto-commit with streamed result to surface commit SHA to UI (Fix 10) 2026-05-16 12:26:54 -07:00
mawkone
3f4a0de2e6 fix(ai): add hard-rule prompt clause forbidding unverified mutation claims (Fix 8) 2026-05-16 12:25:26 -07:00
mawkone
aff22cba93 fix(ai): force recovery summary when final tools fail (Fix 6) 2026-05-16 12:25:00 -07:00
mawkone
ad66fe61c9 fix(ai): implement fixes 4, 5, and 7 to broaden loop detection, tighten silent stretches, and lower tool round caps 2026-05-16 12:24:09 -07:00
mawkone
8bed453f7c fix(ai): feed verified tool history back into model context to prevent hallucination compounding (Fix 3) 2026-05-16 12:22:58 -07:00
mawkone
0494a67632 feat(ai): persist raw tool execution results in postgres to enable fine-tuning dataset extraction 2026-05-16 11:59:46 -07:00
mawkone
7832e83542 fix(ai): update system prompt to enforce line-number usage for fs_edit to prevent 404 block mismatches 2026-05-15 16:38:17 -07:00
mawkone
67c43028dd feat(ai): inject dynamic codebase summary into system prompt to eliminate blind structure searches 2026-05-15 16:16:45 -07:00
mawkone
377725a98f feat(ui): hardcode visual preview tab to primary frontend port 3000 2026-05-15 16:03:06 -07:00
mawkone
dea388f99d feat(ai): implement adaptive 5-dimensional QA rubric for multi-surface evaluation 2026-05-15 14:35:27 -07:00
mawkone
2db6bee780 feat(ui): add showcase toggle and runtime renderer to design explorer 2026-05-15 14:09:27 -07:00
mawkone
547d74ae44 fix(ui): handle fallback UI for design systems without visual previews 2026-05-15 14:00:01 -07:00
mawkone
3bed7ff3a9 feat(ui): implement split-pane live preview for design systems 2026-05-15 13:56:12 -07:00
mawkone
688378aa1f feat(ai): replace hardcoded design kits with dynamic open-design templates and registries 2026-05-15 13:49:16 -07:00
mawkone
299addfcad feat(ai): integrate open-design capabilities (templates, media generation, visual QA) 2026-05-15 11:07:44 -07:00
mawkone
4862c76a60 feat(ui): add mobile preview device framing and design QA tools 2026-05-15 11:01:49 -07:00
mawkone
6c85b1db34 fix(mcp): resolve external preview routing failures and correct monorepo git paths 2026-05-14 14:56:29 -07:00
mawkone
d99e8f96c5 fix(ai): strip deepseek xml tags from chat history & secure git tools 
This commit addresses the issue where DeepSeek's raw XML markup (like <tool_calls> and <think>) was leaking into chat history, causing hallucinations in subsequent turns. It also patches a vulnerability in the git commit tool where arbitrary shell injection was possible.

Additionally, it includes UX copy and color contrast adjustments for the marketing homepage breadcrumbs.
 2026-05-14 11:34:42 -07:00
mawkone
c8bbae6978 feat(marketing): replace landing page with new site design and animations 2026-05-13 20:50:02 -07:00
mawkone
8bc8bc36f1 fix(ai): add system prompt guardrail to prevent infinite dev server loops when testing protected auth routes 2026-05-13 15:07:31 -07:00
mawkone
575c38cb34 chore: convert submodules to standard directories for true monorepo structure 2026-05-13 14:54:23 -07:00