GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions
3921 commits 88 branches 325 tags 94 MiB
Commit graph

10 commits

Author SHA1 Message Date
Rodrigo Rodriguez
d7211a6c19 fix: Resolve unused import and variable warnings 2026-02-19 11:48:17 +00:00
Rodrigo Rodriguez (Pragmatismo)
479950945b feat(auth): Add OTP password display on bootstrap and fix Zitadel login flow 
- Add generate_secure_password() for OTP generation during admin bootstrap
- Display admin credentials (username/password) in console on first run
- Save credentials to ~/.gb-setup-credentials file
- Fix Zitadel client to support PAT token authentication
- Replace OAuth2 password grant with Zitadel Session API for login
- Fix get_current_user to fetch user data from Zitadel session
- Return session_id as access_token for proper authentication
- Set email as verified on user creation to skip verification
- Add password grant type to OAuth application config
- Update directory_setup to include proper redirect URIs
 2026-01-06 22:56:35 -03:00
Rodrigo Rodriguez (Pragmatismo)
65b2583add Add dynamic table check to all db_api handlers 
- Added is_table_allowed_with_conn check to get_record_handler
- Added is_table_allowed_with_conn check to create_record_handler
- Added is_table_allowed_with_conn check to update_record_handler
- Added is_table_allowed_with_conn check to delete_record_handler
- Returns 404 with clear message if table doesn't exist
 2026-01-02 19:18:58 -03:00
Rodrigo Rodriguez (Pragmatismo)
bbbb9e190f Allow dynamic tables from app_generator in db_api 
- Added table_exists_in_database() to check if table exists in PostgreSQL
- Updated validate_table_name() to allow valid identifiers (not just whitelist)
- Added validate_table_name_with_conn() for full validation with DB check
- Added is_table_allowed_with_conn() for handlers to verify table existence
- Updated list_records_handler and count_records_handler to use dynamic check
- Uses parameterized query for table existence check (SQL injection safe)
 2026-01-02 18:20:04 -03:00
Rodrigo Rodriguez (Pragmatismo)
a5dee11002 Security audit: Remove all production .unwrap()/.expect(), add SafeCommand, ErrorSanitizer 
- Phase 1 Critical: All 115 .unwrap() verified in test code only
- Phase 1 Critical: All runtime .expect() converted to proper error handling
- Phase 2 H1: Antivirus commands now use SafeCommand (added which/where to whitelist)
- Phase 2 H2: db_api.rs error responses use log_and_sanitize()
- Phase 2 H5: Removed duplicate sanitize_identifier (re-exports from sql_guard)

32 files modified for security hardening.
Moon deployment criteria: 10/10 met
 2025-12-28 21:26:08 -03:00
Rodrigo Rodriguez (Pragmatismo)
c67aaa677a feat(security): Complete security infrastructure implementation 
SECURITY MODULES ADDED:
- security/auth.rs: Full RBAC with roles (Anonymous, User, Moderator, Admin, SuperAdmin, Service, Bot, BotOwner, BotOperator, BotViewer) and permissions
- security/cors.rs: Hardened CORS (no wildcard in production, env-based config)
- security/panic_handler.rs: Panic catching middleware with safe 500 responses
- security/path_guard.rs: Path traversal protection, null byte prevention
- security/request_id.rs: UUID request tracking with correlation IDs
- security/error_sanitizer.rs: Sensitive data redaction from responses
- security/zitadel_auth.rs: Zitadel token introspection and role mapping
- security/sql_guard.rs: SQL injection prevention with table whitelist
- security/command_guard.rs: Command injection prevention
- security/secrets.rs: Zeroizing secret management
- security/validation.rs: Input validation utilities
- security/rate_limiter.rs: Rate limiting with governor crate
- security/headers.rs: Security headers (CSP, HSTS, X-Frame-Options)

MAIN.RS UPDATES:
- Replaced tower_http::cors::Any with hardened create_cors_layer()
- Added panic handler middleware
- Added request ID tracking middleware
- Set global panic hook

SECURITY STATUS:
- 0 unwrap() in production code
- 0 panic! in production code
- 0 unsafe blocks
- cargo audit: PASS (no vulnerabilities)
- Estimated completion: ~98%

Remaining: Wire auth middleware to handlers, audit logs for sensitive data
 2025-12-28 19:29:18 -03:00
Rodrigo Rodriguez (Pragmatismo)
561264521c Add SECURITY_TASKS.md - security audit checklist, consolidate duplicate utils 2025-12-28 15:32:48 -03:00
Rodrigo Rodriguez (Pragmatismo)
aeb4e8af0f Fix all clippy warnings - 0 warnings 2025-12-28 14:27:52 -03:00
Rodrigo Rodriguez (Pragmatismo)
96cf7b57f8 App generator LLM-only, app logs, knowledge base, web search, designer magic 2025-12-28 11:50:50 -03:00
Rodrigo Rodriguez (Pragmatismo)
14b7cf70af feat(autotask): Implement AutoTask system with intent classification and app generation 
- Add IntentClassifier with 7 intent types (APP_CREATE, TODO, MONITOR, ACTION, SCHEDULE, GOAL, TOOL)
- Add AppGenerator with LLM-powered app structure analysis
- Add DesignerAI for modifying apps through conversation
- Add app_server for serving generated apps with clean URLs
- Add db_api for CRUD operations on bot database tables
- Add ask_later keyword for pending info collection
- Add migration 6.1.1 with tables: pending_info, auto_tasks, execution_plans, task_approvals, task_decisions, safety_audit_log, generated_apps, intent_classifications, designer_changes
- Write apps to S3 drive and sync to SITE_ROOT for serving
- Clean URL structure: /apps/{app_name}/
- Integrate with DriveMonitor for file sync

Based on Chapter 17 - Autonomous Tasks specification
 2025-12-27 21:10:09 -03:00