- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands
- Create comprehensive botbook documentation
- Update SUMMARY.md with protection-tools entry

Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers
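
Added example (not code from this repository): a Rust check that flags NOPASSWD sudoers entries broader than the exact-command rule in the security model above. The `botuser` account, the sample rules and the one-rule-per-line assumption are constructed for illustration; sudoers treats a command listed without arguments as allowing any arguments, so that case is flagged too.

```rust
// Added example: flag NOPASSWD sudoers rules that are broader than an exact command.
// Assumes one rule per line (no backslash continuations or escaped commas).
#[derive(Debug, PartialEq)]
pub enum Finding {
    AllCommands,  // ALL grants every command
    Wildcard,     // *, ? or [..] in the path or arguments
    NotAbsolute,  // command is not a fully qualified path
    Directory,    // trailing '/' allows every file in that directory
    AnyArguments, // no argument list: sudo accepts any arguments
}

// Constructed sample rules; the user name and paths are hypothetical.
const SAMPLE: &str = "\
botuser ALL=(root) NOPASSWD: /usr/bin/lynis audit system --quick
botuser ALL=(root) NOPASSWD: /usr/bin/systemctl start suricata, /usr/bin/systemctl *
botuser ALL=(root) NOPASSWD: /usr/bin/rkhunter
botuser ALL=(root) NOPASSWD: ALL
";

fn classify(cmd: &str) -> Option<Finding> {
    let (path, args) = match cmd.split_once(char::is_whitespace) {
        Some((p, a)) => (p, a.trim()),
        None => (cmd, ""),
    };
    if path == "ALL" { return Some(Finding::AllCommands); }
    if cmd.contains(|c: char| matches!(c, '*' | '?' | '[')) { return Some(Finding::Wildcard); }
    if !path.starts_with('/') { return Some(Finding::NotAbsolute); }
    if path.ends_with('/') { return Some(Finding::Directory); }
    if args.is_empty() { return Some(Finding::AnyArguments); }
    None // exact path with explicit arguments (or "" for none)
}

/// Returns (1-based line number, command, finding) for each risky NOPASSWD entry.
pub fn audit_sudoers(text: &str) -> Vec<(usize, String, Finding)> {
    let mut out = Vec::new();
    for (i, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.starts_with('#') { continue; } // comments and #include directives
        if let Some((_, cmds)) = line.split_once("NOPASSWD:") {
            for cmd in cmds.split(',').map(str::trim).filter(|c| !c.is_empty()) {
                if let Some(f) = classify(cmd) { out.push((i + 1, cmd.to_string(), f)); }
            }
        }
    }
    out
}

fn main() { for f in audit_sudoers(SAMPLE) { println!("{:?}", f); } }
```
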
- Fix JwtKey::from_secret to use &str instead of &[u8]
- Fix auth_middleware_with_providers to avoid holding &Request across await
- Add ExtractedAuthData struct for thread-safe auth data extraction
- Remove duplicate require_permission_middleware export from rbac_middleware
- Fix check_route_access argument order in rbac_middleware
- Remove unused auth_config field from ZitadelAuthProviderAdapter
- Remove unused imports (body::Body, http::Request, AuthError)
- Make check_permission_string public for middleware use
- Add missing jwt_manager, auth_provider_registry, rbac_manager fields to AppState
Phase 5.1 compilation test: PASSED (0 warnings, 0 errors)
- Fix CSS breakpoints to sync header tabs with dropdown menu visibility
- Add missing apps (docs, sheet, slides, social) to hide/show logic
- Remove incorrect paper breakpoint (not in header tabs)
- Reorder dropdown: dynamic items first (header tab apps), then static items
- Move People after dynamic items (after social)
- Remove duplicate Social entry from dropdown menu
- All 26 suite app folders have menu entries (no orphans)
- Add isBasicFile() and openInDesigner() functions in drive.js
- Remove .bas from inline editor, redirect to designer with bucket/path params
- Update designer FileQuery to include bucket parameter
- Add load_from_drive() function to fetch .bas content from MinIO
- Fix designer initialization for HTMX dynamic loading
- Parse URL params from both query string and hash fragment
- Add parseBasicCodeToNodes() to convert BASIC code to visual nodes
- Support TALK, HEAR, SET, IF, FOR, CALL, WAIT, GET, PARAM commands
- Add saveToDrive() to save changes back to original location
- Fix createNode() to return the created node
- Add generateBasCode() for converting nodes back to BASIC
- Changed apps-dropdown right position from 60px to 0 in app.css
- Wrapped apps button and dropdown in a container with position:relative
- Moved dropdown to be a sibling of the button inside the container
- Removed duplicate dropdown from header-right section
- Designer now uses state.bucket_name (like app_generator) instead of DB lookup
- Fixed local file path to match app_server fallback: {site_path}/{bot}.gbai/{bot}.gbapp/{app}/{file}
- Fixed S3 path to match app_server: {bot}.gbapp/{app}/{file} in bucket {bot}.gbai
- Added S3 bucket creation retry logic (like app_generator)
- Updated CSP to allow unpkg.com, cdnjs.cloudflare.com, cdn.jsdelivr.net for scripts/styles
- Added fonts.googleapis.com and fonts.gstatic.com for web fonts
- Updated APP_GENERATOR_PROMPT to use HTMX CDN instead of non-existent /js/vendor path
- Added designer prompt guidelines for relative asset paths
- Add WebSocket proxy for /ws/task-progress in botui (was missing, blocking progress events)
- Fix task detail endpoint to use UUID binding for auto_tasks query
- Fix task list to query auto_tasks table instead of tasks table
- Add proper CSS for task cards with status-based colors
- Add task detail panel CSS for header, progress, sections
- Add count-all to stats HTML response
- Skip 0-byte files in drive monitor and document processor
- Add detailed logging for LLM calls in intent classifier and app generator
- Remove unused variables and fake demo activity simulation
- Change DRIVE_MONITOR checking logs from info to trace
- Fix hardcoded 'gpt-4' model in auto_task modules (intent_classifier, app_generator, designer_ai, intent_compiler) to use configured llm-model from bot config
- Add vector_db (Qdrant) to required bootstrap components for KB indexing
- Add Qdrant health check with clear error messages when unavailable
- Change verbose [START] debug messages from info to trace level
- Fix episodic memory role handling in Claude client (convert 'episodic' to system context)
- Disable auth for /api routes during development
- Add DynamicLLMProvider wrapper for runtime LLM provider updates
- Start DriveMonitor for default.gbai bucket on server startup
- Fix DriveMonitor to detect config.csv changes and update LLM provider
- Fix path matching to detect config.csv in root and .gbot folders
- Add /api/auth to anonymous paths to fix 401 on auth endpoint
- Fix foreign key references in 6.1.0 migration (users.id not users.user_id)
- Use correct bucket name 'default.gbai' for DriveMonitor