Learn Module Session Integration:
- Added AuthenticatedUser extractor to 9 handlers
- submit_quiz, get_progress, start_course, complete_lesson_handler
- create_assignment, get_pending_assignments, get_certificates
- get_recommendations, get_user_stats
Security Auth Role Fetching:
- validate_session_sync() reads from SESSION_CACHE
- Maps role strings to Role enum (Admin, SuperAdmin, etc.)
- Falls back to User role for uncached sessions
AutoTask Improvements:
- get_task_logs() reads from manifest with status-based logs
- store_compiled_intent() saves to cache and database
Face API Full Implementation:
- AWS Rekognition: detect, verify, analyze
- OpenCV: local face detection/verification
- InsightFace: RetinaFace detection, ArcFace verification
- Helper methods: get_image_bytes, simulate_face_detection, generate_landmarks
- Remove broad /api/auth anonymous path that was matching /api/auth/me
- Add specific anonymous paths: /api/auth/login, /api/auth/refresh, /api/auth/bootstrap
- Remove /api/auth/logout, /api/auth/2fa/* from anonymous (require auth)
- Fix /api/auth/me returning 401 for authenticated users
The issue was auth middleware treating /api/auth/me as anonymous due to
prefix matching on /api/auth, while RBAC correctly required authentication.
- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands
- Create comprehensive botbook documentation
- Update SUMMARY.md with protection-tools entry
Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers
- Fix JwtKey::from_secret to use &str instead of &[u8]
- Fix auth_middleware_with_providers to avoid holding &Request across await
- Add ExtractedAuthData struct for thread-safe auth data extraction
- Remove duplicate require_permission_middleware export from rbac_middleware
- Fix check_route_access argument order in rbac_middleware
- Remove unused auth_config field from ZitadelAuthProviderAdapter
- Remove unused imports (body::Body, http::Request, AuthError)
- Make check_permission_string public for middleware use
- Add missing jwt_manager, auth_provider_registry, rbac_manager fields to AppState
Phase 5.1 compilation test: PASSED (0 warnings, 0 errors)
- Fix CSS breakpoints to sync header tabs with dropdown menu visibility
- Add missing apps (docs, sheet, slides, social) to hide/show logic
- Remove incorrect paper breakpoint (not in header tabs)
- Reorder dropdown: dynamic items first (header tab apps), then static items
- Move People after dynamic items (after social)
- Remove duplicate Social entry from dropdown menu
- All 26 suite app folders have menu entries (no orphans)
- Add isBasicFile() and openInDesigner() functions in drive.js
- Remove .bas from inline editor, redirect to designer with bucket/path params
- Update designer FileQuery to include bucket parameter
- Add load_from_drive() function to fetch .bas content from MinIO
- Fix designer initialization for HTMX dynamic loading
- Parse URL params from both query string and hash fragment
- Add parseBasicCodeToNodes() to convert BASIC code to visual nodes
- Support TALK, HEAR, SET, IF, FOR, CALL, WAIT, GET, PARAM commands
- Add saveToDrive() to save changes back to original location
- Fix createNode() to return the created node
- Add generateBasCode() for converting nodes back to BASIC
- Changed apps-dropdown right position from 60px to 0 in app.css
- Wrapped apps button and dropdown in a container with position:relative
- Moved dropdown to be a sibling of the button inside the container
- Removed duplicate dropdown from header-right section
