Your Name
55b7cbe904
fix: P1安全加固 — 全局JWT保护 + 审计日志补全 + 敏感字段过滤
...
Settings API:
- 所有端点添加JWT认证(get_current_admin)
- 不可改项(secret_key/api_key/encryption_key/database_url)禁止PUT修改
- 敏感字段GET响应自动脱敏(前8位+...)
- Schedules/Presets/Retry CRUD添加JWT+审计日志
Servers API:
- POST/PUT/DELETE添加JWT认证
- 服务器增删改写审计日志
Assets API:
- Platform/Node写操作添加JWT认证
- Platform创建添加审计日志
2026-05-22 08:46:09 +08:00
Your Name
b9139093f1
fix: 更新.env.example + CLAUDE.md反映D2迁移
...
- .env.example: install.php→install.html引用, 添加NEXUS_API_BASE_URL
- install.py: 移除_write_env中重复的site_url计算
- CLAUDE.md: 全面更新项目记忆, 反映6步完成+D1/D2/D3解决
2026-05-22 08:39:33 +08:00
Your Name
f796ddf0a5
feat: D2 install.php→install.html迁移 + D3 WebSSH终端完善
...
D2: install.php → install.html + FastAPI API
- 新增 server/api/install.py: 6个安装向导API端点(无JWT)
- 新增 web/app/install.html: Alpine.js五步安装向导
- main.py: 条件启动模式(无.env=安装模式,仅/api/install/可用)
- InstallModeMiddleware: 安装模式下非安装路由返回503
- DbSessionMiddleware: 跳过安装API(自管理临时引擎连接)
- 三写一致性: .env + config.php + MySQL settings表同步
D3: WebSSH terminal.html 完善
- 全功能xterm.js终端 + Koko协议 + 自动resize
- Alpine.js + Tailwind CSS v4 统一风格
- 全屏/断开连接/连接状态指示器
文档更新:
- status.md: 第五步→✅ , 完成度~95%
- roadmap.md: D2技术债务已解决
2026-05-22 08:37:01 +08:00
Your Name
c9a99f4fb3
fix: 全项目文档对齐 + 代码清理
...
代码修复:
- web/agent/agent.py: datetime.utcnow() → datetime.now(timezone.utc)
- requirements.txt: 移除 paramiko==3.5.0 (已无活跃引用)
- 删除 server/infrastructure/ssh/pool.py (DEPRECATED, 无引用)
连接池三层对齐 (config.py/.env.example/session.py):
- DB_POOL_SIZE 100→160, DB_MAX_OVERFLOW 100→120
- 基于 MySQL max_connections=400, install.php 公式
文档修复 (21项):
- P0: 硬编码域名/IP替换为配置变量占位符
- P1: 10个过时设计文档加归档标注 (引用旧文件结构)
- P2: step-3-webssh报告 paramiko引用修正
- 6份审查报告连接池参数勘误 100/100→160/120
- ECC安全报告 EC5 datetime.utcnow 标记已修复
- docs/README.md 文档索引重写
- docs/memory/mem_nexus_overview.md 移除硬编码凭证
- docs/project/tech-stack-inventory.md paramiko标记已移除
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 08:19:56 +08:00
Your Name
302fdcc1a1
test: update E2E test suite for v6 API + JWT auth
...
- Login first to acquire JWT token for all protected routes
- Use correct v6 API paths (/api/presets/, /api/schedules/, /api/scripts/)
- Add tests for: scripts CRUD, schedules toggle, settings, audit, sync browse
- Remove obsolete password-presets and retry-jobs paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 00:39:03 +08:00
Your Name
5590391779
feat: Nexus Agent rebrand + server_id + exec endpoint + trigger_type
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Agent (agent.py):
- Rebrand MultiSync → Nexus throughout
- Add server_id to heartbeat payload (required by backend AgentHeartbeat schema)
- Add /exec endpoint for remote command execution via Nexus
- Update heartbeat fields to match backend: cpu_usage, mem_usage, disk_usage
- Use 60s default interval (matches CLAUDE.md spec)
Agent (agent.sh):
- Rebrand, add SERVER_ID env var, send in heartbeat payload
- Update service name to nexus-agent
Agent (install.sh):
- Rebrand, add --id parameter for server_id
- Write server_id to config.json
- Service name: nexus-agent
- Add config.example.json for reference
SyncEngineV2:
- Add trigger_type parameter to sync_files() (was hardcoded "manual")
- Schedule/retry runners can now pass "schedule"/"retry" trigger types
Nginx:
- Add /agent/ to static asset locations for agent file downloads
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 00:37:39 +08:00
Your Name
56993e4f98
fix: auth logout, Nginx configs, missing dependency, CORS
...
- auth: logout endpoint now accepts refresh_token (was admin_id which
frontend can't know) — added logout_by_token() to AuthService
- api.js: sendBeacon uses Blob with application/json content-type
(was sending text/plain which FastAPI couldn't parse)
- Nginx: fixed SPA fallback to 404 (not SPA), added install.php
PHP-FPM handler, added production HTTPS config for api.synaglobal.vip
- requirements: added cryptography==44.0.0 (used by crypto.py but
was missing from requirements.txt)
- models: removed unused Fernet import from domain models
- CORS: added http://api.synaglobal.vip origin
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 00:30:28 +08:00
Your Name
cd3c35b5e6
fix: add per-field save buttons to settings page
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 00:04:29 +08:00
Your Name
f0c586a345
feat: complete frontend interactive features + unified sidebar
...
- credentials: add credential CRUD form (type, host, port, user, password, db)
- schedules: add enable/disable toggle, edit modal, server selection
- retries: add status badges, retry progress bar, error display, refresh
- audit: add action filter dropdown, IP column, better status badges
- settings: reorganize into sections (brand/alert/infra/telegram)
- servers: add/edit modal with full form fields
- scripts: add execute modal + delete button
- All pages: unified sidebar with all nav items + hover states
- install.php: fix post-AdminLTE removal link paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 00:02:46 +08:00
Your Name
00a6491e59
chore: remove AdminLTE PHP frontend (keep only install.php)
...
All functionality now covered by web/app/*.html (Alpine.js + Tailwind).
Deleted: 29 PHP pages, ace editor, chart.min.js, app.js, style.css.
Kept: install.php (installation wizard with DB table creation + .env write).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 23:42:21 +08:00
Your Name
7caa880ebd
feat: unified api.js auth + Pydantic models + JWT security hardening
...
- All Alpine.js pages now use shared api.js for JWT auto-refresh (9 pages)
- Dashboard uses /servers/stats endpoint instead of fetching all servers
- Replaced all raw dict params with Pydantic models (agent, settings, presets)
- Added AgentHeartbeat, AgentExec, SettingUpdatePayload, DbCredentialCreate schemas
- JWT decode now requires exp+sub claims; better error logging
- ServerService.push_to_servers delegates to SyncService.batch_push
- SyncService handles None audit_repo/retry_repo gracefully
- Branding: web/app.js + web/style.css MultiSync→Nexus
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 23:38:01 +08:00
Your Name
a584792603
feat: Pydantic request models + pagination + JWT auto-refresh
...
- server/api/schemas.py: New shared Pydantic models for all API routes
(ServerCreate/Update/Push/Check, SyncFiles/Commands/Config/Sftp/Browse,
ScriptCreate/Update/Execute, ScheduleCreate/Update, PlatformCreate/Update,
NodeCreate/Update, PaginatedResponse)
- servers.py: Replace raw dict with Pydantic models, add pagination
(page/per_page params, response now includes items/total/pages)
- sync_v2.py: Replace raw dict with SyncFiles/Commands/Config/Sftp/Browse
- scripts.py: Replace raw dict with ScriptCreate/Update/Execute
- assets.py: Replace raw dict with PlatformCreate/Update, NodeCreate/Update
- web/app/api.js: Shared JS auth module with JWT auto-refresh (2min
before expiry), 401 retry with refresh token, doLogout with
sendBeacon to backend, backward-compatible ah() alias
- web/app/servers.html: Use api.js, handle paginated response format
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 23:18:49 +08:00
Your Name
1a27327036
fix: PHP frontend JWT auth + API endpoints + missing tables + branding
...
- login.php: Fix JWT response format (success/access_token vs status=ok),
store JWT tokens in session, support TOTP 202 flow
- api_client.php: Dual auth (JWT Bearer + X-API-Key fallback), add
auto-refresh on 401, fix API endpoints (checkServerHealth → array,
getServerLogs, getAuditLogs, getDashboardStats field mapping)
- api_proxy.php: Fix check_all to use /api/servers/check (not per-server),
fix get_logs to support global endpoint, restart_multisync → restart_nexus
- install.php: Add 4 missing tables (platforms, nodes, ssh_sessions,
command_logs), fix table creation order for FK dependencies, add JWT
columns to admins, add new indexes, add platform_id/node_id/protocols/
extra_attrs/connectivity to servers
- logout.php: Call /api/auth/logout to invalidate JWT refresh token
- index.php: Use JWT Bearer auth for API calls
- server_service.py: Implement real check_all_servers with concurrent
httpx Agent health checks (was stub)
- servers.py: Add GET /api/servers/logs global sync logs endpoint
- Branding: MultiSync → Nexus across all PHP files (sidebar, titles,
TOTP issuer, version strings)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 23:11:30 +08:00
Your Name
814e11588e
feat: P1 background tasks + server stats endpoint
...
1. schedule_runner.py: cron-based schedule execution every 60s
- Parses 5-field cron expressions (*, */N, ranges, lists)
- Triggers SyncEngineV2.sync_files for due schedules
- Prevents re-trigger within same minute
2. retry_runner.py: automatic retry of failed pushes every 5min
- Exponential backoff (60s base, doubles per retry, max 64x)
- Respects max_retries from PushRetryJob model
3. GET /api/servers/stats: dashboard aggregation endpoint
- Returns total/online/offline counts + category breakdown
- Reads real-time status from Redis, falls back to MySQL
- Registered before /{id} to avoid path collision
4. main.py: register schedule_runner + retry_runner as background tasks
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:58:17 +08:00
Your Name
73c1776e1e
fix: P0 critical runtime issues
...
1. conftest.py: add missing `from server.main import app` import
2. dependencies.py: get_db() reuses middleware session instead of
creating independent AsyncSessionLocal (fixes double-session bug)
3. auth_jwt.py: get_optional_admin uses request.state.db instead of
creating leaked AsyncSessionLocal session
4. config.py: default DATABASE_URL uses mysql+aiomysql (not pymysql)
5. sync_engine_v2.py: sanitize config keys with regex, escape values
to prevent command injection in sync_config
6. sync_v2.py: add POST /api/sync/browse endpoint for remote dir listing
7. files.html: browseDir calls real API instead of placeholder stub
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:54:35 +08:00
Your Name
ead4b2580f
fix: 3 code bugs + test fixes (46/46 passing)
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
1. infrastructure/__init__.py: remove nonexistent get_ssh_pool import,
use lazy __getattr__ to avoid triggering MySQL engine at import time
2. auth_service.py + auth_jwt.py: JWT sub field must be string
(PyJWT 2.12+ enforces RFC 7519), decode with int() conversion
3. session.py: lazy engine init — engine created on first access
instead of module import time, allows testing without MySQL
4. Tests: fix Column default assertions (SQLAlchemy defaults only
apply on DB INSERT), fix Request.url mock for Starlette
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:30:34 +08:00
Your Name
3ba85986ed
docs: update 194 skill files with cleaned group tags + metadata
...
All skill files group labels cleaned (no duplicates, no garbled text).
CMS developer renamed to frontend developer in AG group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:12:57 +08:00
Your Name
3ecd3d75d4
docs: reports + research + team roster + tech-stack evaluation
...
Add implementation progress reports, review reports (CTO/quality/deploy),
session log, signoff table, team roster, collaboration charter,
tech-stack evaluation and inventory, research reports.
Remove obsolete multisync_server.py.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:12:29 +08:00
Your Name
539c33ef42
feat: Nexus 6.0 6-step implementation (Step 0-5)
...
Step 0: Infrastructure hardening — Redis BlockingConnectionPool,
WebSocket two-layer (memory+Redis Pub/Sub), JWT auth, DB session leak fix
Step 1: Data layer — 4 new tables (platforms/nodes/command_logs/ssh_sessions),
data migration (category→Node), repos + API routes
Step 2: Auth layer — JWT middleware on all routes, TOTP JWT integration
Step 3: Web SSH — asyncssh connection pool, /ws/terminal endpoint,
xterm.js frontend, Koko protocol
Step 4: Sync engine v2 — file/command/config/SFTP modes, parallel execution
Step 5: Frontend migration — 12 Tailwind CSS v4 + Alpine.js pages,
PHP-FPM removal from nginx config
21 Python backend + 12 HTML frontend + 2 deploy configs + 3 test files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:11:38 +08:00
Your Name
e5b0c2d4ef
ci: restore gitea workflows
2026-05-21 05:55:02 +08:00
Your Name
4cfed27bf7
docs: superpowers design specs + plans
2026-05-21 05:50:24 +08:00
Your Name
003ca96f07
tests: load_test + quick_load + test_api
2026-05-21 05:49:05 +08:00
Your Name
9e20898fd0
mcp: multisync_server + bridge + firefox
2026-05-21 05:48:19 +08:00
Your Name
cad49e6de1
docs: memory knowledge base + settings
2026-05-21 05:47:42 +08:00
Your Name
06f1e9ee07
docs: 194 team skills
2026-05-21 05:43:51 +08:00
Your Name
55e14805de
install.php: auto-detect site URL + simplified DB config + auto-configure process guardian
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 05:42:55 +08:00
Your Name
ae94101eb8
docs: add CLAUDE.md project memory for agent continuity
2026-05-20 17:29:02 +08:00
Your Name
f9045a8404
refactor: 仓库结构扁平化 + PHP前端合并到Nexus仓库
...
- 将 Nexus/Nexus/* 移到仓库根目录(消除双层嵌套)
- 删除旧的多层空壳目录 (server/, web/, agent/, deploy/, docs/)
- 将PHP前端 (web/) 合并进Nexus仓库 — 统一管理
- 部署时 git clone Nexus 仓库即可,不再需要两个仓库
目录结构:
server/ ← Python FastAPI后端
web/ ← PHP前端 (install.php, config.php, etc)
deploy/ ← Supervisor + Shell健康检查
docs/ ← 部署文档
tests/ ← 测试
.env ← 不在git中 (install.php生成)
.gitignore ← 排除 .env, SECRETS.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 17:24:21 +08:00
Your Name
05600232b7
feat: Nexus 6.0 Phase A+B — 心跳系统 + 3层守护 + Telegram告警 + install.php重写
...
Phase A (Python Backend):
- E1: WebSocket alert/recovery broadcast (server/api/websocket.py)
- E2: Agent heartbeat → Redis write + alert detection (server/api/agent.py)
- E3: Redis→MySQL 10min batch flush (server/background/heartbeat_flush.py)
- E4: load_settings_from_db() + threshold fields (server/config.py)
- E5: Python self-monitor 30s loop (server/background/self_monitor.py)
- E6: Telegram Bot push module (server/infrastructure/telegram/)
- E7: Server listing reads Redis for live status (server/api/servers.py)
- E8: /health endpoint for Shell health_monitor.sh (server/api/health.py)
- E9: Lifespan startup with background tasks (server/main.py)
Phase C (DevOps):
- D1: Supervisor config (deploy/nexus.conf)
- D2: Shell health_monitor.sh (deploy/health_monitor.sh)
Also:
- .gitignore: restored .env + SECRETS.md exclusion (never commit)
- Agent heartbeat: Redis buffer → frontend direct read → 10min → MySQL
- Alert detection: CPU/mem/disk > threshold → WebSocket + Telegram push
- Recovery detection: previously alerted metrics normal → auto-push recovery
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 17:02:45 +08:00
Your Name
98cb33c3d6
Add .env + SECRETS.md for test deployment (private repo)
...
Temporary: includes real credentials for deployment testing.
Will be removed from .gitignore when switching to formal repo.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 15:46:11 +08:00
Your Name
2cf7602573
Add SECRETS.md to .gitignore — prevent credential leak
...
SECRETS.md is a local-only file for storing database passwords,
API keys, and server credentials. It must never be committed to Git.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 15:37:47 +08:00
Your Name
669a62b17a
Update DEPLOY.md: production domain + clean sensitive values
...
- Domain: api.synaglobal.vip (强制 HTTPS)
- Website directory: /www/wwwroot/api.synaglobal.vip
- Supervisor config using .env (no hardcoded passwords)
- MySQL create DB command uses placeholder password
- Nginx config with 宝塔 SSL path and PHP-FPM socket
- All sensitive values removed from doc — safe for Git
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 15:36:47 +08:00
Your Name
99e23d7e78
Phase 1 complete: Repository implementations + Service layer + API routes + Deploy docs
...
- All 11 Repository Protocol interfaces (Admin, Setting, AuditLog, PushSchedule,
PushRetryJob, PasswordPreset + existing 5)
- All 11 async SQLAlchemy Repository implementations
- 4 Application Services (ServerService, ScriptService, AuthService, SyncService)
- FastAPI DI wiring in dependencies.py (repos → services)
- 6 API route modules (servers, auth, agent, scripts, settings/schedules/presets/audit/retries)
- Agent /api/exec endpoint for remote shell command execution
- Batch push engine with asyncio.Semaphore(10) concurrency control
- TOTP authentication + brute-force protection (5 failures / 15 min lockout)
- DB credential management with $DB_* variable substitution
- Ubuntu deployment guide (docs/DEPLOY.md) with dependency fix script
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 14:42:55 +08:00
Your Name
5ae8855894
Add CI/CD pipeline: Gitea Actions (test + lint + deploy)
...
CI (every push):
- pytest with coverage (>=50% gate)
- ruff lint check
- mypy type check (non-blocking)
CD (main branch only, after CI passes):
- SSH deploy to production server
- git pull + pip install + supervisorctl restart
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 14:25:31 +08:00
Your Name
b2617b4e31
Nexus v6.0.0: Initialize project structure with Clean Architecture
...
- Project brand: Nexus (configurable via settings.SYSTEM_NAME)
- Clean Architecture 4-layer directory structure:
server/domain/models/ — SQLAlchemy models
server/domain/repositories/ — Abstract interfaces (Protocol)
server/infrastructure/database/ — Async SQLAlchemy session + crypto
server/infrastructure/redis/ — Decoupled Redis client
server/infrastructure/ssh/ — Unified SSH connection pool
server/application/services/ — Business logic (TODO)
server/api/ — FastAPI routes (TODO)
- Config: Python 3.12+, PHP 8.2+, MySQL 8.4 LTS, Redis 7.0+
- Async SQLAlchemy (aiomysql) replacing sync pymysql
- Test framework: pytest + async fixtures + Playwright (conftest.py)
- MCP server address: 47.254.123.106
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 14:19:09 +08:00