Nexus Agent
69068e2e39
feat(ops): server_batch 回收、sync_logs 清理与 Agent 安装跳过
...
部署对齐三项后端能力:启动/周期收尾僵尸批量任务、30 天推送日志 purge、已安装且版本不低于主站时跳过批量安装 Agent。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 15:23:03 +08:00
Nexus Agent
fe8b24ca0b
fix(notify): 资源恢复 Telegram 联动 CPU/内存/磁盘开关
...
关闭分项告警后不再推送对应恢复消息;仪表盘移除服务器列表并更新设置页说明。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 13:22:38 +08:00
Nexus Agent
27da842a20
fix: Telegram 开关多 worker 同步与服务器行内详情展开
...
关闭 notify_* 后通过 Redis 广播同步各 worker 内存设置;修复 expanded id 类型不匹配导致点击名称无法展开详情。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 13:05:22 +08:00
Nexus Agent
8c86b50d09
feat(servers): 未设路径区块与行内详情;命令栏恢复单色
...
服务器页拆分未设路径列表、行内展开详情;API target_path_unset 可选过滤。
命令栏取消 Shell 语法彩色,ANSI 仅保留 xterm SSH 输出区。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 12:48:45 +08:00
Nexus Agent
09d4613e46
fix(scripts): script_executions.results 扩 MEDIUMTEXT 并截断落库
...
366 台批量执行 results JSON 超 TEXT 64KB 导致 flush 失败、状态卡在 running。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 11:57:20 +08:00
Nexus Agent
08a0157c95
feat: 调度表单重构、登录门控、批量任务与页面缓存对齐
...
调度页执行周期可视化/单次执行/分类选机/推送源对齐;登录 IP 门控与无缝导航;
服务器批量后台任务、执行记录、凭据合并、各页激活刷新与错误提示修复。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 11:17:21 +08:00
Nexus Agent
b8425cc059
fix(servers): 状态/心跳/Agent 列 overlay 后排序
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 07:38:28 +08:00
Nexus Agent
06af90d35e
feat(scripts): 执行详情服务器名与顶栏居中提示
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 07:20:37 +08:00
Nexus Agent
0b2d7ac50d
feat(scripts): 异步执行、全局进度看板与完成提示音设置
...
脚本 exec 立即返回 running 并在后台跑批次;/ws/alerts 推送 script_progress/complete;
新增 ScriptRunsPage、Telegram 汇总通知与可配置的浏览器完成提示音。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 07:07:02 +08:00
Nexus Agent
5f63fb0a3f
fix(scripts): 执行进度按成功台数计算,失败项快速定位与面板清理
...
progress 改为 success/total(失败不计入分子);脚本库执行详情中文化、失败筛选与终态任务移出批量状态面板。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 05:11:39 +08:00
Nexus Agent
c435413563
feat(servers): 分类筛选/批量改分类、分页中文与列排序,脚本库按分类选机
...
支持 300+ 台服务器按分类浏览与批量管理,修复分页「全部」与排序;门控 Gate3 强制本地 API。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 04:30:24 +08:00
Nexus Agent
c8b0663508
feat: 批量IP添加、脚本库历史、推送权限记录与脚本SSH执行修复
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
批量添加替代CSV并支持去重;脚本库页内嵌执行历史;推送历史记录 rsync 权限策略;
脚本执行不再依赖 Agent 在线;服务器同步日志与相关单测补齐。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 03:15:40 +08:00
Nexus Agent
dfb0ea2d8f
fix(frontend): 脚本库与推送调度对齐设计文档
...
修复 ScriptsPage 执行契约(script_id/command、历史过滤、长任务/凭据)及 SchedulesPage 缺失能力(target_path、next_run、push/script、cron/once、sync_mode);后端补迁移与 schedule_runner 传参。
2026-06-08 02:39:18 +08:00
Nexus Agent
5ed3c28491
fix(sync): 推送异常时落库 failed,修复订正时区与卡住阈值
...
rsync 抛错时 sync_log 不再永久 running;reconcile 兼容 naive UTC。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 02:14:33 +08:00
Nexus Agent
7ea94a60ab
fix(auth,servers): 修复 refresh 自动登出与服务器状态未知
...
API 返回 status 字段供前端显示在线状态;token_version 为 NULL 时 refresh cookie 含 :None 导致续期 401。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 22:53:29 +08:00
Nexus Agent
05006cb5df
feat(auth): refresh token 先 Redis 后 MySQL 双写
...
登录 30 天会话 hash 持久化到 admin_refresh_tokens;启动从 MySQL 回填 Redis,
Redis 重启后会话仍可 refresh。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 21:56:56 +08:00
Nexus Agent
a14fbb3df3
fix(ssh): 快速添加跳过主机密钥校验并中文化错误
...
凭据轮询在 SSH_STRICT 默认 true 时因 HostKeyNotVerifiable 在认证前失败;
探测始终 known_hosts=None,默认 strict 改为 false,错误信息统一中文。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 21:31:38 +08:00
Nexus Agent
ea2507dbc0
feat(telegram): 全部通知改为中文详细说明
...
统一告警/恢复/系统/Layer3/测试消息格式,含来源、影响与建议操作。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 21:01:47 +08:00
Nexus Agent
f9934bd4f1
feat(ops-patrol): Layer 3 巡检与 Telegram 配置打通
...
保存 Telegram 时同步至 .env,health_monitor 支持 MySQL 回退,
设置页展示巡检状态,部署时自动安装 cron。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 20:17:24 +08:00
Nexus Deploy
4ba45abf38
feat(servers): 凭据轮询登录与连接失败列表
...
- 密码/SSH密钥预设增加用户名;快速添加(IP)轮询全部预设尝试 SSH 登录
- 成功入 servers 列表;失败写入 pending_servers 并支持重试/删除
- 新增 credential_poller、try_ssh_login 与 add-by-ip/pending API
2026-06-06 20:08:48 +08:00
Your Name
78798e3630
feat(push): refactor B0-B6, /ws/sync channel, staging cleanup
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 08:14:09 +08:00
Your Name
928e3c5fdb
fix: 登录白名单 IP 绕过防暴破锁定
...
白名单内 IP 跳过失败次数锁定;失败仅审计不计数;成功登录清除该用户历史失败记录。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 01:37:22 +08:00
Your Name
832e34fd98
fix: 修复 6 个 MEDIUM 级 Bug (锁定/重试/调度/分页/SSH池/token_version)
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 01:29:06 +08:00
Your Name
d93c518a14
feat(files): POSIX paths, elevation, recursive chmod, access hints and docs
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-01 19:54:18 +08:00
Your Name
8311821590
fix: 全量修复批量选择、JWT 60min、script-callback 认证与心跳数据流
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-01 12:17:47 +08:00
Your Name
32feb1b6db
fix: 全站 ruff 清零 — 77 errors → 0
...
Fixes:
- F821: install.py site_url 未定义(NameError)、sync_v2.py os 未导入、script_jobs.py LOG f-string
- F401: 移除 22 个未使用导入(models/__init__.py、install.py、auth.py 等)
- B904: 20 个 except 块 raise 添加 from e/from None
- S110: 20 个有意的 try-except-pass 添加 noqa 注释(SSH清理/DDL幂等/WS断连)
- B007: 3 个未使用循环变量重命名(dirs→_dirs、server_id→_server_id)
- F541: 3 个无占位符 f-string 修正
- F841: auth.py 未使用 ip_address 变量移除
- S105: auth_service.py Redis key prefix 误报 noqa
- B023: script_execution_flush.py 循环变量绑定修复
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-05-30 20:07:45 +08:00
Your Name
84282e87ae
feat: servers list iteration — server-side pagination/search/sort/status filter
...
Backend:
- server_repo.py: get_paginated() adds search/sort_by/sort_order/is_online params
with whitelist-validated sorting and DB-level pagination
- servers.py: list_servers() adds search/sort_by/sort_order/is_online Query params
with Redis post-filter for is_online accuracy
- servers.py: fix all 12 pre-existing ruff errors (unused imports, B904, S110, F541)
- servers.py: fix F821 bug — agent_port undefined in upgrade_agent()
Frontend:
- servers.html: complete rewrite with server-side pagination, debounced search,
clickable column sorting, status filter dropdown, auto-refresh toggle,
keyboard shortcuts (↑↓/jk/Esc//r), CSV export, skeleton loading,
empty state with contextual hints, pagination controls (first/prev/nums/next/last)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-05-30 19:45:53 +08:00
Your Name
74de9d303e
feat: 推送页面 Round 2 迭代 — 同步说明 + 在线标识 + 失败重试 + Telegram通知 + 文件预览
...
F5: 同步模式详细说明 — 每种模式下方显示说明文字,切换时动态更新
F2: 服务器在线状态标识 — 服务器列表显示🟢 /🔴 在线/离线标识
F1: 失败自动重试 — 推送失败自动创建重试任务 + 失败行"🔄 重试"按钮
F3: 推送完成 Telegram 通知 — 全成功🟢 /部分失败🟡 /全失败🔴 三种消息含详情
F4: 文件内容预览 — 文件管理器点击文件名弹出内容预览模态框
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-29 15:59:30 +08:00
Your Name
ad2e7667d3
Merge branch 'claude/condescending-ishizaka-3cff3a'
2026-05-28 21:02:09 +08:00
Your Name
82c297776a
feat: 推送页面 5 项迭代 — WS实时进度 + 分组选择 + 历史增强 + 文件操作 + 推送校验
...
F1: broadcast_sync_progress() + batch_id + 前端WS逐台更新
F2: get_paginated() platform_id/node_id + /categories端点 + 筛选下拉框
F4: _sync_log_to_dict() 补全字段 + diff_summary捕获 + 可展开详情面板
F7: /local-file-ops端点 + 文件管理器删除/重命名
F8: /verify端点 md5sum对比 + 推送后校验UI
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-28 21:01:27 +08:00
Your Name
867e2aa552
Merge branch 'claude/condescending-ishizaka-3cff3a'
...
# Conflicts:
# server/infrastructure/database/setting_repo.py
2026-05-26 21:58:38 +08:00
Your Name
ccb78ed980
feat: SSH key preset system — dropdown + backend auto-resolve
...
- Add SshKeyPreset model + repo (encrypted_private_key, public_key)
- Add ssh_key_preset_id to Server model + schemas
- Add CRUD + reveal API routes (/api/ssh-key-presets/)
- servers.py: auto-resolve ssh_key_preset_id → decrypt → set ssh_key_private
- servers.html: key preset dropdown in key auth section, hides path/textarea on select
- Mirror password preset pattern: zero frontend credential exposure
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com >
2026-05-25 22:49:57 +08:00
Your Name
99201f48fd
fix: MissingGreenlet error — convert all middleware to pure ASGI
...
Root cause: BaseHTTPMiddleware.call_next() runs the endpoint in a
separate async task, which breaks SQLAlchemy's greenlet context.
After session.commit(), the connection is released to the pool.
When session.refresh() tries to acquire a new connection for a
SELECT, it fails with MissingGreenlet because the greenlet spawn
context is not available in the call_next() task.
Fix (two-part):
1. Convert all 4 middleware classes from BaseHTTPMiddleware to pure
ASGI middleware — eliminates call_next() entirely so the entire
request chain runs in the same async context.
2. Set expire_on_commit=False on the session factory — after commit,
objects retain their in-memory values instead of being expired.
This removes the need for session.refresh() entirely.
All session.refresh() calls removed from 11 repository files.
With expire_on_commit=False, post-commit attribute access no longer
triggers lazy loads that would also fail with MissingGreenlet.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com >
2026-05-25 15:24:15 +08:00
Your Name
c72631a293
merge: 安装脚本+PHP移除+宝塔适配 合并到main
...
合并 claude/condescending-ishizaka-3cff3a 分支:
- deploy/install.sh: 一键安装脚本(宝塔/标准模式自适应)
- deploy/upgrade.sh + uninstall.sh
- docs/install-guide.md: 完整中文安装教程
- PHP完全移除: install.php删除, config.php→config.json
- crypto.py: 移除PHP AES-CBC兼容, 纯Fernet
- install.py: 宝塔Supervisor路径自适应, Fernet密钥生成
- install.html: Step 5宝塔/标准模式条件渲染
- 44个冲突文件使用worktree分支版本(全部最新代码)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com >
2026-05-25 08:25:29 +08:00
Your Name
a1276f38ad
feat: 一键安装脚本 + PHP完全移除 + config.php→config.json
...
新增文件:
- deploy/install.sh: 7步一键安装(自动检测宝塔/标准模式)
- deploy/upgrade.sh: git pull + pip install + restart + 健康检查
- deploy/uninstall.sh: 停服务+删配置, 可选--purge删部署目录
- docs/install-guide.md: 完整中文安装教程(宝塔+手动)
核心改动:
- install.py: 宝塔Supervisor路径自适应, init-db返回bt_panel标记,
config.php→config.json, 移除PHP锁文件, 生成Fernet加密密钥
- install.html: Step 5根据btPanel显示不同Supervisor/Nginx/SSL指引
- crypto.py: 移除PHP AES-CBC兼容层, 纯Fernet加密
- 删除 web/install.php (1192行PHP, 功能已完全迁移到Python)
PHP清理:
- Nginx配置: config\.php→config\.json deny规则
- config.py/main.py/migrations.py: install.php注释→install wizard
- CLAUDE.md/AGENTS.md: config.php→config.json, 移除PHP引用
- firefox_server.py: login.php→login.html默认URL
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com >
2026-05-25 08:23:37 +08:00
Your Name
400dcae781
fix: 代码验证发现的两处问题
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- websocket.py: asyncio.get_event_loop() → get_running_loop()
(Python 3.10+废弃,shutdown时可能RuntimeError)
- asyncssh_pool.py: 全忙等待逻辑在锁外操作有竞态条件
简化为直接raise ConnectionError,不在锁外重试
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com >
2026-05-24 16:31:13 +08:00
Your Name
cdd0be328a
fix: 六轮深度扫描 — 47项Bug修复、安全加固、死代码清理
...
Critical runtime bugs:
- terminal.html WebSSH完全不可用(URL前缀/JSON解析/Content-Type三处错误)
- servers.py路由遮蔽:/logs被/{id}拦截,3个前端页面同步日志查询失败
- scripts.html startExecPoll()→startExecPolling(),长任务快速执行崩溃
- agent.py {value!r!s:.50}格式串非法,agent发非数值时ValueError
- alerts.html d.daily.reduce()无null检查,API返回空数据时TypeError
Resource leak / stability:
- websocket.py僵尸连接未关闭TCP,文件描述符泄漏
- websocket.py _last_alert_time字典无限增长(加1小时过期清理)
- asyncssh_pool.py全忙时超过MAX_CONNECTIONS无限增长
- self_monitor.py Telegram告警无冷却,宕机时每30秒刷屏
- schedule_runner.py一次性调度执行超60秒会重复触发
- 限速脚本EXPIRE每次重置窗口可绕过(改用Lua原子脚本)
Security:
- JWT access token加token_version声明,改密码后旧token立失效(零宽限)
- INSTALL_MODE导入时常量→动态函数,安装后JWT认证不再残留禁用
- install.py /lock端点加管理员存在性验证,防止阻断安装
- ServerUpdate schema移除connectivity只读字段,防止伪造连接状态
Frontend fixes:
- doExec()缺r.ok检查、commands.html null检查
- _server_to_dict()补last_checked_at+ssh_key_public
- _field_match()逗号cron表达式修复
- alerts类型显示、SSH会话名称、搜索高亮定位
- 一次性/循环定时任务(run_mode+fire_at+自动禁用)
Dead code removed (400+ lines):
- SyncService batch_push/_push_single等5个方法(零调用者)
- 5个未使用schema(SyncCommands/SyncConfig/SyncSftp/FileDeploy/PaginatedResponse)
- 6个零调用service方法、3个无前端API端点
- 4个未使用import
Schema migrations:
- push_schedules: run_mode + fire_at列,cron_expr改NULL
- servers: 7个新列 + ssh_key_private/public VARCHAR(500)→TEXT
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com >
2026-05-24 16:26:40 +08:00
Your Name
fbf5eadcf2
fix(security): R2+R3 全面代码审计修复 — 3 CRITICAL / 9 HIGH / 15 MEDIUM / 10 LOW
...
CRITICAL:
- C-1: sync_service.py rsync命令shlex.quote防Shell注入回归
- C-2: agent.py exec端点危险命令正则拦截+compare_digest+僵尸进程修复
- C-3: WebSSH JWT token绑定server_id防IDOR
HIGH:
- H-1: 所有PUT/POST端点setattr改为字段白名单防任意字段注入
- H-2: settings/assets/scripts端点添加JWT认证
- H-3: refresh_token invalidate-then-generate防并发重放
- H-4: servers.py Redis pipeline解决N+1查询
- H-7: settings API Key/Secret掩码+禁止修改
- H-8: TOTP暴力破解速率限制(5次/5分钟)
- H-9: get_optional_admin改用request-scoped session
MEDIUM:
- M-2: X-Real-IP优先+X-Forwarded-For取末值防IP伪造
- M-4: asyncssh异常信息脱敏(只含server_id)
- M-5: 分页limit上限(500/200/500/500)
- M-9: API层Redis依赖抽象至dependencies.py
- M-10: WebSocket ConnectionManager多worker Redis聚合
- M-13: login_attempts复合索引
- M-14: ServerRepository.get_by_ids批量查询
- M-15: API错误消息统一中文
R3追加:
- sysctl命令注入防护+regex验证
- $DB_PASS明文存储→masked_command双命令方案
- MYSQL_PWD环境变量替代-p flag
- health端点拆分(公开/需认证)
- repo层**kwargs→字段白名单
- 全局str(e)信息泄露修复(API/Telegram/WebSocket)
- SSRF私有IP拦截
- Nginx HTTPS配置+DB备份脚本
- 前端CDN SRI哈希+XSS修复
- __import__替换为正常import
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-24 10:58:33 +08:00
Your Name
9bba58a529
feat: Telegram test+ChatID, Agent IP allowlist/upgrade, alert history page
...
Telegram:
- POST /api/settings/telegram/test: send test message (checks token+chat_id)
- GET /api/settings/telegram/chats: call getUpdates, return up to 5 chats
- settings.html: test button + detect chat IDs with click-to-fill
Agent IP allowlist (web/agent/agent.py):
- allowed_ips config: list of trusted IPs/CIDRs from config.json
- _ip_allowed(): checks exact IP, CIDR (ipaddress module), hostname
- verify_api_key(): now checks IP allowlist before API key
- /health: also checks IP allowlist
- install.sh: auto-extracts central server IP from --url, adds to allowed_ips
Agent auto-upgrade (server/api/servers.py):
- POST /api/servers/{id}/upgrade-agent: SSH → curl new agent.py → systemctl restart
- servers.html: 升级 Agent button in Agent tab (only when online)
Alert history (new page):
- domain/models: AlertLog table (server_id, type, value, is_recovery, created_at)
- migrations.py: CREATE TABLE IF NOT EXISTS alert_logs
- websocket.py: _save_alert_log() called from broadcast_alert/recovery
- settings.py: GET /api/alert-history/ (paginated, filters), GET /stats
- main.py: register alert_history_router
- alerts.html: new page with stats cards, top-servers bar chart, alert list
- layout.js: 🔔 告警中心 added to sidebar nav
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 18:27:12 +08:00
Your Name
5fcc1e22a6
feat: login IP allowlist with proxy subscription parser
...
server/infrastructure/subscription_parser.py (new):
- parse_subscription_content(): fetch and decode subscription, extract host/IP
- Supports SS, VMess, VLESS, Trojan, Hysteria2 formats
- Base64 decode with padding fix; IPv4/CIDR/hostname detection
server/config.py:
- LOGIN_ALLOWED_IPS setting (empty = allow all, comma-separated)
server/api/settings.py:
- POST /settings/ip-allowlist/parse-subscription: fetch URL, decode, return hosts
- POST /settings/ip-allowlist: save allowlist to settings table + reload
- GET /settings/ip-allowlist: return current list
server/application/services/auth_service.py:
- _ip_in_allowlist(): supports exact IP, CIDR (ipaddress module), hostname match
- login(): check allowlist before brute-force check; if IP blocked return
reason='ip_blocked' with clear message; audit log 'login_ip_blocked'
web/app/settings.html:
- New '登录 IP 白名单' card with:
- Subscription URL input + parse button (calls backend parser)
- Parsed IPs with checkboxes (select/deselect before adding)
- Manual IP/CIDR/hostname textarea input
- Current allowlist with per-IP remove buttons
- Clear all button (removes restriction)
- Status badge: 启用 N条 / 未启用(不限制)
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 18:11:23 +08:00
Your Name
d414b945e1
feat: audit log time-range filter + script execution schedules
...
Audit log time-range filter:
- audit_log_repo.py: unified query() with action/admin_username/date_from/date_to
filters + total count; _build_filters() helper for date parsing
- settings.py GET /audit/: add date_from, date_to, admin_username query params
- audit.html: date range inputs (YYYY-MM-DD), admin filter input, action filter
expanded with optgroups (服务器/推送/脚本/认证/设置); clear filter button
Script execution schedules:
- domain/models: PushSchedule extended with schedule_type('push'|'script'),
script_id FK, script_content Text, exec_timeout int, long_task bool;
source_path made nullable
- migrations.py: 6 new ALTER TABLE statements (idempotent)
- schedule_runner.py: detect schedule_type; for 'script' type use ScriptService;
for 'push' type keep original SyncEngineV2 sync_files behaviour
- schemas.py: ScheduleCreate/Update add all new fields
- schedules.html: full UI rewrite
- type selector radio: 📁 文件推送 / ⚡ 脚本执行
- script fields: script library dropdown + textarea + timeout + long_task
- schedule list shows type badge + detail preview
- saveSched() validates required fields per type
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 17:29:16 +08:00
Your Name
d2832567c7
feat: push logs view in commands.html + paginated sync log API
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
sync_log_repo.py:
- get_all_paginated(): server_id/status/sync_mode/trigger_type filters +
server name JOIN + total count for pagination
server/api/servers.py GET /servers/logs:
- Add server_id/status/sync_mode/trigger_type/offset/limit query params
- Return {items, total, offset, limit} instead of plain list
web/app/commands.html (renamed title to '操作日志'):
- Third view: '推送日志' with paginated table
- Columns: 状态(dot badge) / 服务器 / 模式 / 触发方式 / 源路径 /
目标路径 / 文件数 / 耗时 / 操作人 / 开始时间
- Filters: 服务器 + 状态(success/failed/running) + 模式 (incremental/full/...)
- Pagination controls with prev/next page (50 per page)
- Error message in row title attribute (hover for details)
web/app/push.html:
- Update loadHistory() to handle new {items, total} response format
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 17:20:53 +08:00
Your Name
b9e8db7a3f
feat: per-alert notification toggles with switch UI
...
config.py:
- Add NOTIFY_ALERT_CPU/MEM/DISK, NOTIFY_RECOVERY, NOTIFY_TIME_DRIFT,
NOTIFY_SYSTEM_REDIS, NOTIFY_SYSTEM_MYSQL, NOTIFY_RESTART settings
(string 'true'/'false', loaded from MySQL settings table at startup)
telegram/__init__.py:
- _notify_enabled(): check setting string ('false'/'0'/'no'/'off' = disabled)
- send_telegram_alert(): checks NOTIFY_ALERT_{CPU|MEM|DISK} per alert_type
- send_telegram_recovery(): checks NOTIFY_RECOVERY
- send_telegram_system_alert(): new notify_key param, checks matching setting
- send_telegram_restart_*(): check NOTIFY_RESTART
self_monitor.py:
- Pass notify_key='NOTIFY_SYSTEM_REDIS/MYSQL' to send_telegram_system_alert
server/api/agent.py:
- Pass notify_key='NOTIFY_TIME_DRIFT' to time-drift alert
settings.html:
- New '告警通知项目' section with 8 toggle switches (pill style)
- Grouped by category: 服务器资源 / 服务器 / 系统
- Optimistic toggle with revert on API failure
- renderNotifyToggles() reads _allSettings and toggleNotify() saves instantly
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 17:12:07 +08:00
Your Name
6108d69b24
fix: Phase 4 audit fixes
...
F4a-01 script_callback_rate: INCR+EXPIRE were non-atomic; a crash between
the two could leave the rate-limit key without a TTL, permanently
blocking future callbacks for that job/IP. Fix: use Redis pipeline
so INCR+EXPIRE are sent in one roundtrip and EXPIRE always executes.
F4a-02 sync_service: add comment documenting that StrictHostKeyChecking=no
is a legacy issue in the dead-code SyncService shim; main sync path
(SyncEngineV2) honours SSH_STRICT_HOST_CHECKING from settings.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 16:00:28 +08:00
Your Name
61b891db73
fix: Phase 3 line-walk fixes (3a-3d)
...
F3a-01 agent.py: _safe_float() prevents ValueError from non-numeric metric values
F3b-01 schedule_runner.py: fix tz-aware minus naive DateTime TypeError
F3b-02 schedule_runner.py: cron field divided by 0 returns False instead of crash
F3c-01 redis/client.py: mask credentials in REDIS_URL log output
F3d-01 main.py: cancel background tasks when primary worker lock is lost
F3d-02 main.py: strip whitespace from CORS origins after split
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 15:37:15 +08:00
Your Name
80d73d1b74
fix: WSL startup compatibility + dependency updates
...
- redis/client.py: use BlockingConnectionPool.from_url() (fixes 'url' kwarg error)
- database/engine_compat.py: patch aiomysql do_ping to satisfy pool_pre_ping
- database/session.py: apply engine_compat patch before create_async_engine
- requirements.txt: SQLAlchemy 2.0.49 (fixes aiomysql ping() reconnect signature)
- .env.example: document NEXUS_REDIS_URL format
- scripts/wsl_ensure_venv.sh: create project .venv (PEP 668 safe)
- scripts/wsl_start_dev.sh: use .venv python, validate Redis before start
- scripts/wsl_integration_smoke.sh: code-only verification mode
- scripts/wsl_check_mysql.py / bootstrap_database.py: MySQL setup helpers
- scripts/sync_frontend_vendor.py: vendor asset sync utility
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 15:27:18 +08:00
Your Name
752a24497c
feat: Phase 2 security audit fixes + script execution platform
...
Security (P0/P1/P2):
- WebSSH: dedicated short-lived token, server_id binding, 4003 close code
- Remove /api/agent/exec from control plane (RCE surface eliminated)
- Global JWT middleware (JwtAuthMiddleware) with install-mode bypass
- decrypt_value: failure returns None, never leaks ciphertext
- Telegram: sanitize_external_message strips sensitive fields
- Agent auth: startup enforces non-empty API key, compare_digest
- Credentials: password_set bool flag, no plaintext in API responses
- audit_log: writes admin_username + ip_address on all CUD ops
- Install lock: all /api/install/* except GET /status return 403 post-install
- WebSocket dedup: publish once, subscribers deliver locally
Script execution platform:
- script_jobs.py / script_job_callback.py: async batching and callback
- script_execution_store.py / script_callback_rate.py: Redis-backed state
- script_execution_flush.py: background flusher to MySQL
- scripts.html / script-executions.html: full execution UI
- agent_url.py: centralised URL builder
Frontend:
- All 13 pages migrated from CDN to /app/vendor/ (no external deps)
- vendor/: alpinejs, tailwindcss-browser, xterm, xterm-addon-*, qrious
- Dashboard WebSocket real-time alerts; 8h JWT session timeout
Tests:
- test_security_unit.py: 15 unit tests (JWT, sanitize, vendor, install 403)
- test_api.py: env-configurable admin credentials
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 15:26:56 +08:00
Your Name
938d26927f
P1/P2: 后端安全与稳定性修复
...
- Agent per-server API Key认证 (agent.py)
- JWT updated_at校验与会话超时 (auth_jwt.py)
- 服务器凭据Fernet加密存储+密码脱敏 (servers.py)
- WebSSH服务器级授权检查 (webssh.py)
- Config同步去重+回滚机制 (sync_engine_v2.py)
- DB层分页offset/limit (server_repo.py)
- session.py logger修复 + @property死代码清理
- 心跳刷入rollback误用修复 (heartbeat_flush.py)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-22 22:28:57 +08:00
Your Name
8530f0e0d5
安全补强: 6项P0/P1漏洞修复
...
P0-1: PHP配置注入防护 — install.py添加_escape_php_string()转义单引号和反斜杠
P0-2: WebSocket JWT校验 — _verify_ws_token()要求exp+sub字段
P1-1: 删除SHA256密码fallback — auth_service.py和auth.py直接import bcrypt
P1-3: LIKE通配符转义 — search.py添加_escape_like()并对所有ilike()加escape参数
P1-2: 安全响应头中间件 — main.py添加SecurityHeadersMiddleware注入4个安全头
P0-3: Refresh Token重用检测 — Admin模型添加token_version字段,token格式改为token:admin_id:version
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-22 22:16:50 +08:00
Your Name
e9feaa6cdc
前后端一致性审计 + 批量操作 + 调度同步模式
...
- 服务器列表: 添加批量选择(checkbox)+批量推送/删除操作栏
- 推送页面: 支持从服务器列表页预选服务器跳转(sessionStorage)
- 调度页面: 添加同步模式选择(增量/全量/校验和)
- 后端: PushSchedule模型+Schema+API+ScheduleRunner添加sync_mode字段
- 仪表盘: 移除重复的函数定义和初始化调用
- 数据库迁移: 启动时自动执行schema migration(添加sync_mode列)
- 安装向导: 添加schema migration步骤
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 11:01:17 +08:00