Nexus Agent
fb6a4be797
feat(commands): 推送日志第三视图与 CSV 导入模板
...
按对齐计划 Phase1:Commands 页增加推送日志筛选视图;补全 servers_import_template.csv;扩写功能指南 §12.6/12.8/12.10 与 acceptance_catalog。
2026-06-08 02:45:17 +08:00
Nexus Agent
dfb0ea2d8f
fix(frontend): 脚本库与推送调度对齐设计文档
...
修复 ScriptsPage 执行契约(script_id/command、历史过滤、长任务/凭据)及 SchedulesPage 缺失能力(target_path、next_run、push/script、cron/once、sync_mode);后端补迁移与 schedule_runner 传参。
2026-06-08 02:39:18 +08:00
Nexus Agent
f12a0b6a36
fix(sync): rsync 推送后设置远程属主 www 与权限 755
...
推送默认 --chown=www:www --chmod=D755,F755,避免文件落盘为 root。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 02:23:43 +08:00
Nexus Agent
2b016f91af
fix(push): 普通文件上传不限制后缀
...
upload-files 接受任意后缀含 .zip;拖拽/多选统一原样暂存,解压改走「ZIP 解压上传」按钮。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 01:19:20 +08:00
Nexus Agent
217c5d9935
feat(push): 源路径验证、普通文件上传与暂存文件管理
...
补齐 Round4 H5/H6:验证 Nexus 主机源路径、失败批量重试;新增 upload-files 与普通文件多选上传;上传后可浏览/预览/重命名/删除暂存目录内容。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-08 01:14:07 +08:00
Nexus Agent
9337f37da8
fix(files,deploy): 文件上传字段名与 Layer3 巡检脚本
...
后端同时接受 file/files 并支持多文件 SFTP 上传;修复 health_monitor.sh 引号语法使 Layer 3 cron 可运行。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 23:00:01 +08:00
Nexus Agent
7ea94a60ab
fix(auth,servers): 修复 refresh 自动登出与服务器状态未知
...
API 返回 status 字段供前端显示在线状态;token_version 为 NULL 时 refresh cookie 含 :None 导致续期 401。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 22:53:29 +08:00
Nexus Agent
05006cb5df
feat(auth): refresh token 先 Redis 后 MySQL 双写
...
登录 30 天会话 hash 持久化到 admin_refresh_tokens;启动从 MySQL 回填 Redis,
Redis 重启后会话仍可 refresh。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 21:56:56 +08:00
Nexus Agent
69087988b1
fix(auth): 反代后登录白名单读取真实客户端 IP
...
Docker/1Panel 反代时 request.client.host 为 172.18.0.1;可信内网跳读取 X-Real-IP/X-Forwarded-For。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 21:50:39 +08:00
Nexus Agent
a14fbb3df3
fix(ssh): 快速添加跳过主机密钥校验并中文化错误
...
凭据轮询在 SSH_STRICT 默认 true 时因 HostKeyNotVerifiable 在认证前失败;
探测始终 known_hosts=None,默认 strict 改为 false,错误信息统一中文。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 21:31:38 +08:00
Nexus Agent
f9934bd4f1
feat(ops-patrol): Layer 3 巡检与 Telegram 配置打通
...
保存 Telegram 时同步至 .env,health_monitor 支持 MySQL 回退,
设置页展示巡检状态,部署时自动安装 cron。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 20:17:24 +08:00
Nexus Agent
540a7fce05
fix(settings): Telegram 检测/测试闭环与 8 项告警开关恢复
...
检测与测试前自动持久化 Token/Chat ID;getUpdates 清除 Webhook 并返回具体 API 错误;恢复 NOTIFY 分项开关与免密 reveal。
2026-06-07 19:45:07 +08:00
Nexus Agent
72d82d737b
fix(security): BL-07 WS 403 澄清与 code-review 跟进加固
...
外网无 token WebSocket 的 HTTP 403 为应用层拒绝而非反代故障;边端 agent
在中心 401 时停止心跳重试;install 锁定路由级 404 且归档失败 fail-closed。
同步安全规范与 BL-06 一致,门控 7/7 PASS。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 12:12:49 +08:00
Nexus Agent
eab35a35be
fix(security): BL-06 强制 Agent per-server key 并合并心跳单次查库
...
移除 Agent 认证与安装链路的 global API_KEY 回退,收口 risk-acceptance 接受项 2;巡检补修心跳重复 get_server 并加 assert_called_once 回归测试。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 11:17:41 +08:00
Nexus Agent
e5e2582743
fix(security): 外网攻击面加固 BL-01~05
...
收紧 PUBLIC 路径误匹配、强制 health/detail 与壁纸 sync 鉴权、默认关闭 OpenAPI;
安装锁定后 /api/install/* 统一 404;附探测脚本、测试与审计文档。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-07 01:45:10 +08:00
Nexus Agent
722917bfc9
fix(api): API 全量巡检 B1–B6 修复 server_ids 上限与 pending 审计
...
限制健康检查/推送/脚本执行的 server_ids 规模,补齐 pending 重试失败与删除审计,并附分批巡检报告。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 23:57:46 +08:00
Nexus Agent
c9e08799f9
fix(install): 守护配置对齐宿主机 cron 与验收检查
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Docker 向导提示 nx cron/宿主机路径;裸机 cron 含 db_backup;验收脚本检查 cron 与 MySQL 备份能力。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 23:11:02 +08:00
Nexus Deploy
58bdf820dc
fix(install): 安装锁定后将 install.html 归档为 .bak
...
防止已安装环境继续提供安装向导静态页;entrypoint 与升级脚本避免容器重建后恢复。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 21:30:15 +08:00
Nexus Deploy
107b089b16
fix(1panel): 安装锁持久化与升级后 1panel-network 校验
...
防止 nx update 重建容器后丢失安装锁、未接入 1panel-network 导致 MySQL/Redis 不可达。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 20:52:13 +08:00
Nexus Deploy
4ba45abf38
feat(servers): 凭据轮询登录与连接失败列表
...
- 密码/SSH密钥预设增加用户名;快速添加(IP)轮询全部预设尝试 SSH 登录
- 成功入 servers 列表;失败写入 pending_servers 并支持重试/删除
- 新增 credential_poller、try_ssh_login 与 add-by-ip/pending API
2026-06-06 20:08:48 +08:00
Nexus Deploy
5a56e5a8cb
fix(1panel): 安装向导脱敏、配置一致性与 nx update 门控回滚
...
- /state 白名单脱敏;init-db db_port 修复;connection-check 后清空 redis_pass
- install.html sessionStorage token 与无 token 友好提示
- nx update: 镜像 import 门控、健康失败自动回滚、PENDING=0 回写、卷双写
- Redis 容器改名密码迁移;备份失败默认 WARN;update.sh 管道 ROOT 回退
2026-06-06 17:40:30 +08:00
Nexus Deploy
850038a3ec
fix(install): 安装向导 Redis 密码不被 nx update/Compose 覆盖
...
Compose 不再注入 NEXUS_REDIS_URL;nx update 保留卷内带密码 URL;步骤 4 可从 install state 修复无密码 URL。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 11:34:26 +08:00
Nexus Deploy
49f88a2cd8
fix(install): Docker .env 持久化与 entrypoint 覆盖 Compose 占位符
...
向导 init-db 后立即同步 nexus-state 卷;entrypoint 跳过不完整 env 并在启动前 source /app/.env,避免缺 DATABASE_URL 与无密码 REDIS_URL 导致容器崩溃。
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 11:08:22 +08:00
Nexus Deploy
b11360015d
fix(install): 1Panel Redis 无账号与步骤 4 URL 自愈
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
确立 Redis 仅密码认证(:pass@/default),隐藏误导性用户名字段;
connection-check 自动修正错误 NEXUS_REDIS_URL,并更新运维文档与验收脚本。
2026-06-06 07:51:52 +08:00
Nexus Deploy
3b2856f388
fix(install): auto-resolve 1Panel Redis auth (:pass@ / default)
...
Stop prefilling root; probe multiple Redis URL formats on credential
check and persist the URL that works for init-db.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 07:15:57 +08:00
Nexus Deploy
807f4c2448
fix(install): correct Redis URL auth for 1Panel root user
...
Password must use redis://:pass@ or redis://root:pass@ host; wizard adds
redis_user field defaulting to root on 1Panel Docker installs.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 06:59:45 +08:00
Nexus Deploy
da061d35db
feat(install): require MySQL/Redis credential check at wizard step 3
...
Add test-credentials API and UI gate before init-db writes .env.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-06 06:47:22 +08:00
Nexus Deploy
b866e944ab
fix: Code Review P0/P1 batches 1-3 and single-operator risk acceptance
...
Apply sync/install/auth/schedule/retry/agent/settings fixes from full
code review; document accepted WS and Agent legacy risks for solo ops.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-04 15:57:49 +08:00
Nexus Deploy
a2ae74d582
release: BUG fixes batch 1-6, full bug scan docs, Ubuntu/Linux dev
...
- Backend: auth refresh reuse, schedule/retry/sync/agent/files fixes
- Frontend: push WS, files ETag browse, vite build assets
- Docs: audit/changelog, production deploy gate, bug scan registry B7-77
- Deploy: deploy-production.sh, prune assets, gate logs
2026-06-04 14:01:14 +08:00
Your Name
4b5602a719
feat(files): fix editor freeze, EOL gates, server form and session UX
...
- FilesPage storeToRefs + remotePath coercion; Monaco preload; list action buttons
- text_io for UTF-8/LF; install/sync EOL; check_shell_eol + check_text_eol gates
- ServerFormDialog, hash login redirect, AppAuth keep-session; design docs and audits
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-03 00:42:55 +08:00
Your Name
f078d0e03b
feat(push): localize sync/rsync error messages to Chinese in history and progress
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 15:18:01 +08:00
Your Name
524dabcf7f
refactor(editor): P0 — per-tab model, EOL preservation, conflict detection (409)
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 14:46:49 +08:00
Your Name
78798e3630
feat(push): refactor B0-B6, /ws/sync channel, staging cleanup
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 08:14:09 +08:00
Your Name
c6f1d73ff5
feat(files): P4 GET browse with ETag and P5 zero-flicker loading
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 05:59:55 +08:00
Your Name
67dac0168f
feat: 文件管理器复制粘贴守卫、2MB编辑限制、一键配置sudoers、编辑器外观重构
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-02 02:20:22 +08:00
Your Name
d93c518a14
feat(files): POSIX paths, elevation, recursive chmod, access hints and docs
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-01 19:54:18 +08:00
Your Name
8935081ac5
feat: full-site acceptance automation and health/detail fix
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-01 15:22:42 +08:00
Your Name
d519113734
fix: Gate3 health plain text, refresh empty body, prune underscore chunks
...
test_api: assert /health returns plain text ok instead of JSON parse.
auth: RefreshRequest.refresh_token optional so SPA POST {} is not 422.
prune: allow leading underscore in asset names to avoid deleting _plugin-vue_export-helper.
Add run_test_api_on_server.sh and deployment follow-up changelog.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-01 13:41:28 +08:00
Your Name
8311821590
fix: 全量修复批量选择、JWT 60min、script-callback 认证与心跳数据流
...
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-06-01 12:17:47 +08:00
Your Name
b1aa235726
fix: Gate3 false positive + test_api.py production compatibility
...
- Gate3: Replace loose grep (matched "0/25 failed" summary) with precise
[FAIL] marker counting + "N test(s) failed" pattern
- test_api.py: Add .env credential loading for gate check automation
- test_api.py: Fix REST status codes (POST→201, DELETE→204)
- test_api.py: Add 204 empty body handling, dynamic ID, pre-cleanup
- Add gate_log.jsonl tracking to all 7 gates
- Add knowledge graph restructure changelog
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-26 19:33:31 +08:00
Your Name
752a24497c
feat: Phase 2 security audit fixes + script execution platform
...
Security (P0/P1/P2):
- WebSSH: dedicated short-lived token, server_id binding, 4003 close code
- Remove /api/agent/exec from control plane (RCE surface eliminated)
- Global JWT middleware (JwtAuthMiddleware) with install-mode bypass
- decrypt_value: failure returns None, never leaks ciphertext
- Telegram: sanitize_external_message strips sensitive fields
- Agent auth: startup enforces non-empty API key, compare_digest
- Credentials: password_set bool flag, no plaintext in API responses
- audit_log: writes admin_username + ip_address on all CUD ops
- Install lock: all /api/install/* except GET /status return 403 post-install
- WebSocket dedup: publish once, subscribers deliver locally
Script execution platform:
- script_jobs.py / script_job_callback.py: async batching and callback
- script_execution_store.py / script_callback_rate.py: Redis-backed state
- script_execution_flush.py: background flusher to MySQL
- scripts.html / script-executions.html: full execution UI
- agent_url.py: centralised URL builder
Frontend:
- All 13 pages migrated from CDN to /app/vendor/ (no external deps)
- vendor/: alpinejs, tailwindcss-browser, xterm, xterm-addon-*, qrious
- Dashboard WebSocket real-time alerts; 8h JWT session timeout
Tests:
- test_security_unit.py: 15 unit tests (JWT, sanitize, vendor, install 403)
- test_api.py: env-configurable admin credentials
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-23 15:26:56 +08:00
Your Name
c9a99f4fb3
fix: 全项目文档对齐 + 代码清理
...
代码修复:
- web/agent/agent.py: datetime.utcnow() → datetime.now(timezone.utc)
- requirements.txt: 移除 paramiko==3.5.0 (已无活跃引用)
- 删除 server/infrastructure/ssh/pool.py (DEPRECATED, 无引用)
连接池三层对齐 (config.py/.env.example/session.py):
- DB_POOL_SIZE 100→160, DB_MAX_OVERFLOW 100→120
- 基于 MySQL max_connections=400, install.php 公式
文档修复 (21项):
- P0: 硬编码域名/IP替换为配置变量占位符
- P1: 10个过时设计文档加归档标注 (引用旧文件结构)
- P2: step-3-webssh报告 paramiko引用修正
- 6份审查报告连接池参数勘误 100/100→160/120
- ECC安全报告 EC5 datetime.utcnow 标记已修复
- docs/README.md 文档索引重写
- docs/memory/mem_nexus_overview.md 移除硬编码凭证
- docs/project/tech-stack-inventory.md paramiko标记已移除
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 08:19:56 +08:00
Your Name
302fdcc1a1
test: update E2E test suite for v6 API + JWT auth
...
- Login first to acquire JWT token for all protected routes
- Use correct v6 API paths (/api/presets/, /api/schedules/, /api/scripts/)
- Add tests for: scripts CRUD, schedules toggle, settings, audit, sync browse
- Remove obsolete password-presets and retry-jobs paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-22 00:39:03 +08:00
Your Name
73c1776e1e
fix: P0 critical runtime issues
...
1. conftest.py: add missing `from server.main import app` import
2. dependencies.py: get_db() reuses middleware session instead of
creating independent AsyncSessionLocal (fixes double-session bug)
3. auth_jwt.py: get_optional_admin uses request.state.db instead of
creating leaked AsyncSessionLocal session
4. config.py: default DATABASE_URL uses mysql+aiomysql (not pymysql)
5. sync_engine_v2.py: sanitize config keys with regex, escape values
to prevent command injection in sync_config
6. sync_v2.py: add POST /api/sync/browse endpoint for remote dir listing
7. files.html: browseDir calls real API instead of placeholder stub
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:54:35 +08:00
Your Name
ead4b2580f
fix: 3 code bugs + test fixes (46/46 passing)
...
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
1. infrastructure/__init__.py: remove nonexistent get_ssh_pool import,
use lazy __getattr__ to avoid triggering MySQL engine at import time
2. auth_service.py + auth_jwt.py: JWT sub field must be string
(PyJWT 2.12+ enforces RFC 7519), decode with int() conversion
3. session.py: lazy engine init — engine created on first access
instead of module import time, allows testing without MySQL
4. Tests: fix Column default assertions (SQLAlchemy defaults only
apply on DB INSERT), fix Request.url mock for Starlette
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:30:34 +08:00
Your Name
539c33ef42
feat: Nexus 6.0 6-step implementation (Step 0-5)
...
Step 0: Infrastructure hardening — Redis BlockingConnectionPool,
WebSocket two-layer (memory+Redis Pub/Sub), JWT auth, DB session leak fix
Step 1: Data layer — 4 new tables (platforms/nodes/command_logs/ssh_sessions),
data migration (category→Node), repos + API routes
Step 2: Auth layer — JWT middleware on all routes, TOTP JWT integration
Step 3: Web SSH — asyncssh connection pool, /ws/terminal endpoint,
xterm.js frontend, Koko protocol
Step 4: Sync engine v2 — file/command/config/SFTP modes, parallel execution
Step 5: Frontend migration — 12 Tailwind CSS v4 + Alpine.js pages,
PHP-FPM removal from nginx config
21 Python backend + 12 HTML frontend + 2 deploy configs + 3 test files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-21 22:11:38 +08:00
Your Name
003ca96f07
tests: load_test + quick_load + test_api
2026-05-21 05:49:05 +08:00
Your Name
f9045a8404
refactor: 仓库结构扁平化 + PHP前端合并到Nexus仓库
...
- 将 Nexus/Nexus/* 移到仓库根目录(消除双层嵌套)
- 删除旧的多层空壳目录 (server/, web/, agent/, deploy/, docs/)
- 将PHP前端 (web/) 合并进Nexus仓库 — 统一管理
- 部署时 git clone Nexus 仓库即可,不再需要两个仓库
目录结构:
server/ ← Python FastAPI后端
web/ ← PHP前端 (install.php, config.php, etc)
deploy/ ← Supervisor + Shell健康检查
docs/ ← 部署文档
tests/ ← 测试
.env ← 不在git中 (install.php生成)
.gitignore ← 排除 .env, SECRETS.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-20 17:24:21 +08:00