580 Commits

Author SHA1 Message Date
r c8efbc2a90 refactor(servers): 行操作移除删除按钮
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
删除改由批量栏「批量删除」执行,降低误删风险。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:35:47 +08:00
r 2cb0b57281 fix(servers): 提高行操作与批量栏文字可读性
tonal/flat 实底按钮、加大字号字重,恢复一键登录全文。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:32:32 +08:00
r 80d6aad54b style(servers): 行操作与批量栏分组图标化 UI
outlined 按钮组 + 批量栏运维/Agent/其他分区展示。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:29:27 +08:00
r 58843a1ef4 refactor(servers): 精简行操作并收拢批量诊断
一键登录文案、移除监测/站点行按钮,检测路径与诊断移至批量栏。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:23:39 +08:00
r 7add9384c1 feat: 终端路由保持会话 + 服务器列表按创建时间倒序
keep-alive 下终端切换不 dispose SSH;列表/推送/终端默认 newest first。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:11:00 +08:00
r 6720ca3474 feat(servers): 主列表宝塔登录 + 健康检查写心跳
主服务器列表操作列一键登录宝塔;SSH 健康检查写入 Redis 心跳并刷新在线状态。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:05:43 +08:00
r 2e797f86b7 feat(btpanel): 服务器列表增加在线状态列
批量读 Redis 心跳返回 status,前端与主服务器列表样式一致。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:54:04 +08:00
r 5ea5c3a411 fix(btpanel): 一键登录 URL 去掉安全入口路径
tmp_token 登录在 :port/login,非 :port/{admin}/login,后者 nginx 404。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:46:22 +08:00
r 3195787461 fix(btpanel): 非 root SSH bootstrap 自动 sudo 提权
ubuntu 等用户免密 sudo 下宝塔已装但脚本未提权导致 ssh_command_failed;附 ssh_timeout 运维清单。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:40:46 +08:00
r 97c47a120f fix(btpanel): 面板登录 URL 使用宝塔 pyenv 执行 tools.py
系统 python3 缺 psutil 导致 SSH 回退失败;相对 tmp_token 自动拼安全入口。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:16:33 +08:00
r 028dc2c8b6 fix(btpanel): API base_url 不含安全入口路径
宝塔 API 走 :port/system,安全入口仅用于浏览器登录;修复代理 404。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:10:34 +08:00
r 51b6d0cdff fix(btpanel): API 签名改为 md5(time+token)
与面板 common.py 一致;原双重 md5 导致密钥校验失败。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:05:39 +08:00
r e5929694c3 fix(btpanel): bootstrap 写入 panel/config/api.json
宝塔读取 config/api.json 而非 data/api.json,错误路径导致白名单与 token 不生效。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:01:40 +08:00
r b768da3ab8 fix(btpanel): bootstrap 误判 exit_code=0 为失败
Python 中 0 or 1 为 1,导致 SSH 成功仍报 ssh_command_failed。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:52:22 +08:00
r 45ca57bf3f fix(ssh): 连接前从 preset_id 解析 SSH 密码
修复宝塔批量引导因仅关联密码预设、行内 password 为空而全部 ssh_command_failed。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:47:22 +08:00
r 14bbfc4ab7 fix(btpanel): 批量获取时跳过已配置 API 的服务器
前端仅提交未配置 ID;后端 batch 任务对已配置记为跳过。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:39:57 +08:00
r 770469c4aa fix(btpanel): 批量勾选提交真实 server id
v-data-table 勾选值为 id 数组,修复误传 undefined 导致 422。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:37:04 +08:00
r b4436143a6 feat(btpanel): 服务器列表批量 SSH 获取 API
支持全部未配置与多选批量引导;未配置 API 时禁用一键登录。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:34:02 +08:00
r 7c99298419 fix(btpanel): 连接配置页始终显示全局设置
未选服务器时不再隐藏整页内容,避免白屏。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:30:03 +08:00
r 461ac81221 fix(btpanel): 接受相对路径 tmp_token 登录链接
宝塔 tools.py 常返回 /login?tmp_token=...,现与 base_url 拼接为完整 URL。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:26:57 +08:00
r 1c4c5af0e4 feat(btpanel): 入口改为服务器列表
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
面板登录页改为全量表格与行内一键登录,侧栏首项更名为服务器列表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:23:26 +08:00
r d00294c86d docs(btpanel): 部署审计与 changelog
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:16:54 +08:00
r 82426b1941 feat(btpanel): 独立宝塔模块与 SSH 自动获取 API
新增侧栏「宝塔面板」菜单、代理 API 与连接配置页;通过 SSH 读写子机
api.json 自动写入凭据,5 分钟后台重试,含审计修复、检测缓存与并发锁。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 09:13:14 +08:00
r ebab836554 docs: 审计文件清单补全 btpanel client
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 08:14:26 +08:00
r ccc5419369 chore: 部署门控 — 今日 changelog/audit、bandit nosec、shell CRLF
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 08:14:05 +08:00
r d8ec4f1af4 fix: 登录白名单校验改用 LOGIN_ALLOWED_IPS 单一数据源
多 worker 下订阅刷新后 UI 已更新但登录仍被拒;另修复刷新失败时前端误清空节点列表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 08:12:52 +08:00
r 9c9a51263c chore: 本地快照 — 终端 UI、服务器 site_url、后台任务与 Agent 导航
汇总未提交工作区:Servers 列表 site_url 链接、终端页与选机器 UI、SSH 连通性与 Telegram 通知、agent/offline/unset_path 后台调度与 gate_ai_review 门控;更新 AGENTS 与 agent-exploration 规则(仅本机 commit);同步 web/app 构建产物与相关文档。
2026-06-18 06:01:50 +08:00
Nexus Agent 1a79c0fbfb feat(watch): Baota-style server detail drawer
Expose load/process counts, per-core CPU, memory MB breakdown, and
separate CPU/MEM top-5 processes from SSH probes in the detail drawer.
2026-06-14 06:23:45 +08:00
Nexus Agent 86a45612c8 fix(ops): writable Layer3 state dir for cron user
Fall back to ~/.nexus/layer3-health when deploy/var is root-owned.
2026-06-14 04:23:20 +08:00
Nexus Agent 05b0fde197 fix(ops): Layer3 health_monitor state dir and Telegram heredocs
Move fail counters under deploy/var/layer3-health, use docker_cmd with
sudo fallback, and refactor alert messages to avoid quote parse errors.

Also fix watch Sparkline rgba gradients, hide empty probe pagination,
and ship pending slot pause/menu UI polish.
2026-06-14 04:20:55 +08:00
Nexus Agent c91cb1cd9e fix(watch): polish paused slot UI and header action spacing
Replace the large dashed pause panel with dimmed rings and a resume CTA,
and add gap between the monitoring switch and remove button.
2026-06-14 03:34:17 +08:00
Nexus Agent 3faa7a4f1c fix(watch): align four metric rings in one row
Move load ring beside CPU/mem/disk so the slot card matches Baota layout.
2026-06-14 03:25:10 +08:00
Nexus Agent b5419cd2c0 feat(watch): SSH-first probe, drop IO metrics, Baota ring UI
Align live monitoring with Baota: always SSH psutil for CPU/mem/load,
remove network/disk IO rates, and show metrics as circular rings in slots.
2026-06-14 03:19:43 +08:00
Nexus Agent 5c508ed14c fix(watch): eager probe on resume so metrics appear immediately
After pausing clears Redis snapshots, resuming or adding pins now triggers
an immediate probe before list_slots returns, with frontend refresh fallback.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-14 02:53:02 +08:00
Nexus Agent 825d0297c4 feat(watch): show centered enable switch when slot monitoring is paused
Paused slots now prompt with a large middle switch before showing CPU and memory metrics; header switch only appears while monitoring is on.
2026-06-14 00:38:44 +08:00
Nexus Agent 4bbc47faab feat(watch): polish monitoring history UI with themed charts and empty states
Align watch metrics pages with dashboard fleet trends: theme-aware ECharts,
skeleton loaders, metric color thresholds, and compact I/O layout on slot cards.
2026-06-13 23:29:58 +08:00
Nexus Agent ba7c790f38 feat(watch): show probe history in Beijing time and retire remote browser
Monitoring history charts and tables now format UTC timestamps as Asia/Shanghai.
Remove Playwright worker, global browser panel, and related API routes; open site URLs in a new tab instead. Fix chain test Redis pipeline mock.
2026-06-13 16:32:02 +08:00
Nexus Agent adee25deb6 fix(watch): repair SSH probe script broken by embedded quote in os_release parse
Use chr(34) inside the bash-wrapped python -c probe so monitor slots work again after hardware detail rollout.
2026-06-13 16:10:32 +08:00
Nexus Agent 4acbf04322 feat(watch): show detailed CPU, memory, and disk specs on monitor slots
Expose used vs total capacity, CPU model, swap, OS uptime, and 1/5/15 load from SSH probes and agent heartbeats.
2026-06-13 14:12:09 +08:00
Nexus Agent feb776616f docs: add 2026-06-13 audit/changelog for files new-file fix deploy gate. 2026-06-13 09:09:01 +08:00
Nexus Agent 72042598b0 Fix files page new-file flow and SFTP parent directory creation.
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Show a clear prompt when no server is selected, wait for the editor workbench before openFile, and mkdir -p parent paths before SFTP writes.
2026-06-13 09:08:17 +08:00
Nexus Agent e95e522d4d docs(audit): gate checklist for Telegram group chat ID detection 2026-06-13 02:05:27 +08:00
Nexus Agent 40cba6a567 fix(settings): detect Telegram group chat IDs via my_chat_member
Extend getUpdates parsing for group joins and update settings UI hints so Chat ID detection works for supergroups, not only private DMs.
2026-06-13 02:04:59 +08:00
Nexus Agent 821cf12ade fix(terminal,alerts): quick-cmd enter on send and offline Telegram channel
Append CR when executing quick commands (fixes trim stripping saved \r) and
allow optional dedicated Telegram bot for server offline alerts only.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-13 01:45:55 +08:00
Nexus Agent deafd46a0e docs(reports): 文件管理移除下载生产验证记录
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 06:52:47 +08:00
Nexus Agent dbb6bc4a55 fix(browser): 门控 — Worker TLS verify 可配置、审计清单与 shell LF
默认校验 Worker HTTPS 证书;审计文件补全变更清单;docker-entrypoint.sh 改为 LF。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 06:50:06 +08:00
Nexus Agent e833b923c8 feat(browser): 远程浏览器 Worker 桥接与顶栏固定悬浮窗
接入 Playwright Worker、会话 WebSocket 与全局浏览器面板(固定于 App Bar 下);
含验证码 stealth、设置项默认音与 URL 安全校验;附带 worker 部署与设计文档。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 06:49:20 +08:00
Nexus Agent 2b0413c43e feat(files): 移除文件管理下载入口
去掉行内与右键下载;大文件提示改为使用终端。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 06:32:09 +08:00
Nexus Agent a51a5c5341 fix(files): 修复下载流式 SFTP 并收紧列表行高
下载在独立 SFTP 会话中流式传输;文件/终端列表与服务器页一致的紧凑操作与行高。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 05:50:09 +08:00
Nexus Agent 80aaf855a3 feat(terminal): 右侧服务器列表增加搜索
侧栏复用 PickerSearch,按名称/域名筛选并支持搜索历史。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 05:46:34 +08:00
Nexus Agent e42612e75f feat(watch): 监测历史四槽同屏展示趋势
资源趋势 2×2 四图;探针记录默认全部槽位;表头内存/硬盘中文。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 05:44:28 +08:00
Nexus Agent 7a0001d8f4 fix(watch): 恢复指标进度条原三档配色
≥90% 红、70–89% 黄、<70% 绿。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 05:29:54 +08:00
Nexus Agent 3598d38b8e fix(watch): 指标进度条 ≥80% 变红,到期倒计时归零加固
进度条阈值由 70/90 改为 80% 红色;remaining_sec≤0 时立即 refreshPins。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 05:17:38 +08:00
Nexus Agent d5ecb54d6e feat(watch): 监测槽等待探针回传占位 UI
开启监测后无 probe_status 时显示等待文案与加载动画,回传后自动展示指标。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 05:08:03 +08:00
Nexus Agent ac98dc496c fix(watch): 移除监测槽 hover 时 Vuetify 灰遮罩
v-card 关闭 link/ripple 并隐藏 overlay,仅保留外框主题色高亮。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 04:54:24 +08:00
Nexus Agent 49b471eff9 test(e2e): 监测槽时长与指标 UI 生产冒烟
Playwright 验证默认 30 分 chip、内存/硬盘/负载与进度条;附部署验证报告。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 04:40:40 +08:00
Nexus Agent 647ebcb673 feat(watch): 监测槽分钟时长档、指标进度条与负载显示
默认 30 分钟,支持 30分/1时/2时/8时/24时;槽卡展示 CPU/内存/硬盘进度条与 1 分钟负载;API 改用 ttl_minutes。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 04:34:52 +08:00
Nexus Agent 4c38bc05d3 docs(audit): 监测槽 hover 外框高亮 2026-06-12 04:21:28 +08:00
Nexus Agent 907607e30b fix(watch): 监测槽 hover 改为外框高亮
悬停时仅边框变主题色,不再整卡铺灰底。
2026-06-12 04:21:16 +08:00
Nexus Agent bdbfef7110 fix(audit): 目标列显示服务器名称而非 #id
审计列表对 server 类型批量解析 target_name,前端展示为「服务器 {name}」。
2026-06-12 04:16:46 +08:00
Nexus Agent 8092000880 fix(watch): psutil SSH 安装 apt 走 sudo
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
非 root 用户 apt-get 未加 sudo 导致 Permission denied;补充 run_root 与中文错误提示。
2026-06-12 04:09:10 +08:00
Nexus Agent e57d689fb2 docs(audit): 补 test_watch_probe_errors 到 psutil 安装审计 2026-06-12 04:04:59 +08:00
Nexus Agent 75efd506f5 feat(watch): 监测槽 SSH 一键安装 psutil
探针报 psutil missing 时显示安装按钮;POST install-psutil 经 SSH pip/apt 安装并审计。
2026-06-12 04:04:48 +08:00
Nexus Agent 32a1885f0d feat(watch): 监测槽开关、8h/24h、到期暂停与探针修复
支持随时暂停/恢复实时监测并保留槽位;TTL 到期自动暂停不占删槽;修复到期竞态导致空槽与唯一约束冲突;探针 parse_error 与中文错误;移除失败 snackbar。
2026-06-12 03:47:56 +08:00
Nexus Agent 7bb85aac41 feat(servers): 新服务器 Agent 安装/升级引导提示
修正仅有 API Key 误判为已装 Agent;列表与展开详情提示安装/升级并提供一键操作。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 03:16:12 +08:00
Nexus Agent f37047f746 docs(audit): 文件搜索与监测槽点击修复审计
补 Step3/Closure/DoD;选机对话框加载失败改 snackbar 提示。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 03:10:15 +08:00
Nexus Agent 6b8965aaf6 fix(watch): 监测槽空槽选机与卡片点击进历史
空槽弹出搜索选机对话框;已填槽整卡可点进监测历史;已在监测的 + 给出提示。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 03:07:00 +08:00
Nexus Agent 6140d68875 feat(files): 文件管理页服务器选择支持搜索
2000+ 子机场景下可搜索名称/域名/路径/ID,并加载全量服务器列表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 03:02:28 +08:00
Nexus Agent b46922fe92 feat(watch): 4 槽实时监测 — 5s 探针、WS、历史页与告警联动
宝塔式自选子机监测:Pin CRUD、全指标 SSH/Redis 探针、探针落库、
/ws/watch 推送、监测历史与进程抽屉;Agent 可选附带 net/disk IO。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 02:56:37 +08:00
Nexus Agent f6e8b29640 fix(ui): 服务器/终端/推送搜索历史互不共享
终端独立 terminal_search 上下文(10条),与 servers_search、push_search 隔离。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 02:03:45 +08:00
Nexus Agent e0133b9098 feat(push,terminal): 推送搜索历史5条与终端中间搜索
推送页独立 combobox 历史(MySQL push_search,上限5);终端空态搜索回中间卡片,右侧栏仅列表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 01:58:33 +08:00
Nexus Agent 724375c884 fix(push): 移除点击复制服务器名称
名称点击恢复为与卡片/行一致的勾选行为。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 01:51:39 +08:00
Nexus Agent 989b17902b feat(terminal): 右侧服务器列表与搜索历史
终端与会话并行:右侧常驻选服列表,combobox 共用服务器页最近 10 条搜索历史。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 01:47:46 +08:00
Nexus Agent 441aa0b9d2 docs: 部署门控审计(移除浏览器 + 推送 UI)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 01:44:17 +08:00
Nexus Agent 540712500f fix: 移除 iframe 浏览器并优化推送页服务器展示
删除内置浏览器前后端;推送页支持卡片/列表切换、点击名称复制与长名称展示。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-12 01:43:51 +08:00
Nexus Agent 17abd62261 feat(servers): 新服务器接入自动 sudo 配置与路径探测
创建/导入/IP 添加成功后后台 onboard 任务;前端注册进度条与 toast。
2026-06-12 00:19:31 +08:00
Nexus Agent 3a4b2ff3eb docs(reports): 未设路径 fleet 探测与推送验证报告 2026-06-11 23:50:11 +08:00
Nexus Agent 2877fd90a4 fix(scripts): batch_detect 不依赖 Redis 批任务结构 2026-06-11 23:48:28 +08:00
Nexus Agent e6abd4ae73 chore(deploy): 补 Gate7 审计与 shell LF 修复 2026-06-11 23:45:44 +08:00
Nexus Agent 29b053b3c0 fix(sync): 未设路径推送回退 /www/wwwroot,UI 判定不变
空或占位 /www/wwwroot 仍算「未设路径」;rsync 推送/预览/验证改用 resolve_push_target_path,并新增批量 detect-path 脚本。
2026-06-11 23:42:58 +08:00
Nexus Agent f11ad35708 chore(scripts): 推送提权验证脚本与温胜夜生产验证报告
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
2026-06-11 23:28:59 +08:00
Nexus Agent 84b388fae2 fix(sync): rsync 推送非 root 自动 sudo 提权
文件推送与文件管理对齐:非 root 默认 auto_sudo 时使用 sudo -n rsync;
新增批量 sudoers 补丁脚本以补全 rsync 白名单。
2026-06-11 23:20:45 +08:00
Nexus Agent 0a5111a959 docs(audit): 浏览器拖动手柄修复审计条目
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 20:20:02 +08:00
Nexus Agent 31846c4212 fix(browser): 修复浮动浏览器最小化条与面板无法拖动
迷你窗口使用独立最小尺寸与拖动手柄;展开态增加左侧拖拽条。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 20:19:49 +08:00
Nexus Agent 2e8daad802 fix(browser): 不可关闭、最小化可拖拽与重启
移除关闭入口;最小化为可拖动浮动条并持久化 minimized_rect;重启保留浏览历史。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 20:15:40 +08:00
Nexus Agent a94d340ec0 docs(audit): 补全全局浮动浏览器 Closure 与文件清单
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 20:11:21 +08:00
Nexus Agent 8356425814 feat: 全局浮动浏览器、记录持久化与角落快捷入口
浮动面板可最小化至右下角、左下角随时展开;标签与浏览记录写入 MySQL,切换菜单保持活动。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 20:10:57 +08:00
Nexus Agent 2a6f526bc9 feat: 内置 Web 浏览器页与服务器站点入口
侧栏浏览器页 iframe 预览 http(s) 站点;服务器列表「站点」由 domain 跳转,禁止嵌入时可新标签打开。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 18:30:44 +08:00
Nexus Agent 996403ad86 docs(audit): 文件上传 www 权限 fixup 审计记录
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 18:24:06 +08:00
Nexus Agent 4e117c04ea feat(files): 上传后自动 chown www:www 与文件 chmod
复用推送的 RSYNC_PUSH 配置,上传成功即 SSH 修正属主/权限;失败时仍保留文件并返回 warning。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 18:23:31 +08:00
Nexus Agent 79105dcec8 fix(files): 改权限后列表不更新及 chown 连带失败
ETag 纳入权限指纹避免 304 旧数据;chmod/chown 分步执行;仅变更属主/属组时才提交 chown。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 18:12:57 +08:00
Nexus Agent d3c0e57a08 fix(servers): 搜索改为手动触发,进页默认全量列表
不再自动恢复 last 搜索;下拉选历史、回车或清空才请求;输入过程不触发过滤。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 17:54:46 +08:00
Nexus Agent af912662de fix: combobox 清空 null 导致服务器列表加载失败
v-combobox 清空时 search 为 null 使 trim() 抛错;422 响应剥离不可序列化的 ctx 避免 500。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 17:52:49 +08:00
Nexus Agent c69e45a571 docs: 服务器搜索历史部署审计与门控记录
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 17:49:43 +08:00
Nexus Agent 130cc840c7 feat: 服务器搜索历史持久化到 MySQL
按管理员将 Servers 页搜索记录存入 admin_ui_preferences,换设备登录仍可恢复;首次自动迁移 localStorage。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 17:46:52 +08:00
Nexus Agent 704764bd7e fix: 订阅白名单多 worker 同步并统一上传上限 500MB
保存 IP 白名单时同步刷新并 Redis 广播 login_* 设置;推送/文件上传与 Nginx 模板对齐为 500MB,避免生产 50m/100m 导致大文件失败。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-11 17:39:26 +08:00
Nexus Agent 426bafd169 Audit: list package-lock.json in RDP removal review. 2026-06-10 23:23:28 +08:00
Nexus Agent dc4593f8b5 Remove browser RDP (guacd/Guacamole) feature entirely.
Product decision: drop 3389 remote desktop page, API, guacd sidecar, and related tests after unresolved target-side black screen issues.
2026-06-10 23:23:09 +08:00
Nexus Agent 341b130d9b fix(rdp): guacd 后台读取队列 + 隧道超时与尺寸
独立 guacd reader 避免 WS 竞争丢数据;ping 回显与 sync 已生产验证;前端 90s 超时与 OPEN 后发尺寸。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 21:54:50 +08:00
Nexus Agent af47b24450 fix(rdp): connect 前挂载画布并修复 RdpPage 布局
Guacamole display 需在 DOM 中才能完成 sync;canvasHost 独立挂载避免 Vue 重绘清除画布。
2026-06-10 21:45:54 +08:00
Nexus Agent aeca2fd7cb fix(rdp): guacd→WebSocket 按完整指令转发,修复黑屏
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
TCP 块转发会截断 img/blob 指令导致 guacamole-common-js 无法渲染;connect 不再经 URL 传密码。
2026-06-10 21:37:10 +08:00
Nexus Agent 960598f504 fix(rdp): 服务端 guacd 握手替代透明 TCP 桥接
guacamole-common-js 不会向 guacd 发送 select/connect;改为 Nexus 用 rdp_hosts 凭据完成握手后再桥接 WebSocket,消除 protocol violation。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 21:33:01 +08:00
Nexus Agent 6f998048b6 fix(rdp): WS JWT 改路径避免 Guacamole 查询串冲突
Guacamole connect() 追加 ?hostname= 会破坏 ?token= 导致 403。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 21:18:23 +08:00
Nexus Agent 9b9a857720 docs(audit): 补全 rdp_hosts 审计文件清单
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 20:59:09 +08:00
Nexus Agent f127f07ab2 feat(rdp): 3389 页独立管理 RDP 主机
rdp_hosts 表与专用 API,在 3389远程页添加/连接,不再依赖子机列表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 20:58:46 +08:00
Nexus Agent dabfc128b3 feat: 浏览器 RDP、推送提示音与子机指标等多项功能
- 3389远程页 + guacd 侧车 WebSocket 桥(无 RDP 会话审计)
- 文件推送完成独立提示音,至少一台成功即播放
- 子机列表展开 CPU/内存/磁盘 sparkline 与指标采样落库
- 终端全量服务器列表、连接中状态;告警 Telegram 公网 IP
- SSH 密钥凭据 UI 简化;子机搜索未设路径筛选

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 01:37:32 +08:00
Nexus Agent dd870859b5 docs(changelog): 记录服务器名称列 chip 副标题回退
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 20:45:10 +08:00
Nexus Agent 700b3b4301 Revert "feat(servers): 名称列地址与资源 chip 副标题"
This reverts commit cc34b9c3cc.
2026-06-09 20:44:39 +08:00
Nexus Agent cc34b9c3cc feat(servers): 名称列地址与资源 chip 副标题
拆分 ServerListNameCell/AddressRow/MetricChips,列表展开前可见分类、CPU/内存/磁盘与心跳。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 20:41:34 +08:00
Nexus Agent 53b700f929 fix(dashboard): 移除舰队资源趋势 CSV 导出
产品决定不在趋势区提供 CSV 下载,保留全屏内明细表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 18:01:45 +08:00
Nexus Agent fc4b46566e docs(audit): 子机离线告警 8 步审计与部署验证
补全 7209f53 门控审计报告与生产验证记录,更新离线统计审计 DoD。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 17:34:29 +08:00
Nexus Agent 7209f53af9 feat: 子机离线 Telegram 告警与仪表盘统计/趋势增强
离线边沿检测推送一次 Telegram(设置开关 notify_alert_offline);对齐仪表盘与服务器页统计卡、舰队趋势交互与告警叠加。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 17:16:48 +08:00
Nexus Agent 283041fe2f docs(audit): gate7 cover test_servers_dashboard 2026-06-09 09:50:51 +08:00
Nexus Agent 85b0c3a980 fix(servers): accurate offline count and status filter
Count online/offline per monitored server via Redis; filter list by UI status; expose offline_list for main table scope.
2026-06-09 09:50:37 +08:00
Nexus Agent cbbcdae66d feat(servers): interactive stat cards and unset_path count
Click offline/online to filter, unset-path to scroll to panel; add unset_path to /servers/stats; fix Docker deploy frontend sync.
2026-06-09 09:42:51 +08:00
Nexus Agent c5e54da8de docs(audit): list all files for agent diagnose UI gate 7 2026-06-09 09:27:04 +08:00
Nexus Agent a82d69c3e5 feat(servers): add Agent diagnose button and API endpoint
Expose central heartbeat + SSH probe diagnostics in the servers UI via POST /api/servers/{id}/agent-diagnose, sharing logic with the CLI script.
2026-06-09 09:26:42 +08:00
Nexus Agent fc837bfd43 feat(ops): add batch Agent remote diagnose script
SSH from central creds to inspect systemctl, redacted config, 401/heartbeat logs, and /health on sub-servers.
2026-06-09 09:19:40 +08:00
Nexus Agent 7a9dc3d3fc fix(credentials): default database credential host to 127.0.0.1
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 09:11:34 +08:00
Nexus Agent 1fefa4b6cb feat(credentials): validate RSA/OPENSSH PEM and auto-derive public key
Accepts keys like nz-admin.pem (BEGIN RSA PRIVATE KEY); rejects invalid PEM
before encrypting. Public key field optional on create/update.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 09:05:06 +08:00
Nexus Agent 6a6f3f7614 docs: audit cover web/app build output
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / e2e (push) Blocked by required conditions
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 09:00:29 +08:00
Nexus Agent fe8c11b706 fix(credentials): load SSH key presets via getList and validate save form
The ssh-key-presets API returns a plain array; fetchPagePerPage left the
list empty so new keys appeared not to save.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 09:00:00 +08:00
Nexus Agent b287707359 docs: record HTTP detail zh production deploy at 64c8bd7
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:56:56 +08:00
Nexus Agent 64c8bd74b8 docs: audit and deploy verification for API detail zh rollout
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:54:27 +08:00
Nexus Agent 1c0d7e9eb6 fix(api): localize service-layer ValueError messages to Chinese
So str(exc) passthrough on scripts, batch, sync, and schedule routes
returns Chinese without relying only on the HTTP detail translation layer.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:53:18 +08:00
Nexus Agent a842af2405 fix(auth): use Chinese fallbacks and map reason codes to user messages
Stop exposing raw reason codes like admin_not_found in TOTP setup errors;
auth routes and JWT guard now use Chinese literals with auth_failure_detail.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:44:51 +08:00
Nexus Agent 81004cf0a5 docs: note HTTP detail zh layer in handoff TOP 10
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:42:48 +08:00
Nexus Agent 3ba78cd10a feat(api): translate HTTPException detail to Chinese for admin routes
Add a global detail translator for common 4xx messages (Server not found,
auth headers, settings not found, etc.) while keeping /api/agent/* in English.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:42:43 +08:00
Nexus Agent 213aad97a4 docs: push category fix verification and refresh handoff to c366ed5
Record production evidence (101 机器人 vs old 5) and update AI handoff
with current deploy state and TOP 10 priorities.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:36:14 +08:00
Nexus Agent c366ed5adc fix(push): load full server list for accurate category selection
Push page previously fetched only 200 servers by ID order, so large categories
like 机器人 showed a handful of machines. Also decouple unset-path panel from
the main category chip filter and align category labels with the servers page.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 08:12:50 +08:00
Nexus Agent 664efb9ed5 feat(dashboard): add 24h fleet CPU/mem/disk trends with v-sparkline.
Sample fleet averages every heartbeat flush into fleet_metric_samples;
expose GET /api/servers/fleet-metrics and Dashboard sparkline card (B-02).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 07:24:57 +08:00
Nexus Agent adcd8010a5 docs: record production deploy at 863e49e after full rollout.
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 07:14:32 +08:00
Nexus Agent 863e49e518 feat(ops): prod timezone probe, web/app container sync, and D-01 agent upgrade.
Unify upgrade-agent with install.sh via agent_deploy; auto-sync Git web/app after
Docker upgrade to prevent vite hash drift; extend prod_probe for Beijing TZ checks.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 07:12:38 +08:00
Nexus Agent 56139a42fe docs(audit): cover timezone follow-up files for gate 7 review.
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 05:51:56 +08:00
Nexus Agent e3efbd4552 feat(timezone): operator schedules and filters use Beijing wall clock.
Cron matching, audit/alert date filters, and schedule UI align on Asia/Shanghai
while JWT/TOTP/heartbeat stay UTC; follow-ups add WS alert timestamps, fixed
install timezone copy, and 422 on invalid date filters.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 05:50:32 +08:00
Nexus Agent 4d82ed4031 build(frontend): rebuild web/app assets and prune stale hashes.
Align index.html with a complete Vite output set and remove 116 orphaned
chunks so git clone loads the SPA correctly.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 03:33:23 +08:00
Nexus Agent b62f1039db feat(ops): add production probe with dual-path health checks.
SSH origin checks cover auth contracts and once-schedule create/delete
when external HTTPS is blocked; includes install script for probe credentials.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 03:28:17 +08:00
Nexus Agent 9f78207aa2 docs: add agent diff guidance and close deploy verification.
Record .cursorrules rules to avoid full-repo diffs over web/app/assets,
and document production health checks for the alerts/schedule fix batch.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 02:52:32 +08:00
Nexus Agent 3864d120fb fix: alerts page size and schedule once fire_at parsing.
Wire alert history items-per-page to the API and parse fire_at ISO strings to datetime so single-shot push schedules save instead of 500.
2026-06-09 02:47:36 +08:00
Nexus Agent 0f6f91e61a fix(api): align alerts/commands contracts and ship full-site test suite.
Restore alert history filters and stats fields, paginate command/session logs for the SPA, show script labels on schedules, and land integration/E2E coverage with rebuilt web assets.
2026-06-09 02:13:13 +08:00
Nexus Agent 091fb97291 Push async submit, Chinese 422 field labels, hide server CSV export.
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Return sync/files immediately with background runner; show loc_zh in validation errors; remove servers toolbar CSV export button.
2026-06-08 23:28:26 +08:00
Nexus Agent abeab9d3e4 Fix recovery Telegram dedup and unify Beijing time display.
Store alert metrics without per-value Redis members to stop duplicate recovery pushes; format all operator-facing timestamps in Asia/Shanghai across Web UI and Telegram.
2026-06-08 23:18:56 +08:00
Nexus Agent 972456a246 feat(agent): 401 停心跳、配置重载后重启与升级双文件下发
提取 heartbeat_policy;install/upgrade 同步 heartbeat_policy.py;config reload 恢复心跳协程。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 23:06:09 +08:00
Nexus Agent 69068e2e39 feat(ops): server_batch 回收、sync_logs 清理与 Agent 安装跳过
部署对齐三项后端能力:启动/周期收尾僵尸批量任务、30 天推送日志 purge、已安装且版本不低于主站时跳过批量安装 Agent。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 15:23:03 +08:00
Nexus Agent a401ea5a4d fix(servers): server_ids 批量上限 2000 并修复列表 422 中文
全选 101 台批量操作不再因 max_length=50 被拒;Pydantic 列表 too_long 错误显示完整中文。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 15:08:03 +08:00
Nexus Agent 632891e6e5 fix(settings): 表单校验与 422 中文错误信息
v-form 保存前 validate;validation_errors_zh 翻译 Pydantic msg;value 数字 coerce。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 14:52:59 +08:00
Nexus Agent ff143c286d fix(settings): 保存设置时将数值字段转为字符串避免 422
SettingUpdatePayload.value 要求 str,连接池与告警阈值为 number 输入。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 14:50:10 +08:00
Nexus Agent 85ecd1f54f fix(servers): 未设路径区表格绑定 sort-by 启用服务端排序
未设路径面板缺 v-model:sort-by,列头点击不触发 API;与主表共享 sortBy。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 14:36:21 +08:00
Nexus Agent 05c7aeb702 fix(servers): 未设路径批量检测对话框选中数
检测路径与批量改分类确认框按当前区块显示并提交正确 server_ids。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 14:09:50 +08:00
Nexus Agent d0526c06b7 fix(servers): 展开详情对比度与同步日志仅 1 条
展开区灰底可读;行内详情只拉最近一条同步记录,去掉「最近 N 条」文案。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 13:45:13 +08:00
Nexus Agent cb49fd9d6d docs(audit): gate7 补资源恢复开关联动与仪表盘去列表
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 13:23:04 +08:00
Nexus Agent fe8b24ca0b fix(notify): 资源恢复 Telegram 联动 CPU/内存/磁盘开关
关闭分项告警后不再推送对应恢复消息;仪表盘移除服务器列表并更新设置页说明。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 13:22:38 +08:00
Nexus Agent 6612c76dc6 docs(audit): gate7 补 dashboard 修复 index.html
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 13:13:43 +08:00
Nexus Agent 86bc737f4c fix(dashboard): 修复服务器列表不显示
清除 keep-alive 下 loading 卡死;改用 v-card-text 与表格内置 loading,并加 30s 自动刷新。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 13:13:34 +08:00
Nexus Agent 27da842a20 fix: Telegram 开关多 worker 同步与服务器行内详情展开
关闭 notify_* 后通过 Redis 广播同步各 worker 内存设置;修复 expanded id 类型不匹配导致点击名称无法展开详情。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 13:05:22 +08:00
Nexus Agent a5b1d34cec docs(audit): gate7 补 web/app/index.html 覆盖
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 12:55:20 +08:00
Nexus Agent 1e83bb34bd feat(servers): 未设路径区批量管理与主表齐平
独立勾选与全选筛选结果,共用 ServerBatchActionBar;列与批量操作对齐主列表。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 12:55:02 +08:00
Nexus Agent 8c86b50d09 feat(servers): 未设路径区块与行内详情;命令栏恢复单色
服务器页拆分未设路径列表、行内展开详情;API target_path_unset 可选过滤。
命令栏取消 Shell 语法彩色,ANSI 仅保留 xterm SSH 输出区。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 12:48:45 +08:00
Nexus Agent 8312a6cf81 fix(terminal): WebSSH xterm SSH 交互区 ANSI 彩色输出
PTY 环境变量注入 TERM=xterm-256color,DATA 帧 base64 保 ESC;前端解码写入 xterm;命令栏 Shell 高亮 CSS 与黑屏分离。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 12:35:27 +08:00
Nexus Agent 1d1fb6285b fix(terminal): 快捷命令栏「管理」改为「断开」
底部快捷栏提供断开会话,快捷命令配置仍走系统设置。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 12:14:47 +08:00
Nexus Agent 835ef2c8ea fix(terminal): WebSSH 固定黑底白字 ANSI 终端配色
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
不再跟随 Vuetify 浅色主题,xterm 始终使用经典黑底白字与 16 色输出。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 12:09:00 +08:00
Nexus Agent 09d4613e46 fix(scripts): script_executions.results 扩 MEDIUMTEXT 并截断落库
366 台批量执行 results JSON 超 TEXT 64KB 导致 flush 失败、状态卡在 running。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 11:57:20 +08:00
Nexus Agent 22d5d21c1f fix(schedules): 单次显示「当天」、收窄重复方式下拉
单次执行不再出现「重复方式」;「每天」改为「当天」;循环模式下拉宽度收窄。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 11:49:20 +08:00
Nexus Agent 08a0157c95 feat: 调度表单重构、登录门控、批量任务与页面缓存对齐
调度页执行周期可视化/单次执行/分类选机/推送源对齐;登录 IP 门控与无缝导航;
服务器批量后台任务、执行记录、凭据合并、各页激活刷新与错误提示修复。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 11:17:21 +08:00
Nexus Agent b8425cc059 fix(servers): 状态/心跳/Agent 列 overlay 后排序
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:38:28 +08:00
Nexus Agent b220a5a762 fix(terminal): 移除命令栏冗余按钮,断开遮罩仅覆盖 SSH 区
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:30:31 +08:00
Nexus Agent b011b60f9c feat(ui): 服务器/脚本/重试队列页面自动刷新
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:27:46 +08:00
Nexus Agent 442e005d27 docs(audit): 终端修复审计补 index.html
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:24:44 +08:00
Nexus Agent 908ae938b5 fix(terminal): 深链 server_id 下命令输入框可用
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:24:32 +08:00
Nexus Agent b12fb4770b docs(audit): Gate 7 vite assets 跳过门控审计
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:21:31 +08:00
Nexus Agent 6150a39889 fix(deploy): Gate 7 跳过 web/app/assets 哈希产物
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:21:20 +08:00
Nexus Agent 06af90d35e feat(scripts): 执行详情服务器名与顶栏居中提示
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:20:37 +08:00
Nexus Agent 9723e0f528 docs(audit): Gate 7 diff 修复门控审计
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:09:59 +08:00
Nexus Agent 118ec9f6b0 fix(deploy): Gate 7 仅对比 HEAD~1..HEAD 并跳过 gate_log
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:09:46 +08:00
Nexus Agent 3d76c4a447 docs(audit): 补齐脚本看板部署门控所需审计段落
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:08:28 +08:00
Nexus Agent 0b2d7ac50d feat(scripts): 异步执行、全局进度看板与完成提示音设置
脚本 exec 立即返回 running 并在后台跑批次;/ws/alerts 推送 script_progress/complete;
新增 ScriptRunsPage、Telegram 汇总通知与可配置的浏览器完成提示音。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 07:07:02 +08:00
Nexus Agent 3f995a74bb docs: 更新 AI handoff 至 df95a24
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 05:51:57 +08:00
Nexus Agent df95a2429f feat(frontend): 全选筛选结果与脚本失败分组复制
服务器列表支持跨页全选当前筛选/分类本组;脚本执行详情按错误类型分组(去动态 IP)并复制失败清单,不做 CSV 导出。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 05:51:11 +08:00
Nexus Agent 5f63fb0a3f fix(scripts): 执行进度按成功台数计算,失败项快速定位与面板清理
progress 改为 success/total(失败不计入分子);脚本库执行详情中文化、失败筛选与终态任务移出批量状态面板。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 05:11:39 +08:00
Nexus Agent c435413563 feat(servers): 分类筛选/批量改分类、分页中文与列排序,脚本库按分类选机
支持 300+ 台服务器按分类浏览与批量管理,修复分页「全部」与排序;门控 Gate3 强制本地 API。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 04:30:24 +08:00
Nexus Agent c8b0663508 feat: 批量IP添加、脚本库历史、推送权限记录与脚本SSH执行修复
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
批量添加替代CSV并支持去重;脚本库页内嵌执行历史;推送历史记录 rsync 权限策略;
脚本执行不再依赖 Agent 在线;服务器同步日志与相关单测补齐。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 03:15:40 +08:00
Nexus Agent fb6a4be797 feat(commands): 推送日志第三视图与 CSV 导入模板
按对齐计划 Phase1:Commands 页增加推送日志筛选视图;补全 servers_import_template.csv;扩写功能指南 §12.6/12.8/12.10 与 acceptance_catalog。
2026-06-08 02:45:17 +08:00
Nexus Agent dfb0ea2d8f fix(frontend): 脚本库与推送调度对齐设计文档
修复 ScriptsPage 执行契约(script_id/command、历史过滤、长任务/凭据)及 SchedulesPage 缺失能力(target_path、next_run、push/script、cron/once、sync_mode);后端补迁移与 schedule_runner 传参。
2026-06-08 02:39:18 +08:00
Nexus Agent f12a0b6a36 fix(sync): rsync 推送后设置远程属主 www 与权限 755
推送默认 --chown=www:www --chmod=D755,F755,避免文件落盘为 root。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 02:23:43 +08:00
Nexus Agent 5ed3c28491 fix(sync): 推送异常时落库 failed,修复订正时区与卡住阈值
rsync 抛错时 sync_log 不再永久 running;reconcile 兼容 naive UTC。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 02:14:33 +08:00
Nexus Agent 77cd9a5205 fix(docker): 生产镜像安装 rsync 修复文件推送失败
容器内缺少 rsync/openssh-client/sshpass,_rsync_push 触发 FileNotFoundError。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 02:10:06 +08:00
Nexus Agent 814262bd83 feat(push): 暂存文件支持批量删除
推送页暂存列表增加多选、全选与批量删除确认,复用 local-file-ops 逐条删除。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 02:05:33 +08:00
Nexus Agent 2b016f91af fix(push): 普通文件上传不限制后缀
upload-files 接受任意后缀含 .zip;拖拽/多选统一原样暂存,解压改走「ZIP 解压上传」按钮。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 01:19:20 +08:00
Nexus Agent 217c5d9935 feat(push): 源路径验证、普通文件上传与暂存文件管理
补齐 Round4 H5/H6:验证 Nexus 主机源路径、失败批量重试;新增 upload-files 与普通文件多选上传;上传后可浏览/预览/重命名/删除暂存目录内容。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-08 01:14:07 +08:00
Nexus Agent a225b655d9 feat(frontend): 恢复服务器批量检测路径并修复推送目标路径
补回 SPA 迁移丢失的 detect-path 确认框与结果弹窗,推送页留空走各机 target_path,文件页默认 50 条/页。
2026-06-08 00:56:35 +08:00
Nexus Agent bdb3b3bc34 docs(deploy): 生产对齐部署验证报告与 changelog 补全
记录 e5a3f25 部署、前端镜像重建与 Agent 1/1 升级结果。
2026-06-07 23:22:21 +08:00
Nexus Agent e5a3f2524e fix(auth): change_password 改密路径 audit_repo 定义顺序
部署前补齐门控审计与 Layer3 演练终验记录,消除 ruff F821。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 23:11:28 +08:00
Nexus Agent 9337f37da8 fix(files,deploy): 文件上传字段名与 Layer3 巡检脚本
后端同时接受 file/files 并支持多文件 SFTP 上传;修复 health_monitor.sh 引号语法使 Layer 3 cron 可运行。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 23:00:01 +08:00
Nexus Agent 7ea94a60ab fix(auth,servers): 修复 refresh 自动登出与服务器状态未知
API 返回 status 字段供前端显示在线状态;token_version 为 NULL 时 refresh cookie 含 :None 导致续期 401。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 22:53:29 +08:00
Nexus Agent 05006cb5df feat(auth): refresh token 先 Redis 后 MySQL 双写
登录 30 天会话 hash 持久化到 admin_refresh_tokens;启动从 MySQL 回填 Redis,
Redis 重启后会话仍可 refresh。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 21:56:56 +08:00
Nexus Agent 69087988b1 fix(auth): 反代后登录白名单读取真实客户端 IP
Docker/1Panel 反代时 request.client.host 为 172.18.0.1;可信内网跳读取 X-Real-IP/X-Forwarded-For。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 21:50:39 +08:00
Nexus Agent a14fbb3df3 fix(ssh): 快速添加跳过主机密钥校验并中文化错误
凭据轮询在 SSH_STRICT 默认 true 时因 HostKeyNotVerifiable 在认证前失败;
探测始终 known_hosts=None,默认 strict 改为 false,错误信息统一中文。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 21:31:38 +08:00
Nexus Agent c50f65e8ea docs: Layer 3 巡检 Telegram 用户终验确认
记录用户已收到引号修复与中文详细通知消息,闭环终验通过。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 21:09:14 +08:00
Nexus Agent ea2507dbc0 feat(telegram): 全部通知改为中文详细说明
统一告警/恢复/系统/Layer3/测试消息格式,含来源、影响与建议操作。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 21:01:47 +08:00
Nexus Agent f60a5ea5bc fix(deploy): health_monitor 剥离 .env 引号以修复 Telegram 404
容器 .env 带引号的 Token 导致 sendMessage URL 无效;增加 normalize_env_value
与失败日志。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 20:58:02 +08:00
Nexus Agent ca0de7d04d docs: Layer 3 模拟巡检告警验证报告
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
记录 flock 失败计数 bug 修复与 iptables 演练结果。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 20:56:21 +08:00
Nexus Agent 764703d401 fix(deploy): health_monitor flock 失败计数回传
flock 子 shell 递增后未回传 FAIL,导致 Layer 3 永不触发重启与 Telegram。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 20:53:14 +08:00
Nexus Agent b8785d1d51 docs: Layer 3 巡检 Telegram 配置后生产复查
记录用户配置 Telegram 后 env 同步、health_monitor 就绪与 cron 状态。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 20:49:13 +08:00
Nexus Agent 5b372fb8a2 docs: Layer 3 巡检部署生产验证报告
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 20:19:31 +08:00
Nexus Agent f9934bd4f1 feat(ops-patrol): Layer 3 巡检与 Telegram 配置打通
保存 Telegram 时同步至 .env,health_monitor 支持 MySQL 回退,
设置页展示巡检状态,部署时自动安装 cron。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 20:17:24 +08:00
Nexus Agent 66a4cba39b docs: 设置页 Telegram 修复生产验证报告
记录 540a7fc 部署结果与浏览器终验步骤。
2026-06-07 19:46:43 +08:00
Nexus Agent 540a7fce05 fix(settings): Telegram 检测/测试闭环与 8 项告警开关恢复
检测与测试前自动持久化 Token/Chat ID;getUpdates 清除 Webhook 并返回具体 API 错误;恢复 NOTIFY 分项开关与免密 reveal。
2026-06-07 19:45:07 +08:00
Nexus Agent 2e911dcca7 fix(frontend): 设置页恢复 IP 白名单订阅 URL 与解析预览
补回代理订阅配置 UI,修正 ip-allowlist 保存 payload 为 manual_ips + subscription_url。
2026-06-07 19:34:24 +08:00
Nexus Agent a5d5518054 fix(frontend): 设置页恢复 Telegram Chat ID 自动检测
Vue SPA 迁移遗漏 getUpdates 检测按钮;对接 GET /settings/telegram/chats,并修正 cron 脚本 bash 调用。
2026-06-07 19:31:13 +08:00
Nexus Agent e3fe161ae5 fix(deploy): 健康检查 PORT 缺省 8600
NEXUS_PUBLISH_PORT 未写入 .env.prod 时避免空端口误打 OpenResty 导致部署脚本误报失败。
2026-06-07 18:05:27 +08:00
Nexus Agent d0be2fdcf1 fix(deploy): SSH secrets 加载、Docker 运行时检测与外网探测脚本修复
使 deploy-production.sh 可读本机 secrets 并在非 docker 组用户下用 sudo 识别 1Panel 栈;修复 security_probe_external.sh 的 curl shift 误用与 WebSocket 自动 venv。
2026-06-07 17:34:27 +08:00
Nexus Agent 72d82d737b fix(security): BL-07 WS 403 澄清与 code-review 跟进加固
外网无 token WebSocket 的 HTTP 403 为应用层拒绝而非反代故障;边端 agent
在中心 401 时停止心跳重试;install 锁定路由级 404 且归档失败 fail-closed。
同步安全规范与 BL-06 一致,门控 7/7 PASS。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 12:12:49 +08:00
Nexus Agent eab35a35be fix(security): BL-06 强制 Agent per-server key 并合并心跳单次查库
移除 Agent 认证与安装链路的 global API_KEY 回退,收口 risk-acceptance 接受项 2;巡检补修心跳重复 get_server 并加 assert_called_once 回归测试。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 11:17:41 +08:00
Nexus Agent e5e2582743 fix(security): 外网攻击面加固 BL-01~05
收紧 PUBLIC 路径误匹配、强制 health/detail 与壁纸 sync 鉴权、默认关闭 OpenAPI;
安装锁定后 /api/install/* 统一 404;附探测脚本、测试与审计文档。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 01:45:10 +08:00
Nexus Agent 722917bfc9 fix(api): API 全量巡检 B1–B6 修复 server_ids 上限与 pending 审计
限制健康检查/推送/脚本执行的 server_ids 规模,补齐 pending 重试失败与删除审计,并附分批巡检报告。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:57:46 +08:00
Nexus Agent ac17f91106 docs(audit): 14 页 API 契约审计与凭据轮询 SSOT 收尾
记录凭据轮询/pending 契约对照与生产验证,更新功能指南与附录 J,并将 pending 相关类型集中到 api.ts。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:50:05 +08:00
Nexus Agent 9ee5c8a708 docs(project): nx 上帝菜单巡检 round1–10 归档总结
新增 nexus-god-menu-audit-summary.md 汇总巡检交付与日常速查,并链入文档索引。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:25:44 +08:00
Nexus Agent fb9dbcb11a docs(deploy): 同步 1Panel 运维 SSOT(round4–8 能力)
README 与知识文档补全 nx cron/备份/验收;卸载脚本提示改为 1Panel 容器名。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:23:27 +08:00
Nexus Agent 72e46cef32 fix(deploy): 升级后镜像验收与 verify 脚本修复
验收检查容器内 round6/7 特性;修复 host.docker.internal 引号;nx verify 与升级后自动验收。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:21:44 +08:00
Nexus Agent e5d482264d fix(install): 向导守护 UI 与升级后 cron 交互提示
Docker 完成页展示 Layer 3 cron 步骤与 host_deploy_root;TTY 下 nx update 可一键安装巡检/备份 crontab。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:20:23 +08:00
Nexus Agent c9e08799f9 fix(install): 守护配置对齐宿主机 cron 与验收检查
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Docker 向导提示 nx cron/宿主机路径;裸机 cron 含 db_backup;验收脚本检查 cron 与 MySQL 备份能力。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:11:02 +08:00
Nexus Agent 89865ec690 fix(deploy): 部署脚本自动识别 Docker 与 Supervisor 运行时
upgrade/deploy-production 等分流到 nexus-1panel upgrade;升级完成后提示安装 nx cron。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 23:07:47 +08:00
Nexus Agent ba69bc3355 fix(deploy): git pull 后备份脚本不依赖可执行位
db_backup/backup_mysql 改为检测文件存在并用 bash 调用;install_ops_cron 一并 chmod 备份脚本。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 22:39:10 +08:00
Nexus Agent 49f159a8ce fix(deploy): install_ops_cron 自动安装 cron 包
生产 Azure 主机默认无 crontab,安装脚本现会 apt install cron 并启用服务。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 22:38:43 +08:00
Nexus Agent 4e1347ba45 fix(deploy): Docker 感知 MySQL 备份与 nx cron 安装
升级/定时备份通过 docker exec 1Panel MySQL 容器 dump,不再依赖宿主机 mysqldump;nx 菜单新增巡检与备份 crontab 安装。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 22:37:49 +08:00
Nexus Deploy 61b8d7d419 fix(deploy): health_monitor Docker 适配与巡检第三轮修补
Docker 生产用 docker restart;读 .env.prod 端口与容器 Telegram;已归档跳过全量热同步。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 22:25:27 +08:00
Nexus Deploy 954bdbd972 fix(deploy): 验收脚本已安装时输出正确通过文案
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 21:54:03 +08:00
Nexus Deploy 314bece418 fix(deploy): 验收脚本已安装时跳过 install API 检查
锁定后 /api/install/* 返回 403 属预期,不应判 FAIL。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 21:53:43 +08:00
Nexus Deploy 687e059a86 fix(deploy): 上帝菜单巡检第二轮 — 全新安装卷冲突与验收修正
FRESH 清除 nexus-state 旧锁;PENDING=1 时 entrypoint 不恢复旧 env;验收脚本已安装期望 404。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 21:53:03 +08:00
Nexus Deploy baacdb0252 fix(deploy): 已归档安装向导时 sync 脚本验收期望 404
避免 nx update 因 install.html 已移除而误报失败。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 21:31:06 +08:00
Nexus Deploy 58bdf820dc fix(install): 安装锁定后将 install.html 归档为 .bak
防止已安装环境继续提供安装向导静态页;entrypoint 与升级脚本避免容器重建后恢复。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 21:30:15 +08:00
Nexus Deploy dd66d99f2d fix(deploy): nx 上帝菜单巡检修补 1panel-network 与升级竞态
purge 阶段 compose 叠加 1panel overlay;菜单启动/重建与回滚后校验网络;install-auto 已安装改走 update。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 21:27:01 +08:00
Nexus Deploy 107b089b16 fix(1panel): 安装锁持久化与升级后 1panel-network 校验
防止 nx update 重建容器后丢失安装锁、未接入 1panel-network 导致 MySQL/Redis 不可达。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 20:52:13 +08:00
Nexus Deploy 1f5daebeed fix(deploy): nx update 在 set -u 下 local root 同行展开报错
拆分 nexus_publish_port/set_install_complete/sync_env_prod_to_volume 的 local 声明,
避免 env_file="$root/..." 在 root 赋值前展开导致 unbound variable。
2026-06-06 20:38:11 +08:00
Nexus Deploy 4ba45abf38 feat(servers): 凭据轮询登录与连接失败列表
- 密码/SSH密钥预设增加用户名;快速添加(IP)轮询全部预设尝试 SSH 登录
- 成功入 servers 列表;失败写入 pending_servers 并支持重试/删除
- 新增 credential_poller、try_ssh_login 与 add-by-ip/pending API
2026-06-06 20:08:48 +08:00
Nexus Deploy 5a56e5a8cb fix(1panel): 安装向导脱敏、配置一致性与 nx update 门控回滚
- /state 白名单脱敏;init-db db_port 修复;connection-check 后清空 redis_pass
- install.html sessionStorage token 与无 token 友好提示
- nx update: 镜像 import 门控、健康失败自动回滚、PENDING=0 回写、卷双写
- Redis 容器改名密码迁移;备份失败默认 WARN;update.sh 管道 ROOT 回退
2026-06-06 17:40:30 +08:00
Nexus Deploy 850038a3ec fix(install): 安装向导 Redis 密码不被 nx update/Compose 覆盖
Compose 不再注入 NEXUS_REDIS_URL;nx update 保留卷内带密码 URL;步骤 4 可从 install state 修复无密码 URL。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 11:34:26 +08:00
Nexus Deploy beb802802a chore: 添加 scripts/git-push.sh 与本地 Gitea secrets 约定
push 读取 deploy/nexus-1panel.secrets.sh(gitignore),clone/pull 仍可匿名。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 11:22:07 +08:00
Nexus Deploy 476d87c678 docs: Gitea 公共仓库无需凭据
更新 .cursorrules 与 linux-dev-paths,明确不配置/探测 GITEA token。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 11:13:07 +08:00
Nexus Deploy 49f88a2cd8 fix(install): Docker .env 持久化与 entrypoint 覆盖 Compose 占位符
向导 init-db 后立即同步 nexus-state 卷;entrypoint 跳过不完整 env 并在启动前 source /app/.env,避免缺 DATABASE_URL 与无密码 REDIS_URL 导致容器崩溃。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 11:08:22 +08:00
Nexus Deploy b11360015d fix(install): 1Panel Redis 无账号与步骤 4 URL 自愈
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
确立 Redis 仅密码认证(:pass@/default),隐藏误导性用户名字段;
connection-check 自动修正错误 NEXUS_REDIS_URL,并更新运维文档与验收脚本。
2026-06-06 07:51:52 +08:00
Nexus Deploy 3b2856f388 fix(install): auto-resolve 1Panel Redis auth (:pass@ / default)
Stop prefilling root; probe multiple Redis URL formats on credential
check and persist the URL that works for init-db.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 07:15:57 +08:00
Nexus Deploy 9d9fbc62f5 docs: add 1Panel operations knowledge SSOT and Redis test script
Consolidate install wizard, networking, URL formats, and troubleshooting
into docs/project/nexus-1panel-operations-knowledge.md.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 07:08:42 +08:00
Nexus Deploy 807f4c2448 fix(install): correct Redis URL auth for 1Panel root user
Password must use redis://:pass@ or redis://root:pass@ host; wizard adds
redis_user field defaulting to root on 1Panel Docker installs.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 06:59:45 +08:00
Nexus Deploy da061d35db feat(install): require MySQL/Redis credential check at wizard step 3
Add test-credentials API and UI gate before init-db writes .env.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 06:47:22 +08:00
Nexus Deploy d0544c9bd2 fix(1panel): grant nexus@% for Docker MySQL 1045 on install
Add fix-1panel-mysql-grant.sh and clearer install wizard errors when
1Panel MySQL only allows nexus@localhost.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 06:19:19 +08:00
Nexus Deploy 3f5eacae60 feat(deploy): add 1Panel install wizard verify script
Server-side checklist for 1panel-network, container host sync, and
install API defaults before completing /app/install.html.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 06:05:15 +08:00
Nexus Deploy b25d0798f6 fix(1panel): sync MySQL/Redis container hosts on nx update
Upgrade was skipping 1panel-network detection; wizard now overrides stale host.docker.internal from volume/API defaults.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 05:47:43 +08:00
Nexus Deploy 6b1d23c7d7 fix(1panel): sync Redis URL to container name on 1panel-network
Update NEXUS_REDIS_URL when detecting 1Panel-redis-*; add Redis TCP precheck and connection errors matching MySQL.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 05:39:52 +08:00
Nexus Deploy 6951b8049f fix(1panel): join 1panel-network and connect MySQL/Redis by container name
Per 1Panel App Store architecture, bridge apps must use Docker DNS on 1panel-network instead of host.docker.internal.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 05:35:04 +08:00
Nexus Deploy da0424a268 fix(install): MySQL TCP probe and clearer host.docker.internal errors
Step 2 now detects whether host MySQL is listening; init-db fails fast with 1Panel setup guidance on error 2003.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 05:22:16 +08:00
Nexus Deploy 569263dddb fix(install): remove redundant Redis/MySQL host hints in wizard step 3
Docker defaults already prefill host.docker.internal; drop duplicate 1Panel install reminders from the form.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 05:08:55 +08:00
Nexus Deploy 646929ddff feat(deploy): register nx globally via install-nx-cli.sh
Centralize chmod and /usr/local/bin symlinks; install, upgrade, update, and every nx invocation refresh the global nx command.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 04:43:00 +08:00
Nexus Deploy 0a7c5ee617 fix(deploy): set executable bit on nx and refresh symlinks on update
Git tracked deploy/nx as 644 so /usr/local/bin/nx failed with Permission denied after pull; update.sh now chmods CLI scripts before upgrade.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 04:39:33 +08:00
Nexus Deploy 93400b7793 fix(install): split Redis install check (step 2) from connection test (step 4)
Step 2 only TCP-probes host Redis without blocking the wizard; step 4 runs /connection-check on MySQL and Redis from .env before creating the admin account.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 04:32:47 +08:00
Nexus Deploy a5aa5f81ad docs(deploy): merge nx god into unified menu and expand README
Consolidate install and ops into a single nx menu with one-click update via update.sh; document all curl install/update entry points in the root README.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 04:27:11 +08:00
Nexus Deploy 86c865e710 feat(deploy): add update.sh and always rebuild on upgrade
Upgrade no longer exits when Git is already up to date; it still rebuilds the Nexus image to pick up entrypoint changes. Add deploy/update.sh as the one-command entry point.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 04:16:15 +08:00
Nexus Deploy 1bd69077a2 fix(deploy): auto-remove legacy Compose MySQL containers on upgrade
Run uninstall-mysql-compose before install/upgrade and pass --remove-orphans so nexus-prod mysql orphans are stopped after the service is dropped from compose.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 03:32:00 +08:00
Nexus Deploy f37ebf8621 feat(docker): remove bundled MySQL from production Compose stack
Production installs now run only the Nexus container; MySQL and Redis are self-hosted on the machine or 1Panel, with install wizard defaults pointing at host.docker.internal.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 03:27:57 +08:00
Nexus Deploy e42dc77127 feat(deploy): add redis compose uninstall; require Redis in install wizard
Step 2 blocks until Redis connects; uninstall-redis-compose.sh removes legacy
nexus-prod-redis container without touching host/1Panel Redis.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:51:52 +08:00
Nexus Deploy 536d520744 fix(nx): resolve deploy dir when invoked via /usr/local/bin symlink
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
readlink -f fixes sourcing nexus-1panel.sh; register nexus-1panel global cmd.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:49:34 +08:00
Nexus Deploy 6276ea08b7 feat(docker): remove bundled Redis; use external host install
Compose stack is MySQL+Nexus only; wizard Redis check is non-blocking
and defaults to host.docker.internal for self-managed Redis.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:48:00 +08:00
Nexus Deploy c81fe3183f fix(deploy): sync install.py into container for Redis env-check hotfix
sync-install-wizard-to-container.sh now copies server/api/install.py and
restarts Nexus so Docker installs pick up redis:6379 without full rebuild.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:34:53 +08:00
Nexus Deploy 5e7c5beb43 fix(install): probe redis via docker service host in env-check
Install wizard no longer hardcodes 127.0.0.1:6379; Docker installs get
mysql/redis prefills and a passing Redis check inside the nexus container.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:31:11 +08:00
Nexus Deploy 9b7dba99ff fix(install): drop Gitea token warning for public repo installs
Public anonymous clone needs no secrets file; document token as optional
for private repos only.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:20:56 +08:00
Nexus Deploy 222703d733 fix(install): allow curl-pipe bash when set -u is enabled
BASH_SOURCE[0] is unset for stdin scripts; call main directly in
install-1panel-docker.sh and quick-install.sh.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:11:40 +08:00
Nexus Deploy d884ea00ca feat(install): add full-stack install-1panel-docker.sh for fresh servers
Replace the nx redirect stub with a real orchestrator that chains 1Panel
setup, Docker Compose checks, and install-nexus-fresh; document UI-only
OpenResty proxy rules in README-1panel.md.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 02:00:24 +08:00
Nexus Deploy 422dcae0ff fix(docker): bake install.html into prod image with build verify and sync script 2026-06-06 01:14:59 +08:00
Nexus Deploy 343def7e77 fix(docker): include install.html and wizard vendor assets in prod image 2026-06-06 00:36:03 +08:00
Nexus Deploy 83ce11f55c feat(install): per-host auto-generated secrets for Docker installs
Each fresh 1Panel/Docker install generates unique MYSQL and NEXUS keys
via scripts/generate_nexus_secrets.py; install wizard reuses compose env.
2026-06-06 00:25:57 +08:00
Nexus Deploy e613aecc8e docs: clarify Gitea web URL vs git clone URL in README 2026-06-06 00:19:04 +08:00
Nexus Deploy f71da47ccf docs: add root README for Gitea product page and install scripts 2026-06-06 00:14:34 +08:00
Nexus Deploy 1acac6439a feat(deploy): public repo quick-install via curl (1Panel style)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-06 00:11:43 +08:00
Nexus Deploy feda614c52 fix(deploy): register nx/nexus-fresh in PATH for root
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-05 23:58:37 +08:00
Nexus Deploy 6cef3d2942 fix(deploy): private Gitea raw 404 — use clone or token API download
Anonymous curl saved "Not found." causing "Not: command not found";
add download-install-fresh.sh, --skip-clone, and script self-check.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-05 23:52:48 +08:00
Nexus Deploy 00f44032ff feat(deploy): add 1Panel-style fresh install script for empty DB
install-nexus-fresh.sh with phased checks, install wizard URL, and nx god
menu hints; wired into nx install-fresh and install menu option 6.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-05 23:44:38 +08:00
Nexus Deploy 8ddcf2ad0d feat(deploy): add nx interactive installer and god ops menu
Single entry deploy/nx for install wizard, post-install restart/upgrade/logs,
and install-auto for non-interactive 2c8g setup on 1Panel Docker hosts.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-05 23:41:04 +08:00
Nexus Deploy 65e4478b4b feat(deploy): load credentials from nexus-1panel.secrets.sh
Keep secrets out of tracked scripts; support git add -f secrets file,
git remote token parsing, and port/firewall checks for one-click install.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-05 23:37:37 +08:00
Nexus Deploy 2f830424a4 feat(deploy): unified 1Panel script with profiles and port checks
Merge install/upgrade into nexus-1panel.sh with 1c4g/2c8g/4c16g resource
profiles; preflight Gitea and firewall hints; post-install HTTPS health probe.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-05 22:59:47 +08:00
Nexus Deploy 7b33b745a0 feat(deploy): add 1Panel Docker one-click install script
Automates clone, docker/.env.prod, compose up, and health check for 2C8G prod stack.
2026-06-05 22:52:44 +08:00
Nexus Deploy bfda70bbe7 chore(docker): tune production stack for 2C8G hosts
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Add mysql-prod-2c8g.cnf, container mem/cpu limits, Redis maxmemory,
and default Nexus pool 30/20 for 8GiB 1Panel deployments.
2026-06-05 22:44:06 +08:00
Nexus Deploy 2f67e9e2b9 docs: add 1Panel Docker production deploy stack
Add Dockerfile.prod, docker-compose.prod.yml, OpenResty example,
and migration plan for Baota to 1Panel + Compose deployment.
2026-06-05 22:40:04 +08:00
Nexus Deploy 811eb97fbf chore: Ubuntu local dev scripts, deploy gate, and audit changelogs
Rename WSL helpers to Linux-native scripts, expose Redis in docker-compose,
prefer .venv tools in pre_deploy_check, and record 2026-06-04 audit waves.
2026-06-04 23:02:21 +08:00
Nexus Deploy 0100ab2582 docs: consolidate archive, SSOT guide, and agent entry stubs
Move line-walk/delta/phase2/frontend audits and legacy memory into
docs/archive/, add functional development SSOT, thin AGENTS/CLAUDE stubs,
and regenerate changelog/audit indexes via consolidate_docs.py.
2026-06-04 23:01:03 +08:00
Nexus Deploy b866e944ab fix: Code Review P0/P1 batches 1-3 and single-operator risk acceptance
Apply sync/install/auth/schedule/retry/agent/settings fixes from full
code review; document accepted WS and Agent legacy risks for solo ops.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-04 15:57:49 +08:00
Nexus Deploy a2ae74d582 release: BUG fixes batch 1-6, full bug scan docs, Ubuntu/Linux dev
- Backend: auth refresh reuse, schedule/retry/sync/agent/files fixes
- Frontend: push WS, files ETag browse, vite build assets
- Docs: audit/changelog, production deploy gate, bug scan registry B7-77
- Deploy: deploy-production.sh, prune assets, gate logs
2026-06-04 14:01:14 +08:00
Your Name 9ac6a2d27f fix(docker): track docker/.env.example despite .env.* gitignore
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-03 00:59:00 +08:00
Your Name 3cec226b89 feat(docker): add Compose stack for MySQL, Redis and Nexus API
- Dockerfile with healthcheck and entrypoint for deps + .env persistence
- generate_env.py for local secrets; design docs and changelog

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-03 00:58:46 +08:00
Your Name 51948469c2 build(frontend): track Vite output in Git for Gitea deploy
- Stop ignoring web/app/index.html and web/app/assets/
- Bundle index-DBKIQT7H.js from current vite build (~101MB assets)

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-03 00:52:44 +08:00
Your Name 4b5602a719 feat(files): fix editor freeze, EOL gates, server form and session UX
- FilesPage storeToRefs + remotePath coercion; Monaco preload; list action buttons
- text_io for UTF-8/LF; install/sync EOL; check_shell_eol + check_text_eol gates
- ServerFormDialog, hash login redirect, AppAuth keep-session; design docs and audits

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-03 00:42:55 +08:00
Your Name 9c9c763e9c fix(credentials): password preset is name+password only, no username field
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 16:08:50 +08:00
Your Name 0cc1cc14a4 fix(terminal): restore app-bar top inset so tab bar and xterm are not clipped
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 16:02:17 +08:00
Your Name f078d0e03b feat(push): localize sync/rsync error messages to Chinese in history and progress
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 15:18:01 +08:00
Your Name 524dabcf7f refactor(editor): P0 — per-tab model, EOL preservation, conflict detection (409)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 14:46:49 +08:00
Your Name 0ccd1ba934 fix(files): use proxyRefs for inject context unwrapping
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 08:25:25 +08:00
Your Name a6673157a5 fix(files): unwrap injected refs via reactive context for v-model
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 08:23:03 +08:00
Your Name 78798e3630 feat(push): refactor B0-B6, /ws/sync channel, staging cleanup
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 08:14:09 +08:00
Your Name 68fdcbae0a refactor(terminal): split TerminalPage into composables and components (T1-T6)
Extract session/WS/xterm logic with markRaw native store, per-session disconnect overlay, shared server picker, and cmd bar via ShellHighlightField expose.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 06:44:56 +08:00
Your Name 181560eca2 fix(ui): align servers stat cards with dashboard; improve files browse errors
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 06:08:02 +08:00
Your Name c6f1d73ff5 feat(files): P4 GET browse with ETag and P5 zero-flicker loading
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 05:59:55 +08:00
Your Name 6cb591212d refactor(files): P2 split UI into components with page context inject
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 05:14:13 +08:00
Your Name 7cbddf5d48 refactor(files): P1 split composables, Pinia store, directory cache
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 05:05:26 +08:00
Your Name cb738a8e9a fix: file manager double browse from v-select init and stale chunks
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 04:36:46 +08:00
Your Name 5393252036 fix: eliminate double browse requests in file manager
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 04:29:11 +08:00
Your Name 3bc2843642 fix: browse序号保护防止token刷新重试导致的双刷新 2026-06-02 03:48:01 +08:00
Your Name 1d6d26d612 fix: 加载中隐藏空状态提示,消除进目录时的视觉双刷新 2026-06-02 03:19:27 +08:00
Your Name c65e3ea2a7 fix: 目录双击导致双刷新(e.detail守卫),横幅仅在实际权限错误时显示
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 03:07:51 +08:00
Your Name 67dac0168f feat: 文件管理器复制粘贴守卫、2MB编辑限制、一键配置sudoers、编辑器外观重构
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 02:20:22 +08:00
Your Name 57d67c494b fix: 警告横幅关闭后进子目录不再重新出现,文案简化
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 01:51:13 +08:00
Your Name 928e3c5fdb fix: 登录白名单 IP 绕过防暴破锁定
白名单内 IP 跳过失败次数锁定;失败仅审计不计数;成功登录清除该用户历史失败记录。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 01:37:22 +08:00
Your Name 832e34fd98 fix: 修复 6 个 MEDIUM 级 Bug (锁定/重试/调度/分页/SSH池/token_version)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 01:29:06 +08:00
Your Name 19cfb7caaa fix: 系统全扫描修复 7 个 HIGH 级 Bug
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 01:22:00 +08:00
Your Name ea3046f635 fix: unix_ls parse_ls_la_line 兼容 long-iso 8字段格式
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 01:09:39 +08:00
Your Name 39a8cf16cf fix(ui): 调度与重试队列路由导航及前端资源一致性
侧栏可滚动与显式导航;懒加载失败提示;getList 兼容分页响应;生产 prune 清理 1065 个过期 chunk。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 22:36:08 +08:00
Your Name b62d4f6f9f fix(audit): 审计日志操作与目标类型全面中文化
补全 action/target 映射表与词段兜底;审计页筛选下拉使用中文标签。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 22:18:42 +08:00
Your Name 44c19f329a fix(terminal): Ctrl+D 快捷键文案改为退出
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 22:13:54 +08:00
Your Name 9e924562d2 fix(terminal): 右下角快捷键与右键菜单中文化并放大
快捷键区改为中文大按钮;工具栏字号/回滚/全屏中文化;右键菜单加大并在命令栏拦截英文系统菜单。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 22:00:49 +08:00
Your Name e3eb0e65a5 fix(ui): 仪表盘/审计/调度/重试修复与终端快捷命令改版
统一终端页与全局侧栏菜单;快捷命令仅在终端执行,增删改排序迁入系统设置;命令输入区加高与 Enter/Shift+Enter 行为;后端自定义命令优先与 reorder API。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 21:56:07 +08:00
Your Name fc056059f9 docs: production deploy changelog for files/POSIX release
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 20:45:14 +08:00
Your Name bd6467dff9 docs: master plan execution progress and changelog
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 19:58:50 +08:00
Your Name e704b01093 fix(deploy): restore pre_deploy_check.sh content
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 19:57:06 +08:00
Your Name 246070e599 fix(deploy): pre_deploy gate uses repo root and newest audit
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 19:56:36 +08:00
Your Name d93c518a14 feat(files): POSIX paths, elevation, recursive chmod, access hints and docs
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 19:54:18 +08:00
Your Name 1cfac23c01 feat: terminal ANSI colors and enhanced shell syntax highlighting
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 15:49:27 +08:00
Your Name 799140f6c4 feat: terminal SPA layout, route sync, and WebSocket URL helper
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 15:41:59 +08:00
Your Name 8935081ac5 feat: full-site acceptance automation and health/detail fix
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 15:22:42 +08:00
Your Name ab431028c1 fix: 服务器页批量选择绑定 Vuetify4 modelValue
v-model:selected 无法同步勾选状态;生产已部署 ServersPage-CGp8DUVa.js 并验证「已选择 2 台服务器」。
2026-06-01 14:54:39 +08:00
Your Name cc2dad7f31 docs: 生产浏览器验收 — SPA/WebSSH/health_monitor
详见 docs/reports/2026-06-01-browser-verification.md;批量条与 Telegram/Push/kill 留维护窗口或人工确认。
2026-06-01 14:20:45 +08:00
Your Name 24b4439b2b docs: 单负责人执行计划 — handoff 对齐、生产验收、prune 加固
计划见 docs/design/plans/2026-06-01-single-owner-execution.md;生产 health/app/Redis/MySQL 已通过。
2026-06-01 14:09:17 +08:00
Your Name b8af1fc418 chore: 移除 superpowers 工作流 Skill,改为单 Agent 协作
停用 .cursor/skills 与虚拟部门分派,新增 no-department-agents 规则并更新文档索引与验收标准。
2026-06-01 14:04:50 +08:00
Your Name b77a314b36 chore: remove virtual department agent docs (team/skills)
Delete docs/skills/, docs/team/, and TEAM_ROLES.md. Update docs/README and mem_key_files. Standards and .cursor/skills workflows unchanged.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 13:52:55 +08:00
Your Name d519113734 fix: Gate3 health plain text, refresh empty body, prune underscore chunks
test_api: assert /health returns plain text ok instead of JSON parse.

auth: RefreshRequest.refresh_token optional so SPA POST {} is not 422.

prune: allow leading underscore in asset names to avoid deleting _plugin-vue_export-helper.

Add run_test_api_on_server.sh and deployment follow-up changelog.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 13:41:28 +08:00
Your Name 65c77155d8 fix: 修复前端 assets 清理脚本以支持 Rolldown 产物
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 12:31:55 +08:00
Your Name 2deb89b49c deploy: 前端部署后自动清理孤儿 assets + 冒烟脚本
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 12:29:57 +08:00
Your Name b76295aaec docs: 记录 2026-06-01 生产部署验证结果
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 12:23:44 +08:00
Your Name 8311821590 fix: 全量修复批量选择、JWT 60min、script-callback 认证与心跳数据流
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-01 12:17:47 +08:00
Your Name 73fdcafb81 docs: 完整交接文件 (15章节 + Cursor提示词 + 部署问题)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 11:58:11 +08:00
Your Name 91d0d4104e docs: 添加 .cursorrules 供 Cursor 接管
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 11:54:11 +08:00
Your Name 7fa4bd6dff docs: Cursor交接文件 2026-06-01
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 11:49:12 +08:00
Your Name a20cefcfbd docs: 审计+changelog 全站bug审查修复
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 11:40:23 +08:00
Your Name 6183047fd6 fix: 全站 bug 审查修复 (前端9项 + 后端5项)
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
前端修复:
- P0: App.vue http 未导入导致全局搜索崩溃
- P1: TOTP 登录流程断裂 (TotpRequiredError 非 ApiError 子类)
- P1: ServersPage 编辑服务器 domain 被端口字符串污染
- P1: PushPage Set[0] 无效 → values().next().value
- P1: SettingsPage API 返回字符串未转数字
- P2: api/index.ts getList 重复定义移除
- P2: LoginPage 锁定倒计时 now ref + watch 更新
- P2: TerminalPage 路径验证正则放松 (允许空格/中文)
- P2: useWebSocket CONNECTING/CLOSING 状态关闭旧连接

后端修复:
- P1: websocket.py redis.keys() → scan_iter() 避免阻塞
- P1: auth_service.py TTL 仅在 key 无 TTL 时设置
- P1: servers.py 批量操作加 asyncio.Lock 避免并发 session commit
- P2: settings.py asyncio.get_event_loop() → get_running_loop()
- P2: settings.py datetime.utcfromtimestamp() → datetime.fromtimestamp(tz=utc)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 11:24:55 +08:00
Your Name df2c188f5d docs: Cursor 交接文件
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 23:32:10 +08:00
Your Name 2d00d6a8eb fix: 登录页居中布局 + 删除Logo区域
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 23:30:12 +08:00
Your Name 080c1158d4 docs: 审计文档 + changelog (TerminalPage迭代)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 23:24:53 +08:00
Your Name facc1e8ae4 feat: TerminalPage全面迭代 + 快捷命令MySQL持久化
P0: Ctrl+L清屏、命令历史恢复、重连per-session、onopen不忽略、ping per-session
P1: 空catch处理、termRefs用session.id、错误透传、剪贴板权限、webssh-token错误
P2: 全选菜单、指数退避重连、快捷命令编辑、uptime per-session
新功能: quick_commands MySQL表 + CRUD API、Shell语法高亮输入栏
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 23:12:18 +08:00
Your Name 1ecd8e4542 fix: move wallpaper routes before /{key} catch-all to fix 404
Bing wallpaper endpoint (/bing-wallpapers) was returning 404 from HTTP
because FastAPI matched it against the /{key} catch-all route at position
2 before the specific route at position 13 ever got reached.

- Moved wallpaper routes (bing-wallpapers, bing-wallpaper) and helper code
  before the /{key} wildcard route
- Removed dead guard code in get_setting() that was never effective —
  FastAPI route matching happens before the handler body executes
- Removed duplicate wallpaper code block at end of file

Root cause: FastAPI matches routes in registration order. /{key} at
position 2 matched 'bing-wallpapers' as the key parameter, returning
'Setting not found' instead of routing to the wallpaper endpoint.
2026-05-31 22:00:33 +08:00
Your Name c6485168b6 fix: bing-wallpapers route was being caught by /{key} catch-all
FastAPI matches routes in order: /{key} registered before bing-wallpapers
because routes are sorted by path. /{key} matches 'bing-wallpapers' as a
key name, returning 404 'Setting not found' instead of hitting the actual
bing_wallpapers handler.

Fixed by adding a guard in get_setting() to skip these fixed path names,
and crucially by ensuring bing-wallpaper(s) routes are registered BEFORE
the /{key} catch-all in the router.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:59:26 +08:00
Your Name e9af02dd22 fix: add bing-wallpapers (plural) to PUBLIC_PREFIXES for JWT bypass 2026-05-31 20:53:49 +08:00
Your Name c9baecfdfa feat: Bing wallpaper slideshow — 12 images, hourly rotation, weekly cleanup
- Frontend: fullscreen wallpaper background with 1.5s crossfade transition,
  login card centered with glass effect, images rotate every hour
- Backend: new /api/settings/bing-wallpapers endpoint fetches 8 recent images
  from Bing HPImageArchive, caches to web/app/wallpapers/, returns all URLs
- Auto-cleanup: removes files older than 7 days, keeps max 12 newest
- Old /bing-wallpaper endpoint kept for backward compatibility

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:51:50 +08:00
Your Name 3d5870b404 fix: correct wallpaper dir to 3 levels up (server/api/settings.py -> Nexus/web/app/wallpapers)
Path breakdown: __file__ is server/api/settings.py
  .parent → server/api/
  .parent.parent → server/
  .parent.parent.parent → Nexus/ (repo root)
  Then append web/app/wallpapers

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:38:35 +08:00
Your Name afd32118b2 fix: correct wallpaper directory path in settings.py
- Path(__file__) is server/api/settings.py, so:
  .parent → api/  .parent → server/  .parent → Nexus/ (ROOT)
  .parent → (above ROOT — wrong!)
- Changed from .parent.parent.parent to .parent.parent.parent.parent
  to reach the project root, then into web/app/wallpapers/
- Moved _WALLPAPER_DIR.mkdir into the async function body

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:34:27 +08:00
Your Name d0308aaef6 fix: allow /app/wallpapers/ through AppAuthMiddleware
- Added /app/wallpapers/ to _APP_PUBLIC_PREFIXES so cached wallpaper images
  are served without requiring login auth
- Wallpaper files are now saved to web/app/wallpapers/ by bing_wallpaper() endpoint

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:30:46 +08:00
Your Name 04dda2c419 fix: download Bing wallpaper to server disk, auto-clean weekly
- Changed bing-wallpaper endpoint from URL proxy to image downloader
- Saves wallpaper to web/app/wallpapers/YYYY-MM-DD.jpg
- Auto-deletes wallpapers older than 7 days on each request
- Falls back to yesterday's cached file if download fails
- Added Path import for filesystem access

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:23:55 +08:00
Your Name e084d90c61 fix: add Bing wallpaper proxy endpoint, make it public (no JWT required)
- Added GET /api/settings/bing-wallpaper — proxies cn.bing.com HPImageArchive
  to avoid CORS issues, returns {url} for the daily wallpaper
- Added /api/settings/bing-wallpaper to PUBLIC_PREFIXES in auth_jwt.py
  so the login page can fetch it without authentication
- Login page now fetches wallpaper via backend proxy instead of direct CORS-blocked fetch

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:12:09 +08:00
Your Name 24aa8494e5 security: bind uvicorn to 127.0.0.1 instead of 0.0.0.0
The install wizard wrote '--host 0.0.0.0' which exposed the raw uvicorn
port 8600 on the public IP, bypassing Nginx HTTPS/TLS/WAF/middleware.
Changed to 127.0.0.1 — only local Nginx can reach the backend.

Also applied to running server via supervisor config fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 17:04:28 +08:00
Your Name 5c7775c10c chore: remove old Tailwind HTML pages from git
Vuetify SPA is now the sole frontend entry point at /app/.
Old pages (alerts/servers/scripts/...html) replaced by Vue router.
Keep install.html for setup wizard.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 15:46:29 +08:00
Your Name 7a6479dbfa fix: remove stale login.html from public paths, clean up prefixes
Old Tailwind HTML pages removed from server — Vuetify SPA is now
the sole entry at /app/. Only install.html remains for setup wizard.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 15:44:56 +08:00
Your Name 0fdae981cf fix: add ttf/eot/otf to static asset whitelist in AppAuthMiddleware
Vuetify/Monaco fonts return 404 without these extensions whitelisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 15:42:43 +08:00
Your Name 3419ab8a09 chore: remove obsolete design department agent docs
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 15:37:57 +08:00
Your Name d512460dc9 fix: frontend type definitions match actual backend API responses
- AlertsPage: template fields alert_type/value/is_recovery (was type/message/recovered)
- CommandsPage: remove non-existent is_dangerous/duration/admin_name; use admin_username
- ScriptsPage: ExecHistoryItem matches /scripts/executions response shape
- types/api.ts: CommandLogItem + SshSessionItem + ScriptExecItem aligned to backend
- Remove unused PaginatedResponse imports from CommandsPage/ScriptsPage

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-31 15:37:41 +08:00
Your Name 0f02e047cc docs: update deployment instructions for Vuetify SPA
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- Split backend/frontend deploy steps
- Add deploy-frontend.sh one-liner reference
- Document AppAuthMiddleware 404 and stale HTML troubleshooting
- Remove obsolete dist copy instructions

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 13:25:33 +08:00
Your Name 35583115ff fix: Vite outputs directly to web/app/ — no dist copy needed
- vite.config.mts: outDir changed from web/app/dist to web/app
- .gitignore: ignore web/app/index.html + web/app/assets/ (build artifacts)
- deploy/deploy-frontend.sh: automated build+deploy+verify script

Deployment is now: bash deploy/deploy-frontend.sh

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 13:24:22 +08:00
Your Name f745714530 fix: allow Vuetify SPA index.html through AppAuthMiddleware
The new Vuetify SPA uses hash routing — all pages served from single
index.html. The old middleware only whitelisted individual HTML page
paths (login.html etc.), blocking the SPA entry point with 404.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 13:13:13 +08:00
Your Name 0d056a45e9 feat: Vuetify 4 frontend — complete rebuild with audit fix
Vue 3 + Vuetify 4 + TypeScript + Vue Router 4 + Pinia frontend,
replacing the old Tailwind+Alpine.js static pages.

Infrastructure (8 new files):
- composables/useSnackbar.ts — centralized notifications
- composables/useServerList.ts — server dropdown data
- composables/useServerPagination.ts — paginated server table
- types/api.ts — 14 typed API response interfaces
- types/global.d.ts — Window augmentation
- utils/status.ts — server status display helpers
- utils/validation.ts — 8 form validation rules
- components/MonacoEditor.vue — fullscreen code editor

14 pages rebuilt:
- LoginPage, DashboardPage, ServersPage, TerminalPage
- FilesPage, PushPage, ScriptsPage, CredentialsPage
- SchedulesPage, RetriesPage, CommandsPage
- AlertsPage, AuditPage, SettingsPage

Critical fixes (from audit):
- Files upload JWT auth (was missing Authorization header)
- API Key reveal password verification dialog
- 6 silent catch blocks → snackbar error feedback
- 33 as any → 0 (typed interfaces + global.d.ts)
- Dashboard: alerts/summary/categories/audit data loading
- WebSocket reconnect timer cleanup + auth failure handling
- Terminal ResizeObserver leak fix
- PushPage timer cleanup on unmount
- FilesPage path double-slash fix (joinPath helper)
- Filter changes reset pagination to page 1

Features added:
- Servers: batch operations, CSV export/import, detail panel
- Push: sync modes, ZIP upload, WebSocket real-time progress, cancel
- Scripts: quick execute panel, execution status tracking
- Files: Monaco editor, context menu, batch delete, rename, chmod
- Terminal: right-click menu, server sidebar, tab persistence
- Settings: batch save, TOTP manual key, password TOTP verification
- Dashboard: category distribution, recent audit, WS refresh

Quality:
- vue-tsc --noEmit zero errors
- vite build passes (1613 modules)
- Formal 8-step security audit passed (0 FINDING)
- .gitignore: dist/ → **/dist/ to cover web/app/dist/

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 12:56:12 +08:00
Your Name 0ded4a28ec fix: 主题系统改用CSS变量 — dark:前缀在浏览器CDN不生效
根因: Tailwind v4 浏览器CDN(tailwindcss-browser.js)不处理外部CSS的
@custom-variant指令, dark:前缀规则完全不生成

方案: 改用CSS变量 + :root.dark {} 选择器
- theme.css: :root 定义亮色值, :root.dark 定义暗色值
- 15个HTML页面: 恢复 bg-[var(--bg-page)] 等CSS变量class
- 移除所有 dark: 前缀class(CSS变量自动适配)
- theme-init.js: 同步读localStorage设.dark class(FOUC防护)
- layout.js: toggleTheme 切换 .dark class + localStorage + MySQL

优势: CSS变量方案不依赖Tailwind dark:变体, 100%兼容浏览器CDN
2026-05-31 04:18:55 +08:00
Your Name 5ac4a5c7cf fix: theme.css 加 @import tailwindcss 使 dark: 变体生效
Tailwind v4 官方文档确认:
@import 'tailwindcss';
@custom-variant dark (&:where(.dark, .dark *));

浏览器CDN build需要 @import 来处理 @custom-variant 指令
2026-05-31 04:13:26 +08:00
Your Name 9c5ebdfdbd feat: 全站主题完全重做 — CSS变量→Tailwind dark: 前缀
设计依据: HyperUI/Flowbite/daisyUI/Meraki UI 深度调研
配色方案: HyperUI 全局色值映射 (gray-* 色系)

改动:
- theme.css: 重写为 @custom-variant dark 配置
- theme-init.js: FOUC防护 — 同步读localStorage设.dark class
- layout.js: 主题系统改用 .dark class + localStorage
- 15个HTML页面: 649处CSS变量class替换为dark:前缀
  bg-[var(--bg-page)] → bg-gray-50 dark:bg-gray-950
  bg-[var(--bg-card)] → bg-white dark:bg-gray-900
  bg-[var(--bg-surface)] → bg-gray-100 dark:bg-gray-800
  border-[var(--border)] → border-gray-200 dark:border-gray-700
  text-[var(--text-primary)] → text-gray-900 dark:text-white
  等9种映射
- design spec: docs/design/specs/2026-05-31-ui-redesign-design.md

修复: FOUC(切换主题时闪暗色)已解决
2026-05-31 04:11:17 +08:00
Your Name c457cb4058 feat: dark mode theme system with synchronous FOUC prevention
- Add vendor/theme-init.js for synchronous dark mode init in <head>
- Update all 13 frontend pages with dark: variant classes
- Dark mode as default, light mode via localStorage toggle
- Remove redundant theme.css rules in favor of Tailwind dark: classes
- Add settings-dark-theme.png reference screenshot

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 03:54:30 +08:00
Your Name 8b2263916c feat: design department agents integrate Tailwind ecosystem knowledge (9 sites)
Deep-learned 9 Tailwind CSS ecosystem sites and injected into all design
department agents via knowledge graph references:

- HyperUI (350+ components, Tailwind v4, Alpine.js)  best match
- Meraki UI (198 components, Application UI, RTL)
- Flowbite (56+ components, data-attr driven, Figma)
- daisyUI (65 semantic components, 35 themes)
- UIBak (200+ components, Alpine.js native)
- Headless UI (a11y benchmark, data-* patterns)
- Tailblocks (63 landing page blocks)
- Kutty (plugin architecture reference, unmaintained)
- WindyToolbox (resource directory)

Updated 10 files: design-department, ui-designer, ux-architect,
frontend-designer, color-curator, inspiration-analyzer, trend-researcher,
moodboard-creator, design-wizard, team roles.

Knowledge graph IDs for cross-session reference:
  tailwind-css-9 (overview)
  tailwind-css-9/hyperui-nexus-tailwind
  tailwind-css-9/meraki-ui-rtl-tailwind
  tailwind-css-9/flowbite-tailwind-bootstrap
  tailwind-css-9/daisyui-tailwind
  tailwind-css-9/uibak-alpinejs
  tailwind-css-9/headless-ui-tailwind-labs
  tailwind-css-9/tailblocks-landing-page
  tailwind-css-9/kutty-tailwind-plugin-alpinejs
  tailwind-css-9/windytoolbox-tailwind

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 03:53:40 +08:00
Your Name 293a0d64fe feat: 全站亮色/暗色主题切换
实现方案: CSS自定义属性 + Tailwind arbitrary values

新增文件:
- web/app/vendor/theme.css — CSS变量定义(亮色+暗色)

修改文件 (15个HTML + 2个JS + 2个Python):
- layout.js — 侧边栏🌙主题切换按钮 + loadTheme/toggleTheme
- settings.py — MUTABLE_KEYS加theme/editor_theme
- 15个HTML页面 — bg-slate-*替换为bg-[var(--bg-*)] + 引入theme.css

替换统计:
- index.html: 48处
- servers.html: 183处
- files.html: 94处
- push.html: 157处
- scripts.html: 83处
- credentials.html: 100处
- schedules.html: 59处
- retries.html: 40处
- commands.html: 57处
- alerts.html: 47处
- audit.html: 32处
- settings.html: 125处
- terminal.html: 89处
- install.html: 72处
- login.html: 14处
总计: 1199处替换

功能:
- 侧边栏底部🌙/☀️按钮切换亮色/暗色
- 主题偏好保存到MySQL(settings表)
- 页面加载时自动恢复主题
- Monaco编辑器主题独立控制(⚙️菜单)
2026-05-31 02:55:45 +08:00
Your Name 94fbdf7b2d refactor: 主题切换移到⚙️设置下拉菜单
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- 移除标题栏独立主题按钮(🌙/☀️)
- 新增⚙️设置按钮 → 下拉菜单
- 菜单项: 「☀️ 亮色主题」/「🌙 暗色主题」动态文字
- 点击菜单外自动关闭
- 菜单样式: bg-slate-800, rounded, shadow, 最小宽度200px
2026-05-31 02:42:24 +08:00
Your Name e65c9993a2 feat: 编辑器亮色/暗色主题切换 + 保存到MySQL
- 标题栏🌙/☀️按钮切换 Monaco 主题
- 'vs'(亮色) / 'vs-dark'(暗色)
- 切换后立即应用到所有打开的标签页
- 通过 PUT /api/settings/editor_theme 保存到MySQL
- 页面加载时自动读取保存的主题偏好
- settings.py MUTABLE_KEYS 白名单加 editor_theme
2026-05-31 02:39:21 +08:00
Your Name ae47eb42de fix: 双击标题栏最大化 + Monaco用官方默认主题
1. 双击编辑器标题栏空白区域 → 切换最大化/还原
2. Monaco移除theme:'vs-dark'和fontFamily覆盖, 使用官方默认配置
3. 编辑器外观与 https://microsoft.github.io/monaco-editor 一致
2026-05-31 02:35:52 +08:00
Your Name c570801119 fix: 编辑器拖拽修复 — 扩大拖拽区域+退出最大化+边界限制
问题:
- 标签栏整体被排除导致可拖拽区域几乎为零
- 最大化/全屏后拖拽不工作
- 没有拖拽视觉提示

修复:
- 添加⠿拖拽把手图标(cursor-grab)
- 只排除button/input/select, 标签栏空白处可拖拽
- 拖拽时自动退出最大化/全屏模式
- 边界限制(不拖出屏幕)
- 拖拽结束触发Monaco重新layout
2026-05-31 02:31:56 +08:00
Your Name cba8b3d8f6 feat: 浮动编辑器 — 拖拽+缩放+全屏+文件树
功能:
- 拖拽: 按住标题栏拖动编辑器面板
- 缩放: 右下角拖拽调整大小
- 最大化(): 占满屏幕留边距
- 全屏(⤢): 完全覆盖页面
- 最小化(—): 收到底部标签栏
- 关闭(✕): 关闭全部标签
- 文件树(🌳): 左侧可折叠文件树, 点击文件打开/目录导航
- 文件树同步: 浏览新目录时自动更新

布局:
┌──────────────────────────────────┐
│ [🌳] [📄a.conf×][📄b.py×]  [][⤢][—][✕] │ ← 可拖拽
├────────┬─────────────────────────┤
│ 📂 ..  │                         │
│ 📁 dir │    Monaco Editor        │
│ 📄 a   │                         │
│ 📄 b   │                         │
│        │ Ln1,Col1|ini|UTF-8|file │
└────────┴─────────────────────────┘  ← 右下角可缩放
2026-05-31 02:26:25 +08:00
Your Name caef4a216b fix: Monaco配置完全对齐官方默认值
对齐项目:
- cursorBlinking: smooth→blink(官方默认)
- 移除: cursorSmoothCaretAnimation, cursorWidth(非官方默认)
- 移除: lineHeight, padding(非官方默认)
- 移除: renderLineHighlight, smoothScrolling(非官方默认)
- 移除: scrollbar自定义尺寸(使用官方默认)
- scrollBeyondLastLine: false→true(官方默认)
- renderWhitespace: selection→none(官方默认)
- 添加: fontFamily(Cascadia Code/Fira Code/JetBrains Mono)
- 移除: quickSuggestions, insertSpaces, foldingHighlight, minimap side/scale
- 保留vs-dark主题(匹配Nexus暗色UI)
2026-05-31 02:20:04 +08:00
Your Name 507b957b4e refactor: 编辑器改为浮动面板 + Monaco配置对齐官方
布局:
- 全屏覆盖 → 右下角浮动面板(70vw×65vh)
- 文件列表始终可见, 编辑器不遮挡
- 最大化/还原按钮()
- 最小化到底部标签栏
- 移除文件树(文件列表已在背景可见)

Monaco配置对齐官方demo:
- fontSize 13→14, lineHeight 20
- wordWrap on→off(水平滚动)
- 新增: folding, matchBrackets, cursorBlinking smooth
- 新增: cursorSmoothCaretAnimation, smoothScrolling
- 新增: padding, renderLineHighlight all, renderWhitespace selection
- 新增: suggestOnTriggerCharacters, quickSuggestions
- 新增: links, colorDecorators
- 新增: tabSize 4
2026-05-31 02:14:56 +08:00
Your Name c70424a224 docs: Monaco IDE编辑器 changelog + 审计报告 2026-05-31 02:08:31 +08:00
Your Name e8c1acba9f fix: 审计8个FINDING修复 (IDE编辑器+终端)
- H-01 [MEDIUM] esc() 加引号转义('"\') 防止onclick XSS
- H-02 [MEDIUM] initialPath 路径白名单校验(仅允许字母数字/.-_)
- H-03 [LOW] doNewFile 文件名白名单正则(替代简单的includes('/'))
- H-08 [LOW] Monaco CDN SRI — 已知限制, 版本锁定@0.45.0
- H-13 [MEDIUM] showModal 移除已删除的modalTextarea引用
- H-20 [LOW] initialPath仅首次连接cd, 不影响恢复的标签
- H-26 [MEDIUM] esc()跨文件一致性 — files.html对齐terminal.html
- H-30 [LOW] esc()注释更新
2026-05-31 02:06:42 +08:00
Your Name 34786737b4 fix: IDE编辑器语法错误 — 多余花括号 2026-05-31 01:56:15 +08:00
Your Name be633f3e58 feat: IDE编辑器重构 — 多标签+文件树+最小化+状态栏
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- 全屏IDE面板替代模态框编辑器
- 多文件标签页: 独立Monaco实例, 切换保持状态
- 左侧文件树: 基于当前目录, 点击文件打开, 点击目录导航
- 最小化/恢复: 底部最小化栏显示所有打开的文件标签
- 状态栏: 光标位置+语言+编码+未保存指示器
- Ctrl+S保存 + 未保存关闭确认
- 标签栏: 点击切换, ×关闭, amber色未保存标记
- 文件树同步: 浏览新目录时自动更新文件树
- 模态框保留用于非编辑操作(重命名/删除/新建等)
2026-05-31 01:50:34 +08:00
Your Name 00a3309005 feat: 服务器列表加「文件」按钮直达文件管理
- servers.html: renderActions 加「文件」链接(琥珀色) → /app/files.html?server_id=X
- files.html: 支持 server_id URL参数, 自动选中服务器并浏览 /www/wwwroot
2026-05-31 01:33:52 +08:00
Your Name 3d15200cfa chore: 移除Monaco debug日志 2026-05-31 01:28:57 +08:00
Your Name d8aca5bf18 fix: Monaco预加载移入files.html(解决api.js缓存问题) 2026-05-31 01:26:59 +08:00
Your Name cb60af4483 debug: Monaco preload 加日志诊断 2026-05-31 01:22:45 +08:00
Your Name 5a5adafb39 feat: Monaco编辑器+右键菜单+排序筛选+chmod+压缩解压+新建文件
编辑器增强:
- E-2 Monaco集成: 70vh全屏编辑器, 暗色主题, bracket着色
- E-3 Ctrl+S保存快捷键 + 未保存指示器
- E-4 语言自动检测(30+扩展名映射)
- Monaco预加载: 登录后CDN后台加载, 打开编辑器秒开
- fallback: Monaco未就绪时退回textarea

文件管理增强:
- F-1 右键菜单: 预览/下载/重命名/权限/复制路径/终端/压缩/解压/删除
- F-2 新建文件按钮(📄+)
- F-3 chmod权限修改(右键→输入权限如755)
- F-4 排序切换(名称/大小/时间)
- F-5 文件类型筛选下拉(.conf/.log/.sh/.py等)
- F-6 压缩(tar.gz)
- F-7 解压(tar.gz/zip)
2026-05-31 01:10:22 +08:00
Your Name c0296b9d8e fix: 预加载文件大小 30KB → 1MB 2026-05-31 01:04:44 +08:00
Your Name ca4aceba3e fix: 面包屑点击事件委托 — 作用域不在fileListEl内
面包屑(#breadcrumbPath)和文件列表(#fileList)是兄弟节点, 不是父子关系
事件委托绑在fileListEl上无法捕获面包屑点击
修复: 给#breadcrumbPath加独立click事件委托
2026-05-31 00:57:58 +08:00
Your Name b5dfa8a870 feat: 文件管理器集成SSH终端
- files.html: 工具栏加「🖥 终端」按钮(绿色),点击在新标签页打开SSH终端
- files.html: openTerminal() 传递 server_id + 当前路径到 terminal.html
- terminal.html: 支持 path URL参数,连接成功后自动 cd 到指定目录
- 打开方式: /app/terminal.html?server_id=8&path=/www/wwwroot
- 右键菜单也会集成「打开终端」选项
2026-05-31 00:53:00 +08:00
Your Name 17cdc96bb0 feat: 文件预加载+缓存 — 双击秒开编辑器
- api.js: Monaco编辑器CDN预加载(登录后后台加载)
- files.html: 文件内容预加载(目录浏览后自动预读≤30KB文本文件)
- files.html: 文件缓存(_fileCache), 双击已缓存文件直接打开
- files.html: 切换服务器时清空缓存
- 预加载策略: 最多10个文件, 仅文本类型, ≤30KB
2026-05-31 00:46:04 +08:00
Your Name 6012af0b4d fix: 双击编辑器冲突 — 延迟区分单击/双击 2026-05-31 00:25:02 +08:00
Your Name 9bdf7e420f feat: 文件管理器4项改进
1. 切换服务器自动重置路径为 /www/wwwroot
2. 默认目录 /www/wwwroot(而非根目录 /)
3. 双击文件打开编辑器(doPreview textarea模态框)
4. 双击目录进入目录(browseDir)
2026-05-31 00:17:22 +08:00
Your Name 40d672fdbb fix: 面包屑双斜杠bug (/tmp显示为//tmp) 2026-05-31 00:11:47 +08:00
Your Name 557c8d28c1 docs: files迭代审计报告 2026-05-30 23:46:12 +08:00
Your Name 9f7be66356 fix: 审计5个FINDING修复 (files迭代)
- H-15 [MEDIUM] download端点加100MB大小限制
- H-02 [LOW] Content-Disposition filename sanitize(替换特殊字符)
- H-12 [LOW] FileDownload/FileRead/FileWrite path加max_length=4096
- H-27 [LOW] doPreview保存失败解析错误详情显示detail
- H-29 [INFO] esc()函数加注释说明用途
- H-01 [HIGH] 远程路径限制 — ACCEPTED_RISK(用户明确决策)
2026-05-30 23:44:35 +08:00
Your Name ac38442383 docs: files.html 全面迭代 changelog 2026-05-30 23:36:49 +08:00
Your Name 14131f98f0 feat: files.html 全面迭代 — 15项改进
安全+后端:
- P2-1 符号链接解析(l权限检测+name/target分离)
- P2-7 新增 /api/sync/download 端点(SFTP流式下载)
- P2-8 新增 /api/sync/read-file + /write-file 端点(base64编码避免shell注入)

前端全面重写:
- P1-1 目录删除二次确认(自定义模态框+输入目录名)
- P2-2/2-3 事件委托替代内联onclick(data-action+data-path)
- P2-4 上传进度条(XHR.upload.onprogress)
- P2-5 文件大小可读化(B/KB/MB/GB)
- P2-6 文件类型图标(30+扩展名映射)
- P2-7 下载按钮+逻辑
- P2-8 文件预览/编辑弹窗(读取+修改+保存)
- P2-9 自定义模态框替代prompt/confirm
- P2-10 批量选择+批量删除(checkbox+全选+底部操作栏)
- P3-1 文件名搜索框(前端实时过滤)
- P3-2 符号链接🔗图标+target tooltip
- P3-3 空目录状态(图标+上传引导按钮)
- P3-4 服务器刷新按钮
- P3-5 操作loading状态(进度条) 2>&1
2026-05-30 23:34:24 +08:00
Your Name 64503c0260 fix: IP校验改用endpoint级HTTPException替代Pydantic validator
model_validator/field_validator在自定义RequestValidationError handler下
无法正确序列化为JSON,导致500。改用endpoint级_validate_ip_list()辅助函数
抛HTTPException(400),避免Pydantic→FastAPI序列化链路问题。
2026-05-30 22:48:41 +08:00
Your Name d19f5af807 fix: IP格式校验用field_validator替代model_validator
model_validator(mode='after')抛出ValueError时FastAPI不能正确序列化为422
→ 导致500 TypeError: Object of type ValueError is not JSON serializable
改用field_validator(mode='before')由Pydantic正常捕获返回422
2026-05-30 22:44:26 +08:00
Your Name 463841a740 docs: settings安全加固审计报告 2026-05-30 22:35:40 +08:00
Your Name 36fde6e6ed fix: 审计7个FINDING修复
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- F-1 [MEDIUM] IpAllowlistSaveRequest 加 IP/CIDR/域名格式校验
- F-2 [MEDIUM] _is_private_host 改为 async DNS 解析 (不再阻塞事件循环)
- F-3 [LOW] hot-reload int转换失败改 logger.warning 而非静默pass
- F-4 [LOW] 提取 _verify_reauth 辅助函数,消除4处重复re-auth代码
- F-5 [LOW] ChangePasswordRequest.totp_code 加 min_length=6 约束
- F-6 [LOW] revealTelegramToken 空catch改 console.error+toast
- F-7 [LOW] toggleApiKeyVisibility 空catch改 console.error+toast
2026-05-30 22:34:45 +08:00
Your Name 1a61fae590 docs: settings 安全加固+UX迭代 changelog 2026-05-30 22:02:45 +08:00
Your Name a50f17941d fix: settings 安全加固 + UX 迭代 — 10项修复
安全修复:
- S-01 SSRF: parse-subscription 加私有IP封禁+重定向限制+响应大小限制
- S-02 值校验: PUT /{key} 加 key 白名单 + INT 范围校验(1-1000/1-100/10-600)
- S-05 重登录: 改密码成功后跳转login.html+绿色提示
- S-07 审计: add_manual_ips/remove_allowlist_ip 补全审计日志
- S-09 TOTP: 已启用TOTP时改密码需输入验证码

UX改进:
- UX-01: 密码框focus ring + 设置项input type映射(number/url/text)
- UX-02: 改密码按钮loading状态(disabled+提交中...)
- UX-03: 3处空catch块→console.error+toast
- UX-04: 保存失败时reloadSettings恢复原值
- UX-05: IP格式校验(前端正则+后端Pydantic model_validator)
2026-05-30 21:58:13 +08:00
Your Name 362b28199f docs: settings 巡检 + Bot Token 脱敏 changelog 2026-05-30 21:18:34 +08:00
Your Name 5213def150 fix: Telegram Bot Token 脱敏 — GET 不返回明文,reveal 需密码验证
- 后端 SENSITIVE_KEYS 加入 telegram_bot_token,GET /settings/ 返回脱敏值
- 新增 POST /settings/telegram/reveal-token 端点(密码验证 + 审计日志)
- 前端 Telegram 区域独立渲染:Bot Token 默认脱敏,点"显示"需输入密码
- Chat ID 保持可编辑(非敏感信息)
- Bot Token 输入框默认 type=password,可切换明文/遮掩
2026-05-30 21:12:41 +08:00
Your Name 5166660f3a fix: GET /api/settings/ip-allowlist 被 /{key} 路由拦截 → 404
/{key} 路由在 ip-allowlist 之前定义,FastAPI 将 ip-allowlist
当作 setting key 查找,找不到返回 404。

修复:将 GET /ip-allowlist 路由移到 /{key} 之前(FastAPI 路由优先级)。

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 20:42:42 +08:00
Your Name 48ef06babb chore: gitignore 添加 MCP 工具目录 + 清理测试截图
- .megamemory/ (知识图谱)
- .playwright-mcp/ (浏览器状态/截图)
- tmp/ (临时文件)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 20:39:47 +08:00
Your Name ede7fbaa64 fix: settings PUT 后热更新内存 — 无需重启即生效
问题:修改 Telegram 等设置后需要重启服务器才能生效,
因为 load_settings_from_db() 只在启动时运行。

修复:PUT /api/settings/{key} 写入 DB 后,
同步更新 settings 内存对象(DB_OVERRIDE_MAP 映射 + INT_SETTINGS 类型转换)。

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 20:28:51 +08:00
Your Name 4c4d41b8f5 docs: add changelog and audit for ruff cleanup
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 20:10:28 +08:00
Your Name 32feb1b6db fix: 全站 ruff 清零 — 77 errors → 0
Fixes:
- F821: install.py site_url 未定义(NameError)、sync_v2.py os 未导入、script_jobs.py LOG f-string
- F401: 移除 22 个未使用导入(models/__init__.py、install.py、auth.py 等)
- B904: 20 个 except 块 raise 添加 from e/from None
- S110: 20 个有意的 try-except-pass 添加 noqa 注释(SSH清理/DDL幂等/WS断连)
- B007: 3 个未使用循环变量重命名(dirs→_dirs、server_id→_server_id)
- F541: 3 个无占位符 f-string 修正
- F841: auth.py 未使用 ip_address 变量移除
- S105: auth_service.py Redis key prefix 误报 noqa
- B023: script_execution_flush.py 循环变量绑定修复

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 20:07:45 +08:00
Your Name ebe276ea29 docs: add changelog and audit for servers iteration
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 19:50:07 +08:00
Your Name 84282e87ae feat: servers list iteration — server-side pagination/search/sort/status filter
Backend:
- server_repo.py: get_paginated() adds search/sort_by/sort_order/is_online params
  with whitelist-validated sorting and DB-level pagination
- servers.py: list_servers() adds search/sort_by/sort_order/is_online Query params
  with Redis post-filter for is_online accuracy
- servers.py: fix all 12 pre-existing ruff errors (unused imports, B904, S110, F541)
- servers.py: fix F821 bug — agent_port undefined in upgrade_agent()

Frontend:
- servers.html: complete rewrite with server-side pagination, debounced search,
  clickable column sorting, status filter dropdown, auto-refresh toggle,
  keyboard shortcuts (↑↓/jk/Esc//r), CSV export, skeleton loading,
  empty state with contextual hints, pagination controls (first/prev/nums/next/last)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 19:45:53 +08:00
Your Name de8d860244 fix: handle legacy agent heartbeat without server_id + migrate on_event to lifespan
- AgentHeartbeat.server_id changed to Optional[int] — missing server_id
  now returns 200 (discarded) instead of 422, stopping retry loops
- web/agent/agent.py: on_event("startup") → FastAPI lifespan pattern
- Added exponential backoff on consecutive heartbeat failures (cap 5min)
- Agent stops heartbeat loop on "discarded" response from central
- main.py: promoted temporary debug 422 handler to production-grade
- uninstall.sh: added legacy agent cleanup (pkill patterns, crontab,
  /opt/multisync-agent path)
- Confirmed servers.html batch buttons work correctly (disabled state
  is correct when no agents installed)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 18:20:14 +08:00
Your Name 3f50a40d25 feat: Agent 安装/卸载/升级脚本全面迭代
install.sh:
- 新增 Step 0:停旧服务 + 杀端口占用(fuser/ss/netstat 兜底)
- 修正步骤编号 [1/5] → [0/7]
- pip 依赖版本提取为脚本顶部变量,方便统一维护

uninstall.sh:
- 加 pkill 杀残留 Agent 进程
- 加 fuser 杀端口占用
- 清理 /etc/sudoers.d/nexus-agent 残留
- root 用户跳过 sudo 前缀

_sudo_wrap:
- NOPASSWD 命令白名单替代 ALL=(ALL)(仅 systemctl/apt/yum/rm 等)
- 降低 SSH 超时后 sudoers 残留的风险

升级 API:
- restart 前加 fuser -k 杀端口占用(单台+批量)
- install_agent_remote 检查 stdout 中的 FAILED 标记

卸载后清理:
- 清空 agent_api_key(之前只清 agent_version)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 16:11:09 +08:00
Your Name dc48f71b25 feat: 创建 Agent 卸载脚本 uninstall.sh
之前卸载功能调用了不存在的 uninstall.sh,导致 404 下载失败。
脚本功能:停止 systemd 服务 → 禁用并删除 unit → 删除 /opt/nexus-agent → 删除日志
支持非 root 用户(自动检测 sudo 权限)。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 14:35:33 +08:00
Your Name 913fd16bb9 fix: Agent 升级命令添加 sudo 前缀(非 root 用户)
systemctl restart 需要 root 权限,非 root SSH 用户必须加 sudo。
之前 _sudo_wrap 只设置了免密 sudoers 但命令本身没带 sudo,
导致升级时 "Interactive authentication required" 失败。
同时修复单台升级和批量升级的 rollback 命令。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 14:28:49 +08:00
Your Name deffa8a8f4 fix: AppAuthMiddleware 验证 refresh token 格式而非 JWT 解码
refresh token 是 opaque 格式 (token:admin_id:token_version),不是 JWT。
之前用 pyjwt.decode() 验证必然失败,导致所有登录用户访问 /app/ 都返回 404。
改为验证格式合法性(3段、admin_id>0、token_version>=0)。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 05:10:39 +08:00
Your Name 64a8a18287 fix: refresh cookie path 改为 /,修复 AppAuthMiddleware 读不到 cookie
REFRESH_COOKIE_PATH 从 /api/auth 改为 /,这样浏览器访问 /app/ 页面时
也会发送 nexus_refresh cookie,AppAuthMiddleware 才能正确验证登录状态。

同时包含之前的 AppAuthMiddleware 定义顺序修复和 422 调试日志。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 05:08:21 +08:00
Your Name cc0ca47d61 debug: 422 handler 简化 — 只记录 errors 和 content_type,不读 body
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 03:09:30 +08:00
Your Name 449373f24f debug: 添加 422 验证错误日志 — 记录请求体和验证错误详情
诊断 Agent 心跳 422 问题,临时捕获请求体内容。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 03:05:30 +08:00
Your Name 730b665306 fix: AppAuthMiddleware 类定义移到 add_middleware 调用之前
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Python 模块级代码顺序执行,类必须先定义再引用。
之前 add_middleware(AppAuthMiddleware) 在第404行但类定义在第495行,
导致 NameError 服务启动失败。同时修复 _is_install_mode → is_install_mode。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 03:01:08 +08:00
Your Name f5bea6f0d2 fix: AppAuthMiddleware add_middleware 重新加回 2026-05-30 02:46:11 +08:00
Your Name c808c28edf fix: 移除错误的 AppAuthMiddleware add_middleware(类定义在后面)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:45:19 +08:00
Your Name d53309e37e fix: AppAuthMiddleware 类定义移到 add_middleware 之前
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:43:29 +08:00
Your Name a8fe7fed0a fix: 添加 REFRESH_COOKIE_NAME import,修复 AppAuthMiddleware NameError
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:41:12 +08:00
Your Name f91cd847a9 feat: AppAuth 中间件 — 未登录时 /app/ 页面返回空白 HTML 404
通过 nexus_refresh cookie 验证身份,无有效 token 返回空白 HTML,
不暴露系统存在。白名单路径: login/install/vendor/static assets。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:39:48 +08:00
Your Name 993a234152 docs: 审计 + changelog — health纯文本/sha256/AppAuth
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:37:15 +08:00
Your Name e709c72f1f docs: CLAUDE.md 新增部署流程 + Health 纯文本修复
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:30:49 +08:00
Your Name f7c4b95dd6 fix: /health 返回纯文本 "ok" 替代 JSON,隐藏 FastAPI 后端指纹
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:30:01 +08:00
Your Name 75864fe04f fix: md5 → sha256 替换文件校验哈希算法,消除 bandit CWE-327
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 02:27:18 +08:00
Your Name ae22db4b3e fix: Nginx 重定向 + 自定义 404 — 隐藏 FastAPI 后端信息
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
nginx_https.conf 新增注释化重定向规则,将裸页面路径 301 到 /app/ 前缀;
main.py 添加 StarletteHTTPExceptionHandler,404 返回空白 HTML 而非 JSON,
避免泄露后端框架标识。

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-30 02:03:57 +08:00
Your Name 0b82a3fee7 feat: 推送取消 — 引擎 cancel flag 检查 + WS cancelled 计数器
sync_engine_v2: 每台服务器推送前检查 Redis sync:cancel:{batch_id},
若已取消则跳过并标记 cancelled 状态,WS 广播 cancelled 计数。
websocket: broadcast_sync_progress 新增 cancelled 参数。

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 00:57:38 +08:00
Your Name d785c78d6d fix: 审计修复 — esc() 加单引号转义 + 移除死代码 editQuickCmd
B2: esc() 不转义 ' 可能在 onclick 中注入
B4: editQuickCmd 定义但无调用(✏按钮已移除)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 00:26:14 +08:00
Your Name 56906e8fe2 fix: 快速命令栏移至命令栏上方 — chip 样式替代右侧面板列表
自定义命令在前(brand高亮),内置命令在后(灰色)。hover 显示 × 可删除。
+ 号弹窗添加新命令。

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 00:22:31 +08:00
Your Name da234c4e73 fix: 终端命令栏被覆盖 — termContainer隔离终端实例
termminal div 用 absolute inset:0 覆盖了底部 cmdBar。
修复: termContainer(flex-1 relative) 容器隔离,cmdBar 作为 flex sibling 在下方。

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 00:19:16 +08:00
Your Name 7193b88156 feat: 终端页面 11 项全覆盖迭代 — 多标签/快速命令/字体/历史/重连/右键等
11 项改进:
- 多标签会话 (切换/关闭/新建,每标签独立 xterm+WS)
- 快速命令栏 (内置5条 + 自定义,localStorage持久化)
- 字体大小调节 (A−/A+按钮 + Ctrl+/-)
- Ctrl+L 清屏
- 命令历史持久化 (200条 FIFO localStorage)
- 右键菜单 (复制/粘贴/清屏/全选)
- 断开自动重连 (指数退避 + 倒计时)
- 连接信息栏 (时长 + PING RTT)
- 终端路径显示 (OSC title + onTitleChange)
- 滚动缓冲区调节 (1K/5K/10K/50K)
- 快速搜索服务器

后端: PING/PONG + PROMPT_COMMAND 注入

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 00:17:22 +08:00
Your Name ac66f5b4e7 fix: 卸载Agent后清除Redis心跳(之前只清MySQL导致在线状态残留)
卸载Agent后只更新MySQL is_online=False,但前端读Redis覆盖为True。
修复: uninstall_agent_remote + batch_uninstall_agent 都增加redis.delete(heartbeat:{id})

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 23:57:06 +08:00
Your Name 6dd0b487b7 fix: install.sh 和 upgrade_agent 增加 rsync 自动安装
推送功能依赖目标服务器安装 rsync,但 install.sh 仅安装 Python 包。
现在 install.sh 步骤2/6检测并自动安装 rsync(apt/yum/dnf)。
upgrade_agent / batch_upgrade_agent 流程中也增加 rsync 检测,
已有服务器点击"升级 Agent"即可自动补装 rsync。

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 23:45:01 +08:00
Your Name fe211619aa fix: 审计修复 — esc() 增加双引号转义, 移除死代码 replace(/'/g,"\'")
B1: esc() 不转义 " 导致文件名含双引号时破坏 HTML onclick 属性
B2: esc().replace(/'/g,"\'") — esc已转义单引号为&#39;,后续replace为死代码

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 23:07:01 +08:00
Your Name 0cbda8c840 fix: 审计修复 — diagnose/file-diff 端点静默吞错改为 logger.debug/warning
B1: diagnose 磁盘和路径检查 except:pass 改为 logger.debug()
B2: file-diff SSH失败无日志改为 logger.warning()

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 22:11:06 +08:00
Your Name 5958c21048 feat: 推送页面 Round 4 — 服务器搜索 / Diff对比 / 排错诊断 / 源路径输入 / 批量重试
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
5 项新功能:
- H2: 服务器搜索过滤 — 目标服务器下拉加搜索框实时过滤
- H3: 推送对比 Diff 视图 — 预览文件列表加 diff 按钮对比本地与远程差异
- H4: 推送排错面板 — 失败行加诊断按钮检查SSH/磁盘/权限
- H5: 源路径直接输入 — 支持直接输入服务器本地路径推送
- H6: 批量重试 — 一键重试所有失败服务器

新增后端端点:
- POST /api/sync/validate-source-path (H5)
- POST /api/sync/diagnose (H4)
- POST /api/sync/file-diff (H3)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 21:29:41 +08:00
Your Name 02423cb803 docs: 推送页面 Round 2 迭代设计文档与 changelog
- 设计文档: 5 项迭代功能(同步说明、在线标识、失败重试、Telegram通知、文件预览)
- 技术方案: 详细实现步骤与文件清单
- Changelog: 功能变更记录

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 18:54:12 +08:00
Your Name 152852e2c3 fix: 会话时效30天 + 多设备同时登录
- access token 从 30 分钟延长到 30 天
- refresh token 从 7 天延长到 30 天
- refresh token 从 MySQL 单字段改为 Redis Set 存储,支持多设备同时登录
- 单设备退出不再踢掉其他设备(只删自己的 Redis hash)
- 改密码/禁用 TOTP 仍会让所有设备掉线(token_version 递增)
- 移除 reuse 误杀逻辑:版本不匹配只拒绝当前 token,不惩罚其他设备

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 18:52:14 +08:00
Your Name 3c7036babf fix: 补回 servers.html 丢失的检测路径+卸载Agent功能
从 worktree 分支同步完整的 servers.html,补回:
- 批量操作栏"检测路径"按钮(搜索 workerman.bat 自动设置 target_path)
- 批量操作栏"卸载 Agent"按钮
- batchDetectPath() 和 batchUninstallAgent() 函数

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 16:56:23 +08:00
Your Name 74de9d303e feat: 推送页面 Round 2 迭代 — 同步说明 + 在线标识 + 失败重试 + Telegram通知 + 文件预览
F5: 同步模式详细说明 — 每种模式下方显示说明文字,切换时动态更新
F2: 服务器在线状态标识 — 服务器列表显示🟢/🔴在线/离线标识
F1: 失败自动重试 — 推送失败自动创建重试任务 + 失败行"🔄 重试"按钮
F3: 推送完成 Telegram 通知 — 全成功🟢/部分失败🟡/全失败🔴 三种消息含详情
F4: 文件内容预览 — 文件管理器点击文件名弹出内容预览模态框

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 15:59:30 +08:00
Your Name ad2e7667d3 Merge branch 'claude/condescending-ishizaka-3cff3a' 2026-05-28 21:02:09 +08:00
Your Name 82c297776a feat: 推送页面 5 项迭代 — WS实时进度 + 分组选择 + 历史增强 + 文件操作 + 推送校验
F1: broadcast_sync_progress() + batch_id + 前端WS逐台更新
F2: get_paginated() platform_id/node_id + /categories端点 + 筛选下拉框
F4: _sync_log_to_dict() 补全字段 + diff_summary捕获 + 可展开详情面板
F7: /local-file-ops端点 + 文件管理器删除/重命名
F8: /verify端点 md5sum对比 + 推送后校验UI

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 21:01:27 +08:00
Your Name 77b332c037 fix: 远程安装按钮修复 + install.sh sudo/venv兼容 + api_base_url管理
- 修复详情面板"远程安装"按钮始终禁用:s._base_url 改为从新API获取全局API_BASE_URL
- 新增 GET /api/servers/meta/api_base_url 端点
- api_base_url 加入 DB_OVERRIDE_MAP + 启动迁移逻辑
- install.sh 非 root 用户自动 sudo 检测 + NOPASSWD 配置
- 后端 _sudo_wrap 辅助函数应用于 4 个 Agent 操作端点
- install.sh venv 创建加 || true 兼容 set -e(缺 python3-venv 不再直接退出)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 14:33:19 +08:00
Your Name 97be1fd214 完善审计日志中文化:auth_service/script_service/sync_engine 全部 detail 改中文 + 前端新增 webssh_token/refresh_token_mismatch 等映射 + MCP deploy 修复
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 02:57:51 +08:00
Your Name 366bdc18fa fix: deploy tool git pull before gate check + use origin/main
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 02:27:32 +08:00
Your Name 280357d7d7 Merge remote-tracking branch 'origin/claude/condescending-ishizaka-3cff3a' 2026-05-27 02:19:40 +08:00
Your Name fd9b7d85b5 fix: 批量安装按钮检测 + 审计日志中文化 + terminal断开反馈
1. updateBatchBar() hasAgent 判断从 agent_api_key_set 改为 agent_version
2. 所有后端 AuditLog detail 字段统一中文
3. audit.html 操作/目标类型中文映射
4. terminal.html 断开覆盖层 + 重新连接按钮
5. Agent os_release 上报 + 前端系统版本拆分

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 02:17:35 +08:00
Your Name 8b82d6bab0 Add changelog for fmtTime/venv/batchinstall fixes
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 00:59:48 +08:00
Your Name 869f64ac18 Fix install.sh venv robustness + batch install API error reporting
install.sh: detect incomplete venv (missing activate), auto-install
python3-venv and retry instead of silently failing.

servers.py batch install: preserve server_name on exception, detect
"Status: FAILED" in stdout, return error details when stderr is empty,
increase SSH timeout to 180s.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 00:53:00 +08:00
Your Name 69056491a7 Fix fmtTime Invalid Date for timezone-aware timestamps (+00:00)
fmtTime() was appending 'Z' to all timestamps, causing Invalid Date
when the timestamp already had a timezone suffix like +00:00.
Now tries new Date(t) first, falls back to new Date(t+'Z').

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 00:34:51 +08:00
Your Name 02f1fa4ef3 Add .gitattributes + changelog for Agent install fix and deploy
- .gitattributes: enforce LF line endings for .sh/.py to prevent CRLF issues on Linux
- Changelog: document Agent install 404 fix, curl|bash pipe fix, CRLF fix, and successful deployment to both sub-servers

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 00:27:05 +08:00
Your Name eadf7254a1 Merge remote-tracking branch 'origin/claude/condescending-ishizaka-3cff3a' 2026-05-26 22:59:14 +08:00
Your Name 1c70e597a3 Fix Agent install 404 + add command input bar + fix install pipe error hiding
1. Mount /agent/ static files for install.sh/agent.py (was 404)
2. Replace curl|bash pipe with temp-file download to catch curl errors
3. Add command input bar to terminal.html bottom
4. Fix terminal CSS layout for flex with command bar

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-26 22:57:32 +08:00
Your Name 867e2aa552 Merge branch 'claude/condescending-ishizaka-3cff3a'
# Conflicts:
#	server/infrastructure/database/setting_repo.py
2026-05-26 21:58:38 +08:00
Your Name a2d392dae7 fix: WebSSH terminal echo delay — replace readline() with read()
asyncssh's async-for on shell.stdout internally calls readline()
which buffers until a newline is found. For interactive terminal
use, single-character echo never contains a newline, so all
typed characters were buffered until Enter was pressed.

Fix: use shell.stdout.read(4096) which returns data as soon as
any is available, and set bufsize=4096 on create_process() to
reduce the internal read buffer from 128KB to 4KB for low-latency
interactive echo.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-26 21:54:40 +08:00
Your Name 8b10f9d64a fix: WebSSH terminal disconnect after connect + stale pool retry
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- Fix shell creation failure on stale pooled SSH connections:
  force-close and retry with fresh connection
- Fix empty error message in logs: use {type(e).__name__}: {e!r}
- Fix double WebSocket.close() causing RuntimeError in finally block:
  track ws_closed flag to avoid closing twice
- Fix Alpine undefined error in terminal.html: $d() now returns
  default object when Alpine hasn't initialized yet
- All websocket.close() calls now wrapped in try/except

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-26 21:33:31 +08:00
Your Name b1aa235726 fix: Gate3 false positive + test_api.py production compatibility
- Gate3: Replace loose grep (matched "0/25 failed" summary) with precise
  [FAIL] marker counting + "N test(s) failed" pattern
- test_api.py: Add .env credential loading for gate check automation
- test_api.py: Fix REST status codes (POST→201, DELETE→204)
- test_api.py: Add 204 empty body handling, dynamic ID, pre-cleanup
- Add gate_log.jsonl tracking to all 7 gates
- Add knowledge graph restructure changelog

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-26 19:33:31 +08:00
Your Name 5afb18b745 feat: gate v2 — 3→7 gates with anti-bypass, lint, security, review cross-validation
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 10:02:14 +08:00
Your Name a1b0b2c514 feat: Terminal sidebar+panel, SSH key fix, auth cleanup, pre-deploy gates
- terminal.html: left sidebar (default open), right server panel with server list
- servers.py: fix SSH key double-encryption in update_server, auth method switch cleanup
- servers.html: auth switch clears opposite credentials (key↔password)
- deploy/pre_deploy_check.sh: 3-gate pre-deploy check (changelog/audit/test)
- mcp/Nexus_server.py: deploy() runs gate check before git pull+restart
- docs/audit/: audit record template + today's audit results
- CLAUDE.md: add gate enforcement rules and progress bar discipline

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 09:16:05 +08:00
Your Name f591033309 docs: add changelog for asset management removal
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 00:58:14 +08:00
Your Name 89fa517693 refactor: remove asset management page, simplify server form
- Delete assets.html (platform/node management had low utility)
- Remove "资产管理" sidebar entry from layout.js
- Server form: remove Platform/Node dropdowns, keep only Category
  combobox (with datalist for existing categories)
- Remove loadOrgSelects() and platform_id/node_id from save logic
- Backend API and DB tables preserved for data compatibility

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 00:46:39 +08:00
Your Name 973e23e038 fix: CSV template download 401 + category combobox
1. CSV template download link now uses apiFetch (with JWT) instead
   of direct <a> href which returned 401 Unauthorized
2. Server category field changed from plain input to combobox with
   datalist — users can select existing categories or type new ones

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 00:30:46 +08:00
Your Name ad7f4d8d62 docs: update changelog with route fix and browser verification results
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 00:27:25 +08:00
Your Name fb4e51ec5a fix: move static routes before /{id} to fix route conflict
/batch/install-agent, /batch/upgrade-agent, /import, and
/import/template were registered after /{id}, causing FastAPI
to match 'batch' and 'import' as the {id} parameter.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 00:25:25 +08:00
Your Name 8cd091add8 feat: CSV batch import, SFTP upload, batch Agent operations
Add three missing frontend management features:
1. Server CSV import (POST /api/servers/import) with injection prevention
2. SFTP file upload (POST /api/sync/upload) with path traversal protection
3. Batch Agent install/upgrade with Semaphore concurrency control

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-26 00:17:43 +08:00
Your Name 6be989c299 feat: add SSH key preset management to credentials page
Add third tab "SSH密钥预设" to credentials.html with full CRUD:
- List presets with public key preview and creation date
- Add/edit preset (name, private key, public key)
- Reveal private key via re-authentication modal
- Delete preset with confirmation
- Route "+ 新建" button to correct form based on active tab

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 23:54:11 +08:00
Your Name ccb78ed980 feat: SSH key preset system — dropdown + backend auto-resolve
- Add SshKeyPreset model + repo (encrypted_private_key, public_key)
- Add ssh_key_preset_id to Server model + schemas
- Add CRUD + reveal API routes (/api/ssh-key-presets/)
- servers.py: auto-resolve ssh_key_preset_id → decrypt → set ssh_key_private
- servers.html: key preset dropdown in key auth section, hides path/textarea on select
- Mirror password preset pattern: zero frontend credential exposure

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 22:49:57 +08:00
Your Name 95aa8a610f security: move refresh token to HttpOnly cookie
- Refresh token stored in HttpOnly + Secure + SameSite=Lax cookie
  instead of localStorage (XSS can no longer steal it)
- Login sets cookie, refresh reads from cookie, logout clears cookie
- Access token remains in localStorage (short-lived, 30min)
- Clear pendingPassword from memory after TOTP success/back
- Remove "admin" from username placeholder
- Cookie path scoped to /api/auth (minimal exposure)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 20:22:34 +08:00
Your Name 9de6ac9904 fix: auth default to password + remove SSH tab from assets
servers.html: Default auth method to "密码" (password) instead of "密钥"
(key) when adding a new server. Hide key path row by default.

assets.html: Remove SSH Sessions tab — it duplicated the server list
functionality. Assets page now focuses on classification metadata:
platform templates and node groups only.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 19:33:39 +08:00
Your Name cf0725b037 fix: credentials.html JS parse error + assets.html SSH session UX
credentials.html: Remove broken nested ternary `Alpine?Alpine.store?...`
that caused "Unexpected token ':'" which killed the entire script block,
making all functions (showAddCred, loadCreds, etc.) undefined.

assets.html: Replace SSH session history list with server list +
double-click to open terminal, matching user's requested UX.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 19:17:09 +08:00
Your Name 3943ff4f3a fix: remove updated_at secondary check that invalidated fresh JWTs
The updated_at secondary check in _verify_token() was a "defense in
depth" mechanism, but it caused a race condition: login updates admin
(last_login, onupdate→updated_at) AFTER creating the JWT, so the JWT's
"updated" claim is immediately stale. Any DB admin update (including
innocuous ones like last_login) would invalidate all existing tokens.

The token_version primary check already covers all security scenarios
(password change, TOTP disable, token reuse detection) and is the
correct mechanism for invalidating sessions. Removed the updated_at
check from both _verify_token() and get_optional_admin().

Also reordered login/refresh flows to create JWT AFTER admin update,
so the token captures the latest updated_at (belt and suspenders).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 16:23:20 +08:00
Your Name deb3a94ee6 fix: token_version NULL handling — normalize None→0 in JWT comparison
Direct DB inserts (e.g. install wizard, manual MySQL) may leave
token_version as NULL. JWT payload had tv:null which failed the
strict != comparison against DB value 0. Normalize both sides
with `or 0` for defensive coding.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 15:37:10 +08:00
Your Name 99201f48fd fix: MissingGreenlet error — convert all middleware to pure ASGI
Root cause: BaseHTTPMiddleware.call_next() runs the endpoint in a
separate async task, which breaks SQLAlchemy's greenlet context.
After session.commit(), the connection is released to the pool.
When session.refresh() tries to acquire a new connection for a
SELECT, it fails with MissingGreenlet because the greenlet spawn
context is not available in the call_next() task.

Fix (two-part):
1. Convert all 4 middleware classes from BaseHTTPMiddleware to pure
   ASGI middleware — eliminates call_next() entirely so the entire
   request chain runs in the same async context.
2. Set expire_on_commit=False on the session factory — after commit,
   objects retain their in-memory values instead of being expired.
   This removes the need for session.refresh() entirely.

All session.refresh() calls removed from 11 repository files.
With expire_on_commit=False, post-commit attribute access no longer
triggers lazy loads that would also fail with MissingGreenlet.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 15:24:15 +08:00
Your Name c72631a293 merge: 安装脚本+PHP移除+宝塔适配 合并到main
合并 claude/condescending-ishizaka-3cff3a 分支:
- deploy/install.sh: 一键安装脚本(宝塔/标准模式自适应)
- deploy/upgrade.sh + uninstall.sh
- docs/install-guide.md: 完整中文安装教程
- PHP完全移除: install.php删除, config.php→config.json
- crypto.py: 移除PHP AES-CBC兼容, 纯Fernet
- install.py: 宝塔Supervisor路径自适应, Fernet密钥生成
- install.html: Step 5宝塔/标准模式条件渲染
- 44个冲突文件使用worktree分支版本(全部最新代码)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 08:25:29 +08:00
Your Name a1276f38ad feat: 一键安装脚本 + PHP完全移除 + config.php→config.json
新增文件:
- deploy/install.sh: 7步一键安装(自动检测宝塔/标准模式)
- deploy/upgrade.sh: git pull + pip install + restart + 健康检查
- deploy/uninstall.sh: 停服务+删配置, 可选--purge删部署目录
- docs/install-guide.md: 完整中文安装教程(宝塔+手动)

核心改动:
- install.py: 宝塔Supervisor路径自适应, init-db返回bt_panel标记,
  config.php→config.json, 移除PHP锁文件, 生成Fernet加密密钥
- install.html: Step 5根据btPanel显示不同Supervisor/Nginx/SSL指引
- crypto.py: 移除PHP AES-CBC兼容层, 纯Fernet加密
- 删除 web/install.php (1192行PHP, 功能已完全迁移到Python)

PHP清理:
- Nginx配置: config\.php→config\.json deny规则
- config.py/main.py/migrations.py: install.php注释→install wizard
- CLAUDE.md/AGENTS.md: config.php→config.json, 移除PHP引用
- firefox_server.py: login.php→login.html默认URL

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-25 08:23:37 +08:00
Your Name 400dcae781 fix: 代码验证发现的两处问题
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- websocket.py: asyncio.get_event_loop() → get_running_loop()
  (Python 3.10+废弃,shutdown时可能RuntimeError)
- asyncssh_pool.py: 全忙等待逻辑在锁外操作有竞态条件
  简化为直接raise ConnectionError,不在锁外重试

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-24 16:31:13 +08:00
Your Name cdd0be328a fix: 六轮深度扫描 — 47项Bug修复、安全加固、死代码清理
Critical runtime bugs:
- terminal.html WebSSH完全不可用(URL前缀/JSON解析/Content-Type三处错误)
- servers.py路由遮蔽:/logs被/{id}拦截,3个前端页面同步日志查询失败
- scripts.html startExecPoll()→startExecPolling(),长任务快速执行崩溃
- agent.py {value!r!s:.50}格式串非法,agent发非数值时ValueError
- alerts.html d.daily.reduce()无null检查,API返回空数据时TypeError

Resource leak / stability:
- websocket.py僵尸连接未关闭TCP,文件描述符泄漏
- websocket.py _last_alert_time字典无限增长(加1小时过期清理)
- asyncssh_pool.py全忙时超过MAX_CONNECTIONS无限增长
- self_monitor.py Telegram告警无冷却,宕机时每30秒刷屏
- schedule_runner.py一次性调度执行超60秒会重复触发
- 限速脚本EXPIRE每次重置窗口可绕过(改用Lua原子脚本)

Security:
- JWT access token加token_version声明,改密码后旧token立失效(零宽限)
- INSTALL_MODE导入时常量→动态函数,安装后JWT认证不再残留禁用
- install.py /lock端点加管理员存在性验证,防止阻断安装
- ServerUpdate schema移除connectivity只读字段,防止伪造连接状态

Frontend fixes:
- doExec()缺r.ok检查、commands.html null检查
- _server_to_dict()补last_checked_at+ssh_key_public
- _field_match()逗号cron表达式修复
- alerts类型显示、SSH会话名称、搜索高亮定位
- 一次性/循环定时任务(run_mode+fire_at+自动禁用)

Dead code removed (400+ lines):
- SyncService batch_push/_push_single等5个方法(零调用者)
- 5个未使用schema(SyncCommands/SyncConfig/SyncSftp/FileDeploy/PaginatedResponse)
- 6个零调用service方法、3个无前端API端点
- 4个未使用import

Schema migrations:
- push_schedules: run_mode + fire_at列,cron_expr改NULL
- servers: 7个新列 + ssh_key_private/public VARCHAR(500)→TEXT

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-24 16:26:40 +08:00
Your Name fbf5eadcf2 fix(security): R2+R3 全面代码审计修复 — 3 CRITICAL / 9 HIGH / 15 MEDIUM / 10 LOW
CRITICAL:
- C-1: sync_service.py rsync命令shlex.quote防Shell注入回归
- C-2: agent.py exec端点危险命令正则拦截+compare_digest+僵尸进程修复
- C-3: WebSSH JWT token绑定server_id防IDOR

HIGH:
- H-1: 所有PUT/POST端点setattr改为字段白名单防任意字段注入
- H-2: settings/assets/scripts端点添加JWT认证
- H-3: refresh_token invalidate-then-generate防并发重放
- H-4: servers.py Redis pipeline解决N+1查询
- H-7: settings API Key/Secret掩码+禁止修改
- H-8: TOTP暴力破解速率限制(5次/5分钟)
- H-9: get_optional_admin改用request-scoped session

MEDIUM:
- M-2: X-Real-IP优先+X-Forwarded-For取末值防IP伪造
- M-4: asyncssh异常信息脱敏(只含server_id)
- M-5: 分页limit上限(500/200/500/500)
- M-9: API层Redis依赖抽象至dependencies.py
- M-10: WebSocket ConnectionManager多worker Redis聚合
- M-13: login_attempts复合索引
- M-14: ServerRepository.get_by_ids批量查询
- M-15: API错误消息统一中文

R3追加:
- sysctl命令注入防护+regex验证
- $DB_PASS明文存储→masked_command双命令方案
- MYSQL_PWD环境变量替代-p flag
- health端点拆分(公开/需认证)
- repo层**kwargs→字段白名单
- 全局str(e)信息泄露修复(API/Telegram/WebSocket)
- SSRF私有IP拦截
- Nginx HTTPS配置+DB备份脚本
- 前端CDN SRI哈希+XSS修复
- __import__替换为正常import

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 10:58:33 +08:00
Your Name 9bba58a529 feat: Telegram test+ChatID, Agent IP allowlist/upgrade, alert history page
Telegram:
- POST /api/settings/telegram/test: send test message (checks token+chat_id)
- GET /api/settings/telegram/chats: call getUpdates, return up to 5 chats
- settings.html: test button + detect chat IDs with click-to-fill

Agent IP allowlist (web/agent/agent.py):
- allowed_ips config: list of trusted IPs/CIDRs from config.json
- _ip_allowed(): checks exact IP, CIDR (ipaddress module), hostname
- verify_api_key(): now checks IP allowlist before API key
- /health: also checks IP allowlist
- install.sh: auto-extracts central server IP from --url, adds to allowed_ips

Agent auto-upgrade (server/api/servers.py):
- POST /api/servers/{id}/upgrade-agent: SSH → curl new agent.py → systemctl restart
- servers.html: 升级 Agent button in Agent tab (only when online)

Alert history (new page):
- domain/models: AlertLog table (server_id, type, value, is_recovery, created_at)
- migrations.py: CREATE TABLE IF NOT EXISTS alert_logs
- websocket.py: _save_alert_log() called from broadcast_alert/recovery
- settings.py: GET /api/alert-history/ (paginated, filters), GET /stats
- main.py: register alert_history_router
- alerts.html: new page with stats cards, top-servers bar chart, alert list
- layout.js: 🔔 告警中心 added to sidebar nav

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 18:27:12 +08:00
Your Name 488838c989 feat: separate subscription/manual IPs + master enable/disable toggle
Data model (separate storage):
- login_allowlist_enabled: 'true'/'false' master switch
- login_subscription_url: URL to fetch every 2h
- login_subscription_ips: last fetch result (replaced entirely each refresh)
- login_manual_ips: manually added (never overwritten by refresh)
- login_allowed_ips: combined (used by auth for legacy compat)

ip_allowlist_refresh.py:
- Saves to login_subscription_ips (replace) + rebuilds login_allowed_ips

auth_service.py:
- Login check: only runs when LOGIN_ALLOWLIST_ENABLED is 'true'
- Combines subscription_ips + manual_ips at auth time (no stale combined key needed)

settings.py:
- POST /ip-allowlist/toggle: quick enable/disable endpoint
- GET /ip-allowlist: returns subscription_ips, manual_ips separately
- POST /ip-allowlist: saves manual_ips + optional subscription_url + optional enabled

settings.html:
- Toggle switch: enable/disable with warning if list is empty
- Green notice when enabled (warns about self-lockout risk)
- Grey notice when disabled
- Subscription IPs section: read-only, auto-refresh badge
- Manual IPs section: deletable per-IP, clear all button

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 18:19:47 +08:00
Your Name da43960f38 feat: subscription URL stored in settings, auto-refresh allowlist every 2h
config.py:
- LOGIN_SUBSCRIPTION_URL: stored in DB, configurable from UI
- LOGIN_MANUAL_IPS: manually added IPs (preserved across auto-refresh)

background/ip_allowlist_refresh.py (new):
- ip_allowlist_refresh_loop(): primary-worker task, every 2h
- _do_refresh(): fetch subscription, parse IPs, merge with manual IPs,
  write combined to LOGIN_ALLOWED_IPS + DB setting; runs once at startup (5s delay)
- get_last_refresh_time(): returns last successful refresh timestamp

main.py:
- Register ip_allowlist_refresh_loop as background task

settings.py:
- GET /ip-allowlist: now returns subscription_url, manual_ips, last_refresh
- POST /ip-allowlist: saves manual_ips + subscription_url, triggers refresh
- POST /ip-allowlist/manual: append to manual list only, trigger rebuild
- DELETE /ip-allowlist/ip: remove single manual IP, trigger rebuild

settings.html:
- Subscription URL field with 保存 + 🔄 instant-refresh button
- Last refresh timestamp display
- Status badge shows '订阅自动刷新' when URL configured
- IP badges: blue=manual (deletable), grey=from subscription (auto)
- 预览 button to inspect subscription IPs without saving

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 18:15:29 +08:00
Your Name 5fcc1e22a6 feat: login IP allowlist with proxy subscription parser
server/infrastructure/subscription_parser.py (new):
- parse_subscription_content(): fetch and decode subscription, extract host/IP
- Supports SS, VMess, VLESS, Trojan, Hysteria2 formats
- Base64 decode with padding fix; IPv4/CIDR/hostname detection

server/config.py:
- LOGIN_ALLOWED_IPS setting (empty = allow all, comma-separated)

server/api/settings.py:
- POST /settings/ip-allowlist/parse-subscription: fetch URL, decode, return hosts
- POST /settings/ip-allowlist: save allowlist to settings table + reload
- GET /settings/ip-allowlist: return current list

server/application/services/auth_service.py:
- _ip_in_allowlist(): supports exact IP, CIDR (ipaddress module), hostname match
- login(): check allowlist before brute-force check; if IP blocked return
  reason='ip_blocked' with clear message; audit log 'login_ip_blocked'

web/app/settings.html:
- New '登录 IP 白名单' card with:
  - Subscription URL input + parse button (calls backend parser)
  - Parsed IPs with checkboxes (select/deselect before adding)
  - Manual IP/CIDR/hostname textarea input
  - Current allowlist with per-IP remove buttons
  - Clear all button (removes restriction)
  - Status badge: 启用 N条 / 未启用(不限制)

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 18:11:23 +08:00
Your Name 37ceaef6d9 feat: auto-poll Agent online status after install with live badge update
- remoteInstallAgent(): after success, start _startAgentOnlinePoller() instead
  of one-shot setTimeout(loadServers, 2000)
- _startAgentOnlinePoller(serverId): poll GET /api/servers/{id} every 5s up to
  2 minutes (24 attempts); when is_online=true, update status badge live,
  disable remote-install button, toast 'Agent 已上线', reload server list
- _updateAgentStatusBadge(isOnline): in-place badge update without full reload
- Install log shows: '✓ 安装成功!等待首次心跳...' then ' Agent 心跳已收到'
- Hint text explains: install ~30-60s, first heartbeat another ~60s
- Manual install: 'click to wait for Agent online' button triggers same poller

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:47:22 +08:00
Your Name d414b945e1 feat: audit log time-range filter + script execution schedules
Audit log time-range filter:
- audit_log_repo.py: unified query() with action/admin_username/date_from/date_to
  filters + total count; _build_filters() helper for date parsing
- settings.py GET /audit/: add date_from, date_to, admin_username query params
- audit.html: date range inputs (YYYY-MM-DD), admin filter input, action filter
  expanded with optgroups (服务器/推送/脚本/认证/设置); clear filter button

Script execution schedules:
- domain/models: PushSchedule extended with schedule_type('push'|'script'),
  script_id FK, script_content Text, exec_timeout int, long_task bool;
  source_path made nullable
- migrations.py: 6 new ALTER TABLE statements (idempotent)
- schedule_runner.py: detect schedule_type; for 'script' type use ScriptService;
  for 'push' type keep original SyncEngineV2 sync_files behaviour
- schemas.py: ScheduleCreate/Update add all new fields
- schedules.html: full UI rewrite
  - type selector radio: 📁 文件推送 /  脚本执行
  - script fields: script library dropdown + textarea + timeout + long_task
  - schedule list shows type badge + detail preview
  - saveSched() validates required fields per type

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:29:16 +08:00
Your Name 4ca07fa252 feat: quick execute panel in scripts.html (no script save required)
Add collapsible '直接执行命令' card at top of scripts page:
- Textarea for ad-hoc command (no script_id, not saved to library)
- Multi-select server list (loaded on first expand, same batch size)
- Options: timeout, DB credential (* substitution), long_task nohup
- Ctrl+Enter shortcut to submit
- Uses same batch tracking + status panel + polling as saved scripts
- Clear button to reset command
- Batch hint shows server count and batch size
- 全选 button for quick server selection

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:23:25 +08:00
Your Name d2832567c7 feat: push logs view in commands.html + paginated sync log API
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
sync_log_repo.py:
- get_all_paginated(): server_id/status/sync_mode/trigger_type filters +
  server name JOIN + total count for pagination

server/api/servers.py GET /servers/logs:
- Add server_id/status/sync_mode/trigger_type/offset/limit query params
- Return {items, total, offset, limit} instead of plain list

web/app/commands.html (renamed title to '操作日志'):
- Third view: '推送日志' with paginated table
- Columns: 状态(dot badge) / 服务器 / 模式 / 触发方式 / 源路径 /
  目标路径 / 文件数 / 耗时 / 操作人 / 开始时间
- Filters: 服务器 + 状态(success/failed/running) + 模式 (incremental/full/...)
- Pagination controls with prev/next page (50 per page)
- Error message in row title attribute (hover for details)

web/app/push.html:
- Update loadHistory() to handle new {items, total} response format

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:20:53 +08:00
Your Name 14dc29f241 feat: Agent install tab with copy command + one-click remote install via SSH
server/api/servers.py:
- POST /{id}/install-agent: SSH-execute install.sh on managed server using
  stored credentials; requires API_BASE_URL + agent_api_key; 120s timeout
- GET /{id}/agent-install-cmd: return pre-filled curl command for copy-paste

web/app/servers.html:
- New 'Agent 安装' tab in server detail panel
  - Shows Agent online/offline status badge
  - Warns if NEXUS_API_BASE_URL or API Key is missing
  - Displays ready-to-copy curl install command with port auto-filled
  - ' 一键远程安装' button (SSH exec): disabled if already online
  - Scrollable install log output panel
  - Tab uses shared showDetailTab() + loadAgentInstall() / remoteInstallAgent()
- Explains: script auto-installs Python, downloads agent.py, writes config,
  sets up systemd, opens firewall port

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:16:14 +08:00
Your Name b9e8db7a3f feat: per-alert notification toggles with switch UI
config.py:
- Add NOTIFY_ALERT_CPU/MEM/DISK, NOTIFY_RECOVERY, NOTIFY_TIME_DRIFT,
  NOTIFY_SYSTEM_REDIS, NOTIFY_SYSTEM_MYSQL, NOTIFY_RESTART settings
  (string 'true'/'false', loaded from MySQL settings table at startup)

telegram/__init__.py:
- _notify_enabled(): check setting string ('false'/'0'/'no'/'off' = disabled)
- send_telegram_alert(): checks NOTIFY_ALERT_{CPU|MEM|DISK} per alert_type
- send_telegram_recovery(): checks NOTIFY_RECOVERY
- send_telegram_system_alert(): new notify_key param, checks matching setting
- send_telegram_restart_*(): check NOTIFY_RESTART

self_monitor.py:
- Pass notify_key='NOTIFY_SYSTEM_REDIS/MYSQL' to send_telegram_system_alert

server/api/agent.py:
- Pass notify_key='NOTIFY_TIME_DRIFT' to time-drift alert

settings.html:
- New '告警通知项目' section with 8 toggle switches (pill style)
- Grouped by category: 服务器资源 / 服务器 / 系统
- Optimistic toggle with revert on API failure
- renderNotifyToggles() reads _allSettings and toggleNotify() saves instantly

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:12:07 +08:00
Your Name 08d0baf762 feat: TOTP re-bind support + improved settings UI
settings.html TOTP section overhaul:
- Status cards: green (enabled) / amber (disabled) with context-aware buttons
- Enabled state: add '重新绑定' button to change Authenticator app/device
  without disabling first (same API, just new QR + verify flow)
- Disabled state: prominent 'Enable TOTP' CTA with warning about security
- Bind panel: shared between first-time setup and re-bind, auto-scrolls into view
- Auto-focus verify input after QR renders; Enter key submits
- QR generation: 180px, transparent background, fallback message if QRious fails
- Re-bind label distinguishes 'rebind success' from 'first enable' toast
- Disable flow: clearer confirm dialog mentioning security implication

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:07:40 +08:00
Your Name 9c063a788f feat: time drift detection between agent and central server
Agent (web/agent/agent.py):
- Heartbeat now includes system_info.agent_time (UTC ISO string)

Central (server/api/agent.py):
- On each heartbeat, compare agent_time vs central datetime.now(utc)
- Thresholds: warn >= 30s, crit >= 60s (affects TOTP/cron accuracy)
- Stores time_drift_seconds + drift_level in Redis heartbeat key
- Sends Telegram alert (5-min cooldown) when drift >= 60s critical

API (server/api/servers.py):
- List and detail endpoints expose time_drift_seconds + drift_level from Redis

Frontend (web/app/servers.html):
- driftBadge(): shows clock emoji badge next to server name
  - amber badge: >=30s (warn)
  - red badge: >=60s (crit)
  - tooltip shows exact drift and NTP check hint
  - no badge when drift < 30s or no data

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 17:04:34 +08:00
Your Name 5a42345bc0 docs: Nexus 6.0 功能说明书 HTML + roadmap stale fix
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:55:24 +08:00
Your Name 6c5e6a2daa feat: file operations (delete/rename/mkdir) + fix roadmap Step3 status
Backend:
- schemas.py: FileOperation model (server_id, operation, path, new_path)
- sync_v2.py: POST /api/sync/file-ops endpoint
  - delete: rm -rf with shlex.quote
  - rename: mv src -> dst with shlex.quote on both paths
  - mkdir: mkdir -p with shlex.quote
  - all operations audit-logged, 30s timeout

Frontend (files.html):
- Header: add 📁+ button (doMkdir via prompt)
- File rows: action buttons (rename + delete) appear on hover
  - rename: prompt for new name, inline mv
  - delete: confirm dialog with warning for dirs (rm -rf)
  - all ops refresh current directory after success
- fileOp() shared helper for POST /api/sync/file-ops

Docs:
- roadmap.md: Step 3 Web SSH updated from 70% to completed

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:46:00 +08:00
Your Name ac0eb79707 feat: rsync dry-run preview (方案D 智能提示型)
Backend:
- schemas.py: SyncPreview model (server_id, source/target_path, sync_mode, verbose)
- sync_engine_v2.py: preview_sync() + _parse_rsync_stats() helpers
  - runs rsync --dry-run --stats; verbose=True adds -v (capped 200 lines)
  - returns stats dict: files_transferred/created/deleted + byte counts
- sync_v2.py: POST /api/sync/preview endpoint with audit log

Frontend (push.html - 方案D):
- Sync mode radio change listener: onSyncModeChange()
- full/overwrite mode: orange warning card + prominent preview button
- incremental/checksum mode: subtle "预览首台变动 →" link
- Inline preview result section (no modal): stats cards + optional file list
- files_deleted shown in red card for destructive modes
- verbose toggle: "显示详细文件列表 ▼" triggers second request with verbose=true
- fmtBytes() helper for human-readable file sizes

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:41:47 +08:00
Your Name e37bc6cea9 docs: drop file editor (Monaco/ACE) - officially rejected
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:31:33 +08:00
Your Name 2c6f3abbd0 docs: add standards/ folder with all reusable dev & audit standards
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:23:50 +08:00
Your Name d5c498549b docs: system development standard v1.0 - full coding rules for Python/FastAPI/Frontend
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:22:36 +08:00
Your Name 07eab6020c docs: extract audit core principles as standalone reference card
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:19:49 +08:00
Your Name 938e700fb3 docs: line-walk audit standard v2.0 - full spec integrating mdc rules + Phase 1-4 lessons
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:17:27 +08:00
Your Name 424c4efd64 docs: general-purpose line-walk audit standard (reusable for any project/AI)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:09:28 +08:00
Your Name c08e2a2242 fix: Phase 1 audit - ssh_key columns String(500) -> Text for RSA key support
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:07:24 +08:00
Your Name 6108d69b24 fix: Phase 4 audit fixes
F4a-01 script_callback_rate: INCR+EXPIRE were non-atomic; a crash between
       the two could leave the rate-limit key without a TTL, permanently
       blocking future callbacks for that job/IP. Fix: use Redis pipeline
       so INCR+EXPIRE are sent in one roundtrip and EXPIRE always executes.

F4a-02 sync_service: add comment documenting that StrictHostKeyChecking=no
       is a legacy issue in the dead-code SyncService shim; main sync path
       (SyncEngineV2) honours SSH_STRICT_HOST_CHECKING from settings.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 16:00:28 +08:00
Your Name 680577fc97 docs: Phase 3 walk-closure report + index update
- docs/reports/audit-phase-3-walk-closure.md: closure declaration
  covering 3a-3i (12 new FINDINGs, all fixed, code backlog = 0)
- docs/reports/README.md: add Phase 3 closure entry

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:56:11 +08:00
Your Name 86bb32f87e fix: Phase 3h script_service + server_service
F3h-01 script_service._build_kill_command: shlex.quote(log_path) wraps the
       path in single-quotes; embedding that inside "..." produced a filename
       with literal single-quote chars that cat/kill could not find.
       Fix: use the shlex-quoted string directly without extra double-quotes.

F3h-02 script_service._substitute_db_vars: non-atomic string replacement
       allowed nested substitution when a credential value contained another
       $DB_* pattern. Fix: replace with null-byte sentinels first, then
       substitute actual values in a second pass.

server_service.push_to_servers: add comment documenting that audit_repo and
       retry_repo are None (internal compat shim — not used by routes).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:50:44 +08:00
Your Name c3c3bae370 fix: Phase 3g sync_engine_v2 bugs
F3g-01 sync_commands line 195: server_results is a list; unpacking it
       with ** raises TypeError, silently caught by gather(return_exceptions=True),
       so S2 command sync and S3 config sync returned empty results for all
       servers. Fixed by using a proper dict: {"server_name": ..., "results": ...}.

F3g-02 sync_config: config value containing newline chars was not stripped
       before shlex.quote; echo inside single-quotes would write multiple lines
       to the sysctl config file, injecting arbitrary keys. Strip \n\r\x00 from
       value before quoting (requires admin auth, defense-in-depth fix).

scripts.py, settings.py: CLEAN (no changes needed).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:46:52 +08:00
Your Name 33b7ed93bf fix: Phase 3e auth_service.py bugs
F3e-01 auth_service.py:180 - jwt_token_expires (MySQL tz-naive) vs
       datetime.now(timezone.utc) caused TypeError on token refresh;
       strip tzinfo before comparison when expires is tz-naive.

F3e-02 auth_service.py:271 - TOTP provisioning URI was not URL-encoding
       issuer or username; special chars (spaces etc.) broke QR scan.
       Use urllib.parse.quote() on both fields.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:41:50 +08:00
Your Name 61b891db73 fix: Phase 3 line-walk fixes (3a-3d)
F3a-01 agent.py: _safe_float() prevents ValueError from non-numeric metric values
F3b-01 schedule_runner.py: fix tz-aware minus naive DateTime TypeError
F3b-02 schedule_runner.py: cron field divided by 0 returns False instead of crash
F3c-01 redis/client.py: mask credentials in REDIS_URL log output
F3d-01 main.py: cancel background tasks when primary worker lock is lost
F3d-02 main.py: strip whitespace from CORS origins after split

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:37:15 +08:00
Your Name aa65f10c52 docs: Phase 2 audit records, project memory, WSL guide
Audit docs:
- docs/reports/audit-phase-2{a-j}-line-walk.md: per-file line walk findings
- docs/reports/audit-phase-2-findings-matrix.md: 63 findings (52 fixed, 3 partial, 7 accepted)
- docs/reports/2026-05-23-full-audit-report.md: full audit consolidation
- docs/reports/audit-full-vs-phase2-reconciliation.md: cross-reference
- docs/reports/audit-phase-2-walk-closure.md: closure sign-off

Project docs:
- docs/project/phase-2-audit-remediation.md: SSOT for all fixes
- docs/project/alert-push-policy.md: dashboard alert design decisions
- docs/project/production-verification-checklist.md: first-deploy checklist
- docs/project/script-execution.md: script platform design
- docs/project/wsl-integration-test.md: WSL code-only verification guide
- docs/project/line-walk-audit-standard.md: audit methodology
- docs/project/mysql-mcp-setup.md: MCP config guide

Changelogs: 18 entries (2026-05-22 to 2026-05-23)
Project memory: CLAUDE.md, AGENTS.md updated to reflect current state
Deploy: nginx_https.conf template updated

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:27:40 +08:00
Your Name 80d73d1b74 fix: WSL startup compatibility + dependency updates
- redis/client.py: use BlockingConnectionPool.from_url() (fixes 'url' kwarg error)
- database/engine_compat.py: patch aiomysql do_ping to satisfy pool_pre_ping
- database/session.py: apply engine_compat patch before create_async_engine
- requirements.txt: SQLAlchemy 2.0.49 (fixes aiomysql ping() reconnect signature)
- .env.example: document NEXUS_REDIS_URL format
- scripts/wsl_ensure_venv.sh: create project .venv (PEP 668 safe)
- scripts/wsl_start_dev.sh: use .venv python, validate Redis before start
- scripts/wsl_integration_smoke.sh: code-only verification mode
- scripts/wsl_check_mysql.py / bootstrap_database.py: MySQL setup helpers
- scripts/sync_frontend_vendor.py: vendor asset sync utility

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:27:18 +08:00
Your Name 752a24497c feat: Phase 2 security audit fixes + script execution platform
Security (P0/P1/P2):
- WebSSH: dedicated short-lived token, server_id binding, 4003 close code
- Remove /api/agent/exec from control plane (RCE surface eliminated)
- Global JWT middleware (JwtAuthMiddleware) with install-mode bypass
- decrypt_value: failure returns None, never leaks ciphertext
- Telegram: sanitize_external_message strips sensitive fields
- Agent auth: startup enforces non-empty API key, compare_digest
- Credentials: password_set bool flag, no plaintext in API responses
- audit_log: writes admin_username + ip_address on all CUD ops
- Install lock: all /api/install/* except GET /status return 403 post-install
- WebSocket dedup: publish once, subscribers deliver locally

Script execution platform:
- script_jobs.py / script_job_callback.py: async batching and callback
- script_execution_store.py / script_callback_rate.py: Redis-backed state
- script_execution_flush.py: background flusher to MySQL
- scripts.html / script-executions.html: full execution UI
- agent_url.py: centralised URL builder

Frontend:
- All 13 pages migrated from CDN to /app/vendor/ (no external deps)
- vendor/: alpinejs, tailwindcss-browser, xterm, xterm-addon-*, qrious
- Dashboard WebSocket real-time alerts; 8h JWT session timeout

Tests:
- test_security_unit.py: 15 unit tests (JWT, sanitize, vendor, install 403)
- test_api.py: env-configurable admin credentials

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:26:56 +08:00
Your Name 341d16fd6d P2迭代: 危险命令检测 + DB会话合并 + API密钥修复 + 安全审计 (6项)
P2-14: agent.py _verify_api_key() 重写文档并明确两步验证逻辑,
       全局密钥匹配直接通过,非匹配密钥放行至handler做per-server验证
P2-15: websocket.py 删除已废弃的 connected_clients=[] 别名,
       health.py 已使用 manager.client_count
P2-16: webssh.py 合并4个AsyncSessionLocal()为1个共享session(预接受操作),
       命令日志保留独立session(长连接WebSocket不能持有单session)
P2-18: 新增危险命令检测 (check_dangerous_command),识别 rm -rf /、
       fork bomb、dd写裸设备、mkfs等模式,scripts.py + webssh.py集成
P2-19: install.py 状态文件不再存储db_pass明文(步骤5已删除文件),
       审计确认所有logger调用无敏感数据泄露
P2-17: httpOnly cookie迁移标记为延期(需前后端+WebSocket全面重构,
       当前JWT+updated_at+CORS限制方案已足够安全)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 23:18:08 +08:00
Your Name d744d7df8e 安全与质量修复: P0-4/P0-5 + P1-6~P1-13 (8项)
P0-4: install.py _write_env() 值加引号转义,防止含#$\等字符的密码破坏.env格式
P0-5: install.py _build_redis_url() URL编码redis密码,防止@:等字符破坏URL解析
P1-6: auth_service.py _decode_access_token() 验证exp/sub声明存在,拒绝畸形JWT
P1-7: websocket.py + webssh.py WebSocket JWT验证增加updated_at检查,密码修改后令牌失效
P1-8: auth.py 无refresh_token的logout返回更明确的提示信息
P1-9: install.py create_admin增加_is_installed()检查,防止.env存在后重复创建
P1-10: servers.py server_stats() 改用SQL聚合查询,避免加载全部服务器对象
P1-11: heartbeat_flush.py 移除get_redis()永不返回None的死代码
P1-13: sync_engine_v2.py completed/failed计数器加asyncio.Lock防止并发竞态

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 23:04:40 +08:00
Your Name 4af9acf564 项目文档与验证脚本: AGENTS.md + 交接文档 + 审计/测试脚本
- AGENTS.md: 项目记忆(与CLAUDE.md同步)
- PROJECT_HANDOVER.md: 项目交接文档
- TEAM_ROLES.md: 团队分工与职责
- audit_scan.py: 全量代码审计扫描
- test_p1_p2.py: P1+P2功能快速验证
- verify.py: WSL模块/路由/安全验证

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:29:54 +08:00
Your Name 6354d507df 修复 sync_v2.py 缺少 AuditLog import (NameError)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:29:35 +08:00
Your Name 7e29397235 配置与文档更新: .gitignore + CLAUDE.md + API微调
- .gitignore: 添加.env/supervisor/日志等忽略规则
- CLAUDE.md: 更新项目记忆与完成状态
- assets.py: Platform/Node API端点
- settings.py: DB_OVERRIDE_MAP键名修复
- schemas.py: 模型schema补充

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:29:20 +08:00
Your Name 4969876ce8 新页面: 资产管理 + 命令日志 + 数据库备份脚本
- assets.html: Platform/Node资产管理页面
- commands.html: 命令/会话双视图 + 危险命令高亮
- deploy/db_backup.sh: mysqldump + 30天保留 + cron集成

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:29:13 +08:00
Your Name b676e320de 前端增强: XSS防护 + 共享布局 + 移动适配 + 设置页
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- index.html: WebSocket告警文本esc()转义
- files.html: escAttr()函数 + 路径拼接转义
- layout.js: 移动端侧边栏overlay + 全局搜索 + 用户信息
- servers.html: 点击展开详情面板(系统信息/同步/SSH)
- settings.html: TOTP QR码设置 + 修改密码 + API Key复制
- api.js: JWT refresh token自动刷新 + Toast通知
- terminal.html: WebSSH xterm.js集成

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:29:06 +08:00
Your Name 938d26927f P1/P2: 后端安全与稳定性修复
- Agent per-server API Key认证 (agent.py)
- JWT updated_at校验与会话超时 (auth_jwt.py)
- 服务器凭据Fernet加密存储+密码脱敏 (servers.py)
- WebSSH服务器级授权检查 (webssh.py)
- Config同步去重+回滚机制 (sync_engine_v2.py)
- DB层分页offset/limit (server_repo.py)
- session.py logger修复 + @property死代码清理
- 心跳刷入rollback误用修复 (heartbeat_flush.py)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:28:57 +08:00
Your Name 8530f0e0d5 安全补强: 6项P0/P1漏洞修复
P0-1: PHP配置注入防护 — install.py添加_escape_php_string()转义单引号和反斜杠
P0-2: WebSocket JWT校验 — _verify_ws_token()要求exp+sub字段
P1-1: 删除SHA256密码fallback — auth_service.py和auth.py直接import bcrypt
P1-3: LIKE通配符转义 — search.py添加_escape_like()并对所有ilike()加escape参数
P1-2: 安全响应头中间件 — main.py添加SecurityHeadersMiddleware注入4个安全头
P0-3: Refresh Token重用检测 — Admin模型添加token_version字段,token格式改为token:admin_id:version

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 22:16:50 +08:00
Your Name cea5730804 P0: Add StaticFiles mount + root redirect to install wizard
Critical fix: FastAPI was not serving any static files, causing all
frontend pages (install.html, login.html, etc.) to return 404.

Changes:
- Add StaticFiles mount at /app/ for web/app/ directory (html=True)
- Redirect root path / to /app/install.html in install mode
- Remove redundant "/" path bypass in InstallModeMiddleware
- Production Nginx still serves static files directly (no conflict)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 12:24:32 +08:00
Your Name dfc37f6e90 修复设置页面键名与后端DB_OVERRIDE_MAP不匹配
settings.html引用pool_size/max_overflow/agent_heartbeat_interval
但config.py的DB_OVERRIDE_MAP期望db_pool_size/db_max_overflow/
heartbeat_timeout,导致这些设置无法从MySQL正确加载。
对齐前端键名与后端映射表。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 12:02:08 +08:00
Your Name 0bcfeaa6d6 修复心跳刷入rollback误用 + API参数规范化
- heartbeat_flush: 移除循环内session.rollback(),防止一个服务器
  刷入失败导致整个批次session状态损坏
- assets.py: 为Query参数添加Query()类型+描述+校验约束,
  统一FastAPI参数风格 (server_id/session_id/limit/parent_id)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 11:58:15 +08:00
Your Name cb5b4c42de 多Worker守护 + 告警服务器名 + 清理PHP残留
- main.py: Redis主Worker选举,防止多Worker重复执行后台任务
- agent.py: 告警/恢复广播使用真实服务器名(查MySQL)替代"server-{id}"
- sync_v2.py: 修复browse目录解析死代码,正确取parts[8]
- install.html: 移除过时install.php引用,更新为"删除.env重装"
- nginx配置: 移除PHP-FPM路由(install.html纯静态无需PHP)
- schedule_runner: 清理未使用的get_redis_sync导入

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 11:54:11 +08:00
Your Name b36e1d8010 服务器详情: 兼容多种Agent心跳字段名(cpu_percent/cpu_usage)
- normalize: cpu_percent || cpu_usage, memory_percent || mem_usage, disk_percent || disk_usage
- 防止Agent使用不同字段名时显示空白

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 11:23:19 +08:00
Your Name 8a5d4159a4 文件管理: 添加缺失的路径输入框 + Enter键触发浏览
- 添加dirPath输入框(之前只有JS引用没有DOM元素)
- Enter键支持快速跳转到指定路径
- 输入框预填默认值'/'

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 11:13:23 +08:00
Your Name c03fe97d18 UX优化: 同步日志显示服务器名 + redis_url可编辑
- 同步日志API: JOIN Server表返回server_name字段
- 推送历史: 显示服务器名称替代操作人
- 仪表盘最近同步: 显示服务器名称替代server_id
- redis_url从SENSITIVE_KEYS移除(非密码,用户需可编辑)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 11:10:20 +08:00
Your Name e9feaa6cdc 前后端一致性审计 + 批量操作 + 调度同步模式
- 服务器列表: 添加批量选择(checkbox)+批量推送/删除操作栏
- 推送页面: 支持从服务器列表页预选服务器跳转(sessionStorage)
- 调度页面: 添加同步模式选择(增量/全量/校验和)
- 后端: PushSchedule模型+Schema+API+ScheduleRunner添加sync_mode字段
- 仪表盘: 移除重复的函数定义和初始化调用
- 数据库迁移: 启动时自动执行schema migration(添加sync_mode列)
- 安装向导: 添加schema migration步骤

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 11:01:17 +08:00
Your Name 83547c0b2e 服务器列表分类过滤 + 搜索增强
- 添加分类过滤下拉框(对接/api/servers/?category=参数)
- 自动从服务器数据提取分类选项填充下拉框
- 搜索框也匹配分类字段
- 添加刷新按钮
- 切换分类时自动重新加载服务器列表

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 10:11:15 +08:00
Your Name 2ec24371c5 /api/auth/me 返回 system_name 供前端品牌定制
- auth.py: /me端点现在查询settings表返回system_name字段
- layout.js的loadLayoutUser()使用此字段动态更新侧边栏品牌名
- 用户在设置页修改"系统名称"后,所有页面侧边栏自动显示

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:54:19 +08:00
Your Name 8ae4bc48cd 文件管理增强 + 更新项目完成度至99%
- files.html: 面包屑导航、目录排序(文件夹优先)、父目录(..)链接、
  文件所有者显示、toast反馈、owner列
- CLAUDE.md: 更新实现状态,新增Phase E UX增强条目(S1-S3安全,
  UX1-UX10前端体验),完成度从95%提升至99%

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:49:10 +08:00
Your Name 9d34655cc1 fix: Alpine.js x-data缺失 + 登录页429锁定处理
- index.html/servers.html: 添加缺失的 x-data="{sidebarOpen:true}"
  (Alpine.js需要初始化sidebarOpen变量)
- login.html: 正确处理429状态码(账户临时锁定),显示锁定提示

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:46:23 +08:00
Your Name 249a1aaed9 重试队列增强 + 审计分页
- 后端: 添加 POST /api/retries/{id}/retry (手动重试) + DELETE /api/retries/{id}
  + 审计日志分页(offset/limit/count) + PushRetryJobRepo新增get_all/get_by_id/delete
- 前端retries: 手动重试按钮、删除按钮、状态过滤、操作人显示、toast反馈
- 前端audit: 分页控件(上一页/下一页)、每页50条、新增retry_job/delete_retry过滤
- 修复index.html: 适配审计API新返回格式(data.items)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:41:33 +08:00
Your Name 120ae186ef 统一所有页面到layout.js共享布局组件
- 将11个业务页面(index/servers/files/scripts/credentials/settings/terminal等)
  的内联侧边栏全部迁移到layout.js的initLayout()共享组件
- 移除各页面重复的loadUser()函数,统一由layout.js处理
- 统一全局搜索功能、用户信息加载、品牌名称显示
- 消除约800行重复的侧边栏HTML代码

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:29:25 +08:00
Your Name cca410da33 P2: 推送页面增强 + 登录页安全强化
- push.html: 完整重写 — 逐服务器状态显示(成功/失败/等待)、进度条、
  同步模式选择卡片、并发/批次配置、全选/全不选、推送历史记录、toast反馈
- login.html: 密码可见性切换(eye图标)、失败次数提示(3次/5次警告)、
  登录失败时卡片shake动画、锁定警告提示区、迁移layout.js

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:23:38 +08:00
Your Name 26833f00d3 P1: Toast通知系统 + 脚本编辑/执行结果格式化
- api.js: 添加全局toast()通知函数,支持success/error/warning/info四种类型
- scripts.html: 完整重写 — 点击脚本名编辑、执行结果按服务器格式化显示(command/stdout/stderr/exit_code)
- servers.html/credentials.html/schedules.html/settings.html: 所有操作添加toast反馈

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 09:20:44 +08:00
Your Name d4ea03d735 P2: 全局搜索功能 — 后端API + 前端侧边栏搜索
- 新增 /api/search/ 端点: 跨服务器/脚本/凭据/调度搜索
- layout.js: 侧边栏底部搜索框, 300ms防抖, 下拉结果面板
- main.py: 注册搜索路由
2026-05-22 09:08:09 +08:00
Your Name f262876b25 P2: 共享侧边栏布局组件 + 4个页面迁移
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
- 新增 layout.js: initLayout() 自动生成侧边栏+高亮+用户信息
- retries/audit/schedules 已迁移到共享布局
- 减少约200行重复HTML代码
2026-05-22 09:05:49 +08:00
Your Name bfa50337e5 P1+P2: 前端功能增强
- servers.html: 服务器详情面板(系统信息/同步日志/SSH会话三标签页)
- index.html: 仪表盘增强(分类分布图/最近同步日志/自动刷新30s)
- credentials.html: 密码预设标签页(对接/api/presets/ CRUD)
2026-05-22 09:03:18 +08:00
Your Name 305f8d5689 P1: 全局JWT保护 + 审计日志补全 — scripts/assets/servers
- scripts.py: 所有9个端点添加JWT认证 + CUD操作审计日志
- assets.py: 所有GET端点添加JWT + 写操作审计日志补全
- servers.py: GET端点JWT保护(上轮未提交)
- WSL全量验证通过: ALL CHECKS PASSED
2026-05-22 08:55:34 +08:00
Your Name 785ffe2a7e fix: 设置页面敏感字段显示为只读锁定状态
脱敏值(包含***或...)显示为只读文本+🔒标记,防止用户编辑部分遮蔽值
2026-05-22 08:47:16 +08:00
Your Name 55b7cbe904 fix: P1安全加固 — 全局JWT保护 + 审计日志补全 + 敏感字段过滤
Settings API:
- 所有端点添加JWT认证(get_current_admin)
- 不可改项(secret_key/api_key/encryption_key/database_url)禁止PUT修改
- 敏感字段GET响应自动脱敏(前8位+...)
- Schedules/Presets/Retry CRUD添加JWT+审计日志

Servers API:
- POST/PUT/DELETE添加JWT认证
- 服务器增删改写审计日志

Assets API:
- Platform/Node写操作添加JWT认证
- Platform创建添加审计日志
2026-05-22 08:46:09 +08:00
Your Name b9139093f1 fix: 更新.env.example + CLAUDE.md反映D2迁移
- .env.example: install.php→install.html引用, 添加NEXUS_API_BASE_URL
- install.py: 移除_write_env中重复的site_url计算
- CLAUDE.md: 全面更新项目记忆, 反映6步完成+D1/D2/D3解决
2026-05-22 08:39:33 +08:00
Your Name f796ddf0a5 feat: D2 install.php→install.html迁移 + D3 WebSSH终端完善
D2: install.php → install.html + FastAPI API
- 新增 server/api/install.py: 6个安装向导API端点(无JWT)
- 新增 web/app/install.html: Alpine.js五步安装向导
- main.py: 条件启动模式(无.env=安装模式,仅/api/install/可用)
- InstallModeMiddleware: 安装模式下非安装路由返回503
- DbSessionMiddleware: 跳过安装API(自管理临时引擎连接)
- 三写一致性: .env + config.php + MySQL settings表同步

D3: WebSSH terminal.html 完善
- 全功能xterm.js终端 + Koko协议 + 自动resize
- Alpine.js + Tailwind CSS v4 统一风格
- 全屏/断开连接/连接状态指示器

文档更新:
- status.md: 第五步→, 完成度~95%
- roadmap.md: D2技术债务已解决
2026-05-22 08:37:01 +08:00
Your Name c9a99f4fb3 fix: 全项目文档对齐 + 代码清理
代码修复:
- web/agent/agent.py: datetime.utcnow() → datetime.now(timezone.utc)
- requirements.txt: 移除 paramiko==3.5.0 (已无活跃引用)
- 删除 server/infrastructure/ssh/pool.py (DEPRECATED, 无引用)

连接池三层对齐 (config.py/.env.example/session.py):
- DB_POOL_SIZE 100→160, DB_MAX_OVERFLOW 100→120
- 基于 MySQL max_connections=400, install.php 公式

文档修复 (21项):
- P0: 硬编码域名/IP替换为配置变量占位符
- P1: 10个过时设计文档加归档标注 (引用旧文件结构)
- P2: step-3-webssh报告 paramiko引用修正
- 6份审查报告连接池参数勘误 100/100→160/120
- ECC安全报告 EC5 datetime.utcnow 标记已修复
- docs/README.md 文档索引重写
- docs/memory/mem_nexus_overview.md 移除硬编码凭证
- docs/project/tech-stack-inventory.md paramiko标记已移除

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 08:19:56 +08:00
Your Name 8c8d2a74d5 docs: add Vercel-style documentation browser
Tailwind CSS + Alpine.js single-page HTML doc viewer with:
- 274 documents embedded (270 md + 4 other file types)
- Dark/light mode with localStorage persistence
- Sidebar navigation with grouped collapsible sections
- Full-text search (filename + content)
- Auto-generated TOC for each document
- Terminal-style code blocks with language labels
- Mobile responsive with slide-out sidebar
- rebuild: python docs/build_html.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 07:26:31 +08:00
Your Name 302fdcc1a1 test: update E2E test suite for v6 API + JWT auth
- Login first to acquire JWT token for all protected routes
- Use correct v6 API paths (/api/presets/, /api/schedules/, /api/scripts/)
- Add tests for: scripts CRUD, schedules toggle, settings, audit, sync browse
- Remove obsolete password-presets and retry-jobs paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 00:39:03 +08:00
Your Name 5590391779 feat: Nexus Agent rebrand + server_id + exec endpoint + trigger_type
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
Agent (agent.py):
- Rebrand MultiSync → Nexus throughout
- Add server_id to heartbeat payload (required by backend AgentHeartbeat schema)
- Add /exec endpoint for remote command execution via Nexus
- Update heartbeat fields to match backend: cpu_usage, mem_usage, disk_usage
- Use 60s default interval (matches CLAUDE.md spec)

Agent (agent.sh):
- Rebrand, add SERVER_ID env var, send in heartbeat payload
- Update service name to nexus-agent

Agent (install.sh):
- Rebrand, add --id parameter for server_id
- Write server_id to config.json
- Service name: nexus-agent
- Add config.example.json for reference

SyncEngineV2:
- Add trigger_type parameter to sync_files() (was hardcoded "manual")
- Schedule/retry runners can now pass "schedule"/"retry" trigger types

Nginx:
- Add /agent/ to static asset locations for agent file downloads

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 00:37:39 +08:00
Your Name 56993e4f98 fix: auth logout, Nginx configs, missing dependency, CORS
- auth: logout endpoint now accepts refresh_token (was admin_id which
  frontend can't know) — added logout_by_token() to AuthService
- api.js: sendBeacon uses Blob with application/json content-type
  (was sending text/plain which FastAPI couldn't parse)
- Nginx: fixed SPA fallback to 404 (not SPA), added install.php
  PHP-FPM handler, added production HTTPS config for api.synaglobal.vip
- requirements: added cryptography==44.0.0 (used by crypto.py but
  was missing from requirements.txt)
- models: removed unused Fernet import from domain models
- CORS: added http://api.synaglobal.vip origin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 00:30:28 +08:00
Your Name cd3c35b5e6 fix: add per-field save buttons to settings page
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 00:04:29 +08:00
Your Name f0c586a345 feat: complete frontend interactive features + unified sidebar
- credentials: add credential CRUD form (type, host, port, user, password, db)
- schedules: add enable/disable toggle, edit modal, server selection
- retries: add status badges, retry progress bar, error display, refresh
- audit: add action filter dropdown, IP column, better status badges
- settings: reorganize into sections (brand/alert/infra/telegram)
- servers: add/edit modal with full form fields
- scripts: add execute modal + delete button
- All pages: unified sidebar with all nav items + hover states
- install.php: fix post-AdminLTE removal link paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 00:02:46 +08:00
Your Name 00a6491e59 chore: remove AdminLTE PHP frontend (keep only install.php)
All functionality now covered by web/app/*.html (Alpine.js + Tailwind).
Deleted: 29 PHP pages, ace editor, chart.min.js, app.js, style.css.
Kept: install.php (installation wizard with DB table creation + .env write).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:42:21 +08:00
Your Name 7caa880ebd feat: unified api.js auth + Pydantic models + JWT security hardening
- All Alpine.js pages now use shared api.js for JWT auto-refresh (9 pages)
- Dashboard uses /servers/stats endpoint instead of fetching all servers
- Replaced all raw dict params with Pydantic models (agent, settings, presets)
- Added AgentHeartbeat, AgentExec, SettingUpdatePayload, DbCredentialCreate schemas
- JWT decode now requires exp+sub claims; better error logging
- ServerService.push_to_servers delegates to SyncService.batch_push
- SyncService handles None audit_repo/retry_repo gracefully
- Branding: web/app.js + web/style.css MultiSync→Nexus

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:38:01 +08:00
Your Name a584792603 feat: Pydantic request models + pagination + JWT auto-refresh
- server/api/schemas.py: New shared Pydantic models for all API routes
  (ServerCreate/Update/Push/Check, SyncFiles/Commands/Config/Sftp/Browse,
  ScriptCreate/Update/Execute, ScheduleCreate/Update, PlatformCreate/Update,
  NodeCreate/Update, PaginatedResponse)
- servers.py: Replace raw dict with Pydantic models, add pagination
  (page/per_page params, response now includes items/total/pages)
- sync_v2.py: Replace raw dict with SyncFiles/Commands/Config/Sftp/Browse
- scripts.py: Replace raw dict with ScriptCreate/Update/Execute
- assets.py: Replace raw dict with PlatformCreate/Update, NodeCreate/Update
- web/app/api.js: Shared JS auth module with JWT auto-refresh (2min
  before expiry), 401 retry with refresh token, doLogout with
  sendBeacon to backend, backward-compatible ah() alias
- web/app/servers.html: Use api.js, handle paginated response format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:18:49 +08:00
Your Name 1a27327036 fix: PHP frontend JWT auth + API endpoints + missing tables + branding
- login.php: Fix JWT response format (success/access_token vs status=ok),
  store JWT tokens in session, support TOTP 202 flow
- api_client.php: Dual auth (JWT Bearer + X-API-Key fallback), add
  auto-refresh on 401, fix API endpoints (checkServerHealth → array,
  getServerLogs, getAuditLogs, getDashboardStats field mapping)
- api_proxy.php: Fix check_all to use /api/servers/check (not per-server),
  fix get_logs to support global endpoint, restart_multisync → restart_nexus
- install.php: Add 4 missing tables (platforms, nodes, ssh_sessions,
  command_logs), fix table creation order for FK dependencies, add JWT
  columns to admins, add new indexes, add platform_id/node_id/protocols/
  extra_attrs/connectivity to servers
- logout.php: Call /api/auth/logout to invalidate JWT refresh token
- index.php: Use JWT Bearer auth for API calls
- server_service.py: Implement real check_all_servers with concurrent
  httpx Agent health checks (was stub)
- servers.py: Add GET /api/servers/logs global sync logs endpoint
- Branding: MultiSync → Nexus across all PHP files (sidebar, titles,
  TOTP issuer, version strings)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:11:30 +08:00
Your Name 814e11588e feat: P1 background tasks + server stats endpoint
1. schedule_runner.py: cron-based schedule execution every 60s
   - Parses 5-field cron expressions (*, */N, ranges, lists)
   - Triggers SyncEngineV2.sync_files for due schedules
   - Prevents re-trigger within same minute
2. retry_runner.py: automatic retry of failed pushes every 5min
   - Exponential backoff (60s base, doubles per retry, max 64x)
   - Respects max_retries from PushRetryJob model
3. GET /api/servers/stats: dashboard aggregation endpoint
   - Returns total/online/offline counts + category breakdown
   - Reads real-time status from Redis, falls back to MySQL
   - Registered before /{id} to avoid path collision
4. main.py: register schedule_runner + retry_runner as background tasks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:58:17 +08:00
Your Name 73c1776e1e fix: P0 critical runtime issues
1. conftest.py: add missing `from server.main import app` import
2. dependencies.py: get_db() reuses middleware session instead of
   creating independent AsyncSessionLocal (fixes double-session bug)
3. auth_jwt.py: get_optional_admin uses request.state.db instead of
   creating leaked AsyncSessionLocal session
4. config.py: default DATABASE_URL uses mysql+aiomysql (not pymysql)
5. sync_engine_v2.py: sanitize config keys with regex, escape values
   to prevent command injection in sync_config
6. sync_v2.py: add POST /api/sync/browse endpoint for remote dir listing
7. files.html: browseDir calls real API instead of placeholder stub

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:54:35 +08:00
Your Name ead4b2580f fix: 3 code bugs + test fixes (46/46 passing)
Nexus CI/CD / test (push) Waiting to run
Nexus CI/CD / deploy (push) Blocked by required conditions
Nexus Pre-commit Checks / quick-check (push) Waiting to run
1. infrastructure/__init__.py: remove nonexistent get_ssh_pool import,
   use lazy __getattr__ to avoid triggering MySQL engine at import time
2. auth_service.py + auth_jwt.py: JWT sub field must be string
   (PyJWT 2.12+ enforces RFC 7519), decode with int() conversion
3. session.py: lazy engine init — engine created on first access
   instead of module import time, allows testing without MySQL
4. Tests: fix Column default assertions (SQLAlchemy defaults only
   apply on DB INSERT), fix Request.url mock for Starlette

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:30:34 +08:00
Your Name 3ba85986ed docs: update 194 skill files with cleaned group tags + metadata
All skill files group labels cleaned (no duplicates, no garbled text).
CMS developer renamed to frontend developer in AG group.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:12:57 +08:00
Your Name 3ecd3d75d4 docs: reports + research + team roster + tech-stack evaluation
Add implementation progress reports, review reports (CTO/quality/deploy),
session log, signoff table, team roster, collaboration charter,
tech-stack evaluation and inventory, research reports.
Remove obsolete multisync_server.py.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:12:29 +08:00
Your Name 539c33ef42 feat: Nexus 6.0 6-step implementation (Step 0-5)
Step 0: Infrastructure hardening — Redis BlockingConnectionPool,
WebSocket two-layer (memory+Redis Pub/Sub), JWT auth, DB session leak fix
Step 1: Data layer — 4 new tables (platforms/nodes/command_logs/ssh_sessions),
data migration (category→Node), repos + API routes
Step 2: Auth layer — JWT middleware on all routes, TOTP JWT integration
Step 3: Web SSH — asyncssh connection pool, /ws/terminal endpoint,
xterm.js frontend, Koko protocol
Step 4: Sync engine v2 — file/command/config/SFTP modes, parallel execution
Step 5: Frontend migration — 12 Tailwind CSS v4 + Alpine.js pages,
PHP-FPM removal from nginx config

21 Python backend + 12 HTML frontend + 2 deploy configs + 3 test files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:11:38 +08:00
Your Name e5b0c2d4ef ci: restore gitea workflows 2026-05-21 05:55:02 +08:00
Your Name 4cfed27bf7 docs: superpowers design specs + plans 2026-05-21 05:50:24 +08:00
Your Name 003ca96f07 tests: load_test + quick_load + test_api 2026-05-21 05:49:05 +08:00
Your Name 9e20898fd0 mcp: multisync_server + bridge + firefox 2026-05-21 05:48:19 +08:00
Your Name cad49e6de1 docs: memory knowledge base + settings 2026-05-21 05:47:42 +08:00
Your Name 06f1e9ee07 docs: 194 team skills 2026-05-21 05:43:51 +08:00
Your Name 55e14805de install.php: auto-detect site URL + simplified DB config + auto-configure process guardian
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 05:42:55 +08:00
Your Name ae94101eb8 docs: add CLAUDE.md project memory for agent continuity 2026-05-20 17:29:02 +08:00
Your Name f9045a8404 refactor: 仓库结构扁平化 + PHP前端合并到Nexus仓库
- 将 Nexus/Nexus/* 移到仓库根目录(消除双层嵌套)
- 删除旧的多层空壳目录 (server/, web/, agent/, deploy/, docs/)
- 将PHP前端 (web/) 合并进Nexus仓库 — 统一管理
- 部署时 git clone Nexus 仓库即可,不再需要两个仓库

目录结构:
  server/     ← Python FastAPI后端
  web/        ← PHP前端 (install.php, config.php, etc)
  deploy/     ← Supervisor + Shell健康检查
  docs/       ← 部署文档
  tests/      ← 测试
  .env        ← 不在git中 (install.php生成)
  .gitignore  ← 排除 .env, SECRETS.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 17:24:21 +08:00
Your Name 05600232b7 feat: Nexus 6.0 Phase A+B — 心跳系统 + 3层守护 + Telegram告警 + install.php重写
Phase A (Python Backend):
- E1: WebSocket alert/recovery broadcast (server/api/websocket.py)
- E2: Agent heartbeat → Redis write + alert detection (server/api/agent.py)
- E3: Redis→MySQL 10min batch flush (server/background/heartbeat_flush.py)
- E4: load_settings_from_db() + threshold fields (server/config.py)
- E5: Python self-monitor 30s loop (server/background/self_monitor.py)
- E6: Telegram Bot push module (server/infrastructure/telegram/)
- E7: Server listing reads Redis for live status (server/api/servers.py)
- E8: /health endpoint for Shell health_monitor.sh (server/api/health.py)
- E9: Lifespan startup with background tasks (server/main.py)

Phase C (DevOps):
- D1: Supervisor config (deploy/nexus.conf)
- D2: Shell health_monitor.sh (deploy/health_monitor.sh)

Also:
- .gitignore: restored .env + SECRETS.md exclusion (never commit)
- Agent heartbeat: Redis buffer → frontend direct read → 10min → MySQL
- Alert detection: CPU/mem/disk > threshold → WebSocket + Telegram push
- Recovery detection: previously alerted metrics normal → auto-push recovery

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 17:02:45 +08:00
Your Name 98cb33c3d6 Add .env + SECRETS.md for test deployment (private repo)
Temporary: includes real credentials for deployment testing.
Will be removed from .gitignore when switching to formal repo.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:46:11 +08:00
Your Name 2cf7602573 Add SECRETS.md to .gitignore — prevent credential leak
SECRETS.md is a local-only file for storing database passwords,
API keys, and server credentials. It must never be committed to Git.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:37:47 +08:00
Your Name 669a62b17a Update DEPLOY.md: production domain + clean sensitive values
- Domain: api.synaglobal.vip (强制 HTTPS)
- Website directory: /www/wwwroot/api.synaglobal.vip
- Supervisor config using .env (no hardcoded passwords)
- MySQL create DB command uses placeholder password
- Nginx config with 宝塔 SSL path and PHP-FPM socket
- All sensitive values removed from doc — safe for Git

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:36:47 +08:00
Your Name 99e23d7e78 Phase 1 complete: Repository implementations + Service layer + API routes + Deploy docs
- All 11 Repository Protocol interfaces (Admin, Setting, AuditLog, PushSchedule,
  PushRetryJob, PasswordPreset + existing 5)
- All 11 async SQLAlchemy Repository implementations
- 4 Application Services (ServerService, ScriptService, AuthService, SyncService)
- FastAPI DI wiring in dependencies.py (repos → services)
- 6 API route modules (servers, auth, agent, scripts, settings/schedules/presets/audit/retries)
- Agent /api/exec endpoint for remote shell command execution
- Batch push engine with asyncio.Semaphore(10) concurrency control
- TOTP authentication + brute-force protection (5 failures / 15 min lockout)
- DB credential management with $DB_* variable substitution
- Ubuntu deployment guide (docs/DEPLOY.md) with dependency fix script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 14:42:55 +08:00
Your Name 5ae8855894 Add CI/CD pipeline: Gitea Actions (test + lint + deploy)
CI (every push):
- pytest with coverage (>=50% gate)
- ruff lint check
- mypy type check (non-blocking)

CD (main branch only, after CI passes):
- SSH deploy to production server
- git pull + pip install + supervisorctl restart

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 14:25:31 +08:00
Your Name b2617b4e31 Nexus v6.0.0: Initialize project structure with Clean Architecture
- Project brand: Nexus (configurable via settings.SYSTEM_NAME)
- Clean Architecture 4-layer directory structure:
  server/domain/models/ — SQLAlchemy models
  server/domain/repositories/ — Abstract interfaces (Protocol)
  server/infrastructure/database/ — Async SQLAlchemy session + crypto
  server/infrastructure/redis/ — Decoupled Redis client
  server/infrastructure/ssh/ — Unified SSH connection pool
  server/application/services/ — Business logic (TODO)
  server/api/ — FastAPI routes (TODO)
- Config: Python 3.12+, PHP 8.2+, MySQL 8.4 LTS, Redis 7.0+
- Async SQLAlchemy (aiomysql) replacing sync pymysql
- Test framework: pytest + async fixtures + Playwright (conftest.py)
- MCP server address: 47.254.123.106

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 14:19:09 +08:00
6005 changed files with 96764 additions and 41007 deletions
+44 -44
View File
@@ -1,44 +1,44 @@
---
description: 减少盲目搜文件、控制 Read 次数与 token 消耗
alwaysApply: true
---
# Agent 探索约束(省 token
## 开始前
1. 读根目录 `AGENTS.md` 的「代码地图」与「问题 → 文件」表
2. 架构/API 全览只读 `docs/project/nexus-functional-development-guide.md`(或用户指定的 §),禁止为找结构全库 Grep
3. 用户已给出路径/文件名时,只读该路径,禁止扩大范围
## 搜索顺序
```
AGENTS.md / 功能指南 § → Grep(带 path)→ Read(≤3 个文件)→ 仍不够再扩一圈
```
- **禁止**无 `path` 的全仓库 `Grep` / `Glob`(除非用户明确要求全库)
- **Grep 优先于 Read**Glob 只用于定位文件名,不逐个 Read 全部匹配
- 同一任务 **Read 不超过 5 个文件**;找到答案后立即停止
- 不要重复 Read 已在本对话出现过的文件
## 分层定位(禁止跨层乱搜)
| 层 | 路径 |
|----|------|
| HTTP 路由 | `server/api/<module>.py` |
| 业务 | `server/application/services/` |
| 数据访问 | `server/infrastructure/` |
| 模型 | `server/domain/models/` |
| 前端页 | `frontend/src/pages/` |
| 前端路由 | `frontend/src/router/index.ts` |
| 前端 API 客户端 | `frontend/src/api/` |
真实前端源码在 `frontend/src/`,不是 `web/app/*.html`(那是构建产物)。
## 文档索引
- 功能 SSOT`docs/project/nexus-functional-development-guide.md`
- 文档导航:`docs/README.md`
- 本地路径/MCP`docs/project/linux-dev-paths.md`
- 运维(连机/exec):用户 Skill `Nexus平台` 或 `docs/project/nexus-1panel-operations-knowledge.md`
---
description: 减少盲目搜文件、控制 Read 次数与 token 消耗
alwaysApply: true
---
# Agent 探索约束(省 token
## 开始前
1. 读根目录 `AGENTS.md` 的「代码地图」与「问题 → 文件」表
2. 架构/API 全览只读 `docs/project/nexus-functional-development-guide.md`(或用户指定的 §),禁止为找结构全库 Grep
3. 用户已给出路径/文件名时,只读该路径,禁止扩大范围
## 搜索顺序
```
AGENTS.md / 功能指南 § → Grep(带 path)→ Read(≤3 个文件)→ 仍不够再扩一圈
```
- **禁止**无 `path` 的全仓库 `Grep` / `Glob`(除非用户明确要求全库)
- **Grep 优先于 Read**Glob 只用于定位文件名,不逐个 Read 全部匹配
- 同一任务 **Read 不超过 5 个文件**;找到答案后立即停止
- 不要重复 Read 已在本对话出现过的文件
## 分层定位(禁止跨层乱搜)
| 层 | 路径 |
|----|------|
| HTTP 路由 | `server/api/<module>.py` |
| 业务 | `server/application/services/` |
| 数据访问 | `server/infrastructure/` |
| 模型 | `server/domain/models/` |
| 前端页 | `frontend/src/pages/` |
| 前端路由 | `frontend/src/router/index.ts` |
| 前端 API 客户端 | `frontend/src/api/` |
真实前端源码在 `frontend/src/`,不是 `web/app/*.html`(那是构建产物)。
## 文档索引
- 功能 SSOT`docs/project/nexus-functional-development-guide.md`
- 文档导航:`docs/README.md`
- 本地路径/MCP`docs/project/linux-dev-paths.md`
- 运维(连机/exec):用户 Skill `Nexus平台` 或 `docs/project/nexus-1panel-operations-knowledge.md`
+1 -6
View File
@@ -38,16 +38,11 @@ FastAPI + Async SQLAlchemy + Redis · Vue 3 + Vuetify 4 SPA15 页)· Vite
## 部署
默认 **本机 rsync 直传**(不 push Gitea):
```bash
bash deploy/pre_deploy_check.sh && bash deploy/deploy-production.sh
```
仅同步源码(不重建镜像):`bash deploy/rsync-local-to-server.sh`
仍走 Gitea 拉取:`NEXUS_DEPLOY_VIA_GIT=1 bash deploy/deploy-production.sh`
前端: `cd frontend && npx vite build` → 部署脚本内 tar/scp 到 `web/app/`
前端: `cd frontend && npx vite build` → tar/scp(见 `deploy/deploy-frontend.sh`
## 进度条(改代码时输出)
+29 -40
View File
@@ -1,40 +1,29 @@
.git
.gitignore
.claude
.cursor
**/__pycache__
**/*.pyc
**/.pytest_cache
**/.mypy_cache
**/.ruff_cache
.coverage
htmlcov/
frontend/node_modules
frontend-v2/node_modules
frontend/dist
node_modules
.venv
.venv-*
venv
.pytest_cache
.ruff_cache
.playwright-mcp
2025.2
=2025.2
*.bak-
.env
docker/.env
docker/runtime
tmp/
tests/
docs/
standards/
*.md
!docker/README.md
web/uploads
backups/
deploy/gate_log.jsonl
.git
.gitignore
.claude
.cursor
**/__pycache__
**/*.pyc
**/.pytest_cache
**/.mypy_cache
**/.ruff_cache
.coverage
htmlcov/
frontend/node_modules
frontend/dist
node_modules
.env
docker/.env
docker/runtime
tests/
docs/
standards/
*.md
!docker/README.md
web/uploads
backups/
deploy/gate_log.jsonl
+63
View File
@@ -0,0 +1,63 @@
# Nexus Environment Configuration
# Copy this file to .env and modify values for your deployment.
# Or run the web installer at /app/install.html to auto-generate this file.
#
# Generate secret keys: openssl rand -hex 32
# ── Brand ──
NEXUS_SYSTEM_NAME=Nexus
NEXUS_SYSTEM_TITLE=Nexus — 服务器运维管理平台
# ── Server ──
NEXUS_HOST=0.0.0.0
NEXUS_PORT=8600
# ── Deployment (auto-set by installer) ──
NEXUS_DEPLOY_PATH=/opt/nexus
# Comma-separated frontend origins for CORS
NEXUS_CORS_ORIGINS=http://localhost:8600
# Base URL for Agent heartbeat reporting
NEXUS_API_BASE_URL=http://localhost:8600
# ── Database (MySQL, REQUIRED) ──
NEXUS_DATABASE_URL=mysql+aiomysql://root:password@127.0.0.1:3306/nexus
# Pool params: auto-calculated by installer from MySQL max_connections
# Formula: pool_size = max(20, maxConn*0.4), overflow = max(20, maxConn*0.3)
# Default below matches MySQL max_connections=400 (160+120=280 max)
# install wizard will overwrite these with values tuned to your MySQL instance
NEXUS_DB_POOL_SIZE=160
NEXUS_DB_MAX_OVERFLOW=120
# ── Security (REQUIRED — generate with: openssl rand -hex 32) ──
NEXUS_SECRET_KEY=change-me-use-openssl-rand-hex-32
NEXUS_API_KEY=change-me-use-openssl-rand-hex-32
NEXUS_ENCRYPTION_KEY=
# ── Redis (REQUIRED) ──
NEXUS_REDIS_URL=redis://127.0.0.1:6379/0
# ── SSH ──
NEXUS_SSH_STRICT_HOST_CHECKING=false
# ── Alert Thresholds (%) ──
NEXUS_CPU_ALERT_THRESHOLD=80
NEXUS_MEM_ALERT_THRESHOLD=80
NEXUS_DISK_ALERT_THRESHOLD=80
# ── Health Check ──
NEXUS_HEALTH_CHECK_INTERVAL=60
# ── Telegram Alerts (optional — configure in Settings UI) ──
NEXUS_TELEGRAM_BOT_TOKEN=
NEXUS_TELEGRAM_CHAT_ID=
# ── MySQL MCP (@yclenove/mysql-mcp-server — run: python scripts/sync_mysql_mcp_env.py) ──
# Cursor 从项目根 .env 读取;与 NEXUS_DATABASE_URL 保持一致;默认只读
# MYSQL_HOST=127.0.0.1
# MYSQL_PORT=3306
# MYSQL_USER=root
# MYSQL_PASSWORD=password
# MYSQL_DATABASE=nexus
# MYSQL_READONLY=true # production / MCP read-only
# MYSQL_READONLY=false # local dev: full DML/DDL via MCP
# MYSQL_DATABASE_ALLOWLIST=nexus
+89 -90
View File
@@ -1,90 +1,89 @@
# Nexus — Python
__pycache__/
*.py[cod]
*$py.class
*.egg-info/
build/
.eggs/
# Environment (NEVER commit — contains production credentials)
.env
.install_locked
.install_state.json
SECRETS.md
.git-askpass-nexus.sh
deploy/nexus-1panel.secrets.sh
*.pem
.env.*
.venv/
.venv-*/
venv/
ENV/
# Agent memory (local MCP persistence, do not commit)
.claude/mcp-memory.jsonl
# MCP tool data (local development artifacts)
.megamemory/
.playwright-mcp/
frontend/test-results/
frontend/e2e/.auth/
tmp/
# IDE
.vscode/
.idea/
*.swp
*.swo
*~
# OS
.DS_Store
Thumbs.db
# Logs
*.log
nexus.log
# Node offline cache for WSL install (large tarball)
.cache/
# Test
.pytest_cache/
htmlcov/
.coverage
coverage.xml
# Node (for Tailwind/Alpine.js build)
node_modules/
web/css/tailwind-output.css
# Build output (Vite/Vuetify frontend)
# SPA 构建产物纳入 Git,便于服务器 git pull 部署(见 deploy/deploy-frontend.sh
# 仍忽略本地临时文件
web/app/assets/.tmp/
# Legacy dist dir (no longer used)
**/dist/
# Uploads
web/uploads/
# Data (sensitive)
web/data/config.php
web/data/*.db
web/data/1panel-hosts.json
# Backups
backups/
# Docker local secrets
docker/.env
docker/.env.prod
!docker/.env.example
!docker/.env.prod.example
scripts/npm-proxy.env
# Deploy
deploy/*.key
# Backups
backups/
# Nexus — Python
__pycache__/
*.py[cod]
*$py.class
*.egg-info/
build/
.eggs/
# Environment (NEVER commit — contains production credentials)
.env
.install_locked
.install_state.json
SECRETS.md
.git-askpass-nexus.sh
deploy/nexus-1panel.secrets.sh
*.pem
.env.*
.venv/
venv/
ENV/
# Agent memory (local MCP persistence, do not commit)
.claude/mcp-memory.jsonl
# MCP tool data (local development artifacts)
.megamemory/
.playwright-mcp/
frontend/test-results/
frontend/e2e/.auth/
tmp/
# IDE
.vscode/
.idea/
*.swp
*.swo
*~
# OS
.DS_Store
Thumbs.db
# Logs
*.log
nexus.log
# Node offline cache for WSL install (large tarball)
.cache/
# Test
.pytest_cache/
htmlcov/
.coverage
coverage.xml
# Node (for Tailwind/Alpine.js build)
node_modules/
web/css/tailwind-output.css
# Build output (Vite/Vuetify frontend)
# SPA 构建产物纳入 Git,便于服务器 git pull 部署(见 deploy/deploy-frontend.sh
# 仍忽略本地临时文件
web/app/assets/.tmp/
# Legacy dist dir (no longer used)
**/dist/
# Uploads
web/uploads/
# Data (sensitive)
web/data/config.php
web/data/*.db
web/data/1panel-hosts.json
# Backups
backups/
# Docker local secrets
docker/.env
docker/.env.prod
!docker/.env.example
!docker/.env.prod.example
scripts/npm-proxy.env
# Deploy
deploy/*.key
# Backups
backups/
-31
View File
@@ -1,31 +0,0 @@
---
name: nexus-btpanel-review
description: Use when reviewing or changing Nexus BT/宝塔 panel integration, one-click login, API bootstrap, session keepalive fixes, or BT credential handling.
---
# Nexus BT Panel Review
Use for 宝塔/BT panel integration changes.
## Call chain to map
API one-click login -> btpanel_service -> BT API credential lookup/bootstrap -> SSH bootstrap if needed -> login URL/tmp_token -> panel session behavior.
## Required checks
- Do not log or return BT API keys, session cookies, temporary login tokens, SSH private keys, or passwords.
- One-click login should fail closed for real authentication errors, but best-effort environment repair must not block login unless required for correctness.
- Session keepalive/cleanup repair must be idempotent and throttled; do not restart or rewrite BT panel aggressively without explicit approval.
- Respect existing BT panel services and ports. Do not occupy panel, nginx, redis, or mysql ports.
- Old servers with existing BT API credentials must still receive the session-cleanup TTL check before login.
- Record bootstrap state without storing secrets.
## Regression tests
Cover:
- Existing credentials still trigger throttled TTL check.
- Missing SSH auth does not block login URL generation.
- Failed repair is throttled and retried later.
- Temporary login token TTL remains bounded.
- No secret values appear in returned bootstrap/status payloads.
-40
View File
@@ -1,40 +0,0 @@
---
name: nexus-security-review
description: Use when reviewing or changing Nexus backend/API/security-sensitive code. Focuses on FastAPI admin APIs, SQLAlchemy data access, SSH operations, file manager boundaries, logging redaction, and regression tests.
---
# Nexus Security Review
Use this skill before changing Nexus backend/API code or doing a security pass.
## Required workflow
1. Identify entrypoints: FastAPI router, service method, DB model/session, Redis/lock usage, SSH/BT panel call.
2. Draw the request path in notes: API -> schema -> service -> DB/Redis/SSH/external.
3. Check auth first: admin-only endpoints must depend on the current admin dependency; background/admin tools must still preserve audit logs.
4. Validate every user-controlled value at the schema/API boundary and again before shell/path-sensitive sinks.
5. For every fix, add pytest coverage for the dangerous case and the allowed case.
6. Run focused tests, then full pytest when practical, then git diff --check.
7. Update the Nexus Markdown report with changed files, tests, and residual risks.
## Nexus-specific rules
- Do not print secrets: passwords, SSH keys, tokens, cookies, API keys, .env values, BT panel credentials.
- script_service is an intentional administrator remote shell. Do not report arbitrary shell execution there as a vulnerability. Review only auth, audit trail, timeout, output truncation, and redaction.
- File manager APIs must not unexpectedly operate outside the target path/server chosen by the admin UI.
- Any remote shell command must use shlex.quote; add -- where command options can be confused with filenames.
- Archive extraction must list and validate members before extraction; reject absolute paths, .., backslashes, and special file types.
- Error responses must not expose stack traces or secrets.
- DB access should use SQLAlchemy parameters/query builder, not raw string interpolation.
## Review output
For each finding record:
- Severity: Critical/High/Medium/Low/Hardening
- Call chain
- Evidence file/function
- Exploit or failure boundary
- Fix summary
- Test command/result
- Commit hash if committed
-29
View File
@@ -1,29 +0,0 @@
---
name: nexus-ssh-safety
description: Use when reviewing or editing Nexus code that executes commands on managed servers over SSH, including file manager, transfer, archive, agent install, and BT panel bootstrap flows.
---
# Nexus SSH Safety
Use for any Nexus feature that builds shell commands or transfers files over SSH.
## Command construction rules
- Prefer argument arrays/local library APIs when available; otherwise quote every dynamic shell token with shlex.quote.
- Insert -- before filename/path operands for commands that parse options:
m, mv, cp, ar, zip, chmod, chown, etc.
- Never concatenate unquoted user input into shell command strings.
- Keep timeouts explicit for network/SSH work; avoid unbounded commands.
- Truncate or sanitize command output before returning it to API clients.
- Do not log secrets or full credential-bearing URLs.
## Path and archive rules
- Normalize paths with POSIX semantics for remote Linux paths.
- Reject empty paths where dangerous, root/system paths for recursive destructive operations, and traversal where the feature expects a bounded directory.
- Archive creation must protect member names beginning with -.
- Archive extraction must validate member names and types before extraction.
- Temporary files/directories must be unique and cleaned best-effort.
## script_service exception
-5
View File
@@ -1,5 +0,0 @@
Collecting tzdata
Downloading tzdata-2026.2-py2.py3-none-any.whl.metadata (1.4 kB)
Downloading tzdata-2026.2-py2.py3-none-any.whl (349 kB)
Installing collected packages: tzdata
Successfully installed tzdata-2026.2
+1 -5
View File
@@ -40,15 +40,11 @@ cd frontend && npm run dev # :3000/app/
## 部署
默认 **本机 rsync → SSH 生产机**(不 push Gitea):
```bash
bash deploy/pre_deploy_check.sh
bash deploy/deploy-production.sh # rsync + Docker upgrade --skip-git + 前端
bash deploy/deploy-production.sh # 需 SSH nexus + 用户批准
```
可选:`NEXUS_DEPLOY_VIA_GIT=1` 恢复远程 `git pull`。仅 `git push` 当你明确要求时。
详情见功能指南 §1718。
## 归档文档
+33 -46
View File
@@ -1,46 +1,33 @@
# Nexus 6.0 - API + static SPA (web/app)
FROM python:3.12-slim-bookworm
ARG DEBIAN_MIRROR=https://mirrors.aliyun.com/debian
ARG DEBIAN_SECURITY_MIRROR=https://mirrors.aliyun.com/debian-security
ARG PIP_INDEX_URL=https://mirrors.aliyun.com/pypi/simple/
ARG PIP_TRUSTED_HOST=mirrors.aliyun.com
RUN set -eux; \
sed -i \
-e "s|http://deb.debian.org/debian-security|${DEBIAN_SECURITY_MIRROR}|g" \
-e "s|http://deb.debian.org/debian|${DEBIAN_MIRROR}|g" \
/etc/apt/sources.list.d/debian.sources; \
apt-get update; \
apt-get install -y --no-install-recommends \
curl \
openssh-client \
rsync \
sshpass; \
rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --index-url "${PIP_INDEX_URL}" --trusted-host "${PIP_TRUSTED_HOST}" -r requirements.txt
COPY server/ ./server/
COPY web/app/ ./web/app/
COPY web/app-v2/ ./web/app-v2/
COPY docker/entrypoint.sh ./docker/entrypoint.sh
RUN chmod +x ./docker/entrypoint.sh
ENV PYTHONPATH=/app \
PYTHONUNBUFFERED=1 \
NEXUS_HOST=0.0.0.0 \
NEXUS_PORT=8600
EXPOSE 8600
HEALTHCHECK --interval=30s --timeout=5s --start-period=90s --retries=3 \
CMD curl -sf http://127.0.0.1:8600/health | grep -q '^ok' || exit 1
ENTRYPOINT ["/app/docker/entrypoint.sh"]
CMD ["uvicorn", "server.main:app", "--host", "0.0.0.0", "--port", "8600"]
# Nexus 6.0 API + 静态 SPA (web/app)
FROM python:3.12-slim-bookworm
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
curl \
openssh-client \
rsync \
sshpass \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY server/ ./server/
COPY web/app/ ./web/app/
COPY docker/entrypoint.sh ./docker/entrypoint.sh
RUN chmod +x ./docker/entrypoint.sh
ENV PYTHONPATH=/app \
PYTHONUNBUFFERED=1 \
NEXUS_HOST=0.0.0.0 \
NEXUS_PORT=8600
EXPOSE 8600
HEALTHCHECK --interval=30s --timeout=5s --start-period=90s --retries=3 \
CMD curl -sf http://127.0.0.1:8600/health | grep -q '^ok' || exit 1
ENTRYPOINT ["/app/docker/entrypoint.sh"]
CMD ["uvicorn", "server.main:app", "--host", "0.0.0.0", "--port", "8600"]
+64 -77
View File
@@ -1,77 +1,64 @@
# Nexus 6.0 鈥?production image (frontend build + API)
# Build: docker compose -f docker/docker-compose.prod.yml build
# See: docs/design/plans/2026-06-04-1panel-docker-production.md
# 鈹€鈹€ Stage 1: Vue/Vite SPA 鈹€鈹€
FROM node:20-bookworm-slim AS frontend
WORKDIR /build/frontend
COPY frontend/package.json frontend/package-lock.json ./
RUN npm ci --ignore-scripts
COPY frontend/ ./
RUN npx vite build
# Stage 1b: React/Vite App V2
FROM node:20-bookworm-slim AS frontend_v2
WORKDIR /build/frontend-v2
COPY frontend-v2/package.json frontend-v2/package-lock.json* ./
RUN if [ -f package-lock.json ]; then npm ci --ignore-scripts; else npm install --ignore-scripts; fi
COPY frontend-v2/ ./
RUN npx vite build
# 鈹€鈹€ Stage 2: Python API + built static assets 鈹€鈹€
FROM python:3.12-slim-bookworm
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
curl \
openssh-client \
rsync \
sshpass \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY server/ ./server/
COPY web/agent/ ./web/agent/
COPY --from=frontend /build/web/app ./web/app/
COPY --from=frontend_v2 /build/web/app-v2 ./web/app-v2/
# Login wallpaper cache (Vite does not emit this dir; sync also writes here at runtime)
COPY web/app/wallpapers/ ./web/app/wallpapers/
# Install wizard + static SPA assets not emitted by Vite
COPY web/app/install.html ./web/app/install.html
COPY web/app/servers_import_template.csv ./web/app/servers_import_template.csv
RUN mkdir -p ./web/app/vendor
COPY web/app/vendor/tailwindcss-browser.js \
web/app/vendor/theme-init.js \
web/app/vendor/theme.css \
web/app/vendor/alpinejs.min.js \
./web/app/vendor/
COPY docker/entrypoint.sh ./docker/entrypoint.sh
RUN chmod +x ./docker/entrypoint.sh \
&& test -f /app/web/app/install.html \
&& test -f /app/web/app/vendor/alpinejs.min.js \
&& test -f /app/web/app/vendor/tailwindcss-browser.js \
&& test -f /app/web/app/vendor/theme.css \
&& test -f /app/web/app/vendor/theme-init.js
ENV PYTHONPATH=/app \
PYTHONUNBUFFERED=1 \
NEXUS_HOST=0.0.0.0 \
NEXUS_PORT=8600
EXPOSE 8600
HEALTHCHECK --interval=30s --timeout=5s --start-period=90s --retries=3 \
CMD curl -sf http://127.0.0.1:8600/health | grep -q '^ok' || exit 1
ENTRYPOINT ["/app/docker/entrypoint.sh"]
CMD ["uvicorn", "server.main:app", "--host", "0.0.0.0", "--port", "8600"]
# Nexus 6.0 production image (frontend build + API)
# Build: docker compose -f docker/docker-compose.prod.yml build
# See: docs/design/plans/2026-06-04-1panel-docker-production.md
# ── Stage 1: Vue/Vite SPA ──
FROM node:20-bookworm-slim AS frontend
WORKDIR /build/frontend
COPY frontend/package.json frontend/package-lock.json ./
RUN npm ci --ignore-scripts
COPY frontend/ ./
RUN npx vite build
# ── Stage 2: Python API + built static assets ──
FROM python:3.12-slim-bookworm
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
curl \
openssh-client \
rsync \
sshpass \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY server/ ./server/
COPY web/agent/ ./web/agent/
COPY --from=frontend /build/web/app ./web/app/
# Login wallpaper cache (Vite does not emit this dir; sync also writes here at runtime)
COPY web/app/wallpapers/ ./web/app/wallpapers/
# Install wizard + static SPA assets not emitted by Vite
COPY web/app/install.html ./web/app/install.html
COPY web/app/servers_import_template.csv ./web/app/servers_import_template.csv
RUN mkdir -p ./web/app/vendor
COPY web/app/vendor/tailwindcss-browser.js \
web/app/vendor/theme-init.js \
web/app/vendor/theme.css \
web/app/vendor/alpinejs.min.js \
./web/app/vendor/
COPY docker/entrypoint.sh ./docker/entrypoint.sh
RUN chmod +x ./docker/entrypoint.sh \
&& test -f /app/web/app/install.html \
&& test -f /app/web/app/vendor/alpinejs.min.js \
&& test -f /app/web/app/vendor/tailwindcss-browser.js \
&& test -f /app/web/app/vendor/theme.css \
&& test -f /app/web/app/vendor/theme-init.js
ENV PYTHONPATH=/app \
PYTHONUNBUFFERED=1 \
NEXUS_HOST=0.0.0.0 \
NEXUS_PORT=8600
EXPOSE 8600
HEALTHCHECK --interval=30s --timeout=5s --start-period=90s --retries=3 \
CMD curl -sf http://127.0.0.1:8600/health | grep -q '^ok' || exit 1
ENTRYPOINT ["/app/docker/entrypoint.sh"]
CMD ["uvicorn", "server.main:app", "--host", "0.0.0.0", "--port", "8600"]
+71 -71
View File
@@ -1,71 +1,71 @@
# 1Panel OpenResty — Nexus reverse proxy (paste into site custom config)
# Domain: api.synaglobal.vip
# Upstream: Nexus Docker on 127.0.0.1:8600 (docker-compose.prod.yml)
#
# SSL: configure in 1Panel UI (Let's Encrypt). This snippet assumes HTTPS server block.
upstream nexus_api {
server 127.0.0.1:8600;
keepalive 32;
}
# WebSocket log without query string (JWT must not hit access_log)
log_format nexus_ws '$remote_addr - [$time_local] "$request_method $uri" $status $body_bytes_sent';
client_max_body_size 500m;
client_body_timeout 600s;
location /api/ {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_connect_timeout 10s;
}
location /ws/ {
access_log /www/sites/api.synaglobal.vip/log/ws.log nexus_ws;
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
location /health {
proxy_pass http://nexus_api;
proxy_set_header Host $host;
}
location /app/ {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /agent/ {
proxy_pass http://nexus_api;
proxy_set_header Host $host;
}
# Fallback: install mode or misc routes served by FastAPI
location / {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# 1Panel OpenResty — Nexus reverse proxy (paste into site custom config)
# Domain: api.synaglobal.vip
# Upstream: Nexus Docker on 127.0.0.1:8600 (docker-compose.prod.yml)
#
# SSL: configure in 1Panel UI (Let's Encrypt). This snippet assumes HTTPS server block.
upstream nexus_api {
server 127.0.0.1:8600;
keepalive 32;
}
# WebSocket log without query string (JWT must not hit access_log)
log_format nexus_ws '$remote_addr - [$time_local] "$request_method $uri" $status $body_bytes_sent';
client_max_body_size 500m;
client_body_timeout 600s;
location /api/ {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_connect_timeout 10s;
}
location /ws/ {
access_log /www/sites/api.synaglobal.vip/log/ws.log nexus_ws;
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
location /health {
proxy_pass http://nexus_api;
proxy_set_header Host $host;
}
location /app/ {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /agent/ {
proxy_pass http://nexus_api;
proxy_set_header Host $host;
}
# Fallback: install mode or misc routes served by FastAPI
location / {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
-272
View File
@@ -1,272 +0,0 @@
#!/usr/bin/env bash
# Apply a Nexus release tarball on the production host.
#
# Usage:
# sudo bash deploy/apply-release-bundle.sh \
# --tarball /tmp/nexus-release-20260708.tar.gz \
# --sha256 6474d58fdccde668b4c91d5e7454fa08e01e20660e3bcbb363eeadbb7c2346a1 \
# --deploy-path /opt/nexus
#
# Validate only (no backup, no rsync, no rebuild):
# bash deploy/apply-release-bundle.sh --validate-only \
# --tarball /tmp/nexus-release-20260708.tar.gz \
# --sha256 6474d58fdccde668b4c91d5e7454fa08e01e20660e3bcbb363eeadbb7c2346a1
#
# This script intentionally preserves runtime secrets and data:
# - .env
# - docker/.env.prod
# - web/data
set -euo pipefail
TARBALL=""
EXPECTED_SHA256=""
DEPLOY_PATH="${NEXUS_DEPLOY_PATH:-/opt/nexus}"
BACKUP_DIR="${NEXUS_BACKUP_DIR:-/opt/nexus-backups}"
SKIP_REBUILD=0
DRY_RUN=0
VALIDATE_ONLY=0
APPLY_TMP=""
info() { echo -e "\033[0;32m[INFO]\033[0m $*"; }
warn() { echo -e "\033[1;33m[WARN]\033[0m $*"; }
error() { echo -e "\033[0;31m[ERROR]\033[0m $*" >&2; }
usage() {
sed -n '1,26p' "$0"
}
while [[ $# -gt 0 ]]; do
case "$1" in
--tarball)
TARBALL="${2:-}"
shift 2
;;
--sha256)
EXPECTED_SHA256="${2:-}"
shift 2
;;
--deploy-path)
DEPLOY_PATH="${2:-}"
shift 2
;;
--backup-dir)
BACKUP_DIR="${2:-}"
shift 2
;;
--skip-rebuild)
SKIP_REBUILD=1
shift
;;
--dry-run)
DRY_RUN=1
shift
;;
--validate-only)
VALIDATE_ONLY=1
shift
;;
-h|--help)
usage
exit 0
;;
*)
error "Unknown argument: $1"
usage
exit 2
;;
esac
done
require_cmd() {
command -v "$1" >/dev/null 2>&1 || {
error "Missing required command: $1"
exit 127
}
}
require_runtime_cmds() {
require_cmd tar
require_cmd sha256sum
if [[ "$VALIDATE_ONLY" == 1 ]]; then
return 0
fi
require_cmd rsync
require_cmd curl
}
run() {
echo "+ $*"
if [[ "$DRY_RUN" == 1 ]]; then
return 0
fi
"$@"
}
cleanup() {
if [[ -n "${APPLY_TMP:-}" && -d "$APPLY_TMP" ]]; then
rm -rf "$APPLY_TMP"
fi
}
detect_runtime() {
if [[ -f "${DEPLOY_PATH}/docker/.env.prod" ]] && command -v docker >/dev/null 2>&1; then
echo docker
return
fi
if command -v supervisorctl >/dev/null 2>&1 && supervisorctl status nexus >/dev/null 2>&1; then
echo supervisor
return
fi
echo unknown
}
verify_sha256() {
if [[ -z "$EXPECTED_SHA256" ]]; then
warn "No --sha256 provided; skipping checksum verification"
return 0
fi
local actual
actual="$(sha256sum "$TARBALL" | awk '{print $1}')"
if [[ "$actual" != "$EXPECTED_SHA256" ]]; then
error "SHA256 mismatch"
error "expected: $EXPECTED_SHA256"
error "actual: $actual"
exit 1
fi
info "SHA256 OK: $actual"
}
validate_extracted_tree() {
local src="$1"
for required in server deploy Dockerfile.prod frontend-v2 web/app-v2; do
if [[ ! -e "${src}/${required}" ]]; then
error "Release bundle missing required path: ${required}"
exit 1
fi
done
for forbidden in .env docker/.env.prod web/data .venv-py312-codex frontend-v2/node_modules 2025.2 =2025.2; do
if [[ -e "${src}/${forbidden}" ]]; then
error "Release bundle contains forbidden path: ${forbidden}"
exit 1
fi
done
info "Extracted release tree validation OK"
}
backup_current() {
if [[ ! -d "$DEPLOY_PATH" ]]; then
warn "Deploy path does not exist yet: $DEPLOY_PATH"
return 0
fi
local stamp backup
stamp="$(date +%Y%m%d-%H%M%S)"
backup="${BACKUP_DIR}/nexus-before-${stamp}.tar.gz"
run mkdir -p "$BACKUP_DIR"
info "Backup current deploy path -> $backup"
run tar czf "$backup" \
--exclude='./web/data' \
--exclude='./.venv*' \
--exclude='./venv' \
--exclude='./frontend/node_modules' \
--exclude='./frontend-v2/node_modules' \
-C "$(dirname "$DEPLOY_PATH")" "$(basename "$DEPLOY_PATH")"
}
sync_release() {
local src="$1"
run mkdir -p "$DEPLOY_PATH"
info "Sync release tree -> $DEPLOY_PATH"
run rsync -a --delete \
--exclude='.env' \
--exclude='docker/.env.prod' \
--exclude='web/data' \
"${src}/" "${DEPLOY_PATH}/"
}
rebuild_or_restart() {
if [[ "$SKIP_REBUILD" == 1 ]]; then
warn "--skip-rebuild set; not rebuilding/restarting Nexus"
return 0
fi
local runtime
runtime="$(detect_runtime)"
info "Runtime: $runtime"
case "$runtime" in
docker)
if [[ -x "${DEPLOY_PATH}/deploy/nexus-1panel.sh" || -f "${DEPLOY_PATH}/deploy/nexus-1panel.sh" ]]; then
run env NEXUS_ROOT="$DEPLOY_PATH" bash "${DEPLOY_PATH}/deploy/nexus-1panel.sh" upgrade --skip-git
else
error "Docker runtime detected but deploy/nexus-1panel.sh missing"
exit 1
fi
if [[ -f "${DEPLOY_PATH}/deploy/sync_webapp_to_container.sh" ]]; then
run env NEXUS_ROOT="$DEPLOY_PATH" bash "${DEPLOY_PATH}/deploy/sync_webapp_to_container.sh"
fi
;;
supervisor)
run supervisorctl restart nexus
;;
*)
error "Unknown runtime. Rebuild/restart manually."
exit 1
;;
esac
}
verify_local_endpoints() {
local port health app app_v2
port="$(grep -E '^NEXUS_PUBLISH_PORT=' "${DEPLOY_PATH}/docker/.env.prod" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r" ' || true)"
port="${port:-8600}"
health="$(curl -s "http://127.0.0.1:${port}/health" 2>/dev/null || true)"
app="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${port}/app/" 2>/dev/null || echo 000)"
app_v2="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${port}/app-v2/" 2>/dev/null || echo 000)"
echo " /health -> ${health}"
echo " /app/ -> ${app}"
echo " /app-v2/ -> ${app_v2}"
if [[ "$health" != "ok" || "$app" != "200" || "$app_v2" != "200" ]]; then
error "Local endpoint verification failed"
exit 1
fi
info "Local endpoint verification OK"
}
main() {
if [[ -z "$TARBALL" ]]; then
error "--tarball is required"
usage
exit 2
fi
[[ -f "$TARBALL" ]] || {
error "Tarball not found: $TARBALL"
exit 1
}
require_runtime_cmds
info "Tarball: $TARBALL"
info "Deploy path: $DEPLOY_PATH"
info "Backup dir: $BACKUP_DIR"
verify_sha256
local extracted
APPLY_TMP="$(mktemp -d /tmp/nexus-release-apply.XXXXXX)"
trap cleanup EXIT
run tar xzf "$TARBALL" -C "$APPLY_TMP"
extracted="${APPLY_TMP}/nexus-release"
validate_extracted_tree "$extracted"
if [[ "$VALIDATE_ONLY" == 1 ]]; then
info "Validate-only mode: tarball checksum and content validation passed"
return 0
fi
backup_current
sync_release "$extracted"
rebuild_or_restart
if [[ "$DRY_RUN" != 1 && "$SKIP_REBUILD" != 1 ]]; then
verify_local_endpoints
fi
info "Release applied successfully"
}
main "$@"
+26 -69
View File
@@ -1,19 +1,16 @@
#!/usr/bin/env bash
# Full production deploy: local rsync + backend upgrade + frontend + health
# Full production deploy: push (optional) + backend upgrade + frontend + health
#
# 默认从本机工作区 rsync 到生产机,不 push Gitea、不远程 git pull
# 自动识别远程 Docker/opt/nexus)或 Supervisor/www/wwwroot/...)运行时
#
# Prerequisites on YOUR machine:
# - rsync, SSH Host nexus OR export NEXUS_SSH="azureuser@20.24.218.235"
# - SSH: ~/.ssh/config Host nexus OR export NEXUS_SSH="azureuser@20.24.218.235"
# - Key: export NEXUS_SSH_KEY=~/.ssh/id_rsa_nexus
#
# Usage:
# cd "$NEXUS_ROOT"
# bash deploy/pre_deploy_check.sh
# bash deploy/deploy-production.sh
#
# 仍走 Gitea(仅当显式设置):
# NEXUS_DEPLOY_VIA_GIT=1 bash deploy/deploy-production.sh
set -euo pipefail
@@ -34,15 +31,8 @@ fi
ssh_cmd() { ssh "${SSH_OPTS[@]}" "${NEXUS_SSH_HOST}" "$@"; }
scp_cmd() { scp "${SSH_OPTS[@]}" "$@"; }
DEPLOY_VIA_GIT="${NEXUS_DEPLOY_VIA_GIT:-0}"
case "${DEPLOY_VIA_GIT}" in
1|true|yes|on) DEPLOY_VIA_GIT=1 ;;
*) DEPLOY_VIA_GIT=0 ;;
esac
echo "═══ Nexus production deploy ═══"
echo "SSH target: ${NEXUS_SSH_HOST}"
echo "Mode: $([[ "$DEPLOY_VIA_GIT" == 1 ]] && echo 'Gitea git pull' || echo 'local rsync')"
if ! ssh_cmd "echo SSH OK" >/dev/null 2>&1; then
echo "ERROR: Cannot SSH to ${NEXUS_SSH_HOST}" >&2
@@ -104,69 +94,38 @@ fi
echo "Deploy path: ${DEPLOY_PATH}"
echo "Runtime: ${RUNTIME}"
resolve_deploy_chown() {
if [[ -n "${NEXUS_DEPLOY_CHOWN:-}" ]]; then
echo "${NEXUS_DEPLOY_CHOWN}"
return
fi
if ssh_cmd "getent passwd www >/dev/null 2>&1"; then
echo "www:www"
return
fi
ssh_cmd "stat -c '%U:%G' '${DEPLOY_PATH}'" 2>/dev/null || echo "azureuser:azureuser"
}
DEPLOY_CHOWN="$(resolve_deploy_chown)"
echo "File owner: ${DEPLOY_CHOWN}"
if [[ "$RUNTIME" == "docker" ]]; then
echo "▶ Docker: git pull + 镜像重建(前端在镜像内 vite build..."
ssh_cmd "cd ${DEPLOY_PATH} && sudo git fetch --all && sudo git reset --hard origin/main && \
sudo env NEXUS_ROOT=${DEPLOY_PATH} bash ${DEPLOY_PATH}/deploy/nexus-1panel.sh upgrade"
elif [[ "$RUNTIME" == "supervisor" ]]; then
echo "▶ Supervisor: git pull + restart..."
ssh_cmd "cd ${DEPLOY_PATH} && git fetch --all && git reset --hard origin/main && supervisorctl restart nexus"
if [[ "$DEPLOY_VIA_GIT" == 1 ]]; then
echo "▶ Git mode: remote git pull..."
if [[ "$RUNTIME" == "docker" ]]; then
ssh_cmd "cd ${DEPLOY_PATH} && sudo git fetch --all && sudo git reset --hard origin/main && \
sudo env NEXUS_ROOT=${DEPLOY_PATH} bash ${DEPLOY_PATH}/deploy/nexus-1panel.sh upgrade"
elif [[ "$RUNTIME" == "supervisor" ]]; then
ssh_cmd "cd ${DEPLOY_PATH} && git fetch --all && git reset --hard origin/main && supervisorctl restart nexus"
else
echo "ERROR: 无法识别远程运行时" >&2
exit 1
echo "▶ Frontend: build + upload..."
cd frontend && npx vite build && cd ..
tar czf /tmp/nexus-frontend.tar.gz -C web/app index.html assets/
scp_cmd /tmp/nexus-frontend.tar.gz "${NEXUS_SSH_HOST}:/tmp/nexus-frontend.tar.gz"
ssh_cmd "cd ${DEPLOY_PATH}/web/app && tar xzf /tmp/nexus-frontend.tar.gz && rm /tmp/nexus-frontend.tar.gz"
if ssh_cmd "test -f ${DEPLOY_PATH}/deploy/prune_frontend_assets.py"; then
ssh_cmd "python3 ${DEPLOY_PATH}/deploy/prune_frontend_assets.py --dry-run"
ssh_cmd "python3 ${DEPLOY_PATH}/deploy/prune_frontend_assets.py"
fi
else
echo "▶ Local sync → ${DEPLOY_PATH}..."
NEXUS_DEPLOY_PATH="${DEPLOY_PATH}" bash "${ROOT}/deploy/rsync-local-to-server.sh"
if [[ "$RUNTIME" == "docker" ]]; then
echo "▶ Docker: 重建镜像(--skip-git..."
ssh_cmd "sudo env NEXUS_ROOT=${DEPLOY_PATH} bash ${DEPLOY_PATH}/deploy/nexus-1panel.sh upgrade --skip-git"
elif [[ "$RUNTIME" == "supervisor" ]]; then
echo "▶ Supervisor: restart..."
ssh_cmd "supervisorctl restart nexus"
else
echo "ERROR: 无法识别远程运行时(非 Docker 也非 Supervisor" >&2
echo " 请手动: ssh ${NEXUS_SSH_HOST} 'sudo nx update'" >&2
exit 1
fi
echo "ERROR: 无法识别远程运行时(非 Docker 也非 Supervisor" >&2
echo " 请手动: ssh ${NEXUS_SSH_HOST} 'sudo nx update'" >&2
exit 1
fi
if [[ "$RUNTIME" == "docker" || "$RUNTIME" == "supervisor" ]]; then
if [[ "$RUNTIME" == "docker" ]]; then
# Host web/app must match image build before sync_webapp_to_container (else stale assets overwrite container).
echo "▶ Frontend: local vite build + upload to host web/app..."
cd frontend && npx vite build && cd ..
tar czf /tmp/nexus-frontend.tar.gz -C web/app index.html assets/
scp_cmd /tmp/nexus-frontend.tar.gz "${NEXUS_SSH_HOST}:/tmp/nexus-frontend.tar.gz"
ssh_cmd "cd ${DEPLOY_PATH}/web/app && sudo tar xzf /tmp/nexus-frontend.tar.gz && rm /tmp/nexus-frontend.tar.gz && sudo chown -R ${DEPLOY_CHOWN} ${DEPLOY_PATH}/web/app"
ssh_cmd "cd ${DEPLOY_PATH}/web/app && sudo tar xzf /tmp/nexus-frontend.tar.gz && rm /tmp/nexus-frontend.tar.gz"
echo "▶ Frontend V2: local vite build:safe + upload to host web/app-v2..."
cd frontend-v2 && npm run build:safe && cd ..
tar czf /tmp/nexus-frontend-v2.tar.gz -C web/app-v2 index.html assets/
scp_cmd /tmp/nexus-frontend-v2.tar.gz "${NEXUS_SSH_HOST}:/tmp/nexus-frontend-v2.tar.gz"
ssh_cmd "sudo mkdir -p ${DEPLOY_PATH}/web/app-v2 && cd ${DEPLOY_PATH}/web/app-v2 && sudo tar xzf /tmp/nexus-frontend-v2.tar.gz && rm /tmp/nexus-frontend-v2.tar.gz && sudo chown -R ${DEPLOY_CHOWN} ${DEPLOY_PATH}/web/app-v2"
if ssh_cmd "test -f ${DEPLOY_PATH}/deploy/prune_frontend_assets.py"; then
ssh_cmd "sudo python3 ${DEPLOY_PATH}/deploy/prune_frontend_assets.py ${DEPLOY_PATH}/web/app --dry-run"
ssh_cmd "sudo python3 ${DEPLOY_PATH}/deploy/prune_frontend_assets.py ${DEPLOY_PATH}/web/app"
fi
fi
if [[ "$RUNTIME" == "docker" ]]; then
echo "▶ Sync host web/app and web/app-v2 into container..."
echo "▶ Sync host web/app into container..."
ssh_cmd "sudo env NEXUS_ROOT=${DEPLOY_PATH} NEXUS_PUBLISH_PORT=\$(grep -E '^NEXUS_PUBLISH_PORT=' ${DEPLOY_PATH}/docker/.env.prod 2>/dev/null | cut -d= -f2 | tr -d '\"' || echo 8600) bash ${DEPLOY_PATH}/deploy/sync_webapp_to_container.sh" || {
echo "WARN: web/app sync failed — run sync_webapp_to_container.sh on server manually" >&2
}
@@ -177,11 +136,9 @@ PORT="$(ssh_cmd "grep -E '^NEXUS_PUBLISH_PORT=' ${DEPLOY_PATH}/docker/.env.prod
PORT="${PORT:-8600}"
HEALTH=$(ssh_cmd "curl -s http://127.0.0.1:${PORT}/health" 2>/dev/null || true)
SPA=$(ssh_cmd "curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:${PORT}/app/" 2>/dev/null || echo "000")
SPA_V2=$(ssh_cmd "curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:${PORT}/app-v2/" 2>/dev/null || echo "000")
echo " /health → ${HEALTH}"
echo " /app/ → ${SPA}"
echo " /app-v2/ → ${SPA_V2}"
if [[ "${HEALTH}" == "ok" && "${SPA}" == "200" && "${SPA_V2}" == "200" ]]; then
if [[ "${HEALTH}" == "ok" && "${SPA}" == "200" ]]; then
echo "✓ Deploy successful"
if ssh_cmd "command -v crontab >/dev/null && crontab -l 2>/dev/null | grep -q nexus-health-monitor" 2>/dev/null; then
echo "✓ Ops cron (health_monitor) already installed"
-604
View File
@@ -2378,607 +2378,3 @@
{"ts":"2026-06-17T09:37:14+08:00","date":"2026-06-17","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-17T09:37:14+08:00","date":"2026-06-17","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-17T09:37:14+08:00","date":"2026-06-17","gate":"summary","result":"BLOCK","detail":"6/8"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"changelog","result":"PASS","detail":"2026-06-18-terminal-persist-navigation.md 40lines"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"shell_eol","result":"BLOCK","detail":"CR in tracked sh"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-18T12:37:07+08:00","date":"2026-06-18","gate":"summary","result":"BLOCK","detail":"5/8"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"changelog","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"security","result":"BLOCK","detail":"2 HIGH findings"}
{"ts":"2026-06-21T08:09:43+08:00","date":"2026-06-21","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"changelog","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"security","result":"BLOCK","detail":"2 HIGH findings"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"shell_eol","result":"BLOCK","detail":"CR in tracked sh"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T08:12:56+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"2/8"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-login-allowlist-deploy.md 29lines"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-login-allowlist-deploy.md"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"review","result":"BLOCK","detail":"audit missing changed files"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T08:14:10+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-login-allowlist-deploy.md 29lines"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-login-allowlist-deploy.md"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T08:14:26+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-login-allowlist-deploy.md 29lines"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-login-allowlist-deploy.md"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"review","result":"BLOCK","detail":"audit missing changed files"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T09:13:54+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"6/8"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-deploy.md 30lines"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-ssh-bootstrap.md"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T09:14:50+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-deploy.md 32lines"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-ssh-bootstrap.md"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T09:19:48+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md 33lines"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"review","result":"BLOCK","detail":"audit missing changed files"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:09:06+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"6/8"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md 33lines"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:09:38+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md 38lines"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"review","result":"BLOCK","detail":"audit missing changed files"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:17:16+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md 38lines"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-login-auto-bootstrap.md"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:17:29+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-btpanel-nav-hidden.md 23lines"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-btpanel-nav-hidden.md"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:22:14+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-file-transfer-audit-fixes.md 35lines"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-file-transfer.md"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:48:54+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-file-transfer-audit-fixes.md 35lines"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-file-transfer.md"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:49:05+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-nav-watch-metrics-under-system.md 23lines"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-page.md"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T12:59:50+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-server-picker-fix.md 24lines"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-page.md"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:05:39+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-target-path-default.md 28lines"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-page.md"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:09:48+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-dest-browser.md 20lines"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-page.md"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:15:01+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-source-site-link.md 17lines"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"audit","result":"BLOCK","detail":"missing sections"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:19:34+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-source-site-link.md 17lines"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"audit","result":"BLOCK","detail":"missing sections"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:19:43+08:00","date":"2026-06-21","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-source-site-link.md 17lines"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:20:03+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-deploy-local-rsync.md 39lines"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:25:39+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-deploy-local-rsync.md 47lines"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:28:40+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-deploy-local-rsync.md 48lines"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:35:37+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-manual-dest.md 31lines"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T13:40:17+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-dest-write-elevation.md 31lines"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T14:46:10+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-curl-tmp-staging.md 29lines"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T15:07:14+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-btpanel-download-tar-overwrite.md 39lines"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T15:28:20+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"changelog","result":"PASS","detail":"2026-06-21-server-transfer-btpanel-download-tar-overwrite.md 43lines"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"audit","result":"PASS","detail":"2026-06-21-server-transfer-ui-polish.md"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-21T15:32:54+08:00","date":"2026-06-21","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"changelog","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-22T05:47:49+08:00","date":"2026-06-22","gate":"summary","result":"BLOCK","detail":"5/8"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"changelog","result":"PASS","detail":"2026-06-22-btpanel-temp-login-24h.md 30lines"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"audit","result":"PASS","detail":"2026-06-22-btpanel-temp-login-24h.md"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-22T05:48:15+08:00","date":"2026-06-22","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"changelog","result":"PASS","detail":"2026-06-23-subscription-ip-refresh-primary-fix.md 36lines"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-23T10:39:14+08:00","date":"2026-06-23","gate":"summary","result":"BLOCK","detail":"4/8"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"changelog","result":"PASS","detail":"2026-06-23-detect-path-nginx-root.md 43lines"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-23T21:06:19+08:00","date":"2026-06-23","gate":"summary","result":"BLOCK","detail":"4/8"}
{"ts":"2026-06-23T21:06:32+08:00","date":"2026-06-23","gate":"changelog","result":"PASS","detail":"2026-06-23-detect-path-nginx-root.md 43lines"}
{"ts":"2026-06-23T21:06:32+08:00","date":"2026-06-23","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-23T21:06:32+08:00","date":"2026-06-23","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"changelog","result":"PASS","detail":"2026-06-23-detect-path-nginx-root.md 43lines"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"audit","result":"PASS","detail":"2026-06-23-detect-path-nginx-root.md"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"review","result":"BLOCK","detail":"audit missing changed files"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-23T21:09:02+08:00","date":"2026-06-23","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"changelog","result":"PASS","detail":"2026-06-23-detect-path-nginx-root.md 43lines"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"audit","result":"PASS","detail":"2026-06-23-detect-path-nginx-root.md"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-23T21:09:24+08:00","date":"2026-06-23","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"changelog","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md 42lines"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-24T02:11:18+08:00","date":"2026-06-24","gate":"summary","result":"BLOCK","detail":"5/8"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"changelog","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md 42lines"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"audit","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"review","result":"BLOCK","detail":"audit missing changed files"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-24T02:11:57+08:00","date":"2026-06-24","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"changelog","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md 42lines"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"audit","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-24T02:12:07+08:00","date":"2026-06-24","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"changelog","result":"PASS","detail":"2026-06-24-servers-unset-path-table-align.md 77lines"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"audit","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-24T15:04:07+08:00","date":"2026-06-24","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"changelog","result":"PASS","detail":"2026-06-24-servers-unset-path-table-align.md 77lines"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"audit","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-24T15:04:27+08:00","date":"2026-06-24","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"changelog","result":"PASS","detail":"2026-06-24-servers-unset-path-table-align.md 77lines"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"audit","result":"PASS","detail":"2026-06-24-ip-domain-detect-schedule.md"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"test","result":"PASS","detail":"all passed"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-24T15:08:09+08:00","date":"2026-06-24","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"changelog","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-06-29T18:22:15+08:00","date":"2026-06-29","gate":"summary","result":"BLOCK","detail":"3/8"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"changelog","result":"BLOCK","detail":"file not found"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"audit","result":"BLOCK","detail":"file not found"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"test","result":"BLOCK","detail":"tests failed"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"review","result":"BLOCK","detail":"no audit file"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-01T12:03:53+08:00","date":"2026-07-01","gate":"summary","result":"BLOCK","detail":"3/8"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"changelog","result":"PASS","detail":"2026-07-01-gate-catchup-terminal-btpanel.md 54lines"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"audit","result":"PASS","detail":"2026-07-01-gate-catchup-terminal-btpanel.md"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"ai_review","result":"BLOCK","detail":"see gate_ai_review.py output"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-01T12:09:17+08:00","date":"2026-07-01","gate":"summary","result":"BLOCK","detail":"7/8"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"changelog","result":"PASS","detail":"2026-07-01-gate-catchup-terminal-btpanel.md 54lines"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"audit","result":"PASS","detail":"2026-07-01-gate-catchup-terminal-btpanel.md"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-01T12:09:49+08:00","date":"2026-07-01","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"changelog","result":"PASS","detail":"2026-07-01-gate-catchup-terminal-btpanel.md 54lines"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"audit","result":"PASS","detail":"2026-07-01-gate-catchup-terminal-btpanel.md"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-01T12:10:11+08:00","date":"2026-07-01","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"changelog","result":"PASS","detail":"2026-07-01-agent-watch-dual-mode.md 38lines"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"audit","result":"PASS","detail":"2026-07-01-agent-watch-dual-mode.md"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-01T18:29:45+08:00","date":"2026-07-01","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"changelog","result":"PASS","detail":"2026-07-02-agent-cpu-sampling.md 35lines"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"audit","result":"PASS","detail":"2026-07-02-agent-cpu-sampling.md"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-02T00:20:36+08:00","date":"2026-07-02","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"changelog","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md 29lines"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"audit","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-02T00:36:42+08:00","date":"2026-07-02","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"changelog","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md 29lines"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"audit","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-02T00:47:58+08:00","date":"2026-07-02","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"changelog","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md 29lines"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"audit","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-02T02:45:32+08:00","date":"2026-07-02","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"changelog","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md 29lines"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"audit","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-02T03:10:05+08:00","date":"2026-07-02","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"changelog","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md 29lines"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"audit","result":"PASS","detail":"2026-07-02-stats-unset-path-offline-card.md"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"ai_review","result":"PASS","detail":"skipped no code"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-02T03:13:21+08:00","date":"2026-07-02","gate":"summary","result":"PASS","detail":"8/8"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"changelog","result":"PASS","detail":"2026-07-03-terminal-btpanel-login-button.md 29lines"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"audit","result":"PASS","detail":"2026-07-03-terminal-btpanel-login-button.md"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"test","result":"PASS","detail":"pytest fallback :8600 down"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"lint","result":"PASS","detail":"0 violations"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"import","result":"PASS","detail":"ok"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"security","result":"PASS","detail":"0 HIGH"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"review","result":"PASS","detail":"audit covers changes"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"ai_review","result":"PASS","detail":"ok"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"shell_eol","result":"PASS","detail":"all tracked sh LF"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"text_eol","result":"PASS","detail":"git index LF"}
{"ts":"2026-07-03T23:19:41+08:00","date":"2026-07-03","gate":"summary","result":"PASS","detail":"8/8"}
Regular → Executable
View File
Regular → Executable
View File
Regular → Executable
View File
+21
View File
@@ -0,0 +1,21 @@
# 复制: cp deploy/nexus-1panel.secrets.sh.example deploy/nexus-1panel.secrets.sh
# 用于 git pushscripts/git-push.sh);clone/pull 仍可匿名
# NEXUS_GITEA_HOST='66.154.115.8:3000'
# NEXUS_GITEA_REPO='admin/Nexus.git'
# admin 账号密码或 Access Token
# NEXUS_GITEA_TOKEN='你的密码或令牌'
# 新机安装勿填下面三项(install-nexus-fresh / --fresh 会自动按机生成)
# NEXUS_SECRET_KEY=''
# NEXUS_API_KEY=''
# NEXUS_ENCRYPTION_KEY=''
NEXUS_DOMAIN='api.synaglobal.vip'
NEXUS_ROOT='/opt/nexus'
NEXUS_PROFILE='2c8g'
NEXUS_FROM_ENV='/www/wwwroot/api.synaglobal.vip/.env'
# 本机生产 SSHdeploy-production.sh 读取;私钥路径勿提交真实 .pem)
# NEXUS_SSH='azureuser@20.24.218.235'
# NEXUS_SSH_KEY='/path/to/nz-admin.pem'
Regular → Executable
+5 -26
View File
@@ -50,7 +50,6 @@ error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
step() { echo -e "${CYAN}[STEP]${NC} $*"; }
SKIP_CLONE=false
SKIP_GIT=false
FRESH_INSTALL=false
REUSE_SECRETS=false
FROM_ENV="${NEXUS_FROM_ENV}"
@@ -182,13 +181,9 @@ apply_pool_to_env_prod() {
local root="$1" prof="$2"
local env_file="$root/$ENV_PROD"
[[ -f "$env_file" ]] || return 0
if [[ ! -f "$prof" ]]; then
warn "未找到资源档位文件: $prof,保留 $ENV_PROD 中现有数据库连接池配置"
return 0
fi
local pool overflow
pool="$(grep -E '^NEXUS_DB_POOL_SIZE=' "$prof" | cut -d= -f2- || true)"
overflow="$(grep -E '^NEXUS_DB_MAX_OVERFLOW=' "$prof" | cut -d= -f2- || true)"
pool="$(grep -E '^NEXUS_DB_POOL_SIZE=' "$prof" | cut -d= -f2-)"
overflow="$(grep -E '^NEXUS_DB_MAX_OVERFLOW=' "$prof" | cut -d= -f2-)"
[[ -n "$pool" ]] && sed -i "s|^NEXUS_DB_POOL_SIZE=.*|NEXUS_DB_POOL_SIZE=${pool}|" "$env_file"
[[ -n "$overflow" ]] && sed -i "s|^NEXUS_DB_MAX_OVERFLOW=.*|NEXUS_DB_MAX_OVERFLOW=${overflow}|" "$env_file"
}
@@ -1023,14 +1018,10 @@ verify_health() {
}
ensure_repo() {
if [[ ! -d "$NEXUS_ROOT" ]]; then
if [[ ! -d "$NEXUS_ROOT/.git" ]]; then
error "未找到 $NEXUS_ROOT,请先: bash $0 install"
exit 1
fi
if [[ "$SKIP_GIT" != true && ! -d "$NEXUS_ROOT/.git" ]]; then
error "未找到 $NEXUS_ROOT/.git,请先: bash $0 install;如为发布包/rsync 部署请使用 --skip-git"
exit 1
fi
if [[ ! -f "$NEXUS_ROOT/$ENV_PROD" ]]; then
error "缺少 $NEXUS_ROOT/$ENV_PROD"
exit 1
@@ -1147,12 +1138,8 @@ cmd_upgrade() {
load_saved_profile "$NEXUS_ROOT"
resolve_profile
check_ports_preflight "$NEXUS_ROOT"
if [[ "$SKIP_GIT" == true ]]; then
info "跳过 Git 同步(本机 rsync 已推送代码)"
else
git_fetch
show_pending || true
fi
git_fetch
show_pending || true
if [[ "$CHECK_ONLY" == true ]]; then
exit 0
@@ -1162,12 +1149,6 @@ cmd_upgrade() {
exit 0
fi
if [[ "$SKIP_GIT" == true ]]; then
info "本机直传模式:跳过 git reset,仍备份并重建镜像"
if [[ "$NO_BACKUP" != true ]]; then
backup_mysql "$NEXUS_ROOT"
fi
else
local behind
behind="$(commits_behind)"
if [[ "$behind" != "0" ]]; then
@@ -1179,7 +1160,6 @@ cmd_upgrade() {
backup_mysql "$NEXUS_ROOT"
fi
fi
fi
apply_pool_to_env_prod "$NEXUS_ROOT" "$(profile_env_file "$NEXUS_ROOT")"
upsert_env_var "$NEXUS_ROOT/$ENV_PROD" "NEXUS_HOST_ROOT" "$NEXUS_ROOT"
@@ -1292,7 +1272,6 @@ parse_common_upgrade() {
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--help) usage ;;
--skip-git) SKIP_GIT=true; shift ;;
--profile) NEXUS_PROFILE="$2"; shift 2 ;;
--cpus) CUSTOM_CPUS="$2"; shift 2 ;;
--mem-gb|--memory-gb) CUSTOM_MEM_GB="$2"; shift 2 ;;
Regular → Executable
View File
+5 -32
View File
@@ -131,39 +131,12 @@ else
TEST_OUTPUT=$(cd "${DEPLOY_DIR}" && env -u NEXUS_TEST_BASE NEXUS_TEST_BASE=http://127.0.0.1:8600 python3 "${TEST_SCRIPT}" 2>&1) || true
FAIL_COUNT=$(echo "${TEST_OUTPUT}" | grep -cE "^\s+\[FAIL\]" 2>/dev/null || true)
FAIL_COUNT=${FAIL_COUNT:-0}
GATE3_PASSED=0
if [ "${FAIL_COUNT}" -gt 0 ] || echo "${TEST_OUTPUT}" | grep -qE "[0-9]+ test(s) failed"; then
# 本机未起 :8600 时,若失败均为 Connection refused,回退 pytest 专项
NON_CONN_FAILS=$(echo "${TEST_OUTPUT}" | grep -E "^\s+\[FAIL\]" | grep -vcE "Connection refused|Errno 111" 2>/dev/null || true)
NON_CONN_FAILS=${NON_CONN_FAILS:-0}
if [ "${FAIL_COUNT}" -gt 0 ] && [ "${NON_CONN_FAILS}" -eq 0 ]; then
PYTEST_BIN=$(_pick_bin pytest || true)
FALLBACK_TESTS="tests/test_btpanel_ssh_bootstrap.py tests/test_terminal_quick_commands.py tests/test_gate_ai_review.py"
if [ -n "${PYTEST_BIN}" ]; then
echo -e "${YELLOW}fallback${NC}"
echo " └─ Local :8600 unreachable — running pytest gate batch"
FALLBACK_OUTPUT=$(cd "${DEPLOY_DIR}" && "${PYTEST_BIN}" ${FALLBACK_TESTS} -q 2>&1) || FALLBACK_RC=$?
FALLBACK_RC=${FALLBACK_RC:-0}
if [ "${FALLBACK_RC}" -eq 0 ]; then
echo -e " └─ ${GREEN}PASS${NC} (pytest fallback)"
GATES_PASSED=$((GATES_PASSED + 1))
gate_log "test" "PASS" "pytest fallback :8600 down"
GATE3_PASSED=1
else
echo -e " └─ ${RED}BLOCK${NC} pytest fallback failed:"
echo "${FALLBACK_OUTPUT}" | tail -15 | sed 's/^/ │ /'
BLOCKED=1
gate_log "test" "BLOCK" "pytest fallback failed"
fi
fi
fi
if [ "${GATE3_PASSED}" -eq 0 ]; then
echo -e "${RED}BLOCK${NC}"
echo " └─ Tests failed. Output:"
echo "${TEST_OUTPUT}" | head -20 | sed 's/^/ │ /'
BLOCKED=1
gate_log "test" "BLOCK" "tests failed"
fi
echo -e "${RED}BLOCK${NC}"
echo " └─ Tests failed. Output:"
echo "${TEST_OUTPUT}" | head -20 | sed 's/^/ │ /'
BLOCKED=1
gate_log "test" "BLOCK" "tests failed"
else
echo -e "${GREEN}PASS${NC}"
echo " └─ All tests passed"
-197
View File
@@ -1,197 +0,0 @@
#!/usr/bin/env bash
# Nexus production host preflight before applying a release tarball.
#
# Usage:
# bash deploy/preflight-release-host.sh \
# --tarball /tmp/nexus-release-20260708.tar.gz \
# --sha256 a4eb8f35f0b98d40c1ad83117bfc652e7686ffc7d55f6bf90fcfd433a2ad6701 \
# --deploy-path /opt/nexus
set -euo pipefail
TARBALL=""
EXPECTED_SHA256=""
DEPLOY_PATH="${NEXUS_DEPLOY_PATH:-/opt/nexus}"
MIN_FREE_MB="${NEXUS_RELEASE_MIN_FREE_MB:-1024}"
info() { echo -e "\033[0;32m[INFO]\033[0m $*"; }
warn() { echo -e "\033[1;33m[WARN]\033[0m $*"; }
error() { echo -e "\033[0;31m[ERROR]\033[0m $*" >&2; }
usage() {
sed -n '1,12p' "$0"
}
while [[ $# -gt 0 ]]; do
case "$1" in
--tarball)
TARBALL="${2:-}"
shift 2
;;
--sha256)
EXPECTED_SHA256="${2:-}"
shift 2
;;
--deploy-path)
DEPLOY_PATH="${2:-}"
shift 2
;;
--min-free-mb)
MIN_FREE_MB="${2:-}"
shift 2
;;
-h|--help)
usage
exit 0
;;
*)
error "Unknown argument: $1"
usage
exit 2
;;
esac
done
check_cmd() {
local cmd="$1"
if command -v "$cmd" >/dev/null 2>&1; then
info "command OK: $cmd"
return 0
fi
error "missing command: $cmd"
return 1
}
docker_cmd() {
if docker "$@" 2>/dev/null; then return 0; fi
sudo docker "$@" 2>/dev/null
}
detect_runtime() {
if [[ -f "${DEPLOY_PATH}/docker/.env.prod" ]] && command -v docker >/dev/null 2>&1; then
echo docker
return
fi
if command -v supervisorctl >/dev/null 2>&1 && supervisorctl status nexus >/dev/null 2>&1; then
echo supervisor
return
fi
echo unknown
}
verify_tarball() {
if [[ -z "$TARBALL" ]]; then
warn "--tarball not provided; skipping tarball checksum/content checks"
return 0
fi
[[ -f "$TARBALL" ]] || {
error "tarball not found: $TARBALL"
return 1
}
info "tarball exists: $TARBALL"
if [[ -n "$EXPECTED_SHA256" ]]; then
local actual
actual="$(sha256sum "$TARBALL" | awk '{print $1}')"
if [[ "$actual" != "$EXPECTED_SHA256" ]]; then
error "SHA256 mismatch: expected=$EXPECTED_SHA256 actual=$actual"
return 1
fi
info "SHA256 OK: $actual"
else
warn "--sha256 not provided; checksum not verified"
fi
tar tzf "$TARBALL" nexus-release/server nexus-release/deploy nexus-release/web/app-v2 >/dev/null
info "tarball required paths OK"
}
check_deploy_path() {
if [[ -d "$DEPLOY_PATH" ]]; then
info "deploy path exists: $DEPLOY_PATH"
else
warn "deploy path does not exist yet: $DEPLOY_PATH"
fi
if [[ -f "${DEPLOY_PATH}/.env" ]]; then
info "runtime .env preserved path exists"
else
warn "${DEPLOY_PATH}/.env not found"
fi
if [[ -f "${DEPLOY_PATH}/docker/.env.prod" ]]; then
info "docker/.env.prod exists"
else
warn "${DEPLOY_PATH}/docker/.env.prod not found"
fi
if [[ -d "${DEPLOY_PATH}/web/data" ]]; then
info "web/data exists"
else
warn "${DEPLOY_PATH}/web/data not found"
fi
}
check_disk_space() {
local target free_mb
target="$DEPLOY_PATH"
[[ -e "$target" ]] || target="$(dirname "$DEPLOY_PATH")"
free_mb="$(df -Pm "$target" | awk 'NR==2 {print $4}')"
if [[ -z "$free_mb" ]]; then
warn "unable to determine free disk space for $target"
return 0
fi
if (( free_mb < MIN_FREE_MB )); then
error "low disk space on $target: ${free_mb}MB < ${MIN_FREE_MB}MB"
return 1
fi
info "disk free OK: ${free_mb}MB >= ${MIN_FREE_MB}MB"
}
check_runtime() {
local runtime
runtime="$(detect_runtime)"
info "runtime detected: $runtime"
case "$runtime" in
docker)
docker_cmd ps --format '{{.Names}}' | grep -E 'nexus-prod-nexus|nexus-nexus-1' >/dev/null \
&& info "Nexus docker container found" \
|| warn "Nexus docker container not found by known name pattern"
;;
supervisor)
supervisorctl status nexus || true
;;
*)
warn "runtime unknown; apply script may require manual restart"
;;
esac
}
check_local_endpoint() {
local port health app app_v2
port="$(grep -E '^NEXUS_PUBLISH_PORT=' "${DEPLOY_PATH}/docker/.env.prod" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r" ' || true)"
port="${port:-8600}"
health="$(curl -s "http://127.0.0.1:${port}/health" 2>/dev/null || true)"
app="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${port}/app/" 2>/dev/null || echo 000)"
app_v2="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${port}/app-v2/" 2>/dev/null || echo 000)"
echo " current /health -> ${health:-<empty>}"
echo " current /app/ -> ${app}"
echo " current /app-v2/ -> ${app_v2}"
}
main() {
local failures=0
for cmd in tar sha256sum df awk grep sed curl; do
check_cmd "$cmd" || failures=$((failures + 1))
done
check_cmd rsync || failures=$((failures + 1))
verify_tarball || failures=$((failures + 1))
check_deploy_path
check_disk_space || failures=$((failures + 1))
check_runtime
check_local_endpoint
if (( failures > 0 )); then
error "preflight failed: ${failures} blocking issue(s)"
return 1
fi
info "preflight OK"
}
main "$@"
Regular → Executable
View File
-112
View File
@@ -1,112 +0,0 @@
#!/usr/bin/env bash
# Sync local Nexus working tree to production host (no Gitea push/pull).
# Transfer via tar|ssh; remote ownership auto-detected (www:www on BT, else deploy path owner).
#
# Usage:
# bash deploy/rsync-local-to-server.sh
# NEXUS_DEPLOY_PATH=/opt/nexus bash deploy/rsync-local-to-server.sh
set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${ROOT}"
SECRETS="${ROOT}/deploy/nexus-1panel.secrets.sh"
if [[ -f "$SECRETS" ]]; then
# shellcheck disable=SC1090
source "$SECRETS"
fi
NEXUS_SSH_HOST="${NEXUS_SSH:-nexus}"
SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=15)
if [[ -n "${NEXUS_SSH_KEY:-}" ]]; then
SSH_OPTS+=(-i "${NEXUS_SSH_KEY}")
fi
ssh_cmd() { ssh "${SSH_OPTS[@]}" "${NEXUS_SSH_HOST}" "$@"; }
if ! ssh_cmd "echo SSH OK" >/dev/null 2>&1; then
echo "ERROR: Cannot SSH to ${NEXUS_SSH_HOST}" >&2
exit 1
fi
DEPLOY_PATH="${NEXUS_DEPLOY_PATH:-}"
if [[ -z "$DEPLOY_PATH" ]]; then
DEPLOY_PATH="$(ssh_cmd 'for d in /opt/nexus /www/wwwroot/api.synaglobal.vip; do [[ -d "$d/server" ]] && echo "$d" && exit 0; done; echo /opt/nexus')"
fi
resolve_deploy_chown() {
if [[ -n "${NEXUS_DEPLOY_CHOWN:-}" ]]; then
echo "${NEXUS_DEPLOY_CHOWN}"
return
fi
if ssh_cmd "getent passwd www >/dev/null 2>&1"; then
echo "www:www"
return
fi
ssh_cmd "stat -c '%U:%G' '${DEPLOY_PATH}'" 2>/dev/null || echo "azureuser:azureuser"
}
DEPLOY_CHOWN="$(resolve_deploy_chown)"
echo "═══ Nexus local → server sync ═══"
echo "SSH target: ${NEXUS_SSH_HOST}"
echo "Remote path: ${DEPLOY_PATH}"
echo "Owner: ${DEPLOY_CHOWN}"
TAR_EXCLUDES=(
--exclude='.git'
--exclude='.env'
--exclude='.env.*'
--exclude='SECRETS.md'
--exclude='deploy/nexus-1panel.secrets.sh'
--exclude='docker/.env.prod'
--exclude='web/data'
--exclude='frontend/node_modules'
--exclude='frontend-v2/node_modules'
--exclude='node_modules'
--exclude='.venv'
--exclude='.venv-*'
--exclude='venv'
--exclude='__pycache__'
--exclude='.pytest_cache'
--exclude='.ruff_cache'
--exclude='.cursor'
--exclude='.playwright-mcp'
--exclude='.install_locked'
--exclude='.install_state.json'
--exclude='web/app/assets'
--exclude='tmp'
--exclude='2025.2'
--exclude='=2025.2'
--exclude='*.bak-'
--exclude='frontend/test-results'
--exclude='frontend/e2e/.auth'
)
echo "▶ tar stream → ${DEPLOY_PATH} ..."
tar -C "${ROOT}" -czf - "${TAR_EXCLUDES[@]}" . | \
ssh "${SSH_OPTS[@]}" "${NEXUS_SSH_HOST}" "sudo tar -xzf - -C '${DEPLOY_PATH}'"
echo "▶ chown ${DEPLOY_CHOWN} (skip docker/.env.prod, web/data, .env) ..."
ssh_cmd "sudo bash -s" <<REMOTE
set -euo pipefail
root='${DEPLOY_PATH}'
own='${DEPLOY_CHOWN}'
chown_tree() {
local p="\$1"
[[ -e "\$p" ]] || return 0
sudo chown -R "\$own" "\$p"
}
for top in server deploy scripts tests standards docs frontend web; do
chown_tree "\$root/\$top"
done
if [[ -d "\$root/docker" ]]; then
while IFS= read -r -d '' p; do
sudo chown -R "\$own" "\$p"
done < <(find "\$root/docker" \( -path "\$root/docker/.env.prod" \) -prune -o -print0)
fi
for f in pyproject.toml requirements.txt requirements-dev.txt AGENTS.md CLAUDE.md; do
[[ -f "\$root/\$f" ]] && sudo chown "\$own" "\$root/\$f"
done
REMOTE
echo "✓ sync complete (owner ${DEPLOY_CHOWN})"
View File
+2 -34
View File
@@ -1,5 +1,5 @@
#!/usr/bin/env bash
# Sync Git-tracked web/app and web/app-v2 into the running Nexus Docker container.
# Sync Git-tracked web/app into the running Nexus Docker container.
#
# Root cause: Dockerfile.prod runs vite build inside the image; Docker layer cache
# can produce asset hashes that differ from committed web/app on the host.
@@ -51,25 +51,8 @@ verify_entry_bundle() {
info "入口校验 OK: ${bundle_path} → HTTP 200"
}
verify_app_v2_entry_bundle() {
local html bundle_path code
html="$(curl -sf "http://127.0.0.1:${NEXUS_PUBLISH_PORT}/app-v2/" 2>/dev/null || true)"
bundle_path="$(printf '%s' "$html" | sed -n 's/.*src="\(\/app-v2\/assets\/[^"]*\.js\)".*/\1/p' | head -1)"
if [[ -z "$bundle_path" ]]; then
error "/app-v2/ index.html 未解析到主 bundle"
exit 1
fi
code="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${NEXUS_PUBLISH_PORT}${bundle_path}" 2>/dev/null || echo 000)"
if [[ "$code" != "200" ]]; then
error "V2 主 bundle ${bundle_path} → HTTP ${code}"
exit 1
fi
info "V2 入口校验 OK: ${bundle_path} → HTTP 200"
}
main() {
local app="${NEXUS_ROOT}/web/app"
local app_v2="${NEXUS_ROOT}/web/app-v2"
if [[ ! -f "${app}/index.html" ]]; then
error "缺少 ${app}/index.html,请先 git pull"
exit 1
@@ -78,14 +61,6 @@ main() {
error "缺少 ${app}/assets"
exit 1
fi
if [[ ! -f "${app_v2}/index.html" ]]; then
error "缺少 ${app_v2}/index.html,请先构建 frontend-v2"
exit 1
fi
if [[ ! -d "${app_v2}/assets" ]]; then
error "缺少 ${app_v2}/assets"
exit 1
fi
resolve_container
@@ -99,12 +74,6 @@ main() {
docker_cmd cp "${app}/favicon.ico" "${CONTAINER}:/app/web/app/favicon.ico" 2>/dev/null || true
fi
info "同步 web/app-v2 → 容器 /app/web/app-v2 ..."
docker_cmd exec "$CONTAINER" rm -rf /app/web/app-v2/assets
docker_cmd exec "$CONTAINER" mkdir -p /app/web/app-v2
docker_cmd cp "${app_v2}/index.html" "${CONTAINER}:/app/web/app-v2/index.html"
docker_cmd cp "${app_v2}/assets" "${CONTAINER}:/app/web/app-v2/assets"
if [[ -x "${NEXUS_ROOT}/deploy/prune_frontend_assets.py" ]]; then
info "容器内 prune 未引用 assets(可选)..."
docker_cmd exec "$CONTAINER" python3 /app/deploy/prune_frontend_assets.py --dry-run 2>/dev/null || \
@@ -112,8 +81,7 @@ main() {
fi
verify_entry_bundle
verify_app_v2_entry_bundle
info "web/app 与 web/app-v2 同步完成"
info "web/app 同步完成"
}
main "$@"
View File
View File
Regular → Executable
View File
Regular → Executable
View File
+8 -15
View File
@@ -1,8 +1,8 @@
# Nexus 6.0 鈥?Docker Compose (dev / staging)
# Nexus 6.0 Docker Compose (dev / staging)
# Usage:
# cp docker/.env.example docker/.env # or: python docker/generate_env.py
# docker compose --env-file docker/.env up -d --build
# open http://localhost:18600/app/
# docker compose up -d --build
# open http://localhost:8600/app/
name: nexus
@@ -24,7 +24,7 @@ services:
retries: 8
start_period: 40s
ports:
- "${MYSQL_PUBLISH_PORT:-13306}:3306"
- "${MYSQL_PUBLISH_PORT:-3306}:3306"
redis:
image: redis:7-alpine
@@ -38,18 +38,12 @@ services:
timeout: 3s
retries: 8
ports:
- "${REDIS_PUBLISH_PORT:-16379}:6379"
- "${REDIS_PUBLISH_PORT:-6379}:6379"
nexus:
build:
context: .
dockerfile: Dockerfile
network: host
args:
DEBIAN_MIRROR: https://mirrors.aliyun.com/debian
DEBIAN_SECURITY_MIRROR: https://mirrors.aliyun.com/debian-security
PIP_INDEX_URL: https://mirrors.aliyun.com/pypi/simple/
PIP_TRUSTED_HOST: mirrors.aliyun.com
restart: unless-stopped
depends_on:
mysql:
@@ -57,7 +51,7 @@ services:
redis:
condition: service_healthy
ports:
- "${NEXUS_PUBLISH_PORT:-18600}:8600"
- "${NEXUS_PUBLISH_PORT:-8600}:8600"
environment:
MYSQL_HOST: mysql
MYSQL_PORT: "3306"
@@ -70,11 +64,11 @@ services:
NEXUS_DEPLOY_PATH: /app
NEXUS_DATABASE_URL: mysql+aiomysql://nexus:${MYSQL_PASSWORD:-nexus_dev_pass}@mysql:3306/nexus
NEXUS_REDIS_URL: redis://redis:6379/0
NEXUS_CORS_ORIGINS: ${NEXUS_CORS_ORIGINS:-http://localhost:18600,http://127.0.0.1:18600,http://localhost:8600,http://127.0.0.1:8600}
NEXUS_CORS_ORIGINS: ${NEXUS_CORS_ORIGINS:-http://localhost:8600,http://127.0.0.1:8600}
NEXUS_SECRET_KEY: ${NEXUS_SECRET_KEY:-}
NEXUS_API_KEY: ${NEXUS_API_KEY:-}
NEXUS_ENCRYPTION_KEY: ${NEXUS_ENCRYPTION_KEY:-}
NEXUS_API_BASE_URL: ${NEXUS_API_BASE_URL:-http://localhost:18600}
NEXUS_API_BASE_URL: ${NEXUS_API_BASE_URL:-http://localhost:8600}
env_file:
- path: docker/.env
required: false
@@ -93,4 +87,3 @@ volumes:
redis-data:
nexus-state:
nexus-web-data:
+18
View File
@@ -0,0 +1,18 @@
# Copy to docker/.env (or run: python docker/generate_env.py)
# Used by docker compose for nexus service — never commit docker/.env
MYSQL_ROOT_PASSWORD=change_me_root
MYSQL_PASSWORD=change_me_nexus
# Leave empty to use install wizard at http://localhost:8600/app/install.html
# Or run generate_env.py to fill these three:
NEXUS_SECRET_KEY=
NEXUS_API_KEY=
NEXUS_ENCRYPTION_KEY=
NEXUS_CORS_ORIGINS=http://localhost:8600,http://127.0.0.1:8600
NEXUS_API_BASE_URL=http://localhost:8600
# Optional host port overrides
# NEXUS_PUBLISH_PORT=8600
# MYSQL_PUBLISH_PORT=3306
+39
View File
@@ -0,0 +1,39 @@
# Production Compose env — copy to docker/.env.prod (never commit)
# Fresh install: bash deploy/install-nexus-fresh.sh (auto-generates NEXUS keys per host)
# MySQL / Redis 不在 Docker 栈 — 请在宿主机或 1Panel 自建,安装向导步骤 3 填写
# Auto-generated on fresh install (unique per server). Do NOT copy between hosts.
NEXUS_SECRET_KEY=
NEXUS_API_KEY=
NEXUS_ENCRYPTION_KEY=
# 1 = entrypoint must not write /app/.env until install wizard step 3
NEXUS_INSTALL_WIZARD_PENDING=0
# Public URL
NEXUS_CORS_ORIGINS=https://api.synaglobal.vip
NEXUS_API_BASE_URL=https://api.synaglobal.vip
# Nexus container resource profile (docker/profiles/*.env)
NEXUS_DB_POOL_SIZE=30
NEXUS_DB_MAX_OVERFLOW=20
# 1Panelnx update 自动探测并写入(安装向导步骤 3 预填)
# NEXUS_1PANEL_DB_HOST=1Panel-mysql-xxxx
# NEXUS_1PANEL_REDIS_HOST=1Panel-redis-xxxx
# 宿主机 Compose 插值/ nx update 同步用;安装向导完成后以卷内 /app/.env 为准(不经 Compose 注入)
# 1Panel 有密码时: redis://:你的密码@1Panel-redis-xxxx:6379/0
NEXUS_REDIS_URL=redis://host.docker.internal:6379/0
# 宿主机 git 仓库路径(容器内安装向导用于提示 nx cron / nx update
NEXUS_HOST_ROOT=/opt/nexus
# Optional — production probe / E2E only (host .env.prod; NOT for API runtime; never commit values)
# NEXUS_TEST_ADMIN_PASSWORD — must match admin login password
# NEXUS_PROBE_CLIENT_IP — optional; IP in login allowlist for origin probe (auto-read from DB if unset)
# NEXUS_TEST_ADMIN_PASSWORD=
# NEXUS_PROBE_CLIENT_IP=
# Optional
# NEXUS_PUBLISH_PORT=8600
+20 -20
View File
@@ -1,20 +1,20 @@
# MySQL 8.4 — Nexus production tuning for 1 vCPU / 4 GiB host (minimal)
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
innodb_buffer_pool_size = 512M
innodb_log_file_size = 128M
max_connections = 80
innodb_read_io_threads = 2
innodb_write_io_threads = 2
table_open_cache = 1000
tmp_table_size = 32M
max_heap_table_size = 32M
[client]
default-character-set = utf8mb4
# MySQL 8.4 — Nexus production tuning for 1 vCPU / 4 GiB host (minimal)
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
innodb_buffer_pool_size = 512M
innodb_log_file_size = 128M
max_connections = 80
innodb_read_io_threads = 2
innodb_write_io_threads = 2
table_open_cache = 1000
tmp_table_size = 32M
max_heap_table_size = 32M
[client]
default-character-set = utf8mb4
+25 -25
View File
@@ -1,25 +1,25 @@
# MySQL 8.4 — Nexus production tuning for 2 vCPU / 8 GiB host
# Mounted by docker/docker-compose.prod.yml (see docs/design/plans/2026-06-04-1panel-docker-production.md)
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
# ~1 GiB for InnoDB (leave RAM for Nexus, Redis, 1Panel, OS)
innodb_buffer_pool_size = 1024M
innodb_log_file_size = 256M
# Nexus async pool default 30+20; leave headroom for admin/migrations
max_connections = 120
# 2 vCPU: avoid aggressive IO threads
innodb_read_io_threads = 4
innodb_write_io_threads = 4
# Sensible defaults on small VMs
table_open_cache = 2000
tmp_table_size = 64M
max_heap_table_size = 64M
[client]
default-character-set = utf8mb4
# MySQL 8.4 — Nexus production tuning for 2 vCPU / 8 GiB host
# Mounted by docker/docker-compose.prod.yml (see docs/design/plans/2026-06-04-1panel-docker-production.md)
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
# ~1 GiB for InnoDB (leave RAM for Nexus, Redis, 1Panel, OS)
innodb_buffer_pool_size = 1024M
innodb_log_file_size = 256M
# Nexus async pool default 30+20; leave headroom for admin/migrations
max_connections = 120
# 2 vCPU: avoid aggressive IO threads
innodb_read_io_threads = 4
innodb_write_io_threads = 4
# Sensible defaults on small VMs
table_open_cache = 2000
tmp_table_size = 64M
max_heap_table_size = 64M
[client]
default-character-set = utf8mb4
+20 -20
View File
@@ -1,20 +1,20 @@
# MySQL 8.4 — Nexus production tuning for 4 vCPU / 16 GiB host
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
innodb_buffer_pool_size = 4096M
innodb_log_file_size = 512M
max_connections = 200
innodb_read_io_threads = 8
innodb_write_io_threads = 8
table_open_cache = 4000
tmp_table_size = 128M
max_heap_table_size = 128M
[client]
default-character-set = utf8mb4
# MySQL 8.4 — Nexus production tuning for 4 vCPU / 16 GiB host
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
innodb_buffer_pool_size = 4096M
innodb_log_file_size = 512M
max_connections = 200
innodb_read_io_threads = 8
innodb_write_io_threads = 8
table_open_cache = 4000
tmp_table_size = 128M
max_heap_table_size = 128M
[client]
default-character-set = utf8mb4
+5 -5
View File
@@ -1,5 +1,5 @@
# Host profile: 1 vCPU / 4 GiB
NEXUS_MEM_LIMIT=1g
NEXUS_CPUS=1
NEXUS_DB_POOL_SIZE=15
NEXUS_DB_MAX_OVERFLOW=10
# Host profile: 1 vCPU / 4 GiB
NEXUS_MEM_LIMIT=1g
NEXUS_CPUS=1
NEXUS_DB_POOL_SIZE=15
NEXUS_DB_MAX_OVERFLOW=10
+5 -5
View File
@@ -1,5 +1,5 @@
# Host profile: 2 vCPU / 8 GiB — default production
NEXUS_MEM_LIMIT=2g
NEXUS_CPUS=1.5
NEXUS_DB_POOL_SIZE=30
NEXUS_DB_MAX_OVERFLOW=20
# Host profile: 2 vCPU / 8 GiB — default production
NEXUS_MEM_LIMIT=2g
NEXUS_CPUS=1.5
NEXUS_DB_POOL_SIZE=30
NEXUS_DB_MAX_OVERFLOW=20
+5 -5
View File
@@ -1,5 +1,5 @@
# Host profile: 4 vCPU / 16 GiB
NEXUS_MEM_LIMIT=4g
NEXUS_CPUS=3
NEXUS_DB_POOL_SIZE=50
NEXUS_DB_MAX_OVERFLOW=30
# Host profile: 4 vCPU / 16 GiB
NEXUS_MEM_LIMIT=4g
NEXUS_CPUS=3
NEXUS_DB_POOL_SIZE=50
NEXUS_DB_MAX_OVERFLOW=30
+733
View File
@@ -0,0 +1,733 @@
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<title>Nexus 6.0 — 功能说明书</title>
<style>
*{box-sizing:border-box;margin:0;padding:0}
body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0f172a;color:#e2e8f0;line-height:1.6}
a{color:#60a5fa;text-decoration:none}
a:hover{text-decoration:underline}
/* Layout */
.wrap{max-width:960px;margin:0 auto;padding:32px 24px 80px}
/* Header */
.hero{text-align:center;padding:48px 0 40px;border-bottom:1px solid #1e293b;margin-bottom:40px}
.hero h1{font-size:2.2rem;font-weight:700;color:#f8fafc;letter-spacing:-0.02em}
.hero .sub{font-size:1rem;color:#64748b;margin-top:8px}
.badge{display:inline-block;margin:4px;padding:3px 10px;border-radius:999px;font-size:0.72rem;font-weight:600}
.badge-blue{background:#1e3a5f;color:#60a5fa;border:1px solid #2563eb55}
.badge-green{background:#14371f;color:#4ade80;border:1px solid #16a34a55}
.badge-amber{background:#3d2a00;color:#fbbf24;border:1px solid #d9770655}
.badge-red{background:#3b1212;color:#f87171;border:1px solid #dc262655}
/* TOC */
.toc{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:20px 24px;margin-bottom:36px}
.toc h2{font-size:0.85rem;font-weight:700;color:#94a3b8;text-transform:uppercase;letter-spacing:.08em;margin-bottom:12px}
.toc ol{padding-left:18px;column-count:2;column-gap:24px}
.toc li{margin:5px 0;font-size:0.88rem}
/* Section */
.section{margin-bottom:48px}
.section-title{font-size:1.4rem;font-weight:700;color:#f1f5f9;padding-bottom:10px;border-bottom:2px solid #334155;margin-bottom:24px;display:flex;align-items:center;gap:10px}
.section-title .icon{font-size:1.2rem}
/* Card */
.card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:24px;margin-bottom:16px}
.card-title{font-size:1.05rem;font-weight:600;color:#f1f5f9;margin-bottom:6px;display:flex;align-items:center}
.card-title .num{display:inline-flex;align-items:center;justify-content:center;width:22px;height:22px;border-radius:50%;background:#334155;font-size:0.7rem;font-weight:700;color:#94a3b8;margin-right:8px;shrink:0}
.card-desc{color:#94a3b8;font-size:0.88rem;margin-bottom:14px}
/* Info rows */
.info-grid{display:grid;grid-template-columns:1fr;gap:10px}
.info-block{border-radius:8px;padding:12px 14px}
.info-block.usage{background:#0f2d1f;border:1px solid #166534}
.info-block.warn{background:#2a1a00;border:1px solid #92400e}
.info-block.note{background:#1a1f2e;border:1px solid #4338ca}
.info-title{font-size:0.72rem;font-weight:700;text-transform:uppercase;letter-spacing:.08em;margin-bottom:6px}
.info-title.u{color:#4ade80}
.info-title.w{color:#fbbf24}
.info-title.n{color:#818cf8}
.info-block ul{padding-left:16px;font-size:0.86rem;color:#cbd5e1}
.info-block li{margin:4px 0}
.info-block p{font-size:0.86rem;color:#cbd5e1}
/* Sub table */
.feat-table{width:100%;border-collapse:collapse;font-size:0.86rem;margin-top:10px}
.feat-table th{text-align:left;color:#64748b;font-weight:600;font-size:0.75rem;text-transform:uppercase;padding:6px 10px;border-bottom:1px solid #334155}
.feat-table td{padding:7px 10px;border-bottom:1px solid #1e293b;color:#cbd5e1;vertical-align:top}
.feat-table tr:last-child td{border-bottom:none}
/* Footer */
footer{text-align:center;color:#334155;font-size:0.8rem;margin-top:60px;padding-top:24px;border-top:1px solid #1e293b}
code{background:#334155;color:#7dd3fc;padding:2px 6px;border-radius:4px;font-size:0.83em;font-family:monospace}
</style>
</head>
<body>
<div class="wrap">
<!-- HERO -->
<div class="hero">
<h1>⚡ Nexus 6.0</h1>
<p class="sub">服务器运维管理平台 — 全站功能说明书 · 2026-05-23</p>
<p class="sub" style="margin-top:10px;font-size:0.85rem">
Markdown 维护版:<code>docs/project/nexus-full-site-features.md</code> ·
AI 接续:<code>docs/project/AI-HANDOFF-2026-05-23.md</code>
</p>
<div style="margin-top:14px">
<span class="badge badge-blue">FastAPI</span>
<span class="badge badge-blue">SQLAlchemy 2.0</span>
<span class="badge badge-blue">Redis 7</span>
<span class="badge badge-blue">asyncssh</span>
<span class="badge badge-blue">Tailwind v4</span>
<span class="badge badge-green">2000+ 服务器</span>
<span class="badge badge-green">JWT + TOTP</span>
</div>
</div>
<!-- TOC -->
<div class="toc">
<h2>目录</h2>
<ol>
<li><a href="#sitemap">全站页面地图</a></li>
<li><a href="#network">网络与通道</a></li>
<li><a href="#auth">认证与访问控制</a></li>
<li><a href="#dashboard">仪表盘</a></li>
<li><a href="#alerts">告警中心</a></li>
<li><a href="#servers">服务器管理</a></li>
<li><a href="#assets">资产管理</a></li>
<li><a href="#webssh">Web SSH</a></li>
<li><a href="#commands">命令与推送日志</a></li>
<li><a href="#push">批量文件推送</a></li>
<li><a href="#scripts">脚本与执行历史</a></li>
<li><a href="#files">远程文件管理</a></li>
<li><a href="#schedules">定时调度</a></li>
<li><a href="#credentials">凭据管理</a></li>
<li><a href="#retries">重试队列</a></li>
<li><a href="#search">全局搜索</a></li>
<li><a href="#settings">系统设置</a></li>
<li><a href="#audit">审计日志</a></li>
<li><a href="#install">安装向导</a></li>
<li><a href="#guardian">3 层守护</a></li>
<li><a href="#agent">子机 Agent</a></li>
<li><a href="#background">后台任务</a></li>
<li><a href="#acceptance">开发验收标准</a></li>
<li><a href="#notimpl">未实现 / 已否决</a></li>
</ol>
</div>
<!-- 0. SITEMAP -->
<div class="section" id="sitemap">
<div class="section-title"><span class="icon">🗺</span> 全站页面地图(18 页)</div>
<div class="card">
<table class="feat-table">
<tr><th>页面</th><th>路径</th><th>功能</th></tr>
<tr><td>安装向导</td><td><code>/app/install.html</code></td><td>无 .env 时安装中心机</td></tr>
<tr><td>登录</td><td><code>/app/login.html</code></td><td>JWT + TOTP + 防暴破</td></tr>
<tr><td>仪表盘</td><td><code>/app/index.html</code></td><td>统计、WS 刷新统计</td></tr>
<tr><td>服务器</td><td><code>/app/servers.html</code></td><td>CRUD、Agent 安装/升级、漂移徽章</td></tr>
<tr><td>资产管理</td><td><code>/app/assets.html</code></td><td>Platform / Node</td></tr>
<tr><td>文件管理</td><td><code>/app/files.html</code></td><td>SSH 浏览与文件操作</td></tr>
<tr><td>推送</td><td><code>/app/push.html</code></td><td>rsync 批量 + dry-run</td></tr>
<tr><td>脚本库</td><td><code>/app/scripts.html</code></td><td>脚本 CRUD、直接执行</td></tr>
<tr><td>执行历史</td><td><code>/app/script-executions.html</code></td><td>停止/重试/日志</td></tr>
<tr><td>凭据</td><td><code>/app/credentials.html</code></td><td>DB 凭据 + 密码预设</td></tr>
<tr><td>定时调度</td><td><code>/app/schedules.html</code></td><td>Cron 推送或脚本</td></tr>
<tr><td>重试队列</td><td><code>/app/retries.html</code></td><td>推送失败重试</td></tr>
<tr><td>命令日志</td><td><code>/app/commands.html</code></td><td>WebSSH 命令 + 推送日志</td></tr>
<tr><td>告警中心</td><td><code>/app/alerts.html</code></td><td>告警历史与统计</td></tr>
<tr><td>审计</td><td><code>/app/audit.html</code></td><td>操作审计、多维过滤</td></tr>
<tr><td>设置</td><td><code>/app/settings.html</code></td><td>阈值、Telegram、白名单、TOTP</td></tr>
<tr><td>WebSSH</td><td><code>/app/terminal.html</code></td><td>xterm 终端</td></tr>
</table>
<p class="card-desc" style="margin-top:12px">共享:<code>layout.js</code>(侧栏/移动适配)、<code>api.js</code>JWT、toast、全局搜索)</p>
</div>
</div>
<!-- NETWORK -->
<div class="section" id="network">
<div class="section-title"><span class="icon">🔌</span> 网络与通道模型</div>
<div class="card">
<table class="feat-table">
<tr><th>方向</th><th>端口</th><th>用途</th><th>必须</th></tr>
<tr><td>子机 → 中心</td><td><strong>443 出站</strong></td><td>Agent 心跳、长任务 curl 回调</td><td></td></tr>
<tr><td>中心 → 子机</td><td><strong>22 入站</strong></td><td>推送、文件、脚本、健康检查、Agent 安装</td><td></td></tr>
<tr><td>子机本机</td><td><code>127.0.0.1:8601</code></td><td>Agent HTTP(可不暴露公网)</td><td>可选</td></tr>
</table>
<div class="info-block note" style="margin-top:12px"><div class="info-title n">说明</div><p>脚本执行与手动健康检查已改走 <strong>SSH</strong>,不依赖公网 8601。宝塔环境请用系统 Python 3.12 + <code>install.sh</code> venv,勿用面板 Python 项目管理器托管 Agent。</p></div>
</div>
</div>
<!-- 1. AUTH -->
<div class="section" id="auth">
<div class="section-title"><span class="icon">🔒</span> 1. 认证与访问控制</div>
<div class="card">
<div class="card-title"><span class="num">1</span> JWT 登录 + 自动刷新</div>
<p class="card-desc">管理员通过用户名+密码登录,获取 Access Token30 分钟)和 Refresh Token(7 天)。前端到期前 2 分钟自动换新 Token,无感续期。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>访问 <code>/app/login.html</code>,输入管理员账号密码</li>
<li>Token 存于 <code>localStorage</code>,关闭浏览器后 7 天内免登录</li>
<li>8 小时无操作自动退出</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>JWT 存于 localStorageXSS 漏洞可能导致 Token 泄露(已做 CSP 缓解)</li>
<li>无 RBAC:只有一个管理员角色,鉴权即信任</li>
<li>不支持多管理员角色区分</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> TOTP 双因素认证</div>
<p class="card-desc">可选启用 Google Authenticator 兼容的 TOTP。登录时先验密码,再验 6 位动态码(30 秒窗口)。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>进入「设置」→「安全设置」→ 启用 / <strong>重新绑定</strong> TOTP,扫描二维码</li>
<li>禁用 TOTP 需同时提供当前密码 + TOTP 码</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>TOTP 秘钥丢失无法恢复,需提前备份</li>
<li>系统时间偏差 &gt;30s 会导致验证失败(接受 ±1 窗口共 90s)</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">3</span> 登录防暴破</div>
<p class="card-desc">同一 IP + 用户名 15 分钟内失败 5 次,账号自动锁定并返回 HTTP 429。</p>
<div class="info-block note"><div class="info-title n">注意</div><p>锁定基于 IP + 用户名组合,更换 IP 可绕过。适合防自动化爆破,不防分布式攻击。</p></div>
</div>
<div class="card">
<div class="card-title"><span class="num">4</span> 登录 IP 白名单</div>
<p class="card-desc">可在设置中开启「仅允许白名单 IP 登录」。支持手动 IP/CIDR,以及从<strong>代理订阅 URL</strong>解析节点 IP(每 2 小时自动刷新,与手动列表合并)。</p>
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>「设置」→「登录 IP 白名单」→ 总开关 + 订阅地址 + 手动 IP</li>
<li>非白名单 IP 登录被拒绝并记审计</li>
</ul></div>
</div>
</div>
<!-- 2. DASHBOARD -->
<div class="section" id="dashboard">
<div class="section-title"><span class="icon">📊</span> 2. 仪表盘与实时告警</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 实时统计面板</div>
<p class="card-desc">首页展示服务器总数、在线数、离线数、告警中台数、最近推送记录。数据来源 Redis(实时)+ MySQL(历史),通过 WebSocket 触发刷新。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>在线状态取自 Redis <code>heartbeat:{id}</code>,子机 60s 上报一次</li>
<li>告警计数 = Redis <code>alerts:*</code> key 数量</li>
<li>WS 断线会自动重连(3 次指数退避)</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>在线状态最多滞后 60s(子机心跳间隔)</li>
<li>Redis 不可用时统计退化为 MySQL 数据,可能不准</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 告警通知(Telegram</div>
<p class="card-desc">CPU / 内存 / 磁盘超过阈值(默认 80%)时,通过 Telegram Bot 推送告警;恢复后发送恢复通知。同服务器同指标 5 分钟内不重复推送。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>「设置」配置 <code>TELEGRAM_BOT_TOKEN</code> + <code>TELEGRAM_CHAT_ID</code></li>
<li>阈值可在设置页调整(CPU/内存/磁盘各独立)</li>
<li>浏览器仪表盘<strong>只显示计数,不弹窗、不响铃</strong>(设计决策)</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>浏览器仪表盘不弹告警列表;历史见「告警中心」页</li>
<li>Telegram Bot 被封或网络不通时告警静默失败(有日志)</li>
<li>告警防抖 key 存于进程内存,重启后防抖状态重置</li>
</ul></div>
</div>
</div>
</div>
<!-- ALERTS -->
<div class="section" id="alerts">
<div class="section-title"><span class="icon">🔔</span> 告警中心</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 告警历史(alerts.html</div>
<p class="card-desc">将 CPU/内存/磁盘告警与恢复事件持久化到 <code>alert_logs</code>,支持分页、按服务器/类型/日期筛选,以及近 7 日统计图表数据。</p>
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>侧栏「告警中心」查看历史列表</li>
<li>API<code>GET /api/alert-history/</code><code>GET /api/alert-history/stats</code></li>
</ul></div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 分项 Telegram 开关</div>
<p class="card-desc">设置页可单独关闭某类告警的 Telegram 推送(告警/恢复/系统/时钟漂移等),便于后续扩展通道。</p>
</div>
</div>
<!-- 3. SERVERS -->
<div class="section" id="servers">
<div class="section-title"><span class="icon">🖥</span> 3. 服务器管理</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 服务器 CRUD</div>
<p class="card-desc">增删改查服务器配置,支持 SSH 密钥 / 密码双认证,可按平台类型(Platform)和节点(Node 树)分组。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>新增服务器:填写名称、域名/IP、SSH 端口、认证方式</li>
<li>认证方式选「密钥」时粘贴私钥内容,自动 Fernet 加密存储</li>
<li>支持 <code>platform_id</code> / <code>node_id</code> 分组归类</li>
<li>服务器列表分页显示(默认 50 条/页)</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>批量导入(CSV)未实现,2000 台需逐一或通过 API 批量添加</li>
<li>删除服务器同时删除关联推送日志(CASCADE)</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 健康检查</div>
<p class="card-desc">手动触发 <code>POST /api/servers/check</code>:经 <strong>SSH</strong> 执行 Python 采集 CPU/内存/磁盘(<code>remote_probe</code>),<strong>不需要</strong>公网 8601。</p>
<div class="info-block note"><div class="info-title n">与在线状态区别</div><p>列表「在线」主要来自 Agent <strong>443 心跳</strong>;健康检查用于即时 SSH 探活与指标快照。</p></div>
</div>
<div class="card">
<div class="card-title"><span class="num">4</span> Agent 安装与升级</div>
<p class="card-desc">服务器详情「Agent 安装」:复制 <code>install.sh</code> 命令或一键 SSH 安装(带日志);安装后轮询在线。升级通过 SSH 拉取最新 <code>agent.py</code> 并 restart。</p>
<div class="info-block warn"><div class="info-title w">注意</div><ul>
<li>安装脚本:Python 3.12 venv、监听 <code>127.0.0.1:8601</code>,无需公网放行 8601</li>
<li>时钟漂移:心跳带 <code>agent_time</code>,列表显示 warn/crit 徽章</li>
</ul></div>
</div>
<div class="card">
<div class="card-title"><span class="num">3</span> 每服务器 API Key</div>
<p class="card-desc">为每台服务器单独生成 Agent API Key(格式 <code>nxs-xxx</code>),用于该服务器子机与中心通信的专属认证。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>服务器详情 → 「生成 Agent Key」,完整 Key 仅本次显示,立即复制到子机 <code>config.json</code></li>
<li>列表页只显示前 8 位用于识别</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">注意</div><ul>
<li>Key 生成后无法再次查看(一次性展示设计)</li>
<li>丢失需重新生成并更新子机配置</li>
</ul></div>
</div>
</div>
</div>
<!-- ASSETS -->
<div class="section" id="assets">
<div class="section-title"><span class="icon">🗂</span> 资产管理</div>
<div class="card">
<div class="card-title"><span class="num">1</span> Platform 与 Node</div>
<p class="card-desc"><code>assets.html</code> 管理资产类型模板(Platform)与树形节点(Node),服务器表单可关联分组。</p>
<p class="card-desc">API<code>/api/assets/platforms</code><code>/api/assets/nodes</code>(含 tree</p>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> SSH 会话与命令(只读查询)</div>
<p class="card-desc">同页或「命令日志」可查询 <code>ssh_sessions</code><code>command_logs</code>WebSSH 产生)。</p>
</div>
</div>
<!-- 4. WEB SSH -->
<div class="section" id="webssh">
<div class="section-title"><span class="icon">💻</span> 4. Web SSH 终端</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 浏览器终端</div>
<p class="card-desc">基于 xterm.js + asyncssh,在浏览器内打开远程服务器 SSH 会话,支持全屏、自动 resize、彩色输出。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>服务器列表点击「终端」→ 弹出 <code>/app/terminal.html?server_id=X</code></li>
<li>认证:先获取短效 webssh-token(15 分钟),绑定到该服务器,再建 WebSocket</li>
<li>支持窗口 resize 自动通知远程 shell</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>Token 通过 URL 参数传递(?token=...),HTTPS 下安全;HTTP 下有风险</li>
<li>不支持文件上传 / 拖拽(需用文件管理页)</li>
<li>会话不录像(已明确否决)</li>
<li>网络中断 WebSocket 不会自动重连,需刷新页面</li>
</ul></div>
</div>
</div>
</div>
<!-- COMMANDS -->
<div class="section" id="commands">
<div class="section-title"><span class="icon">💻</span> 命令与推送日志</div>
<div class="card">
<div class="card-title"><span class="num">1</span> WebSSH 会话与命令</div>
<p class="card-desc"><code>commands.html</code>:会话列表、命令列表(危险命令高亮)、按服务器过滤。数据来自 WebSSH,直接 SSH 不记录。</p>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 推送日志</div>
<p class="card-desc">同页「推送日志」Tab:rsync 批量推送历史,支持服务器/状态/同步模式/触发方式过滤与分页。</p>
</div>
</div>
<!-- 5. PUSH -->
<div class="section" id="push">
<div class="section-title"><span class="icon">📤</span> 5. 批量文件推送</div>
<div class="card">
<div class="card-title"><span class="num">1</span> rsync 批量推送</div>
<p class="card-desc">将源目录通过 rsync-over-SSH 推送到选定的服务器列表,支持 4 种同步模式,内置分批(50 台/批)并发(10 路)控制。</p>
<table class="feat-table">
<tr><th>同步模式</th><th>rsync 参数</th><th>适用场景</th></tr>
<tr><td>增量同步</td><td><code>-az</code></td><td>日常更新,只同步有变动的文件</td></tr>
<tr><td>全量同步</td><td><code>-az --delete</code></td><td>强制目标与源完全一致,会删除目标多余文件</td></tr>
<tr><td>校验和</td><td><code>-az --checksum</code></td><td>按文件内容而非时间戳判断差异</td></tr>
<tr><td>直接覆盖</td><td><code>-az --inplace</code></td><td>不用临时文件,直接覆盖(大文件节省空间)</td></tr>
</table>
<div class="info-grid" style="margin-top:12px">
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li><strong>全量同步(--delete)会不可逆删除</strong>目标目录多余文件,务必先「预览」</li>
<li>rsync 在中心机运行,中心机需能 SSH 到所有子机</li>
<li>失败的服务器自动加入重试队列(指数退避,最多 100 次)</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 推送前预览(dry-run</div>
<p class="card-desc">选中全量/覆盖模式时,页面显示橙色警告,引导先对首台服务器运行 <code>rsync --dry-run --stats</code>,查看待传输/删除文件数量后再决定是否推送。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>选择「全量同步」→ 出现橙色预览按钮 → 点击 → 展示首台服务器变动摘要</li>
<li>可展开「详细文件列表」(最多 200 行)</li>
<li>预览不阻塞推送,看完数据自行决定是否点「开始推送」</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">注意</div><ul>
<li>仅预览第一台选中的服务器,其余服务器可能略有差异</li>
<li>预览需 SSH 连通,与真实推送消耗相同时间(通常 &lt;5s</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">3</span> 失败自动重试队列</div>
<p class="card-desc">推送失败的服务器自动进入 <code>push_retry_jobs</code> 队列,后台每 5 分钟按指数退避重试(60s → 120s → 240s...,最大 64 分钟)。</p>
<div class="info-block note"><div class="info-title n">注意</div><p>最多重试 100 次。可在「重试」页手动强制立即重试或删除任务。</p></div>
</div>
</div>
<!-- 6. SCRIPTS -->
<div class="section" id="scripts">
<div class="section-title"><span class="icon">📜</span> 脚本与执行历史</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 脚本库管理</div>
<p class="card-desc">维护可复用 Shell 脚本库(按 ops/deploy/check/cleanup 分类),一键下发到选定的服务器。</p>
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>「脚本」页 → 新建脚本 → 填写名称/类别/内容</li>
<li>点击脚本名 → 编辑;点击「执行」→ 选择服务器 → 运行</li>
<li>支持直接输入临时命令(无需保存到库)</li>
</ul></div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 批量执行(短任务 / 长任务)</div>
<p class="card-desc">短任务:同步等待结果(默认 30s 超时)。长任务:nohup 后台运行,完成后 curl 回调中心记录结果。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>选择服务器 → 填写命令 → 「执行」</li>
<li>执行走 <strong>SSH 22</strong>(结果含 <code>channel: ssh</code>),无需子机公网 8601</li>
<li>长任务:nohup + 子机 curl 回调中心(需 HTTPS <code>NEXUS_API_BASE_URL</code></li>
<li>「执行历史」页:停止 / 重试 / 标记卡住 / 拉取 nexus-job 日志</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li><code>rm -rf /</code> 等危险命令被中心<strong>拦截(400</strong>,但仅匹配预设规则</li>
<li>长任务依赖子机能访问中心 <code>NEXUS_API_BASE_URL</code>(必须配置且使用 HTTPS</li>
<li>执行历史默认保留 2 小时 Redis 热数据,60s 刷入 MySQL</li>
<li>执行命令时密码等敏感 $DB_* 变量存储时已脱敏(替换为 ***)</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">3</span> $DB_* 数据库凭据替换</div>
<p class="card-desc">脚本中使用 <code>$DB_USER</code> / <code>$DB_PASS</code> / <code>$DB_HOST</code> / <code>$DB_PORT</code> / <code>$DB_NAME</code> 占位符,执行时自动替换为选定的数据库凭据,密码不出现在脚本文本或日志中。</p>
<div class="info-block note"><div class="info-title n">注意</div><p>替换在中心机完成后发往子机,子机接收到的已是明文命令;传输通过 HTTPS,子机侧无加密保护。</p></div>
</div>
</div>
<!-- 7. FILES -->
<div class="section" id="files">
<div class="section-title"><span class="icon">📁</span> 7. 远程文件管理</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 目录浏览</div>
<p class="card-desc">通过 SSH exec<code>ls -la</code>)浏览指定服务器的远程目录,支持面包屑导航和目录点击进入。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>「文件管理」→ 选服务器 → 输入路径 → 「浏览」(或按 Enter)</li>
<li>点击目录名进入子目录,点击「..」返回上级</li>
<li>文件按 目录优先 / 字母顺序 排列</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>无左侧树状面板(每次需手动导航)</li>
<li>显示的文件大小为 <code>ls</code> 输出的字节数,大文件不友好</li>
</ul></div>
</div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 文件操作(删除/重命名/新建目录)</div>
<p class="card-desc">鼠标悬停文件/目录行显示操作按钮,通过 SSH exec 在远程执行操作。</p>
<table class="feat-table">
<tr><th>操作</th><th>命令</th><th>触发方式</th></tr>
<tr><td>删除文件</td><td><code>rm -f path</code></td><td>悬停 → 🗑 → confirm 弹窗</td></tr>
<tr><td>删除目录</td><td><code>rm -rf path</code></td><td>悬停 → 🗑 → 额外警告弹窗</td></tr>
<tr><td>重命名</td><td><code>mv src dst</code></td><td>悬停 → ✏ → prompt 输入新名</td></tr>
<tr><td>新建目录</td><td><code>mkdir -p path</code></td><td>右上角 📁+ → prompt 输入名</td></tr>
</table>
<div class="info-block warn" style="margin-top:10px"><div class="info-title w">缺点 / 注意</div><ul>
<li>删除目录(rm -rf<strong>不可恢复</strong>,浏览器弹窗确认无法替代真正的安全保障</li>
<li>无文件编辑器(已明确否决,用 WebSSH vim/nano 代替)</li>
<li>无文件上传功能(可用 SFTP API 或 WebSSH scp</li>
<li>无文件内容预览</li>
</ul></div>
</div>
</div>
<!-- 8. SCHEDULES -->
<div class="section" id="schedules">
<div class="section-title"><span class="icon"></span> 8. 定时调度</div>
<div class="card">
<div class="card-title"><span class="num">1</span> Cron 调度(推送 + 脚本)</div>
<p class="card-desc">支持两种 <code>schedule_type</code><strong>文件推送</strong><strong>脚本执行</strong>。5 字段 Cron,后台每 60s 检查(仅 Primary Worker)。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>「定时」→ 选类型 → 填 Cron、目标服务器</li>
<li>脚本型:选脚本库 ID 或内联内容,可设超时与长任务</li>
<li>示例:<code>0 2 * * *</code> = 每天凌晨 2 点</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">注意</div><ul>
<li>Cron 精度受 60s 检查间隔限制</li>
<li>脚本调度同样走 SSH 执行通道</li>
</ul></div>
</div>
</div>
</div>
<!-- RETRIES -->
<div class="section" id="retries">
<div class="section-title"><span class="icon">🔄</span> 重试队列</div>
<div class="card">
<p class="card-desc"><code>retries.html</code> 管理推送失败任务:<code>retry_runner</code> 每 5 分钟指数退避;可手动立即重试或删除。</p>
</div>
</div>
<!-- SEARCH -->
<div class="section" id="search">
<div class="section-title"><span class="icon">🔍</span> 全局搜索</div>
<div class="card">
<p class="card-desc">侧栏搜索框调用 <code>GET /api/search/</code>,跨服务器、脚本、凭据、定时任务关键字匹配。</p>
</div>
</div>
<!-- 9. CREDENTIALS -->
<div class="section" id="credentials">
<div class="section-title"><span class="icon">🔑</span> 9. 凭据管理</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 数据库凭据</div>
<p class="card-desc">存储 MySQL/PostgreSQL 连接信息,密码 Fernet 加密,API 响应不含密码(仅元数据)。供脚本执行时通过 $DB_* 变量引用。</p>
<div class="info-block warn"><div class="info-title w">注意</div><p>凭据只加密存储,子机接收到的命令已含明文连接信息(仅在中心→子机的 HTTPS 传输中受保护)。</p></div>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> 密码预设</div>
<p class="card-desc">存储 SSH 密码模板(Fernet 加密),可在推送配置中引用,避免重复输入常用密码。</p>
<div class="info-block note"><div class="info-title n">注意</div><p>密码预设不能用于脚本 $DB_PASS 替换,只用于推送密码模板。</p></div>
</div>
</div>
<!-- 10. SETTINGS -->
<div class="section" id="settings">
<div class="section-title"><span class="icon">⚙️</span> 10. 系统设置</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 可配置项</div>
<table class="feat-table">
<tr><th>设置项</th><th>说明</th><th>是否可改</th></tr>
<tr><td>系统名称 / 标题</td><td>品牌展示名称</td><td>✅ 可改</td></tr>
<tr><td>告警阈值(CPU/内存/磁盘)</td><td>超过阈值触发 Telegram 告警,默认 80%</td><td>✅ 可改</td></tr>
<tr><td>Redis URL</td><td>Redis 连接地址</td><td>✅ 可改</td></tr>
<tr><td>数据库连接池大小</td><td>pool_size / max_overflow</td><td>✅ 可改</td></tr>
<tr><td>Telegram Bot Token / Chat ID</td><td>告警推送配置</td><td>✅ 可改</td></tr>
<tr><td>SECRET_KEY / API_KEY / ENCRYPTION_KEY</td><td>核心安全密钥</td><td>❌ 不可改(需改 .env 重启)</td></tr>
<tr><td>DATABASE_URL</td><td>数据库连接</td><td>❌ 不可改</td></tr>
</table>
</div>
<div class="card">
<div class="card-title"><span class="num">2</span> Telegram</div>
<p class="card-desc">配置 Bot Token / Chat ID<strong>测试发送</strong>;通过 getUpdates <strong>检测 Chat ID</strong>;各告警类型独立开关。</p>
</div>
<div class="card">
<div class="card-title"><span class="num">3</span> TOTP 与 API Key</div>
<p class="card-desc">TOTP 启用/禁用/<strong>重新绑定</strong>;全局 API Key 需密码二次验证后查看(记审计)。</p>
</div>
<div class="card">
<div class="card-title"><span class="num">4</span> 登录 IP 白名单</div>
<p class="card-desc">总开关、订阅 URL(2h 刷新)、手动 IP、解析预览(见「认证」章节)。</p>
</div>
</div>
<!-- 11. AUDIT -->
<div class="section" id="audit">
<div class="section-title"><span class="icon">📋</span> 11. 审计日志</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 操作审计</div>
<p class="card-desc">所有 CUD 操作(创建/更新/删除服务器、推送、执行脚本、登录、改密码等)自动写入 <code>audit_logs</code>,记录操作人、IP、目标、详情。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>「审计」页:日期起止、管理员用户名、操作类型(分组下拉)</li>
<li>每页 50 条分页</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">缺点 / 注意</div><ul>
<li>无日志导出(已否决 CSV/JSON</li>
<li>审计日志不会自动清理,长期需归档</li>
</ul></div>
</div>
</div>
</div>
<!-- 12. INSTALL -->
<div class="section" id="install">
<div class="section-title"><span class="icon">🚀</span> 12. 安装向导</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 5 步安装向导</div>
<p class="card-desc"><code>.env</code> 文件时系统进入安装模式,访问 <code>/app/install.html</code> 完成 5 步配置:欢迎 → 数据库 → Redis → 管理员账号 → 完成。自动生成 API Key / Secret Key / Encryption Key。</p>
<div class="info-grid">
<div class="info-block usage"><div class="info-title u">使用说明</div><ul>
<li>安装完成后 <code>.env</code> 自动生成,安装 API 除 GET /status 外全部锁定(返回 403</li>
<li>重装需手动删除 <code>.env</code> 并重启</li>
</ul></div>
<div class="info-block warn"><div class="info-title w">注意</div><ul>
<li>安装过程未验证数据库/Redis 连接成功才允许进入下一步(应在步骤中手动验证)</li>
<li>安装模式下除 install API 和静态文件外,其余 API 返回 503</li>
</ul></div>
</div>
</div>
</div>
<!-- 13. GUARDIAN -->
<div class="section" id="guardian">
<div class="section-title"><span class="icon">🛡</span> 13. 三层守护机制</div>
<div class="card">
<div class="card-title"><span class="num">1</span> 三层守护</div>
<table class="feat-table">
<tr><th>层级</th><th>机制</th><th>触发条件</th><th>动作</th></tr>
<tr><td>Layer 1</td><td>Supervisor</td><td>Python 进程崩溃</td><td>自动重启</td></tr>
<tr><td>Layer 2</td><td>Python self_monitor30s</td><td>Redis/MySQL 不可达</td><td>发 Telegram 告警/恢复</td></tr>
<tr><td>Layer 3</td><td>Shell cron1 分钟)</td><td>连续 3 次 /health 失败</td><td>supervisorctl restart + Telegram</td></tr>
</table>
<div class="info-block warn" style="margin-top:10px"><div class="info-title w">注意</div><p>Shell cron 依赖宝塔/系统 crontab 配置,部署时需手动添加定时任务。</p></div>
</div>
</div>
<!-- 14. AGENT -->
<div class="section" id="agent">
<div class="section-title"><span class="icon">🤖</span> 14. 子机 Agent</div>
<div class="card">
<div class="card-title"><span class="num">1</span> Agent 功能</div>
<p class="card-desc">部署在每台被管服务器上的轻量服务:<strong>心跳走 443 出站</strong>HTTP 仅本机 <code>127.0.0.1:8601</code>。中心侧脚本已改 <strong>SSH</strong>/exec 端点保留供兼容。</p>
<table class="feat-table">
<tr><th>能力</th><th>说明</th></tr>
<tr><td>心跳</td><td>POST 中心 <code>/api/agent/heartbeat</code>,写 Redis,智能加急</td></tr>
<tr><td>时钟漂移</td><td><code>agent_time</code> 与中心比对,warn/crit + Telegram</td></tr>
<tr><td>IP 白名单</td><td><code>allowed_ips</code> 限制访问本机 Agent HTTP</td></tr>
<tr><td>长任务回调</td><td>POST <code>/api/agent/script-callback</code></td></tr>
<tr><td>安装</td><td><code>web/agent/install.sh</code> — python3.12 venv + systemd</td></tr>
</table>
<div class="info-block warn" style="margin-top:12px"><div class="info-title w">注意</div><ul>
<li>升级 API 存在,建议与 venv 安装脚本对齐后使用</li>
<li>长任务回调需子机出站访问中心 HTTPS</li>
</ul></div>
</div>
</div>
<!-- BACKGROUND -->
<div class="section" id="background">
<div class="section-title"><span class="icon"></span> 后台任务(Primary Worker</div>
<div class="card">
<table class="feat-table">
<tr><th>任务</th><th>间隔</th><th>说明</th></tr>
<tr><td>heartbeat_flush</td><td>10min</td><td>Redis 心跳 → MySQL</td></tr>
<tr><td>self_monitor</td><td>30s</td><td>Redis/MySQL/WS 自检 + Telegram</td></tr>
<tr><td>schedule_runner</td><td>60s</td><td>Cron 调度</td></tr>
<tr><td>retry_runner</td><td>5min</td><td>推送重试</td></tr>
<tr><td>ip_allowlist_refresh</td><td>2h</td><td>订阅 IP 刷新</td></tr>
<tr><td>script_execution_flush</td><td>60s</td><td>执行记录 Redis→MySQL</td></tr>
</table>
</div>
</div>
<!-- ACCEPTANCE -->
<div class="section" id="acceptance">
<div class="section-title"><span class="icon"></span> 标准与验收(与团队同等严谨)</div>
<div class="card">
<p class="card-desc"><strong>全量标准转接</strong><code>docs/project/standards-transfer-package.md</code> — 含 Cursor 规则、<code>standards/</code> 三件套、逐行八步 DoD、设计/上线清单。下一任 AI <strong>不得降低</strong>执行力度。</p>
<table class="feat-table">
<tr><th>类别</th><th>权威路径</th></tr>
<tr><td>标准转接包</td><td><code>docs/project/standards-transfer-package.md</code></td></tr>
<tr><td>验收 L0L5</td><td><code>development-acceptance-standard.md</code></td></tr>
<tr><td>系统开发</td><td><code>standards/system-development-standard.md</code></td></tr>
<tr><td>逐行审计 v2</td><td><code>standards/line-walk-audit-standard-v2.md</code></td></tr>
<tr><td>审计原则</td><td><code>standards/audit-core-principles.md</code></td></tr>
<tr><td>Cursor</td><td><code>.cursor/rules/*.mdc</code>(含 audit-line-review</td></tr>
</table>
<p class="card-desc" style="margin-top:12px">逐行审查:8 步/文件、Closure 全表含 SAFE、FINDING 必须 <code>文件:行号</code>、单回复 ≤5 文件。AI 接续:HANDOFF + 全站功能 + 标准转接包。</p>
</div>
</div>
<!-- 15. NOT IMPL -->
<div class="section" id="notimpl">
<div class="section-title"><span class="icon">🚫</span> 15. 未实现 / 已否决功能</div>
<div class="card">
<table class="feat-table">
<tr><th>功能</th><th>状态</th><th>原因 / 替代方案</th></tr>
<tr><td>文件编辑器(Monaco/ACE</td><td><span class="badge badge-red">已否决</span></td><td>运维场景用 WebSSH + vim/nano;嵌入编辑器增加复杂度无实质收益</td></tr>
<tr><td>会话录像(asciicast</td><td><span class="badge badge-red">已否决</span></td><td>命令日志已满足审计需求</td></tr>
<tr><td>RBAC 权限体系</td><td><span class="badge badge-red">已否决</span></td><td>鉴权即信任,单管理员模型;增加 RBAC 代价远超收益</td></tr>
<tr><td>移动端适配</td><td><span class="badge badge-red">已否决</span></td><td>2000 台服务器运维不会用手机操作</td></tr>
<tr><td>批量服务器导入(CSV</td><td><span class="badge badge-amber">未实现</span></td><td>可通过 API 批量 POST /api/servers/ 实现</td></tr>
<tr><td>文件上传到远程服务器</td><td><span class="badge badge-amber">未实现</span></td><td>可用 WebSSH scp / 推送功能代替</td></tr>
<tr><td>文件内容预览</td><td><span class="badge badge-amber">未实现</span></td><td>可通过 WebSSH cat 查看</td></tr>
<tr><td>WebSSH 断线自动重连</td><td><span class="badge badge-amber">未实现</span></td><td>当前需刷新页面;计划自动重试+按钮</td></tr>
<tr><td>仪表盘历史趋势图</td><td><span class="badge badge-amber">未实现</span></td><td>仅实时 Redis 指标</td></tr>
<tr><td>宝塔 API 监控集成</td><td><span class="badge badge-amber">未实现</span></td><td>可选;参考 btpanel-skills</td></tr>
<tr><td>Agent mTLS</td><td><span class="badge badge-amber">讨论中</span></td><td>未实现</td></tr>
<tr><td>首次部署 E2ET1T5、T-SE</td><td><span class="badge badge-amber">待验证</span></td><td>见 production-verification-checklist.md</td></tr>
</table>
</div>
</div>
<!-- FOOTER -->
<footer>
<p>Nexus 6.0 全站功能说明书 · 2026-05-23(对齐代码库)</p>
<p style="margin-top:6px">
<a href="project/nexus-full-site-features.md">全站功能</a> ·
<a href="project/standards-transfer-package.md">标准转接</a> ·
<a href="project/development-acceptance-standard.md">验收标准</a> ·
<a href="project/AI-HANDOFF-2026-05-23.md">AI 接续</a>
</p>
<p style="margin-top:4px">Python 3.12 / FastAPI 0.115 / MySQL 8.4 / Redis 7 / asyncssh 2.17 / Tailwind v4</p>
</footer>
</div>
</body>
</html>
@@ -1,48 +0,0 @@
# 审计 — 2026-06-21 宝塔一键登录自动 bootstrap
**Changelog**: `docs/changelog/2026-06-21-btpanel-login-auto-bootstrap.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `btpanel_service.py` `create_login_url` | 未配置先 bootstrap,失败显式 ValueError;审计含 bootstrapped | PASS |
| `useBtPanelLogin.ts` | 无静默吞错,成功提示区分 bootstrap | PASS |
| `BtPanelLoginPage.vue` | 移除未配置拦截,与 servers 页一致 | PASS |
| `bootstrap_server` | 复用既有锁与 immediate 源,无重复 SSH 逻辑 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 未配置仅 SSH 登录 | FIXED | login-url 先 immediate bootstrap |
| 前端需手动获取 API | FIXED | 一键登录单请求完成 |
| 宝塔页拦截未配置 | FIXED | 与 servers 行为统一 |
## 文件清单
- `server/application/services/btpanel_service.py`
- `server/infrastructure/btpanel/client.py`
- `frontend/src/App.vue`
- `frontend/src/api/btpanel.ts`
- `frontend/src/types/global.d.ts`
- `frontend/src/composables/btpanel/useBtPanelLogin.ts`
- `frontend/src/composables/btpanel/useBtPanelBatchBootstrap.ts`
- `frontend/src/components/btpanel/BtPanelBatchBootstrapDialog.vue`
- `frontend/src/components/servers/ServerBatchActionBar.vue`
- `frontend/src/components/servers/ServerUnsetPathPanel.vue`
- `frontend/src/pages/ServersPage.vue`
- `frontend/src/pages/btpanel/BtPanelLoginPage.vue`
- `frontend/src/pages/btpanel/BtPanelMonitorPage.vue`
- `tests/test_btpanel_login_url.py`
- `tests/test_btpanel_client.py`
- `tests/test_btpanel_login_url_route.py`
- `server/api/btpanel.py`
- `docs/changelog/2026-06-21-btpanel-login-auto-bootstrap.md`
## DoD
- [x] `#/servers` 一键登录未配置时自动获取 API 后打开面板
- [x] bootstrap 失败返回可读错误
- [x] `pytest tests/test_btpanel_login_url.py` 通过
- [x] changelog 已写
@@ -1,26 +0,0 @@
# 审计 — 2026-06-21 侧栏隐藏宝塔菜单
**Changelog**: `docs/changelog/2026-06-21-btpanel-nav-hidden.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `App.vue` | 仅移除导航 UI,路由与 API 未删 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 侧栏宝塔入口 | DONE | 整组菜单隐藏 |
| servers 一键登录 | OK | 未改动 |
## 文件清单
- `frontend/src/App.vue`
- `docs/changelog/2026-06-21-btpanel-nav-hidden.md`
## DoD
- [x] 侧栏无「宝塔面板」分组
- [x] changelog 已写
@@ -1,30 +0,0 @@
# 审计 — 2026-06-21 宝塔临时登录 24 小时
**Changelog**: `docs/changelog/2026-06-21-btpanel-temp-login-24h.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `constants.py` | 单点 TTL 常量 | PASS |
| `btpanel_service.py` | API 传 expire_timetoken 拼 URL | PASS |
| `ssh_login.py` | base64 远程脚本,无静默吞错 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 默认 3h 临时登录 | FIXED | API + SSH 均 86400s |
## 文件清单
- `server/infrastructure/btpanel/constants.py`
- `server/application/services/btpanel_service.py`
- `server/infrastructure/btpanel/ssh_login.py`
- `tests/test_btpanel_temp_login_ttl.py`
- `docs/changelog/2026-06-21-btpanel-temp-login-24h.md`
## DoD
- [x] expire_time = now + 86400
- [x] pytest 通过
@@ -1,46 +0,0 @@
# 审计 — 2026-06-21 跨服务器文件传输
**Changelog**: `docs/changelog/2026-06-21-server-file-transfer.md``docs/changelog/2026-06-21-server-file-transfer-audit-fixes.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `server_file_transfer_service.py` | 路径 `shlex.quote`、直传 500MB 上限、deliver 失败回滚 | PASS |
| `transfer-download` | token Redis TTLJWT 前缀白名单 | PASS(已知:前缀对所有 method 生效) |
| `useFilesActions.ts` | 模式推荐基于 `transferItems`relay/deliver 分路径缓存 | PASS |
| `test_server_file_transfer.py` | deliver 成功/回滚/超限、relay、store | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| deliver 失败泄漏归档/token | FIXED | rollback cleanup |
| deliver 成功 token 残留 | FIXED | delete_package_meta |
| 右键传输模式误判 | FIXED | transferItems |
| 直传多项中途失败无回滚 | ACCEPT | v1 文档化 |
## 文件清单
- `server/application/services/server_file_transfer_service.py`
- `server/infrastructure/redis/transfer_package_store.py`
- `server/api/sync_v2.py`
- `server/api/schemas.py`
- `server/api/auth_jwt.py`
- `frontend/src/composables/files/useFilesActions.ts`
- `frontend/src/composables/files/useFilesPage.ts`
- `frontend/src/components/files/FilesDialogs.vue`
- `frontend/src/components/files/FilesList.vue`
- `frontend/src/components/files/FilesToolbar.vue`
- `frontend/src/utils/auditLabels.ts`
- `tests/test_server_file_transfer.py`
- `docs/design/specs/2026-06-21-server-file-transfer-design.md`
- `docs/design/plans/2026-06-21-server-file-transfer.md`
- `docs/changelog/2026-06-21-server-file-transfer.md`
- `docs/changelog/2026-06-21-server-file-transfer-audit-fixes.md`
## DoD
- [x] 直传 + 打包投递 API 与前端对话框
- [x] `pytest tests/test_server_file_transfer.py` 18 passed
- [x] changelog ≥10 行
@@ -1,41 +0,0 @@
# 审计 — 2026-06-21 跨服务器传输独立页 + 侧栏调整
**Changelog**: `docs/changelog/2026-06-21-server-transfer-page.md``docs/changelog/2026-06-21-nav-watch-metrics-under-system.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `useServerFileTransfer.ts` | 路径 normalize、relay 500MB 禁用、localStorage 分模式缓存 | PASS |
| `useFilesActions.ts` | 移除内嵌传输;跳转 query 预填 | PASS |
| `ServerTransferPage.vue` | 顶层解构 ref,模板类型正确 | PASS |
| `App.vue` | 仅菜单分组调整,路由不变 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 文件页内嵌传输对话框 | REMOVED | 改独立页 |
| 监测历史菜单位置 | MOVED | 运维 → 系统 |
## 文件清单
- `frontend/src/pages/ServerTransferPage.vue`
- `frontend/src/composables/useServerFileTransfer.ts`
- `frontend/src/router/index.ts`
- `frontend/src/App.vue`
- `frontend/src/composables/files/useFilesActions.ts`
- `frontend/src/composables/files/useFilesPage.ts`
- `frontend/src/components/files/FilesDialogs.vue`
- `frontend/src/components/files/FilesToolbar.vue`
- `docs/project/nexus-functional-development-guide.md`
- `docs/changelog/2026-06-21-server-transfer-page.md`
- `docs/changelog/2026-06-21-nav-watch-metrics-under-system.md`
## DoD
- [x] 独立页 `#/server-transfer` + 侧栏入口
- [x] 文件页跳转预填 query
- [x] 监测历史归入系统分组
- [x] `npx vite build` 通过
- [x] changelog ≥10 行
@@ -1,32 +0,0 @@
# 审计 — 2026-06-21 跨服务器传输 UI 补强
**Changelog**: `docs/changelog/2026-06-21-server-transfer-dest-browser.md``docs/changelog/2026-06-21-server-transfer-source-site-link.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `useServerFileTransfer.ts` | B 机 browse 同步 destPath;站点 URL 计算 | PASS |
| `ServerTransferPage.vue` | 双端文件表;A 机站点外链 `rel=noopener` | PASS |
| `useServerList.ts` | ServerBrief 扩展 extra_attrs 供站点解析 | PASS |
## 文件清单
- `frontend/src/composables/useServerFileTransfer.ts`
- `frontend/src/composables/useServerList.ts`
- `frontend/src/pages/ServerTransferPage.vue`
- `docs/changelog/2026-06-21-server-transfer-dest-browser.md`
- `docs/changelog/2026-06-21-server-transfer-source-site-link.md`
## Closure
| 项 | 状态 |
|----|------|
| B 机目录浏览 | DONE |
| A 机站点链接 | DONE |
## DoD
- [x] B 机文件列表与路径同步
- [x] A 机下方可点击站点 URL
- [x] `vite build` 通过
@@ -1,30 +0,0 @@
# 审计 — 2026-06-22 宝塔临时登录 24 小时
**Changelog**: `docs/changelog/2026-06-22-btpanel-temp-login-24h.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `constants.py` | 单点 TTL 常量 | PASS |
| `btpanel_service.py` | API 传 expire_timetoken 拼 URL | PASS |
| `ssh_login.py` | base64 远程脚本,无静默吞错 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 默认 3h 临时登录 | FIXED | API + SSH 均 86400s |
## 文件清单
- `server/infrastructure/btpanel/constants.py`
- `server/application/services/btpanel_service.py`
- `server/infrastructure/btpanel/ssh_login.py`
- `tests/test_btpanel_temp_login_ttl.py`
- `docs/changelog/2026-06-22-btpanel-temp-login-24h.md`
## DoD
- [x] expire_time = now + 86400
- [x] pytest 通过
@@ -1,46 +0,0 @@
# 审计 — 检测路径改为 nginx 网站目录
## 范围(文件清单)
| 文件 | 变更 |
|------|------|
| `server/utils/nginx_path_detect.py` | 新增:构建远程 nginx root 检测命令 |
| `server/application/server_batch_common.py` | `detect_and_save_target_path` 改用 nginx |
| `frontend/src/pages/ServersPage.vue` | 确认对话框文案 |
| `scripts/batch_detect_target_path.py` | 脚本说明 |
| `tests/test_nginx_path_detect.py` | 单元测试 |
| `tests/test_server_onboarding.py` | mock 错误文案 |
| `server/application/services/btpanel_service.py` | 同批部署:宝塔临时登录 TTL |
| `server/infrastructure/btpanel/constants.py` | 同上 |
| `server/infrastructure/btpanel/ssh_login.py` | 同上 |
| `tests/test_btpanel_temp_login_ttl.py` | 同上 |
## Step 3 规则扫描
| H | 规则 | 结论 |
|---|------|------|
| H1 | 远程命令 domain 须 `shlex.quote` | PASS |
| H2 | 解析路径走 `normalize_remote_abs_path` | PASS |
| H3 | 非 root SSH 仍 `sudo_wrap` | PASS |
| H4 | 未静默吞 SSH 错误 | PASS — 无 stdout 返回明确错误 |
## Closure
| H | 判定 | 依据 |
|---|------|------|
| H1 | SAFE | `nginx_path_detect.py` `shlex.quote(host)` |
| H2 | SAFE | `server_batch_common.py` normalize 后写入 |
| H3 | SAFE | 沿用既有 `sudo_wrap` |
| H4 | SAFE | `未找到 nginx 网站目录` |
## DoD
- [x] pytest tests/test_nginx_path_detect.py
- [x] changelog 2026-06-23-detect-path-nginx-root.md
- [x] 功能指南 § 检测目标路径 已更新
## 验证
```bash
pytest tests/test_nginx_path_detect.py tests/test_server_onboarding.py -q
```
@@ -1,53 +0,0 @@
# 审计 — IP-only 服务器自动补全站点域名
## 范围(文件清单)
| 文件 | 变更 |
|------|------|
| `server/utils/site_host.py` | 新增:IP 判定与站点 host 解析 |
| `server/utils/nginx_domain_detect.py` | 新增:远程 nginx 域名探测命令 |
| `server/application/server_batch_common.py` | `detect_and_save_site_url` / `update_server_site_url` |
| `server/application/services/ip_domain_detect_schedule.py` | 新增:23:30 定时筛选与触发 |
| `server/background/ip_domain_detect_loop.py` | 新增:background loop |
| `server/application/services/server_batch_service.py` | batch op `detect-domain` |
| `server/config.py` | `IP_DOMAIN_DETECT_*` 配置 |
| `server/main.py` | 注册 loop |
| `tests/test_site_host.py` | 单元测试 |
| `tests/test_nginx_domain_detect.py` | 单元测试 |
| `tests/test_ip_domain_detect_schedule.py` | 单元测试 |
| `server/application/services/btpanel_service.py` | 同批未提交:宝塔临时登录 TTL |
| `server/infrastructure/btpanel/constants.py` | 同上 |
| `server/infrastructure/btpanel/ssh_login.py` | 同上 |
| `tests/test_btpanel_temp_login_ttl.py` | 同上 |
## Step 3 规则扫描
| H | 规则 | 结论 |
|---|------|------|
| H1 | 远程 shell 参数须 `shlex.quote` | PASS — `target_hint` 已 quote |
| H2 | 不改 SSH `domain` 字段 | PASS — 仅写 `extra_attrs.site_url` |
| H3 | 非 root SSH 仍 `sudo_wrap` | PASS — 沿用 detect-path 模式 |
| H4 | 未静默吞 SSH 错误 | PASS — 无 stdout 返回明确错误 |
| H5 | 每日 Redis 去重防重复 batch | PASS — `already_ran_today` |
## Closure
| H | 判定 | 依据 |
|---|------|------|
| H1 | SAFE | `nginx_domain_detect.py` `shlex.quote(hint)` |
| H2 | SAFE | `update_server_site_url` 只 merge extra_attrs |
| H3 | SAFE | `detect_and_save_site_url` 调用 `sudo_wrap` |
| H4 | SAFE | `未找到 nginx 站点域名` |
| H5 | SAFE | `ip_domain_detect_schedule.py` Redis key |
## DoD
- [x] pytest tests/test_site_host.py tests/test_nginx_domain_detect.py tests/test_ip_domain_detect_schedule.py
- [x] changelog 2026-06-24-ip-domain-detect-schedule.md
- [x] 设计文档 specs + plans
## 验证
```bash
.venv/bin/pytest tests/test_site_host.py tests/test_nginx_domain_detect.py tests/test_ip_domain_detect_schedule.py -q
```
@@ -1,31 +0,0 @@
# 审计 — 2026-06-29 宝塔 bootstrap 跳过无意义 reload
**Changelog**: `docs/changelog/2026-06-29-btpanel-bootstrap-skip-reload.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `ssh_bootstrap.py` | 有变更才 reload;仍原子写 api.json | PASS |
| `test_btpanel_ssh_bootstrap.py` | 远程脚本含 `if actions:` 先于 reload | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 重复 bootstrap 踢面板会话 | FIXED | `actions` 空则跳过写盘与 reload |
| 首次对接须 reload | OK | 新 token / 开 API / 加白名单仍 reload |
## 文件清单
- `server/infrastructure/btpanel/ssh_bootstrap.py`
- `tests/test_btpanel_ssh_bootstrap.py`
- `docs/design/specs/2026-06-20-btpanel-module-design.md`
## DoD
- [x] Step 3 规则扫描
- [x] Closure 表
- [x] 文件清单与本次改动对齐
- [x] `pytest tests/test_btpanel_ssh_bootstrap.py` 16 passed
- [x] 生产 rsync + Docker upgrade
@@ -1,44 +0,0 @@
# 审计 — 每日离线巡检发报前 SSH 复检
## 范围(文件清单)
| 文件 | 变更 |
|------|------|
| `server/application/server_connectivity.py` | `health_check_server_ids`;扫描列表 `batch_server_display_name` |
| `server/application/services/offline_daily_report_schedule.py` | preflight 后二次 snapshot |
| `server/config.py` | `OFFLINE_DAILY_REPORT_HEALTH_CHECK` |
| `server/infrastructure/telegram/__init__.py` | `preflight` 参数与文案 |
| `server/background/server_offline_monitor.py` | 告警显示名备注优先 |
| `tests/test_offline_daily_report_schedule.py` | preflight 单测 |
## Step 3 规则扫描
| H | 规则 | 结论 |
|---|------|------|
| H1 | 复用既有 SSH 探测,不新造协议 | PASS — `ssh_health_probe` + `write_ssh_health_heartbeat` |
| H2 | 并发受控 | PASS — `Semaphore(10)` 与批量健康检查一致 |
| H3 | 可配置关闭 | PASS — `OFFLINE_DAILY_REPORT_HEALTH_CHECK` |
| H4 | 日报数据为复检后 snapshot | PASS — 二次 `collect_offline_snapshot` |
| H5 | 显示名与批量任务 SSOT 一致 | PASS — `batch_server_display_name` |
## Closure
| H | 判定 | 依据 |
|---|------|------|
| H1 | SAFE | `server_connectivity.health_check_server_ids` |
| H2 | SAFE | `asyncio.Semaphore(max(1, concurrency))` |
| H3 | SAFE | `_health_check_enabled()` |
| H4 | SAFE | `offline_daily_report_schedule.run_scheduled_offline_daily_report` |
| H5 | SAFE | `scan_monitored_connectivity` / `server_offline_monitor` |
## DoD
- [x] pytest tests/test_offline_daily_report_schedule.py tests/test_batch_server_display_name.py
- [x] changelog 2026-06-30-offline-daily-preflight-health-check.md
- [x] 无 DB 迁移
## 验证
```bash
.venv/bin/pytest tests/test_offline_daily_report_schedule.py tests/test_batch_server_display_name.py -q
```
@@ -1,41 +0,0 @@
# 审计 — Agent 双模式四槽监测
**Changelog**: `docs/changelog/2026-07-01-agent-watch-dual-mode.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `agent.py` (子机) | watch 模式每 5s 全量;退出 watch 回 60s | PASS |
| `agent.py` (中心) | `watch_active` 仅查 monitoring pin 计数 | PASS |
| `watch_probe_runner` | 仅 `watch_mode`+新鲜心跳跳过 SSH | PASS |
| 进程列表 | 仍 SSH 偶发拉取 | PASS(已知限制) |
## Closure
| 项 | 状态 |
|----|------|
| 四槽长期 SSH 风控 | 有 Agent 时改走出站 5s |
| 双 Agent 并存 | 不需要,单进程双模式 |
| 旧 Agent 兼容 | SSH 兜底 |
## 文件清单
- `web/agent/agent.py`
- `web/agent/config.example.json`
- `server/api/agent.py`
- `server/background/watch_probe_runner.py`
- `server/utils/watch_metrics.py`
- `tests/test_agent_watch_mode.py`
## DoD
- [x] pytest 19 passedwatch + agent_watch_mode
- [x] 心跳响应含 watch_active
- [x] Agent 2.1.0 watch_mode 字段
## 验证
```bash
.venv/bin/pytest tests/test_agent_watch_mode.py tests/test_watch_metrics.py -q
```
@@ -1,53 +0,0 @@
# 审计 — 2026-07-01 补录门禁(宝塔 / Terminal / 快捷命令)
**Changelog**: `docs/changelog/2026-07-01-gate-catchup-terminal-btpanel.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `ssh_bootstrap.py` | 无变更不写盘、不 reload | PASS |
| `terminal.py` | 静态路由 `reorder` 先于 `{id}` | PASS |
| `useServerQuickAdd.ts` | 复用 Servers `add-by-ip` 契约 | PASS |
| `ServerQuickAddDialogs.vue` | 与 Servers 弹窗一致 | PASS |
| `TerminalPage.vue` | 成功后 `loadServers` + `newSession` | PASS |
| `TerminalQuickCommandsSettings.vue` | `@click.stop` 防列表吞事件 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 重复 bootstrap 踢宝塔会话 | FIXED | `if actions:` 才 reload |
| reorder 被 `{id}` 抢路由 | FIXED | 路由顺序调整 + 单测 |
| Terminal 无快速添加 | FIXED | TabBar 按钮 + 共用对话框 |
| 6/30 部署跳过门禁 | 补录 | 本 changelog/audit + pre_deploy |
## 文件清单
- `server/infrastructure/btpanel/ssh_bootstrap.py`
- `server/api/terminal.py`
- `tests/test_btpanel_ssh_bootstrap.py`
- `tests/test_terminal_quick_commands.py`
- `frontend/src/composables/servers/useServerQuickAdd.ts`
- `frontend/src/components/servers/ServerQuickAddDialogs.vue`
- `frontend/src/utils/openServerTerminal.ts`
- `frontend/src/components/terminal/TerminalTabBar.vue`
- `frontend/src/pages/TerminalPage.vue`
- `frontend/src/pages/ServersPage.vue`
- `frontend/src/components/TerminalQuickCommandsSettings.vue`
- `deploy/pre_deploy_check.sh`
## DoD
- [x] Step 3 规则扫描
- [x] Closure 表
- [x] 文件清单与本次批次一致
- [x] `pytest tests/test_btpanel_ssh_bootstrap.py tests/test_terminal_quick_commands.py` 通过
- [x] `pre_deploy_check.sh` 全门通过(Gate 3 回退或本机 :8600
## 验证
```bash
.venv/bin/pytest tests/test_btpanel_ssh_bootstrap.py tests/test_terminal_quick_commands.py -q
bash deploy/pre_deploy_check.sh
```
@@ -1,39 +0,0 @@
# 审计 — Agent 2.1.1 CPU 采样
**Changelog**: `docs/changelog/2026-07-02-agent-cpu-sampling.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `cpu_metrics.py` | watch 首次 1s bootstrap,后续 interval=None 对齐 ~5s 心跳 | PASS |
| `agent.py` | 进入 watch 时 `reset_watch_cpu_bootstrap()` | PASS |
| `server_batch_common` | 升级命令含 cpu_metrics.py | PASS |
| 常态 60s 心跳 | 仍用 `sample_cpu_percent(watch_mode=False)` | PASS |
## Closure
| 项 | 状态 |
|----|------|
| CPU 曲线长期 0% | 监测模式改长窗口采样 |
| 双模心跳 | 不变,仍 5s/60s |
| 旧 Agent 2.1.0 | 可继续用,仅 CPU 显示偏 0 |
## 文件清单
- `web/agent/cpu_metrics.py`
- `web/agent/agent.py`
- `server/application/server_batch_common.py`
- `tests/test_agent_cpu_metrics.py`
## DoD
- [x] pytest cpu_metrics + watch_mode 通过
- [x] AGENT_VERSION 2.1.1
- [x] 升级脚本拉取 cpu_metrics.py
## 验证
```bash
.venv/bin/pytest tests/test_agent_cpu_metrics.py tests/test_agent_watch_mode.py -q
```
@@ -1,39 +0,0 @@
# 审计 — 统计卡「未设路径·离线」
**Changelog**: `docs/changelog/2026-07-02-stats-unset-path-offline-card.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `servers.py` | `unset_path_offline` 由 fleet/main 离线差值推导 | PASS |
| `useServerStatsCards.ts` | 6 卡顺序与字段映射 | PASS |
| `ServersPage.vue` | 点击展开未设路径 + 离线筛 | PASS |
| `DashboardPage.vue` | 跳转 query 一致 | PASS |
## Closure
| 项 | 状态 |
|----|------|
| 在线+离线≠总数 | 拆出未设路径·离线后可对齐 |
| 主列表离线筛选 | 不变,仍 8 台口径 |
## 文件清单
- `server/api/servers.py`
- `frontend/src/composables/useServerStatsCards.ts`
- `frontend/src/pages/ServersPage.vue`
- `frontend/src/pages/DashboardPage.vue`
- `tests/integration/test_servers_dashboard.py`
## DoD
- [x] API 返回 `unset_path_offline`
- [x] 前后端 6 卡展示
- [x] integration test 断言差值公式
## 验证
```bash
.venv/bin/pytest tests/integration/test_servers_dashboard.py -q
```
@@ -1,39 +0,0 @@
# 审计 — 2026-07-03 Terminal 宝塔登录按钮
**Changelog**: `docs/changelog/2026-07-03-terminal-btpanel-login-button.md`
## Step 3 规则扫描
| 文件 | 规则 | 结论 |
|------|------|------|
| `TerminalToolbar.vue` | 仅 `session` 存在时显示;loading 防重复点击 | PASS |
| `TerminalPage.vue` | 复用 `useBtPanelLogin``serverId` 取自 `activeSession` | PASS |
| `useBtPanelLogin.ts` | 未改;并发去重与 `window.open` 行为不变 | PASS |
## Closure
| 项 | 状态 | 说明 |
|----|------|------|
| 终端内无法一键进宝塔 | FIXED | 工具栏「宝塔登录」+ 移动端菜单 |
| 与列表登录行为不一致 | N/A | 同一 composable / API |
## 文件清单
- `frontend/src/components/terminal/TerminalToolbar.vue`
- `frontend/src/pages/TerminalPage.vue`
## DoD
- [x] Step 3 规则扫描
- [x] Closure 表
- [x] 文件清单与本次批次一致
- [x] `npm run build-only` 通过
- [x] `pre_deploy_check.sh` 全门通过
## 验证
```bash
cd frontend && npm run build-only
bash deploy/pre_deploy_check.sh
bash deploy/deploy-frontend.sh
```
@@ -0,0 +1,21 @@
# 2026-06-06 — Gitea 推送脚本与本地 secrets
## 摘要
新增 `scripts/git-push.sh`,从 `deploy/nexus-1panel.secrets.sh` 读取 admin 凭据推送;更新 `.cursorrules` / `linux-dev-paths.md`
## 动机
公共仓库可匿名 pull,push 需写权限;凭据仅存本机 gitignore 文件,不入仓库。
## 涉及文件
- `scripts/git-push.sh`
- `deploy/nexus-1panel.secrets.sh.example`
- `.cursorrules``docs/project/linux-dev-paths.md`
## 验证
```bash
bash scripts/git-push.sh main # 需已配置 deploy/nexus-1panel.secrets.sh
```
@@ -0,0 +1,34 @@
# 2026-06-06 — 安装脚本按机自动生成唯一密钥
## 摘要
Docker / 1Panel 全新安装路径统一通过 `scripts/generate_nexus_secrets.py` 生成每台服务器独立的 `MYSQL_*``NEXUS_SECRET_KEY` / `NEXUS_API_KEY` / `NEXUS_ENCRYPTION_KEY`,写入 `docker/.env.prod` 并备份到 `/root/.nexus-install-secrets-*.env`。安装向导 `init-db` 复用容器环境内预生成密钥,避免与 Compose 不一致。
## 动机
新机安装不应从 `nexus-1panel.secrets.sh` 复制生产密钥;此前 `--fresh` 留空密钥导致 Compose 校验失败或各机密钥相同。
## 涉及文件
- `scripts/generate_nexus_secrets.py`(新建)
- `deploy/nexus-1panel.sh``write_env_prod` / `--reuse-secrets` / `--fresh` 忽略 secrets 中 NEXUS 项
- `deploy/install-nexus-fresh.sh` / `deploy/quick-install.sh`
- `docker/generate_env.py` — 复用同一生成器
- `docker/entrypoint.sh``NEXUS_INSTALL_WIZARD_PENDING=1` 时不写 `/app/.env`
- `docker/docker-compose.prod.yml` — 传递 `NEXUS_INSTALL_WIZARD_PENDING`
- `server/api/install.py``_install_keys_from_environment()`
- `deploy/README-1panel.md` · `deploy/nexus-1panel.secrets.sh.example`
## 迁移 / 重启
已部署实例无需变更。新机安装后需完成 `/app/install.html` 向导。
## 验证
```bash
python3 scripts/generate_nexus_secrets.py write-prod \
--template docker/.env.prod.example --output /tmp/t.env.prod \
--domain test.example.com --profile-env docker/profiles/2c8g.env --fresh --wizard-pending
grep NEXUS_SECRET_KEY /tmp/t.env.prod
ruff check server/api/install.py scripts/generate_nexus_secrets.py
```
@@ -0,0 +1,29 @@
# Changelog — 生产 SSH 凭据纳入 secrets + deploy 自动加载
**日期**2026-06-07
## 摘要
本机生产 SSH 私钥路径写入 `deploy/nexus-1panel.secrets.sh`gitignore);`deploy-production.sh` 启动时自动 source,与 `git-push.sh` 同一凭据文件。
## 动机
本机 `Host nexus` 未指向生产 VPS;部署脚本需 `NEXUS_SSH` / `NEXUS_SSH_KEY`,避免每次手动 export。
## 涉及文件
- `deploy/deploy-production.sh`
- `deploy/nexus-1panel.secrets.sh.example`
- `docs/project/linux-dev-paths.md`
- `deploy/nexus-1panel.secrets.sh`(本地 only,不入 git
## 迁移 / 重启
无。
## 验证
```bash
source deploy/nexus-1panel.secrets.sh
ssh -i "$NEXUS_SSH_KEY" "$NEXUS_SSH" "echo SSH_OK"
```
@@ -1,30 +0,0 @@
# 宝塔批量获取 API 并入服务器页批量栏
**日期**2026-06-21
## 变更摘要
将宝塔「全部未配置」「选中获取 API」移至 `#/servers` 批量操作栏「宝塔」分组;抽取 `useBtPanelBatchBootstrap` 与确认对话框组件。宝塔子模块列表页移除顶部重复按钮。
## 动机
运维在服务器主列表即可完成宝塔 SSH 引导,无需先切到宝塔 · 服务器列表。
## 涉及文件
- `frontend/src/composables/btpanel/useBtPanelBatchBootstrap.ts`
- `frontend/src/components/btpanel/BtPanelBatchBootstrapDialog.vue`
- `frontend/src/components/servers/ServerBatchActionBar.vue`
- `frontend/src/pages/ServersPage.vue`
- `frontend/src/components/servers/ServerUnsetPathPanel.vue`
- `frontend/src/pages/btpanel/BtPanelLoginPage.vue`
## 迁移 / 重启
仅前端构建部署。
## 验证
1. `#/servers` 勾选服务器 → 批量栏「宝塔」见全部未配置 / 选中获取 API
2. 确认对话框启动 job,任务中心可查看进度
3. 宝塔 · 服务器列表页无顶部批量按钮,一键登录仍可用
@@ -1,38 +0,0 @@
# 宝塔一键登录:未配置时自动获取 API
**日期**2026-06-21
## 摘要
`#/servers` 与宝塔连接配置页的「一键登录」在未获取宝塔 API 时,会先通过 SSH bootstrap 写入 `api.json`,再生成临时登录链接;无需用户先点「获取 API」。
## 动机
行内一键登录应一步完成;此前未配置机器仅走 SSH 临时登录或需手动 bootstrap,与批量栏「选中获取 API」能力不一致。
## 涉及文件
- `server/application/services/btpanel_service.py``create_login_url` 未配置时 `source=immediate` bootstrap
- `frontend/src/composables/btpanel/useBtPanelLogin.ts` — 未配置时顶部 snackbar 20s 倒计时(`timeout: -1` 持久显示)
- `frontend/src/App.vue` — snackbar 支持自定义 `timeout`
- `frontend/src/api/btpanel.ts` — 响应类型含 `bootstrapped`
- `frontend/src/pages/btpanel/BtPanelLoginPage.vue` — 移除未配置拦截,bootstrap 后刷新列表
- `tests/test_btpanel_login_url.py`
## 迁移 / 重启
无 schema 变更;需部署 API 与前端静态资源。
## 验证
```bash
pytest tests/test_btpanel_login_url.py -q
cd frontend && npx vite build
```
生产:对未配置宝塔 API 的子机点「一键登录」,应自动获取后打开面板;审计 `bt_panel_login_url` 的 detail 含 `bootstrapped: true`
## 2026-06-21 热修
- **根因**`login-url` 路由返回类型 `dict[str, str]`,响应含 `bootstrapped: bool` → FastAPI 校验 500
- **修复**`server/api/btpanel.py` 改为 `dict[str, Any]`
@@ -1,34 +0,0 @@
# 2026-06-21 宝塔系统监控 IP 白名单自愈
## 摘要
修复 `#/btpanel/monitor`(及全部宝塔代理 API)在子机返回 `{"status":false,"msg":"IP校验失败..."}` 时被当作正常 JSON 展示的问题;遇 IP 白名单失败时自动 SSH 追加中心 IP 并重试一次。
## 动机
生产验收:`GET /api/btpanel/servers/{id}/system/total` 对部分已 configured 服务器返回 HTTP 200 + 宝塔错误 JSON,前端「系统概览」卡片直接显示 `IP校验失败` 对象而非指标。根因:
1. 历史 bootstrap 曾写入 `data/api.json`,面板实际读 `config/api.json`,白名单未生效;
2. `BtPanelClient` 未识别宝塔 `status: false` 语义。
手动 `POST .../bootstrap` 可修复(`appended_whitelist`),但需用户逐台操作。
## 涉及文件
- `server/infrastructure/btpanel/client.py``raise_if_panel_error`
- `server/application/services/btpanel_service.py``proxy` IP 失败自愈 + `_repair_ip_whitelist`
- `frontend/src/pages/btpanel/BtPanelMonitorPage.vue` — 失败时清空卡片并 snackbar
- `tests/test_btpanel_client.py`
## 迁移 / 重启
- 需部署 API;无需 DB 迁移。
- 已 configured 且 SSH 可达的服务器:首次访问监控/站点等代理接口时自动补白名单。
## 验证
```bash
.venv/bin/pytest tests/test_btpanel_client.py -q
# 生产:对曾报 IP 校验失败的服务器 GET .../system/total 应返回 memTotal/cpuNum 等指标
# 前端:#/btpanel/monitor 选服务器后应显示指标 JSON,失败时红色 snackbar 而非假数据
```
@@ -1,23 +0,0 @@
# 侧栏隐藏宝塔面板菜单
**日期**2026-06-21
## 摘要
左侧导航移除「宝塔面板」分组及全部子菜单;宝塔能力仍通过 `#/servers` 一键登录与批量获取 API 使用,`#/btpanel/*` 路由保留(直链可访问)。
## 动机
运维入口收敛到服务器页,避免侧栏重复暴露未常用宝塔管理页。
## 涉及文件
- `frontend/src/App.vue`
## 迁移 / 重启
仅前端静态资源;`cd frontend && npx vite build` 后同步 `web/app/`
## 验证
登录后侧栏无「宝塔面板」区块;`#/servers` 一键登录与批量栏「宝塔」分组正常。
@@ -1,30 +0,0 @@
# 宝塔一键登录临时时效改为 24 小时
**日期**2026-06-21
## 摘要
一键登录生成临时 `tmp_token` 时,`expire_time` 设为当前时间 + **86400 秒**24 小时);SSH 回退不再调用 `tools.py get_temp_login_ipv4`(固定 3 小时),改为远程执行同等逻辑并传入 TTL。
## 动机
用户希望登录后面板会话与临时链接上限为 24 小时;宝塔默认 3 小时,且 `tmp_login_expire` 为生成链接时的绝对时间。
## 涉及文件
- `server/infrastructure/btpanel/constants.py``BT_TEMP_LOGIN_TTL_SECONDS = 86400`
- `server/application/services/btpanel_service.py` — API `set_temp_login``expire_time`,解析 `token` 拼 URL
- `server/infrastructure/btpanel/ssh_login.py``build_ssh_temp_login_command`
- `tests/test_btpanel_temp_login_ttl.py`
## 迁移 / 重启
仅 API 变更;部署后端镜像即可,前端无改动。
## 验证
```bash
.venv/bin/pytest tests/test_btpanel_temp_login_ttl.py tests/test_btpanel_ssh_login.py -q
```
生产:`POST /api/btpanel/servers/{id}/login-url` 后登录,约 24 小时内不应提示「临时登录已过期」(仍受面板 `session_timeout.pl` 约束)。
@@ -1,48 +0,0 @@
# 部署:本机 rsync 直传(默认不走 Gitea
**日期**2026-06-21
## 摘要
生产部署默认从本机工作区 `rsync` 到服务器,远程 `nexus-1panel.sh upgrade --skip-git` 重建镜像;不再依赖 `git push` + 远程 `git pull`
## 动机
用户要求平时不推 Gitea;部署时直接同步本机已验证代码即可。
## 涉及文件
| 路径 | 说明 |
|------|------|
| `deploy/rsync-local-to-server.sh` | 新建:rsync 到 `/opt/nexus`,排除 `.env` / `docker/.env.prod` / `web/data` |
| `deploy/deploy-production.sh` | 默认 rsync`NEXUS_DEPLOY_VIA_GIT=1` 可恢复旧流程 |
| `deploy/nexus-1panel.sh` | `upgrade --skip-git` 跳过 git fetch/reset |
| `AGENTS.md``.cursorrules` | 部署说明更新 |
## 用法
```bash
bash deploy/pre_deploy_check.sh
bash deploy/deploy-production.sh
```
## 保护项(不同步/不改属主)
- `docker/.env.prod``web/data/``.env`、secrets
## 属主
- **子机跨传**`NEXUS_RSYNC_PUSH_CHOWN`(默认 `www:www`),见 `docs/changelog/2026-06-21-server-transfer-www-permissions.md`
- **中心机部署**:有 `www` 用户则 `www:www`,否则用部署目录现有属主(Azure 为 `azureuser:azureuser`);`NEXUS_DEPLOY_CHOWN` 可覆盖
## 传输方式
本机 `tar | ssh sudo tar -x`(不依赖远程 rsync 命令)。
## 验证
`bash -n deploy/*.sh`;用户批准后执行完整 deploy 并检查 `/health``/app/`
## 回滚
服务器保留 Docker 回滚镜像;或本机 checkout 旧版再 rsync 部署。
@@ -1,23 +0,0 @@
# 侧栏:监测历史归入系统分组
**日期**2026-06-21
## 摘要
将「监测历史」从侧栏「运维」分组移至「系统」分组(位于告警中心与审计日志之间)。
## 动机
监测历史属于系统观测/留存类功能,与命令日志、告警、审计同属系统侧栏更合理。
## 涉及文件
- `frontend/src/App.vue``opsItems` / `sysItems` 调整
## 迁移 / 重启
仅前端静态资源;路由 `#/watch-metrics` 不变。
## 验证
刷新 SPA,确认侧栏「系统」下可见「监测历史」,「运维」下已无该项。
@@ -1,35 +0,0 @@
# 跨服务器文件传输 — 审计修复
## 日期
2026-06-21
## 摘要
对跨机传输首版做走读审计,修复 deliver 失败资源泄漏、token 残留、前端模式误判与路径记忆混用。
## 审计发现与处置
| 级别 | 问题 | 处置 |
|------|------|------|
| P1 | `deliver` 拉取失败后源机 `/tmp` 归档与 Redis token 未清理 | 失败时 rollback`rm` 归档 + `delete_package_meta` |
| P1 | `deliver` 成功后 token 仍有效但源归档已删,curl 重放 404 | 成功后 `delete_package_meta` |
| P2 | 右键「发送到其他服务器」未选中行时,模式推荐误用 `selectedFiles` | 引入 `transferItems`,按实际传输项判断 |
| P2 | localStorage 直传目录与打包路径共用 key,切换模式路径错乱 | 按 `relay`/`deliver` 分 key |
| P2 | 打包成功立即关对话框,`download_url` 无法复制 | 投递成功后保留对话框至用户关闭 |
| 已知限制 | 直传多项中途失败无回滚 | v1 接受;UI 已提示大目录用打包 |
| 已知限制 | 归档与直传单文件 500MB 上限 | 与现有 download 一致,未改 |
## 涉及文件
- `server/application/services/server_file_transfer_service.py`
- `frontend/src/composables/files/useFilesActions.ts`
- `frontend/src/components/files/FilesDialogs.vue`
## 验证
```bash
.venv/bin/pytest tests/test_server_file_transfer.py -v
```
**18** 项:schema、JWT 白名单、Redis store、SFTP 大小守卫、deliver 成功/失败回滚/超限、relay 同源拒绝与成功路径、`cleanup` 命令引用。
@@ -1,44 +0,0 @@
# 跨服务器文件传输
## 日期
2026-06-21
## 摘要
文件管理器新增 A→B 跨机传输:**直传**(中心 SFTP 中继,单文件 ≤500MB)与 **打包投递**(源机 tar.gz → 签名下载 URL → 目标机 curl + 可选解压,一键完成)。
## 动机
同机剪贴板无法跨服务器;运维需对标宝塔「发送到服务器 / 打包下载」能力,避免本地下载再上传。
## 涉及文件
- `server/application/services/server_file_transfer_service.py` — 直传、打包、投递编排
- `server/infrastructure/redis/transfer_package_store.py` — 下载 token 元数据
- `server/api/sync_v2.py``server-transfer``server-transfer/deliver``transfer-download`
- `server/api/schemas.py` — 请求模型
- `server/api/auth_jwt.py` — 下载端点 JWT 豁免
- `frontend/src/composables/files/useFilesActions.ts` — 对话框与 API 调用
- `frontend/src/components/files/FilesDialogs.vue``FilesToolbar.vue``FilesList.vue`
- `frontend/src/utils/auditLabels.ts`
- `tests/test_server_file_transfer.py`
- `docs/design/specs/2026-06-21-server-file-transfer-design.md`
## 迁移 / 重启
- 需重启 API(新路由 + Redis key `transfer:pkg:*`
- 无需 DB 迁移
- 前端需 `vite build` 后部署 `web/app/`
## 验证
```bash
pytest tests/test_server_file_transfer.py -q
cd frontend && npm run type-check
bash scripts/local_verify.sh
```
- 文件页选中项 →「发送到其他服务器」→ 直传 / 打包投递
- `GET /api/sync/transfer-download/{token}` 无 JWT 可 curl;过期 404
- 审计动作:`server_file_relay``server_file_deliver`
@@ -1,43 +0,0 @@
# 打包投递:tar 覆盖解压 + 宝塔签名下载通道
**日期**2026-06-21
## 摘要
1. 解压 tar 时加 `--overwrite`,修复 `404.html: Cannot open: File exists`
2. 源机已配置宝塔 API 时,打包投递改走宝塔官方 **`/download?filename=…` 签名 URL**(B 机直拉 A 机面板),不经 Nexus 中转;效果等同自动化「下载」,**不是** UI 右键分享外链(该接口无公开 API)。
## 动机
- 站点目录已有文件时默认 tar 拒绝覆盖。
- 用户希望用宝塔下载能力;分享 `/down/{token}` 无 token API,签名 `/download` 为可自动化等价方案。
## 涉及文件
| 路径 | 说明 |
|------|------|
| `server/infrastructure/btpanel/file_urls.py` | `signed_download_url` |
| `server/application/services/server_file_transfer_service.py` | `_extract_archive_on_server``_deliver_via_btpanel_download` |
| `tests/test_btpanel_file_urls.py` | 签名 URL 单测 |
| `tests/test_server_file_transfer.py` | 覆盖解压 / 宝塔投递分支 |
## 前提
- 源机 `extra_attrs.bt_panel` 已配置且 API IP 白名单允许 **B 机公网 IP** 访问面板端口。
- 未配置宝塔 API 时仍走 Nexus `transfer-download` 原流程。
## 验证
```bash
pytest tests/test_btpanel_file_urls.py tests/test_server_file_transfer.py -q
```
打包投递至已有文件的站点目录,应覆盖成功。
## 回滚
去掉 `bt_panel` 分支与 `--overwrite`,重启 API。
## 补充(2026-06-21
宝塔面板 HTTPS 多为自签证书;B 机 `curl` 下载签名 URL 时,当源机 `verify_ssl=false`(默认)自动加 `curl -k`,与 Nexus 连面板行为一致。
@@ -1,29 +0,0 @@
# 打包投递:curl 先落 /tmp 再 sudo mv
**日期**2026-06-21
## 摘要
`pull_transfer_package` / deliver 在目标机下载归档时,改为 `curl → /tmp/nexus-xfer-*``mv` 到目标路径(走 `exec_ssh_command_with_fallback` 提权),修复 `curl: (23) Failed writing body`(直写 `/www/...` 无权限)。
## 动机
打包投递时 Nexus 中心返回 200,但 B 机 `curl -o /www/...` 因 SSH 用户无写权限失败。
## 涉及文件
| 路径 | 说明 |
|------|------|
| `server/application/services/server_file_transfer_service.py` | `_download_url_to_remote_path` |
| `server/api/sync_v2.py` | deliver 未捕获异常 → 502 |
| `tests/test_server_file_transfer.py` | tmp+mv 单测 |
## 验证
```bash
pytest tests/test_server_file_transfer.py::test_pull_downloads_via_tmp_then_mv -q
```
## 回滚
恢复 `curl -o dest` 直写并重启 API。
@@ -1,20 +0,0 @@
# 跨服务器传输:目标机 B 目录浏览
**日期**2026-06-21
## 摘要
「目标与方式」区域增加 B 服务器文件列表,可浏览目录;进入目录后自动同步下方目标路径(直传为目录,打包为目录下归档名)。
## 动机
仅文本框填路径不直观;需在目标机侧像源机一样点选目录确认落点。
## 涉及文件
- `frontend/src/composables/useServerFileTransfer.ts``browseDest``destCurrentPath``syncDestPathFromBrowse`
- `frontend/src/pages/ServerTransferPage.vue` — 目标机文件表
## 验证
选 B 后出现文件列表;点目录进入并更新目标路径字段;`vite build` 通过。
@@ -1,31 +0,0 @@
# 跨服务器直传:目标机写入提权
**日期**2026-06-21
## 摘要
直传(relay)在目标机写入时改用 `remote_write_bytes`SFTP 失败自动 `sudo tee`),与文件上传一致;修复目标目录无写权限时 500 且前端仅显示「操作失败」。
## 动机
生产日志:`asyncssh.sftp.SFTPPermissionDenied``dst_sftp.open(..., "wb")`;宝塔子机常见 www 目录需 sudo 写入。
## 涉及文件
| 路径 | 说明 |
|------|------|
| `server/application/services/server_file_transfer_service.py` | relay 写入/建目录提权 |
| `server/api/sync_v2.py` | relay 未捕获异常 → 502 + detail |
| `frontend/src/composables/useServerFileTransfer.ts` | `formatApiError` 展示后端 detail |
## 验证
```bash
pytest tests/test_server_file_transfer.py -q
```
传输页直传至 B 机 `target_path` 下目录;失败时应显示具体原因而非「操作失败」。
## 回滚
恢复裸 SFTP `dst_sftp.open` 并重启 API。
@@ -1,31 +0,0 @@
# 跨服务器传输:目标机须手动选择
**日期**2026-06-21
## 摘要
移除传输页在选定源服务器后自动选中列表第一台作为目标机(B)的行为;B 机默认留空,用户须在目标下拉框中手动选择。
## 动机
用户反馈 B 服务器不应自动选择,避免误传到错误子机。
## 涉及文件
| 路径 | 说明 |
|------|------|
| `frontend/src/composables/useServerFileTransfer.ts` | `onSourceServerChange``applyRouteQuery` 去掉 `candidates[0]` |
## 行为
- 从文件页跳转(`?source=&path=&paths=`)仅预填 A 机与选中路径,B 机为空。
- 换 A 机时:若当前 B 与 A 相同则清空 B;否则保留用户已选手动 B。
- URL 显式带 `?dest=``?dest_server_id=` 时仍可预填 B(深链场景)。
## 验证
打开 `#/server-transfer?source=…`,确认目标服务器下拉为空,须手动选择后方可传输。
## 回滚
恢复 `candidates[0]` 自动赋值逻辑并重新构建前端。
@@ -1,44 +0,0 @@
# 跨服务器传输独立页面
**日期**2026-06-21
## 摘要
将「跨服务器文件直传 / 打包投递」从文件管理页内嵌对话框拆分为独立 SPA 页面 `#/server-transfer`,侧栏新增入口;文件页工具栏与右键改为跳转并预填源机与路径。
## 动机
- 传输流程涉及源机浏览、多选、目标机与模式选择,独立页比对话框更易操作与扩展。
- 与文件管理职责分离:文件页专注浏览编辑,传输页专注 A→B 编排。
## 涉及文件
| 路径 | 变更 |
|------|------|
| `frontend/src/pages/ServerTransferPage.vue` | 新建完整页(源浏览 + 目标配置 + 执行) |
| `frontend/src/composables/useServerFileTransfer.ts` | 新建页 composable;支持 query `source`/`path`/`paths` |
| `frontend/src/router/index.ts` | 路由 `/server-transfer` |
| `frontend/src/App.vue` | 侧栏「跨服务器传输」 |
| `frontend/src/composables/files/useFilesActions.ts` | 移除内嵌传输逻辑,改为 `goToServerTransfer` |
| `frontend/src/composables/files/useFilesPage.ts` | 导出 `goToServerTransfer` |
| `frontend/src/components/files/FilesToolbar.vue` | 按钮跳转独立页 |
| `frontend/src/components/files/FilesDialogs.vue` | 移除传输对话框 |
| `web/app/assets/ServerTransferPage-*` | Vite 构建产物 |
## 行为说明
- 文件页选中项后点「发送到其他服务器」→ `#/server-transfer?source=&path=&paths=`(路径 `|` 分隔)。
- 独立页可手动输入绝对路径、浏览源机目录、直传或打包投递;目标路径仍用 `localStorage``nexus:file-transfer-dest:{mode}:{serverId}`
- 后端 API 不变:`POST /sync/server-transfer``POST /sync/server-transfer/deliver`
## 迁移 / 重启
- 仅前端静态资源更新,无需 DB 迁移。
- 部署:重新 `vite build` 并同步 `web/app/`
## 验证
```bash
cd frontend && npx vite build
# 浏览器:侧栏「跨服务器传输」;文件页选中后跳转预填;直传/投递 smoke
```
@@ -1,24 +0,0 @@
# 跨服务器传输页:服务器选择与搜索修复
**日期**2026-06-21
## 摘要
修复 `#/server-transfer` 源/目标服务器下拉无法选择的问题,并对齐文件页:支持按名称、域名、路径、ID 搜索过滤。
## 动机
- `v-autocomplete` 未使用 `v-model`,选项 slot 误用 `item.raw` 导致 Vuetify 4 下点击无效。
- 2000+ 台机器无客户端搜索,无法快速定位服务器。
## 涉及文件
- `frontend/src/composables/useServerFileTransfer.ts``filteredSourceServerList` / `filteredDestServerList`
- `frontend/src/pages/ServerTransferPage.vue` — 与文件页一致的选择器 UI
## 验证
```bash
cd frontend && npx vite build
# 打开 #/server-transfer:可搜索并选择源/目标服务器
```
@@ -1,17 +0,0 @@
# 跨服务器传输:源机 A 下方展示可点击网址
**日期**2026-06-21
## 摘要
选择源服务器 A 后,在服务器选择框下方显示站点域名链接(`resolveServerSiteUrl`),新标签页打开。
## 涉及文件
- `frontend/src/composables/useServerList.ts``ServerBrief` 增加 `description` / `extra_attrs`
- `frontend/src/composables/useServerFileTransfer.ts``sourceSiteUrl` / `sourceSiteHost`
- `frontend/src/pages/ServerTransferPage.vue` — 链接展示
## 说明
未 push Gitea;需上线时由用户指示再传输。
@@ -1,28 +0,0 @@
# 跨服务器传输:默认进入各机目标路径
**日期**2026-06-21
## 摘要
选源服务器 A 后浏览目录默认进入 A 的 `target_path`;选目标服务器 B 后「目标目录/归档路径」默认填入 B 的 `target_path`(切换 B 时不用旧 localStorage 覆盖)。
## 动机
与文件管理页一致:运维以各机业务根目录为起点,减少每次手动改路径。
## 涉及文件
- `frontend/src/composables/useServerFileTransfer.ts``serverTargetPath``applyDestPathForServer`
## 行为
| 操作 | 默认路径 |
|------|----------|
| 选 A | 左侧浏览 `A.target_path`(无则 `/www/wwwroot` |
| 从文件页带 `?path=` | 仍用 query 路径 |
| 选 B | 直传 → `B.target_path`;打包 → `B.target_path/xxx.tar.gz` |
| 仅切换直传/打包 | 仍可读该 B 机上次保存的路径 |
## 验证
`cd frontend && npx vite build`;页内选 A/B 观察路径字段。
@@ -1,40 +0,0 @@
# 跨服务器传输:传输后 www 权限
**日期**2026-06-21
## 摘要
跨服务器直传(relay)与打包投递(deliver/pull)完成后,在目标机上自动执行 `chown -R www:www``NEXUS_RSYNC_PUSH_CHMOD` 对应 chmod,与 rsync 推送、文件上传后权限策略一致。
## 动机
用户要求「传输过去的文件都要是 www 权限」;此前 SFTP 中继与 curl 解压只写文件,不调整属主,导致宝塔站点无法读文件。
## 涉及文件
| 路径 | 说明 |
|------|------|
| `server/utils/files_upload_permissions.py` | 新增 `apply_transfer_permissions``parse_upload_dir_mode` |
| `server/application/services/server_file_transfer_service.py` | relay / pull 完成后调用权限修复 |
| `tests/test_files_upload_permissions.py` | 递归 chown/chmod 单测 |
| `tests/test_server_file_transfer.py` | relay mock `_apply_dest_permissions` |
| `deploy/rsync-local-to-server.sh` | 中心机无 `www` 用户时自动用部署目录属主 |
| `deploy/deploy-production.sh` | 同上,前端 tar 解压 chown |
## 配置
- `NEXUS_RSYNC_PUSH_CHOWN`(默认 `www:www`
- `NEXUS_RSYNC_PUSH_CHMOD`(默认 `D755,F755`
- 中心机部署属主:`NEXUS_DEPLOY_CHOWN` 可覆盖;未设置且无 `www` 用户时用 `stat` 检测
## 验证
```bash
pytest tests/test_files_upload_permissions.py tests/test_server_file_transfer.py -q
```
生产传输页直传/投递后,目标路径 `ls -la` 应为 `www:www`
## 回滚
还原上述 Python 文件并重启 API;部署脚本属主检测为向后兼容,可保留。
@@ -41,4 +41,3 @@
- 行按钮改 `small` + `tonal` + 字重 600,恢复「一键登录」全文
- 批量栏改 `flat` 实色按钮、分组标题加深,底卡用 surface 实底
- 行操作移除「删除」;删除请用批量栏「批量删除」
- 批量栏「已选 N 台」增加「选择」分组标题,与其他分区对齐
@@ -1,30 +0,0 @@
# 宝塔一键登录临时时效改为 24 小时
**日期**2026-06-22
## 摘要
一键登录生成临时 `tmp_token` 时,`expire_time` 设为当前时间 + **86400 秒**24 小时);SSH 回退不再调用 `tools.py get_temp_login_ipv4`(固定 3 小时),改为远程执行同等逻辑并传入 TTL。
## 动机
用户希望登录后面板会话与临时链接上限为 24 小时;宝塔默认 3 小时,且 `tmp_login_expire` 为生成链接时的绝对时间。
## 涉及文件
- `server/infrastructure/btpanel/constants.py``BT_TEMP_LOGIN_TTL_SECONDS = 86400`
- `server/application/services/btpanel_service.py` — API `set_temp_login``expire_time`,解析 `token` 拼 URL
- `server/infrastructure/btpanel/ssh_login.py``build_ssh_temp_login_command`
- `tests/test_btpanel_temp_login_ttl.py`
## 迁移 / 重启
仅 API 变更;部署后端镜像即可,前端无改动。
## 验证
```bash
.venv/bin/pytest tests/test_btpanel_temp_login_ttl.py tests/test_btpanel_ssh_login.py -q
```
生产:`POST /api/btpanel/servers/{id}/login-url` 后登录,约 24 小时内不应提示「临时登录已过期」(仍受面板 `session_timeout.pl` 约束)。
@@ -1,32 +0,0 @@
# Changelog — 宝塔改端口后一键登录失败修复
**日期**2026-06-23
## 摘要
修复子机宝塔面板改端口后,Nexus「一键登录」返回「宝塔操作失败」的问题。旧 `base_url` 连接失败时现会 SSH 同步新端口并重试 API,仍失败则走 SSH 临时登录。
## 动机
用户改宝塔面板端口后,库内 `extra_attrs.bt_panel.base_url` 仍为旧端口。`httpx.ConnectError` 未被捕获,未触发既有 SSH 回退,接口直接 500。
生产日志:`POST /api/btpanel/servers/404/login-url``httpx.ConnectError: All connection attempts failed`
## 涉及文件
- `server/infrastructure/btpanel/client.py` — 网络错误包装为 `BtPanelApiError`
- `server/application/services/btpanel_service.py``_try_login_url_via_api`:失败时 `_repair_ip_whitelist``port.pl` 更新地址后重试,再 SSH 回退
- `tests/test_btpanel_login_url.py`
- `tests/test_btpanel_client.py`
## 迁移 / 重启
- 无 DB 迁移;部署后端并重启 API 容器。
## 验证
```bash
pytest tests/test_btpanel_login_url.py tests/test_btpanel_client.py -q
```
改端口子机:服务器列表 → 一键登录宝塔 → 应打开新端口临时登录页。
@@ -1,43 +0,0 @@
# 检测路径改为 nginx 网站目录
**日期**2026-06-23
## 变更摘要
批量「检测路径」由搜索 `workerman.bat` 改为读取 nginx 虚拟主机配置中的 `root` 网站目录,并写入 `target_path`
## 动机
站点目录应以 nginx 配置为准;`workerman.bat` 并非通用标志,大量服务器检测失败。
## 检测逻辑
1. 取服务器 `domain`(域名或 IP
2. SSH 远程执行:
- 优先 `/www/server/panel/vhost/nginx/{domain}.conf`(宝塔)
- 再扫描宝塔 vhost 中 `server_name` 匹配项
- 最后尝试 `/etc/nginx/sites-enabled``/etc/nginx/conf.d`
3. 解析首个 `root` 指令,校验为合法绝对路径后写入 DB
## 涉及文件
| 文件 | 变更 |
|------|------|
| `server/utils/nginx_path_detect.py` | 新增:构建远程检测命令 |
| `server/application/server_batch_common.py` | `detect_and_save_target_path` 改用 nginx |
| `frontend/src/pages/ServersPage.vue` | 确认对话框文案 |
| `scripts/batch_detect_target_path.py` | 脚本说明 |
| `tests/test_nginx_path_detect.py` | 单元测试 |
| `docs/project/nexus-functional-development-guide.md` | 功能说明 |
## 迁移 / 重启
无需 DB 迁移;后端热更新或重启 API 即可。前端需 `vite build` 后部署。
## 验证
```bash
.venv/bin/pytest tests/test_nginx_path_detect.py tests/test_server_onboarding.py -q
```
服务器页勾选多台 →「检测路径」→ 确认说明含 nginx `root` → 任务结果 `target_path → /www/wwwroot/...`
@@ -1,36 +0,0 @@
# Changelog — 订阅 IP 自动刷新 Primary 锁与 last_refresh 持久化
**日期**2026-06-23
## 摘要
修复单 worker 生产环境下 Redis 主锁竞态导致 `ip_allowlist_refresh_loop` 永不启动、进程内存订阅 IP 与 DB/实时订阅脱节的问题;将「上次刷新」时间写入 `login_subscription_last_refresh` 并广播。
## 动机
生产排查发现:
- `GET /api/settings/ip-allowlist` 返回的 `subscription_ips` 与 DB、实时拉取订阅结果不一致(内存陈旧)。
- `last_refresh` 长期为空;`nexus:primary_worker` 锁未持有,2 小时后台刷新未运行。
- 容器重启时若 Redis 仍残留旧 PID 锁,单 worker 启动一次抢锁失败后不再重试,后台任务永久禁用。
## 涉及文件
- `server/main.py` — 单 worker 跳过 Redis 选举;多 worker 启动重试抢锁
- `server/background/ip_allowlist_refresh.py` — 持久化 `login_subscription_last_refresh`
- `server/config.py` — 新 settings 键映射
- `server/api/settings.py` — 敏感键列表
- `tests/test_ip_allowlist_sync.py`
## 迁移 / 重启
- 无 DB 迁移(新 key 首次刷新时自动写入)。
- 需重启 API 容器使 primary 修复与刷新循环生效。
## 验证
```bash
pytest tests/test_ip_allowlist_sync.py tests/test_login_access.py -q
```
生产:重启后约 5s 内应完成首次订阅刷新;设置页「上次刷新」有值且节点 IP 与订阅一致。
@@ -1,42 +0,0 @@
# IP-only 服务器自动补全站点域名
**日期**: 2026-06-24
**类型**: feat(backend)
## 背景
大量子机 SSH 地址登记为 IP,服务器列表「地址」列缺少可点击站点链接。需每日自动 SSH 探测 nginx 站点名并写入元数据。
## 改动
- 新增 `server/utils/site_host.py`:判定 IP-only 与解析已有站点 host(对齐前端 `serverSiteUrl.ts`)。
- 新增 `server/utils/nginx_domain_detect.py`:远程扫描 Baota/nginx vhost 提取域名。
- 新增 batch op `detect-domain`SSH 探测并写 `extra_attrs.site_url`(不改 SSH `domain` 字段)。
- 新增定时任务 `ip_domain_detect_loop`:北京时间 **23:30** 每日触发(`IP_DOMAIN_DETECT_CRON=30 23 * * *`)。
- 配置:`IP_DOMAIN_DETECT_ENABLED`(默认 true)。
## 涉及文件
- `server/application/services/ip_domain_detect_schedule.py`
- `server/background/ip_domain_detect_loop.py`
- `server/application/server_batch_common.py`
- `server/application/services/server_batch_service.py`
- `server/config.py`, `server/main.py`
- `docs/design/specs/2026-06-24-ip-domain-detect-schedule-design.md`
- `docs/design/plans/2026-06-24-ip-domain-detect-schedule.md`
## 迁移 / 重启
- 无 DB 迁移;部署后重启 API 容器使 background loop 生效。
## 验证
```bash
pytest tests/test_site_host.py tests/test_nginx_domain_detect.py tests/test_ip_domain_detect_schedule.py -q
```
- 生产:23:30 后审计日志应出现 `batch_detect_domain``#/servers` 中 IP-only 机器地址列下方出现域名链接。
## 回滚
`.env` 设置 `IP_DOMAIN_DETECT_ENABLED=false` 并重启。
@@ -1,77 +0,0 @@
# 2026-06-24 — 未设路径区块与服务器列表对齐
## 变更摘要
调整 `#/servers` 页面「未设置路径服务器」与「服务器列表」的布局顺序与表格列宽,使两表视觉对齐并符合设计文档区块顺序。
## 动机
用户反馈未设路径区块与主列表未对齐:区块顺序与设计(主列表 → 未设路径 → 连接失败)不一致,且两张独立 `v-data-table` 列宽各自计算导致列边界错位。
## 涉及文件
- `frontend/src/pages/ServersPage.vue` — 将 `ServerUnsetPathPanel` 移至主列表卡片之后;提示文案「上方」改「下方」
- `frontend/src/components/servers/ServerUnsetPathPanel.vue` — 标题栏样式与主表一致;统一 `server-data-table` 类;修复 install/upgrade emit 类型
- `frontend/src/constants/serverTableHeaders.ts` — 补全各列 `minWidth`
- `frontend/src/styles/server-data-table.css` — 共享 `table-layout: fixed` 与展开列隐藏
- `frontend/src/main.ts` — 全局引入表格样式
## 迁移 / 重启
无。前端 rebuild 后生效。
## 验证
1. 打开 `#/servers`,确认顺序:分类筛选 → **服务器列表****未设置路径服务器** → 连接失败列表
2. 对比两表列头(状态/名称/地址/分类/目标路径/Agent/心跳/操作)左右边界对齐
3. 分类筛选后,主表为空且存在未设路径机器时,提示「已在下方区块展示」,点击「定位」滚动至未设路径卡片
---
# 2026-06-24 — 未设路径区块工具栏与主列表对齐
## 变更摘要
「未设置路径服务器」卡片标题栏右侧增加与「服务器列表」相同的搜索、添加、凭据、检测路径、列表/分类切换;保留刷新按钮。
## 动机
用户要求未设路径区块具备与主列表一致的操作入口,避免只能在上方主表标题栏操作。
## 涉及文件
- `frontend/src/components/servers/ServerListToolbarActions.vue` — 新建共享工具栏
- `frontend/src/components/servers/ServerUnsetPathPanel.vue``#toolbar` 插槽
- `frontend/src/pages/ServersPage.vue` — 主表与未设路径表共用组件
## 迁移 / 重启
无。前端 rebuild 后生效。
## 验证
1. `#/servers` 未设路径卡片标题栏可见搜索框及添加/快速添加/批量添加/凭据/检测路径/列表·分类切换/刷新
2. 在未设路径区搜索、添加服务器,主表与未设路径表同步刷新
3. 未设路径区「检测路径」按本区勾选数启用/禁用
---
# 2026-06-24 — 未设路径工具栏内嵌修复
## 变更摘要
将工具栏从 slot 改为 `ServerUnsetPathPanel` 内直接渲染;标题栏允许换行,避免 `v-card-title` 裁切右侧按钮。
## 动机
用户反馈未设路径区块仍看不到搜索/快速添加等工具栏(slot + 单行标题溢出)。
## 涉及文件
- `frontend/src/components/servers/ServerListToolbarActions.vue` — 单根容器 + flex-wrap
- `frontend/src/components/servers/ServerUnsetPathPanel.vue` — 内嵌工具栏
- `frontend/src/pages/ServersPage.vue` — v-model 绑定搜索与视图模式
## 验证
`npx vite build` 通过后,刷新 `#/servers` 向下滚动至「未设置路径服务器」,标题行右侧应可见完整工具栏。
@@ -1,29 +0,0 @@
# 宝塔 bootstrap 无变更时跳过 bt reload
**日期**2026-06-29
## 摘要
SSH bootstrap 对接宝塔 API 时,若 `api.json` 无需变更(API 已开、token 已有、中心 IP 已在白名单),**不再写盘、不执行 `/etc/init.d/bt reload`**,避免每 5 分钟重试或重复一键登录时踢掉面板已有会话。
## 动机
商城新机 `43.138.205.6` 在 Nexus bootstrap 时 `bt reload` 导致 15:32 面板全员掉线;对已配置机器重复 bootstrap 不应 reload。
## 涉及文件
- `server/infrastructure/btpanel/ssh_bootstrap.py``if actions:` 才写 `api.json` + reloadstdout 增加 `reloaded`
- `tests/test_btpanel_ssh_bootstrap.py` — 断言远程脚本条件 reload
- `docs/design/specs/2026-06-20-btpanel-module-design.md` — 设计说明同步
## 迁移 / 重启
仅后端;`deploy-production.sh` rsync + Docker `upgrade --skip-git`
## 验证
```bash
.venv/bin/pytest tests/test_btpanel_ssh_bootstrap.py -q
```
生产:对已 bootstrap 完成的子机再触发对接,syslog 不应再出现 `bt reload``actions` 为空时)。
@@ -1,38 +0,0 @@
# 每日离线巡检:发报前 SSH 复检 + 备注优先显示
**日期**2026-06-30
## 变更摘要
定时「每日离线巡检」Telegram 日报在统计与推送前,先对当前离线子机批量执行 SSH 健康检查并刷新 Redis 心跳,再二次扫描得到最终在线/离线数;日报正文增加「巡检前 SSH 复检」一行。离线列表与离线告警的显示名与批量任务一致:**备注 description → name → domain**。
## 动机
Agent 心跳滞后或短暂网络抖动会导致误报离线;日报发送前应主动 SSH 探测确认。离线名单在 Telegram 中应优先展示运维备注,便于识别机器。
## 涉及文件
- `server/application/server_connectivity.py``health_check_server_ids()``scan_monitored_connectivity``batch_server_display_name`
- `server/application/services/offline_daily_report_schedule.py` — 日报前 preflight 健康检查
- `server/config.py``OFFLINE_DAILY_REPORT_HEALTH_CHECK`(默认 true
- `server/infrastructure/telegram/__init__.py` — 日报增加 preflight 统计行
- `server/background/server_offline_monitor.py` — 离线告警显示名备注优先
- `tests/test_offline_daily_report_schedule.py` — preflight 流程单测
## 配置
```env
OFFLINE_DAILY_REPORT_HEALTH_CHECK=true # false 可跳过复检
```
## 迁移 / 重启
无 DB 迁移;部署后 Docker 重建 API 容器即可,background loop 随进程启动。
## 验证方式
```bash
.venv/bin/pytest tests/test_offline_daily_report_schedule.py tests/test_batch_server_display_name.py -q
```
生产:手动触发 `run_scheduled_offline_daily_report(force=True)` 或等到 11:50 北京时间;Telegram 应含复检行且离线名单显示备注。
@@ -1,38 +0,0 @@
# Agent 双模式监测:四槽 5s 出站推送,跳过 SSH
**日期**2026-07-01
## 变更摘要
单 Agent 双模式落地:
1. **常态**60s 智能心跳(变化 <10% 可 skip**30s keepalive** 拉取 `watch_active`
2. **监测**:四槽 Pin 且开启实时监测 → 中心响应 `watch_active` → Agent **5s 全量上报**(含 `load_avg``watch_mode`
3. **探针**`watch_probe_runner` 在 Agent watch 心跳新鲜时 **跳过 SSH**;进程表仍偶发 SSH 拉取;无 Agent/旧版仍 SSH 兜底
## 动机
四槽 5s SSH 探针对子机形成长期连接与频繁握手,易触发风控;子机已有 nexus-agent 出站通道,应按需切高频而非双 Agent。
## 涉及文件
- `web/agent/agent.py` — v2.1.0 双模式心跳
- `web/agent/config.example.json``heartbeat_keepalive_sec` / `watch_interval_sec`
- `server/api/agent.py` — 心跳响应 `watch_active` / `watch_interval_sec`
- `server/background/watch_probe_runner.py` — Agent 路径优先
- `server/utils/watch_metrics.py``WATCH_AGENT_FRESH_SEC`、usable 判定
- `tests/test_agent_watch_mode.py`
## 迁移
- 中心:部署 API 镜像
- 子机:**仅 Pin 监测中的机器**需升级 Agent 至 2.1.0(面板推送或 batch push
- 未升级 Agent:行为与改前相同(SSH 5s
## 验证
```bash
.venv/bin/pytest tests/test_agent_watch_mode.py tests/test_watch_metrics.py -q
```
Pin 一台已装 Agent 的子机 → 开实时监测 → 探针记录 `source=agent`;移除槽后 Agent 日志恢复 60s。
@@ -1,54 +0,0 @@
# 补录门禁:宝塔 skip-reload · Terminal 快速添加 · 快捷命令排序
**日期**2026-07-01
## 变更摘要
补录 2026-06-30 / 07-01 已上线但未经完整八道门控的批次:
1. **宝塔 bootstrap**`api.json` 无变更时不 `bt reload`,避免踢面板会话
2. **Terminal**:工具栏「快速添加(IP)」与 Servers 对齐;成功后自动 `newSession` / 跳转 Terminal
3. **Settings 快捷命令**`PUT /quick-commands/reorder` 路由置于 `/{id}` 之前,修复上下箭头无效
## 动机
- 6/30 生产部署跳过 `pre_deploy_check`(无当日 changelog/audit、本机无 :8600、Gate 8 无 cursor-agent
- 用户反馈 Settings 上下箭头点击无效应从根因修复并补门禁
## 涉及文件
**后端**
- `server/infrastructure/btpanel/ssh_bootstrap.py`
- `server/api/terminal.py`
- `tests/test_btpanel_ssh_bootstrap.py`
- `tests/test_terminal_quick_commands.py`
**前端**
- `frontend/src/composables/servers/useServerQuickAdd.ts`
- `frontend/src/components/servers/ServerQuickAddDialogs.vue`
- `frontend/src/utils/openServerTerminal.ts`
- `frontend/src/components/terminal/TerminalTabBar.vue`
- `frontend/src/pages/TerminalPage.vue`
- `frontend/src/pages/ServersPage.vue`
- `frontend/src/components/TerminalQuickCommandsSettings.vue`
**门禁**
- `deploy/pre_deploy_check.sh` — Gate 3 本机 :8600 不可达时回退 pytest 专项
- `docs/changelog/2026-06-29-btpanel-bootstrap-skip-reload.md`(6/29 变更说明,一并纳入本批验证)
## 迁移 / 重启
- 宝塔 skip-reloadNexus 中心 `deploy-production.sh` 重建 API 镜像
- Terminal / 快捷命令:前端 `vite build` + 同步 `web/app`
## 验证
```bash
.venv/bin/pytest tests/test_btpanel_ssh_bootstrap.py tests/test_terminal_quick_commands.py -q
bash deploy/pre_deploy_check.sh
```
生产:Terminal 快速添加 → 自动开 SSH 标签;Settings 快捷命令上下箭头可调序。
@@ -1,35 +0,0 @@
# Agent 2.1.1:监测模式 CPU 采样优化
**日期**2026-07-02
## 变更摘要
修复四槽实时监测下 CPU 曲线长期显示 **0%** 的问题:
1. 新增 `web/agent/cpu_metrics.py`:监测模式用 `interval=None` 测约 **5s 窗口**(与心跳间隔对齐);首次进入 watch 用 **1s bootstrap**
2. `agent.py` 升至 **v2.1.1**`_build_system_info` 改用 `sample_watch_cpu_bundle`(含 `per_cpu_pct`
3. 升级/安装脚本同步下载 `cpu_metrics.py`
## 动机
v2.1.0 监测模式用 `psutil.cpu_percent(interval=0.3)`,低负载机器常四舍五入为 0;内存/负载正常,属采样窗口过短而非探针故障。
## 涉及文件
- `web/agent/cpu_metrics.py`(新建)
- `web/agent/agent.py` — v2.1.1
- `server/application/server_batch_common.py` — curl 下载 cpu_metrics
- `tests/test_agent_cpu_metrics.py`(新建)
## 迁移
- 中心:部署后 `/agent/cpu_metrics.py` 可访问
- 子机:**Pin 且开实时监测**的机器点槽内「升级 Agent」至 2.1.1
## 验证
```bash
.venv/bin/pytest tests/test_agent_cpu_metrics.py tests/test_agent_watch_mode.py -q
```
升级后探针 `cpu_pct` 在低负载下应出现非零小幅波动,不再长期贴 0。
@@ -1,29 +0,0 @@
# 统计卡:新增「未设路径·离线」
**日期**2026-07-02
## 变更摘要
仪表盘 / 服务器页顶部统计由 5 卡扩为 6 卡,新增 **未设路径·离线**
- 口径:`unset_path_offline = 全库 Agent 离线 主列表离线`
- 使 **在线 + 离线 + 未设路径·离线 ≈ 服务器总数**(消除原先 390+8≠428 的困惑)
- 点击跳转 `/servers?unset_path=1&status=offline`,定位未设路径区块并筛离线
## 动机
在线卡统计全库 Agent 在线(含未设路径),离线卡仅主列表离线;约 30 台「未设路径且离线」无处展示,用户误以为统计错误。
## 涉及文件
- `server/api/servers.py``unset_path_offline` 字段
- `frontend/src/composables/useServerStatsCards.ts`
- `frontend/src/pages/ServersPage.vue`
- `frontend/src/pages/DashboardPage.vue`
- `tests/integration/test_servers_dashboard.py`
## 验证
```bash
.venv/bin/pytest tests/integration/test_servers_dashboard.py -q
```
@@ -1,29 +0,0 @@
# Terminal 工具栏一键登录宝塔
**日期**2026-07-03
## 变更摘要
在 WebSSH 终端页,当已打开服务器会话时,于工具栏「字号」左侧增加 **宝塔登录** 按钮;复用服务器列表同一套 `useBtPanelLogin` 逻辑,对当前激活标签的 `serverId` 生成并打开宝塔面板登录链接。
## 动机
运维在终端排障时常需切到宝塔面板,此前只能回服务器列表点「一键登录」;在终端内直接登录可减少跳转。
## 涉及文件
**前端**
- `frontend/src/components/terminal/TerminalToolbar.vue` — 桌面按钮 + 移动端齿轮菜单项
- `frontend/src/pages/TerminalPage.vue` — 接入 `useBtPanelLogin`、loading 与点击处理
## 迁移 / 重启
- 仅前端静态资源:`bash deploy/deploy-frontend.sh`Docker 生产走 `nexus-1panel.sh upgrade` 重建镜像内前端)
## 验证
```bash
cd frontend && npm run build-only
# 打开 #/terminal,连接任意服务器后工具栏应显示「宝塔登录」
```
@@ -1,27 +0,0 @@
# 告警连续超阈门控(C2
**日期**2026-07-04
## 变更
CPU/内存/磁盘告警需 **连续 N 次**(默认 **3**)心跳超阈才触发 `broadcast_alert`;单次尖峰不再入库/Telegram。
| 项 | 说明 |
|----|------|
| 配置 | `alert_streak_required`(设置页「连续超阈次数」,默认 3) |
| 常态心跳 60s | 约 **3 分钟**持续超阈才告警 |
| 监测槽 5s | 约 **15 秒**持续超阈才告警 |
| 设为 1 | 恢复旧行为(单次超阈即告警) |
| Redis | `alert_streak:{server_id}:{metric}`,回落正常后清零 |
## 文件
- `server/utils/alert_metrics.py` — 阈值检测共用
- `server/utils/alert_streak.py` — 连续计数 + 告警/recovery 门控
- `server/api/agent.py` — 心跳接入
- `server/utils/watch_alerts.py` — 监测探针接入
- `tests/test_alert_streak.py`
## 部署
中心机 `nx update``deploy-production.sh`**无需**子机 Agent 升级。
@@ -1,30 +0,0 @@
# 检测路径改为搜索 crmeb 目录
**日期**2026-07-05
## 变更摘要
批量「检测路径」由在 `/www/wwwroot` 下搜索 `workerman.bat` 改为搜索名为 `crmeb` 的目录,并将其完整路径写入 `target_path`
## 检测逻辑
```bash
find /www/wwwroot -iname 'crmeb' -type d -print -quit 2>/dev/null
```
示例:`/www/wwwroot/shop.example.com/crmeb``target_path` = `/www/wwwroot/shop.example.com/crmeb`
## 涉及文件
| 文件 | 变更 |
|------|------|
| `server/application/server_batch_common.py` | `detect_and_save_target_path` |
| `frontend/src/pages/ServersPage.vue` | 确认对话框文案 |
| `scripts/batch_detect_target_path.py` | 脚本说明 |
| `tests/test_nginx_path_detect.py` | 单元测试 |
## 验证
```bash
.venv/bin/pytest tests/test_nginx_path_detect.py -q
```
+26 -26
View File
@@ -1,26 +1,26 @@
# Nexus 文件管理 — 目标机免密 sudo 示例(须运维审阅后安装)
#
# 安装步骤(在目标服务器上):
# 1. 将本文件复制为 /etc/sudoers.d/nexus-files(权限 0440
# 2. 把下面 deploy 替换为 Nexus 里该服务器的 SSH 用户名
# 3. visudo -cf /etc/sudoers.d/nexus-files
# 4. 用该 SSH 用户执行:sudo -n true && sudo -n bash -c 'command -v chmod'
#
# 说明:
# - 后端在权限失败时会执行 sudo -n bash -c '…',因此必须允许 /bin/bash 或 /usr/bin/bash
# - 写入回退还会用到 tee、mv、mkdir、rm、cat 等
# - 禁止使用 ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) NOPASSWD: \
/bin/bash, /usr/bin/bash, \
/bin/chmod, /usr/bin/chmod, \
/bin/chown, /usr/bin/chown, \
/bin/cp, /usr/bin/cp, \
/bin/mv, /usr/bin/mv, \
/bin/mkdir, /usr/bin/mkdir, \
/bin/rm, /usr/bin/rm, \
/bin/tar, /usr/bin/tar, \
/usr/bin/unzip, /usr/bin/zip, \
/usr/bin/tee, /bin/cat, /usr/bin/cat, \
/usr/bin/touch, /bin/touch, \
/usr/bin/rsync, /bin/rsync
# Nexus 文件管理 — 目标机免密 sudo 示例(须运维审阅后安装)
#
# 安装步骤(在目标服务器上):
# 1. 将本文件复制为 /etc/sudoers.d/nexus-files(权限 0440
# 2. 把下面 deploy 替换为 Nexus 里该服务器的 SSH 用户名
# 3. visudo -cf /etc/sudoers.d/nexus-files
# 4. 用该 SSH 用户执行:sudo -n true && sudo -n bash -c 'command -v chmod'
#
# 说明:
# - 后端在权限失败时会执行 sudo -n bash -c '…',因此必须允许 /bin/bash 或 /usr/bin/bash
# - 写入回退还会用到 tee、mv、mkdir、rm、cat 等
# - 禁止使用 ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) NOPASSWD: \
/bin/bash, /usr/bin/bash, \
/bin/chmod, /usr/bin/chmod, \
/bin/chown, /usr/bin/chown, \
/bin/cp, /usr/bin/cp, \
/bin/mv, /usr/bin/mv, \
/bin/mkdir, /usr/bin/mkdir, \
/bin/rm, /usr/bin/rm, \
/bin/tar, /usr/bin/tar, \
/usr/bin/unzip, /usr/bin/zip, \
/usr/bin/tee, /bin/cat, /usr/bin/cat, \
/usr/bin/touch, /bin/touch, \
/usr/bin/rsync, /bin/rsync
@@ -1,33 +0,0 @@
# 跨服务器文件传输 — 实施计划
## 涉及文件
| 文件 | 变更 |
|------|------|
| `server/infrastructure/redis/transfer_package_store.py` | 新建:打包任务 Redis |
| `server/application/services/server_file_transfer_service.py` | 新建:直传 / 打包 / 拉取 / 流 |
| `server/api/schemas.py` | 请求模型 |
| `server/api/sync_v2.py` | 四个端点 |
| `server/api/auth_jwt.py` | 下载端点 JWT 豁免 |
| `frontend/src/composables/files/useFilesActions.ts` | 对话框逻辑 |
| `frontend/src/components/files/FilesDialogs.vue` | UI |
| `frontend/src/components/files/FilesList.vue` | 右键菜单 |
| `tests/test_server_file_transfer.py` | 单元测试 |
| `docs/changelog/2026-06-21-server-file-transfer.md` | 变更记录 |
## 步骤
1. Redis store + serviceSFTP 递归中继、远程 tar、目标 curl)
2. API + 审计
3. 前端对话框(模式切换、目标服务器、路径、打包后展示链接与一键 pull)
4. pytest + `scripts/local_verify.sh` 相关用例
## 回滚
删除新端点与服务文件;Redis key `transfer:pkg:*` 自然过期。无需 DB 迁移。
## 测试要点
- 校验:同源目标、空 sources、路径非法
- token 过期 / 不存在 → 404
- mock SFTP 的 relay 字节计数(可选)
@@ -1,37 +0,0 @@
# IP 域名自动探测 — 实施说明
**日期**: 2026-06-24
## 涉及文件
| 文件 | 动作 |
|------|------|
| `server/utils/site_host.py` | 新增:IP 判定与站点 host 解析 |
| `server/utils/nginx_domain_detect.py` | 新增:远程 nginx 域名探测命令 |
| `server/application/server_batch_common.py` | 扩展:探测并写 site_url |
| `server/application/services/ip_domain_detect_schedule.py` | 新增 |
| `server/background/ip_domain_detect_loop.py` | 新增 |
| `server/application/services/server_batch_service.py` | 新增 op `detect-domain` |
| `server/config.py` | 新增配置项 |
| `server/main.py` | 注册 loop |
| `tests/test_*.py` | 单元测试 |
| `docs/changelog/2026-06-24-ip-domain-detect-schedule.md` | changelog |
## 实现步骤
1. `site_host.py` 镜像前端 `serverSiteUrl.ts` 逻辑。
2. `build_nginx_domain_detect_command` 扫描 Baota vhost 文件名 + server_name。
3. `detect_and_save_site_url` SSH 执行并更新 `extra_attrs`
4. schedule 列出候选 → `start_batch_job(op="detect-domain")`
5. main 注册 loopconfig 默认 23:30。
## 测试要点
- cron 23:30 北京时区匹配
- `list_ip_only_without_site_server_ids` 过滤逻辑
- nginx 命令含 quote、跳过 IP basename
- schedule 幂等(already_ran_today
## 回滚
- `.env``IP_DOMAIN_DETECT_ENABLED=false` 并重启 API;或删除新增 loop 注册。

Some files were not shown because too many files have changed in this diff Show More