752a24497c
Security (P0/P1/P2): - WebSSH: dedicated short-lived token, server_id binding, 4003 close code - Remove /api/agent/exec from control plane (RCE surface eliminated) - Global JWT middleware (JwtAuthMiddleware) with install-mode bypass - decrypt_value: failure returns None, never leaks ciphertext - Telegram: sanitize_external_message strips sensitive fields - Agent auth: startup enforces non-empty API key, compare_digest - Credentials: password_set bool flag, no plaintext in API responses - audit_log: writes admin_username + ip_address on all CUD ops - Install lock: all /api/install/* except GET /status return 403 post-install - WebSocket dedup: publish once, subscribers deliver locally Script execution platform: - script_jobs.py / script_job_callback.py: async batching and callback - script_execution_store.py / script_callback_rate.py: Redis-backed state - script_execution_flush.py: background flusher to MySQL - scripts.html / script-executions.html: full execution UI - agent_url.py: centralised URL builder Frontend: - All 13 pages migrated from CDN to /app/vendor/ (no external deps) - vendor/: alpinejs, tailwindcss-browser, xterm, xterm-addon-*, qrious - Dashboard WebSocket real-time alerts; 8h JWT session timeout Tests: - test_security_unit.py: 15 unit tests (JWT, sanitize, vendor, install 403) - test_api.py: env-configurable admin credentials Co-authored-by: Cursor <cursoragent@cursor.com>
12 lines
439 B
Python
12 lines
439 B
Python
"""Build Agent HTTP URLs — use HTTPS when Nexus API base URL is HTTPS."""
|
|
|
|
from server.config import settings
|
|
|
|
|
|
def agent_url(host: str, port: int, path: str) -> str:
|
|
"""Agent endpoint URL on a managed host (health, exec, etc.)."""
|
|
scheme = "https" if (settings.API_BASE_URL or "").lower().startswith("https://") else "http"
|
|
if not path.startswith("/"):
|
|
path = f"/{path}"
|
|
return f"{scheme}://{host}:{port}{path}"
|