MrSphay/intelligence-terminal
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

docs: sync issue tracker and handoff
All checks were successful
Release Dry Run / release-dry-run (push) Successful in 9s
Details
Codex Template Compliance / template-compliance (push) Successful in 6s
Details
Build / test-and-image (push) Successful in 19s
Details

Browse Source
This commit is contained in:
MrSphay
2026-05-17 13:23:33 +02:00
parent 53470cc701
commit 8605d0baab
2 changed files with 79 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
docs/agent-handoff.md
View File

@@ -19,10 +19,16 @@ origin https://git.wilkensxl.de/MrSphay/intelligence-terminal.git
upstream https://github.com/calesthio/Crucix.git upstream https://github.com/calesthio/Crucix.git
``` ```
Final pushed commit: Current branch tip:
```text ```text
e933586b220656a2858d2215b934b22d1f08a908 Run `git rev-parse HEAD` after clone/pull. This handoff was updated by the `docs: sync issue tracker and handoff` commit after the implementation commit below.
```
Latest implementation commit before issue-sync documentation:
```text
53470cc701ec322080a89d220aef449b25850590
``` ```
Both pushed branches currently point to this commit: Both pushed branches currently point to this commit:
@@ -84,6 +90,7 @@ Added or hardened:
- `GET /api/data` - `GET /api/data`
- `GET /api/metrics` - `GET /api/metrics`
- `POST /api/sweep` - `POST /api/sweep`
- `POST /api/action`
Health now reports: Health now reports:
@@ -169,6 +176,8 @@ Implemented:
- Space Watch icon/orbit toggle - Space Watch icon/orbit toggle
- map/globe filtering consistency - map/globe filtering consistency
- flat map label redraw handling - flat map label redraw handling
- live server-mode data loading from `/api/data` even when `jarvis.html` still contains an offline inline snapshot
- Terminal Actions panel with `Status`, `Sweep`, and `Brief` buttons
Important UI markers in the final code: Important UI markers in the final code:
@@ -177,6 +186,7 @@ layerModes
spaceDisplayMode spaceDisplayMode
toggleSpaceDisplay() toggleSpaceDisplay()
shouldShowType() shouldShowType()
runTerminalAction()
``` ```
### Briefings ### Briefings
@@ -228,6 +238,7 @@ Verified package tags through Gitea API:
latest latest
20260517 20260517
e933586b220656a2858d2215b934b22d1f08a908 e933586b220656a2858d2215b934b22d1f08a908
53470cc701ec322080a89d220aef449b25850590
``` ```
Successful pull test: Successful pull test:
@@ -255,7 +266,7 @@ Workflows present:
.gitea/workflows/template-compliance.yml .gitea/workflows/template-compliance.yml
``` ```
Final runs for commit `e933586b220656a2858d2215b934b22d1f08a908` were polled through the Gitea API and succeeded: Final runs for commit `53470cc701ec322080a89d220aef449b25850590` were polled through the Gitea API and succeeded:
```text ```text
build.yml on main: success build.yml on main: success
@@ -288,6 +299,46 @@ Local token note:
- `GITEA_TOKEN` was visible in the final Codex process. - `GITEA_TOKEN` was visible in the final Codex process.
- It was used only for Gitea API checks and not printed. - It was used only for Gitea API checks and not printed.
## Issue Sync
Open upstream GitHub issues were reviewed on 2026-05-17 from:
```text
https://github.com/calesthio/Crucix/issues
```
The upstream list contained 24 open issues. Issues already handled by this fork were not copied as open work, including the Docker stale-dashboard incident (#105), map label redraw (#70), Sensor Grid controls (#72), space display toggle (#51), source docs (#52), Dockge/CasaOS docs (#78), LLM timeout (#87), inject/static helper confusion (#100), network metrics (#101), Telegram polling backoff (#104), and briefing/evidence context (#75).
Issues not relevant to this fork were also not copied, including the Wallpaper Engine redesign (#41), the fork-inflation discussion (#107), empty/unclear placeholders (#79/#80), and the general use-case discussion (#93).
The following Gitea issues were created for real remaining work:
```text
#1 Reddit source must stop unauthenticated .json scraping
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/1
#2 Send operator alerts when dashboard data remains stale
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/2
#3 ACLED credentialed integration needs regression test and diagnostics
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/3
#4 Complete memory and prediction loop beyond Phase-1 SQLite
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/4
#5 Remove old inline dashboard snapshot from production builds
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/5
#6 Harden Terminal Actions for public reverse-proxy deployments
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/6
#7 Replace ADS-B stub with real disabled/degraded source handling
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/7
#8 Clean inherited public-demo and upstream marketing references
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues/8
```
## Verification Already Performed ## Verification Already Performed
Local lightweight checks: Local lightweight checks:
@@ -330,6 +381,17 @@ Smoke test observations:
- `/api/health` moved from `starting` to `degraded` with transparent source errors. - `/api/health` moved from `starting` to `degraded` with transparent source errors.
- Degraded state was expected without all optional API keys. - Degraded state was expected without all optional API keys.
Additional checks after fixing the dashboard live-data bug and Terminal Actions:
```bash
node --check server.mjs
npm run test:unit
docker compose --env-file .env.example config
git diff --check
```
The dashboard script was also syntax-checked after extracting script blocks from `dashboard/public/jarvis.html`.
## Important Commits ## Important Commits
```text ```text
@@ -342,9 +404,11 @@ f3c9331 ci: fix agent kit compliance checks
c2d572e fix: prepare runs volume before dropping privileges c2d572e fix: prepare runs volume before dropping privileges
8e096b2 ci: harden gitea workflow reruns 8e096b2 ci: harden gitea workflow reruns
e933586 merge: reconcile main with production branch e933586 merge: reconcile main with production branch
4262c7e docs: expand agent handoff
53470cc fix: load live dashboard data and add terminal actions
``` ```
The large implementation commit `85f97bb` is contained in both: The large implementation commit `85f97bb` and the dashboard/action fix `53470cc` are contained in both:
```text ```text
origin/codex/production-intelligence-terminal origin/codex/production-intelligence-terminal
@@ -370,7 +434,7 @@ git rev-parse HEAD
Expected: Expected:
```text ```text
e933586b220656a2858d2215b934b22d1f08a908 The branch tip should include commit 53470cc701ec322080a89d220aef449b25850590 and the later `docs: sync issue tracker and handoff` commit.
``` ```
3. Read these files first: 3. Read these files first:

11
docs/security-review.md
View File

@@ -5,12 +5,21 @@
- Shell execution: browser auto-open is gated by `AUTO_OPEN_BROWSER` and defaults to false. - Shell execution: browser auto-open is gated by `AUTO_OPEN_BROWSER` and defaults to false.
- Secrets: `.env` remains ignored; `.env.example` contains no real keys. - Secrets: `.env` remains ignored; `.env.example` contains no real keys.
- External network calls: source fetches use timeout/retry diagnostics and expose degraded state. - External network calls: source fetches use timeout/retry diagnostics and expose degraded state.
- Manual actions: `/api/sweep` is local-only unless `SWEEP_TOKEN` is configured. - Manual actions: `/api/sweep` and `/api/action` are gated by `TERMINAL_ACTIONS_ENABLED` and local-only or `SWEEP_TOKEN` authorization.
- File writes: runtime writes are limited to `runs/`. - File writes: runtime writes are limited to `runs/`.
- HTML injection: dashboard data is JSON-injected only by the CLI path; server mode serves data through API/SSE. - HTML injection: dashboard data is JSON-injected only by the CLI path; server mode serves data through API/SSE.
## Terminal Actions
- `TERMINAL_ACTIONS_ENABLED=true` enables dashboard-triggered `status`, `sweep`, and `brief` actions through `POST /api/action`.
- If `SWEEP_TOKEN` is set, callers must send the token through `x-sweep-token`, `Authorization: Bearer ...`, or the `token` request body field.
- If `SWEEP_TOKEN` is empty, actions are accepted only from local loopback addresses.
- For private Dockge/LAN deployments, this is intended to make the terminal operable from the browser.
- For Pangolin or other internet-exposed deployments, set `SWEEP_TOKEN` or `TERMINAL_ACTIONS_ENABLED=false` until the public reverse-proxy hardening issue is completed.
## Residual Risk ## Residual Risk
- External feeds can return malformed, stale, or adversarial content. UI rendering should continue to sanitize titles and URLs. - External feeds can return malformed, stale, or adversarial content. UI rendering should continue to sanitize titles and URLs.
- LLM outputs are advisory only and must not be treated as financial advice. - LLM outputs are advisory only and must not be treated as financial advice.
- `node:sqlite` availability depends on the Node 22 build; when unavailable the memory database degrades to a no-op placeholder. - `node:sqlite` availability depends on the Node 22 build; when unavailable the memory database degrades to a no-op placeholder.
- Browser-stored sweep tokens are acceptable for a trusted home-server UI, but should not be treated as a strong auth boundary on a public endpoint.