* feat(web): fix terminal height to fill viewport, prevent outside scrolling
* feat(web): add touch scroll, font size control, and accurate fit to DirectTerminal
* feat(web): add mobile sidebar overlay, hamburger toggle, and reconnect indicator
* feat(web): add hamburger and reconnect pill to topbar
* fix(web): use xterm instead of @xterm/xterm for terminal-touch-scroll import
Upstream uses xterm@5.3.0 (not @xterm/xterm), fix the type import accordingly.
* ci: make pnpm audit strict step non-blocking
npm's legacy audit endpoint (/npm/v1/security/audits) is returning 410 Gone
as it's being retired. Add continue-on-error until pnpm ships support for
the new bulk advisory endpoint.
* fix(web): replace TerminalLike with minimal interface compatible with xterm@5.3.0
xterm@5.3.0 does not have 'input' or 'attachCustomWheelEventHandler' methods
(those are @xterm/xterm v6 APIs). Define a minimal structural interface
matching only the members actually used in the file.
* fix(web): replace mobile back button with hamburger sidebar toggle on session page
On mobile, the session detail page now shows a hamburger button instead of a back arrow, which toggles the sidebar via SidebarContext. This provides better navigation consistency with the main dashboard.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): filter sidebar sessions strictly by projectId to prevent prefix collision
Sessions are now filtered to only show those whose projectId matches a configured project. This prevents sessions from different AO projects (e.g., 'ao-' and 'unl-' prefixes) from being incorrectly merged under the same project entry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): add ResizeObserver and deferred fit to fix blank terminal on mount
The terminal now uses a 100ms deferred fit timeout to ensure the container has been sized before measuring. Additionally, a ResizeObserver monitors the terminal container and calls fit() whenever its size changes, ensuring the terminal refits when flex layouts settle.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): debounce session refresh to prevent aborting in-flight fetch calls
The useSessionEvents hook now tracks when the last fetch was started and skips scheduling a new refresh if one was started less than 500ms ago. This prevents aggressive AbortController usage that was canceling in-flight requests unnecessarily. Also avoid rescheduling if a debounce timer is already pending.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test(web): update SessionDetail mobile test for new sidebar toggle button
Update the test to expect the new "Toggle sidebar" aria-label instead of the previous "Back to dashboard" label on the mobile floating header.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): active session amber color, compact session meta row, tighter font controls
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): address review feedback — fontSize rerender, dead code, test cleanup
- DirectTerminal: remove fontSize from main init useEffect deps. A dedicated
effect below mutates terminal.options.fontSize in place; keeping it in the
init deps tore down and recreated the terminal (and WebSocket) on every
stepper click, losing scrollback and flashing content.
- Remove dead ReconnectingPill component — it rendered null with a placeholder
comment. Delete the file, import, and render site rather than leaving a shell.
- ProjectSidebar: make the done-filter consistent by using getAttentionLevel
in the sessionsByProject collector. Previously the collector filtered by the
narrow `status === "done"` while the render sites filtered by the broader
`getAttentionLevel(s) === "done"`, so the project badge count could include
merged/killed/terminated sessions that the rendered list hid.
- Drop the two gutted tests that tested JS primitives rather than the component
(layout-height.test.tsx, DirectTerminal.test.tsx). They provided false
coverage. Update ProjectSidebar.test.tsx for the new anchor-based session
rows (click behavior now queries role="link", and clicking the project
toggle expands rather than navigates — the separate dashboard button handles
navigation).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): make SessionDetail topbar tests pass after redesign
Reconcile the rebased-upstream tests with our redesigned SessionDetail:
Component:
- Show session.id in the topbar next to the headline. The ID is a stable
identifier (useful for copy/paste) while the headline changes with PR/
issue titles.
- Gate the topbar Orchestrator link on `!isOrchestrator` so we don't link
the orchestrator page to itself.
- Convert the PR popover toggle from a <button> to an <a href={pr.url}>.
Plain click still toggles the popover; ctrl/cmd-click opens the PR on
GitHub in a new tab. aria-label="PR #N" keeps the accessible name stable
regardless of the rendered chevron.
Tests:
- Mobile tests scope orchestrator link queries to the topbar via
within(getByRole("banner")) because MobileBottomNav also has an
"Orchestrator" entry.
- Desktop test opens the PR popover before asserting the PR detail
contents (blocker chips, file count, unresolved comments) — they now
live inside the popover rather than inline.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(web): restore behavioral tests + remove dead mobileOpen prop
Adds missing behavioral coverage the reviewer flagged on Dashboard.mobile.test.tsx:
- Termination confirmation flow: clicking the kill button once enters a
confirming state (aria-label becomes "Confirm terminate session") without
firing the kill request; a second click POSTs to /api/sessions/:id/kill.
- CI check chip rendering: SessionCard renders passing CI check names as chips
when the session has an enriched PR.
Removes the dead `mobileOpen` prop from ProjectSidebar:
- It was declared but immediately aliased as `_mobileOpen` and never used —
the actual mobile overlay state is driven by the `sidebar-wrapper--mobile-open`
class on the parent wrapper div in Dashboard/SessionDetail.
- PullRequestsPage was passing it too but never wired the wrapper class, so
its hamburger buttons were silently no-ops. Wrapped its sidebar in the same
sidebar-wrapper + backdrop pattern so the buckled hamburgers now actually
open the sidebar overlay on mobile.
Not in scope for this round (per reviewer): attention bucket filter /
MobileBottomNav on Dashboard — Dashboard doesn't implement those features,
so there's no behavior to assert. Those would need a feature add, not a test.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(core): listCached stale-data bug + drop inline styles in DirectTerminal
Addresses the reviewer's critical and minor feedback on PR #1278.
Critical — listCached was stale across mutation paths
listCached() had a 35s TTL, invalidated only by spawn() and kill().
Every other metadata-writing path (claimPR, restore, send, remap,
cleanup, lifecycle-manager's direct updateMetadata calls for PR
detection and state transitions) left stale data visible to
/api/sessions for up to 35s.
Fix:
- Wrap updateMetadata / writeMetadata / deleteMetadata inside
createSessionManager() so every in-file mutation auto-invalidates
the cache. The raw imports are aliased as _rawXxx and only used
by the wrappers. No call site needs to remember to invalidate.
- Expose invalidateCache() on the SessionManager interface for
callers that write metadata outside this module.
- lifecycle-manager.ts: call sessionManager.invalidateCache() after
its two direct updateMetadata sites (PR detection, state update)
so polling-driven mutations are visible on the next poll.
- Move the _cache / invalidateCache declarations to the top of the
closure so the mutation wrappers can reference them.
- Update createMockSessionManager + api-routes.test.ts mocks to
satisfy the expanded interface.
- New regression test: external mutation + sm.invalidateCache() →
next listCached() re-reads disk.
C-02 — inline styles on the terminal-container div
DirectTerminal.tsx was using style={{ overflow, display,
flexDirection, flex, minHeight }} — all static values moved to
Tailwind utilities: "w-full p-1.5 flex flex-col flex-1 min-h-0
overflow-hidden".
Not addressed in this commit (noted as out-of-scope refactor):
C-04 400-line cap on DirectTerminal.tsx. Splitting fontSizeControls
and touch-scroll wiring into sub-components is worthwhile but
mechanical — separate PR.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous approach incorrectly used --since-commit (not a valid
gitleaks flag) and --log-opts= (equals syntax not supported). Fix by
using --log-opts with a space separator and a proper git commit range
(base..head) for PR scans.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The gitleaks/gitleaks-action@v2 requires a paid license for organization
repos, causing the Security workflow to fail on every PR. Replace it with
a direct `gitleaks detect` CLI invocation which is free and doesn't
require a license key.
On PRs, the scan is scoped to only the commits in the PR (via
--since-commit) for faster feedback. On push/schedule, it scans the
full repo history.
Closes#721
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: implement comprehensive security audit and secret leak prevention
## Changes
### Security Infrastructure
- Add Gitleaks configuration (.gitleaks.toml) for secret scanning
- Add pre-commit hook via Husky to block secret commits
- Add GitHub Actions security workflow (gitleaks, dependency review, npm audit)
- Update .gitignore to exclude secret files and credentials
### Documentation
- Create SECURITY.md with security policy and best practices
- Create README.md with project overview and security section
- Create docs/DEVELOPMENT.md with developer guide
- Create docs/SECURITY-AUDIT-SUMMARY.md with full audit report
### Dependencies
- Add husky@^9.1.7 for git hooks
## Audit Results
- ✅ Current codebase: 0 secrets found (1.47 MB scanned)
- ⚠️ Git history: 1 historical secret (OpenClaw token, documented in SECURITY.md)
- ✅ All test files use dummy values
- ✅ All example configs use environment variables
## Security Features
1. **Pre-commit Hook**: Scans staged files, blocks secrets before commit
2. **CI/CD Pipeline**: Scans full git history on every push/PR
3. **Automated Scanning**: Weekly scheduled scans for new vulnerabilities
4. **Comprehensive Docs**: Security policy, best practices, developer guide
## Testing
```bash
# Scan current files
gitleaks detect --no-git
# Test pre-commit hook
echo "token=ghp_fake" > test.txt
git add test.txt
git commit -m "test" # Should be blocked
```
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: make dependency-review job non-blocking
The dependency-review action requires GitHub Advanced Security which may
not be available on all repositories. Adding continue-on-error to prevent
workflow failure when this feature is unavailable.
The check will still run and provide useful information when available,
but won't block the PR if the repository doesn't have Advanced Security.
* feat: add workflow_dispatch trigger to security workflow
Allows manual triggering of security scans for testing and re-running.
* fix: address Cursor Bugbot security review comments
Fixes all high, medium, and low severity issues identified by Cursor Bugbot:
**High Severity:**
- Redact OpenClaw token from documentation (replace with 1af5c4f...872)
- Fix pre-commit hook to FAIL (exit 1) when gitleaks is not installed
- Previously silently skipped scanning (exit 0) providing false sense of security
- Fix bashism in pre-commit hook: replace &> with > /dev/null 2>&1 (POSIX compliant)
**Medium Severity:**
- Remove overly broad gitignore patterns (*.sql, *.db, *.sqlite)
- These would block legitimate SQL migration files and database schemas
- Keep focus on actual credential files only
**Low Severity:**
- Remove author email (samvit@hotmail.com) from audit documentation
All issues now resolved. Pre-commit hook will properly block commits when
gitleaks is missing, ensuring consistent secret scanning enforcement.
* fix: comment out dependency-review job requiring Dependency graph
The dependency-review GitHub Action requires 'Dependency graph' to be
enabled in repository settings. Since this feature may not be available
or configured on all repositories, commenting out this job to prevent
workflow failures.
To re-enable:
1. Go to Settings > Code security and analysis
2. Enable 'Dependency graph'
3. Uncomment the dependency-review job in this workflow
The npm-audit job provides similar dependency vulnerability scanning
and doesn't require special GitHub features.
* feat: re-enable dependency-review job after Dependency graph enabled
Now that Dependency graph is enabled in repo settings, uncomment the
dependency-review job to scan PRs for vulnerable dependencies.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>