Remove hero image from README #6

Draft
Copilot wants to merge 56 commits into main from copilot/remove-image-from-readme

Copilot AI commented Apr 3, 2026

Removes the og-image.png banner from the README.

Changes

  • Dropped the <p align="center"><img ... /></p> block containing https://crowbyte.io/og-image.png

hlsitechio and others added 30 commits March 29, 2026 16:24
Removed the banner image from the README.
- Platform detection: compile-time BUILD_TARGET (web vs electron)
- vite.config.ts: conditional base, outDir, strip service key from web builds
- Fix: SecurityMonitor window.electron bug → IS_ELECTRON
- Fix: conditional pt-8 padding (no wasted space on web)
- Fix: landing page copy (9 agents, web-first messaging)
- Add: .env.staging + .env.production (no secrets)
- Add: ci.yml (typecheck + lint + dual build + secret audit)
- Add: deploy-web.yml (main→staging, v*→production)
- Update: release.yml (per-platform VITE_PLATFORM, VPS backup)
- Update: docker.yml (build-args for target/platform)
- Branding: CrowByte Terminal → CrowByte
- README: cleanup (remove tech stack, screenshots, fix AI infra table, fix contacts)
README:
- Rewrite all feature claims to match actual code
- Remove false claims: auto-capture, CSPM scanning, SBOM gen, pre-built SIEM connectors
- Security section: remove X25519 (uses P-256), remove audit logging (not implemented), remove no-telemetry
- Add accurate claims: ECDH+AES-256-GCM, credential encryption, activity logging, conversation encryption
- Move unfinished features to Roadmap where they belong

Tor removal:
- Remove checkTorStatus/checkTorIndicators from ip-status.ts
- Remove isTor from IPStatusData interface
- Remove Tor status UI from Dashboard
- Remove check-tor IPC handler from main.cjs
- Remove checkTor from preload.js and global.d.ts
- Remove check.torproject.org from CSP whitelist
- analytics.ts: all methods now explicit no-ops, clear NO TELEMETRY header
- Logs page: add Export dropdown (CSV + JSON) with timestamped filenames
- ip-status.ts: add loggingService calls for network events (success + warnings)
- README: add 'No Telemetry' + 'Exportable as CSV or JSON' claims (now true)
- README: update roadmap (export done, cloud sync still pending)
- Install @sentry/browser SDK (GlitchTip-compatible)
- Create glitchtip.ts service with:
  - Auto error capture via Sentry SDK
  - Manual captureError/captureMessage methods
  - User context (set on login, clear on logout)
  - Breadcrumb tracking
  - API client for AI agent: getIssues, getIssueEvents, getErrorSummary
  - resolveIssue API for triage
  - getIssuesForAgent — formatted output for AI consumption
- Initialize in App.tsx on mount
- Add DSN to .env, .env.production, .env.staging
- Add app.glitchtip.com to nginx CSP connect-src
- Filter noisy errors (ResizeObserver, extensions)
- Bridge: errors go to both GlitchTip AND local logging service
- Add @sentry/electron SDK
- Initialize Sentry in electron/main.cjs (main process crash capture)
- Set autoSessionTracking: false (GlitchTip requirement)
- Lower tracesSampleRate to 0.01 (1% in production)
- Renderer uses @sentry/browser (works for both web + Electron renderer)
- Enable sourcemap generation in Vite build
- @sentry/vite-plugin auto-uploads maps to GlitchTip on SENTRY_AUTH_TOKEN
- Maps auto-deleted post-upload (don't ship to users)
- GlitchTip MCP server added to Claude Code settings
- Permissions for mcp__glitchtip__* tools
…porter

- Removed @sentry/browser, @sentry/electron, @sentry/vite-plugin
- Renderer: custom error reporter using fetch() to GlitchTip store API
  - Global error + unhandledrejection handlers
  - Stack trace parsing (Chrome + Firefox)
  - Breadcrumb tracking, user context, noise filtering
- Main process: same pattern, pure Node fetch()
- Bundle size: -76 KB (2,531 → 2,455 KB)
- Zero external dependencies for error monitoring
- GlitchTip MCP server still configured for AI-assisted debugging
- sourcemap: 'hidden' — generates .map files without URL refs in bundles
- scripts/upload-sourcemaps.sh archives maps per version, strips from dist
- Proper filenames: chart-vendor-oyh-UeQZ.js.map (not GUIDs)
- sourcemaps/ dir gitignored (local debugging only)
- GlitchTip SaaS doesn't support release file uploads — archive locally
- Agent can now call glitchtip_get_issues, glitchtip_get_issue_events, glitchtip_error_summary
- System prompt updated with app error monitoring capability
- Scan instructions include GlitchTip checks (steps 6-8)
- Agent auto-checks for production bugs during every monitoring cycle
- Deep-dives into critical issues with stack traces via getIssueEvents
- Zero new deps — uses existing glitchtip.ts API client
SECURITY FIXES:
- inoreader.ts: OAuth client_secret moved to env var (was hardcoded)
- license-guard.ts: AES-GCM encryption replaces btoa() for license cache
- credentialStorage.ts: per-device generated salt replaces hardcoded string
- encryption.ts: HMAC key derived from password, not hardcoded
- remote-control.ts: random per-session HKDF salt (was zero bytes)
- CVE.tsx: dynamic user_id from auth session (was hardcoded UUID)

SHELL/PARTIAL FIXES:
- CloudSecurity: preview banner — marks as demo with sample data
- Missions: preview banner — tool execution is simulated
- Connectors: preview banner — integrations not yet active
- DetectionLab: honest label — 'pattern-based, AI coming soon'
- Tools.tsx: loadData() actually calls service, graceful error handling
- AgentBuilder: loadAgents() uncommented with try/catch fallback

UX:
- macOS download marked 'Coming Soon' (not yet tested)
- HardHat icon for preview banners (Construction doesn't exist in phosphor)
The grep catches 'service_role' in .map files (Supabase SDK type
definitions, not actual keys). Maps are stripped before audit and
never deployed to users.
app.isPackaged is always false when running Electron from source
(Docker, dev). The OR-based isDev check ignored NODE_ENV=production.

Now NODE_ENV=production short-circuits the check, so Docker containers
load dist/index.html instead of trying localhost:8081 dev server.

- electron/main.cjs: isForceProduction guard on both isDev checks
- docker/entrypoint.sh: export NODE_ENV=production before electron
Xvfb + Fluxbox positions the 1400x900 window off-screen.
When running from source in production mode (Docker), auto-maximize
so the TitleBar and full UI are visible through noVNC.
- Set app.name='crowbyte' so userData path is consistent (~/.config/crowbyte/)
  instead of ~/.config/Electron/ when running unpackaged
- Pre-seed crowbyte-config.json in entrypoint to skip onboarding wizard
- setFullScreen(true) for Docker/headless environments
- Add --start-maximized flag to electron CLI args
New support-agent.ts service with:
- RAG search over 35 doc chunks (docs-knowledge.json)
- Intent classification (docs/diagnostic/escalation/general)
- 6 diagnostic checks (Supabase, Auth, OpenClaw, Electron, Storage, ErrorReporter)
- OpenClaw AI chat with system prompt + RAG context
- Escalation to Supabase support_tickets + Discord webhook
- Push notification system via Supabase Realtime
- Ticket CRUD for user-facing ticket history

docs-knowledge.json: 35 chunks extracted from all doc sections (~70KB)
- fix: shell injection in memory bridge (exec → execFile)
- fix: /api/errors endpoints now require JWT auth
- fix: arg sanitization no longer skips --prefixed args
- fix: scan target format validation added
- fix: SSL verification configurable in Python agent
- feat: startup warnings for default credentials and missing JWT_SECRET
- feat: explicit CSP directives instead of disabled Helmet
- chore: noFallthroughCasesInSwitch enabled in tsconfig
Agent-Logs-Url: https://github.com/hlsitechio/crowbyte/sessions/95d303ec-05ae-4dbd-9f04-eebc2b9cc963

Co-authored-by: hlsitechio <68784598+hlsitechio@users.noreply.github.com>
Agent-Logs-Url: https://github.com/hlsitechio/crowbyte/sessions/dd46796a-8e66-4bea-b779-71a9c3b639ff

Co-authored-by: hlsitechio <68784598+hlsitechio@users.noreply.github.com>
… VNC auth

- Remove /api/docker/, /api/system/, /api/memory/, /api/setup/ from PUBLIC_PREFIXES
  All now require JWT authentication (CWE-306)
- Remove curl from ALLOWED_TOOLS — prevents authenticated SSRF (CWE-918)
- Add MAX_CONCURRENT_EXECUTIONS (10) limit on tool exec/scan (CWE-400)
- Rate-limit /api/errors telemetry endpoint (60/min per IP)
- Add auth check on POST /api/setup/complete
- Flag requiresPasswordChange when using default credentials
- Docker: bind VNC to 127.0.0.1 only, require VNC_PASSWORD in .env
hlsitechio and others added 25 commits March 30, 2026 19:16
- Playwright: smoke test all 38 routes (load, assert no crash)
- Vitest: data contract tests (STATUS_BADGE fallbacks, null array safety)
- CI: add unit test step + npm audit (critical)
- Deploy: post-deploy health check (curl prod/staging, assert 200)
- package.json: test, test:watch, test:e2e, test:e2e:headed scripts
…oning

- 4 Supabase tables: agent_teams, agent_tasks, agent_instances, agent_schedules
- agent-orchestrator.ts: task queue, agent dispatch (OpenClaw VPS), scheduling, tier enforcement
- AgentTeams.tsx: full dashboard with overview, tasks, agents, schedules tabs
- useOrchestrator hook: starts queue processor on auth
- Auto-provision free security team on first login
- 22 agent types across 4 team types (security/dev/ops/support)
- 3 tiers: free (50 tasks/mo), pro (500, $29), enterprise (unlimited, $99)
- RLS + service_role bypass policies on all tables
…iewer

- Server route /api/agents/dispatch — SSH relay to OpenClaw VPS
- Server route /api/agents/status — VPS health check
- Server route /api/agents/batch — multi-task dispatch
- SSH key exchange: CrowByte VPS → OpenClaw VPS
- agent-dispatch wrapper on OpenClaw VPS
- Robust JSON extraction from openclaw --json output
- Orchestrator uses server relay API (web-compatible)
- Electron IPC SSH fallback for desktop mode
- TaskRow expandable output viewer (input/output/error panels)
- VPS online indicator in dashboard header
- Tested E2E: recon agent resolved crowbyte.io DNS via tool-calling
- Fix HTTP 400 from processQueue(): strip milliseconds from ISO timestamp
  in .or() filter to prevent PostgREST dot-parsing confusion (.867Z)
- Add /api/proxy/ip route: proxies ipinfo.io for web client (CORS bypass)
- Add /api/proxy/openclaw/* route: proxies OpenClaw VPS gateway for web
  client with SSE streaming support
- Fixes ~200 HTTP 400 errors per QA session from 10s queue polling
- Fixes HTTP 401 on /api/proxy/ip and /api/proxy/openclaw (routes now exist)
…status

- ALTER TABLE agent_tasks: add team_id, agent_type, task_type, input,
  output, scheduled_at, updated_at, max_retries, retries, timeout_ms,
  assigned_at, duration_ms (columns orchestrator expects)
- CREATE TABLE custom_agents with RLS + realtime (was 404)
- Add /api/agents/status to PUBLIC_PREFIXES (was 401 from web client)
- Root cause of ALL 400 errors: table schema mismatch, not filter syntax
- All 40 QA errors now resolved
- CSP: allow fonts.googleapis.com in style-src, remove duplicate fontSrc
- Add /api/proxy/nvd/* route for NVD API CORS bypass on web
- Analytics.tsx: route NVD check through proxy on web builds
- /api/errors added to PUBLIC_PREFIXES (error telemetry shouldn't need auth)
- useOrchestrator: use ref + user.id dep to prevent start/stop flapping
…mic insight

- CREATE TABLE profiles (user profile with tier, role, avatar)
- CREATE TABLE analytics (event tracking with page/tool/duration)
- Seed: 8 agent tasks (7 completed, 1 failed — real dispatch results)
- Seed: 3 agent schedules (daily recon, VPS check, CVE intel)
- Seed: 3 custom agents (Header Analyzer, JS Deobfuscator, Report Writer)
- Seed: 15 analytics events, 1 user profile
- Dashboard: dynamic daily insight from live Supabase data
- All 24 tables now populated with real data (0 empty, 0 missing)
… analytics service

- AlertCenter: sparkData now derived from source.alerts_ingested count
- Analytics: apiUsage computed from real api_usage_stats weekly data
- analyticsService: rewired from no-op stub to real Supabase writes
  (logActivity, logSearch, logApiCall, logChat → analytics table)
- All UI data now sourced from Supabase or live services
…on titles, AI routes

- Fix 'activeModel is not defined': move declaration before try/catch block
- ALTER TABLE conversations: add folder_id, provider, model, message_count
- CREATE TABLE folders: chat organization with RLS
- Fix messages INSERT RLS: allow authenticated users to insert
- Add /api/ai/models + /api/ai/usage routes (CrowByte AI provider)
- Make /api/proxy/* and /api/ai/* public (web client has no server JWT)
- Clean up 20 empty 'New Conversation' entries
- Fix remaining conversations to use first message as title
…earch, OpenClaw proxy fix

- Extract chat components: CodeBlock (syntax highlighting), ChatMessage (actions), ChatInput (auto-resize), EmptyState (suggested prompts)
- CodeBlock: react-syntax-highlighter with oneDark theme, language detection, line numbers, copy button
- ChatMessage: regenerate, delete actions, better thinking blocks, date separators
- ChatInput: auto-resize textarea, word/char counter, keyboard shortcut hints
- EmptyState: provider-specific suggested prompts (4 per provider)
- ConversationsSidebar: search filter, narrower width (w-72), cleaner styling
- Chat.tsx: collapsible sidebar, better header layout, provider toggle pills
- Fix OpenClaw proxy: use Traefik hostname instead of raw IP+port (gateway binds 127.0.0.1)
…inject NVIDIA API key

- Create POST /api/ai/chat route that proxies to NVIDIA via Traefik
- Stream SSE responses back to client (OpenAI-compatible format)
- Fix model IDs to match NVIDIA API (lowercase: z-ai/glm5, moonshotai/kimi-k2-instruct)
- Add Qwen 3.5 397B and Kimi K2.5 to model list
- Inject NVIDIA_API_KEY from env for auth
- Fix /api/ai/usage response format (tier/current/limit fields)
…ting, billing page

- tiers.ts: free/pro/enterprise tier config, Supabase JWT validation, usage tracking, rate limiting middleware
- ai.ts: /models (tier-aware), /usage, /tier, /chat routes with auth pipeline
- Chat: locked model UI with lock icons, tier badge, usage counter, Crown badge for pro models
- BillingSettings: plan comparison, usage progress bar, model list, upgrade prompts
- web-ai-chat.ts: getTierInfo(), updated getModels() with tier awareness
- Supabase tables: ai_usage, subscriptions, api_keys + profiles tier columns
- Server deployed with Supabase service key + NVIDIA API key
…xy fix

- Landing Pricing: 3 tiers (Free/Pro Beta $19/Enterprise Coming Soon)
- BillingSettings: desktop beta access request form with email notification
- /api/beta-request: stores in Supabase + Resend email to admin
- beta_requests table created in Supabase
- Express trust proxy enabled (fixes rate limiter behind nginx)
- Enterprise marked 'Coming Soon' everywhere
…b, redirect to billing

- Terminal, CyberOps, NetworkScanner, RedTeam, SecurityMonitor, Fleet: beta-locked on web
- Dimmed icons + 'beta' badge in sidebar
- Click → redirects to Settings > Billing (beta access form)
- Tooltip shows '(Beta)' for collapsed sidebar
- No functionality blocked on Electron builds
…esend, waitlist position, landing CTAs updated
Agent-Logs-Url: https://github.com/hlsitechio/crowbyte/sessions/06c147a9-43d7-4ea3-afe7-a3f06993590d

Co-authored-by: hlsitechio <68784598+hlsitechio@users.noreply.github.com>

docs-page Bot commented Apr 3, 2026

To view this pull request's documentation preview, visit the following URL:

docs.page/hlsitechio/crowbyte~6

Documentation is deployed and generated using docs.page.

@hlsitechio (Owner)

remove image
