Legt de volledige stack-redeploy vast als één flow: scrum4me-web
(pull/migrate/build/restart) gevolgd door de MCP-worker.
Onderweg een echte bug gevonden en gefixt: update_mcp_worker.yml deed
`docker_compose_build worker-idea` zónder cache-bust. De worker-idea
Dockerfile clonet scrum4me-mcp van GitHub in een aparte laag; zolang
MCP_GIT_REF gelijk blijft ('main') hergebruikt Docker die laag, dus
nieuwe MCP-commits werden NIET opgepikt. Een schijnbaar geslaagde
rebuild draaide stilletjes op oude MCP-code.
Wijzigingen:
- commands.yml.example: nieuw command docker_compose_build_worker_fresh
dat via `sh -c` MCP_CACHE_BUST=$(date +%s) meegeeft — invalideert de
clone-laag zodat de laatste MCP-code wordt gepulld
- update_mcp_worker.yml: gebruikt nu de fresh-build; pullt ook
scrum4me-mcp lokaal (on_failure: continue, sync-only)
- redeploy_all.yml: nieuwe gecombineerde flow (16 stappen, web → worker)
- app/flows/redeploy-all/: UI-pagina + panel, zelfde patroon als de
bestaande flow-pagina's
- app/flows/page.tsx: Redeploy All bovenaan de flows-lijst
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces the plain textarea on /caddy/edit with a CodeMirror 6 component
that provides live Caddyfile syntax highlighting (keywords, named matchers,
comments). The editor is dynamically imported (ssr: false) to prevent
hydration errors. The write/validate/save/reload state machine and content
flow remain unchanged.
Bundle impact: ~300 kB additional for the /caddy/edit route (CodeMirror 6
core + @uiw/react-codemirror).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Defines a minimal StreamLanguage tokenizer for CodeMirror 6 that
recognises Caddy directives, named-matchers (@-prefix), comments,
strings and braces via cm6 highlight-tags.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds codemirror@6.0.2, @codemirror/view@6.42.1, @codemirror/state@6.6.0,
@codemirror/language@6.12.3, @codemirror/legacy-modes@6.5.2 and
@uiw/react-codemirror@4.25.9. No peer-dep conflicts; @uiw/react-codemirror
v4.x is compatible with React 19.2.4 in this project.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace inline createHighlighter() call with a module-level singleton
so the Caddyfile grammar is parsed only once across requests. Add
type Highlighter import for proper TypeScript typing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds lib/grammars/caddyfile.json with scopes for directives, named-matchers
(@prefix), placeholders, strings, and comments. Updates /caddy page to use
createHighlighter with the local grammar instead of the nginx fallback.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Drie nieuwe markdown-bestanden onder /docs:
- handleiding.md — voor de dagelijkse gebruiker: eerste login, modules,
veelvoorkomende taken (Caddy editen, sprint mergen via flow), wat
expliciet niet vanuit de UI kan, log-locaties bij incidenten,
veiligheidsadvies.
- specs/functional.md — wat de app doet: scope per module met
acceptatiecriteria, flow state-machine (pending/running/success/
failed/cancelled/timeout), hard limits (1 actieve flow, 64KB log
knippen, 24u session), expliciete buiten-scope-lijst.
- specs/technical.md — hoe het werkt: 3-process architectuur
(dashboard container + agent op host + Postgres), stack-tabel met
versies en redenen, data-model (User/Session/FlowRun/FlowStep),
auth-flow met CSRF, agent-protocol over SSE, security-eigenschappen
per laag.
Lengtes pragmatisch gekozen — geen completeness-fetisj, wel genoeg
om iemand die nieuw is in de codebase binnen 30 min te oriënteren.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Shiki 1.29 bundelt geen 'caddyfile' grammar — runtime error "Language
'caddyfile' is not included in this bundle". Nginx-grammar is syntactisch
het dichtst bij (directives + nested braces + reverse_proxy lijkt op
location-blocks), dus levert acceptabele kleuring zonder dependency
toe te voegen. Echte Caddyfile-grammar zou via een externe TextMate
JSON moeten worden geladen — later.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fastify-handler returnde direct na het attachen van event handlers.
Fastify finaliseerde dan de reply waardoor `req.raw.on('close')` direct
firede en `child.kill()` aanriep voordat het kind iets kon produceren.
Symptoom: SSE bevatte alleen `event:exit code:null` zonder stdout/stderr,
audit-log toonde `exit_code:null duration_ms:0`, dashboard-modules
toonden "No containers running" / "No data" terwijl handmatige command
prima werkte.
Wrap de event-handlers in een Promise zodat de async route-handler wacht
op child close/error voordat ie returnt. Verplaats client-disconnect
detectie van `req.raw.on('close')` naar `reply.raw.on('close')` — die
fired bij echte connectie-sluiting, niet bij request body parse.
Bevestigd: `docker_ps` retourneert nu volledige container-lijst, dashboard
/docker pagina rendert alle 6 containers.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Vervang `reverse_proxy 172.18.0.1:3001` door `reverse_proxy ops-dashboard:3000`
zodat de reverse-proxy stabiel werkt via Docker service-name resolution.
Voeg comments toe als pre-conditie: Caddy moet op hetzelfde Docker-netwerk zitten.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- SystemdWidget: groen als N=M healthy, oranje als 0<N<M, rood als N=0
- GitWidget: groen als 0 dirty repos, oranje als >0; toon K/M formaat
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- relativeTime(date: Date) helper toegevoegd aan lib/utils.ts
- AuditWidget gebruikt nu gedeelde relativeTime in plaats van inline functie
- CaddyWidget toont rode badge als soonest cert-expiry <30 dagen
- app/page.tsx berekent expiringWarning voor CaddyInitial
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Parallel server-side fetches via Promise.allSettled voor Docker, Caddy,
systemd, Git en Audit. Iedere widget toont geaggregeerde status en
refresht elke 30s client-side onafhankelijk van de andere widgets.
- lib/agent-fetch.ts: gedeelde client-side streaming helper
- app/api/audit/latest/route.ts: GET endpoint voor AuditWidget refresh
- app/_components/DockerWidget.tsx: running/total containers
- app/_components/CaddyWidget.tsx: soonest cert expiry in dagen
- app/_components/SystemdWidget.tsx: healthy/total units (of niet geconfigureerd)
- app/_components/GitWidget.tsx: dirty repo count (of niet geconfigureerd)
- app/_components/AuditWidget.tsx: laatste FlowRun status + relatief tijdstip
- app/page.tsx: vervangt SECTIONS-grid, doet parallel fetches, rendert widgets
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Importeer AppNav in root-layout, render boven <main className="flex-1">.
Metadata bijgewerkt naar title "Ops Dashboard" en ops-beschrijving.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implementeert de globale top-navbar met 8 NAV_ITEMS (Dashboard + 7 modules),
actieve-link-detectie via usePathname, en Tailwind sticky/backdrop-blur styling.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Beide routes hadden alleen sub-pages; /flows en /settings zelf gaven
404. Minimale index met kaartjes naar de bestaande sub-routes,
consistent met het home-dashboard. Onderdeel van IDEA-060 voor een
rijkere indexering later.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`npm ci --omit=dev` voor `npx tsc` faalde omdat TypeScript in
devDependencies zit. npx probeerde de typo-squatter `tsc@2.0.4` te
installeren. Nu: volledige install → tsc → prune --omit=dev voor
slanke runtime.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SP-1 maakte 7 module-routes (docker/git/systemd/caddy/flows/
audit/settings) maar liet app/page.tsx de create-next-app starter
houden. Tijdelijke kaartjes-grid die auth-check doet en doorlinkt
naar elke module. IDEA-060 is gelogd voor een rijke dashboard met
live status per module.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Prisma v7 vereist DATABASE_URL bij prisma generate (config-load via
prisma.config.ts) zelfs als generate niet daadwerkelijk verbindt.
Container-builds zonder env-file faalden hierop. Echte URL wordt nog
steeds runtime gezet via env_file in docker-compose.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Next.js 16 staat alleen proxy.ts toe als de twee co-existeren; build
faalt met "Both middleware file and proxy file are detected". De CSP-
en CSRF-logica uit middleware.ts is samengevoegd in proxy.ts en de
auth-redirect blijft. CSRF-validatie geldt nu alleen voor POST /api/*,
auth-redirect alleen buiten /api — matcher uitgebreid om beide te
dekken.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Server component fetches backup list via list_ops_backups agent command
and parses filename/size output. Client BackupsPanel component shows a
backup table and a Backup now button that triggers the backup_ops_db
flow with streaming terminal output and audit log link.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds pg_dump_ops_db, list_ops_backups, and cleanup_ops_backups to the
agent command whitelist. Includes a backup_ops_db flow YAML (dump +
30-day retention), and a systemd service/timer for daily automated
backups at 02:00.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rate-limit /api/flows/start to 10 req/min per user (in-memory, matches login pattern)
- Add middleware.ts: validates x-csrf-token header against csrf_token cookie on all
API POST requests; issues the cookie on GET if missing; sets CSP, X-Frame-Options,
X-Content-Type-Options, and Referrer-Policy on all responses
- Add lib/csrf.ts: client-side apiFetch() wrapper that injects the CSRF header
- Update all client components (login, useFlowRun, docker, caddy, git, systemd)
to use apiFetch() for POST requests
- Cookie config in login route already correct (NODE_ENV check, httpOnly, sameSite=strict)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Update ops-agent/flows.example/update_scrum4me_web.yml with full
deployment steps: git_status, git_fetch, git_log_ahead, git_pull,
npm_ci, prisma_migrate_deploy, npm_run_build, systemctl_restart,
and smoke test against thuis.jp-visser.nl/api/products
- Add npm_ci, prisma_migrate_deploy, npm_run_build, and
curl_smoke_scrum4me_thuis to commands.yml.example
- Add /flows/update-scrum4me-web UI page with Run and Dry Run buttons,
streaming terminal output, and link to audit log on completion
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ops-agent/src/lib/flow-runner.ts: loads YAML flows, validates all steps
against the command whitelist, executes sequentially; supports dry_run
(emits WOULD RUN lines) and on_failure: abort|continue per step
- ops-agent/src/routes/flow.ts: POST /agent/v1/flow { flow_key, dry_run }
streams step_start/stdout/stderr/step_done/done SSE events
- ops-agent/src/index.ts: register flow route, add FLOWS_PATH env var
- ops-agent/flows.example/: three flow definitions — update_scrum4me_web,
update_mcp_worker, update_caddy_config; deploy to /etc/ops-agent/flows/
- ops-agent/commands.yml.example: add curl_smoke_scrum4me_web and
docker_compose_ps_worker smoke-test commands
- app/api/flows/run/route.ts: Next.js proxy — creates FlowRun/FlowStep
DB records per step, forwards SSE stream to browser
- hooks/useFlowRun.ts: add startFlow(flowKey, dryRun) method; handle
step_start events to display step headers in the terminal
- components/StreamingTerminal.tsx: add 'info' line type (sky-400) for
step headers
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Docker table: Restart and Stop buttons per container row (docker_compose_restart / docker_compose_stop)
- Git repos list: Fetch and Pull buttons per repo; Pull disabled when working tree is dirty
- systemd units list: Restart button per unit (systemctl_restart)
- Caddy: Edit link on /caddy page, new /caddy/edit page with textarea + 3-step Validate → Save+Reload flow
- All buttons open ConfirmDialog with exact agent-call preview, then stream output via StreamingTerminal
- Add docker_compose_stop to ops-agent/commands.yml.example
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Truncate accumulated stdout/stderr to last 64KB before persisting FlowStep
to prevent unbounded DB growth on verbose commands
- Add @@index([user_id, started_at(sort: Desc)]) to FlowRun schema so audit
list queries (WHERE user_id = ? ORDER BY started_at DESC) use the index
- Add migration 20260513200000_flowrun_user_idx
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/etc/sudoers.d/ops-agent grants NOPASSWD to ops-agent for the exact
systemctl restart invocations whitelisted in commands.yml.
setup.sh installs and validates it via visudo -c.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds docker_compose_restart/build/up, git_pull (guarded by
git_status_clean precondition), systemctl_restart (via sudo),
caddy_validate, caddy_reload, and caddy_write_config (atomic
stdin→Caddyfile.new→Caddyfile write).
- CommandDef gains preconditions[] and stdin_from_body fields
- exec route checks git_status_clean before git_pull; returns 409 on
dirty tree with a clear message
- stdin field in ExecBody is piped to child stdin for caddy_write_config
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add journalctl_recent command and scrum4me-web to whitelist in commands.yml.example
- Add SYSTEMD_UNITS env var to .env.example
- lib/parse-systemd.ts: parse activeState, subState, uptime, description
- /app/systemd: server page reading SYSTEMD_UNITS, client list with 10s polling and status badges
- /app/systemd/[unit]: server detail page, client component showing systemctl status + last 100 journal lines (polling 10s)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add validateCwd() to whitelist.ts for dynamic-cwd validation, update
exec.ts to resolve first arg as cwd when cwd_pattern is set, and extend
commands.yml.example with git_status, git_log_ahead, git_diff, git_fetch.
Add REPO_PATHS to .env.example.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
