security+feat: v1.3.0 — pentest remediation, container reliability, UI overhaul
Security (33 pentest findings addressed):
- CRITICAL: backend binds 127.0.0.1, path traversal in tor.rs/dwn fixed
- HIGH: federation requires signatures, XSS login redirect, RBAC viewer restricted
- HIGH: tar slip prevention, S3 SSRF validation, backup ID validation
- MEDIUM: remember-me random secret, TOTP session rotation, password re-auth
- LOW: CSP unsafe-inline removed, CORS dev-only, onion/webhook validation

Container reliability:
- Memory limits on all 37 containers (OOM prevention)
- Exited vs stopped state distinction with health-aware status badges
- Crash recovery coordination (no more restart cascade)
- User-stopped tracking survives reboots
- Tiered boot recovery (databases → core → services → apps)

UI:
- Wallet TransactionsModal, health-aware app status badges
- Restart button on containers, exited/crashed red state
- Mesh view overhaul, glass button updates, BaseModal/ToggleSwitch
- Apps sticky header removed, dev faucet, mutable mock wallet

Infrastructure:
- LND REST port 8080 exposed over Tor (LND Connect fix)
- Nginx cookie_session fix, deploy script Tor config updated
- Dev environment: podman auto-start, boot mode simulation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -5,6 +5,7 @@
- [deploy-automation.md](deploy-automation.md) — Deploy script automation TODOs (API key, AIUI nginx, swap)

## Servers & Deploy
- [project_environments.md](project_environments.md) — Four environments: dev mode, dev server/prod, demo
- [tailscale_servers.md](tailscale_servers.md) — Tailscale server details (archipelago-2, archipelago-3)
- [reference_tailscale_nodes.md](reference_tailscale_nodes.md) — All node IPs and SSH commands
- [second-server.md](second-server.md) — Second dev server (archipelago-2 via Tailscale)

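Review bot: the added `project_environments.md` index entry says "Four environments" but then names three (dev mode, dev server/prod, demo), and the linked file's own table has three rows because dev server and prod are the same machine. Pick one count and use it in both places, for example `Three environments: dev mode, dev server (= prod), demo`, so the index does not promise a fourth environment the file never describes.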
.claude/memory/project_environments.md
Normal file (21 lines)
@@ -0,0 +1,21 @@
---
name: Four Environments
description: Clear distinction between dev mode (local mock), dev server (228), demo (Portainer), and prod (same as dev server)
type: project
---

Four distinct environments — use correct terminology:

| Name | What | Where | Backend | Deploy |
|------|------|-------|---------|--------|
| **Dev mode** | Local macOS, mock backend | `localhost:8100` | `mock-backend.js` on `:5959` | `npm run dev:mock` |
| **Dev server / Prod** | Primary build/test/live server | `192.168.1.228` (+ fleet) | Real Rust backend + Podman | `deploy-to-target.sh --live` |
| **Demo** | Public demo instance | Remote server | Mock Node.js via Docker | Portainer Stacks / `docker-compose.demo.yml` |

- Dev server and prod are the SAME machine (192.168.1.228) — "prod" just means "the live deployment"
- Demo is completely separate — user deploys via Portainer UI, Claude has no SSH access
- Dev mode is local-only, no containers needed, fastest iteration

**Why:** User corrected ambiguous usage of "dev servers (prod)" — these are the same thing, not two separate environments.

**How to apply:** Always say "dev mode" for local mock, "dev server" or "prod" for 228, "demo" for the Portainer instance. Never conflate them.
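Review bot: the "Dev server and prod are the SAME machine (192.168.1.228)" bullet should state the consequence for whoever reads this file before running a deploy: `deploy-to-target.sh --live` against 228 is a production deploy, whatever is "tested on the dev server" is tested on the live instance, and any SSH key or credential that grants dev access to that host is a production credential. One line under the table saying exactly that would prevent the "it's only the dev server" mistake this file exists to head off. Separately, the line "Four distinct environments" sits above a three-row table; either split the "Dev server / Prod" row into two (if the intent is to name prod separately) or change the count to three so the table and the sentence agree.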
.claude/memory/project_repo_cleanup_and_dev_env.md
Normal file (78 lines)
@@ -0,0 +1,78 @@
---
name: Repo Cleanup & Dev Environment Overhaul (2026-03-18)
description: Major session — repo cleanup to archy-archive, demo seeding, dev-start.sh rewrite, ThunderHub/Fedimint/ecash, Podman install, wallet mock endpoints
type: project
---

## What Was Done

### 1. Repo Cleanup
- Moved ~200 files (docs, scripts, loops, legacy Docker UIs, duplicate videos) to `~/Projects/archy-archive/` (outside repo)
- Kept: all active docs (BETA-PROGRESS, MASTER_PLAN, architecture, ADRs, api-reference, developer-guide, troubleshooting, operations-runbook), all source code, active scripts
- Three "user's call" docs kept: `multi-node-architecture.md`, `marketplace-protocol.md`, `app-developer-guide.md`

### 2. docker-compose.yml Switched from Regtest to Signet
- All Bitcoin/LND/Fedimint containers now use **signet** (not regtest)
- Ports updated: RPC 38332, P2P 38333
- Removed archived `bitcoin-ui` and `lnd-ui` nginx services (referenced deleted `docker/` dir)
- Added ThunderHub service (port 3010) to main compose

### 3. New Testnet Compose (`docker-compose.testnet.yml`)
- Standalone signet stack: bitcoind + LND + ThunderHub + Fedimint
- Config at `testnet/thunderhub-config.yaml`
- README at `testnet/README.md` with faucet links and commands

### 4. Mock Backend Enhancements (`neode-ui/mock-backend.js`)
- **Container socket auto-detection**: tries `DOCKER_HOST` → Podman TMPDIR socket → Docker socket → null (simulation). No more `/var/run/docker.sock` spam
- **8 static dev apps** (was 6): added ThunderHub (port 3010) and Fedimint (port 8175)
- **25+ new RPC endpoints**: lnd.getinfo, lnd.newaddress, lnd.createinvoice, lnd.payinvoice, lnd.sendcoins, lnd.listchannels, lnd.openchannel, lnd.closechannel, wallet.ecash-balance, wallet.ecash-send, wallet.ecash-receive, wallet.ecash-history, wallet.networking-profits, bitcoin.getinfo, system.stats, update.status, network.list-requests, dev.faucet, etc.
- **Fedimint version** synced to 0.10.0, port fixed from 8174 → 8175
- **5 realistic notifications** (was empty array)
- **Mock ThunderHub UI** at `/app/thunderhub/` — full HTML dashboard

### 5. Dev Scripts Fixed
- `neode-ui/start-dev.sh`: removed broken `start-docker-apps.sh` call, fixed EAGAIN via safe `while read` loop
- `neode-ui/stop-dev.sh`: removed broken `stop-docker-apps.sh` call
- `neode-ui/package.json`: removed stale `prebuild`, added `--raw` to concurrently (fixes EAGAIN pgrep spawn)
- `scripts/dev-start.sh`: complete rewrite with 8 options including boot mode and testnet stack

### 6. ThunderHub Added Everywhere
- Icon: `neode-ui/public/assets/img/app-icons/thunderhub.svg`
- Mock backend: portMappings, marketplaceMetadata, staticDevApps, marketplace.get()
- Marketplace.vue: getCuratedAppList(), recommended tier
- appLauncher.ts: PORT_TO_APP_ID `'3010': 'thunderhub'`

### 7. Podman Installed on Mac
- `podman 5.8.1` + `podman-compose 1.5.0` via Homebrew
- Machine initialized and running

### 8. Home Wallet Card
- Fixed `lnd.getinfo` response to include `balance_sats` and `channel_balance_sats`
- Fixed `lnd.gettransactions` to use `amount_sats` and include `incoming_pending_count`
- Added **Faucet button** (green) — calls `dev.faucet` RPC
- Grid changed from 3-col to 4-col (Send, Receive, Faucet, Web5)

### 9. Developer Onboarding Docs
- `neode-ui/README.md`: full rewrite
- `neode-ui/DEV-SCRIPTS.md`: updated with actual 8 static apps

## Current State / Resume Here
- **`npm start` works** — no Docker needed, all wallet actions mocked, 8 apps visible
- **Send/Receive modals** open from Home wallet card — if still issues, check browser console
- **Faucet button** calls dev.faucet and refreshes balances
- **Not yet tested**: `podman-compose -f docker-compose.testnet.yml up` (signet sync ~10 min)
- **Not yet committed** — all changes are local, uncommitted
- **Demo prod server** not redeployed — push changes then redeploy via Portainer

## Key Files Modified This Session
- `neode-ui/mock-backend.js` (major — container socket, 25+ RPC endpoints, ThunderHub mock UI)
- `neode-ui/src/views/Home.vue` (faucet button, 4-col grid)
- `neode-ui/src/views/Marketplace.vue` (ThunderHub entry)
- `neode-ui/src/stores/appLauncher.ts` (ThunderHub port)
- `neode-ui/start-dev.sh`, `neode-ui/stop-dev.sh`, `neode-ui/package.json`
- `scripts/dev-start.sh` (complete rewrite)
- `docker-compose.yml` (regtest→signet, ThunderHub, removed archived UIs)
- `docker-compose.testnet.yml` (new)
- `testnet/thunderhub-config.yaml`, `testnet/README.md` (new)
- `neode-ui/public/assets/img/app-icons/thunderhub.svg` (new)
- `neode-ui/README.md`, `neode-ui/DEV-SCRIPTS.md` (rewrites)
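Review bot: section 4's container socket auto-detection (`DOCKER_HOST` → Podman TMPDIR socket → Docker socket → null) means the mock backend will quietly attach to a real Docker daemon socket whenever one exists on the developer's machine, and access to that socket is root-equivalent on the host. The note should say whether the mock only reads from the socket (list/inspect) or can also start and stop containers, and how to force the null/simulation mode so the mock never touches a real daemon by accident; the same applies to `dev.faucet`, which should be marked as a mock-backend-only RPC so nobody assumes the Rust backend serves it. The "Not yet committed — all changes are local, uncommitted" and "Not yet tested" bullets under "Current State / Resume Here" are stale the moment this file lands in a commit; either drop them or date them the way the heading is dated.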