chiguyong
7beac62b08
fix(security): apply code review fixes and rewrite README
Deploy EternalAI / deploy (push) Failing after 30s
- fix(P1): prevent YAML injection in adaptToHermesConfig via yamlString() and sanitizeComment()
- fix(P2): add @@index([userId, createdAt]) to ApiKey model
- fix(P2): change Hermes error responses from text/plain to JSON
- fix(P2): set .env file permissions to 600 in setup-server.sh
- fix(P2): remove dead model fallback code
- fix(P2): unify API Key response naming (GET returns { apiKeys })
- fix(P3): add console.warn to fire-and-forget catch
- fix(P3): correct keyPrefix comment (8 -> 12 chars)
- fix(P3): move require() to file top in auth.js
- fix(P3): stop printing database password in setup-server.sh
- docs: rewrite README with architecture, operation flow, and Hermes interaction flow
2026-06-21 14:05:11 +08:00
chiguyong
6d3d735c9c
feat: add Hermes Agent cross-machine deployment via CLI pull
Deploy EternalAI / deploy (push) Failing after 22s
2026-06-21 13:31:19 +08:00
chiguyong
e7423f602f
fix(security): resolve 2 P0 issues - hardcoded JWT secret and stored XSS
Deploy EternalAI / deploy (push) Failing after 55m27s
P0-1: JWT secret hardcoded fallback (src/lib/auth.js)
- Remove insecure hardcoded default 'eternalai_jwt_secret_2026_change_in_prod'
- Fail-fast in production: throw error if JWT_SECRET env var is missing
- Dev/test: print security warning and use dev-only temporary secret
P0-2: Stored XSS via innerHTML (app.js)
- Add escapeHtml() utility function (escapes & < > " ')
- Escape all user-controlled data in innerHTML templates:
  - Role library list (id, displayName, desc, avatar, price)
  - Creator center role list (id, displayName, avatar, status)
  - Role detail price
  - Income records (role, time)
  - Error messages in catch blocks
All 35 E2E tests pass.
2026-06-21 00:08:30 +08:00
chiguyong
bf114820f3
feat: add PostgreSQL + JWT backend, fix 4 critical issues (auth/role persistence/edit/library)
Deploy EternalAI / deploy (push) Has been cancelled
2026-06-20 20:39:09 +08:00
chiguyong
5a7155ecbc
fix(a11y): improve accessibility across all views
- FAQ: add aria-expanded/aria-controls/role=region via initFaqA11y()
- TabBar/Auth/Center/Preview tabs: add role=tablist/tab/aria-selected
- View switching: focus management + aria-live announcement region
- Role cards: role=button, tabindex=0, Enter/Space keyboard support
- Login form: autocomplete=username/current-password (was off)
- Register form: autocomplete=username/new-password
- Add skip-link for keyboard users
- Add :focus-visible outlines on all interactive elements
- Improve placeholder contrast (0.45 → 0.7 opacity)
- Add prefers-reduced-motion media query
- Add aria-live=polite on dynamic role-list/income-list containers
- Add aria-label on all view sections
2026-06-20 18:40:51 +08:00
chiguyong
7725cf1f65
feat: implement full navigation and PRD P2-P7 pages
- U1: "Mine" XXX branches by login state (logged out → auth, logged in → role-library/creator-center)
- U2: add role library page (P2) with role card list and empty state
- U3: add role detail page (P3) with payment-state toggle
- U4: add About Eternal AI page (P5) with collapsible FAQ
- U5: rework creator onboarding page (P6) into a WeChat contact guide
- U6: reposition the persona distillation form as Creator Center - Role Edit
- U7: add creator management center (P7) with three tabs: Roles / Income / Mine
- U8: add bottom tabBar navigation (Home / Distill Ex / Mine)
- U9: unify showView routing, history back navigation, and localStorage state persistence
2026-06-20 18:19:34 +08:00
Eternal AI Builder
6ce6b8a464
Add distinct auth and distill-ex views per PRD
2026-06-20 17:01:20 +08:00
Eternal AI Builder
7db0dab973
Initial commit: Eternal AI landing page and character creator
2026-06-20 16:30:12 +08:00