chiguyong
2055b62afd
fix(security): apply code review fixes and rewrite README
...
Deploy EternalAI / deploy (push) Failing after 29s
Details
- fix(P1): prevent YAML injection in adaptToHermesConfig via yamlString() and sanitizeComment()
- fix(P2): add @@index([userId, createdAt]) to ApiKey model
- fix(P2): change Hermes error responses from text/plain to JSON
- fix(P2): set .env file permissions to 600 in setup-server.sh
- fix(P2): remove dead model fallback code
- fix(P2): unify API Key response naming (GET returns { apiKeys })
- fix(P3): add console.warn to fire-and-forget catch
- fix(P3): correct keyPrefix comment (8 -> 12 chars)
- fix(P3): move require() to file top in auth.js
- fix(P3): stop printing database password in setup-server.sh
- docs: rewrite README with architecture, operation flow, and Hermes interaction flow
2026-06-21 14:05:37 +08:00
chiguyong
6037bf2bd6
feat: add Hermes Agent cross-machine deployment via CLI pull
2026-06-21 14:05:37 +08:00
chiguyong
d6f222c2e0
fix(security): resolve 2 P0 issues - hardcoded JWT secret and stored XSS
...
P0-1: JWT secret hardcoded fallback (src/lib/auth.js)
- Remove insecure hardcoded default 'eternalai_jwt_secret_2026_change_in_prod'
- Fail-fast in production: throw error if JWT_SECRET env var is missing
- Dev/test: print security warning and use dev-only temporary secret
P0-2: Stored XSS via innerHTML (app.js)
- Add escapeHtml() utility function (escapes & < > " ')
- Escape all user-controlled data in innerHTML templates:
- Role library list (id, displayName, desc, avatar, price)
- Creator center role list (id, displayName, avatar, status)
- Role detail price
- Income records (role, time)
- Error messages in catch blocks
All 35 E2E tests pass.
2026-06-21 14:05:37 +08:00
chiguyong
0028091f34
ci: add CI/CD deployment scripts with PM2, Nginx, and auto-setup
...
- Add ecosystem.config.js for PM2 process management
- Add deploy/setup-server.sh for one-shot server initialization (auto-detects OS, installs Node.js 20/PostgreSQL 15/PM2/Nginx)
- Add deploy/deploy.sh for repeatable deployments (pull -> install -> migrate -> reload -> health check)
- Add deploy/nginx.conf reverse proxy template with security headers
- Rewrite .gitea/workflows/deploy.yml with full CI/CD pipeline (checkout -> build -> migrate -> deploy -> health check)
- Add .env.example template with DATABASE_URL/JWT_SECRET/PORT/ALLOWED_ORIGINS
- Add docs/deployment.md (full deployment guide) and docs/business-processes.md
- Update package.json scripts (db:generate, test:e2e, deploy)
- Add logs/ to .gitignore
2026-06-21 14:05:37 +08:00
chiguyong
0bcba03393
test: add 35 E2E tests (auth/roles/creator/navigation) and fix temperature validation bug
2026-06-21 14:05:37 +08:00
chiguyong
6234c27138
feat: add PostgreSQL + JWT backend, fix 4 critical issues (auth/role persistence/edit/library)
2026-06-21 14:05:37 +08:00
chiguyong
9f4ee690db
chore: clean up repo structure and fix config
...
- Remove node_modules/ from git tracking (was committed by mistake)
- Delete stub files: src/index.js, scripts/deploy.sh (empty)
- Fix CI/CD: trigger on master (not main), remove nonexistent build step
- Rewrite README to match actual HTML5 SPA project
- Fix package.json: remove embedded credentials from repo URL
- Update .gitignore: add .DS_Store, *.log, .env
2026-06-21 14:05:37 +08:00
chigulong
a272c62b97
Merge master branch with actual project content
Deploy EternalAI / deploy (push) Failing after 3h0m0s
Details
2026-06-20 20:07:26 +08:00
chigulong
18a46c9af5
Initial deployment setup with Express server and basic UI
2026-06-20 19:38:15 +08:00
chigulong
0ac78360a1
Update README in main branch
2026-06-20 18:28:13 +08:00
root
1710562c54
Initial commit
2026-06-20 16:21:57 +08:00