slackhive 0.1.37 → 0.1.39

package/.dockerignore

@@ -0,0 +1,14 @@
+.git
+node_modules
+**/node_modules
+.next
+**/.next
+**/dist
+coverage
+*.log
+.env
+.env.local
+.env.*.local
+.DS_Store
+docs
+cli

package/.env.example

@@ -0,0 +1,44 @@
+# ============================================================
+# SlackHive — Environment Configuration
+# ============================================================
+# 1. Copy this file:  cp .env.example .env
+# 2. Fill in ALL required values marked with <...>
+# 3. Never commit .env to version control.
+# ============================================================
+
+# ------------------------------------------------------------
+# Claude Code Authentication (choose ONE)
+# ------------------------------------------------------------
+
+# Option A — Anthropic API Key (pay-per-use)
+# ANTHROPIC_API_KEY=<sk-ant-api03-...>
+
+# Option B — Claude Subscription
+# Leave ANTHROPIC_API_KEY unset. Run `claude login` on your host first.
+# Set CLAUDE_BIN to the path of your claude binary:
+# CLAUDE_BIN=<path-to-claude-binary>  # e.g. /usr/local/bin/claude
+
+# ------------------------------------------------------------
+# PostgreSQL
+# ------------------------------------------------------------
+POSTGRES_DB=slackhive
+POSTGRES_USER=slackhive
+POSTGRES_PASSWORD=<strong-random-password>
+
+# ------------------------------------------------------------
+# Redis
+# ------------------------------------------------------------
+REDIS_PASSWORD=<strong-random-password>
+
+# ------------------------------------------------------------
+# Web UI Auth
+# ------------------------------------------------------------
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=<strong-random-password>
+AUTH_SECRET=<output-of-openssl-rand-hex-32>
+ENV_SECRET_KEY=<output-of-openssl-rand-hex-32>
+
+# ------------------------------------------------------------
+# Platform
+# ------------------------------------------------------------
+NODE_ENV=production

package/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,65 @@
+name: Bug Report
+description: Something isn't working as expected
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to report a bug! Please fill in as much detail as possible.
+        See [GitHub's guide on writing good issues](https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-an-issue).
+
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: A clear description of the bug.
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      placeholder: |
+        1. Go to '...'
+        2. Click on '...'
+        3. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen?
+    validations:
+      required: true
+
+  - type: input
+    id: version
+    attributes:
+      label: SlackHive version
+      placeholder: "e.g. 0.1.18"
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      placeholder: "e.g. Ubuntu 22.04, macOS 14"
+    validations:
+      required: true
+
+  - type: input
+    id: docker
+    attributes:
+      label: Docker version
+      placeholder: "e.g. 25.0.3"
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: Paste any relevant logs (runner logs, browser console, etc.)
+      render: shell

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Ask a question / Discussion
+    url: https://github.com/pelago-labs/slackhive/discussions
+    about: Use GitHub Discussions for questions, ideas, and show-and-tell

package/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,38 @@
+name: Feature Request
+description: Suggest an idea or improvement
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Have a great idea? We'd love to hear it!
+        Please search [existing issues](https://github.com/pelago-labs/slackhive/issues) first to avoid duplicates.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or motivation
+      description: What problem does this solve? What's missing?
+      placeholder: "I'm always frustrated when..."
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: Describe what you'd like to see.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any other approaches you've thought about?
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Screenshots, mockups, or links that help explain your idea.

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,27 @@
+## Description
+
+<!-- What does this PR do? Why is it needed? -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Breaking change
+- [ ] Documentation update
+- [ ] Refactor / chore
+
+## Checklist
+
+- [ ] Tested locally with Docker Compose
+- [ ] TypeScript compiles without errors (`tsc --noEmit`)
+- [ ] No new ESLint warnings
+- [ ] **Tests added or updated** — new logic has unit/integration tests in `__tests__/`
+- [ ] DB schema changes include a migration file in `packages/shared/src/db/`
+- [ ] API changes follow existing guard patterns (`guardAgentWrite` / `guardAdmin`)
+- [ ] Screenshots included for UI changes
+- [ ] CHANGELOG.md updated (for user-facing changes)
+- [ ] No breaking changes (or clearly documented in description)
+
+## Tests
+
+<!-- Describe what tests cover this change, or explain why tests are not applicable (e.g. pure UI tweak, docs-only change). -->

package/.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+
+updates:
+  # Root workspace + cli
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+      time: "09:00"
+      timezone: Asia/Singapore
+    open-pull-requests-limit: 5
+    groups:
+      dev-dependencies:
+        dependency-type: development
+      production-dependencies:
+        dependency-type: production
+    ignore:
+      # Major version bumps require manual review
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]

package/.github/workflows/audit.yml

@@ -0,0 +1,149 @@
+# Dependency vulnerability audit — runs on every PR and weekly on main.
+# If vulnerabilities are found on the weekly schedule, auto-creates a fix PR.
+
+name: Security Audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Every Monday at 08:00 UTC
+    - cron: '0 8 * * 1'
+  workflow_dispatch:
+
+jobs:
+  audit:
+    name: npm audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run audit
+        id: audit
+        run: |
+          set +e
+          npm audit --json > audit.json 2>&1
+          EXIT_CODE=$?
+          set -e
+
+          VULN_COUNT=$(node -e "
+            const r = require('./audit.json');
+            const m = r.metadata?.vulnerabilities ?? {};
+            console.log((m.critical||0) + (m.high||0) + (m.moderate||0) + (m.low||0));
+          " 2>/dev/null || echo "0")
+
+          echo "vuln_count=$VULN_COUNT" >> "$GITHUB_OUTPUT"
+          echo "audit_exit=$EXIT_CODE" >> "$GITHUB_OUTPUT"
+
+          if [ "$VULN_COUNT" -gt 0 ]; then
+            echo "### Security Audit" >> "$GITHUB_STEP_SUMMARY"
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+            echo "Found **$VULN_COUNT** vulnerabilit$([ $VULN_COUNT -eq 1 ] && echo 'y' || echo 'ies')." >> "$GITHUB_STEP_SUMMARY"
+            node -e "
+              const r = require('./audit.json');
+              const v = r.metadata?.vulnerabilities ?? {};
+              const lines = [];
+              if (v.critical) lines.push('- Critical: ' + v.critical);
+              if (v.high)     lines.push('- High: '     + v.high);
+              if (v.moderate) lines.push('- Moderate: ' + v.moderate);
+              if (v.low)      lines.push('- Low: '      + v.low);
+              console.log(lines.join('\n'));
+            " >> "$GITHUB_STEP_SUMMARY" 2>/dev/null || true
+          else
+            echo "### Security Audit" >> "$GITHUB_STEP_SUMMARY"
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+            echo "No vulnerabilities found." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+          # Fail on PR if critical or high vulnerabilities exist
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            CRITICAL=$(node -e "const r=require('./audit.json'); console.log(r.metadata?.vulnerabilities?.critical||0)" 2>/dev/null || echo "0")
+            HIGH=$(node -e "const r=require('./audit.json'); console.log(r.metadata?.vulnerabilities?.high||0)" 2>/dev/null || echo "0")
+            if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
+              echo "❌ Critical or high severity vulnerabilities found — blocking merge."
+              exit 1
+            fi
+          fi
+
+  auto-fix:
+    name: Auto-fix vulnerabilities
+    runs-on: ubuntu-latest
+    # Only run on the weekly schedule, not on PRs
+    if: github.event_name == 'schedule'
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Check for vulnerabilities
+        id: check
+        run: |
+          VULN_COUNT=$(npm audit --json 2>/dev/null | node -e "
+            let d=''; process.stdin.on('data',c=>d+=c).on('end',()=>{
+              try { const r=JSON.parse(d); const v=r.metadata?.vulnerabilities??{}; console.log((v.critical||0)+(v.high||0)+(v.moderate||0)+(v.low||0)); }
+              catch { console.log(0); }
+            });
+          " || echo "0")
+          echo "vuln_count=$VULN_COUNT" >> "$GITHUB_OUTPUT"
+
+      - name: Apply audit fix
+        if: steps.check.outputs.vuln_count != '0'
+        run: npm audit fix
+
+      - name: Check for changes
+        if: steps.check.outputs.vuln_count != '0'
+        id: diff
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create fix PR
+        if: steps.check.outputs.vuln_count != '0' && steps.diff.outputs.changed == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH="fix/npm-audit-$(date +%Y-%m-%d)"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
+          git add package-lock.json
+          git commit -m "fix: apply npm audit fix for dependency vulnerabilities"
+          git push origin "$BRANCH"
+
+          PR_BODY="## Automated vulnerability fix\n\nThis PR was created automatically by the weekly security audit workflow.\n\n### What changed\n\`npm audit fix\` was applied to resolve known vulnerabilities in \`package-lock.json\`.\n\n### Review checklist\n- [ ] Check the \`package-lock.json\` diff for unexpected version changes\n- [ ] Run \`npm audit\` locally to confirm 0 vulnerabilities after merge\n- [ ] Verify the build and tests still pass (CI will run automatically)\n\n> Generated by the **Security Audit** workflow."
+
+          gh pr create \
+            --base main \
+            --head "$BRANCH" \
+            --title "fix: npm audit — dependency vulnerability fixes ($(date +%Y-%m-%d))" \
+            --body "$PR_BODY"

package/.github/workflows/ci.yml

@@ -0,0 +1,135 @@
+# GitHub Actions CI — Build & type-check on every push/PR
+# Docs: https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-nodejs
+
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Build & Type Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build shared package
+        run: cd packages/shared && npm run build
+
+      - name: Type-check web
+        run: cd apps/web && npx tsc --noEmit
+
+      - name: Build web
+        run: cd apps/web && npm run build
+        env:
+          # Required by Next.js build — use dummy values for CI
+          POSTGRES_URL: postgresql://user:pass@localhost:5432/slackhive
+          REDIS_URL: redis://localhost:6379
+          SESSION_SECRET: ci-secret-not-used
+          ADMIN_USERNAME: admin
+          ADMIN_PASSWORD: admin
+
+      - name: Type-check runner
+        run: cd apps/runner && npx tsc --noEmit
+
+      - name: Type-check cli
+        run: cd cli && npx tsc --noEmit
+
+  test:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      - run: cd packages/shared && npm run build
+      - name: Run web unit tests
+        run: cd apps/web && npm test
+      - name: Run runner unit tests
+        run: cd apps/runner && npm test
+
+  check-tests:
+    name: Test Coverage Check
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check that source changes include tests
+        run: |
+          BASE=${{ github.event.pull_request.base.sha }}
+          HEAD=${{ github.event.pull_request.head.sha }}
+
+          # Files changed in this PR
+          CHANGED=$(git diff --name-only "$BASE" "$HEAD")
+
+          # Source files changed (lib/ and api routes, excluding test files)
+          SRC_CHANGED=$(echo "$CHANGED" | grep -E '^apps/web/src/(lib|app/api)/' | grep -v '__tests__' || true)
+
+          # Test files changed
+          TEST_CHANGED=$(echo "$CHANGED" | grep '__tests__' || true)
+
+          echo "=== Source files changed ==="
+          echo "${SRC_CHANGED:-none}"
+          echo ""
+          echo "=== Test files changed ==="
+          echo "${TEST_CHANGED:-none}"
+
+          if [ -n "$SRC_CHANGED" ] && [ -z "$TEST_CHANGED" ]; then
+            echo ""
+            echo "⚠️  WARNING: Source files were changed but no test files were added or updated."
+            echo "Please add tests for new logic in apps/web/src/lib/__tests__/"
+            echo ""
+            echo "If tests are genuinely not applicable (docs-only, pure UI tweak, config change),"
+            echo "add a note in the PR description under the 'Tests' section."
+            # Exit 1 to fail the check — reviewers can override by merging anyway
+            exit 1
+          fi
+
+          echo "✅ Test files present for source changes."
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    continue-on-error: true
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint web
+        run: cd apps/web && npm run lint || true
+
+      - name: Lint runner
+        run: cd apps/runner && npm run lint || true

package/CHANGELOG.md

@@ -0,0 +1,52 @@
+# Changelog
+
+All notable changes to SlackHive will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [Unreleased]
+
+---
+
+## [0.1.19] - 2026-03-31
+
+### Added
+
+- **MCP secret masking** — env vars and headers in MCP server configs are now masked (`"********"`) in all API responses; secrets are stored in the database but never exposed to the browser client.
+- **220+ unit tests** — comprehensive Vitest test suite covering `compile`, `diff`, `boss-registry`, `mcp-mask`, `auth`, `api-guard`, `slack-manifest`, `skill-templates`, and Slack message formatting across both `apps/web` and `apps/runner`.
+- **CI pipeline** — GitHub Actions workflow running build, type-check, unit tests, lint, and a PR test-coverage enforcement check on every push and pull request.
+- **OSS community files** — `CONTRIBUTING.md`, `CHANGELOG.md`, `CODE_OF_CONDUCT.md`, `SECURITY.md`, GitHub issue templates, and PR template added for open-source readiness.
+
+### Fixed
+
+- **Boss registry empty description** — `??` operator replaced with `||` so an empty-string description correctly falls back to `"No description provided."`.
+- **Slack `formatMessage` code block corruption** — using `__CODE_BLOCK_N__` as placeholder caused the italic regex (`/__([^_]+)__/g`) to match across adjacent placeholders, corrupting multi-block messages; fixed by using null-byte delimited placeholders (`\x00CBn\x00`).
+
+### Security
+
+- MCP server configs containing env vars and HTTP headers are sanitized before any API response. Only non-secret fields (name, command, args, type) are sent in plaintext; secrets require an explicit admin PATCH to update.
+
+---
+
+## [0.1.18] - 2026-03-31
+
+### Added
+
+- **Per-agent write access control** — each agent can now be independently granted or restricted from write access, giving team admins fine-grained control over what individual agents can modify in a workspace.
+- **CLAUDE.md editor** — a dedicated in-dashboard editor for the agent's `CLAUDE.md` context file, separate from the skills editor, allowing independent management of agent identity and instructions.
+- **Slash command skills** — agents now support slash command-style skill definitions, enabling structured, triggerable capabilities alongside free-form instructions.
+- **Version control and snapshots with diff view** — agent configurations (instructions, skills, CLAUDE.md) are now versioned. Users can create named snapshots, browse history, and view a syntax-highlighted diff between any two versions.
+- **User role management** — workspace admins can assign and modify roles (admin, member, viewer) for all users directly from the dashboard, without requiring database access.
+- **Collapsible sidebar** — the main navigation sidebar can now be collapsed to icon-only mode, freeing horizontal space on smaller screens and dense workflows.
+- **Scheduled jobs** — agents support cron-style scheduled tasks, allowing recurring automation (e.g., daily summaries, periodic checks) to be configured per agent from the UI.
+- **Memory viewer** — a dedicated UI panel to inspect an agent's active memory entries, making it easier to understand and debug long-running agent context.
+- **Responsive design** — the web dashboard is now fully responsive and usable on tablet and mobile viewports, with adapted layouts for the sidebar, agent cards, and configuration panels.
+
+---
+
+[Unreleased]: https://github.com/pelago-labs/slackhive/compare/v0.1.19...HEAD
+[0.1.19]: https://github.com/pelago-labs/slackhive/compare/v0.1.18...v0.1.19
+[0.1.18]: https://github.com/pelago-labs/slackhive/releases/tag/v0.1.18

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,37 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as contributors and maintainers pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity, level of experience, nationality, personal appearance, race, religion, or sexual identity.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+- Harassment, insults, or derogatory comments
+- Public or private harassment
+- Publishing others' private information without permission
+- Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers at **conduct@slackhive.dev**. All complaints will be reviewed and investigated promptly and fairly.
+
+This Code of Conduct is adapted from the [Contributor Covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).
+
+## Enforcement Guidelines
+
+Maintainers will follow these guidelines when determining consequences:
+
+1. **Correction** — Private warning for first-time, unintentional violations
+2. **Warning** — Formal warning with no interaction for a specified period
+3. **Temporary Ban** — Temporary ban from all community interaction
+4. **Permanent Ban** — Permanent removal for severe or repeated violations