docs: update project docs, NC Talk guide, Tina persona, and gitignore

- CLAUDE.md: add new auth/onboarding files to directory map, update security section (JWT/bcrypt/invite details), expand recently completed - README.md: fix Web UI auth description, add User Management section - TODO__Agents.md: mark NC Talk docs and auth/onboarding complete, update Holly onboarding plan to reflect single-instance multi-user approach - docs/NEXTCLOUD_TALK_BOT.md: complete guide — occ commands, nginx config, clarify incoming vs outgoing HMAC difference, multi-user note, full troubleshooting table - home/holly/persona/tina/: flesh out all four persona files with real content (DCC name origin, metal music, reading, foster cats, Holly's profile) - .gitignore: exclude home/**/auth.json, invite.json, profile.json Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 00:13:35 -04:00
parent 8c61c28b7d
commit c2825194d4
11 changed files with 386 additions and 80 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -31,6 +31,10 @@ Cortex_and_Inara_dev/
    cron_runner.py       ← Cron job storage, schedule parsing, job execution
    scheduler.py         ← APScheduler setup (distill + user crons)
    event_bus.py         ← Internal SSE pub/sub (NC Talk → browser)
+    auth_utils.py        ← bcrypt passwords, JWT create/decode, invite token system
+    auth_middleware.py   ← SessionAuthMiddleware — JWT cookie validation on all routes
+    persona_template.py  ← Bootstrap a new persona directory from string templates
+    email_utils.py       ← SMTP_SSL email helpers (invite emails, future notifications)
    routers/
      chat.py            ← POST /chat (streaming SSE)
      orchestrator.py    ← POST /orchestrate, GET /orchestrate/{job_id}
@@ -39,6 +43,8 @@ Cortex_and_Inara_dev/
      files.py           ← GET /files (persona file browser)
      nextcloud_talk.py  ← POST /webhook/nextcloud (NC Talk bot)
      google_chat.py     ← POST /webhook/google (Google Chat Add-on)
+      ui.py              ← Login/logout, /{user}/{persona} UI route, /api/personas
+      onboarding.py      ← /setup/{token} password step + /setup/persona creation
    tools/
      __init__.py        ← Tool registry (Gemini FunctionDeclarations + dispatcher)
      web.py             ← DuckDuckGo web_search tool
@@ -48,6 +54,8 @@ Cortex_and_Inara_dev/
      system.py          ← Local machine tools (claude_allow_dir)
    tests/               ← pytest test suite (80 tests)
    static/              ← Single-page web UI (index.html, style.css, app.js)
+                           login.html — login form (dark theme, POST /login)
+                           setup.html — onboarding form (password + persona creation)
    data/sessions/       ← Persisted session JSON files

  home/                  ← User and persona data (Linux home layout)
@@ -146,7 +154,10 @@ http://localhost:8000/docs
 - **Never commit secrets** — `.env` is gitignored; use `.env.default` as the reference
 - `NEXTCLOUD_TALK_BOT_SECRET` and `GEMINI_API_KEY` live in `.env` only
 - `/channels/*` and `/health` are publicly exposed (webhook auth is handled at app layer — JWT/HMAC)
- All other Cortex routes are behind nginx basic auth and should stay that way
+- `/login`, `/logout`, `/setup/*`, `/static/*` are public — all other routes require a valid JWT session cookie
+- `SessionAuthMiddleware` (`auth_middleware.py`) validates the cookie on every request; browsers are redirected to `/login`, API calls get 401
+- Passwords are bcrypt-hashed and stored in `home/{username}/auth.json` — never in `.env` or the DB
+- Invite tokens are one-time-use, 72-hour expiry, stored in `home/{username}/invite.json`

 ---

@@ -217,10 +228,14 @@ See `documentation/TODO__Agents.md` for the full list. Current priorities:
 - **[High]** Ollama backend — local LLM via `scott_gaming` over WireGuard
 - **[Medium]** NC Talk — complete bot registration docs (`docs/NEXTCLOUD_TALK_BOT.md`)
 - **[Medium]** Knowledge consolidation — markdown → AE Journals
- **[Medium]** Persona onboarding flow — CLI or POST endpoint to bootstrap a new user/persona

 ### Recently Completed

+- ✅ Session auth — bcrypt passwords, JWT cookies, login/logout, `SessionAuthMiddleware` — 2026-03-20
+- ✅ Persona onboarding — invite tokens, self-service password setup, persona creation form — 2026-03-20
+- ✅ Multi-persona switcher — dropdown in UI header, `/api/personas` endpoint — 2026-03-20
+- ✅ SMTP invite email — `noreply@oneskyit.com`, HTML + plain text, `manage_passwords.py invite` — 2026-03-20
+- ✅ CSS routing fix — `/static/*` mount must precede wildcard `/{user}/{persona}` route — 2026-03-20
 - ✅ Multi-user/multi-persona support (`home/{username}/persona/{name}/` two-level layout) — 2026-03-20
 - ✅ Scratchpad, task management, and cron/scheduled job tools — 2026-03-20
 - ✅ Test suite (80 tests) covering API, persona routing, tools, security — 2026-03-20