Scott Idem
|
a9bbb668b5
|
feat: session auth + per-user/persona UI at /{user}/{persona}

Replaces nginx basic auth with a proper per-user session system:

- auth_utils.py: bcrypt password hashing, JWT cookie creation/decode
- auth_middleware.py: validates JWT cookie on all routes except /login,
  /health, /static/, and webhook endpoints (/channels/, /webhook/)
- routers/ui.py: GET /login, POST /login, POST /logout,
  GET /{username}/{persona} — serves index.html with CORTEX_CONFIG injected
- static/login.html: minimal login form (dark theme, matches UI)
- main.py: registers SessionAuthMiddleware + ui.router
- config.py: jwt_secret, jwt_expire_days settings
- manage_passwords.py: CLI tool to set/check/list user passwords
- app.js: reads window.CORTEX_CONFIG (user + persona), sends both on
  every /chat and /orchestrate request; persona name shown in header;
  logout button (⏏) added to header
- requirements.txt: bcrypt, PyJWT, python-multipart
- .env.default: JWT_SECRET, JWT_EXPIRE_DAYS documented
- tests: client fixture injects JWT cookie; security test assertions
  updated for URL-normalized path traversal paths (still secure, codes differ)

All 80 tests pass.

Setup for a new user:
  python manage_passwords.py set scott
  python manage_passwords.py set holly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-20 22:54:12 -04:00 |
|
Scott Idem
|
92a8f5d894
|
test: add Cortex test suite (77 tests, no LLM calls)

Tests cover:

- Smoke: /health, /auth/status, /distill/status (test_health.py)
- Persona validation: path traversal, bad names, list_personas (test_persona.py)
- Chat API: persona routing, session persistence, error handling (test_api_chat.py)
- Files API: ALLOWED set enforcement, read/write, missing files (test_api_files.py)
- Webhooks: NC Talk HMAC accept/reject, Google Chat JWT (test_webhooks.py)
- Tools: scratch read/write/append/clear, tasks CRUD, cron parser + tools (test_tools.py)
- Security: path traversal, replay attack, known gaps documented (test_security.py)

All LLM calls mocked — suite runs in ~1.4s.

Run: cd cortex && .venv/bin/pytest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-20 22:03:42 -04:00 |
|