Conversation
Introduce a plugin installation and management system. Backend: add InstalledPlugin model, plugin_service with download/install/enable/disable/uninstall, dynamic blueprint registration and frontend manifest generation, and plugins API endpoints (list/get/install/enable/disable/uninstall). Register plugins blueprint and attempt to hot-load installed plugin blueprints at app startup. Frontend: add PluginLoader component (Vite import.meta.glob) to render plugin widgets, extend Marketplace UI to install/manage plugins, add API client methods for plugins, and update styles for the marketplace plugin UI. This enables installing plugins from GitHub/repos/zips and managing them from the app.
There was a problem hiding this comment.
Pull request overview
Adds an install/manage plugin system spanning backend (install, persist, dynamically register blueprints) and frontend (plugin UI + loader + API client), integrating plugin management into the existing Marketplace flow.
Changes:
- Backend: introduce
InstalledPluginmodel, plugin download/install/enable/disable/uninstall service, and/api/v1/pluginsendpoints; attempt to load active plugin blueprints at startup. - Frontend: add plugins API client methods, Marketplace “Plugins” tab with install/manage UI, and a
PluginLoaderto render plugin UI components. - Styling/version: extend Marketplace styles for the plugins UI and bump VERSION to 1.4.14.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| frontend/src/styles/pages/_marketplace.scss | Adds styles for the new Marketplace “Plugins” install/manage section. |
| frontend/src/services/api/plugins.js | Introduces frontend API methods for plugin management endpoints. |
| frontend/src/services/api/index.js | Registers the new plugin API methods into the ApiService. |
| frontend/src/plugins/PluginLoader.jsx | Adds Vite glob-based discovery and rendering of plugin UI components. |
| frontend/src/pages/Marketplace.jsx | Adds “Plugins” tab UI and actions to install/enable/disable/uninstall plugins. |
| frontend/src/layouts/DashboardLayout.jsx | Renders PluginLoader in the main dashboard layout. |
| backend/app/services/plugin_service.py | Implements plugin download, zip extraction, (optional) pip deps install, and blueprint registration + frontend manifest generation. |
| backend/app/models/plugin.py | Adds InstalledPlugin model and serialization. |
| backend/app/api/plugins.py | Adds plugin management API endpoints. |
| backend/app/init.py | Registers the plugins blueprint and loads plugin blueprints at startup. |
| VERSION | Bumps app version. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
8
to
+12
| const toast = useToast(); | ||
| const { user } = useAuth(); | ||
| const [extensions, setExtensions] = useState([]); | ||
| const [myExtensions, setMyExtensions] = useState([]); | ||
| const [plugins, setPlugins] = useState([]); |
There was a problem hiding this comment.
user is destructured from useAuth() but never used, which can trigger lint/build failures. Either remove it or use it to gate plugin install/enable/disable UI to admins (since the backend endpoints return 403 for non-admins).
Comment on lines
+228
to
+242
| if rel_path.startswith('backend/'): | ||
| has_backend = True | ||
| out_path = os.path.join(backend_dest, rel_path[len('backend/'):]) | ||
| os.makedirs(os.path.dirname(out_path), exist_ok=True) | ||
| with zf.open(member) as src, open(out_path, 'wb') as dst: | ||
| dst.write(src.read()) | ||
|
|
||
| elif rel_path.startswith('frontend/'): | ||
| has_frontend = True | ||
| out_path = os.path.join(frontend_dest, rel_path[len('frontend/'):]) | ||
| os.makedirs(os.path.dirname(out_path), exist_ok=True) | ||
| with zf.open(member) as src, open(out_path, 'wb') as dst: | ||
| dst.write(src.read()) | ||
|
|
||
| elif rel_path == 'requirements.txt': |
There was a problem hiding this comment.
Zip extraction is vulnerable to path traversal (Zip Slip): rel_path comes from the archive and can contain ../ or absolute paths, allowing writes outside backend_dest/frontend_dest. Validate/sanitize each member path (e.g., reject absolute paths and .. segments, and ensure the resolved output path stays within the destination root) before writing.
Suggested change
| if rel_path.startswith('backend/'): | |
| has_backend = True | |
| out_path = os.path.join(backend_dest, rel_path[len('backend/'):]) | |
| os.makedirs(os.path.dirname(out_path), exist_ok=True) | |
| with zf.open(member) as src, open(out_path, 'wb') as dst: | |
| dst.write(src.read()) | |
| elif rel_path.startswith('frontend/'): | |
| has_frontend = True | |
| out_path = os.path.join(frontend_dest, rel_path[len('frontend/'):]) | |
| os.makedirs(os.path.dirname(out_path), exist_ok=True) | |
| with zf.open(member) as src, open(out_path, 'wb') as dst: | |
| dst.write(src.read()) | |
| elif rel_path == 'requirements.txt': | |
| # Basic Zip Slip protection: reject absolute paths and traversal segments | |
| normalized_rel = rel_path.replace('\\', '/') | |
| if os.path.isabs(normalized_rel) or '..' in normalized_rel.split('/'): | |
| logger.warning(f'Skipping suspicious zip member path in plugin {slug}: {rel_path}') | |
| continue | |
| if normalized_rel.startswith('backend/'): | |
| has_backend = True | |
| rel_backend = normalized_rel[len('backend/'):] | |
| out_path = os.path.normpath(os.path.join(backend_dest, rel_backend)) | |
| # Ensure the final path is still within backend_dest | |
| backend_root = os.path.join(backend_dest, '') | |
| if not out_path.startswith(backend_root): | |
| logger.warning(f'Skipping backend file escaping plugin directory in {slug}: {rel_path}') | |
| continue | |
| os.makedirs(os.path.dirname(out_path), exist_ok=True) | |
| with zf.open(member) as src, open(out_path, 'wb') as dst: | |
| dst.write(src.read()) | |
| elif normalized_rel.startswith('frontend/'): | |
| has_frontend = True | |
| rel_frontend = normalized_rel[len('frontend/'):] | |
| out_path = os.path.normpath(os.path.join(frontend_dest, rel_frontend)) | |
| # Ensure the final path is still within frontend_dest | |
| frontend_root = os.path.join(frontend_dest, '') | |
| if not out_path.startswith(frontend_root): | |
| logger.warning(f'Skipping frontend file escaping plugin directory in {slug}: {rel_path}') | |
| continue | |
| os.makedirs(os.path.dirname(out_path), exist_ok=True) | |
| with zf.open(member) as src, open(out_path, 'wb') as dst: | |
| dst.write(src.read()) | |
| elif normalized_rel == 'requirements.txt': |
Comment on lines
+243
to
+246
| # Install Python dependencies | ||
| req_content = zf.read(member).decode('utf-8') | ||
| _install_requirements(req_content, slug) | ||
|
|
There was a problem hiding this comment.
Installing requirements.txt from an untrusted plugin archive runs arbitrary code with the ServerKit backend’s privileges (pip can execute setup hooks / build steps). Consider disabling this by default and/or installing into an isolated per-plugin virtualenv/container with allowlisted packages, plus clear admin warnings and logging.
Suggested change
| # Install Python dependencies | |
| req_content = zf.read(member).decode('utf-8') | |
| _install_requirements(req_content, slug) | |
| # Handle Python dependencies from plugin requirements.txt | |
| req_content = zf.read(member).decode('utf-8') | |
| # By default, do NOT install requirements from untrusted plugins, | |
| # as this may execute arbitrary code with backend privileges. | |
| allow_untrusted = os.getenv( | |
| "SERVERKIT_ENABLE_UNTRUSTED_PLUGIN_REQUIREMENTS", "" | |
| ).lower() in ("1", "true", "yes") | |
| if not allow_untrusted: | |
| logger.warning( | |
| "Skipping installation of requirements.txt for plugin '%s' " | |
| "because SERVERKIT_ENABLE_UNTRUSTED_PLUGIN_REQUIREMENTS is not enabled. " | |
| "The requirements file will be extracted for manual review/installation.", | |
| slug, | |
| ) | |
| # Optionally persist requirements.txt into the backend directory | |
| # so administrators can inspect and install dependencies manually. | |
| os.makedirs(backend_dest, exist_ok=True) | |
| req_out_path = os.path.join(backend_dest, "requirements.txt") | |
| with open(req_out_path, "w", encoding="utf-8") as req_file: | |
| req_file.write(req_content) | |
| else: | |
| logger.warning( | |
| "Installing requirements.txt for plugin '%s' as " | |
| "SERVERKIT_ENABLE_UNTRUSTED_PLUGIN_REQUIREMENTS is enabled. " | |
| "This may execute arbitrary code during package installation.", | |
| slug, | |
| ) | |
| _install_requirements(req_content, slug) |
Comment on lines
+444
to
+464
| def enable_plugin(plugin_id): | ||
| """Enable a disabled plugin.""" | ||
| plugin = InstalledPlugin.query.get(plugin_id) | ||
| if not plugin: | ||
| return None | ||
| plugin.status = InstalledPlugin.STATUS_ACTIVE | ||
| plugin.error_message = None | ||
| db.session.commit() | ||
| _regenerate_frontend_manifest() | ||
| return plugin | ||
|
|
||
|
|
||
| def disable_plugin(plugin_id): | ||
| """Disable a plugin without removing files.""" | ||
| plugin = InstalledPlugin.query.get(plugin_id) | ||
| if not plugin: | ||
| return None | ||
| plugin.status = InstalledPlugin.STATUS_DISABLED | ||
| db.session.commit() | ||
| _regenerate_frontend_manifest() | ||
| return plugin |
There was a problem hiding this comment.
disable_plugin()/enable_plugin() only flip DB status + regenerate the frontend manifest; they do not actually disable/enable already-registered Flask blueprints. Once a plugin blueprint is registered, its backend routes will remain reachable until process restart, which makes the “disabled” state misleading (and potentially unsafe). Consider enforcing status at request time (middleware) or requiring/recommending a restart for backend changes.
Comment on lines
+7
to
+15
| class InstalledPlugin(db.Model): | ||
| """Tracks plugins installed from external sources (zips/URLs).""" | ||
| __tablename__ = 'installed_plugins' | ||
|
|
||
| id = db.Column(db.Integer, primary_key=True) | ||
| name = db.Column(db.String(128), nullable=False, unique=True) | ||
| display_name = db.Column(db.String(256), nullable=False) | ||
| slug = db.Column(db.String(128), nullable=False, unique=True) | ||
| version = db.Column(db.String(32), nullable=False) |
There was a problem hiding this comment.
A new SQLAlchemy model/table is introduced, but there is no Alembic migration for installed_plugins, and the model isn’t imported in app/models/__init__.py (used for model discovery). Add a migration revision and include InstalledPlugin in the models package exports so migrations and metadata include it.
| plugin.status = InstalledPlugin.STATUS_INSTALLING | ||
| plugin.error_message = None | ||
| plugin.version = manifest['version'] | ||
| plugin.source_url = url |
There was a problem hiding this comment.
When reinstalling an existing plugin record, only status, version, source_url, and manifest are updated. Fields like display_name, description, author, etc. can become stale if the new manifest changes them; update these fields from the manifest during reinstall to keep the DB consistent.
Suggested change
| plugin.source_url = url | |
| plugin.source_url = url | |
| plugin.name = manifest['name'] | |
| plugin.display_name = manifest['display_name'] | |
| plugin.description = manifest.get('description', '') | |
| plugin.author = manifest.get('author', '') | |
| plugin.homepage = manifest.get('homepage', '') | |
| plugin.repository = manifest.get('repository', '') | |
| plugin.license = manifest.get('license', '') | |
| plugin.category = manifest.get('category', 'utility') |
Comment on lines
+79
to
+82
| except ValueError as e: | ||
| return jsonify({'error': str(e)}), 400 | ||
| except Exception as e: | ||
| return jsonify({'error': f'Installation failed: {e}'}), 500 |
There was a problem hiding this comment.
The 500-path returns the raw exception string in the response (Installation failed: {e}), which can leak internal details. Log the exception server-side and return a generic message (optionally with a correlation id) while storing the detailed error in InstalledPlugin.error_message.
| * - A default component (the widget/UI to render) | ||
| * - Optionally a Provider component for context wrapping | ||
| */ | ||
| import React, { Suspense, useMemo } from 'react'; |
There was a problem hiding this comment.
Suspense is imported but never used, which will fail linting/build in many setups. Remove the unused import or actually wrap plugin rendering in a <Suspense> boundary if you plan to lazy-load plugin components.
Suggested change
| import React, { Suspense, useMemo } from 'react'; | |
| import React, { useMemo } from 'react'; |
| // Plugin management API methods | ||
|
|
||
| export async function getInstalledPlugins(status) { | ||
| const params = status ? `?status=${status}` : ''; |
There was a problem hiding this comment.
Query param values should be URL-encoded. status is interpolated directly into the query string here; use encodeURIComponent(status) to avoid malformed URLs (and to match existing patterns like encodeURIComponent used elsewhere).
Suggested change
| const params = status ? `?status=${status}` : ''; | |
| const params = status ? `?status=${encodeURIComponent(status)}` : ''; |
Comment on lines
+283
to
+289
| # Load installed plugins (dynamic blueprints) | ||
| try: | ||
| from app.services.plugin_service import load_all_plugins | ||
| load_all_plugins(app) | ||
| except Exception as e: | ||
| import logging | ||
| logging.getLogger(__name__).warning(f'Plugin loader: {e}') |
There was a problem hiding this comment.
load_all_plugins(app) is invoked before Alembic migrations run. On upgrade (when installed_plugins table doesn’t exist yet), this will fail and plugins won’t be loaded even after migrations are applied later in the same startup. Move plugin loading to after MigrationService.check_and_prepare(app) (or rerun after migrations) so plugin blueprints reliably register.
Introduce a comprehensive Style Guide (frontend/src/pages/StyleGuide.jsx) as a developer-only design system reference, plus new SCSS modules (_style-guide.scss, _alerts.scss, _tables.scss) and updates to existing component styles. Register the page route and title in App.jsx and add a DEV-only sidebar link (import.meta.env.DEV) in Sidebar.jsx; also import SIDEBAR_ITEMS from sidebarItems. These changes centralize UI patterns, components and utilities for easier visual QA and consistent styling without exposing the guide in production builds.
Add loading and size props to EmptyState (imports Spinner, shows spinner when loading, adjusts icon sizes) and add a large variant styling. Update StyleGuide to demonstrate loading, large/not-installed/unavailable states, and card contexts. Refactor SCSS across pages/components to use Sass theme variables ($bg-card, $border-subtle, $text-secondary, $accent-primary, etc.) replacing many var(...) usages and tweak related spacing/typography styles.
Add end-to-end support for removing remote Docker networks and volumes and normalize remote API responses. Server: new Flask endpoints to DELETE remote networks/volumes and helpers to compute external base/ws URLs and v1 API paths. Agent: register new handler docker:network:remove and Client.RemoveNetwork implementation. Backend service: RemoteDockerService.remove_network uses agent registry for remote servers and falls back to local DockerService. Models: expand Server permission logic to map agent actions to profile/legacy scopes (DOCKER_READ_ACTIONS, scope expansion and wildcard matching) and add unit tests covering permission mappings. Frontend: handle agent-backed response shapes (unwrapRemoteData, normalizeListResponse), call new removeRemoteNetwork/removeRemoteVolume API methods, update download/install URLs to /api/v1, and tweak several UI texts. Install scripts: change config/log directories, pass --config when registering/starting agent, and update systemd/service/unit and Windows service install paths. README: small wording updates about fleet/remote deployment and monitoring.
Introduce a deployment jobs system to support cross-server template installations and remote execution. Adds DeploymentJob and DeploymentJobLog models, DeploymentJobService for job lifecycle, and DeploymentPlanRunner to execute plans locally or via agents. TemplateService gains build_install_plan and related helpers to produce executable plans; Template installs can run async (202) or synchronously. Backend API/CLI updated: new deployment-jobs endpoints, apps API uses RemoteDockerService for remote compose actions, and CLI commands (deploy-template, deployment-status, list-servers) were added. Agent and config changes: file access validation with allowed_paths, file write create_dirs option, default allowed paths, and install script/systemd read-write paths updated to permit /var/lib/serverkit and /var/serverkit. Migration file for deployment_jobs schema included.
Introduce a centralized Deployments page that lists all deployment jobs across local and remote agents with real-time status, step progress, and live log tail. Adds route /deployments, sidebar link under Services, and command palette entry. Fixes undefined $primary variable in _templates.scss by switching to $accent-primary, restoring the frontend build. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add ngrok 'tunnel' mode to dev scripts and documentation, plus a large UI overhaul for the Servers pages. - Add .gitattributes and new scripts/setup-wsl.sh helper. - Extend dev.ps1 and dev.sh with a new 'tunnel' mode that starts backend+frontend and launches an ngrok tunnel (supports NGROK_DOMAIN, NGROK_AUTHTOKEN, and sets sensible CORS_ORIGINS). Includes polling of ngrok API, process cleanup, and helpful error messages. - Update docs/LOCAL_DEVELOPMENT.md with an "Exposing Your Local Control Plane (ngrok)" guide and WSL setup notes. - Revamp frontend pages: ServerDetail.jsx and Servers.jsx refactored with new header layouts, status/avatars, status pills, telemetry rows, selectable table rows, bulk actions, confirm dialogs, improved add-server modal, new icons (FolderTinyIcon, MoreIcon), utilities (formatLastSeen, clamp), and accessibility/interaction improvements (menus, selection, copy install command). - Update servers SCSS to support the new layouts and loading states. These changes add a developer-friendly tunnel mode for remote testing and significantly improve the server management UX in the frontend.
Implements a RustDesk-style short-code pairing feature across agent, backend, frontend and docs. Key changes: - Agent CLI: adds `serverkit-agent pair` command (agent/cmd/agent/pair.go) that generates/loads an Ed25519 keypair, enrolls with the panel, shows a rotating pair code, and saves credentials on claim. Adds passphrase marker handling and interactive/headless modes. - Agent internals: new pairing package with client and keypair (agent/internal/pairing/*.go). Keypair files are encrypted using new exported config EncryptBytes/DecryptBytes utilities and MachineID() helper in agent/internal/config/config.go. go.mod/go.sum updated (Go version and x/term, x/sys bumps). - Backend API: new pairing blueprint exposing endpoints for enroll, poll, code refresh/freeze, lookup and claim (backend/app/api/pairing.py). Adds PendingAgent model (backend/app/models/pending_agent.py) to track enrollments and their lifecycle. - Backend service: pairing_service (backend/app/services/pairing_service.py) implements enrollment, rotation, long-polling, claim handling, credential minting and one-shot delivery. Adds a background pairing pruner thread to remove expired pending enrollments (registered in backend/app/__init__.py). - Frontend: add API client support and page changes to integrate pairing flow (frontend/src/services/api/pairing.js, modifications to Servers.jsx and api index). - Docs: adds pairing.md explaining the pairing flow. Why: provide a secure, user-friendly mechanism for operators to claim new agents via short rotating codes and a passphrase, simplifying server onboarding while protecting credentials and preventing brute-force attempts.
The previous commit accidentally bumped the toolchain to Go 1.25 via `go get`. Downgrade golang.org/x/term and golang.org/x/sys to versions that work on Go 1.23 and update the agent-release workflow to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- python-dotenv 1.0.0 -> 1.2.2 (CVE-2026-28684, arbitrary file overwrite via symlinks) - cryptography 46.0.5 -> 46.0.7 (CVE-2026-39892 buffer overflow, CVE-2026-34073 cert validation) - requests 2.32.5 -> 2.33.1 (CVE-2026-25645, insecure temp file reuse) - Authlib 1.6.9 -> 1.6.11 (CVE: missing CSRF protection) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- agent/Dockerfile: bump golang base from 1.21 to 1.23 to match go.mod - agent-release.yml: pin WiX to 5.0.2 to avoid the OSMF EULA prompt introduced in WiX 7 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduce a local-loopback pairing wizard and related installer/packaging changes. - Add a new CLI command `setup` (agent/cmd/agent/main.go) that launches a small HTTP server and opens a browser/native window to run a pairing wizard. - Implement the setup UI server and wizard HTML (agent/internal/setupui/*). The wizard runs a local HTTP API to start pairing, poll status, save credentials, and on Windows attempts to open a native WebView2 window (github.com/jchv/go-webview2) falling back to the system browser. After successful pairing the agent service is switched to auto-start (best-effort on Windows). - Add platform-specific helpers: WebView2 window on Windows and no-op stubs on other OSes, plus service-start helper for Windows. - Update go.mod/go.sum to include WebView2/winloader deps. - MSI changes: add Start Menu shortcuts (Setup/Status), do not auto-start the service on install (start remains demand), add an Icon entry, and adjust build.ps1 to resolve the output directory to an absolute path for stable output paths. Packaged MSI outputs were added under packaging/msi/output/. - Frontend additions: add shadcn/ui configuration, jsconfig, new globals and UI components used by the wizard (frontend/src/... and assets). These changes provide an easier desktop pairing flow while keeping CLI pairing available for headless servers, and tweak the installer so the service isn't started before credentials exist.
Add diagnostic setup logging and Windows-friendly error UI, plus a large refactor of security frontend components. - Agent: introduce openSetupDebugLog, write diagnostics during runSetup, LockOSThread for Windows WebView2, and catch panics to surface failures. Add platform-specific showFatalError implementations (MessageBox on Windows, stderr elsewhere). Update setup UI Run behavior to create the native WebView2 window synchronously and fall back to the browser. - Frontend: replace raw HTML buttons/badges/inputs/selects/textareas across many security-related components with shared UI primitives (Button, Badge, Input, Label, Select, Textarea) and update modal forms to use them. - Misc: add /agent/packaging to .gitignore. These changes improve diagnostics for the setup wizard (especially when launched without a console), provide clearer error surfacing on Windows, and standardize the security UI on the new component library.
Replace ad-hoc HTML controls with shared UI primitives across multiple frontend components. Migrated buttons, inputs, textareas, checkboxes, switches, badges, skeletons and selects to components from '@/components/ui/*'. Rewrote CommandPalette to use CommandDialog/CommandList primitives (removed manual keyboard handling and focus/scroll logic). Updated EnvironmentVariables, LogsDrawer, LogsTab, CommandsTab, EventsTab, GitConnectModal, GunicornTab, PackagesTab, SettingsTab, ShellTab, Setup steps, WordPress components and various workflow panels to use the new UI components and variants; improved UI consistency and badge/skeleton usage. Also tightened error handling in a few places (explicit catch param) and cleaned up modal form layouts and action buttons.
Refactor Tabs styles to use an underline-style tab bar and make the tab list horizontally scrollable. TabsList switched from a pill background to a border-bottom layout, hides scrollbars and adds spacing; TabsTrigger was updated to remove the pill active background, add an accent underline (data-[state=active]), hover/focus/disabled states, and cleaner spacing; TabsContent focus styles were slightly adjusted for consistent focus rounding. This improves visual consistency, accessibility (focus states), and usability for overflowed tab sets.
Introduce a native Windows desktop pairing experience and add ARM64 Windows builds/MSI. Key changes: - Add native Windows UI support: app.manifest, walk/win deps, icons, header image, and foreground activation helpers. - Replace the old local HTTP/webview wizard with a native setup UI (remove wizard.html, refactor setupui). Add setupui.Run integration. - Implement desktop/tray behavior: runDesktop/runTray refactor, single-instance mutex, detached spawn for the pairing wizard, desktop file-backed logging, and MessageBox wrapper for early errors. - Build/CI updates: add windows/arm64 to build matrix, include -H=windowsgui for windows builds, produce per-arch MSI artifacts, and update release workflow summaries. - Packaging & resources: add .syso resources for amd64/arm64, MSI build script updates, icon generation script and packaging tweaks, and update .gitignore to ignore dist and MSI outputs. - Dependency and version bumps: update agent/go.mod/go.sum for walk/win and other indirect deps; bump VERSION to 1.5.4. These changes enable a native pairing wizard on Windows (no browser/WebView2 required), keep the tray visible while the wizard runs, and add ARM64 support end-to-end (binary and MSI installers).
Add Windows-specific theming and dark-mode helpers and refactor the setup wizard to use a palette-based layout (new theme_windows.go, darkmode_windows.go and layout updates in window_windows.go). Improve pair-code rendering (displayCode) and various UI spacing, fonts and controls. Add a SmartScreen-bypass launcher (launcher.vbs), wire it into the MSI (Product.wxs) and copy it during the MSI build (build.ps1); Start menu shortcut and auto-start now invoke wscript.exe with the launcher to avoid SmartScreen killing the unsigned exe. Frontend: minor guard in Servers.jsx to avoid empty lookups, add a dev-only Style Guide link in Settings and small SCSS tweak for settings nav items. Bump VERSION to 1.5.8.
Generate an 8-char cryptographically-random passphrase (using a reduced alphabet that excludes ambiguous chars) on the agent side and show it in the Windows setup wizard instead of asking the user to type one. Adds generatePassphrase(), updates wizard UI to display the passphrase (and clear it on cancel), and removes the passphrase input/validation. Also improves the web UI pairing form to auto-lookup the pair code once 6 characters are entered (using useEffect with cancellation to avoid premature "must be 6 chars" errors), updates instructional text/placeholders to reflect the agent-displayed passphrase, and tweaks lookup error/loading handling.
Bump version to 1.5.9 and add a Windows-only WebView2-based desktop console driven by an embedded React SPA. Introduces agent/internal/agentui with an embedded dist, an HTTP asset server, and platform-specific WebView2 launcher; adds console CLI command to open the window. Adds a new agent/ui React app (source, package.json, lockfile) and .gitignore entries for built UI. Update Go modules to include WebView2/winloader deps and update go.sum. Improve pairing wizard UX: use lowercase passphrase alphabet and add Copy buttons/clipboard support with transient feedback. Harden websocket client: disable permessage-deflate and set ngrok header to avoid tunnel interstitials. Update MSI packaging to auto-start service, grant user permissions for service and ProgramData config, and include Wix util extension in build script.
Introduce a lightweight metricSampler (1 Hz, 300-sample ring buffer) to record recent CPU/memory samples for the desktop console and integrate it into Agent (field, startup loop, and GetMetricsHistory accessor). Add IPC types/route for MetricSample and a /metrics/history handler to expose the ring buffer. Implement samplerLoop with resilient collection and a thread-safe snapshot API. Revamp the React UI: remove the old ConsolePage, add a Shell with Sidebar and new pages (Overview, Activity, Logs, Actions, About), plus IPC client/hooks for polling (including metrics history). Overview renders sparklines using the sampled data. Update main.scss with layout, sidebar, cards, pills and metrics styling to support the new UI.
Introduce a small append-only events store and surface agent lifecycle/activity events to the UI. Adds internal/events with a concurrent ring buffer (capacity 200) and optional JSON persistence (events.json next to agent data), plus Append/Snapshot/Clear APIs. Wire the store into Agent (create store, GetEvents, append service start/stop/restart and connection transition events) and add connectionWatcher to emit WS connect/disconnect events. Expose events via IPC (/events) and update the IPC client and hooks (ipc.events, useEvents) so the frontend can poll for new events. Implement a complete Activity page UI (list, icons, severity filter) and corresponding styles. Persistence is best-effort and safe (temp-file rename); malformed or missing files are ignored to avoid startup failures.
The agent reports a rich capability payload (sudo mode, runtime managers, detected runtimes, allowed paths, systemd JSON support) that the panel was discarding once the WebSocket disconnected. The Overview tab also gave no visibility into what the agent had discovered, which left users guessing why a feature tab was missing or a Docker call returned empty. Backend: - Server model gains seven nullable columns: cached_capabilities, cached_runtimes, cached_runtime_managers, cached_allowed_paths, cached_sudo, cached_systemd_json, capabilities_at. Migration 005 is idempotent (checks existing columns before adding) so it's safe on already-bootstrapped databases. - agent_registry.update_capabilities() now persists a snapshot to the Server row whenever the agent reports state. Wrapped in try/except so a DB hiccup doesn't drop the in-memory update. - /servers/<id> falls back to the cached snapshot when the agent is offline and exposes capabilities_stale + capabilities_at so the UI can badge stale data. Frontend: - New SystemStatusCard renders sudo mode, package manager, runtime managers, detected runtime versions, capability map (as colored chips), and file-access roots. "Stale" badge + relative timestamp + Refresh button (calls agent:recapabilities). - DockerTab now distinguishes "agent online but no docker daemon" from "no containers found", with concrete remediation hints. Load errors surface as a banner instead of being swallowed to console. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The connectionWatcher only fired sendCapabilities() on a single false→true transition of IsConnected(). When the WS→poll fallback dance briefly raised IsConnected() against the WS backend right before it died, the message landed on a transport whose Send() silently buffered it forever — the panel ended up with an empty capability map for the lifetime of the agent process. Add a parallel resend ticker that fires every 5s for the first minute then backs off to every 60s thereafter. The panel's update_capabilities is a pure overwrite, so re-shipping the same payload costs nothing; the worst case is a 60s gap before the next refresh once the agent has been up for a minute. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Server.ip_address column was never written: register_polling captured the source IP into the in-memory ConnectedAgent but didn't copy it to the Server row, so the Overview tab showed "IP Address: N/A" for every connected agent forever. Persist it on agent registration; existing rows backfill on the next reconnect. The agent never actually pushed a system_info message either — it only answered system:info synchronously on demand, so update_ system_info was never called from the request/response path. CPU, memory, disk, kernel version, and docker version stayed N/A on the Server row no matter how long the agent had been online. - New sendSystemInfo() in agent.go builds a typed SystemInfoMessage and pushes via the transport. Wired into connectionWatcher alongside sendCapabilities so the data flows on connect and on the periodic resend cadence (5s for the first minute, 60s thereafter). - poll.Send() gains a typed branch for SystemInfoMessage that marshals to a map and stashes for the next /poll body, mirroring the CapabilitiesMessage path. - agent_registry.register_polling now writes ip_address to the Server row when present. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Users had to SSH in to run `cloudflared tunnel login` before any of
the Tunnels tab worked. Wire up the OAuth flow so the panel can
trigger it and surface the auth URL for the user to open from their
own browser.
Agent:
- New cloudflared.LoginEvent + Manager.Login() that spawns the
process, regex-matches the dash.cloudflare.com/argotunnel URL on
stdout/stderr, and watches cert.pem in parallel as a reliable
completion signal. 15-minute hard ceiling.
- New cloudflared:login action returns {job_id, channel} immediately;
the goroutine emits start → status (with auth_url) → done events
on the job channel.
- Non-linux stub returns "unsupported".
- jobs.HasTerminated() helper so handler shutdown paths can avoid
double-emitting the terminator.
Panel:
- POST /servers/<id>/cloudflared/login + RemoteCloudflaredService.login
- ApiService.startRemoteCloudflaredLogin
Frontend:
- CloudflaredTab gains a "Login to Cloudflare" CTA when not authed.
Click → starts the agent flow, joins the job's Socket.IO room,
listens for the auth_url event, and renders an Open-in-Browser
button. Once the agent emits done, refreshes capabilities + status
+ tunnel list automatically — the rest of the tab unlocks itself.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Refresh button on the System Status card was returning 403 because the per-server permissions allowlist (e.g. 'docker_manager' profile) doesn't include 'agent:recapabilities' and the scope expander has no rule for the agent: namespace. The action is purely panel-driven discovery — it doesn't mutate the host — so it shouldn't be subject to the same ACL as install/exec actions. - Add Server.CONTROL_PLANE_ACTIONS bypass set: agent:recapabilities, agent:update. has_permission() returns True for these unconditionally; JWT auth at the API layer is what gates access. - /poll endpoint now logs the keys it received in metrics / system_info / capabilities so we can debug "panel says N/A" failure modes from the panel logs without instrumenting the agent. - Agent's sendCapabilities now logs at INFO with sudo mode + capability count + runtime count so the agent.log shows whether the periodic resend is firing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three wins exposed by the redeployed panel showing real data: 1. Permission expansion now covers every namespace, not just docker and system. Extend _expand_permission_scope so any action with a read-style verb (list, list_installed, list_units, status, info, inspect, search, logs, stats, available, current) accepts a `<ns>:read` or `<ns>:<sub>:read` candidate. Mutating verbs add a `<ns>:write` candidate. This unblocks docker:image:list, system:info, packages:list_installed, systemd:list_units, and the pyenv read paths for users on read-style profiles. 2. Go runtime probe was using `--version` (a flag), but Go takes `version` as a subcommand. The agent's runtime detector tries each form and falls back gracefully; Go is now correctly identified by `go version` and the panel shows a real version string instead of the "go flag provided but not defined" error text. 3. SystemInfo gains Platform + CPUModel fields (pushed alongside the existing hostname/cores/memory/disk). OverviewTab now reads from the persisted server row first and falls back to the synchronous getRemoteSystemInfo response — so CPU and memory render even when the system:info action is permission-denied or the agent is offline. metrics.GetSystemInfo also gets a runtime.NumCPU() fallback so CPU cores never reports 0 on Windows hosts where gopsutil's WMI queries flake. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pollOnce was clearing c.caps and c.sysInfo *before* postJSON ran, so any failed /poll request (tunnel reconnect, transient 5xx, timeout) silently lost the buffered payload. The agent's periodic resend would only repopulate it 5 seconds later, and if the panel was checking just before that tick the capability map looked empty. Plus the very first /poll after auth happens before the connectionWatcher's 1Hz tick gets a chance to fire sendCapabilities, so /poll #1 had nothing to ship. Fix: don't clear the buffers on /poll. The agent re-populates them on every 5–60s tick, the panel's update_capabilities is a pure overwrite, and re-sending the same payload twice is free. This trades a few unnecessary writes for "your capabilities never go missing because of a flaky network." Also harden update_system_info: only overwrite a column when the new value is truthy. Previously a single probe failure (Docker briefly unreachable, gopsutil WMI hiccup) would wipe a healthy value to empty/0 and leave it that way until the next successful probe — see the regression where Docker Version went 27.3.1 → N/A across builds. And: log the top-level keys + inner caps count + sudo mode in update_capabilities so we can diagnose the "panel says empty" failure mode from the panel logs without instrumenting further. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When the panel restarts or the agent process crashes without a clean disconnect, Server.status stays 'online' in the DB even though agent_registry has no in-memory record. The UI then shows a contradiction: "online" pill in the header, "Agent not connected" on the Docker tab. Reconcile in get_server: if there's no in-memory agent and the row says online, flip to offline and persist. The capabilities cache + last_seen still surface so the user sees the last known state, but the UI now correctly reflects that the agent isn't reachable right now. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The current Manager only falls back on hard handshake failures (RSV1 / engine.io). It doesn't catch the more common CF-tunnel failure mode the user observed in events.json: WS authenticates fine, stays alive 2-3 minutes, drops, reconnects, drops again, forever. Each cycle pays an auth round-trip and burns bandwidth on retry/backoff loops without ever delivering live streams. Add a stability monitor that samples IsConnected() at 1Hz, records disconnect timestamps in a sliding 10-minute window, and triggers runFallback() permanently after 3 disconnects in window. Once on poll, no more reconnect churn — heartbeat + buffered capability/ sysinfo get delivered cleanly through the REST endpoint that the intermediary doesn't mangle. Restart-to-recover semantics preserved (matches the existing "stay on poll until process restart" rule). Threshold (3 drops / 10 min) is conservative: a single drop or two from a brief network blip won't trigger; only sustained unreliability does. Users with healthy direct WS connections never hit this path at all. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Four real root causes that produced the symptoms we've been chasing: 1. agent.log was 0 bytes because io.MultiWriter aborts the entire write chain on the first writer error. On Windows services where os.Stdout writes can transiently fail, the lumberjack file writer never got the slog records — events.json (direct os.File) worked fine while agent.log silently stayed empty for the entire process lifetime. Replace io.MultiWriter with resilientWriter that independently writes to each underlying writer and swallows per-writer errors. Also surface logger init failures (MkdirAll, OpenFile) instead of silently falling back to stdout-only, and emit an explicit "logger initialized" startup line so an empty file is now an obvious bug rather than ambiguous. 2. WS connections appeared to "drop every 2-3 minutes" but actually the read loop had no ReadDeadline at all — ReadMessage() blocked forever on a network-killed connection until the OS-level TCP timeout fired, which is exactly what produced the ws_connected → ws_disconnected pattern in events.json. Add readWait = pingInterval*2.5 + 5s, reset it on every successful read AND in SetPongHandler. Now CF/ngrok killing the conn at the network layer (without sending a WS close frame) is detected within seconds, the read errors out cleanly, the Manager's flap detector counts it, and we fall back to polling far faster. 3. Newly-registered servers defaulted to permissions=[] which made every action 403. The user hit "Permission denied" on docker:image:list, system:info, agent:recapabilities, and probably half the rest. Default to ['*'] when no profile or list is specified — single-tenant deployments shouldn't need to manually open a profile editor before anything works. 4. Migration 006 retroactively fixes already-stuck servers: any row with permissions=[] gets ['*']. Non-empty admin-defined ACLs are left alone. Solves "I registered before this fix and now I can't do anything" without bulldozing legitimate configurations. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Introduce connstring package and tests to decode panel "connection strings" and add UI/CLI hooks to accept them. Move file access handlers into a dedicated file_handlers.go with strict allowlist checks that resolve symlinks and validate parent dirs to prevent escapes; add unit tests covering symlink and allowlist behaviour. Add credential-rotation HMAC verification, command blocking and configurable exec timeout resolution, gate system:exec registration by feature flag, and fix Docker logs reading to use io.ReadAll with a size cap. Misc: buffer restart channel to avoid IPC hangs, improve UDP discovery error handling, expose IPC token via a local endpoint and add IPCTokenPath, and wire the pairer to handle connection-string pairing and persist credentials. Overall changes focus on security hardening, UX for single-string pairing, and reliability fixes.
Add dev toggle for IPC auth and fix CORS Authorization header; introduce SERVERKIT_IPC_NO_AUTH to skip bearer checks in dev and log a warning. Frontend: wide UI refactor — convert Sheet-based modals to Dialogs, restyle ConfirmDialog, update Badge and Button variants (sizes, rounded tokens, data attributes), improve Tabs overflow trigger handling, and add ARIA labels for process action buttons. Docker page: unify/normalize ports formatting for multiple agent shapes and render safely. ServerDetail: add Alerts tab, load and manage security alerts (acknowledge/resolve), and restructure overview into KPI tiles, info rows, and SystemStatusCard. Replace several ad-hoc modals in Cron/Cloudflared with Dialog + Select forms and tidy Settings/agent sections. Also add UI_REPORT.md to .gitignore.
Introduce SCSS for alerts and notification UI on the servers page. Adds .alerts-tab layout and .alerts-section (including header, count badge and muted modifier) and .notification rules (head, title, time, actions and button sizing). Uses existing design tokens (spacing, font-size, colors, radii) to match app styling.
SystemStatusCard.jsx: wrap the heading and stale Badge inside a new .system-status-card__title container to better group title and status metadata. button.jsx: tweak button variant classes to use text-center and increase disabled opacity (50% -> 60%) to adjust visual weight. _server-packages.scss: comprehensive style refinements — added header bottom padding and border, tightened typographic scale for headings and labels, adjusted probed-at numeric styling, changed rows to remove extra gap and introduced row padding/bottom borders, increased first column width, and updated colors, spacing and alignment for row values and chips. These changes improve spacing, alignment and visual hierarchy in the server packages/system status UI.
Normalize button vertical alignment and spacing: add leading-none to root styles and set vertical padding to py-0 for default/sm/lg sizes. Remove conditional has-[>svg] px adjustments and instead set a dedicated icon size variant (size-10) with an explicit SVG sizing rule ([&_svg:not([class*="size-"])]:size-[18px]) to ensure consistent icon rendering and spacing across variants.
Refactor: move component styling out of inline Tailwind/CVA classes into SCSS utility classes. Many UI components (dialog, alert-dialog, card, button, badge, checkbox, input, label, select, sheet, switch, table, tabs, textarea, etc.) now use stable .ui-*-prefixed classes and data-slot/data-variant attributes. Removed several class-variance-authority usages and simplified JS by mapping variant/size to SCSS classes (e.g. Button.buttonVariants) and adding a backwards-compat shim for badgeVariants. Added a new styles/components/_ui.scss containing the style surface for the .ui-* classes and expanded styles/components/_buttons.scss to implement the new button API. main.scss now imports the new _ui.scss. Small behavioral tweaks: Radix primitives keep animation-related attributes, icon sizing cleaned up (removed many explicit size classes), and sheet/dialog close buttons use .ui-* classes. Overall this centralizes geometry/color in SCSS and keeps JSX as thin wrappers.
Consolidate and expand .empty-state-sm styling: removed the earlier duplicate block and added a single rule that uses a flex column layout with centered alignment, gap, and consistent padding/text color. Also adds specific SVG (color, opacity, no shrink) and paragraph (reset margin) rules to improve alignment, spacing, and icon appearance for empty-state UI.
Add a unified, cross-platform development launcher and update docs/styles to SCSS. - Add dev/dev.sh: comprehensive Bash dev launcher with stable non-default ports, port resolution/cleanup, WSL-aware behavior, ngrok support, and validation tooling. - Rewrite Windows entrypoint (dev.ps1) to require WSL and delegate to dev/dev.sh; make top-level dev.sh a thin wrapper that execs dev/dev.sh. - Add AGENTS.md with project overview, architecture, and development instructions for assistance tools. - Update docs (CLAUDE.md, CONTRIBUTING.md) to reflect migration from LESS to SCSS and update style guidance. - Update .gitignore to ignore backend/.venv-wsl, frontend.env.development.local, and /.agents. - Frontend: add new pages and page-specific SCSS files, update main.scss, components, pages, client/socket services, and vite.config.js to support the SCSS-based frontend changes. These changes unify local development workflows (especially via WSL), improve port stability, and complete the frontend styling migration from LESS to SCSS.
Add backend support for listing Docker Compose projects: new /docker/compose/list endpoint and DockerService.compose_list with a JSON-parsing path and a fallback that builds projects from container labels for older compose binaries. Fix RemoteDockerService to use DockerService.get_container for remote/local inspection. Large frontend updates: DashboardLayout supports full-page routes; Databases page received a visual refresh with engine status badges and a summary grid; Docker page refactored extensively — normalize container fields, consistent ID/name/image helpers, table-based resource list, inspector sidebar (ports/mounts/env), resource bars, improved logs/exec handling, and disabled actions for remote targets. Compose tab now uses the new compose list API and streamlines compose actions. File Manager now keeps current path in the URL (search params), tracks previous target changes, and manages selection state more robustly. Miscellaneous UX fixes and icon updates across pages.
Backend: add POST /docker/containers/stats and DockerService.get_containers_stats to fetch resource metrics for multiple containers in a single docker stats call (parses JSON lines and returns a map keyed by ID/Name). Validates input and logs errors. Frontend: refactor Docker page into a two-column workspace with a left sidebar for targets, resources and maintenance, and a main area with workbar and panel. Add support for multiple targets (default local), fetch available servers, and expose selection UI. Implement bulk stats fetching via api.getContainersStats for local hosts, periodic refresh, per-container stats caching, sorting controls for the container list (status/name/image/cpu/memory/created), and improvements to the container inspector (drawer behavior, loading timer, close action). Update API client with getContainersStats and adjust container stats parsing to handle multiple shapes. Styles: add comprehensive SCSS for the new workspace, sidebar, inspector drawer, inventory and sort control, and responsive behavior.
Introduce creating services from Git repositories and related UI changes. Backend: add /apps/from-repository endpoint to validate input, clone repositories, detect build/app type (via BuildService), configure build and deploy (via GitService), persist Application records, and perform cleanup on failure. Add helper utilities for slugifying, safe repo URLs, path validation, and attaching deploy configs to app responses. Make git clone command branch optional. Frontend: add NewService page, route (/services/new), sidebar entry and buttons for creating a new repo-based service, API client method createAppFromRepository, and import new styles. Update Services, ServiceDetail, Deployments, and Servers pages with UI/UX improvements (deploy actions, repo display sanitization, new icons, deployment CTA, and extensive servers rail/refactor). Add _new-service.scss and include it in main styles.
Introduce source provider connections to allow OAuth-backed GitHub repository selection and authenticated cloning. Backend: add SourceConnection model, SettingsService keys for GitHub OAuth, and a SourceConnectionService that handles OAuth flow, token storage (encrypted), repo/branch listing, and authenticated clone URL generation. Expose new API blueprint under /api/v1/source-connections with endpoints for status, authorize, callback, repos, branches, disconnect, and admin config. Update app creation flow to accept source_connection_id and repository_full_name, use authenticated clone URLs for cloning/deploy, and sanitize clone errors to show public repo URLs. Frontend: add SourceConnectionsTab UI, source connection callback route/component, extend App routes, and revamp New Service page to support connecting GitHub, picking repositories/branches, or using a manual git remote; update API client and styles accordingly. Note: database migration will be required to create the source_connections table and admins must configure GitHub client ID/secret.
Introduce RepositoryManifestService to detect deployment manifests (ServerKit, Render, Railway, Compose, app.json, Dockerfile, Nixpacks) and recommend app/build settings. Add backend integration: analyze repo during import (apps.create_app_from_repository), new GitHub manifest API route, and SourceConnectionService helpers to list root files and fetch file contents from GitHub. Pass resolved dockerfile_path/custom build/start commands into build configuration. Add unit tests for the manifest service. Frontend: add template support and manifest UI in NewService.jsx, new API call inspectGithubRepositoryManifest, and related SCSS styles for templates/manifest display. Misc: updated imports and minor UX messaging changes.
Introduce a first-class plugin contribution system and SDK, plus frontend integration and installer enhancements. Backend: - Add /plugins/manifest-spec and /plugins/contributions endpoints to expose the plugin.json contract and merged active-plugin UI contributions. - Add app/plugins_sdk for plugin authors (current_user, logger, audit, jwt helpers). - Add ContributionService to aggregate active plugin contributions (nav, routes, page_titles, command_palette, widgets). - Marketplace now hands off to plugin installer when an extension has a source URL and enforces admin-only installs in the marketplace API. - PluginService: run lifecycle hooks (install/uninstall) and install declared template dependencies (best-effort, recorded/logged) during plugin installs; surface template/manifest fields on InstalledPlugin.to_dict; surface linked InstalledPlugin status on ExtensionInstall.to_dict. Frontend: - Add runtime contributions loader (plugins/contributions.js) with useContributions hook and resolveComponent/getPluginModule helpers. - Add SDK re-exports for plugin frontends (plugins/sdk/index.js) and Vite alias 'serverkit-sdk'. - Integrate contributions across UI: Sidebar, CommandPalette, PluginLoader (declared widgets + legacy fallback), PageTitleUpdater, DashboardLayout (refreshContributions), and route injection via new ExtensionRoutes hook loaded in App.jsx. - Add API client getPluginContributions and adjust PluginLoader discovery patterns. Other: - Add .extension-platform-plan/ to .gitignore. Overall this enables declarative plugin-driven UI integration (sidebar items, SPA routes, page titles, command palette entries, and widgets), lifecycle hooks, and template dependency installs while keeping legacy behavior for older plugins.
Introduce fallback audit logging and enrich audit tooling; add builtin extension discovery/install; and update default launcher ports and related docs/config. Key changes: - New middleware app.middleware.audit registers an after-request fallback that records authenticated mutating API requests when routes don't emit explicit audit logs. - Audit model/action constants extended and AuditService enhanced (request context handling, redaction for sensitive settings, optional commit flag, sets g.audit_logged, emits events). - Routes/services updated to create explicit audit entries for marketplace and plugin operations (create/update/publish/install/uninstall/enable/disable) and SSO/settings flows switched to use AuditService. - Added tests for audit logging behavior and redaction (backend/tests/test_audit_log.py). - Plugin service: added BUILTIN_EXTENSIONS_DIR, list_builtin_extensions and install_builtin_extension; plugin API endpoints to list/install builtin extensions. - Contribution system extended to support layouts and route layout metadata; frontend wiring updated to surface standalone/custom layouts and extension routes. - Launcher port defaults changed (backend -> 47927, frontend -> 41921). Updated backend .env.example, config CORS defaults, Dockerfiles and docker-compose to use SERVERKIT_BACKEND_PORT, and many docs/README files and frontend envs to reflect new ports. - Minor frontend cleanups and new builtin extension example (serverkit-git) plus associated manifest and frontend re-export. These changes improve observability/security for mutating APIs, enable opt-in builtin plugins, and align local dev/run ports with the launcher defaults.
Several changes to plugin handling, API client behavior, and the marketplace UI: - Backend: added explicit '' route decorators for marketplace and plugins endpoints (GET/POST) to ensure routes mount at both '' and '/'. - Frontend: make Git page accept a basePath prop and update serverkit-git plugin export to render GitPage at /git-ext. - Auth/API: normalize API base URL, update token-expiry handling to dispatch a global serverkit:auth-expired event (client) and listen for it in AuthContext to clear user state; refresh token logic preserved on JWT 401s. - Plugins/contributions: add build-time plugin manifest support and fallback for contributions when backend endpoint is unavailable; parse local plugin manifests and tag contributions with plugin slugs. - Plugin loader: internalize getInstalledPlugins function signature. - Marketplace UI: remove the submit-extension modal and form, replace with an Import ZIP flow and make tabs controlled via state; remove related SCSS styles. - API & sockets: fix plugin API URL encoding/format and compute socket URL robustly for dev/prod. These changes improve offline/dev experience (Vite dev server), make plugin contributions resilient when the backend is absent, and simplify the marketplace extension import workflow.
Backend: accept and persist an 'enabled' flag when updating monitoring config; add slug normalization and validation in StatusPageService to enforce lowercase alphanumeric-hyphen slugs. Frontend: add PublicStatusPage component and route (/status/:slug). Major overhaul of Monitoring.jsx: introduce defaults for thresholds, improved state handling (loading/saving/checking flags), reworked UI and tabs (Alert Rules, Delivery, History), add Check Now, Refresh, toasts, and Switch UI for enabling checks; persist and validate thresholds on save. App.jsx imports the public page and registers the route. StatusPages.jsx refactor: slug normalization, autosync slug from name, improved page/component/incident flows (create, load, run checks, copy public URL, delete handling), UI/ux improvements and additional metadata. Overall implements better validation, UX, and public status page support.
Promote the serverkit-git extension to own the canonical /git route and migrate legacy /git-ext usage. Adds an Alembic migration that updates the installed_plugins manifest for serverkit-git to the canonical /git contributions. Frontend changes: plugin manifests and build-time plugin list use the new display name and /git routes; plugin entry exports now expose GitExtensionPage (and keep GitExtPage as a compatibility alias); contribution normalization rewrites older plugin contributions that referenced /git-ext to the canonical /git and provides fallback normalization for build-time contributions; App routing adds redirects for legacy git-ext routes to /git and removes the host's hardcoded /git page from core routes; Command Palette and Sidebar code updated to remove the static core Git item and to respect plugin-contributed nav items (including new hidden-item handling and Set-based sidebar helpers). Small backend docstring wording tweak.
Switch connection string encoding from the old base64 blob to a readable sk1:// URL format (host/token[?exp&insecure]) across agent, backend, and frontend. Update encode/decode logic and extensive tests to validate port preservation, insecure/http handling, expiry parsing, and input validation; adjust agent pairing UI to accept the new scheme. Add ServerKit Agent GUI plugin: backend blueprint endpoints for capabilities, frame capture and synthetic desktop, plugin metadata; frontend plugin components (ServerGui, Launcher, SyntheticDesktop), styles, and manifest entry to enable streaming screenshots with a synthetic fallback. Also add Windows service stop waiting to avoid start races after pairing, and document SERVERKIT_PUBLIC_URL in env examples.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce a plugin installation and management system.
Backend: add InstalledPlugin model, plugin_service with download/install/enable/disable/uninstall, dynamic blueprint registration and frontend manifest generation, and plugins API endpoints (list/get/install/enable/disable/uninstall). Register plugins blueprint and attempt to hot-load installed plugin blueprints at app startup.
Frontend: add PluginLoader component (Vite import.meta.glob) to render plugin widgets, extend Marketplace UI to install/manage plugins, add API client methods for plugins, and update styles for the marketplace plugin UI. This enables installing plugins from GitHub/repos/zips and managing them from the app.