pulse

LotusGuild/pulse

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jared Vititoe	2d6a0f1054	Add rate limiting, cron scheduling, webhooks, dry-run, execution filtering, and UX improvements - Rate limiting: 300 req/15min general, 20 req/min on POST /api/executions - Cron schedule type support using cron-parser for full cron expressions - Webhook notifications: POST to workflow webhook_url on execution complete/failed - Dry-run mode: simulate workflow execution without running any commands - Global execution timeout via EXECUTION_MAX_MINUTES env var (default 60min) - Execution filtering: status, workflow_id, started_by, after, before, search - Event-driven command result delivery (replaces 500ms DB polling) - Atomic log appends via JSON_ARRAY_APPEND (no read-modify-write race) - Separate browserClients/workerClients sets (workers no longer receive broadcasts) - Stale execution cleanup on startup (mark running→failed after crash) - Scheduler overlap prevention (skip if same workflow already running) - Frontend: webhook_url field in create/edit workflow modals - Frontend: dry-run checkbox in workflow param modal - Frontend: ESC closes modals, ws.onerror handler added - Frontend: selectedExecutions changed from Array to Set (O(1) ops) - Frontend: XSS fixes via escapeHtml() on all user-controlled innerHTML - Frontend: param modal keydown listener deduplication fix - Remove unused npm packages (bcryptjs, body-parser, cors, js-yaml, jsonwebtoken) - Add express-rate-limit and cron-parser dependencies Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-11 23:06:09 -04:00
Jared Vititoe	58c172e131	Security hardening, bug fixes, and performance improvements Security fixes: - Replace new Function() condition eval with vm.runInNewContext() (RCE fix) - Add admin checks to DELETE executions, all scheduled-commands endpoints - Remove api_key from GET /api/workers response (was exposed to all employees) - Separate browserClients/workerClients sets; broadcast() now sends to browsers only - Add worker WebSocket auth: reject if api_key provided but invalid - Fix XSS: escapeHtml() on step_name, duration, worker_id, user info, execution_id Bug fixes: - Replace DB-polling waitForCommandResult with event-driven _commandResolvers Map - Replace non-atomic addExecutionLog with JSON_ARRAY_APPEND (fixes concurrent write race) - Add stale execution recovery on startup: running→failed with log entry - Fix calculateNextRun returning null for unknown types (now throws) - Fix scheduler overlap: skip if previous execution still running - Fix JSON double-parse on worker_ids column - Fix switchTab() bare event.target reference - Fix selectedExecutions Array→Set (O(1) lookups, fixes performance regression) - Fix param modal event listener leak (delegated handler, removes before re-adding) - Add ws.onerror handler (was silently swallowing WebSocket errors) - Move misplaced routes to before server.listen() Performance/cleanup: - DB connection pool 10→50 - EXECUTION_RETENTION_DAYS default 1→30 (matches docs) - Remove unused packages: bcryptjs, body-parser, cors, js-yaml, jsonwebtoken - Remove generateUUID() wrapper, use crypto.randomUUID() directly - Remove dead example workflow constants - Add ESC key handler to close modals - Fix clearCompletedExecutions limit 1000→9999 - Add security notice to README.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-11 22:53:25 -04:00
jared	dcca2b9e50	Initial PULSE server commit with Authelia SSO integration	2025-11-29 19:26:20 -05:00

Author

SHA1

Message

Date

Jared Vititoe

2d6a0f1054

Add rate limiting, cron scheduling, webhooks, dry-run, execution filtering, and UX improvements

- Rate limiting: 300 req/15min general, 20 req/min on POST /api/executions
- Cron schedule type support using cron-parser for full cron expressions
- Webhook notifications: POST to workflow webhook_url on execution complete/failed
- Dry-run mode: simulate workflow execution without running any commands
- Global execution timeout via EXECUTION_MAX_MINUTES env var (default 60min)
- Execution filtering: status, workflow_id, started_by, after, before, search
- Event-driven command result delivery (replaces 500ms DB polling)
- Atomic log appends via JSON_ARRAY_APPEND (no read-modify-write race)
- Separate browserClients/workerClients sets (workers no longer receive broadcasts)
- Stale execution cleanup on startup (mark running→failed after crash)
- Scheduler overlap prevention (skip if same workflow already running)
- Frontend: webhook_url field in create/edit workflow modals
- Frontend: dry-run checkbox in workflow param modal
- Frontend: ESC closes modals, ws.onerror handler added
- Frontend: selectedExecutions changed from Array to Set (O(1) ops)
- Frontend: XSS fixes via escapeHtml() on all user-controlled innerHTML
- Frontend: param modal keydown listener deduplication fix
- Remove unused npm packages (bcryptjs, body-parser, cors, js-yaml, jsonwebtoken)
- Add express-rate-limit and cron-parser dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-11 23:06:09 -04:00

Jared Vititoe

58c172e131

Security hardening, bug fixes, and performance improvements

Security fixes:
- Replace new Function() condition eval with vm.runInNewContext() (RCE fix)
- Add admin checks to DELETE executions, all scheduled-commands endpoints
- Remove api_key from GET /api/workers response (was exposed to all employees)
- Separate browserClients/workerClients sets; broadcast() now sends to browsers only
- Add worker WebSocket auth: reject if api_key provided but invalid
- Fix XSS: escapeHtml() on step_name, duration, worker_id, user info, execution_id

Bug fixes:
- Replace DB-polling waitForCommandResult with event-driven _commandResolvers Map
- Replace non-atomic addExecutionLog with JSON_ARRAY_APPEND (fixes concurrent write race)
- Add stale execution recovery on startup: running→failed with log entry
- Fix calculateNextRun returning null for unknown types (now throws)
- Fix scheduler overlap: skip if previous execution still running
- Fix JSON double-parse on worker_ids column
- Fix switchTab() bare event.target reference
- Fix selectedExecutions Array→Set (O(1) lookups, fixes performance regression)
- Fix param modal event listener leak (delegated handler, removes before re-adding)
- Add ws.onerror handler (was silently swallowing WebSocket errors)
- Move misplaced routes to before server.listen()

Performance/cleanup:
- DB connection pool 10→50
- EXECUTION_RETENTION_DAYS default 1→30 (matches docs)
- Remove unused packages: bcryptjs, body-parser, cors, js-yaml, jsonwebtoken
- Remove generateUUID() wrapper, use crypto.randomUUID() directly
- Remove dead example workflow constants
- Add ESC key handler to close modals
- Fix clearCompletedExecutions limit 1000→9999
- Add security notice to README.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-11 22:53:25 -04:00

jared

dcca2b9e50

Initial PULSE server commit with Authelia SSO integration

2025-11-29 19:26:20 -05:00

3 Commits