8 Commits

Author SHA1 Message Date
myron 90e4ded7c9 Fix 8 issues from code review
- ha-poller: replace recursive main() retry with while loop (stack overflow fix)
- ha-poller: advance last_push on empty HA response (log spam fix)
- ha-poller: use datetime.now(timezone.utc) instead of deprecated utcnow()
- ping-probe: always call update_status() unconditionally so offline devices register as offline
- agent.php: heartbeat reads status from payload instead of hardcoding 'online'
- phone-probe: delegate JSON building to python3 (bash concatenation injection fix)
- netscan + phone-probe: read registration key from /etc/jarvis-agent/reg-key
- admin/index.php: sync ha_list skipDomains with ha.php (14 missing domains added)
- facts_collector: self-check JARVIS via 127.0.0.1 instead of Cloudflare hairpin
2026-06-29 20:58:22 -05:00
myron 188f6f8f10 fix: persist agent version on every heartbeat
update_agent_seen() now updates version column when agents include it
in their heartbeat payload. Previously version was only stored on
registration, leaving the Workers tab showing NULL for agents that
hadn't re-registered since v3.1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-17 17:19:56 +00:00
myron f304ada4d3 Fix chat URL routing and agent.php fact_type column error
- sendMessage() was fetching /api.php?action=chat which bypasses the
  /api/* rewrite rule; api.php parsed endpoint as "api.php" → 404.
  Fixed to /api/chat so the rewrite routes it correctly to chat.php.

- agent.php HA entity map INSERT used non-existent fact_type column,
  causing PDOException on every agent heartbeat. Fixed to use the
  correct (category, fact_key, fact_value) columns.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-17 12:33:09 +00:00
myron 0469b31829 Agent version tracking — workers tab shows current vs latest version
- Add version column to registered_agents table
- Agents send version on registration (Linux 3.1, Windows 3.0, macOS 3.0)
- workers_list API returns latest_versions per platform
- Workers tab: VERSION column with green check (up-to-date) or red (outdated)
- Outdated agents highlight row and show blue UPDATE button
- Up-to-date agents show dimmed UPDATE button
- Update button dispatches update command immediately

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-12 01:44:59 +00:00
myron e08b80a6c6 Fix agent detection: real client IP via CF header, tablet/iPad support, subnet fallback match
2026-05-30 03:23:12 +00:00
myron ecbc2e09a5 Fix 8 code-review findings: security + reliability
1. agent.py: shell allow-check reads cfg, not server payload (RCE fix)
2. webhook.php: move WEBHOOK_SECRET to gitignored config.php; rotate secret
3. agent.py: replace recursive main() with while loop (RecursionError fix)
4. jarvis-deploy.sh: push force-revert to GitHub on syntax fail (loop fix)
5. agent.py: self_update() verifies SHA-256 before exec (integrity fix)
6. agent.php: remove JARVIS_IP from browser-action bypass (auth fix)
7. jarvis-watchdog.sh: escape SQL vars in alert() to prevent injection
8. jarvis-deploy.sh: atomic mv instead of cat+truncate (TOCTOU fix)

Also: distribute jarvis-agent.py.sha256 alongside agent for integrity checks
2026-05-25 14:27:27 +00:00
myron 6b6b6fcc3b Security fixes: SSL verification, SQL injection, auth bypass, hash_equals
- Enable CURLOPT_SSL_VERIFYPEER on Groq and Claude API calls (MITM fix)
- Parameterize agent_commands IN clause to prevent SQL injection
- Add session/IP check for list/status/myip endpoints (auth bypass fix)
- Use hash_equals() for registration key comparison (timing attack fix)
2026-05-25 13:46:11 +00:00
myron dc55e6c45b Initial commit: JARVIS AI dashboard v2.3
- 4-tier chat: HA control → Ollama → Groq → Claude
- Push-based agent system with heartbeat/metrics
- Network monitoring, alerts, Proxmox, Home Assistant
- Windows + Linux agent installers
- Stats cache cron, facts collector, KB engine
2026-05-25 13:22:57 +00:00