mirror of
https://github.com/AmruthPillai/Reactive-Resume.git
synced 2026-06-22 04:11:55 +10:00
Amruth Pillai
6d8d8f6e55
* chore(ai): remove local AI store now that providers live server-side
The Zustand-based useAIStore has been replaced by the server-side
aiProviders oRPC router (encrypted credentials persisted in DB).
Delete the dead store + tests, drop the ./store export, and remove
zustand/immer deps which are no longer referenced anywhere in
packages/ai/src/.
* feat(agent): archive/delete actions and read-only state for agent threads
- Backend: mark archived threads as read-only in threads.get and reject
messages.send with CONFLICT when the thread is archived.
- Frontend: render archived threads in the sidebar with muted styling and
an Archived badge; add a per-thread dropdown menu in the chat header
with Archive (non-destructive) and Delete (with confirmation); show a
read-only banner above the message list that disambiguates archived
vs. missing-resource causes; suppress the Retry and Stop buttons in
read-only mode.
- Tests: new packages/api/src/services/agent.test.ts covering the
archived-thread isReadOnly flag and the archived-thread send refusal.
* fix(agent): abort run on archive and verify ownership before deleting thread
- threads.archive: before flipping status, abort any in-flight run controller
and clear the active-run state on the thread; cleanup failures are logged
but do not block the status update.
- threads.delete: assert thread ownership via getThread before destructive
work so an authenticated user cannot wipe another user's attachment rows
by passing a foreign threadId.
Adds focused tests for both behaviors.
* feat(agent): display patch diffs and surface revert conflicts
Render apply_resume_patch tool messages with a status-aware card (applied/
reverted/conflicted), expandable operation list, and a Revert button that
correctly handles RESUME_VERSION_CONFLICT responses. Adds unit tests for
the inverse-patch builder and the agentService.actions.revert flow.
* chore(agent): remove out-of-scope attachment tests accidentally added in Task 6
The Task 6 commit (73ef1acca) accidentally re-introduced three attachment-
related tests that belong to a separate task:
- `buildAttachmentModelParts > converts text, image, supported binary, and
unsupported attachments into model parts`
- `agentService.messages.send > persists the user message with file UI parts
and links selected attachments to it` (was failing — the `ToolLoopAgent`
mock is not callable as a constructor)
- `agentService.messages.send > rejects attachments that are missing, foreign,
or already linked before persisting a message`
These were likely re-added during a stash recovery and were not requested
for Task 6, whose scope was limited to the `agentService.actions.revert`
flow. Remove them along with the helpers/fixtures (`buildAttachment`,
`buildActiveThread`, `selectWhereResult`, `selectOrderByResult`) that they
were the only consumers of. `selectLimitResult` is preserved because it is
used by the revert tests.
* chore(agent): configure runtime dependencies
* feat(db): add agent workspace schema
* feat(api): add agent backend services
* feat(web): add agent workspace UI
* chore(agent): remove legacy builder assistant
* test(agent): make agent stream mocks constructible
* chore(web): remove unused resume replacement hook
* feat(api): add unsafe AI base URL flag
* chore(dev): expose local services in compose
* fix(web): normalize resume preview gaps
* feat(api): improve agent tool handling
* feat(web): polish agent workspace UI
* chore: update dependencies
* fix(api,web): address PR review feedback for agent workspace
Security/correctness:
- Restrict AI provider URLs to http/https even in unsafe mode
- Stop exposing Redis on host network by default
- Make .env.local optional and drop app profile in compose.dev.yml
- Store agent attachments with private ACL on S3
- Reset provider test status when provider/model/baseURL changes
- Decouple non-agent AI endpoints from REDIS_URL requirement
- Fix JSON Patch add inverse for existing object members
- Wrap resume patch + agent action insert in db transaction
- Validate partialMessage at runtime and rate-limit attachment uploads
- Add unique index on agent_messages (thread_id, sequence)
UX/bugs:
- Mark agent thread route as ssr: false and guard SSE chunk parsing
- Show config-specific banner only on known configuration error
- Gate AI provider checks behind loading state in resume import
- Fix relative-time formatter blank gap between 45-59 seconds
- Clarify thread delete confirmation message
Polish:
- Raise ENCRYPTION_SECRET minimum to 32 characters
- Bucket AI rate limits by resumeId/threadId/messageId
- Trim form values before submitting AI provider config
- Use single key identifier and nullish-coalesce baseURL display
* fix: address ai agent review feedback
* fix: preserve mobile agent chat state
* docs: add ai agent workspace guides
* feat: introduce design system for Reactive Resume
117 lines
4.1 KiB
Bash
117 lines
4.1 KiB
Bash
# --- Application ---
|
|
# Port used by the web server in local development and self-hosted containers.
|
|
PORT="3000"
|
|
|
|
# Public URL where the app is served. Used for auth callbacks, OAuth issuer URLs,
|
|
# OpenGraph metadata, and absolute upload URLs.
|
|
APP_URL="http://localhost:3000"
|
|
|
|
# --- Database (PostgreSQL) ---
|
|
# PostgreSQL connection URL. In Docker Compose, the hostname is usually `postgres`;
|
|
# when running directly on your machine, `localhost` is typical.
|
|
DATABASE_URL="postgresql://postgres:postgres@localhost:5432/postgres"
|
|
|
|
# --- Authentication ---
|
|
# Generated using `openssl rand -hex 32`
|
|
AUTH_SECRET="change-me-to-a-secure-secret-key-in-production"
|
|
|
|
# Better Auth Dashboard (optional)
|
|
# Enables the Better Auth Dashboard plugin when set, you probably don't need this.
|
|
BETTER_AUTH_API_KEY=""
|
|
|
|
# Social Auth (Google, optional)
|
|
# Set both values to enable Google sign-in.
|
|
GOOGLE_CLIENT_ID=""
|
|
GOOGLE_CLIENT_SECRET=""
|
|
|
|
# Social Auth (GitHub, optional)
|
|
# Set both values to enable GitHub sign-in.
|
|
GITHUB_CLIENT_ID=""
|
|
GITHUB_CLIENT_SECRET=""
|
|
|
|
# Social Auth (LinkedIn, optional)
|
|
# Set both values to enable LinkedIn sign-in.
|
|
LINKEDIN_CLIENT_ID=""
|
|
LINKEDIN_CLIENT_SECRET=""
|
|
|
|
# Custom OAuth Provider (optional)
|
|
# Set OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET plus either OAUTH_DISCOVERY_URL or
|
|
# the three manual endpoint URLs below.
|
|
OAUTH_PROVIDER_NAME=""
|
|
OAUTH_CLIENT_ID=""
|
|
OAUTH_CLIENT_SECRET=""
|
|
OAUTH_DISCOVERY_URL=""
|
|
OAUTH_AUTHORIZATION_URL=""
|
|
OAUTH_TOKEN_URL=""
|
|
OAUTH_USER_INFO_URL=""
|
|
|
|
# Space-separated scopes requested from the custom OAuth provider.
|
|
OAUTH_SCOPES="openid profile email"
|
|
|
|
# Comma-separated extra hosts/origins allowed for dynamic OAuth client redirect URIs.
|
|
# By default, only the APP_URL origin is allowed.
|
|
OAUTH_DYNAMIC_CLIENT_REDIRECT_HOSTS=""
|
|
|
|
# --- Email (optional) ---
|
|
# If SMTP_HOST, SMTP_USER, SMTP_PASS, or SMTP_FROM is missing, the app logs the
|
|
# email to the console instead.
|
|
SMTP_HOST="localhost"
|
|
SMTP_PORT="1025"
|
|
SMTP_USER=""
|
|
SMTP_PASS=""
|
|
SMTP_FROM="Reactive Resume <noreply@rxresu.me>"
|
|
SMTP_SECURE="false"
|
|
|
|
# --- Storage (optional) ---
|
|
# If all S3 keys are disabled, the app uses local filesystem storage instead.
|
|
# Make sure to mount this directory to a volume or the host filesystem to ensure data integrity.
|
|
# LOCAL_STORAGE_PATH overrides where local uploads/cache are written.
|
|
# Defaults to /app/data in the official Docker image; in dev, defaults to <workspace>/data.
|
|
# LOCAL_STORAGE_PATH="/app/data"
|
|
|
|
# Seaweedfs
|
|
S3_ACCESS_KEY_ID="seaweedfs"
|
|
S3_SECRET_ACCESS_KEY="seaweedfs"
|
|
S3_REGION="us-east-1"
|
|
S3_ENDPOINT="http://localhost:8333"
|
|
S3_BUCKET="reactive-resume"
|
|
S3_FORCE_PATH_STYLE="true"
|
|
|
|
# --- AI Agent Workspace (optional) ---
|
|
# Required only for the authenticated /agent workspace and saved AI providers.
|
|
REDIS_URL="redis://localhost:6379"
|
|
ENCRYPTION_SECRET="change-me-to-a-secure-agent-secret-in-production"
|
|
|
|
# Optional Cloudflare Browser Run credentials used as a URL extraction fallback for agent web access.
|
|
CLOUDFLARE_ACCOUNT_ID=""
|
|
CLOUDFLARE_API_TOKEN=""
|
|
|
|
# --- Feature Flags ---
|
|
# This flag disables new signups, both on the web app and the server.
|
|
FLAG_DISABLE_SIGNUPS="false"
|
|
|
|
# This flag disables email/password login. Disables email verification, forgot password, and reset password flows.
|
|
# Users can still sign up via social auth (Google/GitHub/Custom OAuth), unless FLAG_DISABLE_SIGNUPS is also set to true.
|
|
FLAG_DISABLE_EMAIL_AUTH="false"
|
|
|
|
# This flag disables the image processing.
|
|
# This is useful if you are using a machine with limited resources, like a Raspberry Pi.
|
|
FLAG_DISABLE_IMAGE_PROCESSING="false"
|
|
|
|
# Allows AI providers to be configured with any base URL, including http:// and
|
|
# private/loopback addresses (e.g. http://localhost:11434 for a local Ollama instance).
|
|
# WARNING: Enabling this on a multi-tenant deployment is a Server-Side Request Forgery (SSRF)
|
|
# risk. Only enable this on a trusted, single-tenant self-hosted instance.
|
|
FLAG_ALLOW_UNSAFE_AI_BASE_URL="false"
|
|
|
|
# --- Others ---
|
|
# Google Cloud API Key (optional)
|
|
# For font-list generation tooling.
|
|
# Requires "Google Fonts Developer API" to be enabled.
|
|
GOOGLE_CLOUD_API_KEY=""
|
|
|
|
# Crowdin (optional)
|
|
# For translation tooling.
|
|
CROWDIN_PROJECT_ID=""
|
|
CROWDIN_PERSONAL_TOKEN=""
|