🔒 Security
- Brute-force protection — rate limiter on `/login` and `/setup` endpoints (10 attempts / 15 min)
- Race-condition-safe setup — `_setupInProgress` guard prevents concurrent setup requests
- Session cap — max 20 concurrent sessions; LRU eviction of oldest unused sessions
- bcrypt byte-length validation — enforces 72-byte limit by UTF-8 byte count (not char count) to prevent silent truncation of multi-byte passwords
- Generic login errors — `"Invalid credentials"` instead of distinguishing "not configured" vs "wrong password" (prevents user enumeration)
- Stricter display name sanitization — strips C1 controls, zero-width chars, bidi overrides, BOM
⚡ Performance
- In-memory sessions cache (`auth.js`) — eliminates stale-read race windows between concurrent logins
- Merged config cache with invalidation — removes 2× `readFileSync` per chat turn
- Prepared statements for hot-path task queries (`getTodoTasks`, `getInProgressTasks`, `setTaskSession`, `setTaskInProgress`)
- Database indexes — `idx_task_status`, `idx_task_session`, `idx_msg_created`
- Lazy `lastUsed` flush — session timestamp written to disk every 5 min instead of every request
🛡️ Reliability
- CLI subprocess global timeout (`CLAUDE_TIMEOUT_MS`, default 30 min) — kills hanging Claude processes
- `StringDecoder` for stdout/stderr — safe multi-byte UTF-8 handling
- try-catch on all event callbacks — ensures Promises always settle even if `ws.send` throws on closed socket
- Atomic DB transactions for task startup (create session + link task + mark in_progress)
- SIGKILL guard — checks `exitCode`/`signalCode` before killing to avoid hitting a reused PID
- Graceful WebSocket watcher cleanup — removes CLOSING/CLOSED sockets, deletes empty watcher sets
- Max line buffer (10 MB) for subprocess stdout — prevents OOM on runaway output
- `onDone` always fires — safety-net `_settled` flag prevents double-resolve in CLI and multi-agent flows
🎨 UI
- Rate limit badge — real-time display of API rate limit status with hover tooltip showing requests remaining, tokens remaining, and reset time
- Chat reconnect buffer — `chatBuffers` + `partial_text` column persist in-flight text so page refresh doesn't lose streamed content
- Clipboard paste in Kanban — paste screenshots directly into task attachments (Ctrl+V)
- Streaming delta deduplication — `content_block_delta` events no longer duplicate text from `assistant` message blocks
- i18n navigation labels — `nav.chat`, `nav.kanban`, `nav.aria` keys in UA/EN/RU
- Paste-flash animation on Kanban attachment dropzone
📦 Other
- Expanded `.dockerignore` — excludes secrets, IDE files, docs from production image
- `CLAUDE_TIMEOUT_MS` documented in `.env.example` and all READMEs
- Early `claude_session_id` persistence — open-terminal works during active chat/task
- Orchestrator no longer pollutes conversation context (uses disposable session for planning)