Mission Control launch-gate: API key rotation with zero downtime#1
Closed
krusty-agent wants to merge 246 commits intomainfrom
Closed
Mission Control launch-gate: API key rotation with zero downtime#1krusty-agent wants to merge 246 commits intomainfrom
krusty-agent wants to merge 246 commits intomainfrom
Conversation
- Reduced checkbox size from w-7 to w-5 - Reduced item text from text-sm to text-xs - Removed 'Press Enter' hint, simplified to 'Add item...' placeholder - Checked items already sort below unchecked (was already implemented)
1. Fix Profile DID display inconsistency - ProfileBadge now uses useCurrentUser() instead of useAuth() - Shows canonical DID (did:webvh) consistently 2. Move new item input to top of list - AddItemInput now appears above items, not below - Better UX for adding items 3. Link PRs/URLs to items - Added url field to items schema - Shows 🔗 indicator when item has a link 4. Notes/Details for items - Added description field to items schema - Shows 📝 indicator when item has notes 5. Due dates for items - Added dueDate field to items schema - Shows date badge with color coding (overdue = red) 6. Recurring items - Added recurrence field to items schema - Supports daily/weekly/monthly frequency - Shows 🔁 indicator for recurring items New components: - ItemDetailsModal: Edit item details (notes, due date, URL, recurrence) Schema changes: - items table: added description, dueDate, url, recurrence fields - New updateItem mutation for editing item details
The upsertUser mutation wasn't upgrading DIDs from did:key to did:webvh, only from did:temp. This caused the profile to show did:key while the client-side auth had the correct did:webvh. Now any user with a non-webvh DID will be upgraded when did:webvh is provided.
Without this, items/lists created with the old did:key would become inaccessible after the DID upgrade. The legacyDid field is used for permission checks and ownership lookups.
- Server now creates did:webvh during OTP verification instead of did:key - Removed DID upgrade logic (no longer needed) - New users get their canonical DID immediately, no client-side upgrade
Quick Fixes: - Fix item modal overlay (higher z-index, scrollable, backdrop blur) - Add items to top of list instead of bottom - Add touch drag support for mobile reordering Major Features: - 🔁 Recurring items - already supported in item modal - 🏷️ Tags/Labels - colorful tag system (backend ready, UI placeholder) - 📦 Sub-items - nested checklists within items (UI placeholder) - 🚨 Priority levels - high/medium/low with visual indicators - 📷 Attachments - file upload support (backend ready) - 🔔 Notifications - push subscription endpoints (backend ready) - 📆 Calendar view - see items with due dates on calendar - ✅ Batch operations - select multiple items toolbar - 📁 List templates - save/reuse list structures (UI placeholder) - ⌨️ Keyboard shortcuts - power user hotkeys hook Note: Some features require Convex backend deployment to fully function. The backend files (tags.ts, templates.ts, attachments.ts, notifications.ts) are ready and will work once the Convex service is available.
When a recurring item is checked off, automatically creates a new unchecked copy with the next due date calculated based on the recurrence frequency (daily/weekly/monthly) and interval. - Updated checkItem mutation to detect recurrence and create next occurrence - Updated batchCheckItems for consistency - New item inherits all properties (name, description, priority, tags, etc.) - New item placed at top of list with next calculated due date - Attachments are not copied (belong to original item)
Vite's content hashing already handles browser caching for these assets. Caching them in the service worker causes issues when deployments have interdependent bundles (e.g., ListView-ABC.js references ItemDetailsModal-XYZ.js but the new deployment only has ItemDetailsModal-NEW.js). - Bump cache version to invalidate old caches - Skip caching /assets/*.js and *.css files with content hashes - Let browser HTTP caching handle these (immutable, long-lived)
- Connect TagSelector to useQuery for fetching list tags - Add useMutation for createTag, addTagToItem, removeTagFromItem - Implement tag toggle functionality (click to add/remove) - Auto-add newly created tags to the current item - Add visual feedback (checkmark) for selected tags The component was previously stubbed out with TODO comments and an empty tags array. Now it actually works.
- Add Attachments component with upload/view/delete functionality - Integrate Convex file storage (backend already exists) - Show attachment indicator (📎 count) on list items - Support images, PDFs, and text files (max 10MB) - Add to ItemDetailsModal alongside other item properties
React Router may not parse 'list-:listId' correctly as a partial segment param. Changed to '/:userPath/resources/:resourceId' and parse the 'list-' prefix in the component instead.
When opening /user-*/resources/list-*, resolve by didLogs first. If missing, fallback to list+publication lookup and validate publication DID matches the requested userPath/listId URL. This unblocks existing users whose DID logs were never backfilled.
- Add public shared-list mutations: checkSharedItem/uncheckSharedItem
- Add POST endpoints:
/d/{userPath}/resources/list-{listId}/items/{itemId}/check
/d/{userPath}/resources/list-{listId}/items/{itemId}/uncheck
- Include item _id in shared resource payload
- Make shared list items clickable with optimistic toggle UI
Updated the link to the features backlog for clarity.
…, retention enforcement
…racts (aviarytech#139) * docs: revise Mission Control PRD for Orgo-first runtime * docs: add 'Really Good Employee' abstraction and capability checklist * docs: add required V1.1 launch gates for controls, reliability, schema, security * docs: add Phase 1 acceptance tests and observability dashboard spec * docs: tighten ownership, env policy, schema versioning, alert routing, retention enforcement * test: expand mission control phase1 acceptance harness for block 2 * Add Phase 1 observability baseline wiring and dashboard config * chore: harden phase1 observability contract and block4 tracker * chore: close mission control block5 with PR link --------- Co-authored-by: krusty-agent <krusty-agent@users.noreply.github.com>
…iews (aviarytech#142) * fix: use parent org ID for Turnkey signing to fix org mismatch Turnkey requires the organizationId in signRawPayload to match the API key's organization (parent org), not the sub-org where the wallet lives. The parent org key has authority over sub-org wallets. * feat: support multi-file uploads and stable non-image attachment previews * fix: use wallet account org for Turnkey signing context --------- Co-authored-by: Krusty <krusty@clawdbot.com>
…ls (aviarytech#145) Co-authored-by: Krusty <krusty@clawdbot.com>
…ech#143) Co-authored-by: krusty-agent <krusty-agent@users.noreply.github.com>
aviarytech#146) Co-authored-by: Krusty <krusty@clawdbot.com>
…#149) * feat(mission-control): add team dashboard and agent status/team API * feat(mission-control): add phase 3 memory store APIs and browser UI --------- Co-authored-by: Krusty <krusty@clawdbot.com> Co-authored-by: Brian Richter <brian@aviary.tech>
…ytech#148) * feat(schedule): add schedule entries API and calendar schedule pills * feat(schedule): add scheduleEntries schema table --------- Co-authored-by: Krusty <krusty@clawdbot.com> Co-authored-by: Brian Richter <brian@aviary.tech>
…health dashboard (aviarytech#150) * feat(mission-control): add launch controls API and audit events * feat(mission-control): add run-health surfaces and readiness drill baseline * chore(merge-hygiene): preserve agent team quickAction mutation * chore(merge-hygiene): integrate schedule API and owner query surfaces * chore(merge-hygiene): fold in dashboard and schedule integration updates * fix: remove stale parse helper in mission control api * feat(mission-runs): add filtered paginated dashboard UI and API docs * feat(team): wire mission run controls to runtime endpoints --------- Co-authored-by: Krusty <krusty@clawdbot.com>
…ytech#151) * feat(mission-control): add openclaw bidirectional memory sync with conflict policy * feat(mission-control): add key rotation state + artifact retention audit primitives --------- Co-authored-by: Krusty <krusty@clawdbot.com>
…drill wiring (aviarytech#152) Co-authored-by: Krusty <krusty@clawdbot.com>
Owner
Author
|
Closing to keep all Mission Control work tracked in aviarytech/todo PRs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements a launch-gate slice for API key rotation with zero downtime in Mission Control:
gracePeriodMinutes) while keeping existing hour-based windows.gracePeriodHoursXORgracePeriodMinutes) with 400 validation.gracePeriodMsin rotate response for explicit operator/audit visibility.Changes
convex/missionControlApi.tsPOST /api/v1/auth/keys/:id/rotatenow accepts:gracePeriodHours(1..168) ORgracePeriodMinutes(1..10080)gracePeriodMsin response payload.scripts/validate-api-key-rotation.mjsdocs/mission-control/api-key-rotation-zero-downtime.mddocs/mission-control/mission-runs-api.md(link to launch-gate doc)API.md(updated rotate payload contract)package.jsonmission-control:validate-key-rotationscript.Validation Evidence
Executed locally:
Output: