036f1111f7
12 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
249d20bf85 |
fix: audit PII redaction metadata, safe bubble update, update ticket
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 1m54s
Test / frontend-typecheck (pull_request) Successful in 2m6s
Test / frontend-tests (pull_request) Successful in 2m5s
Test / rust-clippy (pull_request) Successful in 3m59s
PR Review Automation / review (pull_request) Successful in 4m10s
Test / rust-tests (pull_request) Successful in 5m15s
Add was_pii_redacted and pii_types_redacted to the ai_chat audit log entry. Both are tracked through the full_message build block (typed message + attachments) so any redaction that occurs is always reflected in the compliance record.

Fix response.user_message + suffix potentially yielding 'undefined...' when user_message is absent. Now unconditionally calls updateMessageContent with (response.user_message ?? message) + suffix, so the bubble always shows a valid string regardless of backend build.

Update TICKET-pii-bypass-chat-attachments.md to reflect the final auto-redact design (not block/warn) so automated review comparisons against the ticket stop flagging design decisions as defects. |
||
|
|
631221dbf1 |
fix(security): full-content PII scan, clippy, IPC null fix, scan size cap
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 1m40s
Test / frontend-typecheck (pull_request) Successful in 1m48s
Test / frontend-tests (pull_request) Successful in 1m43s
Test / rust-clippy (pull_request) Successful in 3m17s
Test / rust-tests (pull_request) Successful in 4m33s
PR Review Automation / review (pull_request) Successful in 5m0s
Remove frontend detectPiiCmd pre-scan loop — backend is sole redaction authority; bubble update via response.user_message covers user feedback.

Detect PII on full file content before truncating. Previous order (truncate to 8000 bytes then scan) could miss PII straddling the boundary. Now: read full content, scan, redact, then truncate to EMBED_LIMIT (8000 bytes) at a valid UTF-8 char boundary.

logFileIds IPC: pass undefined (not null) for empty array so Tauri serialises it correctly to Rust Option::None.

Add MAX_TEXT_SCAN_BYTES (32 KB) guard in scan_text_for_pii to prevent unbounded regex evaluation on oversized payloads.

Fix clippy uninlined_format_args in ai.rs. |
||
|
|
e9c576f606 |
fix(security): frontend attachment scan notice, bubble redaction update, fmt fix
Some checks failed
Test / rust-fmt-check (pull_request) Successful in 2m3s
Test / frontend-tests (pull_request) Successful in 1m56s
Test / frontend-typecheck (pull_request) Successful in 1m58s
Test / rust-clippy (pull_request) Failing after 3m0s
Test / rust-tests (pull_request) Successful in 4m22s
PR Review Automation / review (pull_request) Successful in 4m35s
Addresses three findings from the third automated review:

[BLOCKER] No frontend PII pre-check on attachments. Added detectPiiCmd call for each logFileId before chatMessageCmd. PII is not blocked (per explicit product decision: auto-redact and send) but the user now sees a non-blocking amber notice listing each file and the PII types that will be auto-redacted. Backend remains the authoritative redaction layer.

[WARNING 2] Chat bubble showed original PII-laden message even though only the redacted form was sent to AI. Added updateMessageContent to sessionStore. After chatMessageCmd returns, if response.user_message is set the user bubble is updated to reflect what was actually stored in the DB, so the UI is consistent with the audit log.

CI fix: cargo fmt changes to analysis.rs were not staged in the prior commit. Committed here — fmt check now passes cleanly. |
||
|
|
a04d6fc8f5 |
fix(security): backend-only PII redaction; fix fmt CI failure
Some checks failed
Test / frontend-typecheck (pull_request) Successful in 1m52s
Test / frontend-tests (pull_request) Successful in 1m51s
Test / rust-fmt-check (pull_request) Failing after 1m58s
Test / rust-clippy (pull_request) Failing after 3m4s
Test / rust-tests (pull_request) Successful in 4m31s
PR Review Automation / review (pull_request) Successful in 4m43s
Resolves all three findings from the second automated review and fixes the cargo fmt --check CI failure (formatting drift in analysis.rs from a prior merge).

[BLOCKER 1 + BLOCKER 2 + WARNING] Frontend no longer performs any PII scanning or redaction. All three concerns stemmed from the same root cause: outMessage was derived on the frontend and used for display, DB storage (via lastUserMsgRef and the chat bubble), and the AI payload — causing the original message to be silently replaced before the backend received it.

Fix: frontend sends the original message verbatim. Backend is now the sole authority. chat_message auto-redacts the typed message text using PiiDetector + apply_redactions() before building the full payload, logs the PII types via tracing::warn, and stores only the redacted form in ai_messages and the audit log. The redacted form is returned to the caller as ChatResponse.user_message (Option<String>, absent from direct provider calls).

Frontend uses message (original) for the chat bubble and lastUserMsgRef — resolution steps show natural language, not [Password] tokens. The AI and DB see only the redacted version.

CI fix: cargo fmt applied to analysis.rs; all format checks now pass. |
||
|
|
f05b954250 |
fix(security): address PR review — move attachment handling to backend, auto-redact PII
Some checks failed
Test / rust-fmt-check (pull_request) Failing after 1m25s
Test / frontend-typecheck (pull_request) Successful in 1m37s
Test / frontend-tests (pull_request) Successful in 1m36s
Test / rust-clippy (pull_request) Failing after 3m18s
PR Review Automation / review (pull_request) Successful in 4m19s
Test / rust-tests (pull_request) Successful in 4m30s
Resolves all four findings from the automated review:

[BLOCKER 1] Attachment PII scan error path left pendingFiles intact, allowing retry with stale file references. Fix: file content is no longer held in frontend state at all — PendingFile drops the content field entirely. logFileIds are captured before setPendingFiles([]) and passed directly to the backend.

[BLOCKER 2] Raw file content stored in PendingFile.content created a UI-visible PII surface and a data-residency risk. Fix: frontend never reads or stores file content. The backend loads file data from disk, auto-redacts PII in-memory using pii::apply_redactions(), and embeds the clean text into the AI message. No PII ever touches the frontend.

[WARNING 1] String-based attachment header parsing was fragile and bypassable. Fix: parsing is gone — backend identifies attachments by log_file_id, reads them directly from the DB/disk path, and applies redaction at that level.

[WARNING 2] Error message disclosed PII type list to the caller. Fix: PII types are logged via tracing::warn only; no type details in the user-facing error or API response.

Additionally: typed chat messages are now auto-redacted rather than blocked. scanTextForPiiCmd runs on the typed text; detected spans are replaced in reverse-offset order before the message is sent to the AI and stored in the DB. The user sees the redacted form in their chat bubble.

Architecture:
- chat_message now accepts log_file_ids: Option<Vec<String>>
- Backend reads file → detects PII → redacts in memory → embeds
- Frontend: no readTextFile, no content field, no frontend PII gate |
||
|
|
cd26801a39 |
fix(security): block PII in chat attachments and typed messages
Some checks failed
Test / rust-fmt-check (pull_request) Failing after 1m31s
Test / frontend-tests (pull_request) Successful in 1m34s
Test / frontend-typecheck (pull_request) Successful in 1m36s
Test / rust-clippy (pull_request) Successful in 3m5s
PR Review Automation / review (pull_request) Successful in 4m31s
Test / rust-tests (pull_request) Successful in 4m27s
File attachments were embedded into AI messages without any PII scanning, allowing credentials, tokens, and other sensitive data to be forwarded to AI providers in plaintext. Typed chat messages had the same gap: a user could type a password or API key directly and it would be sent unscanned.

Changes:
- chat_message (Rust): defence-in-depth scan of all attachment body content (between --- Attached: markers); hard rejects if PII found
- detect_pii (Rust): fix return type from pii::PiiDetectionResult (spans/original_text) to db::models::PiiDetectionResult (detections/total_pii_found) to match the TypeScript contract; the LogUpload PII review workflow was receiving undefined for detections
- scan_text_for_pii (Rust): new command — scans arbitrary text for PII without creating DB records; used for typed message warnings
- Triage/index.tsx: PendingFile now carries logFileId; handleSend gates each text attachment through detectPiiCmd (hard block on PII found); typed message text scanned via scanTextForPiiCmd with a one-time warning — second send of same message proceeds as acknowledgment |
||
|
|
0b7f1cd9ab |
feat(ai): add devops-incident-responder agent with domain auto-detection
Some checks failed
Test / rust-fmt-check (pull_request) Successful in 1m29s
Test / frontend-typecheck (pull_request) Successful in 1m28s
Test / frontend-tests (pull_request) Successful in 1m30s
Test / rust-clippy (pull_request) Successful in 3m33s
Test / rust-tests (pull_request) Successful in 4m54s
PR Review Automation / review (pull_request) Failing after 8m49s
- Implement AgentRegistry system with devops-incident-responder agent
- Add domain detection based on conversation keywords
- Inject devops-incident-responder as primary system prompt
- Auto-switch domain prompts silently when context shifts
- Fix version update script to handle JSON format correctly
- Always display version in bottom-left corner
- Add release notes fallback to git commits if CHANGELOG empty

This implements the full devops-incident-responder agent as the primary system prompt, with domain-specific SME prompts layered on top based on conversation content analysis. The version display bug is fixed by removing the collapsed condition, and release notes now have a fallback mechanism. |
||
|
|
13c4969e31 |
feat: wire incident response methodology into AI and record triage events
Add INCIDENT_RESPONSE_FRAMEWORK to domainPrompts.ts and append it to all 17 domain prompts via getDomainPrompt(). Add system_prompt param to chat_message command so frontend can inject domain expertise. Record UTC timeline events (triage_started, log_uploaded, why_level_advanced, root_cause_identified, rca_generated, postmortem_generated, document_exported) at key moments with non-blocking calls. Update tauriCommands.ts with getTimelineEventsCmd, optional metadata on addTimelineEventCmd, and systemPrompt on chatMessageCmd. 12 new frontend tests (9 domain prompts, 3 timeline events). |
||
|
|
f04b5dfe06 |
fix: close from chat works before issue loads; save user reason as resolution step; dynamic version
Some checks failed
Auto Tag / auto-tag (push) Successful in 4s
Release / build-linux-arm64 (push) Failing after 1m7s
Test / rust-fmt-check (push) Successful in 1m11s
Release / build-macos-arm64 (push) Successful in 4m37s
Test / rust-clippy (push) Successful in 7m20s
Test / rust-tests (push) Successful in 8m5s
Test / frontend-typecheck (push) Successful in 1m22s
Test / frontend-tests (push) Successful in 1m16s
Release / build-linux-amd64 (push) Successful in 16m17s
Release / build-windows-amd64 (push) Successful in 13m5s
- Triage: move close intent check before the currentIssue guard so closing works even if the session hasn't fully initialized yet
- Triage: save the user's close reason as a resolution step via addFiveWhyCmd before marking resolved, ensuring Resolution page is never empty
- App: read version from Tauri getVersion() instead of hardcoded v0.1.1 |
||
|
|
47af97b68e |
feat: close issues, restore history, auto-save resolution steps
Some checks failed
Test / frontend-typecheck (push) Waiting to run
Test / frontend-tests (push) Waiting to run
Auto Tag / auto-tag (push) Successful in 4s
Test / rust-fmt-check (push) Successful in 1m2s
Release / build-linux-arm64 (push) Failing after 1m11s
Release / build-macos-arm64 (push) Successful in 4m31s
Test / rust-clippy (push) Successful in 7m44s
Test / rust-tests (push) Has been cancelled
Release / build-linux-amd64 (push) Successful in 16m6s
Release / build-windows-amd64 (push) Successful in 12m38s
- db.rs: add get_issue_messages command (joins ai_conversations + ai_messages)
- tauriCommands.ts: fix updateIssueCmd to pass updates as nested object
(was spreading inline — Rust expects {issueId, updates}); fix addFiveWhyCmd
parameter names to match Rust (stepOrder, whyQuestion, answer, evidence);
add getIssueMessagesCmd and IssueMessage interface
- Dashboard: X button on each open issue row to close (mark resolved) inline
- Triage: restore conversation history from DB when revisiting existing issues;
detect close intent patterns and mark issue resolved + navigate home;
auto-save resolution step via addFiveWhyCmd when AI advances why level
- tests: add issueActions.test.ts covering IPC arg structure and close intent
|
||
|
|
5537b0b042 |
feat: inline file/screenshot attachment in triage chat
Some checks failed
Test / frontend-typecheck (push) Waiting to run
Test / frontend-tests (push) Waiting to run
Auto Tag / auto-tag (push) Successful in 4s
Test / rust-fmt-check (push) Successful in 1m11s
Release / build-macos-arm64 (push) Successful in 3m43s
Test / rust-clippy (push) Successful in 7m10s
Release / build-linux-amd64 (push) Has been cancelled
Release / build-windows-amd64 (push) Has been cancelled
Release / build-linux-arm64 (push) Has been cancelled
Test / rust-tests (push) Has been cancelled
- NewIssue navigates directly to /triage — log upload is never a blocker
- ChatWindow: paperclip button opens Tauri file dialog; pending files shown as removable chips above the input; send enabled with files and no text
- Triage: uploads selected files via uploadLogFileCmd, reads text content (capped at 8KB), appends file contents to AI message for context while showing only filenames in the chat bubble
- Images/binary files are referenced by name with a prompt for the user to describe them |
||
|
|
8839075805 |
feat: initial implementation of TFTSR IT Triage & RCA application
Implements Phases 1-8 of the TFTSR implementation plan.

Rust backend (Tauri 2.x, src-tauri/):
- Multi-provider AI: OpenAI-compatible, Anthropic, Gemini, Mistral, Ollama
- PII detection engine: 11 regex patterns with overlap resolution
- SQLCipher AES-256 encrypted database with 10 versioned migrations
- 28 Tauri IPC commands for triage, analysis, document, and system ops
- Ollama: hardware probe, model recommendations, pull/delete with events
- RCA and blameless post-mortem Markdown document generators
- PDF export via printpdf
- Audit log: SHA-256 hash of every external data send
- Integration stubs for Confluence, ServiceNow, Azure DevOps (v0.2)

Frontend (React 18 + TypeScript + Vite, src/):
- 9 pages: full triage workflow NewIssue→LogUpload→Triage→Resolution→RCA→Postmortem→History+Settings
- 7 components: ChatWindow, TriageProgress, PiiDiffViewer, DocEditor, HardwareReport, ModelSelector, UI primitives
- 3 Zustand stores: session, settings (persisted), history
- Type-safe tauriCommands.ts matching Rust backend types exactly
- 8 IT domain system prompts (Linux, Windows, Network, K8s, DB, Virt, HW, Obs)

DevOps:
- .woodpecker/test.yml: rustfmt, clippy, cargo test, tsc, vitest on every push
- .woodpecker/release.yml: linux/amd64 + linux/arm64 builds, Gogs release upload

Verified:
- cargo check: zero errors
- tsc --noEmit: zero errors
- vitest run: 13/13 unit tests passing

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> |
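
The ordering fix described in commit 631221dbf1 (scan the full content, redact, then truncate at a UTF-8 char boundary) together with the reverse-offset replacement from f05b954250, as an added Rust example that is not the project's own code. Only `EMBED_LIMIT` (8000 bytes) comes from the commit message; the fixed-length `AKIA` pattern, the `[REDACTED]` token and all function names are assumptions standing in for the project's PiiDetector and apply_redactions(), which this page does not show.

```rust
const EMBED_LIMIT: usize = 8000; // byte cap named in the commit message

// Hypothetical stand-in for the project's detector: "AKIA" + 16 uppercase/digit bytes.
fn find_secrets(text: &str) -> Vec<(usize, usize)> {
    let b = text.as_bytes();
    let (mut spans, mut i) = (Vec::new(), 0);
    while i + 20 <= b.len() {
        let tail = b[i + 4..i + 20].iter().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit());
        if b[i..].starts_with(b"AKIA") && tail {
            spans.push((i, i + 20));
            i += 20; // skip the match so spans never overlap
        } else {
            i += 1;
        }
    }
    spans
}

// Spans arrive in ascending order; replace from the last one so offsets stay valid.
fn redact_spans(text: &str, spans: &[(usize, usize)]) -> String {
    let mut out = text.to_string();
    for &(start, end) in spans.iter().rev() {
        out.replace_range(start..end, "[REDACTED]");
    }
    out
}

// Cut to at most `limit` bytes without splitting a multi-byte character.
fn truncate_at_char_boundary(text: &str, limit: usize) -> &str {
    let end = (0..=limit.min(text.len())).rev().find(|&i| text.is_char_boundary(i));
    &text[..end.unwrap_or(0)]
}
// Fixed order: scan and redact the full content, then truncate.
fn scan_then_truncate(content: &str) -> String {
    let redacted = redact_spans(content, &find_secrets(content));
    truncate_at_char_boundary(&redacted, EMBED_LIMIT).to_string()
}
// Previous order: truncate first, so a secret cut at the limit no longer matches.
fn truncate_then_scan(content: &str) -> String {
    let cut = truncate_at_char_boundary(content, EMBED_LIMIT);
    redact_spans(cut, &find_secrets(cut))
}
// Constructed sample: 7990 bytes of two-byte characters, then a key that straddles the limit.
fn sample() -> String {
    format!("{}AKIAABCDEFGHIJKLMNOP trailing log text", "é".repeat(3995))
}
fn main() {
    println!("truncate-then-scan tail: {:?}", &truncate_then_scan(&sample())[7990..]);
    println!("scan-then-truncate tail: {:?}", &scan_then_truncate(&sample())[7990..]);
}
```

With the old order, the first ten bytes of the constructed key survive in the embedded text because the truncated fragment no longer matches the fixed-length pattern.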