feat(dev): align local dashboard flow with prod proxy

[yacosta738]

This pull request updates the local development workflow and the dashboard app to use a same-origin, proxied setup at http://corvus.localhost for both the gateway API and dashboard UI. It standardizes the default base URL to /api, updates documentation and UI to match the new flow, and improves security by defaulting to proxied endpoints. There are also related build and configuration improvements.

Development workflow and proxy changes:

• Updated the dev environment to start a proxy at corvus.localhost that routes /api requests to the backend and serves the dashboard UI on the same origin, matching production reverse proxy setups. Added Caddyfile configs for proxying and clarified Makefile/dev scripts. [1] [2] [3]
• Updated documentation (README.md, dashboard and agent-runtime READMEs, guides) to instruct using make dev-up and ./dev/cli.sh up-dashboard, and to use http://corvus.localhost as the entry point for both the dashboard and API. [1] [2] [3] [4] [5] [6] [7] [8] [9]

Dashboard app improvements:

• Changed the dashboard's default base URL to /api, making all API requests use same-origin proxied endpoints by default. Updated placeholder text, translations, and pairing logic to match. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
• Added tests to verify that the dashboard uses the proxied /api endpoints by default.

Build and configuration changes:

• Improved dashboard build process to use filtered build commands and updated pnpm usage, and excluded test files from production builds. [1] [2] [3]
• Added missing devDependency @vue/tsconfig for UI package and updated lockfile. [1] [2]

Minor changes:

• Cleaned up unused config lines in the agent-runtime Dockerfile.

Closes: #213

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	ba8a8f2
Status:	✅  Deploy successful!
Preview URL:	https://993e1026.corvus-42x.pages.dev
Branch Preview URL:	https://feat-dev-proxy-localhost.corvus-42x.pages.dev

View logs

[coderabbitai]

Warning

Rate limit exceeded

@yacosta738 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 9 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2dd36da2-ac92-4a12-87f9-4fd8378f9f86

📥 Commits

Reviewing files that changed from the base of the PR and between 67f623c and ba8a8f2.

📒 Files selected for processing (13)

• clients/agent-runtime/README.md
• clients/web/apps/dashboard/README.md
• clients/web/apps/dashboard/package.json
• clients/web/apps/dashboard/src/composables/useConfig.spec.ts
• clients/web/apps/dashboard/src/composables/useConfig.ts
• clients/web/apps/dashboard/tsconfig.app.json
• clients/web/apps/dashboard/tsconfig.node.json
• clients/web/apps/docs/src/content/docs/es/guides/cli-reference.md
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md
• clients/web/apps/docs/src/content/docs/guides/getting-started.md
• clients/web/packages/locales/tsconfig.json
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md
• openspec/specs/dashboard/spec.md

📝 Walkthrough

Walkthrough

Refactors local dev to run dashboard and gateway behind a single Caddy reverse proxy at corvus.localhost. Adds caddy-dev service, two Caddyfiles, landing page, CLI activation, docker-compose changes, and updates dashboard frontend, tests, locales, docs, and build scripts to use proxied /api endpoints.

Changes

Cohort / File(s)	Summary
Reverse proxy & compose dev/docker-compose.yml, dev/Caddyfile.dashboard, dev/Caddyfile.landing	Add caddy-dev service; remove direct host port publishes for corvus/dashboard; route /api/* to corvus-dev and proxied dashboard traffic.
CLI / orchestration scripts dev/cli.sh, Makefile, .gitignore	Add ACTIVE_CADDYFILE and activate_caddyfile; new up/up-dashboard flows that activate chosen Caddyfile, recreate listed services, and report corvus.localhost endpoints. Update help text and .gitignore to ignore active Caddyfile.
Dev config & runtime dev/config.template.toml, clients/agent-runtime/Dockerfile	Remove workspace_dir and config_path from template/runtime config; change gateway bind/allow flags (allow_public_bind) and ensure gateway binds 0.0.0.0 internally for proxying.
Dashboard frontend & tests clients/web/apps/dashboard/src/composables/useConfig.ts, .../useConfig.spec.ts, src/App.vue, package.json, tsconfig.app.json, Dockerfile	Introduce DEFAULT_GATEWAY_BASE_URL and gatewayUrl(...) helper; prefer relative /api base; adjust isUrlSafeForSecrets; update fetch calls; add same-origin test; update build scripts and Dockerfile to use workspace-scoped pnpm build.
Localization & UI packages clients/web/packages/locales/src/en.json, .../es.json, clients/web/packages/ui/package.json	Change form.baseUrlPlaceholder from "http://127.0.0.1:3000" to "/api"; add @vue/tsconfig devDependency.
Landing page dev/landing/index.html	Add static Corvus Dev landing page served by landing Caddyfile with info and links guiding proxied flow.
Docs & specs README.md, clients/agent-runtime/README.md, clients/web/apps/dashboard/README.md, clients/web/apps/docs/src/content/docs/guides/*, openspec/.../first-run-web-dashboard-activation/*, openspec/specs/dashboard/spec.md	Replace direct localhost/127.0.0.1 references and dashboard-dev commands with corvus.localhost and proxied /api flows; update pairing, health, and CLI instructions.
Tests (chat app) clients/web/apps/chat/src/App.spec.ts	Switch tests to use test-scoped i18n and assertions against translated placeholders rather than hardcoded literals.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
actor User
participant Browser
participant Caddy as "Caddy (caddy-dev)"
participant Gateway as "Corvus Gateway (corvus-dev)"
participant Dashboard as "Dashboard (dashboard-dev)"
User->>Browser: Open http://corvus.localhost
Browser->>Caddy: GET / (landing or dashboard)
alt request /api/*
Caddy->>Gateway: proxy /api/* -> corvus-dev:3000
Gateway->>Gateway: handle /api request (pair/health/config)
Gateway-->>Caddy: response
Caddy-->>Browser: proxied response
else non-/api
Caddy->>Dashboard: proxy -> dashboard-dev:8080 (or serve static landing)
Dashboard-->>Caddy: response
Caddy-->>Browser: dashboard/landing content
end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• perf: Enhance Docker setup for dashboard with improved config bindings #151: Modifies dev environment tooling (dev/cli.sh, docker-compose.yml, dashboard Docker setup) for local proxy and dashboard orchestration — strong overlap with proxy/orchestration changes.
• fix: update project structure and rename dashboard to chat #58: Touches dashboard web app files (placeholders, tests, build scripts) and may conflict with frontend/locale/build edits made here.
• feat: add basic chat UI with vue.js #24: Adjusts dashboard UI/i18n surface (App.vue, locale placeholders), closely related to the localization and placeholder changes in this PR.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Linked Issues check	❓ Inconclusive	The linked issue #213 defines product architecture for a Cerebro memory system with MCP implementation, but the PR focuses on local dev workflow and dashboard proxy setup, making alignment assessment ambiguous.	Clarify whether this PR is prerequisite infrastructure for issue #213 or if the scope mismatch indicates incorrect issue linking. Confirm the relationship between the proxy setup and Cerebro architecture goals.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(dev): align local dashboard flow with prod proxy' follows Conventional Commits style with clear imperative language and is under 72 characters.
Description check	✅ Passed	The PR description is comprehensive, covering development workflow changes, dashboard improvements, build changes, and references related issue #213 with detailed sections matching expected documentation quality.
Out of Scope Changes check	✅ Passed	All changes directly support the stated PR objective: configuring a same-origin proxied local dev environment at corvus.localhost that mirrors production architecture.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/dev-proxy-localhost

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	89%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	9	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3064 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	421	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	2	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	90%	>= 0%	✅
Repo History Min PRs	Previous PRs in this repo	158	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-18 to 2026-03-18}

[coderabbitai]

Actionable comments posted: 11

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/README.md`:
- Around line 85-88: In clients/agent-runtime README.md the dashboard command
uses a repo-root invocation ('./dev/cli.sh up-dashboard') while the section is
scoped to clients/agent-runtime; update the README so the command is accurate
for readers—either instruct users to run the dashboard command from the
repository root (explicitly say "run from repo root: dev/cli.sh up-dashboard")
or change the example to the correct relative invocation when executed from the
clients/agent-runtime directory; update the text around the Proxy/Dashboard
lines to remove the misleading repo-root path and ensure the command and
working-directory context match.

In `@clients/web/apps/dashboard/package.json`:
- Line 12: The dashboard package.json build script uses "vue-tsc -p
tsconfig.app.json --noEmit && vite build" which skips referenced composite
projects; update the build script in package.json to run vue-tsc with the -b
(build) flag instead of -p so it type-checks all referenced projects (matching
the chat app pattern) and preserves --noEmit before running vite build; locate
the "build" script entry in package.json to apply this change.

In `@clients/web/apps/dashboard/README.md`:
- Around line 31-33: Edit the README sentence to add missing articles for
smoother Spanish: change "completa el pairing para obtener bearer token" to
"completa el pairing para obtener el bearer token" (or "un bearer token"), and
change "con mismo origen" to "con el mismo origen" and "detrás de reverse proxy"
to "detrás de un reverse proxy"; update the sentence containing "Base URL" and
the following sentence about "El dashboard y el gateway" accordingly.

In `@clients/web/apps/dashboard/src/composables/useConfig.ts`:
- Around line 15-18: isUrlSafeForSecrets currently treats any root-relative URL
(rawUrl starting with "/") as safe; instead resolve relative URLs against
window.location and only allow sending secrets if the resolved origin is a
trusted local/dev host. Update isUrlSafeForSecrets to: if rawUrl starts with "/"
create new URL(rawUrl, window.location.href) and then only return true when the
URL.hostname is a loopback/localhost variant (e.g., "localhost", "127.0.0.1",
"::1") or endsWith(".localhost") or otherwise matches your local dev host
pattern; for absolute rawUrl parse it with new URL(rawUrl) and apply the same
hostname checks. Use the function name isUrlSafeForSecrets and the rawUrl
parameter to locate where to change the logic.
- Around line 177-182: gatewayUrl currently only handles leading-slash bases and
fails for absolute bases like "http://host/api" because new URL(path, base) will
discard the base's path; update gatewayUrl (which calls normalizeBaseUrl) to
detect absolute bases and join paths safely by ensuring the base ends with a
trailing slash and the path does not start with a slash before calling new URL,
i.e., normalizeBaseUrl(), if the returned base is absolute (contains "://" or
startsWith "http"), trim trailing slashes on the base then append a single "/"
and the path stripped of leading slashes so new URL receives a base with a
trailing slash; keep the existing branch for relative bases (startsWith "/")
that use window.location.origin.

In `@clients/web/apps/docs/src/content/docs/es/guides/getting-started.md`:
- Around line 72-75: Change the bullet that currently labels `/api` as "Base URL
del dashboard" to correctly call it the API base (e.g., "Base URL de la API:
`/api`"), update the other bullets to use the same technical terms from the diff
(`http://corvus.localhost`, `/api/health`, `/api/pair`) and replace "Ruta de
pairing: proxied por `/api/pair`" with a clear Spanish phrasing like "Ruta de
emparejamiento: enrutada/proxy por `/api/pair`" (or similar) so the meaning of
proxied is explicit; ensure the Spanish text matches the English source wording
and resolves the translation gap around "pairing"/"proxied".

In `@clients/web/apps/docs/src/content/docs/guides/cli-reference.md`:
- Around line 86-88: Update the Spanish copy to mirror the English CLI changes:
add the same three user-facing entries ("`make dev-up` then `./dev/cli.sh
up-dashboard`", "`http://corvus.localhost` + secure proxied `/api/pair` flow",
and "`corvus --help` for command help") in the Spanish CLI reference (or insert
a clear "pending translation" note next to them if translation will be done
later); also apply the same update to the other segment referenced (the
corresponding entries around the second location mentioned, i.e., the items
analogous to lines 114–116).

In `@clients/web/apps/docs/src/content/docs/guides/getting-started.md`:
- Around line 70-74: Update the Spanish "Getting Started" doc to mirror the EN
changes for activation/resume URLs and commands: ensure the Local entrypoint
(`http://corvus.localhost`), Gateway check URL
(`http://corvus.localhost/api/health`), Dashboard base URL (`/api`), and Pairing
path (proxied via `/api/pair`) are reflected identically in the Spanish file for
parity with the English doc; if you cannot translate immediately, add an
explicit "pending translation" note in the Spanish Getting Started doc next to
these entries so readers know the EN values are authoritative until translated.
- Around line 72-73: The doc incorrectly labels `/api` as the "Dashboard base
URL"; update the bullet to correctly identify `/api` as the API gateway/proxy
base path (e.g., change "Dashboard base URL: `/api`" to "API gateway base URL:
`/api`" or "Proxied API base path: `/api`") while leaving the pairing path
bullet ("Pairing path: proxied via `/api/pair`") unchanged; verify the revised
wording appears where the current "Dashboard base URL" bullet exists so readers
won't conflate dashboard vs. gateway endpoints.

In
`@openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md`:
- Around line 203-204: Onboarding currently probes only the proxied entrypoint
`http://corvus.localhost/api/health`, which conflates gateway vs UI/Caddy
failures and collapses states like GatewayNotRunning, GatewayRunning*, and
DashboardUiUnavailable; update the probe logic to separate concerns by adding a
direct gateway health/pairing probe (call it e.g. gatewayHealthProbe or
probeGatewayPairing) that queries the gateway's native health/pairing API and
returns gateway-specific status, then keep the existing proxied/UI probe to
layer proxy/UI reachability on top and combine their results to determine the
deterministic state machine transitions for GatewayNotRunning, GatewayRunning*,
and DashboardUiUnavailable.

In `@openspec/specs/dashboard/spec.md`:
- Around line 185-186: The line "Resolved in implementation: optional
browser-open targets the local proxied entrypoint (`http://corvus.localhost`)
only." currently lives under the "Open Decisions" section in
openspec/specs/dashboard/spec.md; move that sentence out of the Open Decisions
block and place it under a new or existing "Resolved Decisions" or
"Implementation Notes" subsection so the Open Decisions list contains only
unresolved items, and ensure the surrounding headings and any table-of-contents
references are adjusted so traceability between the original undecided item and
this resolved note is preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: de1abbce-a09a-435f-8825-0c24868d0b99

📥 Commits

Reviewing files that changed from the base of the PR and between bd59b4c and 7947227.

⛔ Files ignored due to path filters (1)

• clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (30)

• .gitignore
• Makefile
• README.md
• clients/agent-runtime/Dockerfile
• clients/agent-runtime/README.md
• clients/web/apps/dashboard/Dockerfile
• clients/web/apps/dashboard/README.md
• clients/web/apps/dashboard/package.json
• clients/web/apps/dashboard/src/App.vue
• clients/web/apps/dashboard/src/composables/useConfig.spec.ts
• clients/web/apps/dashboard/src/composables/useConfig.ts
• clients/web/apps/dashboard/tsconfig.app.json
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md
• clients/web/apps/docs/src/content/docs/guides/cli-reference.md
• clients/web/apps/docs/src/content/docs/guides/getting-started.md
• clients/web/packages/locales/src/en.json
• clients/web/packages/locales/src/es.json
• clients/web/packages/ui/package.json
• dev/Caddyfile.dashboard
• dev/Caddyfile.landing
• dev/cli.sh
• dev/config.template.toml
• dev/docker-compose.yml
• dev/landing/index.html
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/exploration.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/proposal.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/tasks.md
• openspec/specs/dashboard/spec.md

💤 Files with no reviewable changes (1)

• clients/agent-runtime/Dockerfile

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (3)

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• dev/Caddyfile.landing
• clients/web/apps/dashboard/src/App.vue
• clients/web/packages/ui/package.json
• clients/web/apps/docs/src/content/docs/guides/cli-reference.md
• clients/web/apps/dashboard/src/composables/useConfig.spec.ts
• dev/Caddyfile.dashboard
• dev/docker-compose.yml
• dev/landing/index.html
• clients/web/apps/dashboard/README.md
• clients/agent-runtime/README.md
• clients/web/apps/dashboard/package.json
• openspec/specs/dashboard/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/exploration.md
• clients/web/apps/dashboard/src/composables/useConfig.ts
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/tasks.md
• Makefile
• clients/web/apps/dashboard/tsconfig.app.json
• clients/web/packages/locales/src/es.json
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md
• clients/web/apps/dashboard/Dockerfile
• dev/config.template.toml
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/spec.md
• clients/web/packages/locales/src/en.json
• README.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md
• clients/web/apps/docs/src/content/docs/guides/getting-started.md
• dev/cli.sh
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/proposal.md

**/*.vue

⚙️ CodeRabbit configuration file

**/*.vue: Enforce Vue 3 Composition API with <script setup>.
Ensure accessibility (A11y) and proper use of Tailwind CSS classes.
Check for proper prop validation and emitted events documentation.

Files:

• clients/web/apps/dashboard/src/App.vue

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/guides/cli-reference.md
• clients/web/apps/dashboard/README.md
• clients/agent-runtime/README.md
• openspec/specs/dashboard/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/exploration.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/tasks.md
• clients/web/apps/docs/src/content/docs/es/guides/getting-started.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/spec.md
• README.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md
• clients/web/apps/docs/src/content/docs/guides/getting-started.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/proposal.md

🧠 Learnings (11)

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

• clients/agent-runtime/README.md
• openspec/specs/dashboard/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/proposal.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

• openspec/specs/dashboard/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/spec.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Include threat/risk notes and rollback strategy for security, runtime, and gateway changes; add or update tests for boundary checks and failure modes

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/tasks.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md
• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/proposal.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools}/**/*.rs : Treat `src/security/`, `src/gateway/`, `src/tools/` as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/channels/**/*.rs : Implement `Channel` trait in `src/channels/` with consistent `send`, `listen`, and `health_check` semantics and cover auth/allowlist/health behavior with tests

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Keep startup path lean and avoid heavy initialization in command parsing flow

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/**/*.rs : Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/providers/**/*.rs : Implement `Provider` trait in `src/providers/` and register in `src/providers/mod.rs` factory when adding a new provider

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/tools/**/*.rs : Implement `Tool` trait in `src/tools/` with strict parameter schema, validate and sanitize all inputs, and return structured `ToolResult` without panics in runtime path

Applied to files:

• openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/design.md

🪛 ast-grep (0.41.1)

dev/landing/index.html

[warning] 120-120: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context: http://corvus.localhost/api/health
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)

🪛 LanguageTool

clients/web/apps/dashboard/README.md

[grammar] ~31-~31: Cambia la palabra o signo.
Context: .../api` y completa el pairing para obtener bearer token. El dashboard y el gateway ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~32-~32: Aquí puede haber un error.
Context: ... gateway se comunican a través de Caddy con mismo origen, igual que en un despliegu...

(QB_NEW_ES)

---

[grammar] ~32-~32: Elimina la palabra o signo.
Context: ...vés de Caddy con mismo origen, igual que en un despliegue productivo detrás de re...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

clients/web/apps/docs/src/content/docs/es/guides/getting-started.md

[grammar] ~72-~72: Cambia la palabra o signo.
Context: ...ts locales canonicos: - Entrada local: http://corvus.localhost - URL de chequeo del gateway: `http://corv...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~73-~73: Cambia la palabra o signo.
Context: ...ocalhost- URL de chequeo del gateway:http://corvus.localhost/api/health` - Base URL del dashboard: /api - Ruta de...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~74-~74: Cambia la palabra o signo.
Context: ...t/api/health- Base URL del dashboard:/api- Ruta de pairing: proxied por/api/pair`...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~75-~75: Aquí puede haber un error.
Context: ...: /api - Ruta de pairing: proxied por /api/pair Si rechazas, Corvus mantiene el flujo CL...

(QB_NEW_ES)

🔇 Additional comments (22)

clients/web/packages/ui/package.json (1)

15-15: Good dependency alignment for shared Vue TS config.

Line 15 correctly adds @vue/tsconfig to devDependencies, which supports consistent TypeScript config resolution in the UI package.

Makefile (1)

312-312: Help text update is accurate and low-risk.

Line 312 now correctly describes the proxied local entrypoint (corvus.localhost) without changing command behavior.

clients/web/packages/locales/src/es.json (1)

35-35: Spanish locale placeholder now matches proxied default.

Line 35 correctly switches the base URL placeholder to /api, aligning the UI hint with same-origin proxy usage.

clients/web/packages/locales/src/en.json (1)

35-35: English locale update is consistent with the new /api default.

Line 35 correctly reflects the proxied same-origin base path.

clients/web/apps/dashboard/src/App.vue (1)

45-45: Nice i18n improvement for the Base URL placeholder.

Line 45 removes the hardcoded URL and correctly uses t('form.baseUrlPlaceholder'), keeping placeholder text locale-driven.

openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/proposal.md (1)

83-83: Risk mitigation text is aligned with the new local proxy defaults.

Line 83 correctly updates canonical onboarding messaging to http://corvus.localhost + /api, reducing stale setup guidance.

clients/web/apps/dashboard/tsconfig.app.json (1)

11-12: Config scoping looks intentional for production app checks.

Lines 11-12 keep app compilation focused on runtime sources while excluding test specs from this tsconfig.

openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/spec.md (2)

185-186: Same section-semantics concern as the active spec file.

Resolved decisions under “Open Decisions” reduce clarity for future readers.

---

56-57: Archived spec correctly mirrors canonical proxied defaults.

This keeps historical spec text aligned with implemented local entrypoint behavior.

openspec/specs/dashboard/spec.md (1)

56-57: Canonical proxied defaults are correctly specified.

This aligns the spec with the same-origin local flow and keeps endpoint guidance consistent.

clients/web/apps/docs/src/content/docs/guides/cli-reference.md (1)

86-88: Proxied resume flow docs are aligned and actionable.

The updated commands and /api/pair guidance are consistent with the same-origin dashboard activation path.

Also applies to: 114-116

dev/Caddyfile.landing (1)

1-19: Routing layout looks correct for same-origin dev proxy flow.

The /api redirect + /api/* proxy handling and static fallback are clean and deterministic.

README.md (1)

170-172: Local dev workflow update is clear and consistent.

The new make dev-up + ./dev/cli.sh up-dashboard sequence matches the single-origin proxy setup.

clients/web/apps/dashboard/src/composables/useConfig.spec.ts (1)

116-141: Good regression coverage for default same-origin /api routing.

This test guards the expected pair/options/config endpoint construction and helps prevent URL regression.

dev/landing/index.html (1)

1-135: LGTM!

Static landing page is well-structured. The HTTP link flagged by static analysis is appropriate here—corvus.localhost is a local-only domain resolving to 127.0.0.1, and requiring HTTPS for local dev would add unnecessary cert management friction.

openspec/changes/archive/2026-03-06-first-run-web-dashboard-activation/exploration.md (1)

32-86: LGTM!

Documentation updates are accurate and consistent with the new proxy-based architecture. References to corvus.localhost, /api base path, and CLI commands (make dev-up, ./dev/cli.sh up-dashboard) align with the implementation.

dev/docker-compose.yml (2)

13-27: Caddy service setup looks solid.

Security is handled well: port 80 bound to 127.0.0.1 only, and the volume mount path for Caddyfile.active correctly aligns with cli.sh's ACTIVE_CADDYFILE variable when executed from either the repo root or dev/ directory.

One minor suggestion: consider adding a healthcheck for caddy-dev to enable proper dependency ordering if other services need to wait for the proxy to be ready.

---

38-38: Verify --host 0.0.0.0 is intentional.

Binding to 0.0.0.0 inside the container is fine since there's no port mapping to the host—traffic is only accessible within dev-net. Just confirming this is the intended isolation model (all external access must go through caddy-dev).

dev/cli.sh (4)

69-78: LGTM!

The activate_caddyfile function has proper error handling—it validates the source file exists before copying. The synchronous cp ensures the file is written before docker compose starts, and --force-recreate guarantees Caddy picks up the fresh configuration.

---

104-116: Clean proxy-first workflow.

The up command correctly:

1. Activates the landing Caddyfile before starting services
2. Uses --force-recreate to ensure config changes are picked up
3. Explicitly lists services to start (avoids pulling in dashboard profile)

Output URLs now correctly point to the proxied entrypoint.

---

118-128: up-dashboard flow is consistent.

Mirrors the up command structure with dashboard-specific Caddyfile activation. The --profile dashboard flag correctly enables the optional dashboard service.

---

164-190: Smoke checks correctly use proxied endpoints.

Health checks now target http://corvus.localhost/api/health and http://corvus.localhost, which validates the full proxy chain is working—not just individual services. Good end-to-end verification.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Please ensure EN/ES parity for these user-facing command changes.

I don’t see an explicit translation note in this segment; mirror these updates in the Spanish CLI reference (or add a clear pending-translation note).

As per coding guidelines For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Also applies to: 114-116

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/src/content/docs/guides/cli-reference.md` around lines
86 - 88, Update the Spanish copy to mirror the English CLI changes: add the same
three user-facing entries ("`make dev-up` then `./dev/cli.sh up-dashboard`",
"`http://corvus.localhost` + secure proxied `/api/pair` flow", and "`corvus
--help` for command help") in the Spanish CLI reference (or insert a clear
"pending translation" note next to them if translation will be done later); also
apply the same update to the other segment referenced (the corresponding entries
around the second location mentioned, i.e., the items analogous to lines
114–116).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Ensure EN/ES parity for the updated activation and resume instructions.

Please mirror these URL/command changes in the Spanish Getting Started doc (or add an explicit pending-translation note).

As per coding guidelines For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Also applies to: 93-95

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/src/content/docs/guides/getting-started.md` around
lines 70 - 74, Update the Spanish "Getting Started" doc to mirror the EN changes
for activation/resume URLs and commands: ensure the Local entrypoint
(`http://corvus.localhost`), Gateway check URL
(`http://corvus.localhost/api/health`), Dashboard base URL (`/api`), and Pairing
path (proxied via `/api/pair`) are reflected identically in the Spanish file for
parity with the English doc; if you cannot translate immediately, add an
explicit "pending translation" note in the Spanish Getting Started doc next to
these entries so readers know the EN values are authoritative until translated.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[sonarqubecloud]

Quality Gate failed

Failed conditions
11 Security Hotspots
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud