EleSync v1.7.0
Added
-
Web dashboard authentication, fully wired up —
ele web adduser <name>
turns on login for that vault's dashboard;ele web listusers/
ele web removeusermanage it. No users configured means no change from
today: the dashboard stays open on127.0.0.1exactly as before.- Passwords are bcrypt-hashed (
elesync[webauth]extra), work factor
configurable viaELE_BCRYPT_ROUNDSfor fast test runs. - Sessions are cookie-based (
HttpOnly,SameSite=Strict), and the
token itself is never written to disk —web_sessions.jsonstores
SHA-256 hashes, so reading that file doesn't hand out a live session. - Role-based access:
--role vieweraccounts can browse/search but get
a real server-side 403 on any write — enforced at the API layer, not
just hidden in the UI. - Auth state lives in
<vault>/.web_auth/, so it travels with the vault
(matters for USB vaults and multiple named vaults). - Removed the wildcard
Access-Control-Allow-Origin: *from the web
server while in there — the dashboard is same-origin by design (you
open127.0.0.1:7477directly), so the wildcard only ever served to
let any webpage's JavaScript read/write your vault via a background
fetch()call. Latent gap, independent of the auth work; closed now
rather than left for later.
- Passwords are bcrypt-hashed (
-
ele doctor --fix— the health check can now repair fixable
diagnostics (e.g. re-wiring a missing or stalemcpServersentry in a
client config) instead of only reporting them. Runele doctoralone
for a read-only check, add--fixto apply repairs and re-verify.
Fixed
elesync/__init__.py's module docstring read "unified elesync" instead
of "unified memory system" — copy-paste artifact from early in the
project, harmless but silly every time you saw it.cmd_vault_list's f-string used the same quote character for both the
outer f-string and an inner dict key (f"{"Name":<20}..."), which is
only valid on Python 3.12+ despite this project targeting 3.10 — would
have crashed onele vault listfor anyone on 3.10 or 3.11.