[codex] stabilize repository browsing and settings workflows

.env.example

@@ -159,8 +159,8 @@ WEBHOOK_SECRET=changeme_to_random_webhook_secret
 # CORS 配置
 # ============================================
 
-# 允许的源 (逗号分隔)
-CORS_ORIGINS=http://localhost:3000
+# 允许的源 (逗号分隔，支持多个可信域名或 * )
+CORS_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
 
 # 允许的方法
 CORS_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS
@@ -169,19 +169,19 @@ CORS_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS
 # LLM 服务配置
 # ============================================
 
-# LLM 提供商 (openai, anthropic, deepseek, etc.)
+# LLM 提供商（用于初始化默认 LLM 配置；更多配置可在设置页新增和切换）
 LLM_PROVIDER=openai
 
-# LLM API 密钥
+# LLM API 密钥（用于初始化默认 LLM 配置）
 LLM_API_KEY=your_llm_api_key
 
-# LLM 模型名称
+# LLM 模型名称（用于初始化默认 LLM 配置）
 LLM_MODEL=gpt-4
 
-# LLM API 端点 (如果使用自定义端点)
+# LLM API 端点（如果使用自定义端点，用于初始化默认 LLM 配置）
 LLM_API_BASE_URL=
 
-# LLM 最大重试次数
+# LLM 最大重试次数（用于初始化默认 LLM 配置）
 LLM_MAX_RETRIES=3
 
 # ============================================

AGENTS.md

@@ -0,0 +1,43 @@
+# CodaGraph-lite Project Memory
+
+## Required Workflow
+
+- Reproduce the exact bug on the current branch before changing code.
+- For interaction bugs, inspect browser behavior first: focus, active element, DOM replacement, network request, and backend log.
+- Do not claim a fix based on a different branch, worktree, or prior patch. Verify the current branch contains the change.
+- Do not report "fixed" until the same user path has been re-tested in the browser or with a direct request.
+
+## Known Failure Modes
+
+### Settings Password Inputs
+
+- Symptom: on `/dashboard/settings`, the admin password fields only accept one character, then lose focus or appear to clear.
+- Real root cause: helper components defined inside `SettingsPage()` can cause subtree remounts on every `setPasswordForm`.
+- First things to check:
+  - whether local helper components are declared inside the page component
+  - whether the active input node/id changes after one keystroke
+  - whether password form updates use functional state updates
+- Current fix location: `web/app/dashboard/settings/page.tsx`
+
+### Failed Login Returning 500
+
+- Symptom: wrong admin password returns `500 {"details":"FOREIGN KEY constraint failed"}` instead of `401`.
+- Real root cause: failed login activity log attempted to insert an invalid `admin_id`.
+- First things to check:
+  - `POST /api/auth/login` response code
+  - backend log stack under `server/src/auth/routes.ts`
+  - `server/src/models/ActivityLog.ts`
+- Current fix locations:
+  - `server/src/auth/routes.ts`
+  - `server/src/models/ActivityLog.ts`
+
+### Local Frontend / Backend Validation
+
+- Prefer `http://localhost:3000`, not `http://127.0.0.1:3000`, when validating the real app flow.
+- Reason: the backend CORS configuration commonly allows `http://localhost:3000`; using `127.0.0.1` can create a false negative during login and settings verification.
+
+## Response Discipline
+
+- Separate symptom from root cause.
+- Fix one proven root cause at a time.
+- If a patch only addresses an adjacent issue, do not present it as the root fix.

deploy/start.sh

@@ -124,14 +124,19 @@ main() {
         ((attempt++))
         sleep 2
 
-        # 检查前端
-        if curl -sf http://localhost:3000/api/health >/dev/null 2>&1; then
-            log_success "前端健康检查通过"
-            break
+        local frontend_ok=false
+        local backend_ok=false
+
+        if curl -sf "http://localhost:${FRONTEND_PORT}/api/health" >/dev/null 2>&1; then
+            frontend_ok=true
         fi
 
-        # 检查后端
-        if curl -sf http://localhost:7900/api/health >/dev/null 2>&1; then
+        if curl -sf "http://localhost:${BACKEND_PORT}/health" >/dev/null 2>&1; then
+            backend_ok=true
+        fi
+
+        if [ "$frontend_ok" = true ] && [ "$backend_ok" = true ]; then
+            log_success "前端健康检查通过"
             log_success "后端健康检查通过"
             break
         fi

deploy/systemd/codagraph-lite-frontend.service

@@ -8,16 +8,18 @@ After=network.target
 Wants=network.target
 
 [Service]
-Type=notify
+Type=simple
 NotifyAccess=all
 WorkingDirectory=/opt/codagraph-lite/web
 
 # 环境变量
 Environment="NODE_ENV=production"
 Environment="NODE_OPTIONS=--max-old-space-size=200"
+Environment="PORT=3000"
+Environment="HOSTNAME=0.0.0.0"
 
 # 启动命令
-ExecStart=/usr/bin/node /opt/codagraph-lite/web/node_modules/.bin/next start
+ExecStart=/usr/bin/node /opt/codagraph-lite/web/node_modules/next/dist/bin/next start -p 3000 -H 0.0.0.0
 ExecReload=/bin/kill -s HUP $MAINPID
 
 # 2u2g 资源限制

deploy/verify.sh

@@ -368,7 +368,7 @@ check_api_health() {
     check
     log_info "检查 API 健康状态..."
 
-    local backend_url="http://localhost:${BACKEND_PORT:-7900}/api/health"
+    local backend_url="http://localhost:${BACKEND_PORT:-7900}/health"
     local frontend_url="http://localhost:${FRONTEND_PORT:-3000}"
 
     # 检查后端 API

docs/configuration.md

@@ -392,6 +392,8 @@ WORKSPACE_ROOT=/opt/codagraph-lite/workspace
 
 ### LLM 提供商
 
+这些环境变量会初始化后台里的默认 LLM 配置。需要多套 LLM API 时，可以在设置页继续新增、保存并切换。
+
 | 环境变量 | 默认值 | 可选值 |
 |-----------|---------|--------|
 | `LLM_PROVIDER` | `openai` | `openai`, `anthropic`, `deepseek`, `自定义` |
@@ -611,9 +613,9 @@ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
 **配置示例**：
 ```bash
 # 开发环境
-CORS_ORIGINS=http://localhost:3000
+CORS_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
 
-# 生产环境（多个域名）
+# 生产环境（多个可信域名）
 CORS_ORIGINS=https://app1.com,https://app2.com
 
 # 允许所有（不推荐生产环境）

e2e/dashboard-pages.spec.ts

@@ -1,6 +1,8 @@
 import { test, expect } from '@playwright/test';
 import { execSync } from 'child_process';
 
+const seededRepositoryName = 'codagraph-lite-e2e-fixture';
+
 test.beforeAll(() => {
   execSync('node scripts/seed-e2e-data.js', { stdio: 'inherit' });
 });
@@ -19,9 +21,10 @@ test('repositories page renders seeded repository', async ({ page }) => {
 
   await page.goto('/dashboard/repositories');
   await expect(page.getByRole('heading', { name: '仓库管理' })).toBeVisible();
-  await expect(page.getByText('mars167')).toBeVisible();
-  await expect(page.getByText('codagraph-lite')).toBeVisible();
-  await expect(page.getByText('已连接', { exact: true })).toBeVisible();
+  await page.getByRole('textbox', { name: 'Search' }).fill(`mars167/${seededRepositoryName}`);
+  await expect(page.getByText('搜索命中 1', { exact: true })).toBeVisible();
+  await expect(page.getByRole('link', { name: seededRepositoryName, exact: true })).toBeVisible();
+  await expect(page.getByRole('button', { name: '开启 Watch' })).toBeVisible();
   expect(pageErrors).toEqual([]);
 });
 
@@ -31,7 +34,11 @@ test('jobs page renders seeded job stats and row', async ({ page }) => {
 
   await page.goto('/dashboard/jobs');
   await expect(page.getByRole('heading', { name: '作业状态' })).toBeVisible();
-  await expect(page.getByText('analyze_pr')).toBeVisible();
+  await expect(
+    page.getByRole('link', {
+      name: new RegExp(`Job #\\d+ · ${seededRepositoryName} · PR #\\d+`),
+    })
+  ).toBeVisible();
   expect(pageErrors).toEqual([]);
 });
 
@@ -40,7 +47,8 @@ test('history page renders seeded analysis entry', async ({ page }) => {
   page.on('pageerror', (error) => pageErrors.push(error.message));
 
   await page.goto('/dashboard/history');
-  await expect(page.getByRole('heading', { name: '分析历史' })).toBeVisible();
+  await expect(page.getByRole('heading', { name: '按 PR 维度回看 Review 历史' })).toBeVisible();
+  await expect(page.getByRole('link', { name: `mars167/${seededRepositoryName}` })).toBeVisible();
   await expect(page.getByText('E2E validation PR')).toBeVisible();
   expect(pageErrors).toEqual([]);
 });

package.json

@@ -13,12 +13,16 @@
     "build:web": "npm --prefix web run build",
     "build:server": "npm --prefix server run build",
     "build": "npm run build:web && npm run build:server",
+    "check:web": "npm --prefix web run lint",
+    "check:server": "npm --prefix server run typecheck",
+    "check": "npm run check:web && npm run check:server && npm run build",
     "start:web": "npm --prefix web run start",
     "start:server": "npm --prefix server run start",
     "start": "concurrently \"npm run start:web\" \"npm run start:server\"",
     "seed:e2e": "node scripts/seed-e2e-data.js",
     "e2e:playwright": "npm run seed:e2e && playwright test e2e/dashboard-pages.spec.ts",
-    "e2e:puppeteer": "npm run seed:e2e && node scripts/puppeteer-dashboard-smoke.js"
+    "e2e:puppeteer": "npm run seed:e2e && node scripts/puppeteer-dashboard-smoke.js",
+    "test:e2e": "NEXT_PUBLIC_API_URL=http://127.0.0.1:7901 npm run build && npm run e2e:playwright"
   },
   "repository": {
     "type": "git",

playwright.config.ts

@@ -4,7 +4,21 @@ export default defineConfig({
   testDir: './e2e',
   timeout: 30_000,
   use: {
-    baseURL: 'http://localhost:3000',
+    baseURL: 'http://127.0.0.1:3001',
     headless: true,
   },
+  webServer: [
+    {
+      command: 'SKIP_REMOTE_REPOSITORY_SYNC=1 BACKEND_PORT=7901 FRONTEND_PORT=3001 CORS_ORIGINS=http://127.0.0.1:3001 npm run start:server',
+      url: 'http://127.0.0.1:7901/api/health',
+      reuseExistingServer: !process.env.CI,
+      timeout: 30_000,
+    },
+    {
+      command: 'cd web && mkdir -p .next/standalone/.next && if [ -d .next/static ]; then ln -sfn ../../static .next/standalone/.next/static; fi && PORT=3001 HOSTNAME=127.0.0.1 NEXT_PUBLIC_API_URL=http://127.0.0.1:7901 node .next/standalone/server.js',
+      url: 'http://127.0.0.1:3001/api/health',
+      reuseExistingServer: !process.env.CI,
+      timeout: 30_000,
+    },
+  ],
 });

scripts/seed-e2e-data.js

@@ -1,10 +1,45 @@
 const path = require('path');
-const Database = require('../server/node_modules/better-sqlite3');
+const crypto = require('crypto');
+const Database = require(require.resolve('better-sqlite3', {
+  paths: [path.join(__dirname, '..', 'server')],
+}));
 
 const dbPath = path.join(__dirname, '..', 'server', 'data', 'codagraph-lite.db');
 const db = new Database(dbPath);
+// Keep fixture data ahead of existing rows so the e2e smoke tests can locate it deterministically.
+const seededTimestamp = "datetime('now', 'localtime', '+1 day')";
+const seededAdminPasswordHash = crypto
+  .createHash('sha256')
+  .update('changeme')
+  .digest('hex');
+
+try {
+  db.exec(`
+  CREATE TABLE IF NOT EXISTS admin (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    username TEXT UNIQUE NOT NULL,
+    password_hash TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now', 'localtime')),
+    updated_at TEXT NOT NULL DEFAULT (datetime('now', 'localtime')),
+    last_login_at TEXT
+  );
+
+  CREATE TABLE IF NOT EXISTS oauth_installations (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    platform TEXT NOT NULL CHECK(platform IN ('github', 'gitee', 'gitlab')),
+    auth_type TEXT DEFAULT 'oauth',
+    github_app_installation_id TEXT,
+    account_id TEXT NOT NULL,
+    account_name TEXT,
+    access_token TEXT NOT NULL,
+    refresh_token TEXT,
+    token_expires_at DATETIME,
+    permissions TEXT,
+    is_active INTEGER DEFAULT 1,
+    created_at DATETIME DEFAULT (datetime('now', 'localtime')),
+    updated_at DATETIME DEFAULT (datetime('now', 'localtime'))
+  );
 
-db.exec(`
   CREATE TABLE IF NOT EXISTS repository (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     platform TEXT NOT NULL,
@@ -60,31 +95,45 @@ db.exec(`
     updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
   );
 
+  INSERT OR REPLACE INTO admin (
+    id, username, password_hash, created_at, updated_at, last_login_at
+  ) VALUES (
+    1, 'admin', '${seededAdminPasswordHash}', ${seededTimestamp}, ${seededTimestamp}, NULL
+  );
+
+  INSERT OR REPLACE INTO oauth_installations (
+    id, platform, auth_type, account_id, account_name, access_token, permissions, is_active, created_at, updated_at
+  ) VALUES (
+    9001, 'github', 'oauth', 'mars167-e2e', 'mars167 E2E', 'e2e-token', 'repo', 1, ${seededTimestamp}, ${seededTimestamp}
+  );
+
   INSERT OR REPLACE INTO repository (
     id, platform, owner, name, full_name, installation_id, webhook_url, is_active, created_at, updated_at, last_analyzed_at
   ) VALUES (
-    9101, 'github', 'mars167', 'codagraph-lite', 'mars167/codagraph-lite',
-    9001, 'https://example.com/webhook', 1, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP
+    9101, 'github', 'mars167', 'codagraph-lite-e2e-fixture', 'mars167/codagraph-lite-e2e-fixture',
+    9001, 'https://example.com/webhook', 1, ${seededTimestamp}, ${seededTimestamp}, ${seededTimestamp}
   );
 
   INSERT OR REPLACE INTO analysis (
     id, platform, owner, repo_name, pr_number, pr_title, pr_author, base_commit, head_commit,
     status, analysis_result, comment_count, file_count, issue_count, started_at, completed_at,
     error_message, created_at, updated_at
   ) VALUES (
-    9201, 'github', 'mars167', 'codagraph-lite', 42, 'E2E validation PR', 'mars167',
-    'main', 'feature/e2e', 'completed', '{}', 3, 5, 1, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
-    NULL, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP
+    9201, 'github', 'mars167', 'codagraph-lite-e2e-fixture', 42, 'E2E validation PR', 'mars167',
+    'main', 'feature/e2e', 'completed', '{}', 3, 5, 1, ${seededTimestamp}, ${seededTimestamp},
+    NULL, ${seededTimestamp}, ${seededTimestamp}
   );
 
   INSERT OR REPLACE INTO jobs (
     id, type, payload, status, priority, attempts, max_attempts,
     error_message, created_at, updated_at, started_at, completed_at
   ) VALUES (
-    9301, 'pr_analysis', '{"platform":"github","repo_name":"codagraph-lite","pr_number":"42"}',
-    'completed', 3, 1, 3, NULL, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP
+    9301, 'pr_analysis', '{"platform":"github","repo_name":"codagraph-lite-e2e-fixture","pr_number":"42"}',
+    'completed', 3, 1, 3, NULL, ${seededTimestamp}, ${seededTimestamp}, ${seededTimestamp}, ${seededTimestamp}
   );
-`);
+  `);
 
-console.log(`Seeded E2E data into ${dbPath}`);
-db.close();
+  console.log(`Seeded E2E data into ${dbPath}`);
+} finally {
+  db.close();
+}