Search
One paraphrase-friendly query across every @feature block, repo summary, manifest goal, museum achievement, knowledge note, and lab digest. Ask in plain language — BAAI/bge-m3 ranks the closest matches by cosine similarity across all six domains at once.
0 hits
972ms · BGE-M3 1024d cosine- feature71%auth.oauth.youtube_startopenalice-platform · auth/oauth · crates/identity/src/handlers/oauth.rs:113
Begin a YouTube (Google) OAuth flow — generates a state nonce, persists it server-side, returns the Google authorize URL the client should redirect to. The callback will create a `chat_sources` row with the user's refresh + access tokens.
- feature60%auth.token.refreshopenalice-platform · auth/tokens · crates/identity/src/handlers/session.rs:29
Exchange a refresh token for a fresh access+refresh JWT pair (rotation).
- feature56%auth.user.loginopenalice-platform · auth/users · crates/identity/src/handlers/login.rs:74
Verify email+password and issue access+refresh JWT pair.
- feature54%auth.sessions.revokeopenalice-platform · auth/sessions · crates/identity/src/handlers/session.rs:230
Revoke a specific refresh-token session by id. Marks the row revoked and blacklists its current jti so the next /auth/refresh from that device fails. Existing access tokens on that device survive until natural expiry (≤1h).
- feature54%auth.mfa.setupopenalice-platform · auth/mfa · crates/identity/src/handlers/mfa.rs:21
Begin MFA enrollment — generates a fresh TOTP secret, stores it ENCRYPTED at rest (AES-256-GCM, mfa_secret_encrypted; the legacy plaintext mfa_secret column is no longer written and is NULLed), NOT yet enabled, and returns the secret + otpauth URL so the client can render a QR. Re-running before /auth/mfa/verify rotates the secret. Idempotent against an already-enabled user — returns 409 so the client tells the user to disable first.
- feature53%auth.sessions.listopenalice-platform · auth/sessions · crates/identity/src/handlers/session.rs:188
List the authenticated user's active refresh-token sessions (one per browser/device login). Each row carries user_agent, created_at, last_used_at, and a `current` flag marking the device this request came from.
- repo53%openalice-ml-gateway
ML Gateway — API key auth, rate limiting, and usage tracking in front of embed/rerank/NER backends.
- knowledge53%Streaming product modularization wave — overnight blitz 2026-05-23learnings/2026-05-23-streaming-product-modularization-wave · 2026-05-23
13 refactor waves + 1 ecosystem fix landed in a single overnight session (~6h wall clock). Roughly **22,000 LOC** of monolithic Rust/TypeScript reshaped into **~90 focused submodules** across **13 rep
- feature52%auth.user.registeropenalice-platform · auth/users · crates/identity/src/handlers/register.rs:24
Register a new user with email + username + password (Argon2id), returns access+refresh JWT pair.
- feature52%auth.broadcast_config.putopenalice-platform · auth/broadcast · crates/identity/src/handlers/config.rs:288
Upsert the user's studio broadcast config. Validates preset_id against the @openalicelabs/presets allowlist; rejects unknown ids with 400. Returns the persisted row so the client can mirror updated_at.
- feature52%auth.realtime.chat_eventopenalice-platform · auth/realtime · crates/identity/src/handlers/admin.rs:91
Service-to-service entry — POST a normalized chat message from any platform connector (openalice-chat-bridge for YouTube/Twitch/Kick/TikTok) and the broadcast owner's connected agent receives it as a `chat_message` event over /auth/ws. Bypasses the notification cooldown (chat is a stream). Authenticated by X-Internal-Secret.
- knowledge52%OpenAlice Embed — Optimizations & Basics Backlogresearch/openalice-embed-roadmap-backlog-2026-05-29 · 2026-05-29
Captured 2026-05-29 (Alex + NAO brainstorm, post-design-handoff). Feeds Tycho **after** MVP (Action 1-3) works end-to-end — except §0 which are MVP-blocking basics.
- feature52%dashboard.shell.root-layoutopenalice-platform · dashboard/shell · apps/dashboard/src/app/layout.tsx:2
Root layout — mounts AuthProvider (JWT lifecycle) + ToastProvider around the entire app. Binds the SDK client to NEXT_PUBLIC_API_URL (default api.blal.pro). Sets Open Graph metadata and forces `robots: noindex` (internal tool).
- feature52%auth.user.meopenalice-platform · auth/users · crates/identity/src/handlers/profile.rs:22
Return current authenticated user's profile (id, email, username, status). Side effect — bumps users.last_seen so the user surfaces in the online-users feed.
- feature51%auth.password.resetopenalice-platform · auth/password · crates/identity/src/handlers/email.rs:374
Consume a password-reset token (looked up by SHA-256 hash) and rewrite the user's password. Marks the token used and revokes ALL outstanding refresh tokens for the user (forces re-login on every device).
- achievement51%Backend security hardening wave — RS256, RLS, CI gates across 7 reposinfra · 2026-06-15 · breakthrough · openalice-tenants
A coordinated security wave landed across the backend fleet: openalice-auth deployed RS256 + validate_aud=true across all services (closing the HS256 mint-anywhere gap); openalice-tenants enforced team roles (owner/admin/member/viewer) in all /me/* handlers, activated set_tenant_context + FORCE ROW LEVEL SECURITY, and moved the app off the superuser platform role to NOSUPERUSER/NOBYPASSRLS; openalice-rag added GDPR Art.17 purge of vector chunks on tenant erasure; recurring billing money-flow fixed end-to-end; distributed tracing (Tempo) enabled for auth + tenants + agent-lite; and CI security gates (cargo-deny + audit + clippy) went live across all 7 backend repos.
- feature51%auth.internal.mfa.activateopenalice-platform · auth/internal · crates/identity/src/handlers/account.rs:260
Internal X-Internal-Secret-gated sibling for the embed dashboard's MFA activate (openalice-tenants POST /me/account/mfa/activate). Verifies a TOTP code (±1 step skew, constant-time) against the pending encrypted secret, then flips mfa_enabled=true so subsequent logins require a second factor. Replay-aware: persists the matched TOTP step to mfa_last_step so the activate code can't be replayed at the login verify challenge. 400 if no setup is pending.
- feature50%auth.broadcast_config.getopenalice-platform · auth/broadcast · crates/identity/src/handlers/config.rs:250
Read the user's current studio broadcast config (preset_id + per-stream overrides). Defaults to {preset_id="qa-host", overrides={}} when no row has been saved yet — first-time streamers don't have to click anything before going live.
- feature50%dashboard.auth.loginopenalice-platform · dashboard/auth · apps/dashboard/src/app/login/page.tsx:2
Login page — email + password form using useLoginAction from @openalicelabs/ui. Auto-redirects authenticated users to /. Displays inline Banner on auth failure. Entry point for the entire dashboard; all protected pages redirect here on 401.
- achievement50%Landing audit fix wave — 15 viewport fixes + infinite hero chatproduct · 2026-06-12 · medium · openalice-landing
openalice-landing audit-and-fix wave: 15 viewport fixes, added delights, and an infinite hero-chat surface — part of the brand wave that moved the landing visuals to living surfaces.
- feature50%auth.devices.pair_startopenalice-platform · auth/devices · crates/identity/src/devices.rs:75
Generate a short-lived pairing code (8 chars, 10 min TTL) the user types into openalice-stream-host. Code is single-use; claiming it issues a 90-day device-scoped JWT.
- feature50%auth.internal.api_keys.createopenalice-platform · auth/internal · crates/identity/src/handlers/account.rs:42
Internal X-Internal-Secret-gated sibling for the embed dashboard's "create API key" flow (openalice-tenants POST /me/account/api-keys). Mints a fresh key, persists ONLY its SHA-256 hash + non-secret prefix + scopes (never the plaintext), and returns the PLAINTEXT key exactly once so the UI can show "copy now — it won't be shown again". Owner is the path {user_id}; IDOR-safe.
- feature50%auth.realtime.broadcastopenalice-platform · auth/realtime · crates/identity/src/handlers/admin.rs:40
Service-to-service entry point — POST a notification (optionally targeted at a specific user) and the auth WS hub fans it out to every connected client. Authenticated by a shared secret in the `X-Internal-Secret` header (env `INTERNAL_BROADCAST_SECRET`). Producers: social-api on DM, persona on session events, billing on plan changes.
- knowledge50%💰 20 клиентов = €5k MRR = default-aliveroadmaps/embed
Источник исполнения: `marketing/campaigns/openalice-embed-launch/EMBED-LAUNCH-IRON-PLAN-2026-07-01.md` (война-комната `alex-x-tycho`; волны Тихо W1-W5 ≈ 2-3 недели до пилота). Золотая тропа помечена `
- feature50%landing.api.waitlistopenalice-platform · landing/api · apps/landing/src/test/waitlist-route.test.ts:2
Tests for POST /api/waitlist — the real lead-capture endpoint. Contract under test: 1. A valid {email, product} appends one JSONL line and returns { ok:true, status:"added" } (email lowercased + trimmed in the record). 2. A re-submit of the same (email, product) returns status:"already" without a second append. 3. Invalid email → 400 { error:{ code:"invalid_email" } }. 4. Unknown product → 400 { error:{ code:"invalid_product" } }. 5. Malformed JSON → 400 { error:{ code:"bad_json" } }. 6. Over the per-IP rate limit → 429 { error:{ code:"rate_limited" } }. 7. De-dupe survives a "restart": a fresh module load whose readFile returns a persisted lead reads that lead back as "already" with no second append (the boot-replay hydration of the seen-set, W1.2). fs is mocked so the test never touches disk; we assert the appended payload.
- feature50%auth.user.login_mfaopenalice-platform · auth/users · crates/identity/src/handlers/login.rs:322
Exchange a pre-MFA token + TOTP code for a full session. Issued only when /auth/login responds with mfa_required=true. Pre-MFA token is audience-restricted so it can't be used against any downstream service if leaked.
- feature50%auth.portalopenalice-platform · auth/portal · crates/identity/src/handlers/portal.rs:5
The dashboard's data API, carved onto openalice-auth so the
- feature49%axum-common.crate.shared-http-plumbingopenalice-platform · axum-common/crate · crates/oa-framework/src/lib.rs:1
Shared Axum HTTP plumbing crate consumed by every OpenAlice backend service. Centralises JWT auth, SSO cookies, CORS, health, Prometheus metrics, per-tenant rate limiting, circuit breaking, and cluster-wide audit logging so security fixes and ecosystem-wide changes land in one place. Consumers: openalice-auth, social-api, voice, persona, atlas-api, rt, a2a.
- feature49%auth.internal.mfa.setupopenalice-platform · auth/internal · crates/identity/src/handlers/account.rs:188
Internal X-Internal-Secret-gated sibling for the embed dashboard's MFA setup (openalice-tenants POST /me/account/mfa/setup). Mints a fresh TOTP secret stored ENCRYPTED (AES-256-GCM), plus backup codes stored HASHED, in the `pending` state (NOT enabled). Returns secret + otpauth_uri (for QR) + plaintext backup codes ONCE. 409 if MFA is already enabled — disable first.
- knowledge49%OpenAlice Embed — Visitor Identity & Memory Spec (§0.1)research/openalice-embed-visitor-identity-memory-spec-2026-05-29 · 2026-05-29
> **For Tycho (engineering) + Norbert (persona/memory model).** > Resolves the §0.1 spec conflict flagged in `openalice-embed-roadmap-backlog-2026-05-29.md`. > Status: **proposed** (NAO greenlit writi