- Replace undefined get_current_user() with existing g.current_publisher
- Replace undefined log_admin_action() with existing log_audit() function
- Remove redundant role checks (already handled by @require_admin decorator)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The @require_auth decorator doesn't exist - should use @require_admin
for admin-only endpoints.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CLI Commands:
- cmdforge collections list - List available collections
- cmdforge collections info <name> - Show collection details
- cmdforge collections install <name> - Install all tools in a collection
Admin API:
- GET /api/v1/admin/collections - List all collections (admin)
- POST /api/v1/admin/collections - Create collection
- PUT /api/v1/admin/collections/<name> - Update collection
- DELETE /api/v1/admin/collections/<name> - Delete collection
Admin Web UI:
- /dashboard/admin/collections - List and manage collections
- /dashboard/admin/collections/new - Create new collection form
- /dashboard/admin/collections/<name>/edit - Edit collection form
- Added "Manage collections" link to admin dashboard
Registry Client:
- Added get_collections() method
- Added get_collection(name) method
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Search terms now automatically get a * suffix for prefix matching.
E.g., searching "summ" matches "summarize", "summary", etc.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Registry Features:
- Fork tracking with forked_from/forked_version metadata
- Forked tools show "Forked from" notice on detail page
- Original tools display "Forks" section listing all forks
- Fork count in tool stats
- API: GET /api/v1/tools/<owner>/<name>/forks
GUI Improvements:
- Version selector dropdown for registry installs
- Fetch available versions via GET /api/v1/tools/<owner>/<name>/versions
- "Latest" option plus all available versions listed
Admin Features:
- POST /api/v1/admin/cleanup/rejected endpoint
- Maintenance section in admin dashboard
- "Dry Run" and "Run Cleanup" buttons for rejected version cleanup
- Configurable grace period (default 7 days)
Documentation:
- Updated CHANGELOG.md with all recent changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Make publish endpoint idempotent: return success if same content
already exists instead of VERSION_EXISTS error (fixes retry issues)
- Always refresh tools page after publish dialog closes
- Consolidate My Tools page to group versions by tool name
- Show version count and list instead of separate rows per version
- Sum downloads across all versions for accurate totals
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Show local and registry version in publish dialog
- Add +Patch/+Minor/+Major bump buttons
- Auto-fetch registry version on dialog open
- Suggest next version based on latest registry version
- Add fork detection and forked_from metadata support
- Update registry schema for forked_from/forked_version fields
- Display fork indicator when publishing forked tools
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add POST /api/v1/admin/tools/{id}/request-changes endpoint
- Sets moderation_status to 'changes_requested' with feedback
- Extend /me/tools/{name}/status to return feedback when status is
changes_requested or rejected
- Add Request Changes button and modal in admin pending UI
- Make changes modal draggable like other modals
This allows admins to send feedback to publishers instead of just
approving or rejecting tools outright.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The AI review was failing because it referenced 'config' which doesn't
exist in the publish endpoint scope. Changed to 'data' which is the
actual variable containing the parsed tool configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change nargs="*" to REMAINDER for tool_args to stop argparse from
intercepting --flag style arguments meant for the tool
- Add -- separator handling to distinguish cmdforge args from tool args
- Map flag names to variable names using tool argument definitions
- Update AI review subprocess calls to use -- separator
Fixes scrutiny-ai-review tool arguments not being passed correctly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create scrutiny-ai-review tool that uses AI to analyze warnings
- Integrate AI review into publish flow (app.py)
- Integrate AI review into Fabric sync script
- If AI review returns APPROVE with >=80% confidence, auto-approve
- Display AI review results in admin pending tools modal
- Shows verdict (APPROVE/REJECT/NEEDS_HUMAN_REVIEW) with confidence
- Shows per-finding analysis (FALSE_POSITIVE/LEGITIMATE_CONCERN)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Click tool name to view full details in modal
- Shows description, arguments, steps (prompt/code), and README
- Approve/Reject buttons in detail modal
- New API endpoint GET /api/v1/admin/tools/<id> returns full tool config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Track moderation status (pending/approved/rejected) in local tool config
- Add new "pending" state indicator (◐ yellow) distinct from "published" (✓ green)
- Add "Sync Status" button to check registry for updated moderation status
- Add /me/tools/<name>/status API endpoint for checking tool status
- Improve admin panel error handling with better error messages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add config_hash to publish API response
- Save registry_hash to local tool config after successful publish
- Show appropriate message based on moderation status (approved vs pending)
This enables the GUI to show publish state indicators (✓ published, ● modified)
for tools that have been published to the registry.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Registry API improvements:
- Add /api/v1/me POST endpoint for profile updates
- Add /api/v1/me/password POST endpoint for password changes
- Fix visibility filtering on categories and tags endpoints to only
show approved public tools
- Allow underscores in tool names for fabric pattern compatibility
- Fix sqlite3.Row access (use bracket notation instead of .get())
Web UI improvements:
- Add tag filter to /tools page with three-state buttons
(include/exclude/neutral)
- Add mobile-friendly tag filter in responsive view
- Display tags on tool cards in the tools listing
- Add dashboard settings form handlers for profile and password
Admin improvements:
- Add scrutiny audit page for reviewing tool safety analysis
- Improve pending tools page with scrutiny report display
- Add scrutiny stats to admin dashboard
Fabric sync improvements:
- Add direct database publishing with scrutiny vetting
- Support auto-approve for tools passing scrutiny
- Improve error handling and logging
- Add source attribution for imported tools
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add hash_utils.py module for SHA256 content hashing with normalized YAML
- Store config_hash in registry database on publish
- Include hash in download response for client verification
- Verify downloaded content matches registry hash on install
- Store registry_hash in local tool config for publish state tracking
- Show publish state indicators in Tools page UI:
- Green checkmark: Published and up to date
- Orange dot: Modified since last publish
- No indicator: Local tool (never published)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add pairing_requests table and hostname column to api_tokens
- Add pairing API endpoints: initiate, check, status, connected-apps
- Add cmdforge config connect <username> CLI command
- Rewrite tokens.html as Connected Apps with pairing flow
- Update TUI: Connect button when not authenticated, Publish when connected
- Add private sync option after save in TUI when connected
- Add visibility parameter to publish_tool in registry_client
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Was using werkzeug's generate_password_hash which creates incompatible
hashes. Now uses the same argon2 password_hasher as registration/login.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix create token modal z-index so it's not covered by backdrop
- Rename session tokens from "login" to "Web Session" for clarity
- Delete old session tokens when logging in (prevents accumulation)
- Filter out session tokens from dashboard display (users only see
their manually created API tokens)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- TUI: Use list_tools for browsing (no query), search_tools only when
user enters a search term. Fixes 500 error on initial registry load.
- API: Sanitize FTS5 queries by escaping special characters (* " ( ) etc)
Prevents SQL errors from malformed search queries like "*"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Categories API now includes dynamic categories from database
(categories used by tools but not in predefined list)
- Add total_tools to categories API meta for accurate All Tools count
- Fix web routes to use total_tools instead of summing category counts
- Dynamic categories get auto-generated descriptions
This fixes:
- "All Tools" showing 2 instead of 4
- Categories like "code-analysis" and "education" not appearing
- Incorrect category counts in sidebar
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /api/v1/tags endpoint for listing available tags
- Enhance search API with tag filtering (AND logic), multi-category
filtering (OR logic), owner filter, download range, and date range
- Add faceted response support (category/tag/owner counts)
- Update registry client with new search parameters and get_tags method
- Add CLI search options: -t/--tag, -o/--owner, --min-downloads,
--popular, --new, --since, --before, --json, --show-facets
- Add new 'registry tags' CLI subcommand
- Add web UI filter sidebar with checkboxes, dropdowns, and active
filter chips with URL-based state management
- Display clickable tags on tool cards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New /api/v1/webhook/deploy endpoint
- Verifies Gitea HMAC-SHA256 signature
- Only deploys on push to main/master branch
- Runs git pull and service restart in background
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add source_json column to store complete source attribution
- Update publish API to accept source object or legacy string
- Update get_tool API to return parsed source object
- Update web UI to display type, author, license, url, original_tool
- Add gunicorn config and dependency for production server
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Major rename operation:
- Rename Python package: smarttools -> cmdforge
- Update CLI entry point: smarttools -> cmdforge
- Update all imports and module references
- Update pyproject.toml with new name, URLs, entry point
- Update all HTML templates with new branding
- Update documentation (CLAUDE.md, README.md, docs/*, wiki/*)
- Update environment variables:
- SMARTTOOLS_ENV -> CMDFORGE_ENV
- SMARTTOOLS_REGISTRY_DB -> CMDFORGE_REGISTRY_DB
- SMARTTOOLS_TOKEN -> CMDFORGE_TOKEN
- SMARTTOOLS_REGISTRY_* -> CMDFORGE_REGISTRY_*
- Update Dockerfile and docker-compose.yml
- Update tests to use new package name
- Update scripts and examples
- Update package.json and tailwind.config.js
All 158 unit tests pass. The CLI is working correctly with the
new cmdforge command.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
rob