- Security logging to /var/log/llm-team-security.log for fail2ban
- Email alerts for security events via SMTP
- Exploit pattern detection (scanner probes, SQL injection, path traversal)
- Use X-Real-IP header for accurate client IP behind nginx
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- brain-backup: daily borg + pg_dump, 7d/4w/3m retention, cron at 3AM
- brain-triage: full system health check (services, ports, firewall,
headers, kernel, app, DB, disk, backups, security scan)
- brain-recover: restore from backup (full/db/configs/app) + emergency
lockdown mode that blocks all external access except LAN SSH
All accessible via /usr/local/bin/brain-{backup,triage,recover}
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Nginx configs with security headers (X-Frame-Options, CSP, etc.)
- fail2ban jails for nginx (botsearch, bad-request, forbidden)
- Kernel hardening via sysctl (rp_filter, no redirects, log martians)
- SSH hardening (no root, max 3 attempts, no X11)
- UFW rules export
- Idempotent setup.sh to restore all configs on fresh install
- Flask bound to 127.0.0.1 (nginx-only access)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Output panel renders first on mobile (CSS order swap)
- Prompt + Run button immediately below output
- Mode/config hidden behind "Mode: Brainstorm" collapsible toggle
- Tapping toggle expands full mode grid + model config
- Compact header nav with smaller text
- 3-column mode grid on mobile (was 4)
- Larger run button (16px font, 14px padding) for touch
- Full-width repipe modal and history panel on mobile
- Desktop layout unchanged (toggle hidden, collapse always open)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- GoAccess installed and running as systemd service (goaccess.service)
- Real-time HTML report at /var/www/html/report.html
- /logs route serves GoAccess dashboard, protected by @admin_required
- "Logs" link added to admin panel nav (orange)
- Auto-starts on boot, reads nginx access.log
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Consistent nav across all pages (Team UI / Lab / Admin / Logout)
- Main header: separator between nav and auth actions, smaller text
- Login box: subtle purple glow shadow, wider card
- Demo banner: gradient background, bolder text, larger font
- Lab + Admin: matching nav with logout link
- Reduced visual clutter in main header
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Demo mode toggle: admin can enable public access without login
- Demo users can view/run everything but cannot modify admin settings
- Admin write routes (config saves, API keys) blocked for non-admins in demo
- IP allowlist: LAN (192.168.1.*) and localhost never rate-limited
- Admin panel gets Security tab: demo toggle, allowlist management
- Main UI shows "Demo ON" button (green) + top banner when active
- Demo mode state is in-memory, resets on restart (safe default)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
