feat(auth): add guest/admin PIN security model and hardening

docs/copilot-context-loss-incident-2026-04-21.md

@@ -0,0 +1,51 @@
+# Copilot Chat Incident Report: Context Loss After Project Context Change
+
+Date observed: 2026-04-21
+Reporter: Michael Shallop (Gramps)
+Environment: VS Code on Linux, GitHub Copilot Chat extension present
+
+## Summary
+Switching/loading project context in the VS Code project window caused Copilot Chat conversational context to reset. This resulted in loss of recently generated conclusion/plan data that was intended to be implemented immediately after loading the new project.
+
+## Impact
+- Lost actionable conclusions from the active design/planning thread.
+- Interrupted workflow at a critical handoff point (planning -> implementation).
+- Forced reconstruction from memory instead of exact prior content.
+- Increased risk of omissions and rework.
+
+## Reproduction Steps
+1. Have an active Copilot Chat conversation containing planning/conclusion details.
+2. Load or switch project context in the current project window.
+3. Return to Copilot Chat and continue the thread.
+4. Observe that prior context is no longer available in-chat as expected.
+
+## Expected Behavior
+- Prior active conversation context should remain available, or
+- The user should be prompted before context-destructive operations, and
+- Recovery path should be obvious and reliable.
+
+## Actual Behavior
+- Current chat context was effectively reset.
+- The previously concluded upgrade notes were not recoverable from active context.
+- Local transcript/debug artifacts did not provide the full prior thread needed.
+
+## Severity
+High (workflow-breaking for planning-heavy sessions)
+
+## User-visible Failure Mode
+The user lost conclusion data that was intended for immediate implementation once the new project loaded.
+
+## Suggested Fixes
+1. Preserve active chat state across workspace/project context changes by default.
+2. Show a blocking warning before any action that can drop active conversation state.
+3. Add one-click export/snapshot of current conversation before context switch.
+4. Improve transcript durability and discoverability for immediate recovery.
+5. Add explicit session continuity indicator so users can verify state retention.
+
+## Notes
+- This incident occurred in a real implementation workflow and caused direct productivity loss.
+- Regression tests should include workspace switch/load scenarios with active chat state.
+
+## Escalation Constraint
+- Current product constraints prevented the assistant from directly self-reporting this incident to the Copilot/VS Code dev team from within the chat runtime.
+- User feedback to include verbatim: "it is idiotic to keep you from self-reporting issues like this."

docs/wiki/current-wip.md

@@ -0,0 +1,83 @@
+# JarvisChat Current WiP Backlog
+
+Last updated: 2026-04-27
+Owner: Gramps + Copilot
+Scope: issues, bugs, security exposures, and feature enhancements.
+
+Total identified items: 26
+
+## Priority Definitions
+- P0: Critical risk or data-loss/security exposure; do first.
+- P1: High impact reliability/correctness work.
+- P2: Important feature/UX improvements.
+- P3: Nice-to-have polish.
+
+## Top 10 (Urgency Order)
+1. [P0] Add authentication/authorization for all write and admin endpoints.
+2. [P0] Add CSRF/origin protection for browser-initiated state-changing requests.
+3. [P0] Block unsafe URL schemes in rendered search-result links (e.g., javascript:).
+4. [P0] Add rate limiting and request body size limits for chat/search/profile APIs.
+5. [P1] Restrict settings updates to an allowlist of valid keys.
+6. [P1] Add pagination + hard caps on list endpoints (memories, conversations, message history).
+7. [P1] Stop returning raw exception text to clients; use safe error envelopes.
+8. [P1] Add automated tests for chat streaming, auto-search trigger, and memory command paths.
+9. [P2] Implement skills/tool-call framework (MCP-style) with per-skill enable controls.
+10. [P2] Implement heartbeat/check-in pipeline with scheduler + summary endpoint.
+
+## Item 1 Executive Summary (Scope + Security)
+
+- Status: Complete. Guest/admin capability split implemented with admin-only write enforcement, origin checks on state-changing requests, audit logging, and endpoint capability tests.
+
+- Decision: JarvisChat is local-first by design. Primary mode is same-host Ollama; optional mode allows RFC1918 LAN endpoints only.
+- Constraint: Public Internet AI endpoints are out of scope unless explicitly enabled in a future advanced mode.
+- Risk: Even on LAN, unauthenticated write/admin endpoints permit unauthorized data tampering and deletion.
+- Requirement: Add mandatory admin authentication for all POST/PUT/DELETE routes and destructive actions.
+- Authentication shape (scope-locked): two capability tiers only: guest (chat-only) and admin (4-digit PIN unlock).
+- Scope guardrail: Avoid full RBAC. Keep capability split minimal: conversational chat for guest, advanced/destructive actions for admin.
+- Definition of done:
+	1. Auth required on all state-changing endpoints.
+	2. Destructive actions require admin authorization.
+	3. Endpoint configuration rejects non-local/non-RFC1918 AI backends by default.
+	4. Strong rate limiting + lockout controls in place for PIN attempts.
+	5. Security events logged for failed and successful admin actions.
+
+## Full Backlog (Sorted by Priority)
+
+### P0 Critical
+1. Add auth for write/admin endpoints (`POST/PUT/DELETE` routes, mass delete, profile/settings changes).
+2. Add CSRF or strict origin checks for browser session protection.
+3. Validate/sanitize outbound href URLs before rendering in HTML (allow http/https only).
+4. Add per-IP rate limiting on `/api/chat`, `/api/search`, `/api/profile`, `/api/settings`.
+5. Enforce request size limits (message/profile text and JSON body) to prevent memory abuse.
+
+### P1 High
+6. Add settings key allowlist in `/api/settings` to prevent arbitrary key injection.
+7. Add pagination (`limit`, `offset`) with enforced maximums for list APIs.
+8. Add DB indexes and query hygiene for scalability (`messages.conversation_id`, timestamps).
+9. Replace raw exception leakage to clients with generic safe error messages + server-side logs.
+10. Add request/response timeout and retry policy consistency across external calls.
+11. Add endpoint-level audit logging for destructive operations.
+12. Add unit/integration tests for: remember/forget parsing, refusal detection, search fallback, SSE done/error shape.
+13. Add conversation title sanitization and length constraints.
+14. Ensure default preset semantics are correct (currently all seeded presets are marked default).
+
+### P2 Important Features
+15. Skills system: load markdown skill files with YAML frontmatter from skills directory.
+16. Skills registry API: list/enable/disable skills and expose active skills to UI.
+17. Inject active skill instructions into system prompt with bounded token budget.
+18. Tool execution guardrails: allowlist, confirmation mode, and execution logs.
+19. Heartbeat scheduler (cron/systemd timer) for daily check-ins.
+20. Heartbeat endpoint for generated briefings and anomaly summaries.
+21. Model info UI panel (description, updated date, best-use purpose).
+22. Default model selection improvements and persistence validation.
+23. Hidden model list support (exclude models from dropdown).
+24. Model update action from UI (trigger controlled model pull).
+
+### P3 Nice to Have
+25. Conversation search/filter and export tooling.
+26. Keyboard shortcuts, retry button, and source-link polish.
+
+## Maintenance Rules
+- Keep this file as the single source of truth.
+- Update item priority/status whenever work starts or completes.
+- Mirror the Top 10 summary in README and keep counts aligned.