feat(dashboard): paginate accounts and harden release scans

Author: dwgx

.github/workflows/release.yml

@@ -5,11 +5,30 @@ on:
     tags: ['v*']
 
 jobs:
-  # ──────────────────────────────────────────────
-  # Job 1: Build & Push Docker Image (GHCR)
-  # ──────────────────────────────────────────────
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Secret scan
+        run: npm run secret-scan
+
+      - name: Run tests
+        run: node --test test/*.test.js
+
   docker:
     name: Docker Build & Push
+    needs: test
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -19,6 +38,17 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Build metadata
+        run: |
+          echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV"
+          echo "COMMIT_DATE=$(git log -1 --pretty=%cI)" >> "$GITHUB_ENV"
+          echo "BUILD_BRANCH=${GITHUB_REF_NAME}" >> "$GITHUB_ENV"
+          {
+            echo "COMMIT_MESSAGE<<EOF"
+            git log -1 --pretty=%s
+            echo "EOF"
+          } >> "$GITHUB_ENV"
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -55,21 +85,25 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_VERSION=${{ env.VERSION }}
+            BUILD_COMMIT=${{ github.sha }}
+            BUILD_COMMIT_MESSAGE=${{ env.COMMIT_MESSAGE }}
+            BUILD_COMMIT_DATE=${{ env.COMMIT_DATE }}
+            BUILD_BRANCH=${{ env.BUILD_BRANCH }}
 
       - name: Summary
         run: |
-          echo "## 🐳 Docker Image Published" >> "$GITHUB_STEP_SUMMARY"
+          echo "## Docker Image Published" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "**Tags:**" >> "$GITHUB_STEP_SUMMARY"
           echo '${{ steps.meta.outputs.tags }}' | tr ',' '\n' | sed 's/^/- `/' | sed 's/$/`/' >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "**Platform:** \`linux/amd64\`" >> "$GITHUB_STEP_SUMMARY"
 
-  # ──────────────────────────────────────────────
-  # Job 2: Create GitHub Release with source code
-  # ──────────────────────────────────────────────
   release:
     name: GitHub Release
+    needs: docker
     runs-on: ubuntu-latest
     permissions:
       contents: write

.gitignore

@@ -10,6 +10,7 @@ scripts/*
 !scripts/special-agent-smoke.mjs
 !scripts/lsp-capacity-matrix.mjs
 !scripts/web-search-direct-probe.mjs
+!scripts/secret-scan.mjs
 src/get-token.js
 src/test-cascade.js
 src/runtime-config.json

docs/native-bridge-protocol-notes.md

@@ -149,6 +149,19 @@ hashes, and safe classifications such as `looksPathLike` and
 `looksPromptLike`. Do not use the global raw-string trace switch for production
 traffic; it can capture prompts.
 
+v2.0.137 adds a parser-aligned evidence block at
+`semantic.steps[].readWrapperField19.candidateSummary`:
+
+- `acceptedField` = the field current production parsing would accept
+  (`1`/`2` only, and only when path-like), otherwise `null`
+- `pathLikeFields` = fields whose string payload looks like a path/file URI
+- `rejectedPromptFields` = prompt-like string fields not accepted by the parser
+- `ambiguous` = more than one accepted field, which is a trace investigation
+  signal rather than a license to widen production parsing
+
+This lets a gated canary answer "which field would the current Read parser
+use?" without printing the actual file path or prompt text.
+
 Error trajectory steps also have a dedicated redacted summary. For `type=17`
 or any step carrying `error_message` field `24` / `error` field `31`, traces
 now expose `semantic.steps[].errorStep` with source field numbers, byte
@@ -338,10 +351,27 @@ User settings that influence auto-approval:
 
 `WINDSURFAPI_PROTO_TRACE` now summarizes `requested_interaction=56` and its
 read-url body with byte lengths and hashes only. It also summarizes
-`HandleCascadeUserInteraction` requests, including cascade/trajectory ID hashes,
-step index, action enum, and URL/origin hashes. The next valid WebFetch canary
-decision point is: after approval, did the LS emit a completed `field=40` step
-with `web_document`, an error step, or another requested interaction?
+`HandleCascadeUserInteraction` requests, including cascade/trajectory ID
+hashes, step index, action enum, and URL/origin hashes.
+
+v2.0.137 adds
+`semantic.steps[].webFetchTrace` so a canary can classify the post-approval
+trajectory without raw URL text:
+
+- `pending_permission`
+- `completed_web_document`
+- `auto_run_decision_only`
+- `legacy_summary_only`
+- `native_oneof_no_document`
+- `error` with redacted `permissionDenied` / `failedPrecondition` style flags
+
+Use this field after `HandleCascadeUserInteraction` to decide whether the LS
+advanced to a real `read_url_content.web_document`, repeated the permission
+prompt, or failed a precondition.
+
+The next valid WebFetch canary decision point is: after approval, did the LS
+emit a completed `field=40` step with `web_document`, an error step, or another
+requested interaction?
 
 v2.0.135 adds a lab-only auto-approval hook for this canary:
 

docs/releases/RELEASE_NOTES_2.0.137.md

@@ -0,0 +1,23 @@
+# v2.0.137 - dashboard pagination and protocol trace evidence
+
+## What changed
+
+- Dashboard accounts now load a lightweight paged summary list instead of the full heavy account payload.
+- Account row expansion and model block editing now lazy-load one full account detail via `GET /dashboard/api/accounts/:id`.
+- The abnormal accounts panel now loads only flagged summary rows and uses server-side account stats.
+- Added safe Read wrapper trace evidence for `type=14 / field=19`: accepted field, path-like fields, prompt-like rejected fields, and ambiguity, without raw path or prompt text by default.
+- Added WebFetch trajectory branch evidence for pending permission, completed `web_document`, auto-run-only, legacy-summary-only, and permission/precondition error states.
+- Replaced real-looking email/password examples in `docs/releases/RELEASE_NOTES_2.0.39.md` with non-login placeholders.
+- Added `scripts/secret-scan.mjs` and `npm run secret-scan` for tracked-file secret scanning.
+- Secret scan findings print only `path:line rule`; matched secret values are never printed.
+- Added regression tests for secret-scan output redaction and release workflow ordering.
+- Release workflow now runs tests first, makes Docker depend on tests, and makes GitHub Release depend on Docker.
+- Docker builds now receive `BUILD_VERSION`, `BUILD_COMMIT`, `BUILD_COMMIT_MESSAGE`, `BUILD_COMMIT_DATE`, and `BUILD_BRANCH`.
+
+## Validation
+
+- `npm.cmd run secret-scan`
+- `node --test test/dashboard-api.test.js`
+- `node --test test/proto-trace.test.js`
+- `node --test test/secret-scan.test.js test/release-workflow.test.js`
+- `node --test test/*.test.js`

docs/releases/RELEASE_NOTES_2.0.39.md

@@ -7,9 +7,9 @@ VPS 实测 `/auth/login` 邮箱密码模式提交三个真实账号：
 ```
 POST /auth/login
 { "accounts":[
-  {"email":"qxl.n257570.722@gmail.com","password":"..."},
-  {"email":"tc.vmb.7687617@gmail.com","password":"..."},
-  {"email":"ge.jgpmnelfiyo9.15@gmail.com","password":"..."}
+  {"email":"user1@example.com","password":"<password>"},
+  {"email":"user2@example.com","password":"<password>"},
+  {"email":"user3@example.com","password":"<password>"}
 ]}
 ```
 
@@ -55,7 +55,7 @@ throw new Error('Direct email/password login is not supported. Use token-based a
 ```bash
 $ curl -X POST https://windsurf.com/_backend/exa.seat_management_pb.SeatManagementService/CheckUserLoginMethod \
     -H 'Content-Type: application/json' -H 'Connect-Protocol-Version: 1' \
-    -d '{"email":"qxl.n257570.722@gmail.com"}'
+    -d '{"email":"user1@example.com"}'
 {}
 ```
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "windsurf-api",
-  "version": "2.0.136",
+  "version": "2.0.137",
   "description": "Windsurf to OpenAI + Anthropic compatible API proxy. Turns Windsurf's 107 AI models (Claude, GPT, Gemini, DeepSeek, Grok, Qwen, Kimi, GLM, SWE) into dual-protocol API endpoints. Zero npm deps.",
   "type": "module",
   "main": "src/index.js",
@@ -11,7 +11,8 @@
     "smoke:native-bridge": "node scripts/native-bridge-smoke.mjs",
     "smoke:special-agent": "node scripts/special-agent-smoke.mjs",
     "smoke:lsp-matrix": "node scripts/lsp-capacity-matrix.mjs",
-    "probe:web-search": "node scripts/web-search-direct-probe.mjs"
+    "probe:web-search": "node scripts/web-search-direct-probe.mjs",
+    "secret-scan": "node scripts/secret-scan.mjs"
   },
   "engines": {
     "node": ">=20.0.0"

scripts/secret-scan.mjs

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync, statSync } from 'node:fs';
+import { relative, resolve, sep } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const root = resolve(fileURLToPath(new URL('..', import.meta.url)));
+const args = process.argv.slice(2);
+
+const RULES = [
+  {
+    id: 'openai-api-key',
+    regex: /sk-[A-Za-z0-9_-]{20,}/g,
+  },
+  {
+    id: 'literal-credential-assignment',
+    regex: /\b(?:secret|token|password)\b\s*[:=]\s*["'][A-Za-z0-9_./+=-]{16,}["']/gi,
+  },
+  {
+    id: 'private-key-block',
+    regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g,
+  },
+  {
+    id: 'credentialed-email-example',
+    regex: /[A-Za-z0-9._%+-]+@(?!example\.(?:com|org|net)\b)[A-Za-z0-9.-]+\.[A-Za-z]{2,}["']?\s*,\s*["']?password["']?\s*:/gi,
+  },
+];
+
+const IGNORED_PATHS = new Set([
+  'scripts/secret-scan.mjs',
+  'test/secret-scan.test.js',
+]);
+
+const IGNORED_PREFIXES = [
+  'test/',
+  'test/_research/',
+];
+
+const IGNORED_EXTENSIONS = new Set([
+  '.png', '.jpg', '.jpeg', '.gif', '.webp', '.ico', '.zip', '.db',
+]);
+
+function toRepoPath(file) {
+  return relative(root, resolve(root, file)).split(sep).join('/');
+}
+
+function isIgnored(file) {
+  const repoPath = toRepoPath(file);
+  if (!repoPath || repoPath.startsWith('..') || repoPath.includes('\0')) return true;
+  if (IGNORED_PATHS.has(repoPath)) return true;
+  if (IGNORED_PREFIXES.some(prefix => repoPath.startsWith(prefix))) return true;
+  const lower = repoPath.toLowerCase();
+  return [...IGNORED_EXTENSIONS].some(ext => lower.endsWith(ext));
+}
+
+function trackedFiles() {
+  const output = execFileSync('git', ['ls-files', '-z'], {
+    cwd: root,
+    encoding: 'utf8',
+    maxBuffer: 16 * 1024 * 1024,
+  });
+  return output.split('\0').filter(Boolean);
+}
+
+function inputFiles() {
+  if (args.length) return args;
+  return trackedFiles();
+}
+
+function lineForOffset(text, offset) {
+  let line = 1;
+  for (let i = 0; i < offset; i += 1) {
+    if (text.charCodeAt(i) === 10) line += 1;
+  }
+  return line;
+}
+
+function scanFile(file) {
+  if (isIgnored(file)) return [];
+  const abs = resolve(root, file);
+  if (!existsSync(abs) || !statSync(abs).isFile()) return [];
+  const text = readFileSync(abs, 'utf8');
+  const findings = [];
+  for (const rule of RULES) {
+    rule.regex.lastIndex = 0;
+    for (const match of text.matchAll(rule.regex)) {
+      findings.push({
+        path: toRepoPath(file),
+        line: lineForOffset(text, match.index || 0),
+        rule: rule.id,
+      });
+    }
+  }
+  return findings;
+}
+
+const findings = inputFiles().flatMap(scanFile)
+  .sort((a, b) => a.path.localeCompare(b.path) || a.line - b.line || a.rule.localeCompare(b.rule));
+
+for (const finding of findings) {
+  console.log(`${finding.path}:${finding.line} ${finding.rule}`);
+}
+
+if (findings.length) process.exitCode = 1;