WAF anomaly scoring accumulates across the entire request body. After 2-3 turns,
assistant responses containing infrastructure terms (security, scanning, etc.)
push the total past the threshold. Added per-assistant trim (1500 chars) and a
12000-char sliding window that drops oldest messages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
vLLM requires system messages to be at the beginning. When Axon merges
conversation history with new messages, duplicate system messages cause
a 400 error. Strip all but the first system message.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The vLLM backend at Bank Dhofar runs behind an Istio/Envoy WAF with
ModSecurity-style anomaly scoring. The ChatWidget's 41KB system prompt
accumulates enough infrastructure/security keywords to trigger a 403.
Trim system messages to 6000 chars (70% head + 30% tail) before
forwarding to vLLM — preserves identity/behavior instructions at the
start and FAQ/response guidelines at the end.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Clients (e.g. ChatWidget) send OpenAI model names like gpt-4o-mini which
vLLM doesn't recognize. The provider now queries available models on
startup and remaps any unrecognized name to the configured default.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces a provider abstraction so Axon can proxy to either Claude SDK
(existing behavior) or a vLLM-compatible endpoint. Toggled via
AXON_PROVIDER env var ("claude" | "vllm"). When vllm, requests pass
through as-is (no prompt translation), session pool and OAuth are skipped.
Closesopenova-io/openova#36
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Part of the brand-consistency sweep (openova-private#116). All brand
surfaces must use the swirl mark with gradient #3B82F6 → #818CF8.
- public/favicon.svg: replaced with canonical mark (was a purple
placeholder logo)
- OOLogo.tsx: default c1 coerced from #38BDF8 → #3B82F6 to match the
brand/logo-mark.svg canonical gradient
- AuthLayout.tsx: OctagonAlert in blue-square placeholder → OOLogo;
label 'OpenOva Corporate' → 'OpenOva Sovereign'
- AppLayout.tsx: same — OctagonAlert → OOLogo; 'Corporate' → 'OpenOva Sovereign'
Part of the tier-URL cutover (openova-private issue #116). Catalyst UI moves
from catalyst.openova.io to console.openova.io/sovereign.
- vite.config.ts: base '/sovereign/' so built HTML/asset refs are prefixed
- src/app/router.tsx: TanStack Router basepath '/sovereign' so Link/navigate
emit /sovereign-prefixed URLs
- src/shared/config/urls.ts (NEW): central BASE / API_BASE / path() helper
- StepReview.tsx: fetch('/api/v1/deployments') → fetch(`${API_BASE}/v1/deployments`)
and window.location.href = '/provision.html' → path('provision.html')
- StepCredentials.tsx: same treatment for /api/v1/credentials/validate
- nginx.conf SPA fallback simplified to try_files $uri /index.html — avoids
nginx's directory trailing-slash redirect that would strip the /sovereign
prefix client-side
No more hardcoded URLs in the source (see feedback_never_hardcode_urls rule).
Footer used to be rendered inside StepShell — every step navigation
unmounted the old footer and mounted a new one, which produced a
visible flicker (the 'bounce' the user reported).
Architecture change:
- New shared/lib/wizardNav.ts — tiny Zustand store holding the active
step's nav handlers (onNext, onBack, disabled, loading, label, title)
- StepShell now publishes its nav state via useEffect; renders no footer
- WizardLayout renders ONE persistent footer that reads from wizardNav
Result: footer DOM is stable across step transitions. Buttons swap
behavior synchronously (no remount, no fade-in flicker). Stepper
counter and progress pill stay in place too.
User: 'I don't think anyone will read that section. If you believe
the info is required, put it at the bottom.'
Matching SME's pattern now:
- Compact 1.1rem title with subtle border-bottom divider
- Description paragraph removed from the top
- Description re-rendered at the BOTTOM of the step content as muted
helper text (0.82rem, dashed border-top), so users who want the
context can still read it after completing the main task
- Reclaims ~70-90 px of vertical space above the step content
User requested Corporate inherit every polish element where SME is
better. Changes (all minimum-touch):
Palette (globals.css):
- Accent channel: sky-400 (56,189,248) → SME blue-500 (59,130,246)
- Light-mode accent: sky-600 (2,132,199) → SME blue-600 (37,99,235)
- New --wiz-success-ch: SME emerald (16,185,129 dark / 5,150,105 light)
- Unifies green dots and blue pills with SME on sight
WizardLayout.tsx:
- Stepper circle 'done' state: #22C55E → rgba(var(--wiz-success-ch))
- Stepper separator 'done': same
- Driven entirely by CSS vars — light/dark flips automatically
_shared.tsx (StepShell flat + SME footer):
- Removed outer card wrapper (no bg, no border, no shadow, no blur)
- Content flows flat — child cards are the only surfaces now
- Nav buttons moved to a sticky bottom footer (like SME):
• Back: transparent outline, SME border style
• Continue: solid SME accent, subtle shadow, no gradient
- Backdrop-blur on footer matches the header
- Loading spinner inline in Continue button
User preferred the previous approach — stepper as its own centered
row below the header, matching SME's current pattern exactly.
Reverts the in-header stepper change; restores WizardLayout.tsx to
the state from commit 7ed9239.
User wanted the stepper to live in the header area to reclaim
vertical space, not as a separate row below. Now:
- Header: 3-zone grid (logo · stepper · actions) in one row
- Stepper: inline pills (row: circle + label side-by-side)
- Active pill has accent bg + ring; done shows green circle with check
- Responsive: labels hide below 980px, pill strips to compact dots
- Phone: header reflows to 2 rows (logo/actions + stepper below)
- All chrome fits in ~56 px of header height total
User request: unify both wizards on the horizontal pattern and bring
Corporate in line with SME's look-and-feel (dark/light mode, colors,
cards) with minimum changes.
Minimum-touch changes:
- globals.css: flatten --wiz-page-bg from radial gradient to solid
#0b1220 (dark) / #f8fafc (light) — matches SME's flat bg.
--wiz-panel-bg bumped to #111827 (dark) / #ffffff (light) to match
SME card surfaces.
- WizardLayout.tsx: complete rewrite as a horizontal top-stepper
(header + stepper row + content), mirroring the SME stepper pattern
(32px numbered circles + labels below + 44px connecting lines).
Done circles turn green with a check; active is accent blue with a
soft ring; pending stays as a hollow circle.
- Responsive: labels hide below 720px, circles shrink to 28px so 6
steps remain legible on tablets and phones.
Step content components (StepOrganisation, StepTopology, ...) are
unchanged — they inherit the new palette via the existing --wiz-*
variables.
User feedback: 1km gap between balls and main card, and vertical spacing
between balls was too tight at 22px.
- Body padding-left 40px → 8px (desktop)
- Content wrapper: margin: 0 auto → marginLeft: 0 (left-align to hug
the sidebar; card right edge now rests against the balls)
- Desktop step gap: 22 → 28 (+27%)
- Tablet step gap: 18 → 24 (+33%)
- Content maxWidth 960 → 1000 to fill the extra breathing room
User feedback: previous revision brought back a subtle sidebar pane
(tint + right border) which was wrong direction. Also gaps between
balls stretched to fill full viewport height, making spacing excessive.
Redesign:
- Sidebar width 260 → 200 px, NO bg, NO border (fully transparent)
- Fixed 22 px gap between balls — no more flex:1 stretch
- Stepper right-aligned within sidebar so balls sit flush against
the main content card (tight visual proximity, as requested)
- Labels rendered LEFT of balls (one word each — dropped the
two-line title+description pattern)
- Logo also right-aligned to match direction
- Progress bar compact at the bottom, right-aligned
- Tablet variant: icon-only balls, same transparent + centered pattern
Previous redesign killed sidebar bg entirely — content read as left-aligned
because the left 260px was visually empty (no counterbalance).
Also: pending rails used --wiz-border-sub (rgba 255/0.06) for a dashed
pattern, which rendered as invisible. User reported 'no lines between
balls when not selected'.
Fixes:
- Sidebar: subtle tint rgba(var(--wiz-ch), 0.015) + thin right border
rgba(var(--wiz-ch), 0.08). Enough weight to balance the page without
returning to 'menu' feel.
- Rail thickness: 1.5px → 2px for cleaner rendering
- Pending rail: solid rgba(var(--wiz-ch), 0.2) instead of invisible
dashed. Always visible regardless of state.
- Border radius 1px on rails for softer edges.
- Applied consistently to desktop and tablet variants.
Sidebar:
- Removed distinct bg + border + backdrop-filter that made it read as a menu
- Added vertical connecting rail between step circles (solid gradient for
done/current, dashed grey for pending) — clearly signals journey, not nav
- Distributed steps with flex: 1 grow on each item so the rail fills
the full viewport height instead of clustering at top
- Active step circle has a soft pulse ring animation
- Progress bar integrated at rail's end (no hard divider)
- Same rail pattern applied to tablet variant
Rename (user-facing only — internal codename stays "catalyst"):
- index.html title: OpenOva Catalyst → OpenOva Corporate
- WizardLayout logo sub-label: Catalyst → Corporate
- AuthLayout brand text: OpenOva Catalyst → OpenOva Corporate
- AppLayout sidebar label: Catalyst → Corporate
- LoginPage subtitle: "Catalyst account" → "Corporate account"
Not renamed (internal): store names, CSS vars, repo paths, k8s namespace,
catalyst.openova.io domain — avoids SEO/DNS/infra churn.
Replace the live-SSE phase+log view with a static DAG animation page
at /provision.html. Launch OpenOva now redirects there via
window.location. The old React ProvisionPage and /provision route are
removed. Backend POST /api/v1/deployments still fires so the API side
is unchanged; only the rendered provisioning view is swapped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Skip refresh gracefully when .credentials.json doesn't exist (e.g. CI
smoke test with no Claude auth mounted).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Claude Agent SDK does not refresh OAuth tokens. Axon now:
1. Refreshes the token on startup before creating session pool
2. Runs a periodic refresh every 4 hours
3. Writes refreshed credentials to disk so session subprocesses use them
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Claude Agent SDK does not handle OAuth token refresh. Adds a CronJob
(every 4h) that refreshes the token via Anthropic's OAuth endpoint and
updates the K8s secret. Disabled by default.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Claude Agent SDK does not handle OAuth token refresh — it reads the
accessToken from .credentials.json and uses it directly. When the token
expires (~8h), Axon returns 401 until manually refreshed.
Adds a CronJob (every 4h by default) that:
1. Reads the refreshToken from the K8s secret
2. Calls Anthropic's OAuth token endpoint to get a fresh accessToken
3. Updates the K8s secret with the new credentials
4. Restarts the Axon deployment to pick up the new token
Includes ServiceAccount, Role, and RoleBinding for least-privilege access.
Disabled by default (axon.tokenRefresh.enabled: false).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The credentials were mounted as a read-only K8s secret subPath. When the
Claude SDK refreshed the OAuth token, it couldn't persist the new token
back to disk. On pod restart, the stale expired token was loaded again,
causing 401 auth failures.
Fix: initContainer copies credentials from secret to a writable emptyDir
volume. The SDK can now refresh tokens and persist them within the pod
lifecycle. Also creates the debug/ directory the SDK requires.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Valkey was crash-looping (372 restarts) because the 521MB RDB exceeded
the 512Mi memory limit. Adds maxmemory and maxmemory-policy args to
the valkey deployment template with configurable defaults.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace all rgba(sch,opacity) template literals in the sidebar with
semantic --wiz-text-* CSS variables that are pre-calibrated for WCAG AA
in both dark and light mode:
rgba(sch,0.85) → --wiz-text-hi (21:1 on light)
rgba(sch,0.45) → --wiz-text-md (9.5:1 on light, was 3.3:1 — FAILED)
rgba(sch,0.20) → --wiz-text-sub (4.7:1 on light, was 1.5:1 — FAILED)
rgba(sch,0.05) → --wiz-bg-input
rgba(sch,0.10) → --wiz-border
rgba(sch,0.06) → --wiz-border-sub
rgba(sch,0.08) → --wiz-bg-input
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The left nav sidebar was forced dark (#0c1525→#0f172a gradient) in light
mode via a hardcoded LIGHT_SIDEBAR_BG constant. Remove it entirely and let
`--wiz-bg-sub` (#f4f6f8) and `--wiz-ch` (0,0,0 channel) take over, giving
proper light text-on-light-bg contrast via the existing CSS variable system.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Line 1: product name left-aligned + M/R/O color badges right-aligned
Line 2: conceptual product family subtitle (GitOps & IaC, Networking & Service Mesh, etc.)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Component mini-cards: M/R/O color badges on first line, product name
(PILOT, SPINE, etc.) on second line — numbers lead, label follows
- Infrastructure section: topology name and AIR-GAP badge moved into
the section header bar — eliminates the separate summary block and
its whitespace; region cards start immediately below the header
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Each option card: explicit height:62px + overflow:hidden — guaranteed
equal height for all 5 regardless of tagline length
- Tagline: whiteSpace:nowrap + textOverflow:ellipsis — 1 line max,
full text visible in the detail panel on the right
- Outer container: alignItems flex-start — right panel height changes
on selection no longer affect left panel (root cause of jumping)
- Canvas: fixed height:200px — substantial diagram, consistent size
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- TopologyDetail canvas: flex:1 so SVG grows to fill all space between
header and bullets — eliminates bottom whitespace
- TopologyDetail bullets: flexShrink:0 (fixed at bottom, doesn't flex)
- Legend font size: 8px → 11px, dot size 8px → 10px, better readability
- Left panel options: CSS grid repeat(5,1fr) so all 5 rows are equal
height on desktop — tallest item sets the row height for all five
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1. StepTopology — fixed-height diagram canvas (152px) with SVG height=100%; all topologies
render at identical visual size regardless of viewBox aspect ratio
2. StepTopology — outer container alignItems stretch; left panel and right panel bottoms
always aligned consistently
3. StepTopology — air-gap toggle no longer expands; pure toggle with no diagram overlay
4. StepProvider — max 3 region cards per row, wraps to 2nd line for CITADEL (4 regions);
when air-gap enabled, amber-styled air-gap region card appended
5. StepReview — redesigned as 2-row layout:
- Row 1: Organisation (1fr) + Components (2fr) — 3x3 group mini-cards with M/R/O counts
- Row 2: Infrastructure full-width — topology/airgap summary + flex region cards
(1-5 cards, all equal height via alignItems stretch)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- StepTopology: add VBOX helper — dashed inner border + vC badge on every
physical cluster box; shows 3 vClusters (MGMT/DMZ/RTZ) inside SOLO and
COMPACT clusters; 1 vCluster per physical cluster in ZONED/DUAL/CITADEL
- Add vclusters count stat to topology option list and detail panel
- Add vCluster legend below each diagram explaining dashed border semantics
- componentGroups: add vcluster (mandatory) to PILOT group
- componentGroups: replace MinIO with SeaweedFS (multi-protocol) in SILO group
- model: update DEFAULT_COMPONENT_GROUPS pilot + silo defaults accordingly
- store: migrate persisted state — minio → seaweedfs, inject vcluster into pilot
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Architecture:
- Add CITADEL topology — 4 regions, 6 clusters: 2 dedicated CP regions
(MGMT-only, HA pair, no workload) + 2 DP regions (DMZ+RTZ each); replaces
the broken TRIANGLE which had single-site MGMT; Tier-1 Bank tag
- Keep DUAL (6 clusters, 2 regions) as recommended Enterprise option
- Topology range: CITADEL (4r/6c) → DUAL (2r/6c) → ZONED (2r/4c) →
COMPACT (2r/2c) → SOLO (1r/1c)
- Register 'citadel' in TopologyTemplate, TOPOLOGY_REGION_COUNT (4),
TOPOLOGY_REGION_LABELS (CP1/CP2/DP1/DP2), and store sanitize list
Cosmetic:
- Diagram area background changed from rgba(0,0,0,0.25) grey to a proper
dark canvas (linear-gradient #0a1628→#0f172a) so topology SVG colours
pop in both light and dark modes — no more passive greyed-out look
- SVG helpers use hardcoded white fill/stroke instead of CSS vars so the
diagrams are always crisp on the dark canvas regardless of theme
- Default topology reset to null (no pre-selected value)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove TRIANGLE topology (single-site MGMT is architecturally unsound);
DUAL (6 clusters) is now the top option, MGMT active in both regions;
range is now 6→4→2→1 building blocks (DUAL, ZONED, COMPACT, SOLO)
- Topology step: equal-height left/right columns via alignItems:stretch +
flex:1 on each option card so all cards share the same height
- Provider step: region cards always fill 100% width (Array(n).fill('1fr'));
remove 420px single-region cap; remove 'Credentials required next' card
- Provider dropdown: fix active-item text (#fff→var(--wiz-text-hi)) so it
reads on white panel in light mode; lighten panel shadow for light mode
- Add --wiz-accent CSS token (dark: rgba(56,189,248,0.8) / light: #0284c7
WCAG AA ✓); replace all rgba(56,189,248,0.X) text colours across every
wizard step so they are readable in light mode
- Review step: rename button to 'Launch OpenOva'
- --wiz-panel-bg in light mode → #f1f5f9 so dropdown panel is distinct
from surrounding white card background
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- StepReview: add cloud provider logos to Infrastructure and Credentials rows,
replace boring "X selected" with M/R/O color-coded tier breakdown chips,
rename button to "Launch OpenOva ecosystem", update step title/description
- componentGroups.ts: extract shared GROUPS data (Tier/ComponentDef/GroupDef)
so StepComponents and StepReview both import from a single source of truth
- StepComponents: import GROUPS from componentGroups.ts, fix Zustand stale
state bug (use getState() after toggleGroupComponent to read live state,
eliminating Livekit→Stunner mis-selection and similar Fabric group issues)
- StepTopology: fix selected item text turning white on light background
(isSelected color: '#fff' → 'var(--wiz-text-hi)' which is #0f172a in light)
- WizardLayout: remove A/B/C light mode picker, lock in Option B (Midnight
Split dark sidebar) permanently as LIGHT_SIDEBAR_BG constant
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All `rgba(var(--wiz-ch),X)` patterns replaced with named semantic tokens
across all 7 wizard step components + WizardLayout:
- --wiz-text-hi / md / lo / sub / hint — text tiers with WCAG AA light values
- --wiz-border / --wiz-border-sub — border tiers
- --wiz-bg-card / input / sub / xs — background tiers
- --wiz-card-shadow — eliminates the 0 32px 80px rgba(0,0,0,0.5) blotch in light mode
Light mode values: #0f172a (21:1) → #64748b (4.7:1 AA). Dark mode behaviour
unchanged — tokens resolve to same rgba(255,255,255,X) values as before.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Floating A·B·C toggle appears top-right in light mode only.
A = Slate Pro (cool gradient), B = Midnight Split (dark sidebar),
C = Cloud Paper (white sidebar + slate bg). Persisted in localStorage.
Option B properly restores dark sidebar with white channel text.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduce --wiz-ch CSS channel variable (255,255,255 dark / 0,0,0 light) and
matching --wiz-page-bg, --wiz-panel-bg, --wiz-deep-bg overrides in
[data-theme="light"]. Replace every hardcoded rgba(255,255,255,X) inline style
across WizardLayout, all 7 step components, and _shared with
rgba(var(--wiz-ch),X) so text, borders, and surface tints automatically invert
when the theme toggles. Fix SVG diagram helpers (BOX/REGION) to use style={{}}
attributes instead of presentation attributes so CSS custom properties resolve
correctly. Replace hardcoded dark panel backgrounds (#131320, #0f1117) with
var(--wiz-panel-bg) / var(--wiz-deep-bg).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Each component now shows its official brand color + recognisable inline SVG
mark (18×18) in the component selection list. Logos dim when deselected and
reach full opacity when selected, giving clear visual feedback.
Covers all 9 blocks: PILOT, SPINE, SURGE, SILO, GUARDIAN, INSIGHTS,
FABRIC, CORTEX, RELAY — all 52 components.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Custom dropdown component with provider logos, chevron animation, dark
panel with check indicator. Region auto-selected on provider change
(HQ-suggested or first available). Fallback to first provider+region
when no HQ hint matches.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- All region cards always fully expanded side-by-side (no accordion)
- Grid layout: 1/2/3 columns matching topology region count
- Radio button semantics: dot indicator for provider + cloud region selection
- HQ-based pre-selection: parses orgHeadquarters to suggest nearest provider
and stagger cloud regions across topology regions for built-in redundancy
(e.g. Frankfurt → Hetzner FSN1/NBG1/HEL1 across 3 regions)
- '★ nearest' badge on recommended provider when not yet configured
- HQ hint banner at top shows which location drove the suggestions
- Credentials summary shown once all regions are fully configured
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Recommended items now pre-selected by default in all blocks; optional items off
- Profile-based defaults: industry/compliance/size adjusts which optional blocks
(FABRIC, CORTEX) are pre-enabled and which recommended components are selected
e.g. Financial Services → FABRIC(cnpg/valkey/strimzi/debezium) + openmeter + strongSwan
e.g. Tech/Large orgs → CORTEX(kserve/knative/axon) enabled
- Re-applies automatically when org profile fields change
- Card header: PRODUCT NAME — Subtitle on line 1, 1-line description on line 2
- Added componentsAppliedForProfile to store to avoid overwriting user customizations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove Required/Optional tag badge from card header
- Subtitle now occupies that space (conceptual name, truncated 1 line = equal heights)
- Tier chips (Xm/Yr/Zo) replace selection count text, color-coded:
M = always grey/muted (user cannot change mandatory), R = blue, O = indigo
Chips light up only when items are actually selected
- Locked mandatory items: grey checked checkbox (opacity 0.6) instead of green
so user clearly understands these cannot be toggled
- Lock icon changed from green to muted white
- Remove SelectionDot (replaced by tier chips as selection indicator)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
