Only the zap VM remains in the fleet. Remove orb/sun from the README
architecture/config docs, the getVMClassName allowlist, and their
.timeline-vm-tag color styles.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Ship the in-progress ES-module refactor of the web-ui (new static/modules/
layout, Usage/Settings pages, uplot-based dashboard) alongside a round of
security and UX fixes:
- main.go: add CSP + X-Frame-Options: DENY + X-Content-Type-Options:
nosniff + Referrer-Policy middleware on every response; WS CheckOrigin
now requires Origin host to match Host (blocks cross-site WebSocket
hijacking); upgrade client before dialing upstream so origin check
runs first; fatal on unparseable AGENTMON_QUERY_BASE.
- app.js: delegated click handler intercepts same-origin <a> clicks for
SPA navigation (prev. every nav link caused a full page reload,
dropping WS + in-memory state); delegated .copy-btn[data-copy]
handler replaces inline onclick=; removed window.navigate /
window.copyToClipboard globals and the duplicated handleGlobalSearch.
- modules/nav-signal.js: per-route AbortController so in-flight fetches
are cancelled when the user navigates away, preventing stale toasts
and wasted renders.
- modules/api.js: honours the nav signal by default; AbortError is
silent.
- modules/router.js: resets the nav controller on every route; dropped
the fixed 80ms transition delay; breadcrumbs no longer emit inline
onclick= (delegated handler picks them up).
- modules/utils.js: renderCopyButton emits data-copy=\"...\" instead of
nesting a JS string inside an HTML attribute — fixes an XSS where
values containing ' broke out via ' decoding.
Verified: go build clean; `node --check` clean on all modified modules;
manual curl probes confirm security headers present on every response
and WS upgrade returns 403 for cross-origin/missing Origin while 101
for same-origin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
William Valentin