feat: comprehensive codebase improvements and features

Major enhancements across the entire codebase:

**Security & Authentication:**
- Add UI authentication system (LoginPage, useAuth hook, auth endpoints)
- Implement security self-protection module
- Add heartbeat service for monitoring
- Add UI session middleware and service

**Channel System:**
- Add message normalizers (base, telegram) with comprehensive tests
- Enhance channel service implementation
- Improve attachment handling

**Database & Migration:**
- Fix unused variable warnings in seed-database script
- Improve migration script error handling
- Add database adapter improvements

**AI Provider Updates:**
- Update provider configs (alibaba, azure, github-copilot, opencode, siliconflow, togetherai, venice)
- Add new provider capabilities

**Core Services:**
- Add file-system tool improvements
- Enhance event system
- Improve sandbox code validator
- Add security index exports

**Documentation:**
- Update API routes documentation
- Revise architecture docs
- Update UI components documentation

**Infrastructure:**
- Update Docker configuration
- Improve docker-compose setup
- Update package.json dependencies
- Add version bump scripts

**Code Quality:**
- Remove _fix.js temporary file
- Clean up unused code
- Improve error handling across services

Includes 100+ new files and extensive refactoring across all packages.

Author: ersinkoc

.env.example

@@ -21,14 +21,18 @@ NODE_ENV=development
 # ===========================================
 # Database (PostgreSQL)
 # ===========================================
-# Option 1: Full connection URL
+# These defaults match docker-compose.yml so both paths work out of the box.
+#
+# Option 1: Full connection URL (overrides individual settings)
 # DATABASE_URL=postgresql://ownpilot:ownpilot_secret@localhost:25432/ownpilot
 
 # Option 2: Individual settings
+# For "From Source" dev: localhost + exposed port 25432
+# For Docker: docker-compose.yml hardcodes host=postgres, port=5432 internally
 POSTGRES_HOST=localhost
 POSTGRES_PORT=25432
 POSTGRES_USER=ownpilot
-POSTGRES_PASSWORD=your-secure-password-here
+POSTGRES_PASSWORD=ownpilot_secret
 POSTGRES_DB=ownpilot
 # POSTGRES_POOL_SIZE=10
 # DB_VERBOSE=false

Dockerfile

@@ -56,23 +56,34 @@ RUN pnpm install --frozen-lockfile --prod
 
 # Copy built files from builder
 COPY --from=builder /app/packages/core/dist ./packages/core/dist
+COPY --from=builder /app/packages/core/data ./packages/core/data
 COPY --from=builder /app/packages/gateway/dist ./packages/gateway/dist
+COPY --from=builder /app/packages/gateway/data ./packages/gateway/data
 COPY --from=builder /app/packages/channels/dist ./packages/channels/dist
 COPY --from=builder /app/packages/cli/dist ./packages/cli/dist
 
 # Copy UI static assets (no node_modules needed — pre-built by Vite)
 COPY --from=builder /app/packages/ui/dist ./packages/ui/dist
 
+# Create non-root user
+RUN addgroup -g 1001 -S ownpilot && adduser -S ownpilot -u 1001 -G ownpilot
+
+# Create data directory with proper ownership
+RUN mkdir -p /app/data && chown -R ownpilot:ownpilot /app/data
+
 # Set environment variables
 ENV NODE_ENV=production
 ENV PORT=8080
 ENV HOST=0.0.0.0
 
+# Switch to non-root user
+USER ownpilot
+
 # Expose port
 EXPOSE 8080
 
 # Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
   CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
 
 # OCI labels for GHCR

README.md

@@ -162,18 +162,19 @@ All messages (web UI chat, Telegram, trigger-initiated chats) flow through the s
 ```bash
 git clone https://github.com/ownpilot/ownpilot.git
 cd ownpilot
-cp .env.example .env
 
-# Start OwnPilot + PostgreSQL
+# Start OwnPilot + PostgreSQL (uses defaults, no .env needed)
 docker compose --profile postgres up -d
 
 # UI + API: http://localhost:8080
 ```
 
-Or use the pre-built image:
+To customize settings (auth, Telegram, etc.), copy and edit `.env` before starting:
 
 ```bash
-docker pull ghcr.io/ownpilot/ownpilot:latest
+cp .env.example .env
+# Edit .env — docker-compose.yml defaults match .env.example
+docker compose --profile postgres up -d
 ```
 
 ### From Source
@@ -182,7 +183,7 @@ docker pull ghcr.io/ownpilot/ownpilot:latest
 
 - **Node.js** >= 22.0.0
 - **pnpm** >= 10.0.0
-- **PostgreSQL** (via Docker or native)
+- **PostgreSQL** 16+ (via Docker Compose or native install)
 
 #### Setup
 
@@ -194,8 +195,10 @@ pnpm install
 
 # Configure
 cp .env.example .env
-# Edit .env with database connection details
-# AI provider API keys are configured via the Config Center UI after setup
+# Edit .env if needed (defaults work with docker compose PostgreSQL)
+
+# Start PostgreSQL (if you don't have one already)
+docker compose --profile postgres up -d
 
 # Start development (gateway + ui)
 pnpm dev
@@ -204,6 +207,8 @@ pnpm dev
 # API: http://localhost:8080
 ```
 
+AI provider API keys are configured via the **Config Center UI** (Settings page) after setup.
+
 ### Configuration via CLI
 
 ```bash
@@ -448,23 +453,35 @@ All API keys are managed via the **Config Center UI** (Settings page) or the `ow
 
 ### Supported Providers
 
-| Provider           | Integration Type               | Key Models                                                            |
-| ------------------ | ------------------------------ | --------------------------------------------------------------------- |
-| **OpenAI**         | Native                         | GPT-4o, GPT-4o-mini, o1, o3-mini                                      |
-| **Anthropic**      | Native (with prompt caching)   | Claude Sonnet 4.6, Claude Opus 4.6, Claude 3.7 Sonnet, Claude 3 Haiku |
-| **Google**         | Native (with OAuth)            | Gemini 2.0 Flash, Gemini 1.5 Pro                                      |
-| **Zhipu AI**       | Native                         | GLM-4                                                                 |
-| **Together AI**    | Aggregator (OpenAI-compatible) | Llama 3.3 70B, DeepSeek R1/V3, Qwen 2.5 Coder                         |
-| **Groq**           | Aggregator (ultra-fast LPU)    | Llama 3.3 70B, Mixtral 8x7B, Gemma 2 9B                               |
-| **Fireworks AI**   | Aggregator                     | Llama 3.3 70B, Qwen 2.5, FLUX image models                            |
-| **DeepInfra**      | Aggregator                     | Serverless open-source inference                                      |
-| **OpenRouter**     | Aggregator                     | Unified API for all providers                                         |
-| **Perplexity**     | Aggregator                     | Sonar Pro, Sonar Reasoning (with citations)                           |
-| **Cerebras**       | Aggregator (fastest inference) | Llama 3.3 70B, Llama 3.1 8B                                           |
-| **fal.ai**         | Aggregator (image/video)       | FLUX Pro/Dev/Schnell, Stable Diffusion, Recraft v3                    |
-| **Ollama**         | Local (auto-discovered)        | Any GGUF model                                                        |
-| **LM Studio**      | Local (auto-discovered)        | Any loaded model                                                      |
-| **LocalAI / vLLM** | Local                          | Self-hosted models                                                    |
+**96 providers** with auto-synced model catalogs from [models.dev](https://models.dev). Key providers:
+
+| Provider | Integration Type | Key Models |
+| --- | --- | --- |
+| **OpenAI** | Native | GPT-5.3 Codex, GPT-5.2, GPT-5.1, o4-mini, o3 |
+| **Anthropic** | Native (prompt caching) | Claude Sonnet 4.6, Claude Opus 4.6, Claude Sonnet 4.5, Claude Haiku 4.5 |
+| **Google** | Native | Gemini 3.1 Pro, Gemini 3 Flash, Gemini 2.5 Flash/Pro |
+| **xAI** | Native | Grok 4.1 Fast, Grok 4, Grok 3 |
+| **DeepSeek** | Native | DeepSeek Chat, DeepSeek Reasoner |
+| **Mistral** | Native | Devstral 2, Mistral Medium 3.1, Mistral Large 3, Codestral |
+| **Zhipu AI** | Native | GLM-5, GLM-4.7, GLM-4.6 |
+| **Cohere** | Native | Command A, Command A Reasoning, Command R+ |
+| **Together AI** | Aggregator | Qwen3.5 397B, GLM-5, Kimi K2.5, DeepSeek V3.1 |
+| **Groq** | Aggregator (LPU) | Kimi K2, GPT OSS 120B, Llama 4 Scout, Qwen3 32B |
+| **Fireworks AI** | Aggregator | MiniMax-M2.5, GLM 5, Kimi K2.5, DeepSeek V3.2 |
+| **DeepInfra** | Aggregator | Kimi K2.5, GLM-4.7, DeepSeek-V3.2, Qwen3 Coder |
+| **OpenRouter** | Aggregator (161+ models) | Unified API for all providers |
+| **Perplexity** | Aggregator | Sonar Deep Research, Sonar Pro, Sonar Reasoning Pro |
+| **Cerebras** | Aggregator (fastest) | GLM-4.7, GPT OSS 120B, Qwen 3 235B |
+| **NVIDIA** | Aggregator (65+ models) | GLM5, Kimi K2.5, DeepSeek V3.2, Nemotron |
+| **Amazon Bedrock** | Cloud (96+ models) | Claude 4.6, DeepSeek-V3.2, Kimi K2.5, Nova Pro |
+| **Azure** | Cloud (85+ models) | GPT-5.2, Claude 4.6, DeepSeek-V3.2, Grok 4 |
+| **GitHub Models** | Cloud | GPT-4.1, DeepSeek-R1, Llama 4, Mistral |
+| **Hugging Face** | Aggregator | MiniMax-M2.5, GLM-5, Qwen3.5, DeepSeek-V3.2 |
+| **SiliconFlow** | Aggregator (66+ models) | GLM-5, Kimi K2.5, DeepSeek V3.2, Qwen3 VL |
+| **Novita AI** | Aggregator (80+ models) | Qwen3.5, GLM-5, Kimi K2.5, ERNIE-4.5 |
+| **Nebius** | Aggregator (45+ models) | DeepSeek-V3.2, GLM-4.7, Qwen3, FLUX |
+| **Ollama** | Local | qwen3.5, minimax-m2.5, glm-5, kimi-k2.5 |
+| **LM Studio** | Local | GPT OSS 20B, Qwen3 30B, Qwen3 Coder 30B |
 
 Any OpenAI-compatible endpoint can be added as a custom provider.
 
@@ -1015,7 +1032,7 @@ NODE_ENV=development
 POSTGRES_HOST=localhost
 POSTGRES_PORT=25432
 POSTGRES_USER=ownpilot
-POSTGRES_PASSWORD=ownpilot_secret
+POSTGRES_PASSWORD=ownpilot_secret     # Change in production
 POSTGRES_DB=ownpilot
 # POSTGRES_POOL_SIZE=10
 # DB_VERBOSE=false

_fix.js

@@ -5,7 +5,6 @@
 # Default credentials: ownpilot / ownpilot_secret
 #
 # Then in your .env:
-#   DB_TYPE=postgres
 #   POSTGRES_HOST=localhost
 #   POSTGRES_PORT=25432
 #   POSTGRES_USER=ownpilot

docker-compose.db.yml

@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   # PostgreSQL Database
   postgres:
@@ -42,9 +40,9 @@ services:
       - PORT=8080
       - HOST=0.0.0.0
       - OWNPILOT_DATA_DIR=/app/data
-      # Database
+      # Database (always connects to the postgres service inside Docker network)
       - DATABASE_URL=${DATABASE_URL:-}
-      - POSTGRES_HOST=${POSTGRES_HOST:-postgres}
+      - POSTGRES_HOST=postgres
       - POSTGRES_PORT=5432
       - POSTGRES_USER=${POSTGRES_USER:-ownpilot}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-ownpilot_secret}

docker-compose.yml

@@ -939,7 +939,7 @@ LLM usage cost tracking and budget management. Tracks tokens, costs, latency, an
 **Mount:** `/api/v1/channels`
 **Source:** `packages/gateway/src/routes/channels.ts`
 
-Communication channel management for Telegram, Discord, Slack, and other messaging platforms. Manages channel configurations, message inbox, and webhook endpoints.
+Communication channel management for Telegram. Manages channel configurations, message inbox, and webhook endpoints.
 
 ### Endpoints
 

docs/API_ROUTES.md

@@ -69,15 +69,15 @@ OwnPilot is a self-hosted, privacy-first personal AI assistant platform. It conn
  +---------------------------------------------------------------------------+
  |                                                                           |
  |   CLIENTS                                                                 |
- |   +----------+  +----------+  +----------+  +----------+  +----------+   |
- |   |  Web UI  |  |   CLI    |  | Telegram |  | Discord  |  |  Slack   |   |
- |   | (React)  |  |(commander|  |  (grammy)|  |(discord.js|  |(@slack/  |   |
- |   |          |  |inquirer) |  |          |  |          |  | bolt)    |   |
- |   +----+-----+  +----+-----+  +----+-----+  +----+-----+  +----+-----+   |
- |        |             |             |             |             |           |
- |        |   HTTP/WS   |    HTTP     |    Events   |   Events   |  Events   |
- |        +------+------+------+------+------+------+------+-----+           |
- |               |                    |                    |                  |
+ |   +----------+  +----------+  +----------+                               |
+ |   |  Web UI  |  |   CLI    |  | Telegram |                               |
+ |   | (React)  |  |(commander|  |  (grammy)|                               |
+ |   |          |  |inquirer) |  |          |                               |
+ |   +----+-----+  +----+-----+  +----+-----+                               |
+ |        |             |             |                                      |
+ |        |   HTTP/WS   |    HTTP     |    Events                            |
+ |        +------+------+------+------+                                      |
+ |               |                    |                                      |
  +---------------|--------------------|--------------------|------------------+
                  v                    v                    v
  +---------------------------------------------------------------------------+
@@ -190,7 +190,7 @@ ownpilot/
 |   |   |   |-- assistant/        # Gateway-level assistant orchestrator
 |   |   |   |-- audit/            # Audit trail persistence
 |   |   |   |-- autonomy/         # Autonomy levels and risk assessment
-|   |   |   |-- channels/         # Channel adapters (Discord, Slack, Telegram)
+|   |   |   |-- channels/         # Channel adapters (Telegram)
 |   |   |   |-- db/               # Database layer
 |   |   |   |   |-- adapters/     # PostgreSQL adapter (DatabaseAdapter interface)
 |   |   |   |   |-- migrations/   # SQL schema migrations (47 tables)
@@ -285,16 +285,14 @@ Detailed dependency table:
 | ws                | ^8.19   | gateway  | WebSocket server                    |
 | jose              | ^6.0    | gateway  | JWT authentication                  |
 | dotenv            | ^16.4   | gateway  | Environment variable loading        |
-| discord.js        | ^14.16  | gateway  | Discord channel adapter             |
-| @slack/bolt       | ^4.1    | gateway  | Slack channel adapter               |
 | nodemailer        | ^7.0    | gateway  | Email sending                       |
 | imapflow          | ^1.2    | gateway  | Email receiving (IMAP)              |
 | archiver          | ^7.0    | gateway  | File archival                       |
 | grammy            | ^1.36   | channels | Telegram bot framework              |
 | react             | ^19.0   | ui       | UI framework                        |
 | react-router-dom  | ^7.1    | ui       | Client-side routing                 |
 | tailwindcss       | ^4.0    | ui       | Utility-first CSS                   |
-| vite              | ^6.0    | ui       | Build tool and dev server           |
+| vite              | ^7.3    | ui       | Build tool and dev server           |
 | commander         | ^13.1   | cli      | CLI framework                       |
 | @inquirer/prompts | ^7.0    | cli      | Interactive CLI prompts             |
 | vitest            | ^2.1    | all      | Test framework (dev)                |
@@ -1090,15 +1088,9 @@ The `ChannelManager` (`packages/gateway/src/channels/manager.ts`) provides a uni
 
 **Supported Channel Types:**
 
-| Channel  | Library     | Adapter Location                                    |
-| -------- | ----------- | --------------------------------------------------- |
-| Telegram | grammy      | `packages/channels/src/telegram/bot.ts`             |
-| Discord  | discord.js  | `packages/gateway/src/channels/adapters/discord.ts` |
-| Slack    | @slack/bolt | `packages/gateway/src/channels/adapters/slack.ts`   |
-| WhatsApp | (planned)   | --                                                  |
-| Matrix   | (planned)   | --                                                  |
-| Signal   | (planned)   | --                                                  |
-| Webchat  | (built-in)  | Via WebSocket                                       |
+| Channel  | Library | Adapter Location                        |
+| -------- | ------- | --------------------------------------- |
+| Telegram | grammy  | `packages/channels/src/telegram/bot.ts` |
 
 **Architecture:**
 
@@ -1114,11 +1106,9 @@ The `ChannelManager` (`packages/gateway/src/channels/manager.ts`) provides a uni
               | send(message)                |
               +------------------------------+
                        |
-          +------------+------------+
-          |            |            |
-     TelegramAdapter  DiscordAdapter  SlackAdapter
-          |            |            |
-     grammy Bot     discord.js   @slack/bolt
+                TelegramAdapter
+                       |
+                  grammy Bot
 ```
 
 Each adapter converts platform-specific messages into the unified `IncomingMessage` / `OutgoingMessage` types defined in `packages/gateway/src/ws/types.ts`.
@@ -1215,7 +1205,7 @@ The frontend is a single-page application built with modern React.
 | -------------------- | ------- | ----------------------------------- |
 | React                | 19.x    | UI framework                        |
 | React Router         | 7.x     | Client-side routing                 |
-| Vite                 | 6.x     | Build tool and dev server           |
+| Vite                 | 7.x     | Build tool and dev server           |
 | Tailwind CSS         | 4.x     | Utility-first CSS framework         |
 | @tailwindcss/vite    | 4.x     | Vite integration for Tailwind       |
 | prism-react-renderer | 2.x     | Syntax highlighting for code blocks |
@@ -1560,8 +1550,6 @@ Channel adapters use factories for registration:
 
 ```typescript
 channelManager.registerFactory('telegram', (config) => new TelegramAdapter(config));
-channelManager.registerFactory('discord', (config) => new DiscordAdapter(config));
-channelManager.registerFactory('slack', (config) => new SlackAdapter(config));
 
 // Later:
 const adapter = await channelManager.connect({ type: 'telegram', id: '...', ... });
@@ -1800,7 +1788,6 @@ pnpm --filter @ownpilot/cli start
 | `HOST`                      | No       | `0.0.0.0`              | HTTP server bind address            |
 | `DATA_DIR`                  | No       | `./data`               | Persistent data directory           |
 | **Database**                |          |                        |                                     |
-| `DB_TYPE`                   | No       | `postgres`             | Database type (PostgreSQL only)     |
 | `DATABASE_URL`              | No       | --                     | PostgreSQL connection string        |
 | `POSTGRES_HOST`             | No       | `postgres`             | PostgreSQL host                     |
 | `POSTGRES_PORT`             | No       | `5432`                 | PostgreSQL port                     |