mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-04-10 21:03:01 +00:00

Files

Chuck 885fdeed62 feat(starlark): schema-driven config forms + critical security fixes

## Schema-Driven Config UI
- Render type-appropriate form inputs from schema.json (text, dropdown, toggle, color, datetime, location)
- Pre-populate config.json with schema defaults on install
- Auto-merge schema defaults when loading existing apps (handles schema updates)
- Location fields: 3-part mini-form (lat/lng/timezone) assembles into JSON
- Toggle fields: support both boolean and string "true"/"false" values
- Unsupported field types (oauth2, photo_select) show warning banners
- Fallback to raw key/value inputs for apps without schema

## Critical Security Fixes (P0)
- **Path Traversal**: Verify path safety BEFORE mkdir to prevent TOCTOU
- **Race Conditions**: Add file locking (fcntl) + atomic writes to manifest operations
- **Command Injection**: Validate config keys/values with regex before passing to Pixlet subprocess

## Major Logic Fixes (P1)
- **Config/Manifest Separation**: Store timing keys (render_interval, display_duration) ONLY in manifest
- **Location Validation**: Validate lat [-90,90] and lng [-180,180] ranges, reject malformed JSON
- **Schema Defaults Merge**: Auto-apply new schema defaults to existing app configs on load
- **Config Key Validation**: Enforce alphanumeric+underscore format, prevent prototype pollution

## Files Changed
- web_interface/templates/v3/partials/starlark_config.html — schema-driven form rendering
- plugin-repos/starlark-apps/manager.py — file locking, path safety, config validation, schema merge
- plugin-repos/starlark-apps/pixlet_renderer.py — config value sanitization
- web_interface/blueprints/api_v3.py — timing key separation, safe manifest updates

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-18 21:38:57 -05:00

blueprints

feat(starlark): schema-driven config forms + critical security fixes

2026-02-18 21:38:57 -05:00

static/v3

fix(store): move storeFilterState to global scope to fix scoping bug

2026-02-18 16:14:41 -05:00

templates/v3

feat(starlark): schema-driven config forms + critical security fixes

2026-02-18 21:38:57 -05:00

__init__.py

Plugins (#145 )

2025-12-27 14:15:49 -05:00

app.py

fix(web-ui): Fix file upload widget and plugin action buttons (#165 )

2025-12-30 19:04:21 -05:00

cache.py

Plugins (#145 )

2025-12-27 14:15:49 -05:00

logging_config.py

Plugins (#145 )

2025-12-27 14:15:49 -05:00

README.md

Plugins (#145 )

2025-12-27 14:15:49 -05:00

requirements.txt

Plugins (#145 )

2025-12-27 14:15:49 -05:00

run.sh

Plugins (#145 )

2025-12-27 14:15:49 -05:00

start.py

Plugins (#145 )

2025-12-27 14:15:49 -05:00

README.md

LED Matrix Web Interface V3

Modern, production web interface for controlling the LED Matrix display.

Overview

This directory contains the active V3 web interface with the following features:

Real-time display preview via Server-Sent Events (SSE)
Plugin management and configuration
System monitoring and logs
Modern, responsive UI
RESTful API

Directory Structure

web_interface/
├── app.py                    # Main Flask application
├── start.py                  # Startup script
├── run.sh                    # Shell runner script
├── requirements.txt          # Python dependencies
├── blueprints/               # Flask blueprints
│   ├── api_v3.py            # API endpoints
│   └── pages_v3.py          # Page routes
├── templates/                # HTML templates
│   └── v3/
│       ├── base.html
│       ├── index.html
│       └── partials/
└── static/                   # CSS/JS assets
    └── v3/
        ├── app.css
        └── app.js

Running the Web Interface

Standalone (Development)

From the project root:

python3 web_interface/start.py

Or using the shell script:

./web_interface/run.sh

As a Service (Production)

The web interface can run as a systemd service that starts automatically based on the web_display_autostart configuration setting:

sudo systemctl start ledmatrix-web
sudo systemctl enable ledmatrix-web  # Start on boot

Accessing the Interface

Once running, access the web interface at:

Local: http://localhost:5000
Network: http://:5000

Configuration

The web interface reads configuration from:

config/config.json - Main configuration
config/secrets.json - API keys and secrets

API Documentation

The V3 API is available at /api/v3/ with the following endpoints:

Configuration

GET /api/v3/config/main - Get main configuration
POST /api/v3/config/main - Save main configuration
GET /api/v3/config/secrets - Get secrets configuration
POST /api/v3/config/secrets - Save secrets configuration

Display Control

POST /api/v3/display/start - Start display service
POST /api/v3/display/stop - Stop display service
POST /api/v3/display/restart - Restart display service
GET /api/v3/display/status - Get display service status

Plugins

GET /api/v3/plugins - List installed plugins
GET /api/v3/plugins/<id> - Get plugin details
POST /api/v3/plugins/<id>/config - Update plugin configuration
GET /api/v3/plugins/<id>/enable - Enable plugin
GET /api/v3/plugins/<id>/disable - Disable plugin

Plugin Store

GET /api/v3/store/plugins - List available plugins
POST /api/v3/store/install/<id> - Install plugin
POST /api/v3/store/uninstall/<id> - Uninstall plugin
POST /api/v3/store/update/<id> - Update plugin

Real-time Streams (SSE)

GET /api/v3/stream/stats - System statistics stream
GET /api/v3/stream/display - Display preview stream
GET /api/v3/stream/logs - Service logs stream

Development

When making changes to the web interface:

Edit files in this directory
Test changes by running python3 web_interface/start.py
Restart the service if running: sudo systemctl restart ledmatrix-web

Notes

Templates and static files use the v3/ prefix to allow for future versions
The interface uses Flask blueprints for modular organization
SSE streams provide real-time updates without polling