Fix admin memory showing 0 facts; add pagination/search/sort ...

Bug fix:
- get_all_facts(user_id=None) was filtering for user_id IS NULL only,
  so admin panel showed 0 facts when facts had user_ids set.
- Added all_users parameter to get_all_facts and fact_count.
- Admin endpoint now passes all_users=True to return all facts.

Memory pagination:
- Extended get_all_facts with offset, search, sort_by, sort_order params.
- Extended fact_count with search and all_users params.
- /admin/memory endpoint now accepts limit, offset, search, sort_by,
  sort_order and returns {total, limit, offset, items}.

Admin panel frontend:
- Added server-side search with debounce for memory facts.
- Added sortable column headers (category, key, source, confidence, updated).
- Added pagination controls (prev/next, page size selector).
- Switched memory display from grouped tables to flat sortable table.

Tests:
- Added unit tests for get_all_facts(all_users=True) and
  fact_count(all_users=True).
- All 219 tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add pagination, search, and sorting to admin sessions ...

Backend:
- Add count_all and search_list abstract methods to SessionStore
- Implement count_all and search_list in PgSessionStore (SQL with ILIKE)
- Implement count_all and search_list in InMemorySessionStore
- Update /admin/sessions to accept limit, offset, search, sort_by, sort_order
- Return {total, limit, offset, items} from /admin/sessions

Frontend:
- Add search input for sessions in admin panel
- Add clickable sortable column headers with asc/desc toggle
- Add pagination controls (prev/next, page size selector, item count)
- Debounce search input (300ms)

Tests:
- Add integration tests for pagination, offset, search, and sorting
- All 217 tests pass

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix memory system bugs: deterministic summary id, skip legacy extraction ...

- _summary.py: replace non-deterministic hash() with zlib.crc32 so
  summary id stays stable across server restarts, preventing duplicate
  summary rows.
- extractor.py: skip memory extraction for legacy sessions (user_id=None)
  — ON CONFLICT(user_id, category, key) does not catch NULL duplicates
  in PostgreSQL (NULL != NULL).
- sessions.py: _process_stale_sessions skips legacy sessions.
- _facts.py: remove dead code (user_clause/user_param variables).
- test_extractor.py: add user_id to test sessions + new test for
  legacy session skip.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix memory system multi-user bugs: summary PK conflict and vector search params ...

- _summary.py: generate deterministic per-user id (hash(user_id)+2) instead of
  hardcoded id=1, preventing UniqueViolationError on memory_summary_pkey
  for multi-user sessions.
- _facts.py: split vector search into user_id=None / user_id!=None branches
  with correct parameter counts, fixing InterfaceError "expects 3 arguments".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix missing columns in navi_users: add boot-time ALTER TABLE migration ...

The navi_users table already existed on this deployment, so the updated
CREATE TABLE IF NOT EXISTS was a no-op. Run ALTER TABLE ADD COLUMN for
username, first_name, last_name, phone, birth_date, country, city, locale
if they are missing (checked via information_schema.columns).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Propagate user profile to LLM context via current_user_info ContextVar ...

- Extend User model: username, first_name, last_name, phone, birth_date,
  country, city, locale (all from gnexus-auth profile)
- navi_users DDL: add new profile columns
- auth/deps + auth/callback: populate new fields on upsert
- /auth/me: return all profile fields
- Add current_user_info ContextVar for full user profile propagation
- websocket + messages: set current_user_info before agent.run()
- run_ephemeral: inherit and restore current_user_info
- ContextBuilder: _user_context_msg() injects [User context] with name,
  email, location, locale, role into LLM system messages
- _security_policy_msg: reads user_id/role from ContextVar directly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add multi-user sandbox: filesystem, terminal, code_exec, security policy ...

- filesystem, share_file: sandbox non-admin users to user_data/<user_id>/
- terminal: working_dir sandbox + allowlist + dangerous pattern block for users
- code_exec: sandbox CWD and temp files to user_data/<user_id>/ for users
- context_builder: inject dynamic security policy into LLM context (user/admin)
- config: terminal_user_allowed_commands setting
- agent: wire user_id/user_role through ContextBuilder.build()
- base: add current_user_role ContextVar; run_ephemeral inherits role

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add per-user filesystem sandbox via current_user_id ContextVar ...

- tools/base.py: add current_user_id ContextVar (set by Agent before
  every tool call, cleared after)
- core/agent.py: set current_user_id in run_stream from session.user_id
  and in run_ephemeral from parent_session.user_id; restore in finally
- tools/filesystem.py: _check_path resolves all paths inside
  user_data/<user_id>/ when current_user_id is present; legacy mode
  (no user_id) falls back to FS_ALLOWED_PATHS
- tools/share_file.py: validate source path is inside user sandbox

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Use configured GNAUTH_REDIRECT_URI instead of dynamic base_url ...

_get_redirect_uri was building the redirect_uri from request.base_url,
which returns the internal address when behind a reverse proxy. This
caused gnexus-auth to reject the redirect_uri as invalid.

Now _get_redirect_uri always returns settings.gnauth_redirect_uri,
so the public URL configured in .env is used consistently.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add missing playwright dependency to pyproject.toml ...

playwright is used by navi/tools/web_view.py but was not declared.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix stop_session 422: use get_current_user instead of get_current_user_ws ...

stop_session is an HTTP endpoint but was using Depends(get_current_user_ws),
whose websocket parameter caused FastAPI to demand it as a query param.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix NameError in run_ephemeral: session was undefined ...

run_ephemeral doesn't have a session variable. Pass user_id from the
parent session (looked up via parent_session_id) instead of referencing
non-existent session variable.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Dark login screen: #111 overlay, transparent card ...

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add full-screen login overlay for unauthenticated users ...

- Backend: new endpoint GET /auth/status returns {configured: bool}
- Webclient auth store: add authConfigured ref + fetchStatus()
- LoginScreen.vue: centered card with logo, title, and login button
- App.vue: show LoginScreen overlay when auth is configured but
  user is not authenticated (z-index 9999, blocks all UI)
- App.vue onMounted: fetch auth status before trying to resolve user

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix WebSocket 403 — bypass FastAPI Depends for WS auth ...

- websocket.py: resolve user by calling get_current_user_ws directly
  inside the handler instead of using Depends(). This avoids FastAPI
  returning HTTP 403 on the upgrade request when auth resolution fails.
- websocket.py: accept WebSocket before access check, close with 4003
  for auth failures instead of HTTP 403.
- auth/deps.py: remove debug logging from get_current_user_ws.
- tests/conftest.py: monkeypatch get_current_user_ws directly since
  Depends() is no longer used on the WebSocket endpoint.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix WebSocket 403 and restore dependency resolution for auth ...

- websocket.py: restore Depends(get_current_user_ws) in endpoint signature
  so FastAPI dependency_overrides work correctly in tests
- websocket.py: accept WebSocket before access check; reject anonymous
  only for owned sessions, allow anonymous for legacy (user_id=None)
- auth/deps.py: add info-level logging to get_current_user_ws entry/exit

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix WebSocket 403 by accepting before access check ...

- websocket.py: move await websocket.accept() before check_session_access
  so auth failures close the WebSocket with 4003 instead of returning
  HTTP 403 on the upgrade request
- Reject anonymous WebSocket connections explicitly (4003)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix legacy session visibility and add WebSocket auth debug logging ...

- pg_session_store: remove OR user_id IS NULL from list_all/list_page
  so legacy sessions are no longer visible to all users
- auth/deps.py: add debug logging at every step of _resolve_user
- websocket.py: add debug logging at every stage of websocket_session

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix memory_summary ON CONFLICT and WebSocket 403 from auth deps ...

- memory/_ddl.py: add UNIQUE(id, user_id) constraint migration for
  memory_summary so ON CONFLICT in set_summary works on existing tables
- auth/deps.py: wrap _resolve_user body in broad try/except so any
  auth resolution failure returns None instead of raising, preventing
  FastAPI dependency system from returning HTTP 403 on WebSocket upgrades

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix default gnauth profile path to /account/profile ...

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Use gnexus-auth client library avatar_url property ...

- deps.py: use auth_user.avatar_url from gnexus-gauth DTO instead
  of guessing profile fields or Gravatar
- CLAUDE.md: add working rules section

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Revert "Fix avatar: use Gravatar instead of non-existent profile fields" ...

This reverts commit f485e54.

Fix avatar: use Gravatar instead of non-existent profile fields ...

Investigated gnexus-auth UserinfoController and found that the profile
response only contains: username, display_name, first_name, last_name,
phone, birth_date, country, city, locale, timezone. There is no picture
or avatar_url field.

- Add make_gravatar_url() helper in navi/auth/__init__.py
- Update deps.py to generate Gravatar URL from user email
- Update config.py default gnauth_profile_path to /account/profile
- Update .env.example comment accordingly
- Frontend already handles avatar_url correctly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add avatar display and gnexus-auth profile link ...

Backend:
- User model: add avatar_url field
- auth/deps.py: extract avatar_url from auth_user.profile (picture/avatar_url)
- auth.py /auth/me: return avatar_url + computed profile_url
- config.py: add gnauth_profile_path setting
- .env.example: document GNAUTH_PROFILE_PATH

Frontend:
- AppSidebar.vue: show user avatar (or initial fallback) next to name
- Clicking user info opens gnexus-auth profile in new tab
- Rebuild dist/

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Revert "Force login prompt in gnexus-auth OAuth flow" ...

This reverts commit f232f21.

Force login prompt in gnexus-auth OAuth flow ...

Add prompt=login to authorization URL so gnexus-auth always shows the
login form instead of silently re-authenticating via existing session.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Rebuild webclient dist with btn-primary fix ...

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix missing Annotated/Depends imports in auth.py and UI button class ...

- auth.py: add from typing import Annotated and from fastapi import Depends
  to fix 422 Unprocessable Content on /auth/me and /auth/logout
- AppSidebar.vue: replace btn-ghost with btn-primary for login/logout buttons

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix pydantic-settings env var name mapping for auth ...

Pydantic-settings converts snake_case field names to UPPER_CASE env vars
by removing underscores.  gnexus_auth_client_id became GNEXUS_AUTH_CLIENT_ID
but .env used GNAUTH_CLIENT_ID.  Rename all Settings fields from
 gnexus_auth_* to gnauth_* so they map correctly to GNAUTH_* env vars.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add graceful auth-not-configured guards ...

- auth_login/auth_callback return 503 when GNAUTH_CLIENT_ID/SECRET are empty
- webhooks return 503 when OAuth not configured
- _resolve_user returns None early if auth not configured, avoiding crash
  during anonymous requests when gnexus-auth is not set up

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>