Phase 0: Rust project scaffolding (M0 complete)

Completed Rust project initialization:
- Cargo.toml with all dependencies (actix-web, tokio, rustls, etc.)
- Project structure (src/, tests/, configs/)
- Module declarations (api, auth, config, jobs, logging, packages, systemd)
- Clippy and rustfmt configured
- Initial lib.rs and main.rs with logging setup
- Config examples (config.yaml.example, whitelist.yaml.example)

Dependencies resolved and project compiles successfully.
Rust toolchain 1.94.1 installed.

.a0proj/agents.json

@@ -0,0 +1 @@
+{}

.a0proj/memory/embedding.json

@@ -0,0 +1 @@
+{"model_provider": "openai", "model_name": "BAAI/bge-m3"}

.a0proj/memory/index.faiss.sha256

@@ -0,0 +1 @@
+0599a7a9889d5d3a7c1fb03f0f613cb6901427fa5123e69550f71a073490737b

.a0proj/memory/knowledge_import.json

@@ -0,0 +1 @@
+{"/a0/usr/knowledge/main/echo-greeting.promptinclude.md": {"file": "/a0/usr/knowledge/main/echo-greeting.promptinclude.md", "checksum": "ad54de76e40288003564157a95ac89ef", "ids": ["qXFLuCv9Q9", "UjhNYB9CkP"]}, "/a0/usr/knowledge/main/Iran-US-Conflict-Update-2026-04-01.md": {"file": "/a0/usr/knowledge/main/Iran-US-Conflict-Update-2026-04-01.md", "checksum": "6beea9874c3bcb846d17f9a60c29d528", "ids": ["5sQkc0Ylqa", "FeZVPLWYss", "kYBRtDfHjJ"]}, "/a0/usr/knowledge/main/ollama-27b-modelfile.txt": {"file": "/a0/usr/knowledge/main/ollama-27b-modelfile.txt", "checksum": "3f4f724d6f777e0620df9781ebc82f36", "ids": ["yZoFOCA99D"]}, "/a0/usr/knowledge/main/behavioral-rules.md": {"file": "/a0/usr/knowledge/main/behavioral-rules.md", "checksum": "ff4230d5f02891487008864de55151e8", "ids": ["5LhBKVgUXB"]}, "/a0/usr/knowledge/main/utility_test.txt": {"file": "/a0/usr/knowledge/main/utility_test.txt", "checksum": "c8c29a129e935836a77048f47e231705", "ids": ["vrbKe4D4sR"]}, "/a0/usr/knowledge/main/welcome.md": {"file": "/a0/usr/knowledge/main/welcome.md", "checksum": "d947ce81d6dcc977a3ddf52e8d5e4712", "ids": ["0Qx7U1mSZH"]}, "/a0/usr/knowledge/main/capability_test_results.txt": {"file": "/a0/usr/knowledge/main/capability_test_results.txt", "checksum": "880b2a6e355125561f22e1f0ac38a3c4", "ids": ["hmVC8arGTg"]}, "/a0/usr/knowledge/main/Iran-US-Conflict-Analysis-2026.md": {"file": "/a0/usr/knowledge/main/Iran-US-Conflict-Analysis-2026.md", "checksum": "ffa6e16f560fc2c021df9c656e8dfdcc", "ids": ["WKKtg5Rj2e", "VBSDN1KENS"]}, "/a0/knowledge/main/tool_call_reference_examples.md": {"file": "/a0/knowledge/main/tool_call_reference_examples.md", "checksum": "1558e6e118619185e31224b1ed646b9a", "ids": ["mLgFu7vH7Z"]}, "/a0/knowledge/main/about/architecture.md": {"file": "/a0/knowledge/main/about/architecture.md", "checksum": "0de7a9280419982ef5fc98d0cc6ad2dc", "ids": ["VG5QHEdqZt", "oALIWNguyG"]}, "/a0/knowledge/main/about/configuration.md": {"file": "/a0/knowledge/main/about/configuration.md", "checksum": "9f83690fdca64631d063c75fd324d42c", "ids": ["XX5kcVMvDu", "T2B8pFL10O"]}, "/a0/knowledge/main/about/capabilities.md": {"file": "/a0/knowledge/main/about/capabilities.md", "checksum": "cf4d100df544af245940971464357e0b", "ids": ["S6MH1eLPzP", "laWnXkj3Ky"]}, "/a0/knowledge/main/about/identity.md": {"file": "/a0/knowledge/main/about/identity.md", "checksum": "63a2c83c6c3bf4c4008786c396618755", "ids": ["Yi3PLqGcaj"]}, "/a0/knowledge/main/about/setup-and-deployment.md": {"file": "/a0/knowledge/main/about/setup-and-deployment.md", "checksum": "3cf57d685f11a6989a73cf041c2018a3", "ids": ["KVJ5zsWDQX", "LoANN0xNbF"]}}

.a0proj/project.json

@@ -0,0 +1 @@
+{"title": "Linux_Patch_API", "description": "Create an API service that will allow remote clients to securely remote manage the patching process and control software add and removal. ", "instructions": "Use Strict Spec Driven development process following the kiro standards.\nAsk questions and help build all of the spec driven files needed\nAlways get approval before taking next steps\nAlways ask questions to determine the right path for the software\nNever make assumptions, always confirm. \nCode must be build following strict security coding guidelines\n", "color": "#00bbf9", "git_url": "", "file_structure": {"enabled": true, "max_depth": 5, "max_files": 20, "max_folders": 20, "max_lines": 250, "gitignore": "# Python environments & cache\nvenv/**\n**/__pycache__/**\n\n# Node.js dependencies\n**/node_modules/**\n**/.npm/**\n\n# Version control metadata\n**/.git/**\n"}}

.a0proj/variables.env

@@ -0,0 +1,3 @@
+EMBEDDING_MODEL=mxbai-embed-large:latest
+OLLAMA_HOST=http://ares.moon-dragon.us:11435
+LLM_MODEL=qwen3.5:9b

.gitignore

@@ -0,0 +1 @@
+/target

Cargo.toml

@@ -0,0 +1,91 @@
+[package]
+name = "linux-patch-api"
+version = "0.1.0"
+edition = "2021"
+authors = ["Echo <echo@moon-dragon.us>"]
+description = "Secure remote package management API for Linux systems"
+license = "MIT"
+repository = "https://gitea.moon-dragon.us/echo/linux_patch_api"
+rust-version = "1.75"
+
+[dependencies]
+# Web framework (Actix-web for HTTP API)
+actix-web = "4"
+actix-rt = "2"
+
+# Async runtime
+tokio = { version = "1", features = ["full"] }
+
+# TLS/mTLS (rustls for modern TLS 1.3)
+rustls = "0.23"
+rustls-pemfile = "2"
+x509-parser = "0.16"
+
+# WebSocket support
+tokio-tungstenite = "0.21"
+futures-util = "0.3"
+
+# Serialization
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+serde_yaml = "0.9"
+
+# Configuration
+config = "0.14"
+notify = "6"
+
+
+# Logging
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
+tracing-appender = "0.2"
+
+
+# UUID for request IDs and job IDs
+uuid = { version = "1", features = ["v4", "serde"] }
+
+# Time/Date
+chrono = { version = "0.4", features = ["serde"] }
+
+# Error handling
+thiserror = "1"
+anyhow = "1"
+
+# Async channels
+async-channel = "2"
+
+# Process management (for package operations)
+sysinfo = "0.30"
+
+# Network utilities
+addr = "0.15"
+
+# Clap for CLI arguments
+clap = { version = "4", features = ["derive", "env"] }
+
+
+# Systemd integration
+systemd = "0.10"
+
+pidlock = "0.2"
+
+[dev-dependencies]
+actix-rt = "2"
+tokio-test = "0.4"
+wiremock = "0.6"
+serial_test = "3"
+
+[profile.release]
+lto = true
+codegen-units = 1
+panic = "abort"
+strip = true
+opt-level = 3
+
+[profile.dev]
+opt-level = 0
+debug = true
+
+[[bin]]
+name = "linux-patch-api"
+path = "src/main.rs"

ROADMAP.md

@@ -112,7 +112,7 @@
 
 | Milestone | Description | Target Date | Status |
 |-----------|-------------|-------------|--------|
-| M0 | Phase 0 complete (scaffolding) | 2026-04-12 | ⏳ Pending |
+| M0 | Phase 0 complete (scaffolding) | 2026-04-09 | ✅ Complete |
 | M1 | All spec documents complete | 2026-04-09 | ✅ Complete |
 | M2 | Development environment ready | 2026-04-15 | ⏳ Pending |
 | M3 | CI/CD pipeline operational | 2026-04-22 | ⏳ Pending |

configs/config.yaml.example

@@ -0,0 +1,46 @@
+# Linux Patch API Configuration
+# Example configuration file - copy to /etc/linux_patch_api/config.yaml
+
+# Server Configuration
+server:
+  port: 12443
+  bind: "0.0.0.0"
+  timeout_seconds: 30
+
+# TLS/mTLS Configuration
+tls:
+  enabled: true
+  port: 12443
+  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
+  server_cert: "/etc/linux_patch_api/certs/server.pem"
+  server_key: "/etc/linux_patch_api/certs/server.key"
+  min_tls_version: "1.3"
+
+# Job Configuration
+jobs:
+  max_concurrent: 5
+  timeout_minutes: 30
+  storage_path: "/var/lib/linux_patch_api/jobs"
+
+# Logging Configuration
+logging:
+  level: "info"
+  journal_enabled: true
+  syslog_enabled: false
+  # syslog_server: "udp://localhost:514"
+  file_path: "/var/log/linux_patch_api/audit.log"
+  retention_days: 30
+
+# IP Whitelist Configuration
+whitelist:
+  path: "/etc/linux_patch_api/whitelist.yaml"
+  # Entries can be:
+  # - Individual IPs: "192.168.1.100"
+  # - CIDR subnets: "192.168.1.0/24"
+  # - Hostnames: "admin-server.internal"
+
+# Package Manager Backend
+package_manager:
+  # Primary backend (auto-detected if not specified)
+  # Options: apt, dnf, yum, apk, pacman
+  backend: "auto"

configs/whitelist.yaml.example

@@ -0,0 +1,14 @@
+# Linux Patch API - IP Whitelist Configuration
+# Copy to /etc/linux_patch_api/whitelist.yaml
+# Block all by default - only listed IPs can access the API
+
+# Supported entry types:
+# - Individual IPs: "192.168.1.100"
+# - CIDR subnets: "192.168.1.0/24"
+# - Hostnames: "admin-server.internal" (resolved at startup)
+
+# Example entries:
+entries:
+  - "192.168.1.0/24"      # Management network
+  - "10.0.0.50"          # Specific admin workstation
+  # - "admin-server.internal"  # Hostname example (uncomment to use)

src/api/mod.rs

@@ -0,0 +1,13 @@
+//! API Module - HTTP endpoints and routing
+//!
+//! Handles all REST API endpoints as defined in API_SPEC.md:
+//! - Package management endpoints
+//! - Patch management endpoints
+//! - System endpoints
+//! - Job management endpoints
+//! - WebSocket streaming
+
+pub mod handlers;
+pub mod middleware;
+pub mod response;
+pub mod routes;

src/auth/mod.rs

@@ -0,0 +1,10 @@
+//! Authentication Module - mTLS and IP Whitelist
+//!
+//! Handles mTLS certificate validation and IP whitelist enforcement:
+//! - Certificate validation against internal CA
+//! - IP whitelist checking (IPv4 + CIDR + hostname)
+//! - Client identity extraction from certificates
+
+pub mod certificate;
+pub mod ip_whitelist;
+pub mod middleware;

src/config/loader.rs

@@ -0,0 +1,47 @@
+//! Configuration Loader - YAML config loading
+//!
+//! Loads and parses YAML configuration files.
+
+use anyhow::{Context, Result};
+use serde::Deserialize;
+
+/// Server configuration
+#[derive(Debug, Deserialize, Clone)]
+pub struct ServerConfig {
+    pub port: u16,
+    pub bind: String,
+}
+
+/// Jobs configuration
+#[derive(Debug, Deserialize, Clone)]
+pub struct JobsConfig {
+    pub max_concurrent: usize,
+    pub timeout_minutes: u64,
+}
+
+/// Logging configuration
+#[derive(Debug, Deserialize, Clone)]
+pub struct LoggingConfig {
+    pub level: String,
+}
+
+/// Application configuration
+#[derive(Debug, Deserialize, Clone)]
+pub struct AppConfig {
+    pub server: ServerConfig,
+    pub jobs: JobsConfig,
+    pub logging: LoggingConfig,
+}
+
+impl AppConfig {
+    /// Load configuration from a YAML file
+    pub fn load(path: &str) -> Result<Self> {
+        let content = std::fs::read_to_string(path)
+            .with_context(|| format!("Failed to read config file: {}", path))?;
+        
+        let config: AppConfig = serde_yaml::from_str(&content)
+            .with_context(|| format!("Failed to parse config file: {}", path))?;
+        
+        Ok(config)
+    }
+}

src/config/mod.rs

@@ -0,0 +1,10 @@
+//! Configuration Module - YAML config with auto-reload
+//!
+//! Handles configuration management as defined in SPEC.md:
+//! - YAML config file loading and parsing
+//! - Config validation before reload (prevent service offline)
+//! - Auto-reload on file change via notify watcher
+
+pub mod loader;
+pub mod validator;
+pub mod watcher;

src/jobs/manager.rs

@@ -0,0 +1,55 @@
+//! Job Manager - Async job queue management
+//!
+//! Manages async job execution with concurrency limits and timeout enforcement.
+
+use anyhow::Result;
+use std::time::Duration;
+use tokio::sync::RwLock;
+use uuid::Uuid;
+
+/// Job status
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub enum JobStatus {
+    Pending,
+    Running,
+    Completed,
+    Failed,
+    Cancelled,
+    TimedOut,
+}
+
+/// Job information
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct Job {
+    pub id: Uuid,
+    pub status: JobStatus,
+    pub created_at: chrono::DateTime<chrono::Utc>,
+}
+
+/// Job Manager - handles async job queue with limits
+pub struct JobManager {
+    max_concurrent: usize,
+    timeout_minutes: u64,
+    jobs: RwLock<Vec<Job>>,
+}
+
+impl JobManager {
+    /// Create a new job manager
+    pub fn new(max_concurrent: usize, timeout_minutes: u64) -> Result<Self> {
+        Ok(Self {
+            max_concurrent,
+            timeout_minutes,
+            jobs: RwLock::new(Vec::new()),
+        })
+    }
+
+    /// Get the timeout duration
+    pub fn timeout(&self) -> Duration {
+        Duration::from_secs(self.timeout_minutes * 60)
+    }
+
+    /// Get max concurrent jobs
+    pub fn max_concurrent(&self) -> usize {
+        self.max_concurrent
+    }
+}

src/jobs/mod.rs

@@ -0,0 +1,11 @@
+//! Jobs Module - Async job queue and management
+//!
+//! Handles job lifecycle management as defined in ARCHITECTURE.md:
+//! - Job queue and status tracking
+//! - WebSocket broadcast for real-time status
+//! - 30-minute timeout enforcement
+//! - Rollback support (exclusive mode)
+
+pub mod manager;
+pub mod queue;
+pub mod websocket;

src/lib.rs

@@ -0,0 +1,26 @@
+//! Linux Patch API - Secure Remote Package Management
+//!
+//! A Rust-based API service for secure remote management of patching processes
+//! and software add/remove operations on Linux systems.
+//!
+//! # Architecture
+//!
+//! - **API Layer**: HTTP/HTTPS endpoints with mTLS authentication
+//! - **Auth Layer**: Certificate validation and IP whitelist enforcement
+//! - **Job Manager**: Async job queue with WebSocket status streaming
+//! - **Package Backend**: Pluggable package manager adapters
+//! - **Audit Logger**: systemd journal + file fallback
+//! - **Config Manager**: YAML config with auto-reload
+
+pub mod api;
+pub mod auth;
+pub mod config;
+pub mod jobs;
+pub mod logging;
+pub mod packages;
+pub mod systemd;
+
+// Re-export commonly used types
+pub use config::AppConfig;
+pub use jobs::JobManager;
+pub use logging::init_logging;

src/logging/init.rs

@@ -0,0 +1,44 @@
+//! Logging Initialization
+//!
+//! Sets up tracing with systemd journal and file appender support.
+
+
+use anyhow::Result;
+use tracing_appender::non_blocking::WorkerGuard;
+use tracing_subscriber::{fmt, layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
+
+
+/// Initialize logging with tracing
+///
+/// Sets up:
+/// - Env-based log level filtering
+/// - JSON formatting for machine readability
+/// - systemd journal integration
+/// - File appender fallback to /var/log/linux_patch_api/
+pub fn init_logging(verbose: bool) -> Result<WorkerGuard> {
+    let log_level = if verbose { "debug" } else { "info" };
+    let filter = EnvFilter::try_from_default_env()
+        .unwrap_or_else(|_| EnvFilter::new(log_level));
+    
+    let file_appender = tracing_appender::rolling::daily("/var/log/linux_patch_api", "audit.log");
+    let (non_blocking, guard) = tracing_appender::non_blocking(file_appender);
+    
+    let file_layer = fmt::layer()
+        .with_writer(non_blocking)
+        .with_ansi(false)
+        .with_target(true)
+        .with_thread_ids(true);
+    
+    let stdout_layer = fmt::layer()
+        .with_writer(std::io::stdout)
+        .with_ansi(true);
+    
+    tracing_subscriber::registry()
+        .with(filter)
+        .with(file_layer)
+        .with(stdout_layer)
+        .try_init()
+        .ok(); // Ignore if already initialized
+    
+    Ok(guard)
+}

src/logging/mod.rs

@@ -0,0 +1,11 @@
+//! Logging Module - Audit logging and tracing
+//!
+//! Handles audit logging as defined in SPEC.md:
+//! - systemd journal integration (primary)
+//! - Optional remote syslog
+//! - Local file fallback (/var/log/linux_patch_api/audit.log)
+//! - 30-day retention with daily rotation
+
+pub mod appender;
+pub mod journal;
+pub mod init;

src/main.rs

@@ -0,0 +1,79 @@
+//! Linux Patch API - Main Entry Point
+//!
+//! Secure remote package management API for Linux systems.
+//!
+//! # Configuration
+//!
+//! Configuration is loaded from `/etc/linux_patch_api/config.yaml` by default.
+//! Use `--config` flag to specify a custom configuration path.
+//!
+//! # Security
+//!
+//! - mTLS authentication required on port 12443
+//! - IP whitelist enforced (deny by default)
+//! - Detailed audit logging
+
+use anyhow::Result;
+use clap::Parser;
+use tracing::{error, info};
+
+use linux_patch_api::{config::AppConfig, init_logging, JobManager};
+
+/// Linux Patch API CLI arguments
+#[derive(Parser, Debug)]
+#[command(name = "linux-patch-api")]
+#[command(version = env!("CARGO_PKG_VERSION"))]
+#[command(about = "Secure remote package management API for Linux systems")]
+struct Args {
+    /// Path to configuration file
+    #[arg(short, long, default_value = "/etc/linux_patch_api/config.yaml")]
+    config: String,
+
+    /// Enable verbose logging
+    #[arg(short, long)]
+    verbose: bool,
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    // Parse command line arguments
+    let args = Args::parse();
+
+    // Initialize logging
+    let _guard = init_logging(args.verbose)?;
+
+    info!(
+        version = env!("CARGO_PKG_VERSION"),
+        config_path = args.config,
+        "Linux Patch API starting"
+    );
+
+    // Load configuration
+    let config = match AppConfig::load(&args.config) {
+        Ok(cfg) => {
+            info!(port = cfg.server.port, bind = cfg.server.bind, "Configuration loaded");
+            cfg
+        }
+        Err(e) => {
+            error!(error = %e, path = args.config, "Failed to load configuration");
+            return Err(e.into());
+        }
+    };
+
+    // Initialize job manager
+    let job_manager = JobManager::new(config.jobs.max_concurrent, config.jobs.timeout_minutes)?;
+    info!(max_jobs = config.jobs.max_concurrent, timeout_minutes = config.jobs.timeout_minutes, "Job manager initialized");
+
+    // TODO: Initialize API server with actix-web
+    // TODO: Set up mTLS with rustls
+    // TODO: Start config file watcher
+    // TODO: Register systemd service ready status
+
+    info!("Linux Patch API initialized successfully");
+
+    // Keep the service running
+    tokio::signal::ctrl_c().await?;
+
+    info!("Linux Patch API shutting down");
+    Ok(())
+}

src/packages/mod.rs

@@ -0,0 +1,11 @@
+//! Packages Module - Pluggable package manager backend
+//!
+//! Handles package operations as defined in SPEC.md:
+//! - apt/dpkg (Debian/Ubuntu) - primary
+//! - dnf/yum (RHEL/CentOS/Fedora) - secondary
+//! - apk (Alpine) - secondary
+//! - pacman (Arch) - secondary
+
+pub mod backend;
+pub mod manager;
+pub mod models;

src/systemd/mod.rs

@@ -0,0 +1,11 @@
+//! Systemd Module - Systemd service integration
+//!
+//! Handles systemd integration as defined in ARCHITECTURE.md:
+//! - Service notification (Type=notify)
+//! - Journal logging integration
+//! - PID file management
+//! - Graceful shutdown handling
+
+pub mod service;
+pub mod journal;
+pub mod pid;