12 Commits

Author	SHA1	Message	Date
Draco-Lunaris-Echo	efaac33c47	fix: remove committed private keys and add runtime cert generation (closes #12) ... - Remove all private key files from git tracking (git rm --cached) - configs/certs/ca.key.pem, server.key.pem, client001.key.pem - tests/e2e/certs/client.key - Also remove public certs from configs/certs/ (generated at runtime) - Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl - Add scripts/generate-dev-certs.sh for runtime test cert generation - Update Python e2e test to generate certs on demand (ensure_certs()) - Update test_wrong_cert_connection to generate wrong-CA certs at runtime - Add gitleaks secret scanning job to CI workflow - Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12 - Update SECURITY_CONTROLS_MATRIX.md evidence references - Add README.md to configs/certs/ and tests/e2e/certs/ Private keys were dev/test only - no production key rotation needed. Git history purge with filter-repo will follow after PR merge. Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 13:20:43 -05:00
Draco-Lunaris-Echo	624f9017b3	fix: add ca_chain and crl_pem to enrollment response and persist CRL to disk ... Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 00:38:43 -05:00
git-echo	cfdb874062	fix(ci): add crl_path to test TlsConfig and fix clippy field_reassign_with_default	2026-06-05 14:02:53 -05:00
Echo	0de47b966b	style: apply cargo fmt formatting	2026-05-18 02:06:25 +00:00
Echo	64187b03bd	fix(enrollment): filter Docker bridge IPs and add report_interface/report_ip config ... - identity.rs: filter 172.16.0.0/12 (Docker bridge) and 169.254.0.0/16 (link-local) from get_ip_addresses() auto-detection - identity.rs: add is_container_bridge(), is_link_local(), get_ip_for_interface(), get_primary_ip() functions - client.rs: add report_interface/report_ip fields to EnrollmentClient, new with_ip_overrides() constructor, register() uses get_primary_ip() - loader.rs: add report_interface/report_ip to EnrollmentConfig - mod.rs: wire config overrides through to EnrollmentClient - config.yaml.example: document new report_interface/report_ip options - Tests: add 18 new bridge filtering/IP override tests, fix Docker container compatibility in existing tests	2026-05-18 02:02:54 +00:00
Echo	8bfa5f2273	fix(tests): resolve all clippy warnings for CI compliance ... - Remove needless borrows on format!() in set_body_string() calls (needless_borrows_for_generic_args) - Replace assert!(false, ...) with collected assertion (assertions_on_constants + never_loop) - Use direct Method::POST comparison instead of to_string() (cmp_owned) - Simplify negated equality to != operator (nonminimal_bool) CI pipeline now passes with -D warnings enabled	2026-05-17 16:02:57 +00:00
Echo	5c670cbd0c	fix: apply cargo fmt to resolve CI formatting failures ... Format all enrollment module source files and tests per rustfmt standards. Resolves Gitea CI workflow cargo fmt check failures.	2026-05-17 05:49:26 +00:00
Echo	75ec2b8e3c	feat: add self-enrollment workflow for automated PKI provisioning ... - Phase 1: CLI args (--enroll flag), enroll module skeleton, config support - Phase 2: Registration request, polling loop (24h timeout), main.rs integration - Phase 3: PKI extraction, atomic cert writing, whitelist auto-append, mTLS transition - Phase 4: E2E test suite, README/DEPLOYMENT docs, CI pipeline - Phase 5: SPEC.md, API_DOCUMENTATION.md, CHANGELOG.md, ROADMAP.md sync Security review: APPROVED (0 critical, 0 high findings) Cross-distro compatible: Debian/Ubuntu, RHEL/CentOS/Fedora, Alpine, Arch Linux	2026-05-17 05:30:42 +00:00
Echo	949cbb2632	docs: add self-enrollment client workflow to API documentation	2026-05-16 19:18:25 +00:00
Echo	165db77a14	Add GET /api/v1/system/services/{name} endpoint for service health checks ... - Add ServiceStatus struct with name, display_name, active_state, sub_state, load_state, enabled_state, main_pid, healthy fields - Add get_service_status() to PackageManagerBackend trait - Implement get_service_status() in AptBackend with systemd and OpenRC support - Add get_service_status HTTP handler in system.rs - Add /system/services/{name} route - Add E2E test for service status endpoint - Bump version to 0.3.6	2026-05-04 23:44:26 +00:00
Echo	42e2f8989a	fix: remove all systemd capability restrictions blocking package management ... - Remove CapabilityBoundingSet and AmbientCapabilities (apt needs full root capabilities) - Remove ReadWritePaths (unnecessary without ProtectSystem=strict) - Fix E2E test: properly FAIL on status=failed package operations - Fix E2E test: require status=completed for install/update/remove lifecycle - Update dpkg packaging service file to match configs/ - Bump version to 0.3.5	2026-05-03 04:13:50 +00:00
Echo	b2ace87ee9	v0.2.0: Fix List Jobs bug, TLS 1.3 enforcement, client_disconnect_timeout, RwLock contention ... Bug fixes: - Fix List Jobs connection reset: Add client_disconnect_timeout (5s) to prevent TLS write truncation - Enforce TLS 1.3 only: Add with_protocol_versions(&[&TLS13]) to rustls ServerConfig - Fix RwLock contention: Release read lock before sorting in list_jobs() - Fix systemd service: Remove ProtectSystem=strict (blocks package management) - Fix systemd service: Change Type=notify to Type=simple (fixes restart hangs) - Fix systemd service: Add DEBIAN_FRONTEND=noninteractive - Fix systemd service: Add ReadWritePaths for apt/dpkg paths CI/CD: - Add Ubuntu 22.04 build job to CI workflow E2E Testing: - Add comprehensive E2E test suite (test_e2e.py) - Tests cover health, packages, patches, jobs, security, and reboot endpoints Other: - Bump version to 0.2.0 - Add lessons learned documentation	2026-05-02 20:59:02 +00:00