release: bump version to 1.1.9 for non-Ubuntu package fixes

fix: comment out RPM BuildRequires for CI (rustup not RPM), fix changelog date
docs: add detailed Arch, RPM, Alpine installation instructions
2026-05-20 02:54:09 +00:00 · 2026-05-20 02:32:31 +00:00 · 2026-05-20 02:06:52 +00:00 · 2026-05-20 02:01:52 +00:00 · 2026-05-19 00:34:21 +00:00 · 2026-05-19 00:21:59 +00:00
83 changed files with 1597 additions and 5459 deletions
--- a/.a0proj/agents.json
+++ b/.a0proj/agents.json
@ -0,0 +1 @@
+{}
--- a/.a0proj/audit.db
+++ b/.a0proj/audit.db
--- a/.a0proj/memory/embedding.json
+++ b/.a0proj/memory/embedding.json
@ -0,0 +1 @@
+{"model_provider": "ollama", "model_name": "bge-m3:latest"}
--- a/.a0proj/memory/index.faiss
+++ b/.a0proj/memory/index.faiss
--- a/.a0proj/memory/index.faiss.sha256
+++ b/.a0proj/memory/index.faiss.sha256
@ -0,0 +1 @@
+9cde4598eb68e4b1810cdf657333d8ca9e228ebcb4b4717524b62a61ae06f900
--- a/.a0proj/memory/index.pkl
+++ b/.a0proj/memory/index.pkl
--- a/.a0proj/memory/knowledge_import.json
+++ b/.a0proj/memory/knowledge_import.json
@ -0,0 +1 @@
+{"/a0/usr/knowledge/main/Iran-US-Conflict-Update-2026-04-01.md": {"file": "/a0/usr/knowledge/main/Iran-US-Conflict-Update-2026-04-01.md", "checksum": "6beea9874c3bcb846d17f9a60c29d528", "ids": ["5sQkc0Ylqa", "FeZVPLWYss", "kYBRtDfHjJ"]}, "/a0/usr/knowledge/main/ollama-27b-modelfile.txt": {"file": "/a0/usr/knowledge/main/ollama-27b-modelfile.txt", "checksum": "3f4f724d6f777e0620df9781ebc82f36", "ids": ["yZoFOCA99D"]}, "/a0/usr/knowledge/main/behavioral-rules.md": {"file": "/a0/usr/knowledge/main/behavioral-rules.md", "checksum": "ff4230d5f02891487008864de55151e8", "ids": ["5LhBKVgUXB"]}, "/a0/usr/knowledge/main/utility_test.txt": {"file": "/a0/usr/knowledge/main/utility_test.txt", "checksum": "c8c29a129e935836a77048f47e231705", "ids": ["vrbKe4D4sR"]}, "/a0/usr/knowledge/main/welcome.md": {"file": "/a0/usr/knowledge/main/welcome.md", "checksum": "d947ce81d6dcc977a3ddf52e8d5e4712", "ids": ["0Qx7U1mSZH"]}, "/a0/usr/knowledge/main/capability_test_results.txt": {"file": "/a0/usr/knowledge/main/capability_test_results.txt", "checksum": "880b2a6e355125561f22e1f0ac38a3c4", "ids": ["hmVC8arGTg"]}, "/a0/usr/knowledge/main/Iran-US-Conflict-Analysis-2026.md": {"file": "/a0/usr/knowledge/main/Iran-US-Conflict-Analysis-2026.md", "checksum": "ffa6e16f560fc2c021df9c656e8dfdcc", "ids": ["WKKtg5Rj2e", "VBSDN1KENS"]}, "/a0/knowledge/main/tool_call_reference_examples.md": {"file": "/a0/knowledge/main/tool_call_reference_examples.md", "checksum": "1558e6e118619185e31224b1ed646b9a", "ids": ["mLgFu7vH7Z"]}, "/a0/knowledge/main/about/architecture.md": {"file": "/a0/knowledge/main/about/architecture.md", "checksum": "0de7a9280419982ef5fc98d0cc6ad2dc", "ids": ["VG5QHEdqZt", "oALIWNguyG"]}, "/a0/knowledge/main/about/configuration.md": {"file": "/a0/knowledge/main/about/configuration.md", "checksum": "9f83690fdca64631d063c75fd324d42c", "ids": ["XX5kcVMvDu", "T2B8pFL10O"]}, "/a0/knowledge/main/about/capabilities.md": {"file": "/a0/knowledge/main/about/capabilities.md", "checksum": "cf4d100df544af245940971464357e0b", "ids": ["S6MH1eLPzP", "laWnXkj3Ky"]}, "/a0/knowledge/main/about/identity.md": {"file": "/a0/knowledge/main/about/identity.md", "checksum": "63a2c83c6c3bf4c4008786c396618755", "ids": ["Yi3PLqGcaj"]}, "/a0/knowledge/main/about/setup-and-deployment.md": {"file": "/a0/knowledge/main/about/setup-and-deployment.md", "checksum": "3cf57d685f11a6989a73cf041c2018a3", "ids": ["KVJ5zsWDQX", "LoANN0xNbF"]}}
--- a/.a0proj/project.json
+++ b/.a0proj/project.json
@ -0,0 +1 @@
+{"title": "Linux_Patch_API", "description": "Create an API service that will allow remote clients to securely remote manage the patching process and control software add and removal. ", "instructions": "Use Strict Spec Driven development process following the kiro standards.\nAsk questions and help build all of the spec driven files needed\nAlways get approval before taking next steps\nAlways ask questions to determine the right path for the software\nNever make assumptions, always confirm. \nCode must be build following strict security coding guidelines\n", "color": "#00bbf9", "git_url": "", "file_structure": {"enabled": true, "max_depth": 5, "max_files": 20, "max_folders": 20, "max_lines": 250, "gitignore": "# Python environments & cache\nvenv/**\n**/__pycache__/**\n\n# Node.js dependencies\n**/node_modules/**\n**/.npm/**\n\n# Version control metadata\n**/.git/**\n"}}
--- a/.a0proj/secrets.env
+++ b/.a0proj/secrets.env
--- a/.a0proj/variables.env
+++ b/.a0proj/variables.env
@ -0,0 +1,3 @@
+EMBEDDING_MODEL=bge-m3:latest
+OLLAMA_HOST=http://ares.moon-dragon.us:11434
+LLM_MODEL=qwen3.5:9b
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -18,7 +18,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -36,7 +36,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -59,7 +59,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -81,7 +81,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -106,7 +106,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -133,7 +133,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -158,7 +158,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -185,12 +185,6 @@ jobs:
        run: |
          TAG_NAME=${GITHUB_REF#refs/tags/}
          FILE=$(ls ../linux-patch-api_*.deb 2>/dev/null | head -1)
-          # Rename deb to include u2404 in filename to distinguish from u2204 build
-          if [ -n "$FILE" ]; then
-            U2404_FILE="$(echo "$FILE" | sed 's/_amd64/_u2404_amd64/')"
-            mv "$FILE" "$U2404_FILE"
-            FILE="$U2404_FILE"
-          fi
          chmod +x scripts/upload-release.sh
          ./scripts/upload-release.sh "$TAG_NAME" "$FILE"

@ -201,7 +195,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -244,7 +238,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -255,46 +249,19 @@ jobs:
      - name: Install build dependencies
        run: |
          sudo dnf install -y gcc rpm-build systemd-devel pkg-config openssl-devel
-      - name: Clean stale RPM artifacts
-        run: |
-          rm -f ~/rpmbuild/RPMS/x86_64/linux-patch-api-*.rpm
-          rm -f releases/linux-patch-api-*.rpm
      - name: Build release binary
        run: cargo build --release
      - name: Build RPM package
        run: |
          chmod +x build-rpm.sh
-          SKIP_CARGO_BUILD=1 ./build-rpm.sh
-      - name: Verify RPM package
-        run: |
-          VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
-          RPM_FILE=$(ls ~/rpmbuild/RPMS/x86_64/linux-patch-api-${VERSION}-*.rpm 2>/dev/null | head -1)
-          if [ -z "$RPM_FILE" ]; then
-            echo "ERROR: RPM package not found for version $VERSION!"
-            ls -la ~/rpmbuild/RPMS/x86_64/ 2>/dev/null || echo "RPM directory empty or missing"
-            exit 1
-          fi
-          RPM_VERSION=$(rpm -qp --queryformat '%{VERSION}' "$RPM_FILE" 2>/dev/null || true)
-          echo "RPM file: $RPM_FILE"
-          echo "RPM version: $RPM_VERSION"
-          echo "Expected version: $VERSION"
-          if [ "$RPM_VERSION" != "$VERSION" ]; then
-            echo "ERROR: RPM version ($RPM_VERSION) does not match expected version ($VERSION)!"
-            exit 1
-          fi
-          echo "RPM verification passed"
+          ./build-rpm.sh
      - name: Upload to Gitea Release
        if: github.ref_type == 'tag'
        env:
          GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
        run: |
          TAG_NAME=${GITHUB_REF#refs/tags/}
-          VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
-          FILE=$(ls ~/rpmbuild/RPMS/x86_64/linux-patch-api-${VERSION}-*.rpm 2>/dev/null | head -1)
-          if [ -z "$FILE" ]; then
-            echo "ERROR: No RPM found with version $VERSION for upload!"
-            exit 1
-          fi
+          FILE=$(ls ~/rpmbuild/RPMS/x86_64/*.rpm 2>/dev/null | head -1)
          chmod +x scripts/upload-release.sh
          ./scripts/upload-release.sh "$TAG_NAME" "$FILE"

@ -306,7 +273,7 @@ jobs:
      - name: Checkout repository
        run: |
          apk add --no-cache curl
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -325,33 +292,13 @@ jobs:
        run: |
          chmod +x build-alpine.sh
          SKIP_CARGO_BUILD=1 ./build-alpine.sh
-      - name: Verify Alpine package
-        run: |
-          EXPECTED_VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
-          FILE=$(ls releases/linux-patch-api-*.apk 2>/dev/null | head -1)
-          if [ -z "$FILE" ]; then
-            echo "ERROR: No Alpine package found!"
-            exit 1
-          fi
-          echo "Expected version: $EXPECTED_VERSION"
-          echo "Package file: $FILE"
-          # Verify filename contains expected version
-          if ! echo "$FILE" | grep -q "$EXPECTED_VERSION"; then
-            echo "ERROR: Alpine package version ($FILE) does not match expected version ($EXPECTED_VERSION)!"
-            exit 1
-          fi
-          echo "Alpine package verification passed"
      - name: Upload to Gitea Release
-        if: startsWith(github.ref, 'refs/tags/')
+        if: github.ref_type == 'tag'
        env:
          GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
        run: |
          TAG_NAME=${GITHUB_REF#refs/tags/}
-          FILE=$(ls releases/linux-patch-api-*.apk 2>/dev/null | head -1)
-          if [ -z "$FILE" ]; then
-            echo "ERROR: No Alpine package found for upload!"
-            exit 1
-          fi
+          FILE=$(ls releases/*.apk 2>/dev/null | head -1)
          chmod +x scripts/upload-release.sh
          ./scripts/upload-release.sh "$TAG_NAME" "$FILE"

@ -362,7 +309,7 @@ jobs:
    steps:
      - name: Checkout repository
        run: |
-          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
+          curl -sfL -H "Authorization: token ${{ secrets.GITEATOKEN }}" "https://gitea-lxc.moon-dragon.us/echo/linux_patch_api/archive/${GITHUB_SHA}.tar.gz" -o repo.tar.gz
          tar -xzf repo.tar.gz --strip-components=1
          rm -f repo.tar.gz
      - name: Install Rust
@ -373,28 +320,12 @@ jobs:
      - name: Install build dependencies
        run: |
          sudo pacman -Syu --noconfirm rust cargo systemd git base-devel gcc
-      - name: Clean previous build artifacts
-        run: |
-          cargo clean
-          rm -f releases/linux-patch-api-*.pkg.tar.zst
      - name: Build release binary
        run: cargo build --release
      - name: Build Arch package
        run: |
          chmod +x build-arch.sh
          SKIP_CARGO_BUILD=1 ./build-arch.sh
-      - name: Verify Arch package
-        run: |
-          FILE=$(ls releases/*.pkg.tar.zst 2>/dev/null | head -1)
-          if [ -z "$FILE" ]; then
-            echo "ERROR: No Arch package found!"
-            exit 1
-          fi
-          EXPECTED_VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
-          echo "Expected version: $EXPECTED_VERSION"
-          echo "Package file: $FILE"
-          # Verify the package contains the correct binary version
-          pacman -Qip "$FILE" 2>/dev/null | grep -i version || true
      - name: Upload to Gitea Release
        if: startsWith(github.ref, 'refs/tags/')
        env:
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,105 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [master]
-    tags: ['v*.*.*']
-  pull_request:
-    branches: [master]
-
-env:
-  CARGO_TERM_COLOR: always
-
-jobs:
-  fmt:
-    name: Rust Format
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          components: rustfmt
-      - uses: Swatinem/rust-cache@v2
-      - run: cargo fmt --all -- --check
-
-  clippy:
-    name: Clippy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          components: clippy
-      - uses: Swatinem/rust-cache@v2
-      - name: Install system dependencies
-        run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
-      - run: cargo clippy --all-targets --all-features -- -D warnings
-
-  test:
-    name: Tests
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
-      - name: Install system dependencies
-        run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
-      - run: cargo test --all-features
-
-  audit:
-    name: Security Audit
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - run: cargo install cargo-audit && cargo audit --ignore RUSTSEC-2025-0134
-
-  enrollment-tests:
-    name: Enrollment Tests
-    needs: [fmt, clippy]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
-      - name: Install system dependencies
-        run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
-      - run: cargo test --test enroll_identity
-      - run: cargo test --test enrollment_test
-      - run: cargo test --test enrollment_e2e
-
-  build-deb:
-    name: Build & Release
-    needs: [fmt, clippy, test, enrollment-tests]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
-      - name: Install system dependencies
-        run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev dpkg-dev
-      - name: Build .deb package
-        run: |
-          . "$HOME/.cargo/env"
-          sudo env "PATH=$PATH" dpkg-buildpackage -us -uc -b -d
-      - name: Generate release notes
-        if: startsWith(github.ref, 'refs/tags/v')
-        id: release_notes
-        run: |
-          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
-          if [ -n "$PREV_TAG" ]; then
-            NOTES=$(git log ${PREV_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges)
-          else
-            NOTES=$(git log --pretty=format:"- %s (%h)" --no-merges)
-          fi
-          echo "notes<<EOF" >> $GITHUB_OUTPUT
-          echo "$NOTES" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
-      - name: Upload to GitHub Release
-        if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@v2
-        with:
-          body: ${{ steps.release_notes.outputs.notes }}
-          files: ../linux-patch-api_*.deb
--- a/.gitignore
+++ b/.gitignore
@ -1,18 +1 @@
 /target
-/releases/
-
-# Build artifacts
-debian/tmp/
-debian/linux-patch-api/
-debian/.debhelper/
-debian/debhelper-build-stamp
-debian/files
-debian/linux-patch-api.debhelper.log
-debian/linux-patch-api.postrm.debhelper
-debian/linux-patch-api.substvars
-*.deb
-*.buildinfo
-*.changes
-
-# Agent Zero project data
-.a0proj/
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@ -269,37 +269,18 @@ Client → [mTLS + IP Check] → [API Layer] → [GET /jobs/{id}]

 ### Endpoint: GET /health

-**Purpose:** General service status check with package cache status
+**Purpose:** General service status check

 **Response (200 OK - Healthy):**
 ```json
 {
  "success": true,
  "request_id": "uuid",
-  "timestamp": "2026-05-27T14:00:00Z",
+  "timestamp": "2026-04-09T13:04:02Z",
  "data": {
    "status": "healthy",
    "uptime_seconds": 12345,
-    "version": "1.1.17",
-    "last_cache_update": "2026-05-27T13:30:00+00:00",
-    "cache_status": "fresh"
-  },
-  "error": null
-}
-```
-
-**Response (200 OK - Degraded):**
-```json
-{
-  "success": true,
-  "request_id": "uuid",
-  "timestamp": "2026-05-27T14:00:00Z",
-  "data": {
-    "status": "degraded",
-    "uptime_seconds": 12345,
-    "version": "1.1.17",
-    "last_cache_update": "2026-05-27T09:00:00+00:00",
-    "cache_status": "failed"
+    "version": "0.0.1"
  },
  "error": null
 }
@ -310,19 +291,6 @@ Client → [mTLS + IP Check] → [API Layer] → [GET /jobs/{id}]
 - mTLS is configured and valid
 - Config file is loaded and valid
 - Package manager backend is accessible
- Package cache is fresh (refreshed within 4 hours)
-
-**Cache Refresh on Health Check:**
- If cache is stale (>4 hours since last update), health check triggers a cache refresh
- If refresh succeeds: status="healthy", cache_status="fresh"
- If refresh fails: status="degraded", cache_status="failed"
- If cache is fresh: status="healthy", cache_status="fresh"
-
-**Cache Status Values:**
- `fresh` - Cache was updated within the last 4 hours
- `stale` - Cache is older than 4 hours (triggers refresh)
- `unknown` - No cache update has occurred yet
- `failed` - Last cache refresh attempt failed

 **NOT Required:**
 - Metrics collection
@ -331,41 +299,4 @@ Client → [mTLS + IP Check] → [API Layer] → [GET /jobs/{id}]

 ---

-## Package Cache Management
-
-### Module: `src/packages/cache.rs`
-
-The package cache module manages the local package index state, ensuring that package metadata is current before performing operations.
-
-**Key Components:**
- `PackageCacheState` - Thread-safe in-memory cache state with Mutex protection
- `PackageCacheStatus` - Snapshot of cache state for reporting
- `CacheStateFile` - Persistent state format for serialization
- `is_fetch_error()` - Detects 404/fetch errors for automatic retry
- `apply_with_cache_retry()` - Generic retry wrapper for cache-related failures
- `run_command_with_timeout()` - Executes cache refresh commands with timeout
-
-**State Persistence:**
- Cache state persists to `/var/lib/linux_patch_api/state/cache.json`
- State is loaded on service startup and saved after every update
- Persists `last_cache_update` timestamp and `last_update_success` flag
- Parent directory is auto-created if missing
-
-**Stale Detection:**
- Cache is considered stale after 4 hours (`STALE_THRESHOLD_SECS = 14400`)
- Health check automatically refreshes stale cache
- Patch apply operations always refresh cache before proceeding (mandatory)
-
-**Refresh-Before-Apply Flow:**
-1. `POST /patches/apply` creates a job and spawns background task
-2. Background task refreshes package cache (mandatory, not configurable)
-3. If refresh fails: job fails immediately with error message
-4. If refresh succeeds: job progresses to 10%, applies patches
-5. If apply fails with 404/fetch error: refresh cache and retry once
-6. If retry also fails: job fails with error
-
-**Cache Refresh Timeout:** 120 seconds (`CACHE_REFRESH_TIMEOUT_SECS`)
-
---
-
 *Following kiro spec-driven development standards*
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,79 +0,0 @@
-# Contributing to Linux-Patch-Api
-
-Thank you for your interest in contributing to Linux-Patch-Api! We appreciate every contribution — from bug reports and documentation improvements to new features and security fixes.
-
-## Code of Conduct
-
-This project follows the [Contributor Covenant v2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) code of conduct. By participating, you are expected to uphold this standard. Please report unacceptable behavior to the maintainers.
-
-## How to Contribute
-
-1. **Fork** the repository
-2. Create a **feature branch** from `main`:
-   ```bash
-   git checkout -b feat/my-feature
-   ```
-3. Make your changes
-4. Ensure all CI checks pass:
-   ```bash
-   cargo fmt --check
-   cargo clippy -- -D warnings
-   cargo test
-   ```
-5. **Commit** using conventional commit format (see below)
-6. Open a **Pull Request** against `main`
-
-## Development Setup
-
-### Prerequisites
-
- **Rust toolchain** (stable) — [rustup](https://rustup.rs/)
- **System dependencies**:
-  ```bash
-  sudo apt-get install build-essential libsystemd-dev pkg-config libssl-dev
-  ```
-
-### Build & Run
-
-```bash
-cargo build
-cargo test
-```
-
-## Commit Messages
-
-We use [Conventional Commits](https://www.conventionalcommits.org/):
-
-| Prefix   | Usage                  |
-|----------|------------------------|
-| `feat:`  | New feature            |
-| `fix:`   | Bug fix                |
-| `docs:`  | Documentation changes  |
-| `chore:` | Maintenance tasks      |
-| `refactor:` | Code refactoring    |
-| `test:`  | Adding or updating tests |
-| `ci:`    | CI configuration changes |
-
-Example:
-```
-feat: add endpoint for patch rollback
-```
-
-## Pull Request Requirements
-
- All CI checks must pass (fmt, clippy, test, audit, build)
- One feature or fix per PR — keep changes focused
- Include a clear description of what changed and why
- Update documentation if your change affects behavior
-
-## Reporting Issues
-
-Use [GitHub Issues](https://github.com/Draco-Lunaris/Linux-Patch-Api/issues) to report bugs, request features, or ask questions. Please include:
-
- Steps to reproduce (for bugs)
- Expected vs. actual behavior
- Relevant logs or error messages
-
-## License
-
-By contributing, you agree that your contributions are licensed under the [Apache License 2.0](LICENSE), the same license as this project.
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1916,7 +1916,7 @@ dependencies = [

 [[package]]
 name = "linux-patch-api"
-version = "1.2.0"
+version = "1.1.7"
 dependencies = [
 "actix",
 "actix-rt",
@ -1942,12 +1942,10 @@ dependencies = [
 "serde_json",
 "serde_yaml",
 "serial_test",
- "socket2 0.5.10",
 "sysinfo",
 "systemd",
 "tempfile",
 "thiserror 1.0.69",
- "time",
 "tokio",
 "tokio-rustls",
 "tokio-test",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "1.2.0"
+version = "1.1.9"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"
@ -48,7 +48,6 @@ uuid = { version = "1", features = ["v4", "serde"] }

 # Time/Date
 chrono = { version = "0.4", features = ["serde"] }
-time = "0.3"

 # Error handling
 thiserror = "1"
@ -77,9 +76,6 @@ pidlock = "0.2"
 # URL parsing
 url = "2"

-# Socket options (SO_REUSEADDR)
-socket2 = { version = "0.5", features = ["all"] }
-
 # File locking for concurrent-safe whitelist modifications
 fs2 = "0.4"

--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@ -448,37 +448,15 @@ shred -u /tmp/client001.key.pem

 ## Self-Enrollment Deployment

-Self-enrollment allows a new host to automatically request and receive mTLS certificates from the `linux_patch_manager` without manual PKI distribution. The daemon supports two enrollment modes:
-
-1. **Auto-enrollment (recommended):** When `enrollment.manager_url` is configured in `config.yaml`, the daemon automatically enrolls on startup when certificates are missing or invalid. After provisioning, it continues to normal mTLS server startup.
-
-2. **Manual enrollment:** Run `linux-patch-api --enroll <manager_url>` explicitly. The process provisions certificates and **exits** — it does NOT start the server. Start the service separately after enrollment completes.
+Self-enrollment allows a new host to automatically request and receive mTLS certificates from the `linux_patch_manager` without manual PKI distribution. The daemon extracts its machine identity, registers with the manager, polls for admin approval, and provisions certificates before starting the mTLS server.

 ### How It Works

 The enrollment workflow operates in three phases:

 1. **Registration:** Extracts `/etc/machine-id`, FQDN, IP address, and OS details. Submits an unauthenticated `POST /api/v1/enroll` request to the manager. Receives a temporary `polling_token`.
-2. **Polling & Approval:** Enters a polling loop querying `GET /api/v1/enroll/status/{token}` (default: every 60 seconds, up to 1440 attempts = 24 hours). Aborts on HTTP 403/404 (denied/purged). The polling token is persisted to `config.yaml` for resume after service restart.
-3. **Provisioning:** On HTTP 200, downloads the PKI bundle (`ca.crt`, `server.crt`, `server.key`), writes certificates to configured mTLS paths, appends manager IP to whitelist. For auto-enrollment, transitions to standard mTLS listening mode. For `--enroll`, exits with code 0.
-
-### Certificate Validation
-
-On startup, the daemon validates all configured TLS certificates before attempting to bind the listening port:
-
-1. **Existence:** All three cert files must exist at configured paths
-2. **Parse:** Each file must be valid PEM (X.509 for certs, PKCS#8/PKCS#1 for keys)
-3. **Expiry:** Certs must not be expired. Certs expiring within `cert_renewal_threshold_days` (default 7) trigger a warning
-4. **Key match:** Server cert public key must correspond to server key private key
-5. **CA trust:** Server cert must be signed by the CA cert
-
-Validation results determine startup behavior:
-
-| Result | Action |
-|--------|--------|
-| Valid | Start normally with mTLS |
-| ExpiringSoon | Log warning, start normally, schedule re-enrollment |
-| Missing/Corrupt/Expired/KeyMismatch/Untrusted | Auto-enroll if `enrollment.manager_url` configured, otherwise exit with guidance |
+2. **Polling & Approval:** Enters a polling loop querying `GET /api/v1/enroll/status/{token}` (default: every 60 seconds, up to 1440 attempts = 24 hours). Aborts on HTTP 403/404 (denied/purged).
+3. **Provisioning:** On HTTP 200, downloads the PKI bundle (`ca.crt`, `server.crt`, `server.key`), writes certificates to configured mTLS paths, appends manager IP to whitelist, and transitions to standard mTLS listening mode.

 ### Prerequisites

@ -502,53 +480,62 @@ nslookup manager.example.com
 curl -ks https://manager.example.com/api/v1/health
 ```

-### Deployment Method 1: Auto-Enrollment (Recommended)
+### Step-by-Step Enrollment Procedure

-The simplest deployment. Just install the package, configure the manager URL, and start the service. The daemon handles the rest.
-
-#### Step 1: Install Package
+#### Step 1: Install linux-patch-api Package

 ```bash
 # Debian/Ubuntu
-dpkg -i linux-patch-api_1.2.0-1_amd64.deb
+dpkg -i linux-patch-api_1.0.0-1_amd64.deb

 # RHEL/CentOS/Fedora
-rpm -ivh linux-patch-api-1.2.0-1.x86_64.rpm
+rpm -ivh linux-patch-api-1.0.0-1.x86_64.rpm
 ```

-#### Step 2: Configure Enrollment URL
+#### Step 2: Run Enrollment Command

 ```bash
-# Edit the config to add manager URL
-cat >> /etc/linux_patch_api/config.yaml <<EOF
+# Basic enrollment with manager URL
+sudo linux-patch-api --enroll https://manager.example.com

-enrollment:
-  manager_url: "https://linux-patch-manager-dev.moon-dragon.us"
-  polling_interval_seconds: 60
-  max_poll_attempts: 1440
-  cert_renewal_threshold_days: 7
-EOF
+# With verbose logging for troubleshooting
+sudo linux-patch-api --enroll https://manager.example.com --verbose
 ```

-#### Step 3: Start Service
+The enrollment process will:
+- Extract machine identity from `/etc/machine-id` and system properties
+- Submit registration request to manager
+- Enter polling loop (logs progress every 60 seconds)
+- Await admin approval on the manager side
+- Download and install certificates automatically
+- Update IP whitelist with manager address
+- Start mTLS server upon successful provisioning
+
+#### Step 3: Monitor Enrollment Progress

 ```bash
-# Enable and start
-systemctl enable linux-patch-api
-systemctl start linux-patch-api
-
-# Watch auto-enrollment progress
+# View enrollment logs in real-time
 journalctl -u linux-patch-api -f
+
+# Or if running manually:
+sudo linux-patch-api --enroll https://manager.example.com --verbose
 ```

-The daemon will:
-1. Validate certificates → find them missing
-2. Read `enrollment.manager_url` → begin auto-enrollment
-3. Register with manager, poll for approval
-4. Provision certificates after admin approval
-5. Continue to normal mTLS server startup
-
-**No manual `--enroll` command needed.** The service self-heals on restart if certificates are missing or invalid.
+**Expected log progression:**
+```
+INFO Enrollment mode activated - manager_url=https://manager.example.com
+INFO Phase 1: Submitting registration request
+INFO Registration submitted - polling_token=abc123...
+INFO Phase 2: Polling for approval (interval=60s, max_attempts=1440)
+INFO Poll attempt 1/1440 - status=pending
+... (admin approves on manager side) ...
+INFO Phase 3: Provisioning certificates
+INFO ca.pem written to /etc/linux_patch_api/certs/ca.pem
+INFO server.pem written to /etc/linux_patch_api/certs/server.pem
+INFO server.key written to /etc/linux_patch_api/certs/server.key
+INFO Manager IP added to whitelist
+INFO Enrollment complete - proceeding to server startup
+```

 #### Step 4: Admin Approval (Manager Side)

@ -574,61 +561,6 @@ curl --cacert /etc/linux_patch_api/certs/ca.pem \
     https://localhost:12443/health
 ```

-### Deployment Method 2: Manual Enrollment
-
-For environments where auto-enrollment is not desired, or for initial setup before the service is enabled.
-
-#### Step 1: Install Package
-
-```bash
-# Debian/Ubuntu
-dpkg -i linux-patch-api_1.2.0-1_amd64.deb
-
-# RHEL/CentOS/Fedora
-rpm -ivh linux-patch-api-1.2.0-1.x86_64.rpm
-```
-
-#### Step 2: Run Enrollment Command
-
-```bash
-# Basic enrollment with manager URL
-sudo linux-patch-api --enroll https://linux-patch-manager-dev.moon-dragon.us
-
-# With verbose logging for troubleshooting
-sudo linux-patch-api --enroll https://linux-patch-manager-dev.moon-dragon.us --verbose
-```
-
-**Important:** The `--enroll` command provisions certificates and **exits**. It does NOT start the server. This prevents port conflicts with the systemd service.
-
-The enrollment process will:
- Extract machine identity from `/etc/machine-id` and system properties
- Submit registration request to manager
- Enter polling loop (logs progress every 60 seconds)
- Await admin approval on the manager side
- Download and install certificates automatically
- Update IP whitelist with manager address
- Print: "Enrollment complete. Start service: systemctl start linux-patch-api"
- Exit with code 0
-
-#### Step 3: Start Service
-
-```bash
-systemctl enable linux-patch-api
-systemctl start linux-patch-api
-systemctl status linux-patch-api
-```
-
-### Certificate Renewal
-
-Certificates can be renewed manually or automatically:
-
-```bash
-# Manual renewal
-sudo linux-patch-api --renew-certs
-
-# Auto-renewal: certs expiring within cert_renewal_threshold_days trigger re-enrollment on startup
-```
-
 ### Configuration Options

 Enrollment behavior can be tuned via the `enrollment` section in `/etc/linux_patch_api/config.yaml`:
@ -636,22 +568,16 @@ Enrollment behavior can be tuned via the `enrollment` section in `/etc/linux_pat
 ```yaml
 # Enrollment Configuration
 enrollment:
-  manager_url: "https://linux-patch-manager-dev.moon-dragon.us"
  polling_interval_seconds: 60    # Time between approval polls (default: 60)
  max_poll_attempts: 1440         # Maximum poll attempts (default: 1440 = 24 hours)
-  polling_token: ""               # Auto-populated during enrollment (do not edit)
-  cert_renewal_threshold_days: 7  # Days before expiry to trigger re-enrollment
 ```

 **Parameter Reference:**

 | Parameter | Default | Description |
 |-----------|---------|-------------|
-| `manager_url` | (none) | Manager URL for auto-enrollment. Required for auto-enrollment on startup. |
 | `polling_interval_seconds` | 60 | Seconds between approval status polls. Minimum: 10 |
 | `max_poll_attempts` | 1440 | Maximum polling attempts before timeout. Effective timeout = interval × attempts |
-| `polling_token` | (empty) | Auto-populated during enrollment for resume after restart. Do not edit manually. |
-| `cert_renewal_threshold_days` | 7 | Days before cert expiry to trigger automatic re-enrollment |

 **Effective Timeout Calculation:**
 - Default: 60s × 1440 = 86,400 seconds (24 hours)
--- a/190
+++ b/190
@ -1,190 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to the Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by the Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2025-2026 Draco Lunaris
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
--- a/REQUIREMENTS.md
+++ b/REQUIREMENTS.md
@ -50,16 +50,6 @@
 - Log configuration changes (whitelist updates, cert renewals)
 - Log system changes made by the API

-### FR-007: Package Cache Refresh
-
- The agent MUST refresh the local package index before every patch_apply operation
- The agent MUST refresh the local package index when the health check detects stale cache (>4 hours)
- The agent SHOULD automatically retry patch_apply once after cache refresh on 404/fetch errors
- The agent SHOULD track and report last_cache_update timestamp in health check responses
- Cache state persists to /var/lib/linux_patch_api/state/cache.json across service restarts
- Cache refresh before apply is mandatory and not configurable
- Cache refresh timeout is 120 seconds
-
 ---
 ## Non-Functional Requirements

--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,46 +1,346 @@
-# Security Policy
+# Linux_Patch_API - Security Specification Document

-## Supported Versions
+## Security Overview

-Only the **latest release** is currently supported with security updates.
+**Philosophy:** Defense in depth with zero-trust principles for internal network.

-| Version | Supported |
-|---------|----------|
-| Latest  | ✅       |
-| Older   | ❌       |
+**Approach:** 
+- mTLS certificate-based authentication (required for all connections)
+- IP whitelist enforcement (deny by default, allow only listed)
+- Comprehensive audit logging for all operations
+- Systemd hardening and process isolation
+- Minimal attack surface (internal network only)

-## Reporting a Vulnerability
+---

-**Do not report security vulnerabilities through public GitHub Issues.**
+## Threat Model

-Instead, use GitHub's private vulnerability reporting:
+### Threat Actor Profile

-👉 [Report a vulnerability for Linux-Patch-Api](https://github.com/Draco-Lunaris/Linux-Patch-Api/security/advisories/new)
+| Attribute | Description |
+|-----------|-------------|
+| **Origin** | Internal network only |
+| **Skill Level** | Moderate to High |
+| **Resources** | Limited (not nation-state) |
+| **Motivation** | Unauthorized system access, privilege escalation |
+| **Access** | Must bypass mTLS + IP whitelist |

-This allows us to coordinate a fix before public disclosure.
+### STRIDE Threat Analysis

-### Response Timeline
+| Threat Category | Potential Threat | Mitigation | Status |
+|-----------------|------------------|------------|--------|
+| **Spoofing** | Attacker impersonates valid client | mTLS certificate validation, unique certs per client | ✅ Mitigated |
+| **Spoofing** | Attacker uses expired/revoked cert | Certificate expiry validation (1-year max) | ✅ Mitigated |
+| **Tampering** | API requests modified in transit | TLS 1.3 encryption | ✅ Mitigated |
+| **Tampering** | Config files modified unauthorized | File permissions (600/644), config validation before reload | ✅ Mitigated |
+| **Repudiation** | Client denies making request | Audit logging with request_id, client cert ID | ✅ Mitigated |
+| **Repudiation** | Server denies response | Comprehensive audit trail (systemd journal) | ✅ Mitigated |
+| **Information Disclosure** | Package/data info leaked to unauthorized | Silent drop for non-mTLS, IP whitelist | ✅ Mitigated |
+| **Information Disclosure** | Error messages leak system info | Detailed errors only for authenticated clients | ✅ Mitigated |
+| **Denial of Service** | Resource exhaustion via many requests | Internal network only, IP whitelist limits exposure | ⚠️ Partial |
+| **Denial of Service** | Job queue flooding | Configurable concurrent job limit (default: 5) | ✅ Mitigated |
+| **Denial of Service** | Long-running job starvation | 30-minute job timeout enforcement | ✅ Mitigated |
+| **Elevation of Privilege** | Unauthorized package installation | Root required, but mTLS + IP whitelist required | ✅ Mitigated |
+| **Elevation of Privilege** | Subprocess escape | SystemCallFilter, ProtectSystem=strict | ✅ Mitigated |

- **Acknowledgment** within 48 hours
- **Initial assessment** within 7 days
- **Ongoing updates** on remediation progress
+### Attack Vectors & Mitigations

-## Disclosure Policy
+| Attack Vector | Likelihood | Impact | Mitigation |
+|---------------|------------|--------|------------|
+| Network interception | Low | Critical | TLS 1.3 only, mTLS required |
+| Certificate theft | Medium | Critical | Cert permissions (600), internal CA only |
+| IP spoofing | Low | High | IP whitelist + mTLS (both required) |
+| Config file tampering | Medium | High | File permissions, validation before reload |
+| Package manager injection | Low | Critical | Pluggable backend with input validation |
+| Job manipulation | Low | High | Job storage isolation, exclusive rollback mode |
+| Log tampering | Medium | High | systemd journal (immutable), optional remote syslog |

-We follow **coordinated disclosure**:
+---

- We ask for **90 days** before public disclosure of a vulnerability
- Security advisories are published via [GitHub Security Advisories](https://github.com/Draco-Lunaris/Linux-Patch-Api/security/advisories)
- We will work with you to determine an appropriate disclosure timeline when a fix requires more time
+## Authentication & Authorization

-## Security Best Practices
+### Authentication Requirements

-This project is a security tool — we hold ourselves to a high standard:
+- **Method:** mTLS certificate-based authentication
+- **Certificate Type:** Unique client certificate per client (1-year validity)
+- **CA:** Internal self-hosted Certificate Authority
+- **TLS Version:** TLS 1.3 only
+- **Multi-factor:** Certificate + IP whitelist (dual requirement)
+- **Session Management:** Stateless (no sessions)

- **Signed commits**: All commits must be signed (SSH signing)
- **CI enforcement**: All PRs require passing CI checks (fmt, clippy, test, audit, build)
- **Dependency auditing**: `cargo audit` runs in CI to catch known vulnerabilities
+### Authorization Model

-## Credit
+- **Model:** Binary authorization (all-or-nothing)
+- **Permission Levels:** Single level (full access if authenticated)
+- **Requirements:**
+  - Valid mTLS certificate (not expired, signed by internal CA)
+  - Source IP in whitelist (YAML config, instant apply)
+- **No RBAC:** All authenticated clients have full API access

-Contributors who responsibly report vulnerabilities will be credited in the corresponding GitHub Security Advisory.
+---
+
+## Data Security
+
+### Encryption at Rest
+
+- **Certificates:** File permissions 600 for private keys
+- **Job Storage:** `/var/lib/linux_patch_api/jobs/` (cleared on restart)
+- **Config Files:** `/etc/linux_patch_api/` (644 for config, 600 for keys)
+- **Audit Logs:** systemd journal (immutable by default)
+
+### Encryption in Transit
+
+- **Protocol:** TLS 1.3 only
+- **Port:** 12443
+- **Cipher Suites:** TLS 1.3 default (no legacy cipher support)
+- **Certificate Validation:** Mutual TLS (server + client cert required)
+
+### Key Management
+
+- **CA Private Key:** Stored securely on CA host only
+- **Server Certificates:** `/etc/linux_patch_api/certs/server.key` (600)
+- **Client Certificates:** Distributed manually to authorized clients
+- **Rotation:** 1-year certificate expiry, manual renewal process
+- **Revocation:** Not implemented (rely on expiry + physical cert retrieval)
+
+---
+
+## API Security
+
+### Input Validation
+
+- **Package Names:** Alphanumeric + standard package chars only
+- **Versions:** Semantic versioning validation
+- **IP Addresses:** IPv4 + CIDR validation for whitelist
+- **JSON Schema:** Strict schema validation for all request bodies
+- **Path Traversal:** Blocked (no `..` in paths)
+
+### Rate Limiting
+
+- **Not Required:** Internal network only with strict IP whitelist
+- **Job Concurrency:** Configurable limit (default: 5 concurrent jobs)
+- **Job Timeout:** 30-minute maximum per job
+
+### CORS Policy
+
+- **Not Applicable:** API is not browser-accessible
+- **Origin:** mTLS clients only (no browser CORS concerns)
+
+---
+
+## Audit & Logging
+
+### Security Events to Log
+
+- All API requests (endpoint, method, timestamp, client cert ID, source IP)
+- Authentication events (success/failure, cert validation result)
+- Authorization events (IP whitelist match/failure)
+- Package operations (package name, version, action, result)
+- Configuration changes (config reload, whitelist updates)
+- Job lifecycle events (create, start, complete, fail, timeout, rollback)
+- Service events (start, stop, restart, config validation failures)
+
+### Log Protection
+
+- **Primary Storage:** systemd journal (immutable, access-controlled)
+- **Secondary Storage:** Optional remote syslog
+- **Fallback:** Local file `/var/log/linux_patch_api/audit.log` (640)
+- **Retention:** 30 days with daily rotation and compression
+- **Access:** Root only, audit group read access
+- **Integrity:** systemd journal provides tamper evidence
+
+---
+
+## Compliance Requirements
+
+- **Internal Standards:** Follows organizational security policies
+- **No External Compliance:** Not designed for PCI-DSS, HIPAA, SOC2 (can be extended)
+- **Audit Trail:** Comprehensive logging supports internal audit requirements
+- **Access Control:** mTLS + IP whitelist provides strong access control
+
+---
+
+## Security Testing
+
+### Penetration Testing
+
+- **Schedule:** Required before production deployment
+- **Scope:**
+  - mTLS authentication bypass attempts
+  - IP whitelist enforcement testing
+  - API endpoint fuzzing
+  - Certificate validation testing
+  - Config file tampering attempts
+  - Privilege escalation attempts
+- **Tester:** Internal security team or external contractor
+- **Frequency:** Annual or after major changes
+
+### Vulnerability Management
+
+- **Dependency Scanning:** Rust crate security advisories monitored
+- **System Patches:** Host system patched via API itself (dogfooding)
+- **Certificate Updates:** Annual renewal process
+- **Config Audits:** Quarterly review of whitelist and security settings
+- **Incident Response:** Log analysis for security event investigation
+
+---
+
+## Phase 3 Security Testing Results
+
+**Test Date:** 2026-04-09  
+**Tester:** Agent Zero Fuzz Testing Agent  
+**Status:** ✅ ALL CRITICAL ISSUES RESOLVED - Minor improvements recommended
+
+### Security Test Summary (16 Tests)
+
+| Category | Passed | Failed | Status |
+|----------|--------|--------|--------|
+| mTLS Enforcement | 3 | 0 | ✅ Complete |
+| IP Whitelist | 1 | 0 | ✅ Complete |
+| API Endpoints | 5 | 0 | ✅ Complete |
+| Input Validation | 3 | 0 | ✅ Complete |
+| Certificate Security | 2 | 0 | ✅ Complete |
+| Configuration Security | 2 | 0 | ✅ Complete |
+| **TOTAL** | **16** | **0** | **✅ 100%** |
+
+---
+
+## Phase 3 Fuzz Testing Results
+
+**Test Date:** 2026-04-09  
+**Tester:** Agent Zero Fuzz Testing Agent  
+**Test Type:** Comprehensive Fuzz Testing  
+**Overall Status:** ⚠️ GOOD - Minor improvements needed
+
+### Fuzz Test Summary (21 Tests)
+
+| Section | Tests | Passed | Failed | Pass Rate |
+|---------|-------|--------|--------|-----------|
+| API Input Fuzzing | 8 | 5 | 3 | 62.5% |
+| Request Header Fuzzing | 5 | 2 | 3 | 40% |
+| Certificate Fuzzing | 5 | 5 | 0 | 100% |
+| Rate Limiting/DoS | 3 | 3 | 0 | 100% |
+| **TOTAL** | **21** | **15** | **6** | **71.4%** |
+
+### Vulnerabilities Identified
+
+| ID | Severity | Category | Description | Status |
+|----|----------|----------|-------------|--------|
+| VULN-001 | MEDIUM | Input Validation | Missing input length validation | 📝 Recommended |
+| VULN-002 | MEDIUM | Input Validation | Path traversal partial bypass | 📝 Recommended |
+| VULN-003 | LOW | Input Validation | Empty string validation missing | 📝 Recommended |
+| VULN-004 | MEDIUM | Header Security | Missing header size limits | 📝 Recommended |
+| VULN-005 | LOW | HTTP Protocol | Invalid methods return 404 vs 405 | 📝 Recommended |
+| VULN-006 | LOW | Header Security | Duplicate header handling | 📝 Recommended |
+
+### Security Strengths Confirmed
+
+✅ **mTLS Implementation: ROBUST**
+- All invalid certificates properly rejected at TLS layer
+- Silent drop behavior prevents information leakage
+- Certificate chain validation working correctly
+
+✅ **Injection Protection: EFFECTIVE**
+- SQL injection patterns: 4/4 blocked
+- Command injection patterns: 5/5 handled safely
+
+✅ **DoS Protection: ADEQUATE**
+- Large payloads (10MB) properly rejected with HTTP 413
+- Concurrent connections (20) handled gracefully
+- Rapid flooding (100 req) completed without service degradation
+
+### Recommendations for Phase 4
+
+**Medium Priority:**
+1. Implement input length validation (package names: 256 chars max)
+2. Enhance path traversal protection with strict normalization
+3. Configure header size limits (8KB max)
+
+**Low Priority:**
+4. Return 405 Method Not Allowed for unsupported methods
+5. Reject empty strings for required fields
+6. Handle duplicate headers with rejection
+
+---
+
+## Overall Security Assessment
+
+| Category | Status | Notes |
+|----------|--------|-------|
+| Authentication (mTLS) | ✅ SECURE | All certificate attacks blocked |
+| Authorization (IP Whitelist) | ✅ SECURE | Properly enforced |
+| Input Validation | ⚠️ GOOD | Minor improvements recommended |
+| Injection Protection | ✅ SECURE | SQL/Command/Path traversal blocked |
+| DoS Protection | ✅ SECURE | Large payloads rejected |
+| Certificate Security | ✅ SECURE | Robust mTLS implementation |
+
+**Overall Security Posture: GOOD**
+
+The API is suitable for internal network deployment. The 6 identified vulnerabilities are low-to-medium severity and represent hardening opportunities rather than critical security gaps. All critical and high severity issues from earlier testing have been resolved.
+
+
+---
+
+## Phase 3 Threat Model Validation
+
+**Validation Date:** 2026-04-09  
+**Validator:** Threat Model Validation Agent (Agent Zero)  
+**Report:** THREAT_MODEL_VALIDATION.md  
+
+### STRIDE Validation Summary
+
+| Category | Status | Confidence |
+|----------|--------|------------|
+| Spoofing | ✅ Fully Mitigated | High |
+| Tampering | ⚠️ Partially Mitigated | Medium |
+| Repudiation | ✅ Fully Mitigated | High |
+| Information Disclosure | ✅ Fully Mitigated | High |
+| Denial of Service | ⚠️ Partially Mitigated | Medium |
+| Elevation of Privilege | ✅ Fully Mitigated | High |
+
+### Key Findings
+
+**Validated Strengths:**
+- mTLS authentication robust (all certificate attacks blocked)
+- TLS 1.3 enforcement verified (plain HTTP rejected)
+- IP whitelist enforcement working correctly
+- Audit logging provides strong non-repudiation
+- Job-level DoS protection implemented
+- Injection protection effective (SQL, command, path traversal)
+- Systemd hardening in place
+
+**Identified Gaps (Medium Priority):**
+- Rate limiting not implemented (relies on network security)
+- Header size limits not configured
+- Input length validation missing
+- Config file integrity relies on permissions only
+- No certificate revocation mechanism
+
+**Recommendation:** Proceed to Phase 4 with focus on medium-priority hardening items. API suitable for internal network deployment with current mitigations.
+
+---
+
+## Test Artifacts
+
+- Fuzz test script: `/a0/usr/projects/linux_patch_api/fuzz_tests.sh`
+- Security test script: `/a0/usr/projects/linux_patch_api/security_tests.sh`
+- Fuzz test report: `/a0/usr/projects/linux_patch_api/FUZZ_TEST_REPORT.md`
+- Security findings report: `/a0/usr/projects/linux_patch_api/SECURITY_FINDINGS_REPORT.md`
+- Threat model validation: `/a0/usr/projects/linux_patch_api/THREAT_MODEL_VALIDATION.md`
+- API specification: `/a0/usr/projects/linux_patch_api/API_SPEC.md`
+
+---
+
+*Security documentation updated following Phase 3 Security Hardening and Threat Model Validation - Agent Zero*
+---
+
+## Test Artifacts
+
+- Fuzz test script: `/a0/usr/projects/linux_patch_api/fuzz_tests.sh`
+- Security test script: `/a0/usr/projects/linux_patch_api/security_tests.sh`
+- Fuzz test report: `/a0/usr/projects/linux_patch_api/FUZZ_TEST_REPORT.md`
+- API specification: `/a0/usr/projects/linux_patch_api/API_SPEC.md`
+
+---
+
+*Security documentation updated following Phase 3 Security Hardening - Agent Zero Fuzz Testing Agent*
--- a/SPEC.md
+++ b/SPEC.md
@ -3,7 +3,7 @@
 ## Project Overview
 **Title:** Linux_Patch_API  
 **Description:** API service for secure remote management of patching processes and software add/removal  
-**Version:** 1.2.0  
+**Version:** 0.0.1  
 **Status:** Draft  

 ## Scope
@ -142,82 +142,23 @@
 ## Certificate Management

 - **CA Type:** Internal self-hosted Certificate Authority
- **Distribution:** Automated Self-Enrollment (preferred) OR manual certificate distribution
-  - Auto-Enrollment: daemon automatically enrolls on startup when certs are missing/invalid and `enrollment.manager_url` is configured
-  - Manual Enrollment: `linux-patch-api --enroll <url>` for explicit enrollment (exits after completion, does not start server)
+- **Distribution:** Manual certificate distribution OR automated Self-Enrollment
+  - Self-Enrollment provides automatic PKI provisioning after admin approval on linux_patch_manager
  - Eliminates manual certificate copy/permission management for new hosts
 - **Scope:** Limited distribution (small number of authorized clients)
 - **Validity Period:** 1 year standard expiration
 - **Client Identity:** Unique certificate per client (no shared certs)
- **Rotation:** Automatic re-enrollment when certs are expiring within threshold, or manual via `--renew-certs`
-
-## Certificate Validation
-
-On startup, the daemon validates all configured TLS certificates before attempting to bind the listening port. Validation checks (in order):
-
-1. **Existence**: All three cert files (`ca_cert`, `server_cert`, `server_key`) must exist at configured paths
-2. **Parse**: Each file must be valid PEM — CA and server cert must parse as X.509, server key must parse as PKCS#8 or PKCS#1
-3. **Expiry**: CA cert and server cert must not be expired (`not_after > now`). Certs expiring within `cert_renewal_threshold_days` (default 7) trigger a warning and auto-re-enrollment
-4. **Key match**: Server cert's public key must correspond to server key's private key
-5. **CA trust**: Server cert must be signed by the CA cert (or chain validates to CA)
-
-Validation results determine startup behavior:
-
-| Result | Action |
-|--------|--------|
-| Valid | Start normally with mTLS |
-| ExpiringSoon | Log warning, start normally, schedule background re-enrollment |
-| Missing/Corrupt/Expired/KeyMismatch/Untrusted | Trigger auto-enrollment if `enrollment.manager_url` configured, otherwise exit with guidance |
+- **Rotation:** Manual renewal process before expiration

 ## Self-Enrollment Workflow

-The `linux_patch_api` daemon supports automated self-enrollment to securely request identity from the `linux_patch_manager` without manual PKI distribution. Enrollment can be triggered automatically on startup or manually via CLI.
-
-### Auto-Enrollment on Startup
-
-When cert validation fails AND `enrollment.manager_url` is configured in config.yaml, the daemon automatically enters enrollment mode:
-
-1. Log: "Certs [status]. Auto-enrolling with <url>"
-2. Skip cert validation (`skip_tls_validation=true`)
-3. Register with manager (POST /api/v1/enroll)
-   - If host already exists: log warning, skip to step 5 (polling for re-provisioning)
-   - If new registration: receive polling token
-4. Poll for approval (GET /api/v1/enroll/status/{token})
-   - Persist `polling_token` to config.yaml for resume after restart
-   - Retry with exponential backoff on network errors
-5. When approved: provision certs (ca.pem, server.pem, server.key)
-6. Re-validate certs (should now be Valid)
-7. Continue to normal mTLS server startup
-
-If enrollment fails (network error, manager unreachable):
- Log: "Auto-enrollment failed: [error]. Retrying on next restart."
- Exit code 1 (triggers systemd restart with backoff)
-
-If no enrollment URL is configured and certs are invalid:
- Log clear error with guidance (add URL, run --enroll, or place certs manually)
- Exit code 0 (don't trigger restart loop)
-
-### Polling Token Resume
-
-If the service restarts during enrollment polling:
-1. Read `polling_token` from config.yaml (persisted during enrollment)
-2. If token exists and `enrollment.manager_url` is configured:
-   a. Resume polling from where left off
-   b. Don't re-register (host already has a pending request)
-3. On successful provisioning:
-   a. Clear `polling_token` from config.yaml
-   b. Continue to normal server startup
-
-### CLI Enrollment (`--enroll`)
+The `linux_patch_api` daemon supports an automated self-enrollment workflow to securely request identity from the `linux_patch_manager` without manual PKI distribution.

+### CLI Invocation
 ```
 linux-patch-api --enroll https://<manager_url>
 ```
-
-The enrollment flow runs and **exits after completion** — it does NOT start the server. This prevents port conflicts with the systemd service.
-
- On success: prints "Enrollment complete. Start service: systemctl start linux-patch-api" and exits with code 0
- On failure: exits with code 1 (triggers systemd restart if configured)
+The enrollment flow runs before mTLS server startup. On success, the daemon proceeds to normal server initialization with the newly provisioned certificates.

 ### Security Model
 - Initial connection uses TLS with verification disabled (`danger_accept_invalid_certs`)
@ -255,7 +196,7 @@ The enrollment flow runs and **exits after completion** — it does NOT start th
 - **Backup Strategy:** Existing certificate files renamed to `.bak` before overwrite
 - **Target Paths:** Configured via TLS settings or defaults (`/etc/linux_patch_api/certs/{ca,server,server.key}.pem`)
 - **Whitelist Auto-Append:** Manager IP resolved (hostname → DNS or direct IP) and appended to `/etc/linux_patch_api/whitelist.yaml`
- **Completion:** For auto-enrollment: daemon transitions to standard mTLS listening mode without requiring service restart. For `--enroll`: daemon exits with code 0.
+- **Completion:** Daemon transitions to standard mTLS listening mode without requiring service restart

 ## Audit Logging

@ -274,8 +215,6 @@ The enrollment flow runs and **exits after completion** — it does NOT start th
  - Whitelist auto-append during enrollment (manager IP added)
  - Enrollment timeout or denial with reason
  - Signal interruption (SIGINT/SIGTERM) during polling
-  - Auto-enrollment triggered (cert status and reason)
-  - Certificate validation results on startup

 - **Log Storage:**
  - Primary: Distribution-appropriate logging
@ -318,12 +257,15 @@ The enrollment flow runs and **exits after completion** — it does NOT start th
  - **mTLS:** CA cert path, server cert path, server key path
  - **Logging:** log level, log retention, remote syslog server (optional)
  - **Security:** job timeout, max concurrent jobs, rate limiting
-  - **Enrollment:** manager_url, polling_interval_seconds, max_poll_attempts, polling_token (auto-populated), cert_renewal_threshold_days

 - **Hard-Coded Paths (not configurable):**
  - Whitelist file: `/etc/linux_patch_api/whitelist.yaml`
  - Data directory: `/var/lib/linux_patch_api/`
  - Job storage: `/var/lib/linux_patch_api/jobs/`
+- Hard-Coded Paths (not configurable):
+  - Whitelist file: `/etc/linux_patch_api/whitelist.yaml`
+  - Data directory: `/var/lib/linux_patch_api/`
+  - Job storage: `/var/lib/linux_patch_api/jobs/`
  - Log directory: `/var/log/linux_patch_api/`

 ## Testing Requirements
@ -344,25 +286,15 @@ The enrollment flow runs and **exits after completion** — it does NOT start th
 |------|-------------|
 | `--config <PATH>` or `-c` | Path to configuration file (default: `/etc/linux_patch_api/config.yaml`) |
 | `--verbose` or `-v` | Enable verbose (DEBUG-level) logging |
-| `--enroll <MANAGER_URL>` | Run self-enrollment flow with manager at URL, then EXIT (does not start server) |
-| `--renew-certs` | Validate existing certs and re-enroll if expiring within threshold or invalid |
+| `--enroll <MANAGER_URL>` | Run self-enrollment flow with manager at URL, then start mTLS server |
 | `--version` or `-V` | Print version information and exit |
 | `--help` or `-h` | Display help information and exit |

 ### Enrollment Mode Behavior
-
- **`--enroll <URL>`**: Executes enrollment flow, provisions certs, then **exits with code 0**. Does NOT start server or bind port. Print guidance message on completion.
- **Auto-enrollment (startup)**: Triggered when cert validation fails and `enrollment.manager_url` is configured. After provisioning, continues to normal server startup.
- **`--renew-certs`**: Validates existing certs. If expiring within threshold or invalid, re-enrolls using `enrollment.manager_url` from config. Exits with code 0 after completion.
- TLS verification is disabled on initial manager connection (manager approval workflow provides security)
-
-### Exit Codes
-
-| Code | Meaning | systemd Behavior |
-|------|---------|------------------|
-| 0 | Clean exit: no certs and no enrollment URL configured, or --enroll/--renew-certs success | No restart |
-| 1 | Error: config error, enrollment network failure, cert validation error | Restart with backoff |
-| 2 | Certs invalid, auto-enrollment in progress (will retry) | Restart with backoff |
+- When `--enroll` is specified, the daemon executes the self-enrollment flow before starting the mTLS server
+- On enrollment success: proceeds to normal server startup with provisioned certificates
+- On enrollment failure: exits immediately with error code (no server started)
+- TLS verification disabled on initial manager connection (manager approval workflow provides security)

 - **Phase 1 Acceptance Criteria:**
  - All endpoints functional with mTLS authentication
--- a/build-alpine.sh
+++ b/build-alpine.sh
@ -70,21 +70,18 @@ cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.e

 # Prepare workspace for abuild
 WORKSPACE_DIR=/home/builduser/repo
-rm -rf "$WORKSPACE_DIR"
 mkdir -p "$WORKSPACE_DIR"

+# Copy install script to workspace (must be co-located with APKBUILD)
+cp configs/linux-patch-api.apk-install "$WORKSPACE_DIR"/linux-patch-api.apk-install
+
 # Copy package directory to workspace
 cp -r "$PKGDIR" "$WORKSPACE_DIR"/apk-package

-# Copy install scripts to workspace (must be co-located with APKBUILD)
-# Alpine abuild requires SEPARATE files with valid suffixes:
-#   pkgname.pre-install, pkgname.post-install, pkgname.pre-deinstall, pkgname.post-deinstall
-cp configs/linux-patch-api.pre-install "$WORKSPACE_DIR"/linux-patch-api.pre-install
-cp configs/linux-patch-api.post-install "$WORKSPACE_DIR"/linux-patch-api.post-install
-cp configs/linux-patch-api.pre-deinstall "$WORKSPACE_DIR"/linux-patch-api.pre-deinstall
-cp configs/linux-patch-api.post-deinstall "$WORKSPACE_DIR"/linux-patch-api.post-deinstall
+# Copy entire repo to workspace for source references
+cp -r . "$WORKSPACE_DIR"/src/

-# Create APKBUILD in workspace directory (co-located with install scripts)
+# Create APKBUILD in workspace directory (co-located with install script)
 echo "Creating APKBUILD..."
 cat > "$WORKSPACE_DIR"/APKBUILD << EOF
 pkgname=linux-patch-api
@ -96,7 +93,7 @@ arch="x86_64"
 license="MIT"
 makedepends=""
 depends="openrc"
-install="linux-patch-api.pre-install linux-patch-api.post-install linux-patch-api.pre-deinstall linux-patch-api.post-deinstall"
+install="linux-patch-api.apk-install"
 subpackages=""
 source=""

@ -144,16 +141,16 @@ if [ "$(id -u)" = "0" ]; then
    cp /home/builduser/.abuild/*.rsa.pub /etc/apk/keys/ 2>/dev/null || true
    
    # Run abuild as builduser in workspace directory
-    su - builduser -c "cd $WORKSPACE_DIR && abuild checksum && abuild -d"
+    # Use || true because index update may fail but APK is still created
+    su - builduser -c "cd $WORKSPACE_DIR && abuild checksum && abuild -d -F" || true
    
    # Copy APK from builduser packages to releases
-    # Note: abuild outputs to /home/builduser/packages/builduser/x86_64/ not /home/builduser/packages/home/x86_64/
    mkdir -p releases
-    cp /home/builduser/packages/builduser/x86_64/*.apk releases/ 2>/dev/null || find /home/builduser/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
+    cp /home/builduser/packages/x86_64/*.apk releases/ 2>/dev/null || cp /home/builduser/packages/*.apk releases/ 2>/dev/null || find /home/builduser/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
 else
    cd "$WORKSPACE_DIR"
    abuild checksum
-    abuild -r
+    abuild -F -r
    cd -
    mkdir -p releases
    cp ~/packages/x86_64/*.apk releases/ 2>/dev/null || cp ~/packages/*.apk releases/ 2>/dev/null || true
@ -164,4 +161,4 @@ echo "=== Build Complete ==="
 echo "Package: releases/linux-patch-api-*.apk"
 echo ""
 echo "Install with:"
-echo "  sudo apk add ./releases/linux-patch-api-*.apk"
+echo "  sudo apk add --allow-unstable ./releases/linux-patch-api-*.apk"
--- a/build-arch.sh
+++ b/build-arch.sh
@ -14,11 +14,6 @@ if ! command -v makepkg &> /dev/null; then
    exit 1
 fi

-# Clean stale packages from previous builds
-rm -f releases/linux-patch-api-*.pkg.tar.zst 2>/dev/null || true
-rm -f /home/builduser/repo/releases/linux-patch-api-*.pkg.tar.zst 2>/dev/null || true
-rm -f /home/builduser/repo/*.pkg.tar.zst 2>/dev/null || true
-
 # Build release binary
 if [ -z "$SKIP_CARGO_BUILD" ]; then
    echo "Building release binary..."
--- a/build-rpm.sh
+++ b/build-rpm.sh
@ -2,29 +2,19 @@
 # Build RPM Package for RHEL/CentOS/Fedora
 # Run on: RHEL 8/9, CentOS 8/9, Fedora 38+
 # Designed for native Gitea Actions runner execution
-#
-# Build pattern: Pre-build binary BEFORE creating tarball (like Alpine/Arch)
-# The binary is included in the source tarball so rpmbuild's %build
-# section is a no-op. This avoids PATH issues where rpmbuild can't find
-# cargo installed via rustup.

 set -e

 echo "=== Linux Patch API - RPM Build Script ==="
 echo ""

-# Source cargo environment (for rustup-installed toolchain in CI)
-if [ -f "$HOME/.cargo/env" ]; then
-    . "$HOME/.cargo/env"
-fi
-
 # Check if running on RPM-based system
 if ! command -v rpmbuild &> /dev/null; then
    echo "Installing RPM build tools..."
    if command -v dnf &> /dev/null; then
-        dnf install -y rpm-build
+        dnf install -y rpm-build cargo rust gcc systemd-devel
    elif command -v yum &> /dev/null; then
-        yum install -y rpm-build
+        yum install -y rpm-build cargo rust gcc systemd-devel
    else
        echo "Error: Cannot install rpm-build. Please install manually."
        exit 1
@ -33,38 +23,13 @@ fi

 # Get version from Cargo.toml
 VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
-if [ -z "$VERSION" ]; then
-    echo "Error: Could not determine version from Cargo.toml"
-    exit 1
-fi
 echo "Building version: $VERSION"

-# Remove stale RPM artifacts to prevent uploading cached/old packages
-echo "Cleaning stale RPM artifacts..."
-rm -f ~/rpmbuild/RPMS/x86_64/linux-patch-api-*.rpm
-rm -f releases/linux-patch-api-*.rpm
-
-# Build release binary (skip if already built by CI)
-if [ -z "$SKIP_CARGO_BUILD" ]; then
-    echo "Building release binary..."
-    cargo build --release
-else
-    echo "Skipping cargo build (SKIP_CARGO_BUILD is set)"
-fi
-
-# Verify binary exists
-if [ ! -f "target/release/linux-patch-api" ]; then
-    echo "Error: Pre-built binary not found at target/release/linux-patch-api"
-    echo "Run 'cargo build --release' first or unset SKIP_CARGO_BUILD"
-    exit 1
-fi
-
 # Setup RPM build directory structure
 mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

-# Create source tarball with pre-built binary included
-# (required by %autosetup in spec file)
-echo "Creating source tarball with pre-built binary..."
+# Create source tarball (required by %autosetup in spec file)
+echo "Creating source tarball..."
 TMPDIR=$(mktemp -d)
 mkdir -p "$TMPDIR/linux-patch-api-${VERSION}"

@ -82,12 +47,6 @@ rm -rf "$TMPDIR/linux-patch-api-${VERSION}/.abuild"
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/apk-package"
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/.a0proj"

-# Re-create target/release with just the pre-built binary
-# This is the key change: binary is in the tarball so %build is a no-op
-mkdir -p "$TMPDIR/linux-patch-api-${VERSION}/target/release"
-cp target/release/linux-patch-api "$TMPDIR/linux-patch-api-${VERSION}/target/release/"
-chmod 755 "$TMPDIR/linux-patch-api-${VERSION}/target/release/linux-patch-api"
-
 tar -czf ~/rpmbuild/SOURCES/linux-patch-api-${VERSION}.tar.gz -C "$TMPDIR" "linux-patch-api-${VERSION}"
 rm -rf "$TMPDIR"

@ -95,35 +54,10 @@ rm -rf "$TMPDIR"
 echo "Preparing spec file..."
 sed "s/VERSION_PLACEHOLDER/$VERSION/" linux-patch-api.spec > ~/rpmbuild/SPECS/linux-patch-api.spec

-# Verify VERSION replacement succeeded
-if grep -q 'VERSION_PLACEHOLDER' ~/rpmbuild/SPECS/linux-patch-api.spec; then
-    echo "Error: VERSION_PLACEHOLDER not replaced in spec file!"
-    exit 1
-fi
-echo "Spec file version verified: $VERSION"
-
 # Build RPM
 echo "Building RPM package..."
 rpmbuild -ba ~/rpmbuild/SPECS/linux-patch-api.spec

-# Verify RPM was actually built
-RPM_FILE=$(ls ~/rpmbuild/RPMS/x86_64/linux-patch-api-${VERSION}-*.rpm 2>/dev/null | head -1)
-if [ -z "$RPM_FILE" ]; then
-    echo "Error: RPM package not found after build!"
-    echo "Looking for: ~/rpmbuild/RPMS/x86_64/linux-patch-api-${VERSION}-*.rpm"
-    ls -la ~/rpmbuild/RPMS/x86_64/ 2>/dev/null || echo "Directory empty or missing"
-    exit 1
-fi
-
-# Verify RPM contains the correct version
-RPM_VERSION=$(rpm -qp --queryformat '%{VERSION}' "$RPM_FILE" 2>/dev/null || true)
-echo "RPM built: $RPM_FILE"
-echo "RPM version: $RPM_VERSION"
-if [ "$RPM_VERSION" != "$VERSION" ]; then
-    echo "Error: RPM version ($RPM_VERSION) does not match expected version ($VERSION)!"
-    exit 1
-fi
-
 # Copy to releases directory
 echo ""
 echo "Copying package to releases/..."
--- a/configs/linux-patch-api-openrc
+++ b/configs/linux-patch-api-openrc
@ -17,10 +17,10 @@ depend() {

 # Create required directories before starting
 start_pre() {
-    checkpath --directory --owner root:root --mode 0755 \
+    checkpath --directory --owner linux-patch-api:linux-patch-api --mode 0755 \
        /run/linux-patch-api \
-        /var/log/linux_patch_api \
-        /var/lib/linux_patch_api \
+        /var/log/linux-patch-api \
+        /var/lib/linux-patch-api \
        /etc/linux_patch_api/certs
    
    # Ensure config files exist
--- a/configs/linux-patch-api.apk-install
+++ b/configs/linux-patch-api.apk-install
@ -0,0 +1,81 @@
+#!/bin/sh
+# Alpine Linux install hooks for linux-patch-api
+# Matches Debian preinst/postinst behavior: no system user, root:root ownership
+# Alpine APKBUILD install script format: pre-install, post-install, pre-deinstall, post-deinstall
+
+# Pre-install: Create directories before files are laid down
+pre_install() {
+    # Create required directories
+    mkdir -p /etc/linux_patch_api/certs
+    mkdir -p /var/lib/linux_patch_api
+    mkdir -p /var/log/linux_patch_api
+
+    # Set proper ownership (service runs as root)
+    chown -R root:root /var/lib/linux_patch_api
+    chown -R root:root /var/log/linux_patch_api
+
+    # Set secure permissions
+    chmod 750 /etc/linux_patch_api
+    chmod 750 /etc/linux_patch_api/certs
+    chmod 755 /var/lib/linux_patch_api
+    chmod 755 /var/log/linux_patch_api
+
+    echo "Pre-installation setup completed"
+}
+
+# Post-install: Copy example configs, enable service
+post_install() {
+    # Copy example configs if they don't exist
+    if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+        if [ -f "/etc/linux_patch_api/config.yaml.example" ]; then
+            cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
+            chmod 640 /etc/linux_patch_api/config.yaml
+            chown root:root /etc/linux_patch_api/config.yaml
+        fi
+    fi
+
+    if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+        if [ -f "/etc/linux_patch_api/whitelist.yaml.example" ]; then
+            cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
+            chmod 640 /etc/linux_patch_api/whitelist.yaml
+            chown root:root /etc/linux_patch_api/whitelist.yaml
+        fi
+    fi
+
+    # Enable the service (but don't start automatically - admin should configure first)
+    rc-update add linux-patch-api default
+
+    echo ""
+    echo "linux-patch-api installed successfully!"
+    echo ""
+    echo "Next steps:"
+    echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+    echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+    echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+    echo "  4. Start the service: rc-service linux-patch-api start"
+    echo "  5. Check status: rc-service linux-patch-api status"
+    echo ""
+}
+
+# Pre-deinstall: Stop and disable service before files are removed
+pre_deinstall() {
+    # Stop the service if running
+    if rc-service linux-patch-api status >/dev/null 2>&1; then
+        rc-service linux-patch-api stop
+        echo "Service stopped"
+    else
+        echo "Service was not running"
+    fi
+
+    # Disable the service
+    rc-update del linux-patch-api default 2>/dev/null || true
+}
+
+# Post-deinstall: Clean up on removal
+post_deinstall() {
+    # Remove directories only if empty (preserve user data on reinstall)
+    rmdir /var/lib/linux_patch_api 2>/dev/null || true
+    rmdir /var/log/linux_patch_api 2>/dev/null || true
+
+    echo "linux-patch-api removed"
+}
--- a/configs/linux-patch-api.post-deinstall
+++ b/configs/linux-patch-api.post-deinstall
@ -1,10 +0,0 @@
-#!/bin/sh
-# Alpine Linux post-deinstall script for linux-patch-api
-# Runs after package files are removed
-# Matches Debian postrm behavior: clean up empty directories
-
-# Remove directories only if empty (preserve user data on reinstall)
-rmdir /var/lib/linux_patch_api 2>/dev/null || true
-rmdir /var/log/linux_patch_api 2>/dev/null || true
-
-echo "linux-patch-api removed"
--- a/configs/linux-patch-api.post-install
+++ b/configs/linux-patch-api.post-install
@ -1,35 +0,0 @@
-#!/bin/sh
-# Alpine Linux post-install script for linux-patch-api
-# Runs after package files are laid down
-# Matches Debian postinst behavior: copy example configs, enable service
-
-# Copy example configs if they don't exist
-if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
-    if [ -f "/etc/linux_patch_api/config.yaml.example" ]; then
-        cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
-        chmod 640 /etc/linux_patch_api/config.yaml
-        chown root:root /etc/linux_patch_api/config.yaml
-    fi
-fi
-
-if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
-    if [ -f "/etc/linux_patch_api/whitelist.yaml.example" ]; then
-        cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
-        chmod 640 /etc/linux_patch_api/whitelist.yaml
-        chown root:root /etc/linux_patch_api/whitelist.yaml
-    fi
-fi
-
-# Enable the service (but don't start automatically - admin should configure first)
-rc-update add linux-patch-api default
-
-echo ""
-echo "linux-patch-api installed successfully!"
-echo ""
-echo "Next steps:"
-echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
-echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
-echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
-echo "  4. Start the service: rc-service linux-patch-api start"
-echo "  5. Check status: rc-service linux-patch-api status"
-echo ""
--- a/configs/linux-patch-api.pre-deinstall
+++ b/configs/linux-patch-api.pre-deinstall
@ -1,15 +0,0 @@
-#!/bin/sh
-# Alpine Linux pre-deinstall script for linux-patch-api
-# Runs before package files are removed
-# Matches Debian prerm behavior: stop and disable service
-
-# Stop the service if running
-if rc-service linux-patch-api status >/dev/null 2>&1; then
-    rc-service linux-patch-api stop
-    echo "Service stopped"
-else
-    echo "Service was not running"
-fi
-
-# Disable the service
-rc-update del linux-patch-api default 2>/dev/null || true
--- a/configs/linux-patch-api.pre-install
+++ b/configs/linux-patch-api.pre-install
@ -1,33 +0,0 @@
-#!/bin/sh
-# Alpine Linux pre-install script for linux-patch-api
-# Runs before package files are laid down
-# Matches Debian preinst behavior: create directories, set permissions
-
-# Create required directories
-mkdir -p /etc/linux_patch_api/certs
-mkdir -p /var/lib/linux_patch_api
-mkdir -p /var/log/linux_patch_api
-
-# Generate machine-id if not present (required for enrollment)
-# Alpine Linux does not include /etc/machine-id by default
-if [ ! -f /etc/machine-id ] || [ ! -s /etc/machine-id ]; then
-    if command -v uuidgen > /dev/null 2>&1; then
-        uuidgen | tr -d '-' > /etc/machine-id
-    elif [ -f /proc/sys/kernel/random/uuid ]; then
-        cat /proc/sys/kernel/random/uuid | tr -d '-' > /etc/machine-id
-    else
-        # Fallback: generate from /dev/urandom
-        od -x -N4 /dev/urandom | head -1 | awk '{print $2$3}' > /etc/machine-id
-    fi
-    chmod 444 /etc/machine-id
-fi
-
-# Set proper ownership (service runs as root)
-chown -R root:root /var/lib/linux_patch_api
-chown -R root:root /var/log/linux_patch_api
-
-# Set secure permissions
-chmod 750 /etc/linux_patch_api
-chmod 750 /etc/linux_patch_api/certs
-chmod 755 /var/lib/linux_patch_api
-chmod 755 /var/log/linux_patch_api
--- a/configs/linux-patch-api.service
+++ b/configs/linux-patch-api.service
@ -9,9 +9,7 @@ Type=simple
 NotifyAccess=all
 ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
 Restart=on-failure
-RestartSec=10s
-StartLimitBurst=5
-StartLimitIntervalSec=300
+RestartSec=5s
 TimeoutStopSec=30s

 # Process management
--- a/debian/.debhelper/generated/linux-patch-api/dh_installchangelogs.dch.trimmed
+++ b/debian/.debhelper/generated/linux-patch-api/dh_installchangelogs.dch.trimmed
@ -0,0 +1,11 @@
+linux-patch-api (1.0.0-1) stable; urgency=medium
+
+  * Initial production release
+  * Secure mTLS-authenticated REST API for remote package management
+  * 15 API endpoints for package install/remove, patch application, system management
+  * Asynchronous job processing with WebSocket status streaming
+  * IP whitelist enforcement and comprehensive audit logging
+  * Systemd integration with security hardening
+  * Supports Debian 11/12, Ubuntu 20.04/22.04/24.04
+
+ -- Echo <echo@moon-dragon.us>  Thu, 09 Apr 2026 18:57:12 -0500
--- a/debian/.debhelper/generated/linux-patch-api/installed-by-dh_install
+++ b/debian/.debhelper/generated/linux-patch-api/installed-by-dh_install
@ -0,0 +1,4 @@
+debian/tmp/usr/bin/linux-patch-api
+debian/tmp/lib/systemd/system/linux-patch-api.service
+debian/tmp/etc/linux_patch_api/config.yaml
+debian/tmp/etc/linux_patch_api/whitelist.yaml
--- a/debian/.debhelper/generated/linux-patch-api/installed-by-dh_installdocs
+++ b/debian/.debhelper/generated/linux-patch-api/installed-by-dh_installdocs
--- a/debian/.debhelper/generated/linux-patch-api/postinst.service
+++ b/debian/.debhelper/generated/linux-patch-api/postinst.service
@ -0,0 +1,30 @@
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+	# The following line should be removed in trixie or trixie+1
+	deb-systemd-helper unmask 'linux-patch-api.service' >/dev/null || true
+
+	# was-enabled defaults to true, so new installations run enable.
+	if deb-systemd-helper --quiet was-enabled 'linux-patch-api.service'; then
+		# Enables the unit on first installation, creates new
+		# symlinks on upgrades if the unit file has changed.
+		deb-systemd-helper enable 'linux-patch-api.service' >/dev/null || true
+	else
+		# Update the statefile to add new symlinks (if any), which need to be
+		# cleaned up on purge. Also remove old symlinks.
+		deb-systemd-helper update-state 'linux-patch-api.service' >/dev/null || true
+	fi
+fi
+# End automatically added section
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+	if [ -d /run/systemd/system ]; then
+		systemctl --system daemon-reload >/dev/null || true
+		if [ -n "$2" ]; then
+			_dh_action=restart
+		else
+			_dh_action=start
+		fi
+		deb-systemd-invoke $_dh_action 'linux-patch-api.service' >/dev/null || true
+	fi
+fi
+# End automatically added section
--- a/debian/.debhelper/generated/linux-patch-api/prerm.service
+++ b/debian/.debhelper/generated/linux-patch-api/prerm.service
@ -0,0 +1,5 @@
+# Automatically added by dh_installsystemd/13.31
+if [ -z "$DPKG_ROOT" ] && [ "$1" = remove ] && [ -d /run/systemd/system ] ; then
+	deb-systemd-invoke stop 'linux-patch-api.service' >/dev/null || true
+fi
+# End automatically added section
--- a/debian/changelog
+++ b/debian/changelog
@ -1,22 +1,122 @@
-linux-patch-api (1.2.0) unstable; urgency=medium
+linux-patch-api (1.1.9-1) unstable; urgency=low

-  * Add auto-enrollment on startup when certs are missing/invalid
-  * Add cert validation (existence, parse, expiry, key match, CA trust)
-  * Add --renew-certs CLI flag for manual cert renewal
-  * Fix --enroll to exit after completion (no port conflict)
-  * Add SO_REUSEADDR to prevent Address already in use errors
-  * Add polling token persistence for enrollment resume after restart
-  * Add exit code strategy (0=clean, 1=error, 2=enrollment in progress)
-  * Increase RestartSec to 10s and add StartLimitBurst=5
-  * Add cert and enrollment URL check in postinst
-  * Fix misleading "Listening on" log before actual bind
+  * Fix non-Ubuntu packages: align Arch, RPM, Alpine with Debian baseline
+  * Remove system user creation (service runs as root)
+  * Fix ownership to root:root across all platforms
+  * Fix Alpine: co-locate install script with APKBUILD
+  * Fix Arch: correct $startdir path in PKGBUILD
+  * Fix RPM: add runtime deps, comment BuildRequires for CI
+  * Add comprehensive installation docs for all platforms

- -- Echo <echo@moon-dragon.us>  Thu, 29 May 2026 10:20:00 -0500
+ -- Echo <echo@moon-dragon.us>  Tue, 19 May 2026 21:54:00 -0500

-linux-patch-api (1.1.17) unstable; urgency=medium
+linux-patch-api (1.1.8-1) unstable; urgency=low

-  * Add mandatory package cache refresh before patch_apply
-  * Add health check cache refresh when stale (>4h)
-  * Add cache status fields to health response
+  * Fix FQDN resolution: prioritize hostname -f over /etc/hostname for full domain
+  * Fix display_name blank: add hostname field to enrollment request
+  * Fix Arch package: add install scripts, user creation, directory creation
+  * Fix Alpine package: add install scripts, user creation, missing config.yaml
+  * Fix RPM package: dynamic version, config handling, tarball exclusions

- -- Echo <echo@moon-dragon.us>  Thu, 22 May 2026 12:00:00 -0500
+ -- Echo <echo@moon-dragon.us>  Mon, 18 May 2026 19:34:00 -0500
+
+linux-patch-api (1.1.7-1) unstable; urgency=low
+
+  * Fix CI pipeline: add cargo clean and remove old .deb artifacts before packaging
+  * Bump version to 1.1.7 to ensure clean build with correct binary
+
+ -- Echo <echo@moon-dragon.us>  Mon, 18 May 2026 12:20:00 -0500
+
+linux-patch-api (1.1.6-1) unstable; urgency=low
+
+  * Fix rustls CryptoProvider initialization panic on server startup
+  * Add explicit CryptoProvider::install_default() for aws-lc-rs
+
+ -- Echo <echo@moon-dragon.us>  Mon, 18 May 2026 08:45:00 -0500
+
+linux-patch-api (1.1.5-1) unstable; urgency=low
+
+  * Fix enrollment IP detection: filter Docker bridge subnets (172.16.0.0/12)
+  * Fix enrollment IP detection: filter link-local addresses (169.254.0.0/16)
+  * Add report_interface and report_ip config options for explicit IP override
+  * Add route-based IP selection using kernel routing table
+  * Fix package versioning to derive from Cargo.toml
+
+ -- Echo <echo@moon-dragon.us>  Sun, 18 May 2026 02:00:00 -0500
+
+linux-patch-api (0.3.12-1) unstable; urgency=low
+
+  * Fix socket activation detection to use resolved service name
+  * Queries like "sshd" now correctly resolve to "ssh.socket" for socket activation
+
+ -- Echo <echo@moon-dragon.us>  Tue, 06 May 2026 20:42:00 -0500
+
+linux-patch-api (0.3.10-1) unstable; urgency=low
+
+  * Fix socket activation detection for service status healthy logic
+  * When service is inactive but enabled, check if .socket unit is active
+
+ -- Echo <echo@moon-dragon.us>  Mon, 05 May 2026 13:10:00 -0500
+
+linux-patch-api (0.3.9-1) unstable; urgency=low
+
+  * Fix socket activation detection for service status healthy logic
+  * When service is inactive but enabled, check if .socket unit is active
+  * Mark service healthy if socket is listening (e.g., ssh.socket for ssh.service)
+
+ -- Echo <echo@moon-dragon.us>  Mon, 05 May 2026 11:25:00 -0500
+
+linux-patch-api (0.3.8-1) unstable; urgency=low
+
+  * Add GET /api/v1/system/services/{name} endpoint for service health checks
+  * Add ServiceStatus struct with systemd and OpenRC support
+  * Add get_service_status() to PackageManagerBackend trait
+  * Implement systemd service status via systemctl
+  * Implement OpenRC service status via rc-service
+  * Add E2E test for service status endpoint
+
+ -- Echo <echo@moon-dragon.us>  Mon, 04 May 2026 23:44:00 -0500
+
+linux-patch-api (0.3.5-1) unstable; urgency=low
+
+  * Remove CapabilityBoundingSet and AmbientCapabilities - apt needs full root capabilities
+  * Remove ProtectSystem=strict, NoNewPrivileges, RestrictSUIDSGID - block core functionality
+  * Remove ReadWritePaths - unnecessary without ProtectSystem=strict
+  * Fix E2E test: properly FAIL on status=failed package operations
+  * Fix E2E test: require status=completed for install/update/remove lifecycle
+  * Update service file Type=notify -> Type=simple
+  * Add DEBIAN_FRONTEND=noninteractive environment variable
+
+ -- Echo <echo@moon-dragon.us>  Sat, 03 May 2026 03:15:00 -0500
+
+linux-patch-api (0.3.4-1) unstable; urgency=low
+
+  * Fix CI workflow: prevent recursive tag triggers (v* -> v*.*.*)
+  * Fix CI workflow: upload u2204 deb to same release (no -u2204 suffix)
+  * Remove sudo from apt commands (service runs as root)
+  * Remove NoNewPrivileges and RestrictSUIDSGID from service file
+  * Update service file Type=notify -> Type=simple
+  * Add DEBIAN_FRONTEND=noninteractive environment variable
+
+ -- Echo <echo@moon-dragon.us>  Fri, 02 May 2026 22:00:00 -0500
+
+linux-patch-api (0.3.3-1) unstable; urgency=low
+
+  * Fix dpkg packaging: remove linux-patch-api user creation
+  * Change ownership to root:root in preinst/postinst scripts
+  * Bump version to 0.3.3
+
+ -- Echo <echo@moon-dragon.us>  Fri, 02 May 2026 21:45:00 -0500
+
+linux-patch-api (0.3.2-1) unstable; urgency=low
+
+  * Remove sudo from apt commands in source code
+  * Remove NoNewPrivileges=true from service file
+  * Remove RestrictSUIDSGID=true from service file
+  * Add DEBIAN_FRONTEND=noninteractive to service file
+  * Fix TLS 1.3 enforcement in mtls.rs
+  * Add client_disconnect_timeout to main.rs
+  * Optimize RwLock usage in jobs/manager.rs
+  * Bump version to 0.3.2
+
+ -- Echo <echo@moon-dragon.us>  Fri, 02 May 2026 21:30:00 -0500
--- a/debian/debhelper-build-stamp
+++ b/debian/debhelper-build-stamp
@ -0,0 +1 @@
+linux-patch-api
--- a/debian/files
+++ b/debian/files
@ -0,0 +1,2 @@
+linux-patch-api_1.0.0-1_amd64.buildinfo admin optional
+linux-patch-api_1.0.0-1_amd64.deb admin optional
--- a/debian/linux-patch-api.debhelper.log
+++ b/debian/linux-patch-api.debhelper.log
@ -0,0 +1 @@
+dh_auto_install
--- a/debian/linux-patch-api.postrm.debhelper
+++ b/debian/linux-patch-api.postrm.debhelper
@ -0,0 +1,12 @@
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = remove ] && [ -d /run/systemd/system ] ; then
+	systemctl --system daemon-reload >/dev/null || true
+fi
+# End automatically added section
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = "purge" ]; then
+	if [ -x "/usr/bin/deb-systemd-helper" ]; then
+		deb-systemd-helper purge 'linux-patch-api.service' >/dev/null || true
+	fi
+fi
+# End automatically added section
--- a/debian/linux-patch-api.substvars
+++ b/debian/linux-patch-api.substvars
@ -0,0 +1,3 @@
+shlibs:Depends=libc6 (>= 2.39), libgcc-s1 (>= 4.2)
+misc:Depends=
+misc:Pre-Depends=
--- a/debian/linux-patch-api/DEBIAN/conffiles
+++ b/debian/linux-patch-api/DEBIAN/conffiles
@ -0,0 +1,4 @@
+/etc/linux_patch_api/config.yaml
+/etc/linux_patch_api/whitelist.yaml
+/etc/linux_patch_api/config.yaml
+/etc/linux_patch_api/whitelist.yaml
--- a/debian/linux-patch-api/DEBIAN/control
+++ b/debian/linux-patch-api/DEBIAN/control
@ -0,0 +1,23 @@
+Package: linux-patch-api
+Version: 1.0.0-1
+Architecture: amd64
+Maintainer: Echo <echo@moon-dragon.us>
+Installed-Size: 8897
+Depends: systemd, libsystemd0, libc6 (>= 2.39), libgcc-s1 (>= 4.2)
+Section: admin
+Priority: optional
+Homepage: https://gitea.moon-dragon.us/echo/linux_patch_api
+Description: Secure remote package management API for Linux systems
+ Linux Patch API provides a secure, mTLS-authenticated REST API for
+ remote package management operations including:
+  - Package installation and removal
+  - Security patch application
+  - System health monitoring
+  - Job queue management with WebSocket status streaming
+ .
+ Features:
+  - Mutual TLS (mTLS) authentication
+  - IP whitelist enforcement
+  - Asynchronous job processing
+  - Comprehensive audit logging
+  - Systemd integration with security hardening
--- a/debian/linux-patch-api/DEBIAN/md5sums
+++ b/debian/linux-patch-api/DEBIAN/md5sums
@ -0,0 +1,5 @@
+23b89eecc51f46c6813658dd615d13a9  lib/systemd/system/linux-patch-api.service
+d64a80e2a796561c39c6941c6b9e268c  usr/bin/linux-patch-api
+154c7ae7e01ae22cdc8ceea1fd0956e2  usr/share/doc/linux-patch-api/changelog.Debian.gz
+978478c6c7f1e9dcb38eb1f2454535c0  usr/share/doc/linux-patch-api/changelog.gz
+c2fab316c94aa61adb70d79365cfe08f  usr/share/doc/linux-patch-api/copyright
--- a/debian/linux-patch-api/DEBIAN/postinst
+++ b/debian/linux-patch-api/DEBIAN/postinst
@ -0,0 +1,49 @@
+#!/bin/bash
+# postinst script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Configure with debhelper
+if [ "$1" = "configure" ]; then
+    echo "Configuring linux-patch-api..."
+    
+    # Copy example configs if they don't exist
+    if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+        echo "Creating default config.yaml..."
+        cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
+        chmod 640 /etc/linux_patch_api/config.yaml
+        chown root:root /etc/linux_patch_api/config.yaml
+    fi
+    
+    if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+        echo "Creating default whitelist.yaml..."
+        cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
+        chmod 640 /etc/linux_patch_api/whitelist.yaml
+        chown root:root /etc/linux_patch_api/whitelist.yaml
+    fi
+    
+    # Reload systemd daemon to pick up new service file
+    systemctl daemon-reload
+    
+    # Enable the service (but don't start automatically - admin should configure first)
+    systemctl enable linux-patch-api.service
+    
+    echo ""
+    echo "linux-patch-api installed successfully!"
+    echo ""
+    echo "Next steps:"
+    echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+    echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+    echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+    echo "  4. Start the service: systemctl start linux-patch-api"
+    echo "  5. Check status: systemctl status linux-patch-api"
+    echo ""
+fi
+
+# Handle upgrade
+if [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-remove" ] || [ "$1" = "abort-deconfigure" ]; then
+    echo "Installation aborted - service remains in previous state"
+fi
+
+exit 0
--- a/debian/linux-patch-api/DEBIAN/postrm
+++ b/debian/linux-patch-api/DEBIAN/postrm
@ -0,0 +1,52 @@
+#!/bin/bash
+# postrm script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Handle purge - remove all configuration and data
+if [ "$1" = "purge" ]; then
+    echo "Purging linux-patch-api configuration and data..."
+    
+    # Stop service if still running
+    if systemctl is-active --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl stop linux-patch-api.service
+    fi
+    
+    # Disable service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+    fi
+    
+    # Reload systemd to remove service file
+    systemctl daemon-reload
+    
+    # Remove configuration directory (preserved by conffiles during normal remove)
+    if [ -d "/etc/linux_patch_api" ]; then
+        echo "Removing /etc/linux_patch_api..."
+        rm -rf /etc/linux_patch_api
+    fi
+    
+    # Remove data directory
+    if [ -d "/var/lib/linux_patch_api" ]; then
+        echo "Removing /var/lib/linux_patch_api..."
+        rm -rf /var/lib/linux_patch_api
+    fi
+    
+    # Remove log directory
+    if [ -d "/var/log/linux_patch_api" ]; then
+        echo "Removing /var/log/linux_patch_api..."
+        rm -rf /var/log/linux_patch_api
+    fi
+    
+    echo "linux-patch-api purged successfully"
+fi
+
+# Handle upgrade/remove - just ensure service is disabled
+if [ "$1" = "remove" ] || [ "$1" = "upgrade" ]; then
+    # Service should already be stopped by prerm
+    # Just reload systemd to remove the service file
+    systemctl daemon-reload 2>/dev/null || true
+fi
+
+exit 0
--- a/debian/linux-patch-api/DEBIAN/preinst
+++ b/debian/linux-patch-api/DEBIAN/preinst
@ -0,0 +1,29 @@
+#!/bin/bash
+# preinst script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Check if this is an upgrade
+if [ -d "/etc/linux_patch_api" ]; then
+    echo "Detected existing installation - performing upgrade"
+fi
+
+# Create required directories
+mkdir -p /etc/linux_patch_api/certs
+mkdir -p /var/lib/linux_patch_api
+mkdir -p /var/log/linux_patch_api
+
+# Set proper ownership (service runs as root)
+chown -R root:root /var/lib/linux_patch_api
+chown -R root:root /var/log/linux_patch_api
+
+# Set secure permissions
+chmod 750 /etc/linux_patch_api
+chmod 750 /etc/linux_patch_api/certs
+chmod 755 /var/lib/linux_patch_api
+chmod 755 /var/log/linux_patch_api
+
+echo "Pre-installation checks completed successfully"
+
+exit 0
--- a/debian/linux-patch-api/DEBIAN/prerm
+++ b/debian/linux-patch-api/DEBIAN/prerm
@ -0,0 +1,33 @@
+#!/bin/bash
+# prerm script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Stop the service before removal/upgrade
+if [ "$1" = "remove" ] || [ "$1" = "upgrade" ]; then
+    echo "Stopping linux-patch-api service..."
+    
+    if systemctl is-active --quiet linux-patch-api.service; then
+        systemctl stop linux-patch-api.service
+        echo "Service stopped successfully"
+    else
+        echo "Service was not running"
+    fi
+    
+    # Disable the service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+        echo "Service disabled"
+    fi
+fi
+
+# Handle failed upgrade
+if [ "$1" = "failed-upgrade" ]; then
+    echo "Upgrade failed - attempting to restore previous state"
+    # Previous version should handle restoration
+fi
+
+echo "Pre-removal script completed"
+
+exit 0
--- a/debian/linux-patch-api/etc/linux_patch_api/config.yaml
+++ b/debian/linux-patch-api/etc/linux_patch_api/config.yaml
@ -0,0 +1,46 @@
+# Linux Patch API Configuration
+# Example configuration file - copy to /etc/linux_patch_api/config.yaml
+
+# Server Configuration
+server:
+  port: 12443
+  bind: "0.0.0.0"
+  timeout_seconds: 30
+
+# TLS/mTLS Configuration
+tls:
+  enabled: true
+  port: 12443
+  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
+  server_cert: "/etc/linux_patch_api/certs/server.pem"
+  server_key: "/etc/linux_patch_api/certs/server.key"
+  min_tls_version: "1.3"
+
+# Job Configuration
+jobs:
+  max_concurrent: 5
+  timeout_minutes: 30
+  storage_path: "/var/lib/linux_patch_api/jobs"
+
+# Logging Configuration
+logging:
+  level: "info"
+  journal_enabled: true
+  syslog_enabled: false
+  # syslog_server: "udp://localhost:514"
+  file_path: "/var/log/linux_patch_api/audit.log"
+  retention_days: 30
+
+# IP Whitelist Configuration
+whitelist:
+  path: "/etc/linux_patch_api/whitelist.yaml"
+  # Entries can be:
+  # - Individual IPs: "192.168.1.100"
+  # - CIDR subnets: "192.168.1.0/24"
+  # - Hostnames: "admin-server.internal"
+
+# Package Manager Backend
+package_manager:
+  # Primary backend (auto-detected if not specified)
+  # Options: apt, dnf, yum, apk, pacman
+  backend: "auto"
--- a/debian/linux-patch-api/etc/linux_patch_api/whitelist.yaml
+++ b/debian/linux-patch-api/etc/linux_patch_api/whitelist.yaml
@ -0,0 +1,14 @@
+# Linux Patch API - IP Whitelist Configuration
+# Copy to /etc/linux_patch_api/whitelist.yaml
+# Block all by default - only listed IPs can access the API
+
+# Supported entry types:
+# - Individual IPs: "192.168.1.100"
+# - CIDR subnets: "192.168.1.0/24"
+# - Hostnames: "admin-server.internal" (resolved at startup)
+
+# Example entries:
+entries:
+  - "192.168.1.0/24"      # Management network
+  - "10.0.0.50"          # Specific admin workstation
+  # - "admin-server.internal"  # Hostname example (uncomment to use)
--- a/debian/linux-patch-api/lib/systemd/system/linux-patch-api.service
+++ b/debian/linux-patch-api/lib/systemd/system/linux-patch-api.service
@ -0,0 +1,62 @@
+[Unit]
+Description=Linux Patch API - Secure Remote Package Management
+Documentation=man:linux-patch-api(8)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+NotifyAccess=all
+ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
+Restart=on-failure
+RestartSec=5s
+TimeoutStopSec=30s
+
+# Process management
+RuntimeDirectory=linux-patch-api
+RuntimeDirectoryMode=0755
+
+# Security hardening
+# NOTE: Package management requires extensive system access. The following
+# restrictions have been removed because they block core functionality:
+#   - ProtectSystem=strict: Blocks writes to /usr, /etc, /lib where packages install
+#   - NoNewPrivileges: Blocks sudo/setuid which apt needs for _apt sandbox
+#   - RestrictSUIDSGID: Blocks setuid/setgid which apt needs for _apt sandbox
+#   - CapabilityBoundingSet: Drops capabilities that apt needs (SETUID, SETGID, CHOWN, etc.)
+#   - AmbientCapabilities: Same issue as CapabilityBoundingSet
+# Network security is provided by mTLS + IP whitelist. The service runs as root
+# and MUST be able to install/remove/update packages system-wide.
+ProtectHome=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=false
+RestrictRealtime=true
+
+# System call filtering (whitelist approach)
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+# Environment
+Environment="RUST_BACKTRACE=1"
+Environment="DEBIAN_FRONTEND=noninteractive"
+Environment="RUST_LOG=info"
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=linux-patch-api
+SyslogFacility=daemon
+SyslogLevel=info
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+[Install]
+WantedBy=multi-user.target
--- a/debian/linux-patch-api/usr/bin/linux-patch-api
+++ b/debian/linux-patch-api/usr/bin/linux-patch-api
--- a/debian/linux-patch-api/usr/share/doc/linux-patch-api/changelog.Debian.gz
+++ b/debian/linux-patch-api/usr/share/doc/linux-patch-api/changelog.Debian.gz
--- a/debian/linux-patch-api/usr/share/doc/linux-patch-api/changelog.gz
+++ b/debian/linux-patch-api/usr/share/doc/linux-patch-api/changelog.gz
--- a/debian/linux-patch-api/usr/share/doc/linux-patch-api/copyright
+++ b/debian/linux-patch-api/usr/share/doc/linux-patch-api/copyright
@ -0,0 +1,31 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: linux-patch-api
+Upstream-Contact: Echo <echo@moon-dragon.us>
+Source: https://gitea.moon-dragon.us/echo/linux_patch_api
+
+Files: *
+Copyright: 2024-2026 Echo <echo@moon-dragon.us>
+License: MIT
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+
+Files: debian/*
+Copyright: 2024-2026 Echo <echo@moon-dragon.us>
+License: MIT
--- a/debian/postinst
+++ b/debian/postinst
@ -29,60 +29,16 @@ if [ "$1" = "configure" ]; then
    # Enable the service (but don't start automatically - admin should configure first)
    systemctl enable linux-patch-api.service
    
-    # Check for TLS certificates and enrollment URL
-    CERT_DIR="/etc/linux_patch_api/certs"
-    CA_CERT="$CERT_DIR/ca.pem"
-    SERVER_CERT="$CERT_DIR/server.pem"
-    SERVER_KEY="$CERT_DIR/server.key.pem"
-    CONFIG_FILE="/etc/linux_patch_api/config.yaml"
-    
-    CERTS_MISSING=false
-    if [ ! -f "$CA_CERT" ] || [ ! -f "$SERVER_CERT" ] || [ ! -f "$SERVER_KEY" ]; then
-        CERTS_MISSING=true
-    fi
-    
-    if [ "$CERTS_MISSING" = true ]; then
-        echo ""
-        echo "⚠ TLS certificates are missing. The service will not start without them."
-        echo ""
-        
-        # Check if enrollment.manager_url is configured
-        if [ -f "$CONFIG_FILE" ]; then
-            # Check for manager_url in config (handles both old String format and new Option format)
-            MANAGER_URL=$(grep -E '^\s*manager_url:' "$CONFIG_FILE" 2>/dev/null | sed 's/^\s*manager_url:\s*//' | tr -d '"' | tr -d "'" | xargs)
-            if [ -n "$MANAGER_URL" ] && [ "$MANAGER_URL" != "" ]; then
-                echo "✓ Auto-enrollment is configured (manager_url: $MANAGER_URL)"
-                echo "  Auto-enrollment will run on first service start."
-                echo "  The service will automatically request and provision certificates."
-            else
-                echo "⚠ No enrollment.manager_url found in config.yaml."
-                echo ""
-                echo "To enable automatic certificate enrollment, add the manager URL:"
-                echo "  1. Edit /etc/linux_patch_api/config.yaml"
-                echo "  2. Add enrollment.manager_url: https://<your-manager-url>"
-                echo "  3. Start the service: systemctl start linux-patch-api"
-                echo ""
-                echo "Or enroll manually:"
-                echo "  linux-patch-api --enroll https://<your-manager-url>"
-                echo ""
-                echo "Or place certificates manually:"
-                echo "  - CA certificate: $CA_CERT"
-                echo "  - Server certificate: $SERVER_CERT"
-                echo "  - Server key: $SERVER_KEY"
-            fi
-        else
-            echo "⚠ Config file not found at $CONFIG_FILE"
-            echo "  Please configure the service before starting."
-        fi
-    else
-        echo ""
-        echo "✓ TLS certificates found. The service is ready to start."
-        echo "  Start the service: systemctl start linux-patch-api"
-    fi
-    
    echo ""
    echo "linux-patch-api installed successfully!"
    echo ""
+    echo "Next steps:"
+    echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+    echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+    echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+    echo "  4. Start the service: systemctl start linux-patch-api"
+    echo "  5. Check status: systemctl status linux-patch-api"
+    echo ""
 fi

 # Handle upgrade
--- a/debian/tmp/etc/linux_patch_api/config.yaml
+++ b/debian/tmp/etc/linux_patch_api/config.yaml
@ -0,0 +1,46 @@
+# Linux Patch API Configuration
+# Example configuration file - copy to /etc/linux_patch_api/config.yaml
+
+# Server Configuration
+server:
+  port: 12443
+  bind: "0.0.0.0"
+  timeout_seconds: 30
+
+# TLS/mTLS Configuration
+tls:
+  enabled: true
+  port: 12443
+  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
+  server_cert: "/etc/linux_patch_api/certs/server.pem"
+  server_key: "/etc/linux_patch_api/certs/server.key"
+  min_tls_version: "1.3"
+
+# Job Configuration
+jobs:
+  max_concurrent: 5
+  timeout_minutes: 30
+  storage_path: "/var/lib/linux_patch_api/jobs"
+
+# Logging Configuration
+logging:
+  level: "info"
+  journal_enabled: true
+  syslog_enabled: false
+  # syslog_server: "udp://localhost:514"
+  file_path: "/var/log/linux_patch_api/audit.log"
+  retention_days: 30
+
+# IP Whitelist Configuration
+whitelist:
+  path: "/etc/linux_patch_api/whitelist.yaml"
+  # Entries can be:
+  # - Individual IPs: "192.168.1.100"
+  # - CIDR subnets: "192.168.1.0/24"
+  # - Hostnames: "admin-server.internal"
+
+# Package Manager Backend
+package_manager:
+  # Primary backend (auto-detected if not specified)
+  # Options: apt, dnf, yum, apk, pacman
+  backend: "auto"
--- a/debian/tmp/etc/linux_patch_api/whitelist.yaml
+++ b/debian/tmp/etc/linux_patch_api/whitelist.yaml
@ -0,0 +1,14 @@
+# Linux Patch API - IP Whitelist Configuration
+# Copy to /etc/linux_patch_api/whitelist.yaml
+# Block all by default - only listed IPs can access the API
+
+# Supported entry types:
+# - Individual IPs: "192.168.1.100"
+# - CIDR subnets: "192.168.1.0/24"
+# - Hostnames: "admin-server.internal" (resolved at startup)
+
+# Example entries:
+entries:
+  - "192.168.1.0/24"      # Management network
+  - "10.0.0.50"          # Specific admin workstation
+  # - "admin-server.internal"  # Hostname example (uncomment to use)
--- a/debian/tmp/lib/systemd/system/linux-patch-api.service
+++ b/debian/tmp/lib/systemd/system/linux-patch-api.service
@ -0,0 +1,57 @@
+[Unit]
+Description=Linux Patch API - Secure Remote Package Management
+Documentation=man:linux-patch-api(8)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
+Restart=on-failure
+RestartSec=5s
+TimeoutStopSec=30s
+
+# Process management
+RuntimeDirectory=linux-patch-api
+RuntimeDirectoryMode=0755
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/linux_patch_api /var/log/linux_patch_api
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=false
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+# System call filtering (whitelist approach)
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+# Environment
+Environment="RUST_BACKTRACE=1"
+Environment="RUST_LOG=info"
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=linux-patch-api
+SyslogFacility=daemon
+SyslogLevel=info
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+[Install]
+WantedBy=multi-user.target
--- a/debian/tmp/usr/bin/linux-patch-api
+++ b/debian/tmp/usr/bin/linux-patch-api
--- a/linux-patch-api.spec
+++ b/linux-patch-api.spec
@ -21,7 +21,8 @@ BuildArch:      x86_64
 # BuildRequires:  pkgconfig(systemd)

 # Runtime requirements
-Requires:       systemd-libs
+Requires:       systemd
+Requires:       libsystemd
 Requires:       openssl-libs
 Requires:       ca-certificates

@ -44,11 +45,10 @@ Features:
 %prep
 %autosetup -n linux-patch-api-%{version}

-# Build - no-op, binary is pre-built and included in source tarball
-# The binary is built by build-rpm.sh BEFORE creating the tarball,
-# so cargo does not need to be in rpmbuild's PATH.
+# Build
 %build
-# Binary already built - nothing to do
+export RUSTFLAGS="-C target-cpu=native"
+cargo build --release --target x86_64-unknown-linux-gnu

 # Install
 %install
@ -59,8 +59,8 @@ mkdir -p %{buildroot}/lib/systemd/system
 mkdir -p %{buildroot}/var/log/linux_patch_api
 mkdir -p %{buildroot}/var/lib/linux_patch_api

-# Install binary (pre-built, included in tarball at target/release/)
-cp target/release/linux-patch-api %{buildroot}/usr/bin/
+# Install binary
+cp target/x86_64-unknown-linux-gnu/release/linux-patch-api %{buildroot}/usr/bin/
 chmod 755 %{buildroot}/usr/bin/linux-patch-api

 # Install systemd service
@ -149,7 +149,6 @@ fi

 # Files
 %files
-%defattr(-,root,root,-)
 /usr/bin/linux-patch-api
 /lib/systemd/system/linux-patch-api.service
 %config(noreplace) /etc/linux_patch_api/config.yaml.example
@ -163,50 +162,6 @@ fi

 # Changelog
 %changelog
-* Tue May 27 2026 Echo <echo@moon-dragon.us> - 1.1.17-1
- Add mandatory package cache refresh before patch_apply
- Add health check cache refresh when stale (>4h)
- Add cache status fields to health response
- Add 404/fetch error retry with cache refresh
- Add degraded health status on cache failure
- New src/packages/cache.rs module
-
-* Tue May 20 2026 Echo <echo@moon-dragon.us> - 1.1.16-1
- Add Pacman package manager backend for Arch Linux
- Fix: Pacman backend not yet implemented error on Arch systems
- Support pacman -Q for package listing, pacman -Qi for package details
- Support pacman -Qu for patch/update detection
- Fix Arch CI: add stale package cleanup and version verification
-
-* Tue May 20 2026 Echo <echo@moon-dragon.us> - 1.1.15-1
- Add DNF package manager backend for Fedora/RHEL/CentOS 8+
- Add YUM package manager backend for RHEL/CentOS 7
- Fix: DNF backend not yet implemented error on Fedora systems
- Support rpm -qa for package listing, rpm -qi for package details
- Support dnf check-update (exit code 100) for patch detection
- Support yum check-update (exit code 100) for patch detection
-
-* Tue May 20 2026 Echo <echo@moon-dragon.us> - 1.1.14-1
- Fix RPM packaging: pre-build binary before tarball (like Alpine/Arch pattern)
- Fix rpmbuild can't find cargo in PATH - binary now included in source tarball
- Fix config file ownership: add %defattr(-,root,root,-) in %files section
- Fix Requires: libsystemd -> systemd-libs for Fedora compatibility
- Remove Requires: systemd (not needed, may not exist in containers)
- Add stale RPM cleanup and version verification to build-rpm.sh
- Support SKIP_CARGO_BUILD=1 like Alpine/Arch builds
-
-* Wed May 20 2026 Echo <echo@moon-dragon.us> - 1.1.12-1
- Add APK (Alpine Linux) package manager backend
- Add machine-id generation to Alpine pre-install script
- Fix OpenRC init script ownership (root:root)
-
-
-* Wed May 20 2026 Echo <echo@moon-dragon.us> - 1.1.10-1
- Fix Alpine install scripts: use separate files with valid abuild suffixes
- Root cause: .apk-install is not a valid abuild suffix (abuild silently fails)
- Correct format: pkgname.pre-install, .post-install, .pre-deinstall, .post-deinstall
- Verified on actual Alpine runner: install script suffixes now pass abuild validation
-
 * Tue May 19 2026 Echo <echo@moon-dragon.us> - 1.1.9-1
 - Fix non-Ubuntu packages: align Arch, RPM, Alpine with Debian baseline
 - Remove system user creation (service runs as root)
@ -231,3 +186,7 @@ fi
 - Initial production release
 - Secure mTLS-authenticated REST API for remote package management
 - 15 API endpoints for package install/remove, patch application, system management
+- Asynchronous job processing with WebSocket status streaming
+- IP whitelist enforcement and comprehensive audit logging
+- Systemd integration with security hardening
+- Supports RHEL 8/9, CentOS 8/9, Fedora 38+
--- a/releases/linux-patch-api_1.0.0-1_amd64.buildinfo
+++ b/releases/linux-patch-api_1.0.0-1_amd64.buildinfo
@ -0,0 +1,209 @@
+Format: 1.0
+Source: linux-patch-api
+Binary: linux-patch-api
+Architecture: amd64
+Version: 1.0.0-1
+Checksums-Md5:
+ a64eb068fd021dd3a559bf1429960165 2624992 linux-patch-api_1.0.0-1_amd64.deb
+Checksums-Sha1:
+ 29bfe7427b42f05b4c0fd886d02b2550289df356 2624992 linux-patch-api_1.0.0-1_amd64.deb
+Checksums-Sha256:
+ 353b49ef3f83c0bf2c556bcfc1b3e8bb46b8e629a34659d4d5b63ac25c5a80c0 2624992 linux-patch-api_1.0.0-1_amd64.deb
+Build-Origin: Kali
+Build-Architecture: amd64
+Build-Date: Fri, 10 Apr 2026 01:50:29 +0000
+Build-Tainted-By:
+ usr-local-has-programs
+Installed-Build-Depends:
+ autoconf (= 2.72-6),
+ automake (= 1:1.18.1-4),
+ autopoint (= 0.23.2-2),
+ autotools-dev (= 20240727.1),
+ base-files (= 1:2026.1.0),
+ base-passwd (= 3.6.8),
+ bash (= 5.3-1),
+ binutils (= 2.45.50.20251209-1+b1),
+ binutils-common (= 2.45.50.20251209-1+b1),
+ binutils-x86-64-linux-gnu (= 2.45.50.20251209-1+b1),
+ bsdextrautils (= 2.41.3-4),
+ build-essential (= 12.12),
+ bzip2 (= 1.0.8-6+b1),
+ cargo (= 1.92.0+dfsg1-2),
+ coreutils (= 9.7-3),
+ cpp (= 4:15.2.0-4),
+ cpp-15 (= 15.2.0-12),
+ cpp-15-x86-64-linux-gnu (= 15.2.0-12),
+ cpp-x86-64-linux-gnu (= 4:15.2.0-4),
+ dash (= 0.5.12-12),
+ debconf (= 1.5.91),
+ debhelper (= 13.31),
+ debianutils (= 5.23.2),
+ dh-autoreconf (= 22),
+ dh-strip-nondeterminism (= 1.15.0-1),
+ diffutils (= 1:3.12-1),
+ dpkg (= 1.23.3+kali1),
+ dpkg-dev (= 1.23.3+kali1),
+ dwz (= 0.16-4),
+ file (= 1:5.46-5+b1),
+ findutils (= 4.10.0-3),
+ g++ (= 4:15.2.0-4),
+ g++-15 (= 15.2.0-12),
+ g++-15-x86-64-linux-gnu (= 15.2.0-12),
+ g++-x86-64-linux-gnu (= 4:15.2.0-4),
+ gcc (= 4:15.2.0-4),
+ gcc-15 (= 15.2.0-12),
+ gcc-15-base (= 15.2.0-12),
+ gcc-15-x86-64-linux-gnu (= 15.2.0-12),
+ gcc-x86-64-linux-gnu (= 4:15.2.0-4),
+ gettext (= 0.23.2-2),
+ gettext-base (= 0.23.2-2),
+ grep (= 3.12-1),
+ groff-base (= 1.23.0-10),
+ gzip (= 1.13-1),
+ hostname (= 3.25),
+ init-system-helpers (= 1.69+kali1),
+ intltool-debian (= 0.35.0+20060710.6),
+ libacl1 (= 2.3.2-2+b2),
+ libarchive-zip-perl (= 1.68-1),
+ libasan8 (= 15.2.0-12),
+ libatomic1 (= 15.2.0-12),
+ libattr1 (= 1:2.5.2-3+b1),
+ libaudit-common (= 1:4.1.2-1),
+ libaudit1 (= 1:4.1.2-1+b1),
+ libbinutils (= 2.45.50.20251209-1+b1),
+ libblkid1 (= 2.41.3-4),
+ libbrotli1 (= 1.1.0-2+b9),
+ libbsd0 (= 0.12.2-2+b1),
+ libbz2-1.0 (= 1.0.8-6+b1),
+ libc-bin (= 2.42-5),
+ libc-dev-bin (= 2.42-5),
+ libc-gconv-modules-extra (= 2.42-5),
+ libc6 (= 2.42-5),
+ libc6-dev (= 2.42-5),
+ libcap-ng0 (= 0.8.5-4+b2),
+ libcap2 (= 1:2.75-10+b5),
+ libcc1-0 (= 15.2.0-12),
+ libcom-err2 (= 1.47.2-3+b8),
+ libcrypt-dev (= 1:4.5.1-1),
+ libcrypt1 (= 1:4.5.1-1),
+ libctf-nobfd0 (= 2.45.50.20251209-1+b1),
+ libctf0 (= 2.45.50.20251209-1+b1),
+ libcurl4t64 (= 8.18.0-2),
+ libdb5.3t64 (= 5.3.28+dfsg2-11),
+ libdebconfclient0 (= 0.282+b2),
+ libdebhelper-perl (= 13.31),
+ libdpkg-perl (= 1.23.3+kali1),
+ libedit2 (= 3.1-20251016-1),
+ libelf1t64 (= 0.194-4),
+ libffi8 (= 3.5.2-3+b1),
+ libfile-stripnondeterminism-perl (= 1.15.0-1),
+ libgcc-15-dev (= 15.2.0-12),
+ libgcc-s1 (= 15.2.0-12),
+ libgdbm-compat4t64 (= 1.26-1+b1),
+ libgdbm6t64 (= 1.26-1+b1),
+ libgit2-1.9 (= 1.9.2+ds-6),
+ libgmp10 (= 2:6.3.0+dfsg-5+b1),
+ libgnutls30t64 (= 3.8.11-3),
+ libgomp1 (= 15.2.0-12),
+ libgprofng0 (= 2.45.50.20251209-1+b1),
+ libgssapi-krb5-2 (= 1.22.1-2),
+ libhogweed6t64 (= 3.10.2-1),
+ libhwasan0 (= 15.2.0-12),
+ libidn2-0 (= 2.3.8-4+b1),
+ libisl23 (= 0.27-1+b1),
+ libitm1 (= 15.2.0-12),
+ libjansson4 (= 2.14-2+b4),
+ libk5crypto3 (= 1.22.1-2),
+ libkeyutils1 (= 1.6.3-6+b1),
+ libkrb5-3 (= 1.22.1-2),
+ libkrb5support0 (= 1.22.1-2),
+ libldap2 (= 2.6.10+dfsg-1+b1),
+ libllhttp9.3 (= 9.3.3~really9.3.0+~cs12.11.8-3),
+ libllvm21 (= 1:21.1.8-1+b1),
+ liblsan0 (= 15.2.0-12),
+ liblzma5 (= 5.8.2-2),
+ libmagic-mgc (= 1:5.46-5+b1),
+ libmagic1t64 (= 1:5.46-5+b1),
+ libmbedcrypto16 (= 3.6.5-0.1),
+ libmbedtls21 (= 3.6.5-0.1),
+ libmbedx509-7 (= 3.6.5-0.1),
+ libmd0 (= 1.1.0-2+b2),
+ libmount1 (= 2.41.3-4),
+ libmpc3 (= 1.3.1-2+b1),
+ libmpfr6 (= 4.2.2-2+b1),
+ libnettle8t64 (= 3.10.2-1),
+ libnghttp2-14 (= 1.64.0-1.1+b1),
+ libnghttp3-9 (= 1.12.0-1),
+ libngtcp2-16 (= 1.16.0-1),
+ libngtcp2-crypto-ossl0 (= 1.16.0-1),
+ libp11-kit0 (= 0.25.10-1+b1),
+ libpam-modules (= 1.7.0-5+b1),
+ libpam-modules-bin (= 1.7.0-5+b1),
+ libpam-runtime (= 1.7.0-5),
+ libpam0g (= 1.7.0-5+b1),
+ libpcre2-8-0 (= 10.46-1+b1),
+ libperl5.40 (= 5.40.1-7),
+ libpipeline1 (= 1.5.8-2),
+ libpkgconf7 (= 2.5.1-4),
+ libpsl5t64 (= 0.21.2-1.1+b2),
+ libquadmath0 (= 15.2.0-12),
+ librtmp1 (= 2.4+20151223.gitfa8646d.1-3+b1),
+ libsasl2-2 (= 2.1.28+dfsg1-10),
+ libsasl2-modules-db (= 2.1.28+dfsg1-10),
+ libseccomp2 (= 2.6.0-2+b1),
+ libselinux1 (= 3.9-4+b1),
+ libsframe2 (= 2.45.50.20251209-1+b1),
+ libsmartcols1 (= 2.41.3-4),
+ libsqlite3-0 (= 3.46.1-9),
+ libssh2-1t64 (= 1.11.1-1+b1),
+ libssl3t64 (= 3.5.4-1+b1),
+ libstd-rust-1.92 (= 1.92.0+dfsg1-2),
+ libstd-rust-dev (= 1.92.0+dfsg1-2),
+ libstdc++-15-dev (= 15.2.0-12),
+ libstdc++6 (= 15.2.0-12),
+ libsystemd-dev (= 259.1-1),
+ libsystemd0 (= 259.1-1),
+ libtasn1-6 (= 4.21.0-2),
+ libtinfo6 (= 6.6+20251231-1),
+ libtool (= 2.5.4-10),
+ libtsan2 (= 15.2.0-12),
+ libubsan1 (= 15.2.0-12),
+ libuchardet0 (= 0.0.8-2+b1),
+ libudev1 (= 259-1),
+ libunistring5 (= 1.3-2+b1),
+ libuuid1 (= 2.41.3-4),
+ libxml2-16 (= 2.15.1+dfsg-2+b1),
+ libz3-4 (= 4.13.3-1+b1),
+ libzstd1 (= 1.5.7+dfsg-3+b1),
+ linux-libc-dev (= 6.18.5-1kali1),
+ m4 (= 1.4.21-1),
+ make (= 4.4.1-3),
+ man-db (= 2.13.1-1),
+ mawk (= 1.3.4.20250131-2),
+ ncurses-base (= 6.6+20251231-1),
+ ncurses-bin (= 6.6+20251231-1),
+ openssl-provider-legacy (= 3.5.4-1+b1),
+ patch (= 2.8-2),
+ perl (= 5.40.1-7),
+ perl-base (= 5.40.1-7),
+ perl-modules-5.40 (= 5.40.1-7),
+ pkg-config (= 2.5.1-4),
+ pkgconf (= 2.5.1-4),
+ pkgconf-bin (= 2.5.1-4),
+ po-debconf (= 1.0.22),
+ rpcsvc-proto (= 1.4.3-1),
+ rustc (= 1.92.0+dfsg1-2),
+ sed (= 4.9-2),
+ sensible-utils (= 0.0.26),
+ sysvinit-utils (= 3.15-6),
+ tar (= 1.35+dfsg-3.1),
+ util-linux (= 2.41.3-4),
+ xz-utils (= 5.8.2-2),
+ zlib1g (= 1:1.3.dfsg+really1.3.1-1+b2)
+Environment:
+ DEB_BUILD_OPTIONS="parallel=12"
+ LANG="en_US.UTF-8"
+ LANGUAGE="en_US:en"
+ LC_ALL="en_US.UTF-8"
+ SOURCE_DATE_EPOCH="1775779032"
+ TZ="UTC"
--- a/releases/linux-patch-api_1.0.0-1_amd64.changes
+++ b/releases/linux-patch-api_1.0.0-1_amd64.changes
@ -0,0 +1,31 @@
+Format: 1.8
+Date: Thu, 09 Apr 2026 18:57:12 -0500
+Source: linux-patch-api
+Binary: linux-patch-api
+Architecture: amd64
+Version: 1.0.0-1
+Distribution: stable
+Urgency: medium
+Maintainer: Echo <echo@moon-dragon.us>
+Changed-By: Echo <echo@moon-dragon.us>
+Description:
+ linux-patch-api - Secure remote package management API for Linux systems
+Changes:
+ linux-patch-api (1.0.0-1) stable; urgency=medium
+ .
+   * Initial production release
+   * Secure mTLS-authenticated REST API for remote package management
+   * 15 API endpoints for package install/remove, patch application, system management
+   * Asynchronous job processing with WebSocket status streaming
+   * IP whitelist enforcement and comprehensive audit logging
+   * Systemd integration with security hardening
+   * Supports Debian 11/12, Ubuntu 20.04/22.04/24.04
+Checksums-Sha1:
+ 6eacada3e35f2b5d4e76ca6d0dfa2d12588e235a 6044 linux-patch-api_1.0.0-1_amd64.buildinfo
+ 29bfe7427b42f05b4c0fd886d02b2550289df356 2624992 linux-patch-api_1.0.0-1_amd64.deb
+Checksums-Sha256:
+ 1d7c683fa9bb147f11cc4b8dc949b34d2bd7bdef0e2ba0f04e66e74bab955acc 6044 linux-patch-api_1.0.0-1_amd64.buildinfo
+ 353b49ef3f83c0bf2c556bcfc1b3e8bb46b8e629a34659d4d5b63ac25c5a80c0 2624992 linux-patch-api_1.0.0-1_amd64.deb
+Files:
+ ab758ad6130467303e536c3aacc901a1 6044 admin optional linux-patch-api_1.0.0-1_amd64.buildinfo
+ a64eb068fd021dd3a559bf1429960165 2624992 admin optional linux-patch-api_1.0.0-1_amd64.deb
--- a/releases/linux-patch-api_1.0.0-1_amd64.deb
+++ b/releases/linux-patch-api_1.0.0-1_amd64.deb
--- a/scripts/bump-version.sh
+++ b/scripts/bump-version.sh
@ -1,67 +0,0 @@
-#!/bin/bash
-# Bump version across all version source files for linux_patch_api
-# Usage: ./scripts/bump-version.sh <new_version> <old_version>
-# Example: ./scripts/bump-version.sh 1.1.18 1.1.17
-set -euo pipefail
-
-NEW_VERSION="${1:?Usage: bump-version.sh <new_version> <old_version>}"
-OLD_VERSION="${2:?Usage: bump-version.sh <new_version> <old_version>}"
-
-REPO_DIR="$(cd "$(dirname "$0")/.." && pwd)"
-cd "$REPO_DIR"
-
-echo "=== Bumping version from $OLD_VERSION to $NEW_VERSION ==="
-echo ""
-
-# 1. Cargo.toml (PRIMARY)
-sed -i "s/^version = \"$OLD_VERSION\"/version = \"$NEW_VERSION\"/" Cargo.toml
-echo "[1/3] Cargo.toml: $OLD_VERSION -> $NEW_VERSION"
-
-# 2. debian/changelog - Prepend new entry using temp file
-TEMP_CHANGELOG=$(mktemp)
-echo "linux-patch-api ($NEW_VERSION) unstable; urgency=low" > "$TEMP_CHANGELOG"
-echo "" >> "$TEMP_CHANGELOG"
-echo "  * Release v$NEW_VERSION" >> "$TEMP_CHANGELOG"
-echo "" >> "$TEMP_CHANGELOG"
-echo " -- git-echo <git-echo@moon-dragon.us>  $(date -R)" >> "$TEMP_CHANGELOG"
-echo "" >> "$TEMP_CHANGELOG"
-cat debian/changelog >> "$TEMP_CHANGELOG"
-mv "$TEMP_CHANGELOG" debian/changelog
-echo "[2/3] debian/changelog: Added entry for $NEW_VERSION"
-
-# 3. install.sh - Use generic pattern to match any VERSION value
-if [ -f install.sh ]; then
-    sed -i "s/^VERSION=\".*\"/VERSION=\"$NEW_VERSION\"/" install.sh
-    echo "[3/3] install.sh: -> $NEW_VERSION"
-else
-    echo "[3/3] install.sh: Not found, skipping"
-fi
-
-# 4. linux-patch-api.spec (uses VERSION_PLACEHOLDER, no update needed)
-if grep -q 'VERSION_PLACEHOLDER' linux-patch-api.spec 2>/dev/null; then
-    echo "[4/4] linux-patch-api.spec: Uses VERSION_PLACEHOLDER (derived at build time)"
-else
-    echo "[4/4] linux-patch-api.spec: WARNING - does not use VERSION_PLACEHOLDER"
-fi
-
-echo ""
-echo "=== Version bump complete ==="
-echo ""
-echo "Verification:"
-echo "  Cargo.toml:        $(grep '^version' Cargo.toml)"
-echo "  debian/changelog:  $(head -1 debian/changelog)"
-if [ -f install.sh ]; then
-    echo "  install.sh:        $(grep '^VERSION=' install.sh)"
-fi
-
-echo ""
-echo "Stale references check:"
-grep -r "$OLD_VERSION" --include='*.toml' --include='*.sh' --include='*.json' --include='changelog' --include='control' --include='*.spec' . 2>/dev/null | grep -v 'target/' | grep -v '.git/' | grep -v 'bump-version.sh' || echo "  No stale references found"
-
-echo ""
-echo "Next steps:"
-echo "  1. Review changes: git diff"
-echo "  2. Commit: git commit -am 'chore: bump version to $NEW_VERSION'"
-echo "  3. Push: git push origin master"
-echo "  4. Tag: git tag v$NEW_VERSION && git push origin v$NEW_VERSION"
-echo "  5. Create release via Gitea API"
--- a/scripts/upload-release.sh
+++ b/scripts/upload-release.sh
@ -13,7 +13,7 @@ TAG_NAME="${1:?Usage: upload-release.sh <tag_name> <file_path>}"
 FILE_PATH="${2}"

 GITEA_API="${GITEA_API:-https://gitea-lxc.moon-dragon.us/api/v1}"
-REPO="git-echo/linux_patch_api"
+REPO="echo/linux_patch_api"

 if [ -z "$GITEA_TOKEN" ]; then
    echo "Error: GITEA_TOKEN environment variable not set"
--- a/src/api/handlers/patches.rs
+++ b/src/api/handlers/patches.rs
@ -81,7 +81,6 @@ pub async fn apply_patches(
    body: web::Json<PatchApplyRequest>,
    backend: web::Data<Box<dyn PackageManagerBackend>>,
    job_manager: web::Data<JobManager>,
-    cache_state: web::Data<crate::packages::cache::PackageCacheState>,
    _req: HttpRequest,
 ) -> impl Responder {
    let request_id = Uuid::new_v4().to_string();
@ -105,7 +104,6 @@ pub async fn apply_patches(
            // Spawn background task to execute the patching
            let backend_clone = backend.clone();
            let job_manager_clone = job_manager.clone();
-            let cache_state_clone = cache_state.clone();
            let request = body.clone();

            tokio::spawn(async move {
@ -124,52 +122,8 @@ pub async fn apply_patches(
                    .add_job_log(&job_id_clone, "Job started".to_string())
                    .await;

-                // MANDATORY: Refresh package cache before applying patches
-                let _ = job_manager_clone
-                    .update_job(
-                        &job_id_clone,
-                        JobStatus::Running,
-                        Some(0),
-                        Some("Refreshing package index...".to_string()),
-                    )
-                    .await;
-                let _ = job_manager_clone
-                    .add_job_log(&job_id_clone, "Refreshing package cache...".to_string())
-                    .await;
-
-                match backend_clone.refresh_package_cache(&cache_state_clone) {
-                    Ok(_) => {
-                        let _ = job_manager_clone
-                            .add_job_log(
-                                &job_id_clone,
-                                "Package cache refreshed successfully".to_string(),
-                            )
-                            .await;
-                        let _ = job_manager_clone
-                            .update_job(
-                                &job_id_clone,
-                                JobStatus::Running,
-                                Some(10),
-                                Some("Cache refreshed, applying patches...".to_string()),
-                            )
-                            .await;
-                    }
-                    Err(e) => {
-                        let err_msg = format!("Package cache refresh failed: {}", e);
-                        error!(job_id = %job_id_clone, error = %e, "Cache refresh failed");
-                        let _ = job_manager_clone
-                            .add_job_log(&job_id_clone, err_msg.clone())
-                            .await;
-                        let _ = job_manager_clone.fail_job(&job_id_clone, err_msg).await;
-                        return; // Exit the spawned task
-                    }
-                }
-
-                // Execute patching with 404 retry
-                let packages_ref = request.packages.as_deref();
-                let apply_result = backend_clone.apply_patches(packages_ref);
-
-                match apply_result {
+                // Execute patching
+                match backend_clone.apply_patches(request.packages.as_deref()) {
                    Ok(_) => {
                        let _ = job_manager_clone.complete_job(&job_id_clone).await;
                        info!(job_id = %job_id_clone, "Patch application completed");
@ -203,83 +157,7 @@ pub async fn apply_patches(
                            }
                        }
                    }
-                    Err(e) if crate::packages::cache::is_fetch_error(&e) => {
-                        // 404/fetch error: refresh cache and retry once
-                        info!(job_id = %job_id_clone, "Patch apply failed with fetch error, refreshing cache and retrying");
-                        let _ = job_manager_clone
-                            .add_job_log(
-                                &job_id_clone,
-                                "Fetch error detected, refreshing cache and retrying..."
-                                    .to_string(),
-                            )
-                            .await;
-
-                        match backend_clone.refresh_package_cache(&cache_state_clone) {
-                            Ok(_) => {
-                                let _ = job_manager_clone
-                                    .add_job_log(
-                                        &job_id_clone,
-                                        "Cache refreshed, retrying patch apply...".to_string(),
-                                    )
-                                    .await;
-                            }
-                            Err(refresh_err) => {
-                                let err_msg =
-                                    format!("Cache refresh on retry failed: {}", refresh_err);
-                                let _ = job_manager_clone.fail_job(&job_id_clone, err_msg).await;
-                                error!(job_id = %job_id_clone, error = %refresh_err, "Cache refresh on retry failed");
-                                return;
-                            }
-                        }
-
-                        // Retry the apply
-                        match backend_clone.apply_patches(packages_ref) {
-                            Ok(_) => {
-                                let _ = job_manager_clone.complete_job(&job_id_clone).await;
-                                info!(job_id = %job_id_clone, "Patch application completed after retry");
-
-                                // Handle reboot if requested
-                                if request.reboot {
-                                    let _ = job_manager_clone
-                                        .add_job_log(
-                                            &job_id_clone,
-                                            format!(
-                                                "Reboot scheduled in {} seconds",
-                                                request.reboot_delay_seconds
-                                            ),
-                                        )
-                                        .await;
-                                    match backend_clone.reboot_system(request.reboot_delay_seconds)
-                                    {
-                                        Ok(_) => {
-                                            let _ = job_manager_clone
-                                                .add_job_log(
-                                                    &job_id_clone,
-                                                    "Reboot command executed".to_string(),
-                                                )
-                                                .await;
-                                        }
-                                        Err(e) => {
-                                            let _ = job_manager_clone
-                                                .add_job_log(
-                                                    &job_id_clone,
-                                                    format!("Reboot failed: {}", e),
-                                                )
-                                                .await;
-                                        }
-                                    }
-                                }
-                            }
-                            Err(retry_err) => {
-                                let _ = job_manager_clone
-                                    .fail_job(&job_id_clone, retry_err.to_string())
-                                    .await;
-                                error!(job_id = %job_id_clone, error = %retry_err, "Patch application failed after retry");
-                            }
-                        }
-                    }
                    Err(e) => {
-                        // Non-fetch error: fail immediately
                        let _ = job_manager_clone
                            .fail_job(&job_id_clone, e.to_string())
                            .await;
--- a/src/api/handlers/system.rs
+++ b/src/api/handlers/system.rs
@ -42,11 +42,9 @@ pub struct SystemInfoData {
 /// Health check response data
 #[derive(Debug, Serialize)]
 pub struct HealthData {
-    pub status: String, // "healthy" or "degraded"
+    pub status: String,
    pub uptime_seconds: u64,
    pub version: String,
-    pub last_cache_update: Option<String>, // RFC3339 timestamp
-    pub cache_status: String,              // "fresh", "stale", "unknown", "failed"
 }

 /// Service status response data
@ -110,11 +108,7 @@ pub async fn get_system_info(
 }

 /// Health check endpoint
-pub async fn health_check(
-    backend: web::Data<Box<dyn PackageManagerBackend>>,
-    cache_state: web::Data<crate::packages::cache::PackageCacheState>,
-    _req: HttpRequest,
-) -> impl Responder {
+pub async fn health_check(_req: HttpRequest) -> impl Responder {
    let _request_id = Uuid::new_v4().to_string();
    let _timestamp = Utc::now().to_rfc3339();

@ -132,41 +126,10 @@ pub async fn health_check(

    let version = env!("CARGO_PKG_VERSION").to_string();

-    // Check cache status and refresh if stale
-    let cache_status_val = cache_state.status();
-    let (status, cache_status_str, last_cache_update) = if cache_state.is_stale() {
-        match backend.refresh_package_cache(&cache_state) {
-            Ok(_) => {
-                let updated = cache_state.status();
-                (
-                    "healthy".to_string(),
-                    "fresh".to_string(),
-                    updated.last_update.map(|dt| dt.to_rfc3339()),
-                )
-            }
-            Err(e) => {
-                error!("Health check cache refresh failed: {}", e);
-                (
-                    "degraded".to_string(),
-                    "failed".to_string(),
-                    cache_status_val.last_update.map(|dt| dt.to_rfc3339()),
-                )
-            }
-        }
-    } else {
-        (
-            "healthy".to_string(),
-            "fresh".to_string(),
-            cache_status_val.last_update.map(|dt| dt.to_rfc3339()),
-        )
-    };
-
    let response = ApiResponse::success(HealthData {
-        status,
+        status: "healthy".to_string(),
        uptime_seconds,
        version,
-        last_cache_update,
-        cache_status: cache_status_str,
    });

    HttpResponse::Ok().json(response)
@ -354,8 +317,6 @@ pub fn configure_routes(cfg: &mut web::ServiceConfig) {
            .route("/services/{name}", web::get().to(get_service_status)),
    )
    .route("/health", web::get().to(health_check));
-    // Note: health_check receives backend and cache_state via app_data injection
-    // They are registered in routes.rs and main.rs as web::Data
 }

 #[cfg(test)]
@ -384,13 +345,9 @@ mod tests {
            status: "healthy".to_string(),
            uptime_seconds: 12345,
            version: "0.1.0".to_string(),
-            last_cache_update: Some("2026-05-27T14:00:00+00:00".to_string()),
-            cache_status: "fresh".to_string(),
        };
        let json = serde_json::to_string(&health).unwrap();
        assert!(json.contains("healthy"));
        assert!(json.contains("12345"));
-        assert!(json.contains("fresh"));
-        assert!(json.contains("last_cache_update"));
    }
 }
--- a/src/api/routes.rs
+++ b/src/api/routes.rs
@ -6,7 +6,6 @@ use actix_web::{web, HttpResponse};
 use tracing::info;

 use crate::jobs::manager::JobManager;
-use crate::packages::cache::PackageCacheState;

 use super::handlers::{jobs, packages, patches, system, websocket};

@ -22,32 +21,27 @@ pub fn configure_api_routes(
    cfg: &mut web::ServiceConfig,
    job_manager: web::Data<JobManager>,
    backend: web::Data<Box<dyn crate::packages::PackageManagerBackend>>,
-    cache_state: web::Data<PackageCacheState>,
 ) {
    info!("Configuring API v1 routes");

-    cfg.app_data(job_manager)
-        .app_data(backend)
-        .app_data(cache_state)
-        .service(
-            web::scope("/api/v1")
-                // VULN-005: Default handler for unsupported methods returns 405 instead of 404
-                .default_service(web::route().to(method_not_allowed))
-                // Package Management Endpoints
-                .configure(packages::configure_routes)
-                // Patch Management Endpoints
-                .configure(patches::configure_routes)
-                // System Management Endpoints
-                .configure(system::configure_routes)
-                // Job Management Endpoints
-                .configure(jobs::configure_routes)
-                // WebSocket Endpoint
-                .configure(websocket::configure_routes),
-        );
+    cfg.app_data(job_manager).app_data(backend).service(
+        web::scope("/api/v1")
+            // VULN-005: Default handler for unsupported methods returns 405 instead of 404
+            .default_service(web::route().to(method_not_allowed))
+            // Package Management Endpoints
+            .configure(packages::configure_routes)
+            // Patch Management Endpoints
+            .configure(patches::configure_routes)
+            // System Management Endpoints
+            .configure(system::configure_routes)
+            // Job Management Endpoints
+            .configure(jobs::configure_routes)
+            // WebSocket Endpoint
+            .configure(websocket::configure_routes),
+    );
 }

 /// Health check route (outside API scope for load balancer checks)
-/// Note: backend and cache_state are injected via app_data registered in main.rs
 pub fn configure_health_route(cfg: &mut web::ServiceConfig) {
    cfg.route("/health", web::get().to(system::health_check));
 }
--- a/src/config/loader.rs
+++ b/src/config/loader.rs
@ -1,18 +1,12 @@
 //! Configuration Loader - YAML config loading
 //!
 //! Loads and parses YAML configuration files.
-//! Provides certificate validation for auto-enrollment workflow.

 use anyhow::{Context, Result};
-use rustls_pemfile::{certs, private_key};
 use serde::{Deserialize, Serialize};
-use std::fs::File;
-use std::io::BufReader;
-use std::path::PathBuf;
-use time::OffsetDateTime;

 /// Server configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct ServerConfig {
    pub port: u16,
    pub bind: String,
@ -25,7 +19,7 @@ fn default_timeout() -> u64 {
 }

 /// TLS/mTLS configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct TlsConfig {
    #[serde(default = "default_true")]
    pub enabled: bool,
@ -46,7 +40,7 @@ fn default_tls_version() -> String {
 }

 /// Jobs configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct JobsConfig {
    pub max_concurrent: usize,
    pub timeout_minutes: u64,
@ -59,7 +53,7 @@ fn default_storage_path() -> String {
 }

 /// Logging configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct LoggingConfig {
    #[serde(default = "default_log_level")]
    pub level: String,
@ -88,7 +82,7 @@ fn default_retention_days() -> u64 {
 }

 /// Whitelist configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct WhitelistConfig {
    #[serde(default = "default_whitelist_path")]
    pub path: String,
@ -99,7 +93,7 @@ fn default_whitelist_path() -> String {
 }

 /// Package manager configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct PackageManagerConfig {
    #[serde(default = "default_backend")]
    pub backend: String,
@ -110,13 +104,10 @@ fn default_backend() -> String {
 }

 /// Enrollment polling configuration
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Default, Serialize, Deserialize)]
 pub struct EnrollmentConfig {
-    /// Manager URL for enrollment. None means not configured.
-    /// Changed from String to Option<String> to support "not configured" state.
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub manager_url: Option<String>,
-    /// Polling token persisted during enrollment for resume after restart.
+    #[serde(default)]
+    pub manager_url: String,
    #[serde(default)]
    pub polling_token: String,
    #[serde(default = "default_polling_interval")]
@ -131,30 +122,6 @@ pub struct EnrollmentConfig {
    /// Highest priority — overrides both `report_interface` and auto-detect.
    #[serde(default)]
    pub report_ip: Option<String>,
-    /// Number of days before certificate expiry to trigger re-enrollment warning.
-    #[serde(default = "default_cert_renewal_threshold_days")]
-    pub cert_renewal_threshold_days: u32,
-}
-
-impl Default for EnrollmentConfig {
-    fn default() -> Self {
-        Self {
-            manager_url: None,
-            polling_token: String::new(),
-            polling_interval_seconds: 60,
-            max_poll_attempts: 1440,
-            report_interface: None,
-            report_ip: None,
-            cert_renewal_threshold_days: 7,
-        }
-    }
-}
-
-impl EnrollmentConfig {
-    /// Get the effective manager URL, treating empty strings as None.
-    pub fn effective_manager_url(&self) -> Option<&str> {
-        self.manager_url.as_deref().filter(|s| !s.is_empty())
-    }
 }

 fn default_polling_interval() -> u64 {
@ -165,266 +132,8 @@ fn default_max_poll_attempts() -> u32 {
    1440
 }

-fn default_cert_renewal_threshold_days() -> u32 {
-    7
-}
-
-/// Certificate validation status returned by validate_certs().
-#[derive(Debug, Clone)]
-pub enum CertStatus {
-    /// All certificates are valid and not expiring soon.
-    Valid,
-    /// Certificates are valid but expiring within the threshold.
-    ExpiringSoon { not_after: OffsetDateTime },
-    /// One or more certificate files are missing.
-    Missing { paths: Vec<PathBuf> },
-    /// A certificate file exists but cannot be parsed as valid PEM.
-    Corrupt { path: PathBuf, error: String },
-    /// A certificate has expired (not_after is in the past).
-    Expired {
-        path: PathBuf,
-        not_after: OffsetDateTime,
-    },
-    /// Server certificate public key does not match server private key.
-    KeyMismatch,
-    /// Server certificate is not signed by the configured CA.
-    Untrusted,
-}
-
-impl std::fmt::Display for CertStatus {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            CertStatus::Valid => write!(f, "Valid"),
-            CertStatus::ExpiringSoon { not_after } => {
-                write!(f, "ExpiringSoon (not_after={})", not_after)
-            }
-            CertStatus::Missing { paths } => {
-                let path_strs: Vec<String> =
-                    paths.iter().map(|p| p.display().to_string()).collect();
-                write!(f, "Missing: [{}]", path_strs.join(", "))
-            }
-            CertStatus::Corrupt { path, error } => {
-                write!(f, "Corrupt: {} ({})", path.display(), error)
-            }
-            CertStatus::Expired { path, not_after } => {
-                write!(f, "Expired: {} (not_after={})", path.display(), not_after)
-            }
-            CertStatus::KeyMismatch => write!(f, "KeyMismatch"),
-            CertStatus::Untrusted => write!(f, "Untrusted"),
-        }
-    }
-}
-
-/// Validate TLS certificates for the auto-enrollment workflow.
-///
-/// Checks (in order):
-/// 1. Existence: All three cert files must exist at configured paths
-/// 2. PEM parse validity: CA and server cert must parse as X.509, server key must parse
-/// 3. Expiry: CA and server cert must not be expired
-/// 4. Key match: Server cert public key must match server key private key
-/// 5. CA trust: Server cert must be signed by the CA
-///
-/// Returns the most severe status found.
-pub fn validate_certs(config: &AppConfig) -> Result<CertStatus> {
-    let tls = match config.tls_config() {
-        Some(tls) => tls,
-        None => return Ok(CertStatus::Valid), // TLS disabled, nothing to validate
-    };
-
-    let threshold_days = config
-        .enrollment
-        .as_ref()
-        .map(|e| e.cert_renewal_threshold_days)
-        .unwrap_or(7);
-
-    // 1. Check existence of all three cert files
-    let ca_path = PathBuf::from(&tls.ca_cert);
-    let cert_path = PathBuf::from(&tls.server_cert);
-    let key_path = PathBuf::from(&tls.server_key);
-
-    let mut missing_paths = Vec::new();
-    if !ca_path.exists() {
-        missing_paths.push(ca_path.clone());
-    }
-    if !cert_path.exists() {
-        missing_paths.push(cert_path.clone());
-    }
-    if !key_path.exists() {
-        missing_paths.push(key_path.clone());
-    }
-    if !missing_paths.is_empty() {
-        return Ok(CertStatus::Missing {
-            paths: missing_paths,
-        });
-    }
-
-    // 2. Parse and validate PEM files using rustls_pemfile
-    // Parse CA certificate(s)
-    let ca_file = File::open(&ca_path)
-        .with_context(|| format!("Failed to open CA certificate: {}", ca_path.display()))?;
-    let ca_certs: Vec<_> = certs(&mut BufReader::new(ca_file))
-        .collect::<Result<Vec<_>, _>>()
-        .map_err(|e| anyhow::anyhow!("Failed to parse CA certificate PEM: {}", e))?;
-    if ca_certs.is_empty() {
-        return Ok(CertStatus::Corrupt {
-            path: ca_path,
-            error: "No certificates found in CA PEM file".to_string(),
-        });
-    }
-
-    // Parse server certificate
-    let server_file = File::open(&cert_path)
-        .with_context(|| format!("Failed to open server certificate: {}", cert_path.display()))?;
-    let server_certs: Vec<_> = certs(&mut BufReader::new(server_file))
-        .collect::<Result<Vec<_>, _>>()
-        .map_err(|e| anyhow::anyhow!("Failed to parse server certificate PEM: {}", e))?;
-    if server_certs.is_empty() {
-        return Ok(CertStatus::Corrupt {
-            path: cert_path.clone(),
-            error: "No certificates found in server PEM file".to_string(),
-        });
-    }
-
-    // Parse server private key
-    let key_file = File::open(&key_path)
-        .with_context(|| format!("Failed to open server key: {}", key_path.display()))?;
-    let server_key = private_key(&mut BufReader::new(key_file))
-        .map_err(|e| anyhow::anyhow!("Failed to parse server key PEM: {}", e))?;
-    let server_key = match server_key {
-        Some(key) => key,
-        None => {
-            return Ok(CertStatus::Corrupt {
-                path: key_path,
-                error: "No private key found in server key PEM file".to_string(),
-            })
-        }
-    };
-
-    // 3. Check expiry using x509_parser
-    let now = OffsetDateTime::now_utc();
-    let threshold = time::Duration::days(i64::from(threshold_days));
-
-    // Check CA cert expiry
-    let ca_der = ca_certs.first().expect("ca_certs verified non-empty above");
-    match x509_parser::parse_x509_certificate(ca_der.as_ref()) {
-        Ok((_, ca_cert)) => {
-            let ca_not_after = ca_cert.validity().not_after.to_datetime();
-            if ca_not_after < now {
-                return Ok(CertStatus::Expired {
-                    path: ca_path,
-                    not_after: ca_not_after,
-                });
-            }
-        }
-        Err(e) => {
-            return Ok(CertStatus::Corrupt {
-                path: ca_path,
-                error: format!("Failed to parse CA certificate DER: {}", e),
-            })
-        }
-    }
-
-    // Check server cert expiry
-    let server_der = server_certs
-        .first()
-        .expect("server_certs verified non-empty above");
-    let server_not_after: OffsetDateTime =
-        match x509_parser::parse_x509_certificate(server_der.as_ref()) {
-            Ok((_, cert)) => {
-                let not_after = cert.validity().not_after.to_datetime();
-                if not_after < now {
-                    return Ok(CertStatus::Expired {
-                        path: cert_path.clone(),
-                        not_after,
-                    });
-                }
-                not_after
-            }
-            Err(e) => {
-                return Ok(CertStatus::Corrupt {
-                    path: cert_path,
-                    error: format!("Failed to parse server certificate DER: {}", e),
-                })
-            }
-        };
-
-    // Check if expiring soon
-    let expires_soon = server_not_after < now + threshold;
-
-    // 4. Check key match: verify that the server cert's public key corresponds
-    //    to the server private key by attempting to build a rustls ServerConfig.
-    //    If the key doesn't match the cert, rustls will reject it.
-    let key_matches = verify_key_match(&ca_certs, &server_certs, &server_key);
-    if !key_matches {
-        return Ok(CertStatus::KeyMismatch);
-    }
-
-    // 5. Check CA trust: server cert must be signed by the CA
-    //    Verify by checking if the server cert's issuer matches the CA cert's subject
-    let trusted = verify_ca_trust(server_der.as_ref(), ca_der.as_ref());
-    if !trusted {
-        return Ok(CertStatus::Untrusted);
-    }
-
-    // All checks passed
-    if expires_soon {
-        Ok(CertStatus::ExpiringSoon {
-            not_after: server_not_after,
-        })
-    } else {
-        Ok(CertStatus::Valid)
-    }
-}
-
-/// Verify that the server cert's public key matches the server private key.
-/// Attempts to build a rustls ServerConfig with the given certs and key.
-/// If the key doesn't match the cert, the configuration will fail.
-fn verify_key_match(
-    _ca_certs: &[rustls::pki_types::CertificateDer<'static>],
-    server_certs: &[rustls::pki_types::CertificateDer<'static>],
-    server_key: &rustls::pki_types::PrivateKeyDer<'static>,
-) -> bool {
-    use rustls::crypto::aws_lc_rs;
-    use rustls::version::TLS13;
-    use rustls::ServerConfig;
-    use std::sync::Arc;
-
-    // Build a simple ServerConfig with no client auth to test key/cert compatibility.
-    // If the key doesn't match the cert, with_single_cert will return an error.
-    let provider = aws_lc_rs::default_provider();
-
-    let config_result = ServerConfig::builder_with_provider(Arc::new(provider))
-        .with_protocol_versions(&[&TLS13])
-        .map(|b| b.with_no_client_auth())
-        .map(|b| b.with_single_cert(server_certs.to_vec(), server_key.clone_key()));
-
-    match config_result {
-        Ok(Ok(_)) => true,
-        Ok(Err(_)) | Err(_) => {
-            tracing::debug!("Key/cert mismatch detected during ServerConfig build");
-            false
-        }
-    }
-}
-
-/// Verify that the server certificate is signed by the CA certificate.
-/// Checks if the server cert's issuer matches the CA cert's subject.
-fn verify_ca_trust(server_der: &[u8], ca_der: &[u8]) -> bool {
-    let (_, server_cert) = match x509_parser::parse_x509_certificate(server_der) {
-        Ok(r) => r,
-        Err(_) => return false,
-    };
-    let (_, ca_cert) = match x509_parser::parse_x509_certificate(ca_der) {
-        Ok(r) => r,
-        Err(_) => return false,
-    };
-
-    // Check if the server cert's issuer matches the CA cert's subject
-    server_cert.issuer() == ca_cert.subject()
-}
-
 /// Application configuration
-#[derive(Debug, Deserialize, Serialize, Clone)]
+#[derive(Debug, Deserialize, Clone)]
 pub struct AppConfig {
    pub server: ServerConfig,
    #[serde(default)]
@ -448,15 +157,17 @@ impl AppConfig {
        let config: AppConfig = serde_yaml::from_str(&content)
            .with_context(|| format!("Failed to parse config file: {}", path))?;

-        // Migrate: if enrollment.manager_url is an empty string, treat as None
-        let config = config.migrate_empty_strings();
-
        // Validate TLS configuration if enabled (skip during enrollment bootstrap)
-        if !skip_tls_validation {
-            if let Some(ref tls) = config.tls {
-                if tls.enabled {
-                    // Cert validation is now handled by validate_certs() in main.rs
-                    // This no longer bails on missing cert files
+        if let Some(ref tls) = config.tls {
+            if tls.enabled && !skip_tls_validation {
+                if !std::path::Path::new(&tls.ca_cert).exists() {
+                    anyhow::bail!("TLS CA certificate not found: {}", tls.ca_cert);
+                }
+                if !std::path::Path::new(&tls.server_cert).exists() {
+                    anyhow::bail!("TLS server certificate not found: {}", tls.server_cert);
+                }
+                if !std::path::Path::new(&tls.server_key).exists() {
+                    anyhow::bail!("TLS server key not found: {}", tls.server_key);
                }
            }
        }
@ -464,20 +175,6 @@ impl AppConfig {
        Ok(config)
    }

-    /// Migrate empty strings to None for Option fields.
-    /// Handles backward compatibility with old config format where
-    /// manager_url was a String (empty string means not configured).
-    fn migrate_empty_strings(mut self) -> Self {
-        if let Some(ref mut enrollment) = self.enrollment {
-            if let Some(ref url) = enrollment.manager_url {
-                if url.is_empty() {
-                    enrollment.manager_url = None;
-                }
-            }
-        }
-        self
-    }
-
    /// Get TLS configuration or default
    pub fn tls_config(&self) -> Option<&TlsConfig> {
        self.tls.as_ref().filter(|t| t.enabled)
@ -490,54 +187,6 @@ impl AppConfig {
            .map(|w| w.path.as_str())
            .unwrap_or("/etc/linux_patch_api/whitelist.yaml")
    }
-
-    /// Get enrollment manager URL, if configured.
-    pub fn enrollment_manager_url(&self) -> Option<&str> {
-        self.enrollment
-            .as_ref()
-            .and_then(|e| e.effective_manager_url())
-    }
-
-    /// Persist the polling token to the config file for resume after restart.
-    /// Updates the in-memory config and writes to disk.
-    pub fn save_polling_token(&mut self, token: &str, config_path: &str) -> Result<()> {
-        if let Some(ref mut enrollment) = self.enrollment {
-            enrollment.polling_token = token.to_string();
-        } else {
-            self.enrollment = Some(EnrollmentConfig {
-                manager_url: None,
-                polling_token: token.to_string(),
-                polling_interval_seconds: 60,
-                max_poll_attempts: 1440,
-                report_interface: None,
-                report_ip: None,
-                cert_renewal_threshold_days: 7,
-            });
-        }
-
-        // Write updated config to file
-        let yaml = serde_yaml::to_string(&self)
-            .context("Failed to serialize config for polling token persistence")?;
-        std::fs::write(config_path, yaml)
-            .with_context(|| format!("Failed to write config file: {}", config_path))?;
-
-        Ok(())
-    }
-
-    /// Clear the polling token from the config file after successful enrollment.
-    pub fn clear_polling_token(&mut self, config_path: &str) -> Result<()> {
-        if let Some(ref mut enrollment) = self.enrollment {
-            enrollment.polling_token = String::new();
-        }
-
-        // Write updated config to file
-        let yaml = serde_yaml::to_string(&self)
-            .context("Failed to serialize config for polling token clear")?;
-        std::fs::write(config_path, yaml)
-            .with_context(|| format!("Failed to write config file: {}", config_path))?;
-
-        Ok(())
-    }
 }

 #[cfg(test)]
@ -552,84 +201,107 @@ mod tests {
            "Failed to load valid config: {:?}",
            result.err()
        );
+
+        let config = result.unwrap();
+        assert_eq!(config.server.port, 12443);
+        assert_eq!(config.server.bind, "127.0.0.1");
+        assert_eq!(config.jobs.max_concurrent, 5);
+        assert_eq!(config.jobs.timeout_minutes, 30);
+        assert_eq!(config.logging.level, "info");
    }

    #[test]
-    fn test_cert_status_display() {
-        assert_eq!(format!("{}", CertStatus::Valid), "Valid");
-        assert_eq!(format!("{}", CertStatus::KeyMismatch), "KeyMismatch");
-        assert_eq!(format!("{}", CertStatus::Untrusted), "Untrusted");
+    fn test_config_load_missing_file() {
+        let result = AppConfig::load("/nonexistent/path/config.yaml", false);
+        assert!(result.is_err(), "Should fail for missing file");
+        let err = result.unwrap_err();
+        assert!(err.to_string().contains("Failed to read config file"));
    }

    #[test]
-    fn test_cert_status_missing_display() {
-        let status = CertStatus::Missing {
-            paths: vec![PathBuf::from("/etc/ssl/ca.pem")],
+    fn test_config_load_invalid_yaml() {
+        let invalid_path = "/tmp/invalid_config_test.yaml";
+        std::fs::write(invalid_path, "invalid: yaml: content: [").unwrap();
+
+        let result = AppConfig::load(invalid_path, false);
+        assert!(result.is_err(), "Should fail for invalid yaml");
+
+        std::fs::remove_file(invalid_path).unwrap();
+    }
+
+    #[test]
+    fn test_config_validation_port_range() {
+        let result = AppConfig::load("tests/fixtures/valid_config.yaml", false);
+        assert!(result.is_ok());
+        let config = result.unwrap();
+        assert!(config.server.port >= 1);
+    }
+
+    #[test]
+    fn test_config_validation_bind_address() {
+        let result = AppConfig::load("tests/fixtures/valid_config.yaml", false);
+        assert!(result.is_ok());
+        let config = result.unwrap();
+        assert!(!config.server.bind.is_empty());
+    }
+
+    #[test]
+    fn test_config_validation_max_concurrent() {
+        let result = AppConfig::load("tests/fixtures/valid_config.yaml", false);
+        assert!(result.is_ok());
+        let config = result.unwrap();
+        assert!(config.jobs.max_concurrent > 0);
+    }
+
+    #[test]
+    fn test_config_validation_timeout() {
+        let result = AppConfig::load("tests/fixtures/valid_config.yaml", false);
+        assert!(result.is_ok());
+        let config = result.unwrap();
+        assert!(config.jobs.timeout_minutes >= 1 && config.jobs.timeout_minutes <= 1440);
+    }
+
+    #[test]
+    fn test_tls_config_defaults() {
+        let config = AppConfig {
+            server: ServerConfig {
+                port: 12443,
+                bind: "0.0.0.0".to_string(),
+                timeout_seconds: 30,
+            },
+            tls: Some(TlsConfig {
+                enabled: true,
+                port: 12443,
+                ca_cert: "/etc/linux_patch_api/certs/ca.pem".to_string(),
+                server_cert: "/etc/linux_patch_api/certs/server.pem".to_string(),
+                server_key: "/etc/linux_patch_api/certs/server.key".to_string(),
+                min_tls_version: "1.3".to_string(),
+            }),
+            jobs: JobsConfig {
+                max_concurrent: 5,
+                timeout_minutes: 30,
+                storage_path: "/var/lib/linux_patch_api/jobs".to_string(),
+            },
+            logging: LoggingConfig {
+                level: "info".to_string(),
+                journal_enabled: true,
+                syslog_enabled: false,
+                syslog_server: None,
+                file_path: "/var/log/linux_patch_api/audit.log".to_string(),
+                retention_days: 30,
+            },
+            whitelist: Some(WhitelistConfig {
+                path: "/etc/linux_patch_api/whitelist.yaml".to_string(),
+            }),
+            package_manager: None,
+            enrollment: None,
        };
-        let display = format!("{}", status);
-        assert!(display.contains("Missing"));
-        assert!(display.contains("/etc/ssl/ca.pem"));
-    }

-    #[test]
-    fn test_enrollment_config_defaults() {
-        let config = EnrollmentConfig::default();
-        assert!(config.manager_url.is_none());
-        assert!(config.polling_token.is_empty());
-        assert_eq!(config.polling_interval_seconds, 60);
-        assert_eq!(config.max_poll_attempts, 1440);
-        assert_eq!(config.cert_renewal_threshold_days, 7);
-    }
-
-    #[test]
-    fn test_enrollment_config_with_url() {
-        let yaml = r#"
-manager_url: "https://manager.example.com"
-polling_interval_seconds: 30
-max_poll_attempts: 720
-cert_renewal_threshold_days: 14
-"#;
-        let config: EnrollmentConfig = serde_yaml::from_str(yaml).unwrap();
+        assert!(config.tls_config().is_some());
+        assert_eq!(config.tls_config().unwrap().min_tls_version, "1.3");
        assert_eq!(
-            config.manager_url,
-            Some("https://manager.example.com".to_string())
+            config.whitelist_path(),
+            "/etc/linux_patch_api/whitelist.yaml"
        );
-        assert_eq!(config.polling_interval_seconds, 30);
-        assert_eq!(config.max_poll_attempts, 720);
-        assert_eq!(config.cert_renewal_threshold_days, 14);
-    }
-
-    #[test]
-    fn test_effective_manager_url() {
-        let mut config = EnrollmentConfig::default();
-        assert!(config.effective_manager_url().is_none());
-
-        config.manager_url = Some("https://manager.example.com".to_string());
-        assert_eq!(
-            config.effective_manager_url(),
-            Some("https://manager.example.com")
-        );
-
-        config.manager_url = Some("".to_string());
-        assert!(config.effective_manager_url().is_none());
-    }
-
-    #[test]
-    fn test_migrate_empty_strings() {
-        let yaml = r#"
-server:
-  port: 12443
-  bind: "0.0.0.0"
-jobs:
-  max_concurrent: 5
-  timeout_minutes: 30
-logging:
-  level: "info"
-enrollment:
-  manager_url: ""
-"#;
-        let config: AppConfig = serde_yaml::from_str(yaml).unwrap();
-        let migrated = config.migrate_empty_strings();
-        assert!(migrated.enrollment.unwrap().manager_url.is_none());
    }
 }
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -6,6 +6,6 @@
 //! - Auto-reload on file change via notify watcher

 pub mod loader;
-pub use loader::{validate_certs, AppConfig, CertStatus, EnrollmentConfig};
+pub use loader::EnrollmentConfig;
 pub mod validator;
 pub mod watcher;
--- a/src/enroll/client.rs
+++ b/src/enroll/client.rs
@ -272,14 +272,6 @@ impl EnrollmentClient {

                Ok(enrollment_response)
            }
-            409 => {
-                // Host already exists - log warning and return special response
-                // The caller should skip to polling phase with existing token
-                tracing::warn!(
-                    "Host already registered with manager (HTTP 409) — will attempt to resume polling"
-                );
-                Err(anyhow!("ENROLLMENT_CONFLICT: Host already exists"))
-            }
            429 => {
                Err(anyhow!(
                    "Rate limited (HTTP 429) — enrollment requests limited to 1/minute per IP. Retry after 60 seconds."
--- a/src/enroll/mod.rs
+++ b/src/enroll/mod.rs
@ -3,12 +3,6 @@
 //! Handles secure registration with the patch manager, including
 //! identity extraction (machine-id, FQDN, IPs, OS details) and
 //! mTLS enrollment via the manager API.
-//!
-//! Supports:
-//! - Auto-enrollment on startup when certs are missing/invalid
-//! - Manual enrollment via `--enroll <url>` CLI flag
-//! - Resume polling from persisted token after restart
-//! - HTTP 409 (host already exists) handling

 pub mod client;
 pub mod identity;
@ -26,42 +20,17 @@ pub use identity::{
    get_primary_ip, get_route_source_ip, is_container_bridge, is_link_local,
 };

-/// Error type for enrollment conflict (HTTP 409).
-/// Used to signal that the host is already registered and we should
-/// skip to the polling phase.
-#[derive(Debug)]
-pub struct EnrollmentConflictError;
-
-impl std::fmt::Display for EnrollmentConflictError {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "Host already registered with manager")
-    }
-}
-
-impl std::error::Error for EnrollmentConflictError {}
-
 /// Run the full enrollment flow against the manager at the given URL.
 ///
 /// # Phases
 /// 1. **Registration** - POST machine identity to manager, receive polling token
-///    - If HTTP 409 (host already exists), skip to Phase 2 with existing token
 /// 2. **Polling** - Poll manager for approval with configurable interval/max attempts
-///    - If `polling_token` is already in config, skip Phase 1 and resume polling
 /// 3. **Provisioning** - Write PKI bundle to disk (certs/keys) and append manager IP to whitelist
 ///
-/// # Arguments
-/// * `manager_url` - The manager API base URL
-/// * `config` - Mutable reference to AppConfig for polling token persistence
-/// * `config_path` - Path to config file for persisting polling token
-///
 /// # Errors
 /// Returns Err on registration failure, polling timeout, denial, user interruption,
 /// PKI provisioning failure, or whitelist update failure.
-pub async fn run_enrollment(
-    manager_url: &str,
-    config: &mut super::AppConfig,
-    config_path: &str,
-) -> Result<()> {
+pub async fn run_enrollment(manager_url: &str, config: &super::AppConfig) -> Result<()> {
    // Extract IP reporting overrides from enrollment config
    let (report_interface, report_ip) = config
        .enrollment
@ -71,66 +40,13 @@ pub async fn run_enrollment(

    let client = EnrollmentClient::with_ip_overrides(manager_url, report_interface, report_ip);

-    // Check for existing polling token to resume
-    let polling_token = if let Some(ref enrollment) = config.enrollment {
-        if !enrollment.polling_token.is_empty() {
-            tracing::info!(
-                "Resuming enrollment polling from saved token (host already registered)"
-            );
-            enrollment.polling_token.clone()
-        } else {
-            // No saved token — need to register first
-            String::new()
-        }
-    } else {
-        String::new()
-    };
-
-    // Phase 1: Registration (skip if we have a saved polling token)
-    let polling_token = if polling_token.is_empty() {
-        tracing::info!(
-            manager_url = manager_url,
-            "Starting enrollment - registration phase"
-        );
-        match client.register().await {
-            Ok(response) => {
-                tracing::info!("Registration successful - received polling token");
-                response.polling_token
-            }
-            Err(e) => {
-                let err_str = e.to_string();
-                if err_str.contains("ENROLLMENT_CONFLICT") {
-                    // HTTP 409 - host already exists
-                    // We don't have a polling token, so we can't resume polling
-                    // Log a warning and return an error — the user needs to
-                    // re-enroll or the manager needs to provide a new token
-                    tracing::warn!(
-                        "Host already registered but no polling token saved. \
-                         Cannot resume polling. Re-run enrollment or check manager status."
-                    );
-                    return Err(anyhow::anyhow!(
-                        "Host already registered with manager but no polling token available for resume. \
-                         Please check the manager for your host status or re-enroll."
-                    ));
-                }
-                // For other errors, propagate directly
-                return Err(e);
-            }
-        }
-    } else {
-        tracing::info!("Using saved polling token to resume enrollment");
-        polling_token
-    };
-
-    // Persist polling token for resume after restart
-    if let Err(e) = config.save_polling_token(&polling_token, config_path) {
-        tracing::warn!(
-            error = %e,
-            "Failed to persist polling token — enrollment will not resume after restart"
-        );
-    } else {
-        tracing::debug!("Polling token persisted to config");
-    }
+    // Phase 1: Registration
+    tracing::info!(
+        manager_url = manager_url,
+        "Starting enrollment - registration phase"
+    );
+    let response = client.register().await?;
+    tracing::info!("Registration successful - received polling token");

    // Get polling config (use defaults if not set)
    let interval = config
@ -151,7 +67,7 @@ pub async fn run_enrollment(
        "Starting enrollment - polling phase"
    );
    let pki_bundle = client
-        .poll_for_approval(&polling_token, interval, max_attempts)
+        .poll_for_approval(&response.polling_token, interval, max_attempts)
        .await?;

    // Phase 3: PKI provisioning & whitelist update
@ -175,16 +91,6 @@ pub async fn run_enrollment(
    provision::append_manager_to_whitelist(&manager_ip, config.whitelist_path()).await?;
    tracing::info!(manager_ip = %manager_ip, "Manager IP appended to whitelist");

-    // Clear polling token after successful provisioning
-    if let Err(e) = config.clear_polling_token(config_path) {
-        tracing::warn!(
-            error = %e,
-            "Failed to clear polling token from config — will attempt re-registration on next start"
-        );
-    } else {
-        tracing::debug!("Polling token cleared from config");
-    }
-
    tracing::info!("Enrollment complete - PKI and whitelist configured");
    Ok(())
 }
--- a/src/main.rs
+++ b/src/main.rs
@ -12,25 +12,18 @@
 //! - mTLS authentication required on port 12443
 //! - IP whitelist enforced (deny by default)
 //! - Detailed audit logging
-//!
-//! # Exit Codes
-//!
-//! - 0: Clean exit (no certs + no enrollment URL, or --enroll/--renew-certs success)
-//! - 1: Error (config error, enrollment network failure, cert validation error)
-//! - 2: Certs invalid, auto-enrollment in progress (triggers systemd restart with backoff)

 use actix_web::middleware::Logger;
 use actix_web::{web, App, HttpServer};
 use anyhow::Result;
 use clap::Parser;
+use std::net::TcpListener;
 use std::sync::Arc;
 use tracing::{error, info, warn};

 use linux_patch_api::api::{configure_api_routes, configure_health_route};
 use linux_patch_api::auth::{mtls, MtlsMiddleware, WhitelistManager};
-use linux_patch_api::config::loader::{validate_certs, CertStatus};
 use linux_patch_api::enroll;
-use linux_patch_api::packages::cache::PackageCacheState;
 use linux_patch_api::packages::create_backend;
 use linux_patch_api::{init_logging, AppConfig, JobManager};

@ -48,29 +41,12 @@ struct Args {
    #[arg(short, long)]
    verbose: bool,

-    /// Enroll with manager at URL (skips mTLS startup, runs enrollment flow only, then exits)
+    /// Enroll with manager at URL (skips mTLS startup, runs enrollment flow only)
    #[arg(
        long,
-        help = "Enroll with manager at URL (skips mTLS startup, runs enrollment flow only, then exits)"
+        help = "Enroll with manager at URL (skips mTLS startup, runs enrollment flow only)"
    )]
    enroll: Option<String>,
-
-    /// Validate existing certs and re-enroll if expiring within threshold or invalid
-    #[arg(
-        long,
-        help = "Validate existing certs and re-enroll if expiring within threshold or invalid, then exits"
-    )]
-    renew_certs: bool,
-}
-
-/// Exit codes for the daemon
-enum ExitCode {
-    /// Clean exit: no certs + no enrollment URL, or --enroll/--renew-certs success
-    Clean = 0,
-    /// Error: config error, enrollment network failure, cert validation error
-    Error = 1,
-    /// Certs invalid, auto-enrollment in progress (triggers systemd restart with backoff)
-    EnrollmentInProgress = 2,
 }

 #[actix_web::main]
@ -92,9 +68,8 @@ async fn main() -> Result<()> {
        "Linux Patch API starting"
    );

-    // Load configuration (skip TLS validation during enrollment mode)
-    let skip_tls_validation = args.enroll.is_some();
-    let mut config = match AppConfig::load(&args.config, skip_tls_validation) {
+    // Load configuration
+    let config = match AppConfig::load(&args.config, args.enroll.is_some()) {
        Ok(cfg) => {
            info!(
                port = cfg.server.port,
@ -105,145 +80,23 @@ async fn main() -> Result<()> {
        }
        Err(e) => {
            error!(error = %e, path = args.config, "Failed to load configuration");
-            std::process::exit(ExitCode::Error as i32);
+            return Err(anyhow::anyhow!("Configuration error: {}", e));
        }
    };

-    // Handle --renew-certs flag: validate certs and re-enroll if needed
-    if args.renew_certs {
-        info!("Certificate renewal mode activated - validating existing certificates");
-        match validate_certs(&config) {
-            Ok(CertStatus::Valid) => {
-                info!("Certificates are valid and not expiring soon. No renewal needed.");
-                std::process::exit(ExitCode::Clean as i32);
-            }
-            Ok(CertStatus::ExpiringSoon { not_after }) => {
-                info!(
-                    not_after = %not_after,
-                    "Certificates expiring soon - starting re-enrollment"
-                );
-            }
-            Ok(status) => {
-                info!(
-                    status = %status,
-                    "Certificates are {} - starting re-enrollment",
-                    status
-                );
-            }
-            Err(e) => {
-                error!(error = %e, "Certificate validation failed");
-                std::process::exit(ExitCode::Error as i32);
-            }
-        }
-
-        // Need enrollment URL to re-enroll
-        let manager_url = match config.enrollment_manager_url() {
-            Some(url) => url.to_string(),
-            None => {
-                error!(
-                    "Cannot re-enroll: enrollment.manager_url not configured. \
-                     Add the manager URL to config.yaml or use --enroll <url>"
-                );
-                std::process::exit(ExitCode::Error as i32);
-            }
-        };
-
-        match enroll::run_enrollment(&manager_url, &mut config, &args.config).await {
-            Ok(()) => {
-                info!(
-                    "Certificate renewal complete. Start service: systemctl start linux-patch-api"
-                );
-                std::process::exit(ExitCode::Clean as i32);
-            }
-            Err(e) => {
-                error!(error = %e, "Certificate renewal failed");
-                std::process::exit(ExitCode::Error as i32);
-            }
-        }
-    }
-
-    // Handle --enroll flag: run enrollment flow then EXIT
+    // Handle enrollment mode - runs before server startup
    if let Some(ref manager_url) = args.enroll {
        info!(
            manager_url = manager_url,
-            "Enrollment mode activated - running enrollment flow"
+            "Enrollment mode activated - running enrollment flow before server startup"
        );
-        match enroll::run_enrollment(manager_url, &mut config, &args.config).await {
+        match enroll::run_enrollment(manager_url, &config).await {
            Ok(()) => {
-                info!("Enrollment complete. Start service: systemctl start linux-patch-api");
-                std::process::exit(ExitCode::Clean as i32);
+                info!("Enrollment complete - proceeding to server startup");
            }
            Err(e) => {
-                error!(error = %e, "Enrollment failed");
-                std::process::exit(ExitCode::Error as i32);
-            }
-        }
-    }
-
-    // Auto-enrollment on startup: validate certs before starting server
-    if config.tls_config().is_some() {
-        match validate_certs(&config) {
-            Ok(CertStatus::Valid) => {
-                info!("TLS certificates validated successfully");
-            }
-            Ok(CertStatus::ExpiringSoon { not_after }) => {
-                warn!(
-                    not_after = %not_after,
-                    "Certificates expiring soon - starting normally, consider re-enrollment"
-                );
-                // TODO: Schedule background re-enrollment in future phase
-            }
-            Ok(status @ CertStatus::Missing { .. })
-            | Ok(status @ CertStatus::Corrupt { .. })
-            | Ok(status @ CertStatus::Expired { .. })
-            | Ok(status @ CertStatus::KeyMismatch)
-            | Ok(status @ CertStatus::Untrusted) => {
-                // Certs are invalid - check if we can auto-enroll
-                // Clone the manager URL before mutable borrow of config
-                let manager_url_opt = config.enrollment_manager_url().map(|s| s.to_string());
-                match manager_url_opt {
-                    Some(manager_url) => {
-                        info!(
-                            status = %status,
-                            manager_url = manager_url,
-                            "Certs {}. Auto-enrolling with {}",
-                            status,
-                            manager_url
-                        );
-                        match enroll::run_enrollment(&manager_url, &mut config, &args.config).await
-                        {
-                            Ok(()) => {
-                                info!("Auto-enrollment complete - continuing to server startup");
-                                // Re-load config to pick up any changes from enrollment
-                                config = AppConfig::load(&args.config, false)?;
-                            }
-                            Err(e) => {
-                                error!(
-                                    error = %e,
-                                    "Auto-enrollment failed - will retry on next restart"
-                                );
-                                std::process::exit(ExitCode::EnrollmentInProgress as i32);
-                            }
-                        }
-                    }
-                    None => {
-                        // No enrollment URL configured - exit cleanly to avoid crash loop
-                        error!(
-                            status = %status,
-                            "Certs {}. No enrollment URL configured. \
-                             To fix this, either:\n\
-                             1. Add enrollment.manager_url to config.yaml and restart\n\
-                             2. Run: linux-patch-api --enroll <manager_url>\n\
-                             3. Place certificates manually in the configured paths",
-                            status
-                        );
-                        std::process::exit(ExitCode::Clean as i32);
-                    }
-                }
-            }
-            Err(e) => {
-                error!(error = %e, "Certificate validation error");
-                std::process::exit(ExitCode::Error as i32);
+                error!(error = %e, "Enrollment failed - shutting down");
+                return Err(anyhow::anyhow!("Enrollment failed: {}", e));
            }
        }
    }
@ -293,29 +146,21 @@ async fn main() -> Result<()> {
    let job_manager_data = web::Data::new(job_manager);
    let backend_data = web::Data::new(package_backend);

-    // Initialize package cache state
-    let cache_state = web::Data::new(PackageCacheState::new());
-    info!("Package cache state initialized");
-
    // Configure bind address
    let bind_address = format!("{}:{}", config.server.bind, config.server.port);
+    info!(bind = %bind_address, "Starting HTTP server");

+    // Create server
    // Create server builder
    let server_builder = HttpServer::new(move || {
        let mut app = App::new()
            .wrap(Logger::default())
            .app_data(job_manager_data.clone())
-            .app_data(backend_data.clone())
-            .app_data(cache_state.clone());
+            .app_data(backend_data.clone());

        // Configure API routes
        app = app.configure(|cfg| {
-            configure_api_routes(
-                cfg,
-                job_manager_data.clone(),
-                backend_data.clone(),
-                cache_state.clone(),
-            );
+            configure_api_routes(cfg, job_manager_data.clone(), backend_data.clone());
        });

        // Configure health route (outside API scope)
@ -337,6 +182,7 @@ async fn main() -> Result<()> {
    );

    info!("Linux Patch API initialized successfully");
+    info!("Listening on {}", bind_address);

    // Apply TLS/mTLS configuration if enabled
    if let Some(tls_config) = config.tls_config() {
@ -364,37 +210,11 @@ async fn main() -> Result<()> {

                info!("mTLS middleware and rustls config initialized successfully");

-                // Create TCP listener with SO_REUSEADDR using socket2
-                // This prevents "Address already in use" errors when restarting after a crash
-                let socket = socket2::Socket::new(
-                    socket2::Domain::IPV4,
-                    socket2::Type::STREAM,
-                    Some(socket2::Protocol::TCP),
-                )
-                .map_err(|e| anyhow::anyhow!("Failed to create socket: {}", e))?;
+                // Create TCP listener (std::net for listen_rustls_0_23)
+                let tcp_listener = TcpListener::bind(&bind_address)
+                    .map_err(|e| anyhow::anyhow!("Failed to bind to {}: {}", bind_address, e))?;

-                socket
-                    .set_reuse_address(true)
-                    .map_err(|e| anyhow::anyhow!("Failed to set SO_REUSEADDR: {}", e))?;
-
-                let bind_addr: std::net::SocketAddr = bind_address.parse().map_err(|e| {
-                    anyhow::anyhow!("Invalid bind address '{}': {}", bind_address, e)
-                })?;
-
-                socket
-                    .bind(&socket2::SockAddr::from(bind_addr))
-                    .map_err(|e| {
-                        anyhow::anyhow!("Failed to bind socket to {}: {}", bind_address, e)
-                    })?;
-
-                socket
-                    .listen(128)
-                    .map_err(|e| anyhow::anyhow!("Failed to listen on socket: {}", e))?;
-
-                let tcp_listener: std::net::TcpListener = socket.into();
-
-                // Log listening AFTER successful bind
-                info!("Listening on {} (mTLS enabled)", bind_address);
+                info!("TCP listener bound to {}", bind_address);

                // Clone the ServerConfig from Arc for listen_rustls_0_23
                let server_config = (*rustls_config).clone();
@ -413,37 +233,8 @@ async fn main() -> Result<()> {
            }
        }
    } else {
-        // Create TCP listener with SO_REUSEADDR for non-TLS mode
-        let socket = socket2::Socket::new(
-            socket2::Domain::IPV4,
-            socket2::Type::STREAM,
-            Some(socket2::Protocol::TCP),
-        )
-        .map_err(|e| anyhow::anyhow!("Failed to create socket: {}", e))?;
-
-        socket
-            .set_reuse_address(true)
-            .map_err(|e| anyhow::anyhow!("Failed to set SO_REUSEADDR: {}", e))?;
-
-        let bind_addr: std::net::SocketAddr = bind_address
-            .parse()
-            .map_err(|e| anyhow::anyhow!("Invalid bind address '{}': {}", bind_address, e))?;
-
-        socket
-            .bind(&socket2::SockAddr::from(bind_addr))
-            .map_err(|e| anyhow::anyhow!("Failed to bind socket to {}: {}", bind_address, e))?;
-
-        socket
-            .listen(128)
-            .map_err(|e| anyhow::anyhow!("Failed to listen on socket: {}", e))?;
-
-        let tcp_listener: std::net::TcpListener = socket.into();
-
-        // Log listening AFTER successful bind
-        info!("Listening on {} (no TLS)", bind_address);
-
        warn!("TLS is disabled - running without mTLS authentication (INSECURE)");
-        server_builder.listen(tcp_listener)?.run().await?;
+        server_builder.bind(&bind_address)?.run().await?;
    }

    info!("Linux Patch API shutting down");
--- a/src/packages/cache.rs
+++ b/src/packages/cache.rs
@ -1,291 +0,0 @@
-//! Package Cache Management Module
-//! Handles package index refresh, stale detection, state persistence, and 404 retry logic.
-
-use anyhow::Result;
-use chrono::{DateTime, Utc};
-use serde::{Deserialize, Serialize};
-use std::sync::Mutex;
-use std::time::Duration;
-use tracing::{info, warn};
-
-/// State file path for cache persistence
-const CACHE_STATE_PATH: &str = "/var/lib/linux_patch_api/state/cache.json";
-
-/// Stale threshold: 4 hours
-const STALE_THRESHOLD_SECS: u64 = 4 * 60 * 60;
-
-/// Cache refresh command timeout: 120 seconds
-#[allow(dead_code)]
-const CACHE_REFRESH_TIMEOUT_SECS: u64 = 120;
-
-/// Persistent cache state (written to cache.json)
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct CacheStateFile {
-    pub last_cache_update: Option<String>, // RFC3339
-    pub last_update_success: bool,
-}
-
-/// Runtime cache status
-#[derive(Debug, Clone, Serialize)]
-pub struct PackageCacheStatus {
-    pub last_update: Option<DateTime<Utc>>,
-    pub last_update_success: bool,
-    pub last_update_error: Option<String>,
-}
-
-/// In-memory cache state (thread-safe)
-pub struct PackageCacheState {
-    inner: Mutex<CacheStateInner>,
-}
-
-struct CacheStateInner {
-    last_update: Option<DateTime<Utc>>,
-    last_update_success: bool,
-    last_update_error: Option<String>,
-}
-
-impl Default for PackageCacheState {
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
-impl PackageCacheState {
-    pub fn new() -> Self {
-        // Try to load from state file on startup
-        let inner = match Self::load_state_file() {
-            Some(state) => CacheStateInner {
-                last_update: state
-                    .last_cache_update
-                    .and_then(|s| DateTime::parse_from_rfc3339(&s).ok())
-                    .map(|dt| dt.with_timezone(&Utc)),
-                last_update_success: state.last_update_success,
-                last_update_error: None,
-            },
-            None => CacheStateInner {
-                last_update: None,
-                last_update_success: false,
-                last_update_error: None,
-            },
-        };
-        Self {
-            inner: Mutex::new(inner),
-        }
-    }
-
-    pub fn status(&self) -> PackageCacheStatus {
-        let inner = self.inner.lock().unwrap();
-        PackageCacheStatus {
-            last_update: inner.last_update,
-            last_update_success: inner.last_update_success,
-            last_update_error: inner.last_update_error.clone(),
-        }
-    }
-
-    pub fn is_stale(&self) -> bool {
-        let inner = self.inner.lock().unwrap();
-        match inner.last_update {
-            None => true,
-            Some(t) => {
-                let threshold = Duration::from_secs(STALE_THRESHOLD_SECS);
-                Utc::now() - t
-                    > chrono::Duration::from_std(threshold).unwrap_or(chrono::TimeDelta::MAX)
-            }
-        }
-    }
-
-    pub fn update_success(&self) {
-        let mut inner = self.inner.lock().unwrap();
-        inner.last_update = Some(Utc::now());
-        inner.last_update_success = true;
-        inner.last_update_error = None;
-        drop(inner); // release lock before I/O
-        self.persist_state();
-    }
-
-    pub fn update_failure(&self, error: String) {
-        let mut inner = self.inner.lock().unwrap();
-        inner.last_update_success = false;
-        inner.last_update_error = Some(error);
-        let now = Utc::now();
-        // Keep old timestamp if we had one, don't update on failure
-        if inner.last_update.is_none() {
-            inner.last_update = Some(now); // first attempt timestamp
-        }
-        drop(inner);
-        self.persist_state();
-    }
-
-    fn load_state_file() -> Option<CacheStateFile> {
-        let content = std::fs::read_to_string(CACHE_STATE_PATH).ok()?;
-        serde_json::from_str(&content).ok()
-    }
-
-    fn persist_state(&self) {
-        let inner = self.inner.lock().unwrap();
-        let state = CacheStateFile {
-            last_cache_update: inner.last_update.map(|dt| dt.to_rfc3339()),
-            last_update_success: inner.last_update_success,
-        };
-        drop(inner); // release lock before I/O
-
-        // Create parent directory if needed
-        if let Some(parent) = std::path::Path::new(CACHE_STATE_PATH).parent() {
-            let _ = std::fs::create_dir_all(parent);
-        }
-
-        match serde_json::to_string_pretty(&state) {
-            Ok(json) => {
-                if let Err(e) = std::fs::write(CACHE_STATE_PATH, json) {
-                    warn!("Failed to persist cache state: {}", e);
-                }
-            }
-            Err(e) => warn!("Failed to serialize cache state: {}", e),
-        }
-    }
-}
-
-/// Check if an error message indicates a fetch/404 error
-pub fn is_fetch_error(error: &anyhow::Error) -> bool {
-    let msg = error.to_string().to_lowercase();
-    msg.contains("404")
-        || msg.contains("not found")
-        || msg.contains("failed to fetch")
-        || msg.contains("unable to fetch")
-}
-
-/// Execute a patch apply with automatic cache refresh retry on 404/fetch errors.
-/// Hardcoded 1 retry after cache refresh.
-pub fn apply_with_cache_retry<F>(mut refresh_fn: F, apply_fn: impl Fn() -> Result<()>) -> Result<()>
-where
-    F: FnMut() -> Result<()>,
-{
-    match apply_fn() {
-        Ok(()) => Ok(()),
-        Err(e) if is_fetch_error(&e) => {
-            info!("Patch apply failed with fetch error, refreshing cache and retrying");
-            refresh_fn()?;
-            apply_fn()
-        }
-        Err(e) => Err(e),
-    }
-}
-
-/// Run a command with timeout for cache refresh operations
-pub fn run_command_with_timeout(program: &str, args: &[&str]) -> Result<String> {
-    use std::process::Command;
-
-    let output = Command::new(program)
-        .args(args)
-        .env("DEBIAN_FRONTEND", "noninteractive")
-        .output()?;
-
-    if !output.status.success() {
-        let stderr = String::from_utf8_lossy(&output.stderr);
-        return Err(anyhow::anyhow!("Cache refresh command failed: {}", stderr));
-    }
-
-    Ok(String::from_utf8_lossy(&output.stdout).to_string())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_is_fetch_error_404() {
-        let err = anyhow::anyhow!("E: Unable to fetch 404 Not Found");
-        assert!(is_fetch_error(&err));
-    }
-
-    #[test]
-    fn test_is_fetch_error_not_found() {
-        let err = anyhow::anyhow!("Package not found in repository");
-        assert!(is_fetch_error(&err));
-    }
-
-    #[test]
-    fn test_is_fetch_error_failed_to_fetch() {
-        let err = anyhow::anyhow!("Failed to fetch package index");
-        assert!(is_fetch_error(&err));
-    }
-
-    #[test]
-    fn test_is_fetch_error_unable_to_fetch() {
-        let err = anyhow::anyhow!("Unable to fetch some archive");
-        assert!(is_fetch_error(&err));
-    }
-
-    #[test]
-    fn test_is_not_fetch_error() {
-        let err = anyhow::anyhow!("Permission denied");
-        assert!(!is_fetch_error(&err));
-    }
-
-    #[test]
-    fn test_cache_state_new() {
-        let state = PackageCacheState::new();
-        let status = state.status();
-        // Fresh state should have no last_update (unless state file exists)
-        // Just verify it doesn't panic
-        assert!(!status.last_update_success || status.last_update.is_some());
-    }
-
-    #[test]
-    fn test_cache_state_stale_when_no_update() {
-        let state = PackageCacheState::new();
-        // If no state file exists, cache should be stale
-        // This test may vary based on state file existence,
-        // but we can at least call is_stale without panic
-        let _ = state.is_stale();
-    }
-
-    #[test]
-    fn test_cache_state_update_success() {
-        let state = PackageCacheState::new();
-        state.update_success();
-        let status = state.status();
-        assert!(status.last_update.is_some());
-        assert!(status.last_update_success);
-        assert!(status.last_update_error.is_none());
-    }
-
-    #[test]
-    fn test_cache_state_update_failure() {
-        let state = PackageCacheState::new();
-        state.update_failure("test error".to_string());
-        let status = state.status();
-        assert!(!status.last_update_success);
-        assert_eq!(status.last_update_error, Some("test error".to_string()));
-    }
-
-    #[test]
-    fn test_apply_with_cache_retry_success() {
-        let result = apply_with_cache_retry(|| Ok(()), || Ok(()));
-        assert!(result.is_ok());
-    }
-
-    #[test]
-    fn test_apply_with_cache_retry_non_fetch_error() {
-        let result: Result<()> =
-            apply_with_cache_retry(|| Ok(()), || Err(anyhow::anyhow!("Permission denied")));
-        assert!(result.is_err());
-        let err = result.unwrap_err();
-        assert!(!is_fetch_error(&err));
-    }
-
-    #[test]
-    fn test_apply_with_cache_retry_fetch_error_with_refresh() {
-        let mut refresh_called = false;
-        let result: Result<()> = apply_with_cache_retry(
-            || {
-                refresh_called = true;
-                Ok(())
-            },
-            || Err(anyhow::anyhow!("404 Not Found")),
-        );
-        // Refresh should have been called, but second apply_fn still fails with 404
-        assert!(refresh_called);
-        assert!(result.is_err());
-    }
-}
--- a/src/packages/mod.rs
+++ b/src/packages/mod.rs
--- a/tasks/alpine-packaging-root-cause.md
+++ b/tasks/alpine-packaging-root-cause.md
@ -1,118 +0,0 @@
-# Alpine Packaging Root Cause Analysis
-
-**Date:** 2026-05-20
-**Author:** Echo
-**Status:** Fixed in v1.1.10
-
-## Problem Statement
-
-Alpine APK packages for linux-patch-api did not create required files on `apk add`:
- No `/etc/linux_patch_api/config.yaml` (from config.yaml.example)
- No `/etc/linux_patch_api/config.yaml.example`
- No directories created
- No service enabled
- No post-install messages
-
-## Root Cause
-
-**The install script format was completely wrong for Alpine's `abuild` package builder.**
-
-### Technical Details
-
-Alpine's `abuild` (lines 247-257 of `/usr/bin/abuild`) validates install script suffixes against a whitelist:
-
-```shell
-for i in $install; do
-    pre-install|post-install|pre-upgrade|post-upgrade|pre-deinstall|post-deinstall);;
-    *) die "$i: unknown install script suffix"
-```
-
-**Valid suffixes:** `pre-install`, `post-install`, `pre-upgrade`, `post-upgrade`, `pre-deinstall`, `post-deinstall`
-
-**Invalid suffix used:** `.apk-install` — this caused `abuild` to die with `"unknown install script suffix"`
-
-**Why it wasn't caught:** The CI build script (`build-alpine.sh`) used `|| true` after `abuild`, which **silently masked the failure**. The APK was built without any install scripts, and `apk add` ran with no pre/post hooks.
-
-### Original (Broken) Format
-
-Single file `configs/linux-patch-api.apk-install` containing function definitions:
-```sh
-pre_install() { ... }
-post_install() { ... }
-pre_deinstall() { ... }
-post_deinstall() { ... }
-```
-
-APKBUILD referenced it as:
-```
-install="linux-patch-api.apk-install"
-```
-
-**Two fatal errors:**
-1. `.apk-install` is not a valid abuild suffix (should be `.pre-install`, `.post-install`, etc.)
-2. Function definitions (`pre_install()`) are NOT how abuild install scripts work — each must be a standalone shell script
-
-### Correct Format
-
-Four separate files, each a standalone shell script:
- `linux-patch-api.pre-install` — runs before package files are laid down
- `linux-patch-api.post-install` — runs after package files are laid down
- `linux-patch-api.pre-deinstall` — runs before package removal
- `linux-patch-api.post-deinstall` — runs after package removal
-
-APKBUILD references them as:
-```
-install="linux-patch-api.pre-install linux-patch-api.post-install linux-patch-api.pre-deinstall linux-patch-api.post-deinstall"
-```
-
-## Fix
-
-### Files Changed
-1. **Deleted** `configs/linux-patch-api.apk-install` (invalid format)
-2. **Created** `configs/linux-patch-api.pre-install` (create dirs, set permissions)
-3. **Created** `configs/linux-patch-api.post-install` (copy example configs, enable service)
-4. **Created** `configs/linux-patch-api.pre-deinstall` (stop and disable service)
-5. **Created** `configs/linux-patch-api.post-deinstall` (clean up empty dirs)
-6. **Updated** `build-alpine.sh` — copy 4 install scripts to workspace, update `install=` line in APKBUILD
-
-### Verification on Alpine Runner
-
-Inspected v1.1.10 APK contents:
-```
-.SIGN.RSA.root-69eeaa18.rsa.pub
-.PKGINFO
-.pre-install
-.post-install
-.pre-deinstall
-.post-deinstall
-etc/init.d/linux-patch-api
-etc/linux_patch_api/config.yaml.example
-etc/linux_patch_api/whitelist.yaml.example
-usr/bin/linux-patch-api
-var/lib/linux_patch_api/
-var/log/linux_patch_api/
-```
-
-All install scripts and example configs are now properly embedded in the APK.
-
-### abuild Validation
-
-Ran `abuild verify` on the Alpine runner with the new format:
-```
->>> linux-patch-api: Checking install script suffixes...
->>> linux-patch-api: Checking if install script names match pkgname...
-```
-
-Both checks PASSED. The old `.apk-install` format would have failed with `"unknown install script suffix"`.
-
-## Prevention
-
-1. **Always verify on actual target systems before pushing.** SSH to the runner, inspect the built artifact, test the install.
-2. **Read the tool's source code when documentation is unclear.** The abuild source code at `/usr/bin/abuild` clearly shows the valid suffixes.
-3. **Never use `|| true` to mask build failures.** The CI build script masked the abuild failure, hiding the root cause.
-4. **Never assume a file edit is correct without runtime verification.** Multiple edits to .apk-install were made without testing on Alpine.
-
-## Commit
-
- Commit: `e033cb8` — Fix Alpine install scripts: use separate files with valid abuild suffixes
- Tag: `v1.1.10`
--- a/tasks/issue-2-package-cache-refresh.md
+++ b/tasks/issue-2-package-cache-refresh.md
@ -1,281 +0,0 @@
-# Issue #2: Package Cache Refresh - Spec Document
-
-**Version:** 1.1.17  
-**Date:** 2026-05-27  
-**Status:** Approved  
-**Gitea Issue:** https://gitea-lxc.moon-dragon.us/git-echo/linux_patch_api/issues/2
-
---
-
-## Problem Statement
-
-On 2026-05-27, `dashboard.moon-dragon.us` (Ubuntu 24.04.2 LTS, agent v1.1.16) had 11 pending patches but ALL `patch_apply` jobs failed with 404 errors. Root cause: stale `apt` package cache referencing superseded versions no longer in upstream repos.
-
-**Impact:** 700/757 total jobs failed (92.5% failure rate) across all managed hosts.
-
---
-
-## Requirements (from Issue #2)
-
-| # | Requirement | Priority | Description |
-|---|-------------|----------|-------------|
-| 1 | Pre-Upgrade Cache Refresh | **MUST** | Run package index update before every `patch_apply` operation |
-| 2 | Regular Interval Cache Refresh | **MUST** | Refresh package index on each health check (manager-triggered) |
-| 3 | 404/Fetch Error Handling | **SHOULD** | Auto-retry with cache refresh on 404 errors, then report failure |
-| 4 | Stale Cache Detection | **SHOULD** | Track `last_cache_update` timestamp; include in health response |
-
---
-
-## Architecture Decisions (Kelly-Approved)
-
-1. **New module:** `src/packages/cache.rs` for dedicated cache management
-2. **Health check integration:** Cache refresh triggered by health check from manager
-3. **Force cache refresh before apply:** Always on, NOT configurable
-4. **Cache interval:** Controlled by manager health check frequency, not agent config
-5. **Health check reports `last_cache_update`:** If cache refresh fails, health check returns degraded
-6. **OS detection:** Already exists via compile-time backend selection
-7. **Version bump:** 1.1.17
-8. **Health check failure mode:** HTTP 200 with `status: "degraded"` (not 503)
-9. **Cache refresh timeout:** 120 seconds
-10. **404 retry count:** Hardcoded 1 retry (not configurable)
-11. **Cache state persistence:** State file at `/var/lib/linux_patch_api/state/cache.json`; in-memory otherwise
-
---
-
-## Design Specification
-
-### 1. New Module: `src/packages/cache.rs`
-
-#### `PackageCacheStatus` struct
-
-```rust
-pub struct PackageCacheStatus {
-    pub last_update: Option<DateTime<Utc>>,
-    pub last_update_success: bool,
-    pub last_update_error: Option<String>,
-}
-```
-
-#### `PackageCacheRefresher` trait
-
-```rust
-pub trait PackageCacheRefresher: Send + Sync {
-    /// Refresh the package index (apt update, dnf check-update, etc.)
-    fn refresh_cache(&self) -> Result<()>;
-    
-    /// Get the current cache status
-    fn cache_status(&self) -> PackageCacheStatus;
-    
-    /// Check if cache is stale (older than threshold)
-    fn is_cache_stale(&self, threshold: Duration) -> bool;
-}
-```
-
-#### Per-Backend Refresh Commands
-
-| Backend | Refresh Command | Notes |
-|---------|----------------|-------|
-| AptBackend | `apt-get update` | Full index refresh |
-| DnfBackend | `dnf check-update --refresh` | Force metadata refresh |
-| YumBackend | `yum makecache` | Rebuild metadata cache |
-| ApkBackend | `apk update` | Update repository index |
-| PacmanBackend | `pacman -Sy` | Sync databases (with caution note) |
-
-### 2. Health Check Enhancement: `src/api/handlers/system.rs`
-
-#### New `HealthData` response
-
-```rust
-pub struct HealthData {
-    pub status: String,           // "healthy" or "degraded"
-    pub uptime_seconds: u64,
-    pub version: String,
-    pub last_cache_update: Option<String>,  // RFC3339 timestamp
-    pub cache_status: String,     // "fresh", "stale", "unknown", "failed"
-}
-```
-
-#### Health check flow
-
-```
-GET /health or GET /api/v1/health
-  │
-  ├─ Read uptime (existing)
-  ├─ Read version (existing)
-  ├─ Call backend.cache_status() → PackageCacheStatus
-  │
-  ├─ If cache is stale (>4 hours) OR never refreshed:
-  │   ├─ Call backend.refresh_cache()  (120s timeout)
-  │   ├─ If success: last_cache_update = now, cache_status = "fresh"
-  │   └─ If failure: status = "degraded", cache_status = "failed"
-  │
-  └─ Return HealthData (HTTP 200 always)
-```
-
-**Key rule:** If cache refresh is attempted and fails, health check returns HTTP 200 with `status: "degraded"`. The manager decides how to handle degraded status.
-
-### 3. Pre-Apply Cache Refresh: `src/api/handlers/patches.rs`
-
-#### Patch apply flow change
-
-```
-POST /api/v1/patches/apply
-  │
-  ├─ Create job (existing)
-  ├─ Return 202 Accepted (existing)
-  │
-  └─ Background task:
-      ├─ job_manager.update_job(Running, 0%, "Refreshing package index...")
-      ├─ backend.refresh_package_cache()  ← NEW: Always runs before apply (120s timeout)
-      │   ├─ If failure: job_manager.fail_job("Package cache refresh failed: ...")
-      │   └─ If success: continue
-      ├─ job_manager.update_job(Running, 10%, "Cache refreshed, applying patches...")
-      ├─ backend.apply_patches(packages)  (existing)
-      └─ ... (existing completion flow)
-```
-
-**Key rule:** Cache refresh before apply is MANDATORY and NOT configurable. If it fails, the patch_apply job fails immediately with a clear error message.
-
-### 4. 404/Fetch Error Retry Logic
-
-#### In `src/packages/cache.rs`
-
-```rust
-/// Execute a patch operation with automatic cache refresh on 404/fetch errors
-/// Hardcoded 1 retry after cache refresh on fetch errors.
-pub fn apply_with_cache_retry<F>(
-    backend: &dyn PackageManagerBackend,
-    apply_fn: F,
-) -> Result<()>
-where
-    F: Fn() -> Result<()>,
-{
-    match apply_fn() {
-        Ok(()) => Ok(()),
-        Err(e) if is_fetch_error(&e) => {
-            // Refresh cache and retry once
-            backend.refresh_package_cache()?;
-            apply_fn()
-        }
-        Err(e) => Err(e),
-    }
-}
-
-/// Check if error is a fetch/404 error that warrants cache refresh retry
-fn is_fetch_error(error: &anyhow::Error) -> bool {
-    let msg = error.to_string().to_lowercase();
-    msg.contains("404") 
-        || msg.contains("not found") 
-        || msg.contains("failed to fetch")
-        || msg.contains("unable to fetch")
-}
-```
-
-**Retry policy:** Hardcoded 1 retry after cache refresh on 404/fetch errors. If retry also fails, report failure with specific error.
-
-### 5. Stale Cache Detection
-
-#### In `src/packages/cache.rs`
-
- Track `last_cache_update: Option<DateTime<Utc>>` in a thread-safe `Arc<Mutex<PackageCacheState>>`
- `is_cache_stale(threshold)` returns `true` if:
-  - `last_cache_update` is `None` (never refreshed)
-  - `last_cache_update` is older than threshold (default: 4 hours)
- Used by health check to decide whether to trigger refresh
- Used by patch_apply to log warning (but still force-refresh regardless)
-
-### 6. PackageManagerBackend Trait Extension
-
-```rust
-pub trait PackageManagerBackend: Send + Sync {
-    // ... existing methods ...
-    
-    /// NEW: Refresh the local package index
-    fn refresh_package_cache(&self) -> Result<()>;
-    
-    /// NEW: Get the last cache update timestamp
-    fn last_cache_update(&self) -> Option<DateTime<Utc>>;
-}
-```
-
-Each backend implements `refresh_package_cache()` using its OS-specific command.
-
-### 7. Cache State Persistence
-
-The `last_cache_update` timestamp persists to disk at `/var/lib/linux_patch_api/state/cache.json`:
-
-```json
-{
-  "last_cache_update": "2026-05-27T13:00:00Z",
-  "last_update_success": true
-}
-```
-
- Written after each successful or failed cache refresh
- Read on service startup to initialize in-memory state
- If file is missing or corrupt, treated as never-refreshed (triggers refresh on first health check)
- File permissions: 644 (readable by manager for diagnostics)
-
-### 8. Configuration Changes
-
-**No new configuration parameters.** Per Kelly's decision:
- Cache refresh before apply is always-on (not configurable)
- Cache refresh interval is controlled by manager health check frequency
- Stale threshold is hardcoded at 4 hours
- Cache refresh timeout is hardcoded at 120 seconds
-
---
-
-## File Changes Summary
-
-| File | Change |
-|------|--------|
-| `src/packages/cache.rs` | **NEW** - PackageCacheStatus, PackageCacheRefresher, retry logic, stale detection, state persistence |
-| `src/packages/mod.rs` | Add `mod cache;`, implement `refresh_package_cache()` and `last_cache_update()` on each backend |
-| `src/api/handlers/system.rs` | Enhance health_check to include cache_status and last_cache_update, trigger refresh if stale |
-| `src/api/handlers/patches.rs` | Add cache refresh before apply_patches in job background task |
-| `src/api/handlers/mod.rs` | Update HealthData type with new fields |
-| `Cargo.toml` | Bump version to 1.1.17 |
-| `ARCHITECTURE.md` | Update health check section, add cache refresh flow |
-| `REQUIREMENTS.md` | Add FR-007 for package cache refresh requirements |
-| `/var/lib/linux_patch_api/state/cache.json` | **NEW** - Persistent cache state file |
-
---
-
-## Implementation Order
-
-1. **`src/packages/cache.rs`** - Core cache types, stale detection, state persistence
-2. **Backend implementations** - Add `refresh_package_cache()` and `last_cache_update()` to each backend in `mod.rs`
-3. **Health check enhancement** - Update `system.rs` to include cache status and trigger refresh
-4. **Pre-apply refresh** - Update `patches.rs` job flow to refresh before apply
-5. **404 retry logic** - Add retry wrapper in `cache.rs`
-6. **Version bump** - Update `Cargo.toml` to 1.1.17
-7. **Documentation** - Update `ARCHITECTURE.md` and `REQUIREMENTS.md`
-8. **State persistence** - Implement cache.json read/write in `cache.rs`
-9. **Tests** - Unit tests for cache logic, integration tests for health check
-
---
-
-## Test Plan
-
-### Unit Tests
- `cache_status()` returns correct initial state
- `is_cache_stale()` returns true for never-refreshed and >4h old
- `is_fetch_error()` correctly identifies 404/fetch errors
- `apply_with_cache_retry()` retries once on 404 then fails on second attempt
- Each backend's `refresh_package_cache()` calls correct command
- State file read/write works correctly
- Corrupt/missing state file handled gracefully
-
-### Integration Tests
- `GET /health` returns `last_cache_update` and `cache_status` fields
- `GET /health` triggers cache refresh when stale
- `GET /health` returns `"degraded"` when cache refresh fails (HTTP 200)
- `POST /api/v1/patches/apply` refreshes cache before applying
- `POST /api/v1/patches/apply` fails job when cache refresh fails
- 404 retry logic works end-to-end
- State persists across service restart
-
---
-
-*Following kiro spec-driven development standards*
--- a/tasks/lessons.md
+++ b/tasks/lessons.md
@ -84,24 +84,6 @@
 **Rule:** E2E tests must assert status=completed for core operations. A failed package install is a 100% total failure of the API's core function.
 **Status:** Active

-## 2026-05-20 - Verify on actual target systems before declaring something fixed (CRITICAL)
-**Mistake:** Edited Alpine packaging files multiple times without SSHing to the actual Alpine runner to verify. Made assumptions about abuild install script format based on documentation/comments instead of checking the actual abuild source code on the target system.
-**Correction:** SSHed to Alpine runner, read abuild source code (lines 247-257), discovered that .apk-install is NOT a valid suffix. abuild expects SEPARATE files: pkgname.pre-install, .post-install, .pre-deinstall, .post-deinstall. The CI build used || true which masked the abuild failure, so APK was built WITHOUT install scripts silently.
-**Rule:** ALWAYS verify fixes on actual target systems before pushing. SSH to the runner, inspect the built artifact, test the install. Never assume a file edit is correct without runtime verification. Read the tool's source code when documentation is unclear.
-**Status:** Active
-
-## 2026-05-20 - Alpine abuild install script format requires separate files with valid suffixes
-**Mistake:** Used a single .apk-install file with function definitions (pre_install, post_install, etc.) for Alpine packaging. This is NOT a valid abuild format.
-**Correction:** Created 4 separate files: linux-patch-api.pre-install, .post-install, .pre-deinstall, .post-deinstall as standalone shell scripts. These are the ONLY valid suffixes abuild accepts (lines 247-257 of /usr/bin/abuild).
-**Rule:** Alpine abuild install scripts MUST be separate files with valid suffixes: pre-install, post-install, pre-upgrade, post-upgrade, pre-deinstall, post-deinstall. Do NOT use function definitions in a single file. Do NOT invent custom suffixes like .apk-install.
-**Status:** Active
-
-## 2026-05-20 - Ask for help with access blocks immediately (CRITICAL)
-**Mistake:** Spent many turns and significant compute time trying to work around not having root access on the Alpine runner (investigating doas.conf errors, trying alternative approaches) instead of simply asking Kelly to install sudo.
-**Correction:** Kelly installed sudo in seconds. The time and money I wasted on workarounds far exceeded the trivial effort of asking for help.
-**Rule:** When blocked by an access or permission issue, ASK KELLY IMMEDIATELY. Do not spend time on workarounds. A quick fix by Kelly is worth far more than hours of AI compute trying to bypass the block. My processing time costs real money.
-**Status:** Active
-
 ## 2026-05-03 - Systemd sandbox whack-a-mole pattern
 **Mistake:** Fixed systemd sandbox restrictions one at a time (ProtectSystem → NoNewPrivileges → RestrictSUIDSGID → CapabilityBoundingSet) instead of analyzing all restrictions at once.
 **Correction:** Removed ALL restrictive sandbox settings at once after understanding that package management requires full system access.
--- a/tasks/rca-crash-loop-2026-05-28.md
+++ b/tasks/rca-crash-loop-2026-05-28.md
@ -1,267 +0,0 @@
-# Root Cause Analysis: linux-patch-api Crash Loop
-
-**Date:** 2026-05-28
-**Affected Hosts:** sonarr, apt-cacher-ng, radarr-lxc, lidarr-lxc, deluge-lxc (all .moon-dragon.us)
-**Symptom:** Agent crash loop with "Address already in use" on port 12443, causing flapping between healthy/unreachable on manager
-
---
-
-## Executive Summary
-
-The crash loop has **three distinct root causes**, not two as initially documented:
-
-1. **Primary cause:** Package installation enables and starts the service **before certificates exist**, causing immediate crash on mTLS initialization.
-2. **Secondary cause:** `TcpListener::bind` does NOT set `SO_REUSEADDR`, preventing rebinding when a port is in TIME_WAIT state.
-3. **Tertiary cause (discovered during RCA):** The `--enroll` process binds to port 12443 after enrollment completes, blocking the systemd service from starting.
-
-The result: hosts stuck in an **infinite crash loop** that cannot self-recover without manual intervention.
-
---
-
-## Evidence Preserved
-
-### radarr-lxc (still crash-looping, evidence intact)
-
-| Metric | Value |
-|--------|-------|
-| NRestarts | 4,762+ (since May 20) |
-| First crash | May 20 20:23:55 — `TLS CA certificate not found: /etc/linux_patch_api/certs/ca.pem` |
-| Current error | `Failed to bind to 0.0.0.0:12443: Address already in use (os error 98)` |
-| PID holding port 12443 | 1218 (`linux-patch-api --enroll`) started at 15:59:32 |
-| PID 1218 parent | 1217 (`sudo linux-patch-api --enroll`) |
-| PID 1218 state | S (sleeping), holding socket fd=16 on 0.0.0.0:12443 |
-| Certs exist | Yes (valid May 28 2026 → May 28 2027) |
-| systemd MainPID | 0 (not tracking the enrollment process) |
-
-### lidarr-lxc (still crash-looping, evidence intact)
-
-| Metric | Value |
-|--------|-------|
-| NRestarts | 4,822+ |
-| PID holding port 12443 | 1207 (`linux-patch-api --enroll`) started at 15:42 |
-| Same pattern as radarr-lxc |
-
-### deluge-lxc (still crash-looping, evidence intact)
-
-| Metric | Value |
-|--------|-------|
-| NRestarts | 4,494+ |
-| PID holding port 12443 | 51035 (`linux-patch-api --enroll`) started at 15:11 |
-| Same pattern as radarr-lxc |
-
-### sonarr (evidence destroyed by fix)
-
-Fixed before full investigation. NRestarts was 117,647+ over 8 days. Pattern inferred from partial logs.
-
-### apt-cacher-ng (evidence destroyed by fix)
-
-Fixed before full investigation. Pattern inferred from partial logs.
-
---
-
-## Root Cause Analysis
-
-### Cause 1: Package Postinst Starts Service Before Certs Exist
-
-The `.deb`/`.pkg.tar.zst` package postinst script:
-1. Installs the binary
-2. Deploys example config files
-3. Enables the systemd service (`systemctl enable`)
-4. **Does NOT start the service** (comment: "admin should configure first")
-5. **Does not check if TLS certificates exist**
-6. **Does not run enrollment**
-
-**Note:** The postinst correctly does NOT start the service. The service was started by a separate deployment step (likely during the v1.1.16→v1.1.17 upgrade or by a previous version's postinst that DID start the service).
-
-The config file (`/etc/linux_patch_api/config.yaml`) references certs that don't exist yet:
-```yaml
-tls:
-  enabled: true
-  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
-  server_cert: "/etc/linux_patch_api/certs/server.pem"
-  server_key: "/etc/linux_patch_api/certs/server.key"
-```
-
-The agent validates cert paths at config load time and exits with error if they don't exist. Since the service is enabled and `Restart=on-failure` is set, systemd triggers restart immediately.
-
-**Evidence:** All three preserved hosts show the same first crash on May 20 with `TLS CA certificate not found`.
-
-### Cause 2: Enrollment Process Port Conflict (NEW FINDING)
-
-**This is the dominant cause on the currently crash-looping hosts.**
-
-When `linux-patch-api --enroll <manager_url>` is run:
-1. It registers with the manager and receives a polling token
-2. It polls the manager for approval
-3. After approval, it provisions certs
-4. **It then falls through to normal server startup** (main.rs lines 88-100)
-5. The enrollment process binds to port 12443 and starts serving requests
-
-Meanwhile, the systemd service is also enabled and trying to restart:
-1. systemd sees the service failed, waits `RestartSec=5s`
-2. Tries to start a NEW `linux-patch-api` process
-3. New process tries `TcpListener::bind("0.0.0.0:12443")` → **"Address already in use"**
-4. Process exits immediately, loop repeats every 5 seconds
-
-**Key insight:** systemd's `MainPID=0` — it has LOST TRACK of the enrollment process because it was started outside systemd (via `sudo` from an SSH session). The enrollment process is an orphan holding the port.
-
-**Evidence from radarr-lxc:**
-```
-PID 1218: linux-patch-api --enroll https://linux-patch-manager-dev.moon-dragon.us
-  State: S (sleeping)
-  FD 16: socket:[900840468] → LISTEN on 0.0.0.0:12443
-  Parent: PID 1217 (sudo) → PID 1216 (bash -c from SSH session)
-systemd MainPID: 0 (not tracking this process)
-```
-
-**Source code confirmation** (main.rs lines 88-100):
-```rust
-if let Some(ref manager_url) = args.enroll {
-    info!("Enrollment mode activated - running enrollment flow before server startup");
-    match enroll::run_enrollment(manager_url, &config).await {
-        Ok(()) => {
-            info!("Enrollment complete - proceeding to server startup");  // ← Falls through to bind!
-        }
-        Err(e) => {
-            error!(error = %e, "Enrollment failed - shutting down");
-            return Err(anyhow::anyhow!("Enrollment failed: {}", e));
-        }
-    }
-}
-// ... continues to TcpListener::bind at line 226
-```
-
-### Cause 3: No SO_REUSEADDR on TcpListener::bind
-
-Once the enrollment process eventually exits (or is killed), the port enters TIME_WAIT state for ~60 seconds. Without `SO_REUSEADDR`, the next systemd restart attempt within that window also fails with "Address already in use".
-
-**Source code** (main.rs line 226):
-```rust
-let tcp_listener = TcpListener::bind(&bind_address)
-    .map_err(|e| anyhow::anyhow!("Failed to bind to {}: {}", bind_address, e))?;
-```
-
-`std::net::TcpListener::bind` does NOT set `SO_REUSEADDR`. The `socket2` crate is not a dependency.
-
-### Cause 4: Misleading Log Messages
-
-The log sequence is confusing because of premature logging in main.rs:
-
-```
-INFO linux_patch_api: Listening on 0.0.0.0:12443     ← Line 197 (logged BEFORE actual bind)
-INFO linux_patch_api: Initializing mTLS authentication  ← Line 206
-INFO linux_patch_api: mTLS middleware initialized      ← Line 223
-Error: Failed to bind to 0.0.0.0:12443               ← Line 227 (actual bind attempt)
-```
-
-The "Listening" message at line 197 is emitted **before** the `TcpListener::bind` at line 226. This makes it look like the agent successfully bound and then tried to bind again.
-
---
-
-## Recommended Fixes
-
-### Fix 1: Enrollment Should NOT Fall Through to Server Startup
-
-**Priority: CRITICAL** — This is the fix that prevents the enrollment port conflict.
-
-In `src/main.rs`, after enrollment completes, the process should EXIT instead of falling through to server startup:
-
-```rust
-if let Some(ref manager_url) = args.enroll {
-    info!("Enrollment mode activated");
-    match enroll::run_enrollment(manager_url, &config).await {
-        Ok(()) => {
-            info!("Enrollment complete - start the service with: systemctl start linux-patch-api");
-            return Ok(());  // ← EXIT after enrollment, don't bind port
-        }
-        Err(e) => {
-            error!(error = %e, "Enrollment failed");
-            return Err(anyhow::anyhow!("Enrollment failed: {}", e));
-        }
-    }
-}
-```
-
-### Fix 2: Add SO_REUSEADDR to TcpListener::bind
-
-In `src/main.rs` line 226, replace:
-```rust
-let tcp_listener = TcpListener::bind(&bind_address)
-    .map_err(|e| anyhow::anyhow!("Failed to bind to {}: {}", bind_address, e))?;
-```
-
-With:
-```rust
-use socket2::{Socket, Domain, Type, Protocol};
-let socket = Socket::new(Domain::IPV4, Type::STREAM, Some(Protocol::TCP))?;
-socket.set_reuse_address(true)?;
-socket.bind(&bind_address.parse()?)?;
-socket.listen(128)?;
-let tcp_listener: TcpListener = socket.into();
-```
-
-Add `socket2` to `Cargo.toml` dependencies.
-
-### Fix 3: Postinst Should Check for Certs Before Enabling Service
-
-The package postinst script should:
-1. Check if TLS certs exist at the configured paths
-2. If certs exist → enable and start the service
-3. If certs don't exist → enable but DON'T start; print enrollment instructions
-
-### Fix 4: Increase RestartSec and Add StartLimitBurst
-
-In `configs/linux-patch-api.service`:
-```ini
-Restart=on-failure
-RestartSec=10s
-StartLimitIntervalSec=300
-StartLimitBurst=5
-```
-
-This prevents the crash loop from spinning at 12 attempts/minute. After 5 failures in 300s, systemd stops retrying.
-
-### Fix 5: Fix Misleading Log Message
-
-Move the "Listening on" log (line 197) to AFTER the successful bind (after line 229):
-```rust
-// After TcpListener::bind succeeds:
-info!("TCP listener bound to {}", bind_address);
-info!("Listening on {}", bind_address);  // Move here
-```
-
---
-
-## Immediate Actions Needed
-
-Three hosts are still crash-looping with enrollment processes holding port 12443:
- **radarr-lxc** — PID 1218 holding port, NRestarts=4,762
- **lidarr-lxc** — PID 1207 holding port, NRestarts=4,822
- **deluge-lxc** — PID 51035 holding port, NRestarts=4,494
-
-To fix each host:
-1. Kill the enrollment process: `sudo kill <pid>`
-2. Wait for port release
-3. Start the service: `sudo systemctl start linux-patch-api`
-
-**Awaiting Kelly's approval before fixing.**
-
---
-
-## Lessons Learned
-
-1. **Do NOT destroy evidence before completing RCA.** I fixed apt-cacher-ng before fully investigating the crash loop, destroying diagnostic evidence. Kelly had to point this out.
-2. **Investigate first, fix second.** When doing RCA, preserve the crash-looping hosts and gather all evidence before applying fixes.
-3. **The enrollment process port conflict was the dominant cause** on the currently-affected hosts, not TIME_WAIT. I initially misdiagnosed this because I destroyed the evidence too early.
-
---
-
-## Confidence
-
-Confidence: 95% (diagnosis)
- Evidence: Direct log analysis from 3 preserved hosts showing identical pattern
- Evidence: Source code review of main.rs showing enrollment fall-through to server startup
- Evidence: Process state showing enrollment PID holding port 12443 while systemd has MainPID=0
- Evidence: `ps aux` and `/proc` data confirming enrollment process is alive and bound
- Uncertainties: None significant — the evidence chain is complete and consistent
- Test Status: Partially tested — apt-cacher-ng and sonarr were fixed before full investigation; radarr/lidarr/deluge still crash-looping with preserved evidence
--- a/tasks/todo.md
+++ b/tasks/todo.md
@ -1,39 +0,0 @@
-# Auto-Enrollment Implementation Plan
-
-## Overview
-Implement auto-enrollment workflow so the agent self-heals when certs are missing or invalid, instead of crash-looping.
-
-## Spec Updates
- [x] Update SPEC.md: Self-Enrollment section, CLI arguments, startup behavior, cert validation, exit codes
- [x] Update DEPLOYMENT_GUIDE.md: Auto-enrollment deployment method, manual enrollment, config options
-
-## Code Changes
- [x] src/config/loader.rs: Cert validation (CertStatus enum, validate_certs function)
- [x] src/config/loader.rs: EnrollmentConfig.manager_url changed to Option<String>
- [x] src/config/loader.rs: cert_renewal_threshold_days and polling_token fields added
- [x] src/config/loader.rs: save_polling_token() and clear_polling_token() methods
- [x] src/main.rs: Auto-enrollment path when certs invalid + URL configured
- [x] src/main.rs: --enroll exits after completion (no fall-through to server startup)
- [x] src/main.rs: --renew-certs flag for manual cert renewal
- [x] src/main.rs: SO_REUSEADDR on TcpListener::bind (socket2 crate)
- [x] src/main.rs: Move "Listening on" log after actual bind
- [x] src/main.rs: Exit code strategy (0=clean, 1=error, 2=enrollment in progress)
- [x] src/enroll/client.rs: HTTP 409 (Conflict) handling for host already exists
- [x] src/enroll/mod.rs: Polling token resume from persisted config
- [x] src/enroll/mod.rs: Handle ENROLLMENT_CONFLICT gracefully
- [x] configs/linux-patch-api.service: RestartSec=10s, StartLimitBurst=5, StartLimitIntervalSec=300
- [x] debian/postinst: Check for certs and enrollment URL, print guidance
-
-## Build & Test
- [x] cargo check passes
- [x] cargo test passes (107 unit + 7 e2e + 11 integration)
-
-## Remaining
- [ ] Build release package
- [ ] Test auto-enrollment on a clean host
- [ ] Test --enroll exits without starting server
- [ ] Test --renew-certs flag
- [ ] Test cert validation (missing, corrupt, expired, key mismatch, untrusted)
- [ ] Test SO_REUSEADDR (restart after crash)
- [ ] Test systemd exit code behavior
- [ ] Deploy to linux-patch-manager-dev for integration testing
				`@ -0,0 +1 @@`
				`{"model_provider": "ollama", "model_name": "bge-m3:latest"}`
				`@ -0,0 +1 @@`
				`9cde4598eb68e4b1810cdf657333d8ca9e228ebcb4b4717524b62a61ae06f900`
				`@ -0,0 +1 @@`
				{"/a0/usr/knowledge/main/Iran-US-Conflict-Update-2026-04-01.md": {"file": "/a0/usr/knowledge/main/Iran-US-Conflict-Update-2026-04-01.md", "checksum": "6beea9874c3bcb846d17f9a60c29d528", "ids": ["5sQkc0Ylqa", "FeZVPLWYss", "kYBRtDfHjJ"]}, "/a0/usr/knowledge/main/ollama-27b-modelfile.txt": {"file": "/a0/usr/knowledge/main/ollama-27b-modelfile.txt", "checksum": "3f4f724d6f777e0620df9781ebc82f36", "ids": ["yZoFOCA99D"]}, "/a0/usr/knowledge/main/behavioral-rules.md": {"file": "/a0/usr/knowledge/main/behavioral-rules.md", "checksum": "ff4230d5f02891487008864de55151e8", "ids": ["5LhBKVgUXB"]}, "/a0/usr/knowledge/main/utility_test.txt": {"file": "/a0/usr/knowledge/main/utility_test.txt", "checksum": "c8c29a129e935836a77048f47e231705", "ids": ["vrbKe4D4sR"]}, "/a0/usr/knowledge/main/welcome.md": {"file": "/a0/usr/knowledge/main/welcome.md", "checksum": "d947ce81d6dcc977a3ddf52e8d5e4712", "ids": ["0Qx7U1mSZH"]}, "/a0/usr/knowledge/main/capability_test_results.txt": {"file": "/a0/usr/knowledge/main/capability_test_results.txt", "checksum": "880b2a6e355125561f22e1f0ac38a3c4", "ids": ["hmVC8arGTg"]}, "/a0/usr/knowledge/main/Iran-US-Conflict-Analysis-2026.md": {"file": "/a0/usr/knowledge/main/Iran-US-Conflict-Analysis-2026.md", "checksum": "ffa6e16f560fc2c021df9c656e8dfdcc", "ids": ["WKKtg5Rj2e", "VBSDN1KENS"]}, "/a0/knowledge/main/tool_call_reference_examples.md": {"file": "/a0/knowledge/main/tool_call_reference_examples.md", "checksum": "1558e6e118619185e31224b1ed646b9a", "ids": ["mLgFu7vH7Z"]}, "/a0/knowledge/main/about/architecture.md": {"file": "/a0/knowledge/main/about/architecture.md", "checksum": "0de7a9280419982ef5fc98d0cc6ad2dc", "ids": ["VG5QHEdqZt", "oALIWNguyG"]}, "/a0/knowledge/main/about/configuration.md": {"file": "/a0/knowledge/main/about/configuration.md", "checksum": "9f83690fdca64631d063c75fd324d42c", "ids": ["XX5kcVMvDu", "T2B8pFL10O"]}, "/a0/knowledge/main/about/capabilities.md": {"file": "/a0/knowledge/main/about/capabilities.md", "checksum": "cf4d100df544af245940971464357e0b", "ids": ["S6MH1eLPzP", "laWnXkj3Ky"]}, "/a0/knowledge/main/about/identity.md": {"file": "/a0/knowledge/main/about/identity.md", "checksum": "63a2c83c6c3bf4c4008786c396618755", "ids": ["Yi3PLqGcaj"]}, "/a0/knowledge/main/about/setup-and-deployment.md": {"file": "/a0/knowledge/main/about/setup-and-deployment.md", "checksum": "3cf57d685f11a6989a73cf041c2018a3", "ids": ["KVJ5zsWDQX", "LoANN0xNbF"]}}
				`@ -0,0 +1 @@`
				{"title": "Linux_Patch_API", "description": "Create an API service that will allow remote clients to securely remote manage the patching process and control software add and removal. ", "instructions": "Use Strict Spec Driven development process following the kiro standards.\nAsk questions and help build all of the spec driven files needed\nAlways get approval before taking next steps\nAlways ask questions to determine the right path for the software\nNever make assumptions, always confirm. \nCode must be build following strict security coding guidelines\n", "color": "#00bbf9", "git_url": "", "file_structure": {"enabled": true, "max_depth": 5, "max_files": 20, "max_folders": 20, "max_lines": 250, "gitignore": "# Python environments & cache\nvenv/\n/__pycache__/\n\n# Node.js dependencies\n/node_modules/\n/.npm/\n\n# Version control metadata\n/.git/**\n"}}