feat: add bump-version.sh script for version management

Automates version bumps across all version source files:
- Cargo.toml (PRIMARY - workspace.package.version)
- debian/changelog (prepend new entry)
- debian/control (update Version field)
- scripts/build-package.sh (update VERSION variable)
- frontend/package.json (update version field)
- Stale references check after bump

Usage: ./scripts/bump-version.sh <new_version> <old_version>

debian/changelog

@@ -0,0 +1,41 @@
+linux-patch-manager (0.1.9-1) noble; urgency=medium
+
+  * Fix: Replace broken DashMap rate limiting with tower-governor middleware
+  * Fix: Enrollment rate limiting was global (0.0.0.0 fallback) instead of per-IP
+  * Fix: Use SmartIpKeyExtractor for proper X-Forwarded-For support behind HAProxy
+  * Add: Configurable rate limit tiers via [rate_limit] in config.toml
+  * Add: Standard X-RateLimit-* and Retry-After headers on 429 responses
+
+ -- Echo <echo@moon-dragon.us>  Wed, 21 May 2026 02:38:00 +0000
+
+linux-patch-manager (0.1.7-1) noble; urgency=medium
+
+  * Host Self-Enrollment: Added REST API and UI for automated agent enrollment
+  * Database: Added enrollment_requests table and migration 016
+  * Security: Implemented IP-based rate limiting on public enrollment endpoints
+  * Backend: Added background worker to purge expired enrollment requests (24h)
+  * Frontend: Integrated pending enrollment queue with conflict resolution modal
+  * Specs: Updated SPEC.md for manager and linux_patch_api self-enrollment workflows
+
+ -- Echo <echo@moon-dragon.us>  Fri, 16 May 2026 11:44:08 -0500
+
+linux-patch-manager (0.1.6-1) noble; urgency=medium
+
+  * Phase 4: Exhaustive analysis fixes, security hardening, and code quality improvements
+  * Implemented CRL generation and verification for mTLS agent certificates
+  * Added IP-based rate limiting middleware using governor crate
+  * Hardened error handling and removed silent unwrap_or_default failures
+  * Fixed blocking I/O in agent_loader to use async tokio::fs
+  * Made allow_reboot configurable per job via database column
+  * Improved audit integrity verification and reporting limits
+
+ -- Echo <echo@moon-dragon.us>  Fri, 15 May 2026 22:11:45 +0000
+
+linux-patch-manager (1.0.0-1) noble; urgency=medium
+
+  * Initial release of Linux Patch Manager
+  * Full M1-M12 feature set implemented
+  * MFA, RBAC, mTLS, CA, reporting, audit integrity
+  * HIPAA/PCI-DSS compliance mapping documented
+
+ -- Echo <echo@moon-dragon.us>  Thu, 24 Apr 2026 00:00:00 +0000

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,26 @@
+Package: linux-patch-manager
+Version: 1.0.0-1
+Architecture: amd64
+Maintainer: Moon Dragon <echo@moon-dragon.us>
+Installed-Size: 45000
+Depends: postgresql-16, libssl3, libc6 (>= 2.39), libfontconfig1
+Recommends: postgresql-client-16, fonts-dejavu-core
+Suggests: gpg
+Section: admin
+Priority: optional
+Description: Enterprise Linux Patch Management System
+ Linux Patch Manager is a secure, web-based management interface for
+ controlling patching and updates on Linux servers and workstations.
+ .
+ Features include:
+  - Multi-factor authentication (TOTP + WebAuthn)
+  - Role-based access control (Admin/Operator)
+  - Mutual TLS agent communication
+  - Internal Certificate Authority
+  - Automated patch deployment with rollback
+  - Maintenance window scheduling
+  - Real-time WebSocket job monitoring
+  - CSV/PDF compliance reporting
+  - Audit logging with hash-chain integrity
+  - Email notifications
+  - Azure SSO (OAuth2/OIDC with PKCE)

debian/install

@@ -0,0 +1,9 @@
+usr/local/bin/pm-web
+usr/local/bin/pm-worker
+usr/local/bin/backup.sh
+usr/share/patch-manager/frontend/*
+usr/share/patch-manager/config.example.toml
+usr/share/patch-manager/migrations/*
+lib/systemd/system/patch-manager-web.service
+lib/systemd/system/patch-manager-worker.service
+lib/systemd/system/patch-manager.target

debian/postinst

@@ -0,0 +1,102 @@
+#!/bin/bash
+set -e
+
+# =============================================================================
+# Linux Patch Manager — Post-install script
+# =============================================================================
+
+case "$1" in
+    configure)
+        # Create service user if not exists
+        if ! id patch-manager &>/dev/null; then
+            useradd --system --no-create-home --shell /usr/sbin/nologin \
+                --comment "Linux Patch Manager service account" patch-manager
+        fi
+
+        # Create required directories
+        mkdir -p /etc/patch-manager/ca /etc/patch-manager/certs \
+                 /etc/patch-manager/jwt /etc/patch-manager/tls \
+                 /var/log/patch-manager /opt/patch-manager \
+                 /var/backups/patch-manager
+
+        chown -R patch-manager:patch-manager \
+            /etc/patch-manager /var/log/patch-manager \
+            /opt/patch-manager /usr/share/patch-manager/frontend
+
+        chmod 750 /etc/patch-manager/ca /etc/patch-manager/jwt
+        chmod 700 /var/backups/patch-manager
+
+        # Generate JWT signing key if not present
+        if [[ ! -f /etc/patch-manager/jwt/signing.pem ]]; then
+            openssl genpkey -algorithm ed25519 -out /etc/patch-manager/jwt/signing.pem 2>/dev/null
+            openssl pkey -in /etc/patch-manager/jwt/signing.pem -pubout -out /etc/patch-manager/jwt/verify.pem 2>/dev/null
+            chown patch-manager:patch-manager /etc/patch-manager/jwt/signing.pem /etc/patch-manager/jwt/verify.pem
+            chmod 600 /etc/patch-manager/jwt/signing.pem
+            chmod 644 /etc/patch-manager/jwt/verify.pem
+        fi
+
+        # Write default config if not present
+        if [[ ! -f /etc/patch-manager/config.toml ]]; then
+            cp /usr/share/patch-manager/config.example.toml /etc/patch-manager/config.toml
+            chown patch-manager:patch-manager /etc/patch-manager/config.toml
+            chmod 640 /etc/patch-manager/config.toml
+        fi
+
+        # Install backup cron if not present
+        if ! crontab -l 2>/dev/null | grep -qF "backup.sh"; then
+            (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1") | crontab -
+        fi
+
+        # Reload systemd
+        systemctl daemon-reload
+
+        # Restart services if this is an upgrade (not a fresh install)
+        if systemctl is-active --quiet patch-manager-web 2>/dev/null; then
+            systemctl restart patch-manager-web || true
+        fi
+        if systemctl is-active --quiet patch-manager-worker 2>/dev/null; then
+            systemctl restart patch-manager-worker || true
+        fi
+
+        # Run pending database migrations
+        MIGRATION_DIR="/usr/share/patch-manager/migrations"
+        if [[ -d "$MIGRATION_DIR" ]]; then
+            echo "Applying database migrations..."
+            for sql_file in $(ls "$MIGRATION_DIR"/*.sql 2>/dev/null | sort); do
+                echo "  Applying: $(basename "$sql_file")"
+            done
+            echo "Note: Migrations must be applied manually: sudo -u patch_manager psql -d patch_manager -f <migration_file>"
+        fi
+
+        echo ""
+        echo "Linux Patch Manager installed successfully!"
+        echo "==========================================="
+        echo ""
+        echo "Next steps:"
+        echo "  1. Install and configure PostgreSQL:"
+        echo "       apt install postgresql-16"
+        echo "  2. Create the database:"
+        echo "       sudo -u postgres createdb -O patch_manager patch_manager"
+        echo "  3. Edit /etc/patch-manager/config.toml with your database URL"
+        echo "  4. Enable and start services:"
+        echo "       systemctl enable --now patch-manager.target"
+        echo "  5. Access the web UI at https://localhost"
+        echo "     Default admin credentials are set via the seed migration."
+        echo ""
+        echo "IMPORTANT: Change the default admin password immediately after first login!"
+        echo ""
+        echo "If this is an upgrade, services have been restarted automatically."
+        echo "Apply any new database migrations:"
+        echo "  sudo -u patch_manager psql -d patch_manager -f /usr/share/patch-manager/migrations/<NNN_migration>.sql"
+        echo ""
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        ;;
+esac
+
+exit 0

debian/postrm

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -e
+
+case "$1" in
+    purge)
+        # Remove service user (only if purge)
+        if id patch-manager &>/dev/null; then
+            userdel patch-manager 2>/dev/null || true
+        fi
+
+        # Remove runtime data
+        rm -rf /var/log/patch-manager
+        rm -rf /opt/patch-manager
+        rm -rf /var/backups/patch-manager
+
+        # Remove configuration and keys (purge only)
+        rm -rf /etc/patch-manager
+
+        # Remove backup cron
+        crontab -l 2>/dev/null | grep -vF "backup.sh" | crontab - 2>/dev/null || true
+
+        # Reload systemd
+        systemctl daemon-reload
+        ;;
+
+    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # On remove (not purge), keep config and keys
+        systemctl daemon-reload 2>/dev/null || true
+        ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        ;;
+esac
+
+exit 0

debian/prerm

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+case "$1" in
+    remove|upgrade|deconfigure)
+        # Stop services gracefully
+        if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
+            systemctl stop patch-manager.target 2>/dev/null || true
+        fi
+        ;;
+
+    failed-upgrade)
+        ;;
+
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        ;;
+esac
+
+exit 0