5 Commits

Author	SHA1	Message	Date
Echo	a6b9c054b2	fix: missing fi closing JWT keys if-block in setup.sh	2026-04-28 23:29:04 +00:00
Echo	e18739f0ec	fix: missing SQL heredoc delimiter in setup.sh	2026-04-28 23:24:54 +00:00
Echo	83c97aa2b1	fix: resolve all startup bugs (BUG-6 through BUG-9) ... BUG-6: Add TLS support via axum-server + rustls - Added axum-server with tls-rustls feature to workspace and pm-web - pm-web now serves HTTPS when TLS certs exist, falls back to HTTP with warning - setup.sh generates self-signed ECDSA P-256 TLS cert with SANs - Config already had web_tls_cert_path/web_tls_key_path fields BUG-7: Fix audit chain integrity errors - Migration 005 now TRUNCATEs audit_log after adding prev_hash column - Existing rows had broken hash chains (inserted before prev_hash existed) BUG-8: Disable WatchdogSec in patch-manager-web.service - pm-web does not implement sd_notify, causing systemd to kill the service BUG-9: Disable WatchdogSec in patch-manager-worker.service - Same issue as BUG-8, worker does not implement sd_notify Previous fixes (BUG-1 through BUG-5) also included: - setup.sh: PostgreSQL 15+ schema GRANTs - Axum route syntax :param → {param} (19 routes) - DbUser struct role: String → UserRole enum mapping - UserRole/AuthProvider Display trait implementations - Seed admin password hash (Argon2id)	2026-04-28 23:01:03 +00:00
Echo	297bf1bd83	feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing ... M11 - Email Notifications + Audit Logging Hardening: - Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders - Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging - Periodic + on-demand audit integrity verification - Audit logging for all config changes and certificate operations - Frontend: email settings integration, audit integrity verification action M12 - Deployment Packaging, Backup/DR, Integration Testing: - scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted) - scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install - systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening - systemd/patch-manager.target: Service target for coordinated lifecycle - docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets - scripts/integration-test.sh: 9 test suites covering full API lifecycle - scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s) - docs/security-review.md: Comprehensive security control verification - docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped	2026-04-24 00:45:51 +00:00
Echo	da5a94d838	feat(M1): Project scaffolding, DB schema, core infrastructure ... - Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core, pm-agent-client, pm-auth, pm-ca, pm-reports) - React + TypeScript + Vite + MUI frontend scaffold - Full PostgreSQL schema: all 17 tables with indexes and constraints - pm-core: config (TOML+env), db (SQLx pool + migrations), error (unified AppError + JSON envelope), request_id (ULID middleware), logging (tracing JSON/pretty) - pm-web: Axum skeleton, /status/health endpoint, static file serving - pm-worker: Tokio skeleton, heartbeat writer, schema version check - Embedded sqlx migrations with advisory lock (single-writer) - systemd unit files, setup.sh, build-frontend.sh - config.example.toml with all configuration keys - docs/runbooks/restore.md - cargo check passes with zero warnings Closes M1.	2026-04-23 15:55:53 +00:00