19 Commits

Author	SHA1	Message	Date
Echo	2cc3d0db40	chore: bump version to 0.1.9 for rate limiting fix release	2026-05-21 02:38:29 +00:00
Echo	f9bdc0a5af	fix: update axum route syntax to v0.8 standard	2026-05-16 17:39:21 +00:00
Echo	69d2e88bbd	feat: OIDC SSO provider support (Keycloak, Azure AD, custom) ... - Refactored azure_sso.rs to sso.rs with generic OIDC provider support - Added OIDC discovery URL lookup with 1hr TTL caching - Added PKCE for all providers, client_secret optional for public clients - Added /api/v1/auth/sso/login and /api/v1/auth/sso/callback routes - Added /api/v1/auth/azure/* backward-compatible routes - Added POST /settings/sso/discover and POST /settings/sso/test endpoints - Frontend: Provider dropdown (Keycloak/Azure AD/Custom OIDC) - Frontend: Auto-fill discovery URL for Keycloak - Frontend: Discover Endpoints and Test Connection buttons - Frontend: Dynamic SSO button based on provider display name - Made migration 014 idempotent with DO blocks and IF NOT EXISTS - Fixed debian/install to use /usr/local/bin/ for binaries - Fixed frontend file path in .deb package - Reset admin password on dev server - Fixed database permissions for oidc_config table	2026-05-13 13:32:24 +00:00
Echo	1426ecffc2	chore: bump version to 0.1.4	2026-05-12 23:23:43 +00:00
Echo	4c300087f2	fix: Update build-package.sh VERSION to 0.1.3	2026-05-12 17:40:09 +00:00
Echo	f0bd431779	fix: postinst auto-restart services on upgrade and build-package.sh version sync ... - debian/postinst: auto-restart patch-manager-web and patch-manager-worker on upgrade (not fresh install) - debian/postinst: list pending database migrations after upgrade - scripts/build-package.sh: update debian/control Version from VERSION variable to ensure dpkg handles upgrades correctly - tasks/lessons.md: added lessons about service restarts and version sync	2026-05-07 00:55:34 +00:00
Echo	3ebdedda65	chore: bump version to 0.1.2	2026-05-06 21:43:29 +00:00
Echo	8bef562dbc	fix: ESLint errors and update git hooks to include ESLint ... - HostDetailPage.tsx: fix eqeqeq (!= to !==) - HostsPage.tsx: merge duplicate @mui/icons-material imports - PatchDeploymentPage.tsx: merge duplicate @mui/icons-material imports - pre-commit hook: add ESLint check - pre-push hook: add ESLint check	2026-05-06 17:46:10 +00:00
Echo	6481899cb5	chore: bump version to 0.1.1	2026-05-06 16:27:15 +00:00
Echo	0e9cb1c915	fix: add HealthCheckListResponse type to match API response structure ... - Added HealthCheckListResponse type { checks: [...], total: number } - Updated healthChecksApi.list() return type to HealthCheckListResponse - Fixed HostDetailPage to use res.data?.checks instead of Array.isArray - Added Target column to health checks table - Added git pre-commit/pre-push hooks to prevent format CI failures - Updated lessons.md	2026-05-06 16:18:29 +00:00
Echo	ee33ba5740	feat: setup.sh generates CA-signed web cert instead of self-signed ... - Generate internal CA (ECDSA P-256, 10-year validity) if not present - Sign web server cert with internal CA (1-year validity) - Add SANs for hostname, short hostname, localhost, and host IP - Add EKU: serverAuth to web cert - pm-ca will load existing CA on startup - Simplify host cert section to only show agent deployment files	2026-05-06 02:08:01 +00:00
Echo	a6b9c054b2	fix: missing fi closing JWT keys if-block in setup.sh	2026-04-28 23:29:04 +00:00
Echo	e18739f0ec	fix: missing SQL heredoc delimiter in setup.sh	2026-04-28 23:24:54 +00:00
Echo	83c97aa2b1	fix: resolve all startup bugs (BUG-6 through BUG-9) ... BUG-6: Add TLS support via axum-server + rustls - Added axum-server with tls-rustls feature to workspace and pm-web - pm-web now serves HTTPS when TLS certs exist, falls back to HTTP with warning - setup.sh generates self-signed ECDSA P-256 TLS cert with SANs - Config already had web_tls_cert_path/web_tls_key_path fields BUG-7: Fix audit chain integrity errors - Migration 005 now TRUNCATEs audit_log after adding prev_hash column - Existing rows had broken hash chains (inserted before prev_hash existed) BUG-8: Disable WatchdogSec in patch-manager-web.service - pm-web does not implement sd_notify, causing systemd to kill the service BUG-9: Disable WatchdogSec in patch-manager-worker.service - Same issue as BUG-8, worker does not implement sd_notify Previous fixes (BUG-1 through BUG-5) also included: - setup.sh: PostgreSQL 15+ schema GRANTs - Axum route syntax :param → {param} (19 routes) - DbUser struct role: String → UserRole enum mapping - UserRole/AuthProvider Display trait implementations - Seed admin password hash (Argon2id)	2026-04-28 23:01:03 +00:00
Echo	001c90f4d8	Fix build-package.sh - handle broken pipe from head command	2026-04-27 22:50:44 +00:00
Echo	475bcde7ed	ci: Use standalone release script to fix JSON escaping issues ... - Shell/curl JSON escaping caused HTTP 422 errors - Created scripts/create-release.py for reliable Gitea release creation - Uses Python urllib for proper JSON handling and multipart upload - Supports GITEA_TOKEN/GITHUB_TOKEN env vars with fallback	2026-04-24 12:30:23 +00:00
Echo	4e992afacc	feat: Add .deb packaging for Ubuntu 24.04 release ... - debian/control: Package metadata with dependencies - debian/postinst: Service user, dirs, JWT key gen, config, cron setup - debian/prerm: Graceful service stop before upgrade - debian/postrm: Purge cleanup (user, data, config, cron) - debian/changelog: 1.0.0-1 initial release - debian/install: File manifest - scripts/build-package.sh: Full build pipeline (cargo release, frontend, dpkg-deb) - .gitignore: Exclude *.deb and package-build/	2026-04-24 00:58:38 +00:00
Echo	297bf1bd83	feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing ... M11 - Email Notifications + Audit Logging Hardening: - Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders - Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging - Periodic + on-demand audit integrity verification - Audit logging for all config changes and certificate operations - Frontend: email settings integration, audit integrity verification action M12 - Deployment Packaging, Backup/DR, Integration Testing: - scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted) - scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install - systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening - systemd/patch-manager.target: Service target for coordinated lifecycle - docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets - scripts/integration-test.sh: 9 test suites covering full API lifecycle - scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s) - docs/security-review.md: Comprehensive security control verification - docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped	2026-04-24 00:45:51 +00:00
Echo	da5a94d838	feat(M1): Project scaffolding, DB schema, core infrastructure ... - Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core, pm-agent-client, pm-auth, pm-ca, pm-reports) - React + TypeScript + Vite + MUI frontend scaffold - Full PostgreSQL schema: all 17 tables with indexes and constraints - pm-core: config (TOML+env), db (SQLx pool + migrations), error (unified AppError + JSON envelope), request_id (ULID middleware), logging (tracing JSON/pretty) - pm-web: Axum skeleton, /status/health endpoint, static file serving - pm-worker: Tokio skeleton, heartbeat writer, schema version check - Embedded sqlx migrations with advisory lock (single-writer) - systemd unit files, setup.sh, build-frontend.sh - config.example.toml with all configuration keys - docs/runbooks/restore.md - cargo check passes with zero warnings Closes M1.	2026-04-23 15:55:53 +00:00