44 Commits

Author	SHA1	Message	Date
Echo	2bbc03b937	fix: resolve 6 reporting issues - SQL schema mismatches, duplicate type, UI dropdown, chart scale, CSV error handling ... 1. Compliance CSV/PDF: Replace non-existent pd.total_packages with jsonb_array_length(pd.installed_packages) and pd.pending_patches with pd.patch_count. Fix GROUP BY to match new columns. 2. Vulnerability CSV/PDF: Replace non-existent pd.cve_data with jsonb_array_elements on pd.available_patches JSONB, extracting cve_ids via nested lateral join. Replace pd.updated_at with pd.polled_at (actual column name). 3. TypeScript: Remove duplicate PollingConfig interface declaration in frontend/src/types/index.ts. 4. ReportsPage: Replace Group ID text field with Select dropdown populated from GET /api/v1/groups, showing group names instead of requiring UUID input. 5. PDF charts: Increase embed_image scale from 0.18 to 0.28 for better visibility on A4 landscape pages. 6. Vulnerability CSV: Remove invalid (no data) comment row on query failure; return header-only CSV instead to maintain valid CSV format.	2026-05-12 19:59:03 +00:00
Echo	13cabcea77	fix: Replace console.log with console.warn in MfaSetupPage for ESLint	2026-05-12 17:26:49 +00:00
Echo	0fb804eefb	fix: Merge duplicate @mui/icons-material import in LoginPage	2026-05-12 17:05:48 +00:00
Echo	86a6c714d4	feat: Complete Azure SSO implementation (v0.1.3) ... - Add SSO session cleanup task (10-min expiry, 60s purge interval) - Change callback to redirect to frontend with tokens as query params - Add sso_callback_url to SecurityConfig with serde default - Add SsoCallbackPage.tsx for handling SSO callback redirects - Add /auth/sso/callback public route to App.tsx - Add Sign in with Microsoft Azure button to LoginPage - Replace insecure decode_jwt_payload with verify_id_token - Implement JWKS caching (1-hour TTL) and RSA signature verification - Validate iss, aud, exp claims on id_token - Add jsonwebtoken dependency to pm-web crate - Update config.example.toml with sso_callback_url setting - Add sso_callback_url to settings response (read-only from TOML)	2026-05-12 17:01:20 +00:00
Echo	08add28b80	fix: eslint-disable for useEffect deps in UsersPage	2026-05-07 19:14:21 +00:00
Echo	cc1214a963	feat: Phase 4 - password validation, force password reset flow, account lockout, QR code for MFA	2026-05-07 17:53:16 +00:00
Echo	b5b975e7e5	feat: Phase 3 - admin user management with edit, password reset, MFA disable, search/filter	2026-05-07 16:38:24 +00:00
Echo	5cf3125a2e	feat: Phase 2 - user profile page with self-service password change and MFA management	2026-05-07 16:32:55 +00:00
Echo	0a70afbbe9	feat: Phase 1 - user/password API extensions and auth route fix	2026-05-07 16:21:53 +00:00
Echo	42392ed9c7	fix: persist auth across refreshes with onFinishHydration and safety timeout	2026-05-07 13:39:14 +00:00
Echo	73df591cd3	fix: persist auth state across page refreshes using onRehydrateStorage	2026-05-07 02:59:09 +00:00
Echo	0279caf5d2	feat: add target_host_id to service health checks ... - Add target_host_id column to host_health_checks table (nullable UUID FK) - Allow service checks to query a different host agent - Backend models, API routes, and poller updated - Frontend: host selector dropdown for service checks - Validation: target host must exist and be healthy - FK ON DELETE SET NULL: revert to own host if target deleted	2026-05-06 21:38:42 +00:00
Echo	8bef562dbc	fix: ESLint errors and update git hooks to include ESLint ... - HostDetailPage.tsx: fix eqeqeq (!= to !==) - HostsPage.tsx: merge duplicate @mui/icons-material imports - PatchDeploymentPage.tsx: merge duplicate @mui/icons-material imports - pre-commit hook: add ESLint check - pre-push hook: add ESLint check	2026-05-06 17:46:10 +00:00
Echo	0e9cb1c915	fix: add HealthCheckListResponse type to match API response structure ... - Added HealthCheckListResponse type { checks: [...], total: number } - Updated healthChecksApi.list() return type to HealthCheckListResponse - Fixed HostDetailPage to use res.data?.checks instead of Array.isArray - Added Target column to health checks table - Added git pre-commit/pre-push hooks to prevent format CI failures - Updated lessons.md	2026-05-06 16:18:29 +00:00
Echo	3d9b2d4917	fix: health checks list not showing - API returns {checks:[...]} not array ... - Fixed data extraction: use res.data?.checks instead of Array.isArray(res.data) - Added Target column to health checks table showing service_name or URL - Matches the pattern used by maintenance windows (res.data?.windows)	2026-05-06 03:51:40 +00:00
Echo	812b23d2d0	fix: simplify host cert section to only show agent deployment files ... - Remove client cert/key from KeyDisplayDialog on host detail page - Bundle download now only contains ca.crt, server.crt, server.key - Rename bundle to {hostname}-agent-certs.zip - Remove standalone client cert download button - Update dialog title and warning text - The main Certificates page still has all certs available	2026-05-06 01:58:32 +00:00
Echo	5914c9b297	feat: all-inclusive agent cert bundle - server cert + client cert + CA root in one issuance	2026-05-06 01:29:25 +00:00
Echo	aa0cb9ab3c	feat: cert bundle download with CA root, re-issue endpoint, and enhanced cert UI	2026-05-05 23:06:48 +00:00
Echo	d59597b732	feat: add Issue Certificate button and dialog to HostDetailPage	2026-05-05 21:23:49 +00:00
Echo	1aa90c7eb0	fix: add host creation form for Add Host button	2026-05-05 20:48:14 +00:00
Echo	93828e1976	feat: health check configuration and worker engine (Phase 3+4) ... - Added health_check_poller.rs: periodic service/HTTP health checks - Added pre-patch health gate in job_executor.rs - Added waiting_health_check job status (migration 008) - Added health_check_status to HostSummary and hosts API - Added health check types and API functions to frontend - Added health check UI section to HostDetailPage - Added health check status indicators to HostsPage and PatchDeploymentPage - Added serde default for health_check_poll_interval_secs - Fixed missing AgentClient import in health_check_poller.rs - Fixed missing ws_relay import in main.rs - Fixed missing closing paren in retry_pending_jobs SQL - Added ReadWritePaths for /etc/patch-manager/keys in systemd services	2026-05-05 14:10:37 +00:00
Echo	1ba325d529	feat: add patches missing filter and count indicator to deploy page	2026-05-04 18:56:52 +00:00
Echo	9627febe90	fix: add job-level WS events so jobs show completed status ... - Frontend: handleWsEvent now distinguishes host vs job events - Host events only update detail rows + optimistic counters - Job events (event_type=job) set authoritative status + counts - Backend ws_relay: NotifyPayload now includes event_type field - Host events: event_type=host - update_parent_job_status fires pg_notify with event_type=job - Backend job_executor: sync_job_status fires pg_notify with event_type=job - Backend jobs cancel endpoint fires pg_notify with event_type=job - Fixes jobs appearing stuck because host status was mapped to job status	2026-05-03 16:34:38 +00:00
Echo	eec976d093	fix: graceful login error handling and remove hard redirects ... - LoginPage.tsx: proper error handling for network errors, rate limiting (429), MFA required, account disabled, and server errors - LoginPage.tsx: dismissible error alerts with onClose - LoginPage.tsx: added 🐉 branding to login title - client.ts: removed window.location.href hard redirects on auth failure (now uses React state-based logout instead of full page reload) - client.ts: auth errors now propagate naturally through React Router	2026-04-29 01:27:58 +00:00
Echo	8ef118a515	feat: add AppLayout sidebar navigation with dark theme ... - Created AppLayout.tsx with MUI AppBar + permanent sidebar drawer - Grouped navigation: Overview, Fleet, Operations, Administration - RBAC visibility: admin-only items (Users, Certificates, Settings) - User menu with logout functionality - Mobile-responsive collapsible drawer - Active state indicator on current page - Switched theme from lightTheme to darkTheme in App.tsx - Wrapped authenticated routes in AppLayout with React Router Outlet - 404 redirect to dashboard instead of placeholder page	2026-04-29 01:22:07 +00:00
Echo	44836cb365	Add eslint-disable eqeqeq for TypeScript nullish check pattern	2026-04-27 22:11:10 +00:00
Echo	04dac6fec0	Fix TypeScript type errors - use != null to exclude both null and undefined	2026-04-27 22:05:48 +00:00
Echo	f00853b5c0	Fix ESLint warnings with disable comments for legitimate cases	2026-04-27 21:59:50 +00:00
Echo	8c07d3e967	Fix ESLint error: remove unused catch parameter	2026-04-27 21:32:08 +00:00
Echo	ba12ad03ce	Update package-lock.json for eslint-plugin-react-hooks	2026-04-27 21:25:19 +00:00
Echo	2fd3eb89b4	Fix all frontend ESLint errors ... - Add eslint-plugin-react-hooks to package.json and config - Fix duplicate imports in HostsPage.tsx - Remove non-null assertion in main.tsx - Fix != to !== in HostDetailPage.tsx and MaintenanceWindowsPage.tsx - Fix unused variable in ReportsPage.tsx - Change console.debug to console.warn in useJobWebSocket.ts	2026-04-27 21:20:25 +00:00
Echo	adb88fc296	Fix ESLint config syntax	2026-04-27 20:43:44 +00:00
Echo	c7061569e4	Fix ESLint config - remove unconfigured React plugin rules	2026-04-27 20:24:03 +00:00
Echo	8a27b136b7	Revert "ci: adapt CI to ubuntu-22.04 runner with proven linux_patch_api patterns" ... This reverts commit f8bac85903.	2026-04-27 03:02:53 +00:00
Echo	f8bac85903	ci: adapt CI to ubuntu-22.04 runner with proven linux_patch_api patterns ... - Pin all jobs to ubuntu-22.04 runner - Use curl -sfL with secrets.GITEATOKEN for checkout - Switch checkout URL to https://gitea-lxc.moon-dragon.us - Install rustup with --default-toolchain stable --profile minimal - Add cargo bin to GITHUB_PATH instead of sourcing per-step - Enforce clippy -D warnings - Ignore RUSTSEC-2025-0134 in cargo audit - Pass GITEA_TOKEN via env for release step	2026-04-27 02:43:46 +00:00
Echo	f49ec1ac51	ci: Add comprehensive CI quality gates ... - New ci.yml workflow: rust-format, clippy, rust-test, security-audit, frontend-lint - rustfmt.toml: strict formatting rules (edition 2021, max_width 100, grouped imports) - clippy.toml: lint configuration with complexity thresholds - eslint.config.js: ESLint 9 flat config for TypeScript/React - build.yml: now only triggers on v* tags (ci.yml handles master/PR) - package.json: updated lint script for ESLint 9 flat config Quality gates run on every push to master and every PR: 1. Rust Format Check (cargo fmt --check --all) 2. Clippy Lints (pedantic + deny warnings) 3. Rust Unit Tests (cargo test --workspace --all-features) 4. Security Audit (cargo audit) 5. Frontend Lint (ESLint + TypeScript type check)	2026-04-24 14:55:01 +00:00
Echo	297bf1bd83	feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing ... M11 - Email Notifications + Audit Logging Hardening: - Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders - Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging - Periodic + on-demand audit integrity verification - Audit logging for all config changes and certificate operations - Frontend: email settings integration, audit integrity verification action M12 - Deployment Packaging, Backup/DR, Integration Testing: - scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted) - scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install - systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening - systemd/patch-manager.target: Service target for coordinated lifecycle - docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets - scripts/integration-test.sh: 9 test suites covering full API lifecycle - scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s) - docs/security-review.md: Comprehensive security control verification - docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped	2026-04-24 00:45:51 +00:00
Echo	84ab92f4f0	feat(M10): Settings page - Azure SSO, SMTP, polling, IP whitelist, TLS strategy	2026-04-23 21:40:37 +00:00
Echo	7b7fac315e	feat(M8+M9): CA certificates page + Reporting CSV/PDF with charts	2026-04-23 18:56:11 +00:00
Echo	a5d52ffab0	feat: M6 maintenance windows + M7 WebSocket relay (real-time job status) ... M6 - Maintenance Windows: - routes/maintenance_windows.rs: full CRUD API - migrations/004_maintenance_windows.sql - frontend/MaintenanceWindowsPage.tsx - HostDetailPage.tsx: maintenance window config panel M7 - WebSocket Relay: - pm-web: POST /api/v1/ws/ticket (JWT-auth, single-use, 60s TTL) - pm-web: WS /api/v1/ws/jobs?ticket=... (PgListener -> browser push) - pm-web: DashMap<String,WsTicket> in AppState, 30s cleanup task - pm-worker: ws_relay.rs subscribes to agent WS, updates patch_job_hosts, fires pg_notify(job_update) for real-time fan-out - frontend: useJobWebSocket hook with auto-reconnect + exponential backoff - frontend: JobsPage live updates with WS status indicator - types: JobWsEvent interface - api/client: wsApi.createTicket() All tasks marked complete in tasks/todo.md cargo build: zero errors, zero warnings	2026-04-23 17:42:51 +00:00
Echo	6f9c6dc881	M5: Patch Deployment & Job Management ... Backend: - migrations/003_jobs_scheduling.sql: retry_next_at/last_error columns, pg_notify trigger for immediate job dispatch, retry index - pm-agent-client: ApplyPatchesRequest/Response, AgentJobStatus, RollbackResponse types; apply_patches/job_status/rollback_job client methods + generic POST helper - pm-core/models: JobStatus, JobKind, PatchJob, PatchJobHost, CreateJobRequest, PatchJobSummary - pm-web/routes/jobs.rs: POST/GET /api/v1/jobs, GET /jobs/:id, POST /jobs/:id/cancel, POST /jobs/:id/rollback - pm-worker/job_executor.rs: NOTIFY listener, periodic scanner, execute_host_job, poll_running_jobs, handle_host_failure (3-retry exponential backoff 1m/5m/30m), sync_job_status, retry_pending_jobs - pm-worker/main.rs: spawn job_executor Frontend: - types/index.ts: PatchInfo, PatchJobHost, PatchJob, PatchJobSummary, CreateJobRequest interfaces - api/client.ts: jobsApi (list/get/create/cancel/rollback), patchesApi (getHostPatches) - pages/PatchDeploymentPage.tsx: 3-step MUI Stepper (host select → configure → result) - pages/JobsPage.tsx: job list table, expandable per-host detail, cancel/rollback actions with confirm dialog, load-more pagination - App.tsx: /jobs and /deployment routes wired to real pages cargo check: 0 errors | vite build: 0 errors	2026-04-23 17:08:43 +00:00
Echo	a6eb762962	feat(M3): Host Management, Groups, Users, CIDR Discovery ... - pm-core::models: Host, HostSummary, Group, User, DiscoveryResult types + request payloads for all CRUD operations - pm-core::audit: Tamper-evident hash-chained audit log writer (SHA-256 chain, non-fatal, covers all M3 events) - pm-web/routes/hosts: Full host CRUD with RBAC scoping; FQDN DNS resolution on registration; host↔group membership; operator group-scoped access enforcement; audit on register/remove - pm-web/routes/groups: Full group CRUD; host↔group and user↔group membership management; admin-only create/delete/update - pm-web/routes/users: Full user CRUD (admin); current user profile; password hashing (Argon2id); role management; session revocation - pm-web/routes/discovery: CIDR scan with bounded concurrency (128 workers), TCP probe with 2s timeout, reverse DNS lookup, scan results table, register-from-discovery flow with audit log - Frontend: HostsPage (filterable table with health chips), HostDetailPage, GroupsPage (create/delete dialog), UsersPage (create/revoke sessions) - App.tsx updated with all M3 routes wired to real pages - cargo check --workspace: zero errors Closes M3.	2026-04-23 16:25:08 +00:00
Echo	6811f84a7c	feat(M2): Authentication, Authorization & Frontend Shell ... - pm-auth::password: Argon2id (m=65536,t=3,p=1) hashing + verification - pm-auth::jwt: EdDSA/Ed25519 JWT issuance + validation (15-min TTL) - pm-auth::refresh: Opaque 256-bit refresh tokens, SHA-256 hashed, 1-hour sliding inactivity timeout, rotation on use, revocable - pm-auth::mfa_totp: TOTP setup/verify (HMAC-SHA1, 6-digit, 30s) with otpauth:// URI generation (Google Authenticator compatible) - pm-auth::mfa_webauthn: Stub (full implementation deferred) - pm-auth::rbac: Axum middleware for JWT auth + IP whitelist + admin/operator role enforcement + FromRequestParts extractor - pm-auth::session: Full login flow (password → MFA → tokens), token refresh, logout, force-logout - pm-web auth routes: POST /api/v1/auth/login|refresh|logout, GET /api/v1/auth/mfa/setup, POST /api/v1/auth/mfa/verify - IP whitelist middleware on all protected connection points - migrations/002_seed_admin.sql: Default admin account seed - Frontend: Auth store (Zustand with persistence), login page with MFA prompt, MFA setup page (stepper), JWT auto-refresh interceptor, route guards (RequireAuth), updated App.tsx routing - cargo check --workspace: zero errors, 1 minor warning Closes M2.	2026-04-23 16:10:08 +00:00
Echo	da5a94d838	feat(M1): Project scaffolding, DB schema, core infrastructure ... - Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core, pm-agent-client, pm-auth, pm-ca, pm-reports) - React + TypeScript + Vite + MUI frontend scaffold - Full PostgreSQL schema: all 17 tables with indexes and constraints - pm-core: config (TOML+env), db (SQLx pool + migrations), error (unified AppError + JSON envelope), request_id (ULID middleware), logging (tracing JSON/pretty) - pm-web: Axum skeleton, /status/health endpoint, static file serving - pm-worker: Tokio skeleton, heartbeat writer, schema version check - Embedded sqlx migrations with advisory lock (single-writer) - systemd unit files, setup.sh, build-frontend.sh - config.example.toml with all configuration keys - docs/runbooks/restore.md - cargo check passes with zero warnings Closes M1.	2026-04-23 15:55:53 +00:00