54 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Echo	71ddbe97d4	Fix YAML formatting in frontend-lint job	2026-04-27 20:07:15 +00:00
Echo	d6fa680f80	Fix Node.js 18 - use n version manager for sustainable installation	2026-04-27 20:03:00 +00:00
Echo	fea924f31e	Fix Node.js 18 - download binary directly from nodejs.org	2026-04-27 20:01:44 +00:00
Echo	2214d9d2c3	Fix Node.js 18 - use purge and remove conflicting files	2026-04-27 20:00:29 +00:00
Echo	65e7f8fab6	Fix Node.js 18 - also remove libnode72 package	2026-04-27 19:55:20 +00:00
Echo	8d4a428632	Fix Node.js 18 installation - remove conflicting packages first	2026-04-27 19:49:37 +00:00
Echo	9470c17fb2	Fix CI failures: clippy, tests, audit, and frontend lint ... - Rename clippy.toml field to single-char-binding-names-threshold - Add placeholder certificates for pm-agent-client doc tests - Add .cargo/audit.toml to handle upstream security advisories - Update CI to install Node.js 18 for frontend linting	2026-04-27 19:42:01 +00:00
Echo	8067ba9672	Fix checkout URL format to match linux_patch_api ... - Remove /api/v1/repos/ from archive URLs - Use direct repo path format: /echo/linux_patch_manager/archive/ - All 6 checkout steps updated	2026-04-27 17:58:45 +00:00
Echo	22f7d4c59c	Trigger CI test run after GITEATOKEN fix	2026-04-27 17:55:10 +00:00
Echo	8ccc703974	Fix Gitea CI configuration per troubleshooting guide ... - Quote YAML 'on' key to prevent boolean parsing - Fix GITEATOKEN case sensitivity (was GITEA_TOKEN) - Update Gitea URLs to https://gitea-lxc.moon-dragon.us - Fix release step token and URL parameters Fixes based on GITEA_CI_TROUBLESHOOTING_GUIDE.md	2026-04-27 16:18:14 +00:00
Echo	8a27b136b7	Revert "ci: adapt CI to ubuntu-22.04 runner with proven linux_patch_api patterns" ... This reverts commit f8bac85903.	2026-04-27 03:02:53 +00:00
Echo	f8bac85903	ci: adapt CI to ubuntu-22.04 runner with proven linux_patch_api patterns ... - Pin all jobs to ubuntu-22.04 runner - Use curl -sfL with secrets.GITEATOKEN for checkout - Switch checkout URL to https://gitea-lxc.moon-dragon.us - Install rustup with --default-toolchain stable --profile minimal - Add cargo bin to GITHUB_PATH instead of sourcing per-step - Enforce clippy -D warnings - Ignore RUSTSEC-2025-0134 in cargo audit - Pass GITEA_TOKEN via env for release step	2026-04-27 02:43:46 +00:00
Echo	bcb93c1d2d	ci: pin runner to ubuntu-22.04	2026-04-27 02:35:57 +00:00
Echo	9fd3e8c2f8	ci: Trigger CI test with ubuntu-latest containers and GITEA_TOKEN config	2026-04-24 17:26:56 +00:00
Echo	e07b0c2121	docs: Add lesson about dual-runner root cause	2026-04-24 16:25:08 +00:00
Echo	59f82068b0	ci: Switch to ubuntu-latest containers for all jobs ... - Changed runs-on from 'linux' to 'ubuntu-latest' for all jobs - Uses ubuntu-latest:docker://ubuntu:24.04 runner label - Each job runs in a fresh Ubuntu 24.04 container - Removed all PATH hacks, conditional sudo, and absolute paths - Ubuntu containers run as root (no sudo needed) - Standard commands work without PATH modifications - Added GITHUB_REPOSITORY fallback for checkout	2026-04-24 16:16:54 +00:00
Echo	c9084e9188	ci: Fix apt-get package names - use 'curl' not '/usr/bin/curl' ... Package names for apt-get install must not include paths. Only the command invocations use absolute paths.	2026-04-24 16:04:03 +00:00
Echo	6204e961f4	ci: Use absolute paths for all system commands in linux:host mode ... - act_runner host executor doesn't inherit PATH from workflow env or export - All system commands now use absolute paths: /usr/bin/apt-get, /usr/bin/curl, etc. - Removed all export PATH lines (were ineffective) - Fixes 'apt-get: command not found' and 'curl: command not found' errors	2026-04-24 16:03:48 +00:00
Echo	5fc0d65b16	ci: Add explicit PATH export to every step for linux:host runner ... - The global env: PATH variable doesn't propagate to act_runner shell scripts - Added export PATH=... at the start of every run: block - Fixes 'apt-get: command not found' and 'curl: command not found' errors - Removed global PATH from env: section (was ineffective)	2026-04-24 15:55:11 +00:00
Echo	da4632f44e	ci: Fix PATH env for linux:host runner + clean workflow ... - Added global PATH env variable with all standard paths - Fixes apt-get/curl 'command not found' errors in job execution context - Fixed broken YAML where if: and run: merged on one line - Cleaned up all per-step PATH exports (now global)	2026-04-24 15:49:41 +00:00
Echo	5a4d4d583e	style: Apply rustfmt with stable-only config ... - Fixed rustfmt.toml to only use stable options (removed nightly-only) - Applied cargo fmt --all to fix formatting violations - Stable options: edition=2021, max_width=100, reorder_imports/modules, match_block_trailing_comma	2026-04-24 15:32:50 +00:00
Echo	f0fe5f5fd1	ci: Use conditional sudo for apt-get in all jobs ... - Some jobs run as root (no sudo needed), others as echo user (sudo required) - Added SUDO detection: SUDO=; [ 0 -ne 0 ] && SUDO=sudo - Fixed remaining unfixed apt-get call in build-and-release job	2026-04-24 15:25:33 +00:00
Echo	70527802fa	ci: Remove sudo from apt-get commands - runner executes as root in host mode ... - sudo not available in all execution contexts - /root/.cache/act/ workspace indicates root user execution - apt-get works directly without sudo when running as root	2026-04-24 15:17:39 +00:00
Echo	a55bac60f3	ci: Add curl install before checkout in all quality gate jobs ... - rust-format job failed because curl was not available for checkout - Added 'Install checkout dependencies' step (curl, ca-certificates) to all jobs - Fixed duplicate steps block in rust-test job	2026-04-24 15:14:27 +00:00
Echo	b94f041aea	ci: Consolidate into single unified CI pipeline ... - Merged build.yml into ci.yml - single source of truth - Quality gates (format, clippy, test, audit, lint) run on every push/PR/tag - Build & Release job only runs on v* tag pushes - Build & Release depends on ALL quality gates passing - Deleted build.yml - no more split workflow confusion - Added rustfmt.toml, clippy.toml, eslint.config.js configs	2026-04-24 15:07:13 +00:00
Echo	f49ec1ac51	ci: Add comprehensive CI quality gates ... - New ci.yml workflow: rust-format, clippy, rust-test, security-audit, frontend-lint - rustfmt.toml: strict formatting rules (edition 2021, max_width 100, grouped imports) - clippy.toml: lint configuration with complexity thresholds - eslint.config.js: ESLint 9 flat config for TypeScript/React - build.yml: now only triggers on v* tags (ci.yml handles master/PR) - package.json: updated lint script for ESLint 9 flat config Quality gates run on every push to master and every PR: 1. Rust Format Check (cargo fmt --check --all) 2. Clippy Lints (pedantic + deny warnings) 3. Rust Unit Tests (cargo test --workspace --all-features) 4. Security Audit (cargo audit) 5. Frontend Lint (ESLint + TypeScript type check)	2026-04-24 14:55:01 +00:00
Echo	475bcde7ed	ci: Use standalone release script to fix JSON escaping issues ... - Shell/curl JSON escaping caused HTTP 422 errors - Created scripts/create-release.py for reliable Gitea release creation - Uses Python urllib for proper JSON handling and multipart upload - Supports GITEA_TOKEN/GITHUB_TOKEN env vars with fallback	2026-04-24 12:30:23 +00:00
Echo	101eb81f16	ci: Fix release step with hardcoded repo path and error handling ... - GITHUB_REPOSITORY may be empty in linux:host mode - Added REPO fallback to echo/linux_patch_manager - Added REF_NAME fallback for GITHUB_REF_NAME - Added HTTP status code check before parsing release JSON - Debug output for API response	2026-04-24 12:02:50 +00:00
Echo	e6829d0aa9	ci: Remove debug step, fix release auth for GITEA_TOKEN fallback ... - Removed debug environment step (no longer needed) - Release upload step now uses GITEA_TOKEN fallback - Uses internal Gitea API URL for release creation	2026-04-24 11:50:19 +00:00
Echo	f21853f88c	ci: Add debug step to check available env vars in linux:host mode ... - Need to verify which tokens are available in host execution - GITHUB_TOKEN may not be injected; GITEA_TOKEN added to systemd env - Debug output will guide checkout auth fix	2026-04-24 02:59:28 +00:00
Echo	fa5456c2b8	ci: Use GITEA_TOKEN fallback for API archive checkout ... - GITHUB_TOKEN may not be injected in linux:host mode - Use GITEA_TOKEN from runner environment as fallback - API archive download with Authorization header is proven working - Added GITEA_TOKEN to act-runner systemd service environment	2026-04-24 02:54:18 +00:00
Echo	9c924a204c	ci: Use Gitea API archive download instead of git clone ... - git clone with token-in-URL doesn't work for private repos in Gitea - Use API archive endpoint with Authorization header instead - curl archive tarball, extract with --strip-components=1 - More reliable than git URL auth for self-hosted runners	2026-04-24 02:21:16 +00:00
Echo	6ce34546e1	ci: Hardcode internal Gitea URL for checkout with auth ... - GITHUB_SERVER_URL may point to unreachable external domain - Use http://192.168.2.189:3000 directly with GITHUB_TOKEN for auth - Private repos require token-in-URL authentication	2026-04-24 02:18:27 +00:00
Echo	c9f9a59ce6	ci: Fix git clone with GITHUB_TOKEN for private repo auth ... - Private repos require authentication for git clone - Inject GITHUB_TOKEN into clone URL: http://echo:{GITHUB_TOKEN}@host/repo.git - Kill stuck clone processes on runner before new build	2026-04-24 02:17:51 +00:00
Echo	038c168472	docs: Add lessons for DinD in LXC, native runner, and GitHub action deps ... - Docker-in-Docker fails with SIGKILL in LXC (even --privileged) - Native act_runner binary with systemd is the correct approach - No GitHub action dependencies in Gitea workflows - Dig deeper on infrastructure issues (cascading problems) - Don't remove SSH keys without verifying current access	2026-04-24 01:53:55 +00:00
Echo	aa73ef7f38	ci: Use native host runner (runs-on: linux) for LXC compatibility ... - Docker-in-Docker fails with SIGKILL in LXC (exit 137 after 45s) - Even --privileged mode doesn't fix DinD in LXC - Native act_runner binary installed on LXC host with systemd service - Host is Ubuntu 24.04 with Rust 1.95, Node 18, npm pre-installed - runs-on: linux maps to linux:host label (direct host execution) - No GitHub action dependencies (pure shell steps only)	2026-04-24 01:53:26 +00:00
Echo	55a3b504fa	ci: Use ubuntu-latest with privileged runner for proper DinD ... - Change runs-on back to ubuntu-latest (maps to docker://ubuntu:24.04) - Remove container: directive (label already specifies image) - Remove sudo (running as root in Ubuntu container) - Always install Rust (no caching between runs yet)	2026-04-24 01:50:08 +00:00
Echo	dd40a26b01	ci: Use host runner to avoid Docker-in-Docker issues ... - Change runs-on from ubuntu-latest to linux (maps to linux:host) - Remove container: directive that caused SIGKILL on sibling containers - Run directly on LXC host which is already Ubuntu - Add sudo for apt-get commands on host - Check for existing cargo before installing Rust	2026-04-24 01:49:10 +00:00
Echo	ffd8c131f6	ci: Remove all GitHub action dependencies from workflow ... - Replace actions/checkout with git clone using GITHUB_SERVER_URL - Remove actions/cache (no cross-run caching for now) - Consolidate into single job (no artifact passing needed) - Remove actions/upload-artifact and actions/download-artifact - Pure shell steps only - no cloning from github.com needed	2026-04-24 01:44:21 +00:00
Echo	a1b2d564e9	docs: Add lessons learned from CI/CD runner troubleshooting ... - CI/CD First: set up pipeline before manual builds - Verify runner before creating workflows - Dig deeper on infrastructure issues (cascading problems) - Don't remove SSH keys without verifying current access path	2026-04-24 01:30:28 +00:00
Echo	f2ad17e7c3	ci: trigger Gitea Actions build	2026-04-24 01:20:12 +00:00
Echo	c31fc0e6e0	feat: Add Gitea Actions CI/CD pipeline for automated .deb builds ... - .gitea/workflows/build.yml: 3-job pipeline (backend, frontend, package) - Builds on Ubuntu 24.04 container for correct glibc - Tags v* trigger release + .deb upload to Gitea Releases - Master pushes produce dev builds as artifacts - tasks/lessons.md: CI/CD-first lesson captured	2026-04-24 01:12:34 +00:00
Echo	4e992afacc	feat: Add .deb packaging for Ubuntu 24.04 release ... - debian/control: Package metadata with dependencies - debian/postinst: Service user, dirs, JWT key gen, config, cron setup - debian/prerm: Graceful service stop before upgrade - debian/postrm: Purge cleanup (user, data, config, cron) - debian/changelog: 1.0.0-1 initial release - debian/install: File manifest - scripts/build-package.sh: Full build pipeline (cargo release, frontend, dpkg-deb) - .gitignore: Exclude *.deb and package-build/	2026-04-24 00:58:38 +00:00
Echo	297bf1bd83	feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing ... M11 - Email Notifications + Audit Logging Hardening: - Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders - Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging - Periodic + on-demand audit integrity verification - Audit logging for all config changes and certificate operations - Frontend: email settings integration, audit integrity verification action M12 - Deployment Packaging, Backup/DR, Integration Testing: - scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted) - scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install - systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening - systemd/patch-manager.target: Service target for coordinated lifecycle - docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets - scripts/integration-test.sh: 9 test suites covering full API lifecycle - scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s) - docs/security-review.md: Comprehensive security control verification - docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped	2026-04-24 00:45:51 +00:00
Echo	84ab92f4f0	feat(M10): Settings page - Azure SSO, SMTP, polling, IP whitelist, TLS strategy	2026-04-23 21:40:37 +00:00
Echo	7b7fac315e	feat(M8+M9): CA certificates page + Reporting CSV/PDF with charts	2026-04-23 18:56:11 +00:00
Echo	a5d52ffab0	feat: M6 maintenance windows + M7 WebSocket relay (real-time job status) ... M6 - Maintenance Windows: - routes/maintenance_windows.rs: full CRUD API - migrations/004_maintenance_windows.sql - frontend/MaintenanceWindowsPage.tsx - HostDetailPage.tsx: maintenance window config panel M7 - WebSocket Relay: - pm-web: POST /api/v1/ws/ticket (JWT-auth, single-use, 60s TTL) - pm-web: WS /api/v1/ws/jobs?ticket=... (PgListener -> browser push) - pm-web: DashMap<String,WsTicket> in AppState, 30s cleanup task - pm-worker: ws_relay.rs subscribes to agent WS, updates patch_job_hosts, fires pg_notify(job_update) for real-time fan-out - frontend: useJobWebSocket hook with auto-reconnect + exponential backoff - frontend: JobsPage live updates with WS status indicator - types: JobWsEvent interface - api/client: wsApi.createTicket() All tasks marked complete in tasks/todo.md cargo build: zero errors, zero warnings	2026-04-23 17:42:51 +00:00
Echo	6f9c6dc881	M5: Patch Deployment & Job Management ... Backend: - migrations/003_jobs_scheduling.sql: retry_next_at/last_error columns, pg_notify trigger for immediate job dispatch, retry index - pm-agent-client: ApplyPatchesRequest/Response, AgentJobStatus, RollbackResponse types; apply_patches/job_status/rollback_job client methods + generic POST helper - pm-core/models: JobStatus, JobKind, PatchJob, PatchJobHost, CreateJobRequest, PatchJobSummary - pm-web/routes/jobs.rs: POST/GET /api/v1/jobs, GET /jobs/:id, POST /jobs/:id/cancel, POST /jobs/:id/rollback - pm-worker/job_executor.rs: NOTIFY listener, periodic scanner, execute_host_job, poll_running_jobs, handle_host_failure (3-retry exponential backoff 1m/5m/30m), sync_job_status, retry_pending_jobs - pm-worker/main.rs: spawn job_executor Frontend: - types/index.ts: PatchInfo, PatchJobHost, PatchJob, PatchJobSummary, CreateJobRequest interfaces - api/client.ts: jobsApi (list/get/create/cancel/rollback), patchesApi (getHostPatches) - pages/PatchDeploymentPage.tsx: 3-step MUI Stepper (host select → configure → result) - pages/JobsPage.tsx: job list table, expandable per-host detail, cancel/rollback actions with confirm dialog, load-more pagination - App.tsx: /jobs and /deployment routes wired to real pages cargo check: 0 errors | vite build: 0 errors	2026-04-23 17:08:43 +00:00
Echo	a6eb762962	feat(M3): Host Management, Groups, Users, CIDR Discovery ... - pm-core::models: Host, HostSummary, Group, User, DiscoveryResult types + request payloads for all CRUD operations - pm-core::audit: Tamper-evident hash-chained audit log writer (SHA-256 chain, non-fatal, covers all M3 events) - pm-web/routes/hosts: Full host CRUD with RBAC scoping; FQDN DNS resolution on registration; host↔group membership; operator group-scoped access enforcement; audit on register/remove - pm-web/routes/groups: Full group CRUD; host↔group and user↔group membership management; admin-only create/delete/update - pm-web/routes/users: Full user CRUD (admin); current user profile; password hashing (Argon2id); role management; session revocation - pm-web/routes/discovery: CIDR scan with bounded concurrency (128 workers), TCP probe with 2s timeout, reverse DNS lookup, scan results table, register-from-discovery flow with audit log - Frontend: HostsPage (filterable table with health chips), HostDetailPage, GroupsPage (create/delete dialog), UsersPage (create/revoke sessions) - App.tsx updated with all M3 routes wired to real pages - cargo check --workspace: zero errors Closes M3.	2026-04-23 16:25:08 +00:00
Echo	6811f84a7c	feat(M2): Authentication, Authorization & Frontend Shell ... - pm-auth::password: Argon2id (m=65536,t=3,p=1) hashing + verification - pm-auth::jwt: EdDSA/Ed25519 JWT issuance + validation (15-min TTL) - pm-auth::refresh: Opaque 256-bit refresh tokens, SHA-256 hashed, 1-hour sliding inactivity timeout, rotation on use, revocable - pm-auth::mfa_totp: TOTP setup/verify (HMAC-SHA1, 6-digit, 30s) with otpauth:// URI generation (Google Authenticator compatible) - pm-auth::mfa_webauthn: Stub (full implementation deferred) - pm-auth::rbac: Axum middleware for JWT auth + IP whitelist + admin/operator role enforcement + FromRequestParts extractor - pm-auth::session: Full login flow (password → MFA → tokens), token refresh, logout, force-logout - pm-web auth routes: POST /api/v1/auth/login|refresh|logout, GET /api/v1/auth/mfa/setup, POST /api/v1/auth/mfa/verify - IP whitelist middleware on all protected connection points - migrations/002_seed_admin.sql: Default admin account seed - Frontend: Auth store (Zustand with persistence), login page with MFA prompt, MFA setup page (stepper), JWT auto-refresh interceptor, route guards (RequireAuth), updated App.tsx routing - cargo check --workspace: zero errors, 1 minor warning Closes M2.	2026-04-23 16:10:08 +00:00