fix: remove postinst migrations, let app handle schema via sqlx (#68)

Root cause: postinst ran sqlx migrate as postgres (superuser), creating ALL
database objects owned by postgres. When pm-web connects as patch_manager, it
cannot ALTER TABLE during migrations because it does not own them. The
reassign_ownership() function never worked because REASSIGN OWNED BY postgres
TO patch_manager fails for superuser-owned objects.

Fix: Create the database owned by patch_manager (already done) and run all
migrations as patch_manager via PGPASSWORD auth. When all objects are owned by
patch_manager from the start, pm-web can ALTER them during upgrades.

Changes:
- Add psql_run_as_pm() helper that authenticates as patch_manager via PGPASSWORD
- Replace all psql_run_db calls in apply_migrations() with psql_run_as_pm
- Remove reassign_ownership() function entirely (it never worked)
- Remove reassign_ownership call from main()
- Add ALTER DEFAULT PRIVILEGES FOR ROLE postgres in setup_database() as safety
  net for any future migration that might run as postgres
- Upgrade GRANT USAGE/CREATE to GRANT ALL PRIVILEGES on schema public
- Keep pgcrypto extension creation as postgres (requires superuser)
- Renumber sections after removing reassign_ownership

Proven on live LPM system: service active, port 443 listening, all tables
owned by patch_manager.

.github/workflows/ci.yml

@@ -9,6 +9,7 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
 permissions:
   contents: write
@@ -19,7 +20,7 @@ jobs:
     name: Rust Format
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: rustfmt
@@ -30,7 +31,7 @@ jobs:
     name: Clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy
@@ -43,7 +44,7 @@ jobs:
     name: Rust Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - name: Install system dependencies
@@ -54,7 +55,7 @@ jobs:
     name: Security Audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - run: cargo install cargo-audit && cargo audit
 
@@ -62,11 +63,11 @@ jobs:
     name: Secret scanning
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Gitleaks
-        uses: gitleaks/gitleaks-action@v2
+        uses: gitleaks/gitleaks-action@v3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -74,9 +75,9 @@ jobs:
     name: Frontend Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20'
       - name: Install & Lint
@@ -87,7 +88,7 @@ jobs:
     needs: [rust-format, clippy, rust-test, security-audit, frontend-lint]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Free disk space
@@ -103,7 +104,7 @@ jobs:
       - name: Strip binaries
         run: strip target/release/pm-web target/release/pm-worker
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20'
       - name: Build frontend
@@ -125,7 +126,7 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
       - name: Upload to GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           body: ${{ steps.release_notes.outputs.notes }}
           files: linux-patch-manager_*.deb
@@ -135,17 +136,18 @@ jobs:
     needs: [rust-format, clippy, rust-test, security-audit, frontend-lint]
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -153,7 +155,7 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/draco-lunaris/linux-patch-manager
           tags: |
@@ -163,10 +165,10 @@ jobs:
             type=sha
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

Cargo.toml

@@ -12,7 +12,7 @@ members = [
 ]
 
 [workspace.package]
-version = "1.1.1"
+version = "1.1.12"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 license = "MIT"

Dockerfile

@@ -28,6 +28,14 @@ WORKDIR /usr/src/app
 
 # Cache dependencies by building a dummy project first
 COPY Cargo.toml Cargo.lock ./
+COPY crates/pm-web/Cargo.toml crates/pm-web/Cargo.toml
+COPY crates/pm-worker/Cargo.toml crates/pm-worker/Cargo.toml
+COPY crates/pm-core/Cargo.toml crates/pm-core/Cargo.toml
+COPY crates/pm-agent-client/Cargo.toml crates/pm-agent-client/Cargo.toml
+COPY crates/pm-auth/Cargo.toml crates/pm-auth/Cargo.toml
+COPY crates/pm-ca/Cargo.toml crates/pm-ca/Cargo.toml
+COPY crates/pm-reports/Cargo.toml crates/pm-reports/Cargo.toml
+COPY crates/migrate-secrets/Cargo.toml crates/migrate-secrets/Cargo.toml
 RUN mkdir -p crates/pm-web/src crates/pm-worker/src crates/pm-core/src \
     crates/pm-agent-client/src crates/pm-auth/src crates/pm-ca/src \
     crates/pm-reports/src crates/migrate-secrets/src
@@ -43,6 +51,7 @@ RUN cargo build --release 2>/dev/null || true
 
 # Now build the real project
 COPY crates/ crates/
+COPY migrations/ migrations/
 RUN cargo build --release
 
 # Verify binaries exist
@@ -84,6 +93,7 @@ RUN apt-get update && apt-get install -y \
     ca-certificates \
     libssl3t64 \
     libfontconfig1 \
+    openssl \
     postgresql-client-16 \
     argon2 \
     curl \

config/config.example.toml

@@ -49,7 +49,8 @@ health_check_poll_interval_secs = 300
 # Maximum concurrent mTLS agent calls (Tokio Semaphore)
 max_concurrent_agent_calls = 64
 
-# Worker heartbeat write interval (seconds)
+# Worker heartbeat write interval (seconds). Default: 300 = 5 minutes
+heartbeat_interval_secs = 300
 
 # WS relay HTTP polling fallback interval (seconds). When WebSocket connection to
 # an agent fails, the relay falls back to polling the agent's HTTP API at this

crates/pm-core/src/config.rs

@@ -101,7 +101,8 @@ pub struct WorkerConfig {
     pub health_check_poll_interval_secs: u64,
     /// Maximum concurrent agent calls
     pub max_concurrent_agent_calls: usize,
-    /// Worker heartbeat interval in seconds
+    /// Worker heartbeat interval in seconds (default: 300 = 5 min)
+    #[serde(default = "default_heartbeat_interval")]
     pub heartbeat_interval_secs: u64,
     /// WS relay HTTP polling fallback interval in seconds (default: 10)
     pub ws_relay_poll_interval_secs: u64,
@@ -255,6 +256,10 @@ fn default_health_check_poll_interval() -> u64 {
     300
 }
 
+fn default_heartbeat_interval() -> u64 {
+    300
+}
+
 fn default_sso_callback_url() -> String {
     "http://localhost:5173/auth/sso/callback".to_string()
 }

debian/changelog

@@ -1,3 +1,63 @@
+linux-patch-manager (1.1.12-1) unstable; urgency=low
+
+  * Release v1.1.12
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 22:14:03 -0500
+
+linux-patch-manager (1.1.11-1) unstable; urgency=low
+
+  * Release v1.1.11
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 15:57:10 -0500
+
+linux-patch-manager (1.1.10-1) unstable; urgency=low
+
+  * Release v1.1.10
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 14:11:31 -0500
+
+linux-patch-manager (1.1.9-1) unstable; urgency=low
+
+  * Release v1.1.9
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 13:05:59 -0500
+
+linux-patch-manager (1.1.8-1) unstable; urgency=low
+
+  * Release v1.1.8
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 11:47:58 -0500
+
+linux-patch-manager (1.1.7-1) unstable; urgency=low
+
+  * Release v1.1.7
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 09:11:11 -0500
+
+linux-patch-manager (1.1.6-1) unstable; urgency=low
+
+  * Release v1.1.6
+
+ -- git-echo <git-echo@moon-dragon.us>  Tue, 09 Jun 2026 08:10:52 -0500
+
+linux-patch-manager (1.1.5-1) unstable; urgency=low
+
+  * Release v1.1.5
+
+ -- git-echo <git-echo@moon-dragon.us>  Mon, 08 Jun 2026 20:15:50 -0500
+
+linux-patch-manager (1.1.4-1) unstable; urgency=low
+
+  * Release v1.1.4
+
+ -- git-echo <git-echo@moon-dragon.us>  Mon, 08 Jun 2026 17:30:35 -0500
+
+linux-patch-manager (1.1.2-1) unstable; urgency=low
+
+  * Release v1.1.2
+
+ -- git-echo <git-echo@moon-dragon.us>  Sun, 07 Jun 2026 21:19:18 -0500
+
 linux-patch-manager (1.1.1-1) unstable; urgency=low
 
   * Release v1.1.1

debian/control

@@ -1,5 +1,5 @@
 Package: linux-patch-manager
-Version: 1.1.1-1
+Version: 1.1.12-1
 Architecture: amd64
 Maintainer: Moon Dragon <echo@moon-dragon.us>
 Installed-Size: 45000

debian/postinst

@@ -7,6 +7,9 @@ set -e
 # Fully automated: apt install ./linux-patch-manager_X.X.X-1_amd64.deb
 # results in a running service with a printed admin password.
 # All steps are idempotent (safe to re-run on upgrade).
+#
+# Migrations are handled by the application via sqlx on startup.
+# This script only creates the database, user, and grants.
 # =============================================================================
 
 RED='\033[0;31m'
@@ -22,7 +25,6 @@ error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
 DB_NAME="patch_manager"
 DB_USER="patch_manager"
 CONFIG_DIR="/etc/patch-manager"
-MIGRATION_DIR="/usr/share/patch-manager/migrations"
 ADMIN_PASSWORD_FILE="/etc/patch-manager/admin-password.txt"
 
 # ---------------------------------------------------------------------------
@@ -34,7 +36,7 @@ psql_run() {
 }
 
 psql_run_db() {
-    # Run SQL against the patch_manager database
+    # Run SQL against the patch_manager database as postgres superuser
     sudo -u postgres psql -v ON_ERROR_STOP=1 -d "${DB_NAME}" "$@" 2>/dev/null
 }
 
@@ -89,7 +91,7 @@ wait_for_postgresql() {
 }
 
 # ---------------------------------------------------------------------------
-# 4. Create PostgreSQL user and database (idempotent)
+# 4. Create PostgreSQL user, database, and grants (idempotent)
 # ---------------------------------------------------------------------------
 setup_database() {
     info "Setting up PostgreSQL database and user..."
@@ -107,7 +109,27 @@ setup_database() {
         # Store password for config generation
         echo "${db_password}" > /tmp/.pm-db-password-new
     else
-        info "PostgreSQL user '${DB_USER}' already exists, skipping creation."
+        info "PostgreSQL user '${DB_USER}' already exists."
+        # Recover the DB password: try from existing config, or generate new.
+        local config_file="${CONFIG_DIR}/config.toml"
+        local existing_pw=""
+        if [[ -f "${config_file}" ]]; then
+            # Extract password from URL: postgres://user:PASSWORD@host/db
+            # Use @localhost anchor so passwords containing @ are extracted correctly.
+            existing_pw=$(sed -n 's|^url = "postgres://[^:]*:\(.*\)@localhost.*"|\1|p' "${config_file}" | head -1)
+        fi
+        if [[ -n "${existing_pw}" && "${existing_pw}" != "CHANGEME" ]]; then
+            # Config has a real password — sync it to PostgreSQL so the app can connect.
+            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${existing_pw}';" 2>/dev/null || true
+            echo "${existing_pw}" > /tmp/.pm-db-password-new
+            info "Synced DB password from existing config to PostgreSQL."
+        else
+            # No config or CHANGEME — generate a fresh password and update PostgreSQL.
+            db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
+            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
+            echo "${db_password}" > /tmp/.pm-db-password-new
+            info "Generated new DB password for existing user."
+        fi
     fi
 
     # Create database if not exists
@@ -120,84 +142,145 @@ setup_database() {
         info "Database '${DB_NAME}' already exists, skipping creation."
     fi
 
-    # Grant permissions (idempotent)
-    psql_run_db -c "GRANT USAGE ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
-    psql_run_db -c "GRANT CREATE ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
-    psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true
-}
-
-# ---------------------------------------------------------------------------
-# 5. Apply database migrations (idempotent)
-# ---------------------------------------------------------------------------
-apply_migrations() {
-    info "Applying database migrations..."
-
-    # Ensure pgcrypto extension is available
+    # Ensure pgcrypto extension is available (required by application migrations)
     psql_run_db -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" 2>/dev/null || true
 
-    # Create migration tracking table if not exists
-    psql_run_db <<'MIGSQL'
-CREATE TABLE IF NOT EXISTS _migrations (
-    id          SERIAL PRIMARY KEY,
-    filename    TEXT    NOT NULL UNIQUE,
-    applied_at  TIMESTAMPTZ NOT NULL DEFAULT now()
-);
-MIGSQL
+    # Grant full permissions so patch_manager owns and manages all objects
+    psql_run_db -c "GRANT ALL PRIVILEGES ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
+    psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true
+    # If any future migration runs as postgres, ensure objects are still accessible by patch_manager
+    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON TABLES TO ${DB_USER};" 2>/dev/null || true
+    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON SEQUENCES TO ${DB_USER};" 2>/dev/null || true
+    psql_run_db -c "ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public GRANT ALL ON FUNCTIONS TO ${DB_USER};" 2>/dev/null || true
+}
 
-    # Handle upgrade from pre-migration-tracking versions:
-    # If tables exist but _migrations is empty, mark all existing migrations as applied.
-    local migration_count
-    migration_count=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM _migrations;" 2>/dev/null || echo "0")
-    migration_count="${migration_count// /}"
+# ---------------------------------------------------------------------------
+# 5. Write config.toml with DB URL
+# ---------------------------------------------------------------------------
+# Handles three scenarios:
+#   1. No config file → create from example with real DB password
+#   2. Config exists with CHANGEME → replace CHANGEME with real DB password
+#   3. Config exists with real password → leave it alone (upgrade)
+# ---------------------------------------------------------------------------
+write_config() {
+    local config_file="${CONFIG_DIR}/config.toml"
 
-    local tables_exist
-    tables_exist=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='users';" 2>/dev/null || echo "0")
-    tables_exist="${tables_exist// /}"
-
-    if [[ "${migration_count}" == "0" && "${tables_exist}" -gt 0 ]]; then
-        info "Existing database detected — marking all shipped migrations as already applied."
-        for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
-            local fname
-            fname=$(basename "${sql_file}")
-            psql_run_db -c "INSERT INTO _migrations (filename) VALUES ('${fname}') ON CONFLICT (filename) DO NOTHING;" 2>/dev/null || true
-        done
+    # Resolve the DB password to use: from setup_database() or generate fresh.
+    local db_password=""
+    if [[ -f /tmp/.pm-db-password-new ]]; then
+        db_password=$(cat /tmp/.pm-db-password-new)
     fi
 
-    # Apply each migration in sorted order, skipping already-applied ones
-    local applied=0
-    local skipped=0
-    for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
-        local fname
-        fname=$(basename "${sql_file}")
-
-        local already_applied
-        already_applied=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM _migrations WHERE filename='${fname}';" 2>/dev/null || echo "0")
-        already_applied="${already_applied// /}"
-
-        if [[ "${already_applied}" -gt 0 ]]; then
-            skipped=$((skipped + 1))
-            continue
-        fi
-
-        info "  Applying migration: ${fname}"
-        if psql_run_db -f "${sql_file}"; then
-            psql_run_db -c "INSERT INTO _migrations (filename) VALUES ('${fname}');" 2>/dev/null || true
-            applied=$((applied + 1))
+    if [[ -f "${config_file}" ]]; then
+        # Check if the config still has the CHANGEME placeholder
+        if grep -q 'CHANGEME' "${config_file}"; then
+            if [[ -z "${db_password}" ]]; then
+                # No password from setup_database() — generate a fresh one
+                db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
+                psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
+            fi
+            info "Replacing CHANGEME placeholder in existing config with real DB password."
+            sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
         else
-            error "  Failed to apply migration: ${fname}"
-            return 1
+            info "Config file ${config_file} already exists with a real password, leaving it unchanged."
+            return 0
         fi
-    done
-
-    if [[ "${applied}" -gt 0 ]]; then
-        info "Applied ${applied} new migration(s), skipped ${skipped} already applied."
     else
-        info "All migrations up to date (${skipped} already applied)."
+        # No config file — create from example
+        if [[ -z "${db_password}" ]]; then
+            db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
+            psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
+        fi
+
+        info "Writing configuration file..."
+        cp /usr/share/patch-manager/config.example.toml "${config_file}"
+        sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
+    fi
+
+    chown patch-manager:patch-manager "${config_file}"
+    chmod 640 "${config_file}"
+    info "Configuration written to ${config_file}"
+}
+
+# ---------------------------------------------------------------------------
+# 6. Generate JWT keys (idempotent)
+# Only generates if missing; regenerates verify.pem from signing.pem if lost.
+# ---------------------------------------------------------------------------
+generate_jwt_keys() {
+    if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
+        info "Generating Ed25519 JWT signing key..."
+        openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
+        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
+        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
+        chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
+        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
+        info "JWT keys generated."
+    elif [[ ! -f "${CONFIG_DIR}/jwt/verify.pem" ]]; then
+        info "Regenerating missing JWT verification key from existing signing key..."
+        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
+        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/verify.pem"
+        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
+        info "JWT verification key regenerated."
+    else
+        info "JWT keys already exist, skipping."
     fi
 }
 
 # ---------------------------------------------------------------------------
-# 6. Generate admin password and update database
+# 7. Enable and start services
+# ---------------------------------------------------------------------------
+enable_and_start_services() {
+    systemctl daemon-reload
+
+    # Enable the target (which pulls in web + worker)
+    systemctl enable patch-manager.target 2>/dev/null || true
+
+    # Enable individual services so they survive a reboot
+    systemctl enable patch-manager-web.service patch-manager-worker.service 2>/dev/null || true
+
+    # Start or restart services
+    if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
+        info "Restarting patch-manager services (upgrade)..."
+        systemctl restart patch-manager.target 2>/dev/null || true
+    else
+        info "Starting patch-manager services..."
+        systemctl start patch-manager.target 2>/dev/null || true
+    fi
+}
+
+# ---------------------------------------------------------------------------
+# 8. Wait for pm-web service to be healthy
+# The application runs database migrations via sqlx on startup.
+# We must wait for it to be ready before generating the admin password,
+# since the users table won't exist until migrations complete.
+# ---------------------------------------------------------------------------
+wait_for_service_healthy() {
+    info "Waiting for pm-web service to become healthy (migrations run on startup)..."
+    local retries=30
+    local delay=1
+    local i
+    for ((i = 1; i <= retries; i++)); do
+        # Check if the service is active
+        if systemctl is-active --quiet patch-manager-web.service 2>/dev/null; then
+            # Service is active — try a health check on the HTTPS port
+            if curl -skf https://localhost:443/ >/dev/null 2>&1 || \
+               curl -skf https://localhost:8443/ >/dev/null 2>&1; then
+                info "pm-web is healthy."
+                return 0
+            fi
+        fi
+        warn "pm-web not ready yet (attempt ${i}/${retries}), waiting ${delay}s..."
+        sleep "${delay}"
+    done
+    error "pm-web did not become healthy after $((retries * delay)) seconds."
+    error "Admin password generation may fail because the users table may not exist yet."
+    return 1
+}
+
+# ---------------------------------------------------------------------------
+# 9. Generate admin password and update database
+# Must run AFTER the service has started and run migrations,
+# because the users table is created by sqlx migrations.
 # ---------------------------------------------------------------------------
 generate_admin_password() {
     info "Generating admin password..."
@@ -207,8 +290,11 @@ generate_admin_password() {
     admin_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9!@#%^&*' | head -c 24)
 
     # Hash with argon2 (PHC format, compatible with the application)
+    # Generate a random 16-character salt (argon2 requires minimum 8 characters)
+    local admin_salt
+    admin_salt=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
     local password_hash
-    password_hash=$(echo -n "${admin_password}" | argon2 salt -id -t 3 -m 65536 -p 1 -l 32 -e)
+    password_hash=$(echo -n "${admin_password}" | argon2 "${admin_salt}" -id -t 3 -m 16 -p 1 -l 32 -e)
 
     # Update admin user password in database
     # Only update if the placeholder hash is still present
@@ -245,77 +331,6 @@ generate_admin_password() {
     fi
 }
 
-# ---------------------------------------------------------------------------
-# 7. Write config.toml with DB URL (only if file doesn't exist)
-# ---------------------------------------------------------------------------
-write_config() {
-    local config_file="${CONFIG_DIR}/config.toml"
-
-    if [[ -f "${config_file}" ]]; then
-        info "Config file ${config_file} already exists, not overwriting."
-        return 0
-    fi
-
-    info "Writing configuration file..."
-
-    # Get the DB password — use the one we just generated if we created the user
-    local db_password=""
-    if [[ -f /tmp/.pm-db-password-new ]]; then
-        db_password=$(cat /tmp/.pm-db-password-new)
-    fi
-
-    # If we don't have a password (user already existed), generate a new one
-    # and update the PostgreSQL user so we can connect
-    if [[ -z "${db_password}" ]]; then
-        db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
-        psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
-    fi
-
-    # Copy example config and set the DB URL
-    cp /usr/share/patch-manager/config.example.toml "${config_file}"
-    sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
-    chown patch-manager:patch-manager "${config_file}"
-    chmod 640 "${config_file}"
-
-    info "Configuration written to ${config_file}"
-}
-
-# ---------------------------------------------------------------------------
-# 8. Generate JWT keys (idempotent)
-# ---------------------------------------------------------------------------
-generate_jwt_keys() {
-    if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
-        info "Generating Ed25519 JWT signing key..."
-        openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
-        openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
-        chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
-        chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
-        chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
-        info "JWT keys generated."
-    else
-        info "JWT signing key already exists, skipping."
-    fi
-}
-
-# ---------------------------------------------------------------------------
-# 9. Enable and start services
-# ---------------------------------------------------------------------------
-enable_and_start_services() {
-    systemctl daemon-reload
-
-    # Enable the target (which pulls in web + worker)
-    systemctl enable patch-manager.target 2>/dev/null || true
-
-    # Start or restart services
-    if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
-        info "Restarting patch-manager services (upgrade)..."
-        systemctl restart patch-manager.target 2>/dev/null || true
-    else
-        info "Starting patch-manager services..."
-        systemctl start patch-manager.target 2>/dev/null || true
-    fi
-}
-
 # ---------------------------------------------------------------------------
 # 10. Install backup cron (idempotent)
 # ---------------------------------------------------------------------------
@@ -335,11 +350,11 @@ case "$1" in
         create_directories
         wait_for_postgresql
         setup_database
-        apply_migrations
-        generate_admin_password
         write_config
         generate_jwt_keys
         enable_and_start_services
+        wait_for_service_healthy
+        generate_admin_password
         install_backup_cron
 
         # Clean up temp file

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "patch-manager-ui",
   "private": true,
-  "version": "1.1.1",
+  "version": "1.1.12",
   "type": "module",
   "scripts": {
     "dev": "vite",

migrations/001_initial_schema.sql

@@ -12,31 +12,63 @@ CREATE EXTENSION IF NOT EXISTS "pg_trgm";    -- fuzzy text search on host names
 -- Enumerations
 -- ============================================================
 
-CREATE TYPE user_role AS ENUM ('admin', 'operator');
-CREATE TYPE auth_provider AS ENUM ('local', 'azure_sso');
-CREATE TYPE host_health_status AS ENUM ('pending', 'healthy', 'degraded', 'unreachable');
-CREATE TYPE job_status AS ENUM ('queued', 'pending', 'running', 'succeeded', 'failed', 'cancelled');
-CREATE TYPE job_kind AS ENUM ('patch_apply', 'patch_remove', 'reboot', 'rollback');
-CREATE TYPE window_recurrence AS ENUM ('once', 'daily', 'weekly', 'monthly');
-CREATE TYPE cert_status AS ENUM ('active', 'revoked', 'expired');
-CREATE TYPE audit_action AS ENUM (
-    'user_login', 'user_logout', 'user_login_failed',
-    'user_created', 'user_deleted', 'user_updated',
-    'host_registered', 'host_removed',
-    'group_created', 'group_deleted',
-    'group_membership_changed',
-    'patch_job_created', 'patch_job_cancelled', 'patch_job_rollback',
-    'maintenance_window_created', 'maintenance_window_updated', 'maintenance_window_deleted',
-    'certificate_issued', 'certificate_renewed', 'certificate_revoked', 'certificate_downloaded',
-    'config_changed',
-    'discovery_scan_started'
-);
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_role') THEN
+        CREATE TYPE user_role AS ENUM ('admin', 'operator');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'auth_provider') THEN
+        CREATE TYPE auth_provider AS ENUM ('local', 'azure_sso');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'host_health_status') THEN
+        CREATE TYPE host_health_status AS ENUM ('pending', 'healthy', 'degraded', 'unreachable');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'job_status') THEN
+        CREATE TYPE job_status AS ENUM ('queued', 'pending', 'running', 'succeeded', 'failed', 'cancelled');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'job_kind') THEN
+        CREATE TYPE job_kind AS ENUM ('patch_apply', 'patch_remove', 'reboot', 'rollback');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'window_recurrence') THEN
+        CREATE TYPE window_recurrence AS ENUM ('once', 'daily', 'weekly', 'monthly');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'cert_status') THEN
+        CREATE TYPE cert_status AS ENUM ('active', 'revoked', 'expired');
+    END IF;
+END $$;
+DO $$ BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'audit_action') THEN
+        CREATE TYPE audit_action AS ENUM (
+            'user_login', 'user_logout', 'user_login_failed',
+            'user_created', 'user_deleted', 'user_updated',
+            'host_registered', 'host_removed',
+            'group_created', 'group_deleted',
+            'group_membership_changed',
+            'patch_job_created', 'patch_job_cancelled', 'patch_job_rollback',
+            'maintenance_window_created', 'maintenance_window_updated', 'maintenance_window_deleted',
+            'certificate_issued', 'certificate_renewed', 'certificate_revoked', 'certificate_downloaded',
+            'config_changed',
+            'discovery_scan_started'
+        );
+    END IF;
+END $$;
 
 -- ============================================================
 -- Groups (defined before users/hosts for FK ordering)
 -- ============================================================
 
-CREATE TABLE groups (
+CREATE TABLE IF NOT EXISTS groups (
     id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     name        TEXT NOT NULL UNIQUE,
     description TEXT NOT NULL DEFAULT '',
@@ -44,13 +76,13 @@ CREATE TABLE groups (
     updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
-CREATE INDEX idx_groups_name ON groups (name);
+CREATE INDEX IF NOT EXISTS idx_groups_name ON groups (name);
 
 -- ============================================================
 -- Users
 -- ============================================================
 
-CREATE TABLE users (
+CREATE TABLE IF NOT EXISTS users (
     id                  UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     username            TEXT NOT NULL UNIQUE,
     display_name        TEXT NOT NULL DEFAULT '',
@@ -73,28 +105,28 @@ CREATE TABLE users (
     updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
-CREATE INDEX idx_users_email ON users (email);
-CREATE INDEX idx_users_azure_oid ON users (azure_oid) WHERE azure_oid IS NOT NULL;
-CREATE INDEX idx_users_role ON users (role);
+CREATE INDEX IF NOT EXISTS idx_users_email ON users (email);
+CREATE INDEX IF NOT EXISTS idx_users_azure_oid ON users (azure_oid) WHERE azure_oid IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_users_role ON users (role);
 
 -- ============================================================
 -- User <-> Group membership
 -- ============================================================
 
-CREATE TABLE user_groups (
+CREATE TABLE IF NOT EXISTS user_groups (
     user_id    UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
     group_id   UUID NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
     assigned_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
     PRIMARY KEY (user_id, group_id)
 );
 
-CREATE INDEX idx_user_groups_group ON user_groups (group_id);
+CREATE INDEX IF NOT EXISTS idx_user_groups_group ON user_groups (group_id);
 
 -- ============================================================
 -- Refresh Tokens
 -- ============================================================
 
-CREATE TABLE refresh_tokens (
+CREATE TABLE IF NOT EXISTS refresh_tokens (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     user_id         UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
     -- Stored as Argon2id hash of the opaque token bytes
@@ -109,14 +141,14 @@ CREATE TABLE refresh_tokens (
     ip_address      INET
 );
 
-CREATE INDEX idx_refresh_tokens_user ON refresh_tokens (user_id);
-CREATE INDEX idx_refresh_tokens_expires ON refresh_tokens (expires_at) WHERE revoked = FALSE;
+CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user ON refresh_tokens (user_id);
+CREATE INDEX IF NOT EXISTS idx_refresh_tokens_expires ON refresh_tokens (expires_at) WHERE revoked = FALSE;
 
 -- ============================================================
 -- Hosts
 -- ============================================================
 
-CREATE TABLE hosts (
+CREATE TABLE IF NOT EXISTS hosts (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     fqdn            TEXT NOT NULL,
     ip_address      INET NOT NULL,
@@ -136,28 +168,28 @@ CREATE TABLE hosts (
     CONSTRAINT hosts_fqdn_ip_unique UNIQUE (fqdn, ip_address)
 );
 
-CREATE INDEX idx_hosts_health_status ON hosts (health_status);
-CREATE INDEX idx_hosts_fqdn ON hosts USING gin (fqdn gin_trgm_ops);
-CREATE INDEX idx_hosts_ip ON hosts (ip_address);
+CREATE INDEX IF NOT EXISTS idx_hosts_health_status ON hosts (health_status);
+CREATE INDEX IF NOT EXISTS idx_hosts_fqdn ON hosts USING gin (fqdn gin_trgm_ops);
+CREATE INDEX IF NOT EXISTS idx_hosts_ip ON hosts (ip_address);
 
 -- ============================================================
 -- Host <-> Group membership
 -- ============================================================
 
-CREATE TABLE host_groups (
+CREATE TABLE IF NOT EXISTS host_groups (
     host_id     UUID NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
     group_id    UUID NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
     assigned_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
     PRIMARY KEY (host_id, group_id)
 );
 
-CREATE INDEX idx_host_groups_group ON host_groups (group_id);
+CREATE INDEX IF NOT EXISTS idx_host_groups_group ON host_groups (group_id);
 
 -- ============================================================
 -- Host Health Data (cached results from 5-min polls)
 -- ============================================================
 
-CREATE TABLE host_health_data (
+CREATE TABLE IF NOT EXISTS host_health_data (
     id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     host_id     UUID NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
     polled_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
@@ -166,14 +198,14 @@ CREATE TABLE host_health_data (
     payload     JSONB NOT NULL DEFAULT '{}'
 );
 
-CREATE INDEX idx_host_health_host ON host_health_data (host_id, polled_at DESC);
+CREATE INDEX IF NOT EXISTS idx_host_health_host ON host_health_data (host_id, polled_at DESC);
 -- Retained for 30 days (pruned by worker)
 
 -- ============================================================
 -- Host Patch Data (cached results from 30-min polls)
 -- ============================================================
 
-CREATE TABLE host_patch_data (
+CREATE TABLE IF NOT EXISTS host_patch_data (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     host_id         UUID NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
     polled_at       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
@@ -184,14 +216,14 @@ CREATE TABLE host_patch_data (
     cve_count       INTEGER NOT NULL DEFAULT 0
 );
 
-CREATE INDEX idx_host_patch_host ON host_patch_data (host_id, polled_at DESC);
+CREATE INDEX IF NOT EXISTS idx_host_patch_host ON host_patch_data (host_id, polled_at DESC);
 -- Retained for 30 days (pruned by worker)
 
 -- ============================================================
 -- Maintenance Windows
 -- ============================================================
 
-CREATE TABLE maintenance_windows (
+CREATE TABLE IF NOT EXISTS maintenance_windows (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     host_id         UUID NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
     label           TEXT NOT NULL DEFAULT '',
@@ -207,14 +239,14 @@ CREATE TABLE maintenance_windows (
     updated_at      TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
-CREATE INDEX idx_mw_host ON maintenance_windows (host_id);
-CREATE INDEX idx_mw_start ON maintenance_windows (start_at) WHERE enabled = TRUE;
+CREATE INDEX IF NOT EXISTS idx_mw_host ON maintenance_windows (host_id);
+CREATE INDEX IF NOT EXISTS idx_mw_start ON maintenance_windows (start_at) WHERE enabled = TRUE;
 
 -- ============================================================
 -- Patch Jobs
 -- ============================================================
 
-CREATE TABLE patch_jobs (
+CREATE TABLE IF NOT EXISTS patch_jobs (
     id                  UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     kind                job_kind NOT NULL DEFAULT 'patch_apply',
     status              job_status NOT NULL DEFAULT 'queued',
@@ -233,15 +265,15 @@ CREATE TABLE patch_jobs (
     completed_at        TIMESTAMPTZ
 );
 
-CREATE INDEX idx_patch_jobs_status ON patch_jobs (status);
-CREATE INDEX idx_patch_jobs_created ON patch_jobs (created_at DESC);
-CREATE INDEX idx_patch_jobs_user ON patch_jobs (created_by_user_id);
+CREATE INDEX IF NOT EXISTS idx_patch_jobs_status ON patch_jobs (status);
+CREATE INDEX IF NOT EXISTS idx_patch_jobs_created ON patch_jobs (created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_patch_jobs_user ON patch_jobs (created_by_user_id);
 
 -- ============================================================
 -- Patch Job Hosts (per-host status within a batch job)
 -- ============================================================
 
-CREATE TABLE patch_job_hosts (
+CREATE TABLE IF NOT EXISTS patch_job_hosts (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     job_id          UUID NOT NULL REFERENCES patch_jobs(id) ON DELETE CASCADE,
     host_id         UUID NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
@@ -257,15 +289,15 @@ CREATE TABLE patch_job_hosts (
     UNIQUE (job_id, host_id)
 );
 
-CREATE INDEX idx_pjh_job ON patch_job_hosts (job_id);
-CREATE INDEX idx_pjh_host ON patch_job_hosts (host_id);
-CREATE INDEX idx_pjh_status ON patch_job_hosts (status);
+CREATE INDEX IF NOT EXISTS idx_pjh_job ON patch_job_hosts (job_id);
+CREATE INDEX IF NOT EXISTS idx_pjh_host ON patch_job_hosts (host_id);
+CREATE INDEX IF NOT EXISTS idx_pjh_status ON patch_job_hosts (status);
 
 -- ============================================================
 -- Certificates
 -- ============================================================
 
-CREATE TABLE certificates (
+CREATE TABLE IF NOT EXISTS certificates (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     -- NULL = root CA cert
     host_id         UUID REFERENCES hosts(id) ON DELETE CASCADE,
@@ -279,15 +311,15 @@ CREATE TABLE certificates (
     cert_pem        TEXT NOT NULL
 );
 
-CREATE INDEX idx_certs_host ON certificates (host_id);
-CREATE INDEX idx_certs_status ON certificates (status);
-CREATE INDEX idx_certs_expires ON certificates (expires_at);
+CREATE INDEX IF NOT EXISTS idx_certs_host ON certificates (host_id);
+CREATE INDEX IF NOT EXISTS idx_certs_status ON certificates (status);
+CREATE INDEX IF NOT EXISTS idx_certs_expires ON certificates (expires_at);
 
 -- ============================================================
 -- Audit Log (tamper-evident, hash-chained)
 -- ============================================================
 
-CREATE TABLE audit_log (
+CREATE TABLE IF NOT EXISTS audit_log (
     id              BIGSERIAL PRIMARY KEY,
     action          audit_action NOT NULL,
     actor_user_id   UUID REFERENCES users(id) ON DELETE SET NULL,
@@ -302,17 +334,17 @@ CREATE TABLE audit_log (
     row_hash        TEXT NOT NULL DEFAULT ''
 );
 
-CREATE INDEX idx_audit_created ON audit_log (created_at DESC);
-CREATE INDEX idx_audit_actor ON audit_log (actor_user_id);
-CREATE INDEX idx_audit_action ON audit_log (action);
-CREATE INDEX idx_audit_target ON audit_log (target_type, target_id);
+CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_log (created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_audit_actor ON audit_log (actor_user_id);
+CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_log (action);
+CREATE INDEX IF NOT EXISTS idx_audit_target ON audit_log (target_type, target_id);
 -- Retained for 6 months (pruned by worker)
 
 -- ============================================================
 -- Azure SSO Configuration
 -- ============================================================
 
-CREATE TABLE azure_sso_config (
+CREATE TABLE IF NOT EXISTS azure_sso_config (
     id              INTEGER PRIMARY KEY DEFAULT 1,  -- singleton row
     enabled         BOOLEAN NOT NULL DEFAULT FALSE,
     tenant_id       TEXT NOT NULL DEFAULT '',
@@ -329,7 +361,7 @@ CREATE TABLE azure_sso_config (
 -- System Configuration (key/value runtime settings)
 -- ============================================================
 
-CREATE TABLE system_config (
+CREATE TABLE IF NOT EXISTS system_config (
     key         TEXT PRIMARY KEY,
     value       TEXT NOT NULL,
     description TEXT NOT NULL DEFAULT '',
@@ -351,13 +383,14 @@ INSERT INTO system_config (key, value, description) VALUES
     ('smtp_from',                  '',      'From address for notifications'),
     ('smtp_tls_mode',              'starttls', 'SMTP TLS mode: none, starttls, tls'),
     ('web_tls_strategy',           'internal_ca', 'Web UI TLS cert strategy: internal_ca or operator_supplied'),
-    ('ip_whitelist',               '[]',    'JSON array of allowed CIDR/IP strings; empty = allow all');
+    ('ip_whitelist',               '[]',    'JSON array of allowed CIDR/IP strings; empty = allow all')
+ON CONFLICT (key) DO NOTHING;
 
 -- ============================================================
 -- Worker Heartbeat
 -- ============================================================
 
-CREATE TABLE worker_heartbeat (
+CREATE TABLE IF NOT EXISTS worker_heartbeat (
     id              INTEGER PRIMARY KEY DEFAULT 1,  -- singleton row
     last_seen       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
     worker_version  TEXT NOT NULL DEFAULT '',
@@ -368,7 +401,7 @@ CREATE TABLE worker_heartbeat (
 -- Discovery Results (transient; cleared before each scan)
 -- ============================================================
 
-CREATE TABLE discovery_results (
+CREATE TABLE IF NOT EXISTS discovery_results (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     scan_id         UUID NOT NULL,
     ip_address      INET NOT NULL,
@@ -381,5 +414,5 @@ CREATE TABLE discovery_results (
     registered      BOOLEAN NOT NULL DEFAULT FALSE
 );
 
-CREATE INDEX idx_discovery_scan ON discovery_results (scan_id);
-CREATE INDEX idx_discovery_ip ON discovery_results (ip_address);
+CREATE INDEX IF NOT EXISTS idx_discovery_scan ON discovery_results (scan_id);
+CREATE INDEX IF NOT EXISTS idx_discovery_ip ON discovery_results (ip_address);

migrations/003_jobs_scheduling.sql

@@ -8,11 +8,11 @@
 
 -- When the retry engine should next attempt this host; NULL = not scheduled
 ALTER TABLE patch_job_hosts
-    ADD COLUMN retry_next_at TIMESTAMPTZ;
+    ADD COLUMN IF NOT EXISTS retry_next_at TIMESTAMPTZ;
 
 -- Last failure reason captured by the worker for display in the UI
 ALTER TABLE patch_job_hosts
-    ADD COLUMN last_error TEXT;
+    ADD COLUMN IF NOT EXISTS last_error TEXT;
 
 -- ============================================================
 -- pg_notify trigger: fires when an immediate job is inserted
@@ -30,15 +30,21 @@ BEGIN
 END;
 $$;
 
-CREATE TRIGGER trg_job_enqueued
-    AFTER INSERT ON patch_jobs
-    FOR EACH ROW
-    EXECUTE FUNCTION notify_job_enqueued();
+DO $$ BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_trigger WHERE tgname = 'trg_job_enqueued'
+    ) THEN
+        CREATE TRIGGER trg_job_enqueued
+            AFTER INSERT ON patch_jobs
+            FOR EACH ROW
+            EXECUTE FUNCTION notify_job_enqueued();
+    END IF;
+END $$;
 
 -- ============================================================
 -- Index: efficiently find hosts due for retry
 -- ============================================================
 
-CREATE INDEX idx_pjh_retry
+CREATE INDEX IF NOT EXISTS idx_pjh_retry
     ON patch_job_hosts (retry_next_at)
     WHERE retry_next_at IS NOT NULL;

migrations/007_health_checks.sql

@@ -1,7 +1,7 @@
 -- Migration 007: Health check configuration and results
 
 -- Health checks configured per host (1-5 per host)
-CREATE TABLE host_health_checks (
+CREATE TABLE IF NOT EXISTS host_health_checks (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     host_id         UUID NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
     name            VARCHAR(100) NOT NULL,
@@ -27,10 +27,10 @@ CREATE TABLE host_health_checks (
     )
 );
 
-CREATE INDEX idx_health_checks_host ON host_health_checks (host_id);
+CREATE INDEX IF NOT EXISTS idx_health_checks_host ON host_health_checks (host_id);
 
 -- Health check poll results (4-day retention, pruned by worker)
-CREATE TABLE host_health_check_results (
+CREATE TABLE IF NOT EXISTS host_health_check_results (
     id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     check_id    UUID NOT NULL REFERENCES host_health_checks(id) ON DELETE CASCADE,
     healthy     BOOLEAN NOT NULL,
@@ -39,4 +39,4 @@ CREATE TABLE host_health_check_results (
     checked_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
-CREATE INDEX idx_health_results_check ON host_health_check_results (check_id, checked_at DESC);
+CREATE INDEX IF NOT EXISTS idx_health_results_check ON host_health_check_results (check_id, checked_at DESC);

migrations/011_health_check_target_host.sql

@@ -4,7 +4,7 @@
 -- FK with ON DELETE SET NULL: if target host deleted, revert to default.
 
 ALTER TABLE host_health_checks
-  ADD COLUMN target_host_id UUID REFERENCES hosts(id) ON DELETE SET NULL;
+  ADD COLUMN IF NOT EXISTS target_host_id UUID REFERENCES hosts(id) ON DELETE SET NULL;
 
-CREATE INDEX idx_health_checks_target_host ON host_health_checks (target_host_id)
+CREATE INDEX IF NOT EXISTS idx_health_checks_target_host ON host_health_checks (target_host_id)
   WHERE target_host_id IS NOT NULL;

migrations/016_enrollment_requests.sql

@@ -1,7 +1,7 @@
 -- Migration: 016_enrollment_requests
 -- Description: Create enrollment_requests table for host self-enrollment
 
-CREATE TABLE enrollment_requests (
+CREATE TABLE IF NOT EXISTS enrollment_requests (
     id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
     machine_id      TEXT NOT NULL UNIQUE,
     fqdn            TEXT NOT NULL,
@@ -12,5 +12,5 @@ CREATE TABLE enrollment_requests (
     expires_at      TIMESTAMPTZ NOT NULL DEFAULT NOW() + INTERVAL '24 hours'
 );
 
-CREATE INDEX idx_enrollment_requests_token ON enrollment_requests (polling_token);
-CREATE INDEX idx_enrollment_requests_expires ON enrollment_requests (expires_at);
+CREATE INDEX IF NOT EXISTS idx_enrollment_requests_token ON enrollment_requests (polling_token);
+CREATE INDEX IF NOT EXISTS idx_enrollment_requests_expires ON enrollment_requests (expires_at);

scripts/build-package.sh

@@ -22,7 +22,7 @@ warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
 error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
 
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-VERSION="1.1.1"
+VERSION="1.1.12"
 RELEASE="1"
 PKG_NAME="linux-patch-manager"
 DEB_NAME="${PKG_NAME}_${VERSION}-${RELEASE}_amd64.deb"