v1 readiness: CHANGELOG + threat model + first-run onboarding polish
- CHANGELOG.md: Keep-a-Changelog format, v1.0.0 entry summarising what each phase delivered.
- docs/threat-model.md: structured walkthrough of assets, actors, attack surfaces and residual risks; reviewed against v1.0.0.
- cmd/server/main.go: at first-run startup, print a clickable $RM_BASE_URL/bootstrap URL alongside the existing one-shot bootstrap token (or a fallback hint when RM_BASE_URL is unset).
- web/templates/pages/bootstrap.html: visible "Minimum 12 characters" hint under the password field so the rule is communicated before the operator submits.
- tasks.md: close X-01, X-04, X-05 with notes.
@@ -0,0 +1,89 @@
|
||||
# Changelog
|
||||
|
||||
All notable changes to this project are documented here.
|
||||
The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
||||
and the project follows [Semantic Versioning](https://semver.org/).
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [1.0.0] - 2026-05-09
|
||||
|
||||
First tagged release. Six development phases brought the project from
|
||||
empty repo to a self-hostable, multi-tenant restic backup orchestrator
|
||||
with a web UI, JSON API, and self-updating agent fleet.
|
||||
|
||||
### Phase 1 — MVP: enrolment, visibility, on-demand backup
|
||||
|
||||
- HTTP server, SQLite store with migrations, AEAD-encrypted
|
||||
credentials at rest, Argon2id password hashing, session cookies.
|
||||
- WebSocket transport between server and agents (heartbeat, hello,
|
||||
schedule fan-out, job log streaming).
|
||||
- Agent install path for Linux (systemd unit + `install.sh`); one-time
|
||||
enrolment tokens with embedded repo credentials.
|
||||
- Run-now backup execution end-to-end, snapshot listing.
|
||||
- Server-side encrypted repo creds pushed to the agent on hello.
|
||||
|
||||
### Phase 2 — Scheduling, retention, repo operations
|
||||
|
||||
- Source groups (paths + excludes + pre/post hooks + bandwidth caps)
|
||||
decoupled from schedules; a schedule fires a source group.
|
||||
- Cron-style schedules with retention policies, server-driven
|
||||
reconciliation push and ack.
|
||||
- `restic forget`, `prune`, `check`, `unlock` automation; periodic
|
||||
maintenance ticker with per-host stagger.
|
||||
- Pending-runs queue with backpressure (`max_concurrent_jobs` per
|
||||
host).
|
||||
- Repo stats panel on the host detail page (size, last-check, last-
|
||||
prune, stale-lock banner).
|
||||
- Auto-init of repos on first onboard with credential-failure surface
|
||||
on the host detail page.
|
||||
- Announce-and-approve enrolment path for hosts that don't have a
|
||||
pre-minted token (Ed25519 fingerprint, operator approves).
|
||||
- Windows agent: SCM service integration + `install.ps1` installer.
|
||||
- Cross-platform alt-enrolment (announce flow on Windows).
|
||||
|
||||
### Phase 3 — Restore, alerts, audit
|
||||
|
||||
- Restore wizard: pick a snapshot, pick paths, pick a target
|
||||
(in-place / new directory), live progress.
|
||||
- Snapshot diff against parent.
|
||||
- Alert engine: per-source-group dedup, severity tiers, ack / resolve.
|
||||
- Live-refresh alerts table with severity cues.
|
||||
- Audit log UI with filters, sort, CSV export, payload-detail modal.
|
||||
|
||||
### Phase 4 — RBAC, OIDC, host tags
|
||||
|
||||
- Role-based access control: viewer / operator / admin.
|
||||
- User management UI (invite, role change, disable, password reset).
|
||||
- Generic OIDC SSO with JIT user provisioning + role mapping.
|
||||
- Per-host tags with chip-row filter on the dashboard.
|
||||
|
||||
### Phase 5 — OSS readiness
|
||||
|
||||
- mdBook-rendered docs site at `docs/book/`.
|
||||
- Contributor onboarding (CONTRIBUTING.md, security policy, license).
|
||||
- Docker-only release pipeline + reference deployment compose file.
|
||||
- Playwright e2e harness covering the smoke runbook.
|
||||
|
||||
### Phase 6 — Update delivery + observability
|
||||
|
||||
- Agent self-update: server-side channel pin per host, signed binary
|
||||
fetch via the WS transport, atomic swap with rollback on failure.
|
||||
- Fleet-wide update orchestration with per-host stagger and an admin
|
||||
pause switch.
|
||||
- Prometheus `/metrics` endpoint + Grafana dashboard JSON.
|
||||
- Repo size trend per host (90-day rolling) on the host detail page.
|
||||
|
||||
### Cross-cutting
|
||||
|
||||
- Live dashboard with column sort, filters, free-text host search,
|
||||
background-tab-aware live refresh (5s cadence).
|
||||
- Pure-Go binary with embedded UI, no Node/CGO at runtime.
|
||||
- Reproducible `-trimpath -ldflags="-s -w"` builds for
|
||||
linux/amd64, linux/arm64, windows/amd64.
|
||||
- Sharded CI (server-http / store / rest), pre-commit hooks (gofumpt,
|
||||
go vet, golangci-lint).
|
||||
- Threat model published (`docs/threat-model.md`).
|
||||
|
||||
[Unreleased]: https://gitea.dcglab.co.uk/steve/restic-manager/compare/v1.0.0...HEAD
|
||||
[1.0.0]: https://gitea.dcglab.co.uk/steve/restic-manager/releases/tag/v1.0.0
|
||||
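Review bot: The 1.0.0 entry is grouped under `Phase 1` to `Phase 6` and `Cross-cutting` headings, while the header sentence says the file follows Keep a Changelog, which groups changes by type (Added, Changed, Deprecated, Removed, Fixed, Security). The effect is that the security-relevant items are scattered: AEAD-encrypted credentials at rest, Argon2id password hashing and one-time enrolment tokens with embedded repo credentials sit under Phase 1, the signed agent binary fetch under Phase 6, and the threat model under Cross-cutting. Either reword the header to say this first entry is grouped by development phase, or add a `### Security` group that collects these bullets and points at `docs/threat-model.md`. Separately, the "Reproducible" bullet under Cross-cutting names only `-trimpath -ldflags="-s -w"`; if reproducing a release binary also requires a specific Go toolchain version or other settings, state them in that bullet or link to where they are documented.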