49 Commits

Author	SHA1	Message	Date
steve	22a5bb7db5	v1 readiness: CHANGELOG + threat model + first-run onboarding polish ... - CHANGELOG.md: Keep-a-Changelog format, v1.0.0 entry summarising what each phase delivered. - docs/threat-model.md: structured walkthrough of assets, actors, attack surfaces and residual risks; reviewed against v1.0.0. - cmd/server/main.go: at first-run startup, print a clickable $RM_BASE_URL/bootstrap URL alongside the existing one-shot bootstrap token (or a fallback hint when RM_BASE_URL is unset). - web/templates/pages/bootstrap.html: visible "Minimum 12 characters" hint under the password field so the rule is communicated before the operator submits. - tasks.md: close X-01, X-04, X-05 with notes.	2026-05-09 12:29:00 +01:00
steve	3232c85667	tasks: close NS-05 (setup-go already gone) + NS-06 (drop Run-backup tombstone button)	2026-05-09 11:55:21 +01:00
steve	8ef681f3f4	tasks: queue NS-05 (drop setup-go) + NS-06 (drop disabled Run-backup button) ... Two small follow-ups noted while working through the p5-oss-readiness CI-runner switch: * NS-05 — actions/setup-go is now redundant; ci-runner-go ships Go on PATH and re-downloading on every job costs ~5s a shard. * NS-06 — host_chrome's per-host "Run backup now" button is a permanently-disabled tombstone; remove it so the chrome stops advertising an action that no longer exists.	2026-05-08 22:26:59 +01:00
steve	89537d417a	P5: OSS readiness — docs site, contributor onboarding, e2e harness ... P5-01 — Documentation site under docs/book/ rendered with mdBook (downloaded via Makefile, same static-binary pattern as Tailwind). Structured chapters: getting started, concepts, operations, security, reference. `make docs` / `make docs-watch`. Generated output gitignored. P5-02 — CONTRIBUTING.md rewritten from placeholder to a full guide. CODE_OF_CONDUCT.md adapted from Contributor Covenant for a single-maintainer project. .gitea/issue_template/{bug,feature}.md and PULL_REQUEST_TEMPLATE.md. P5-04 — Six README screenshots captured live from a fresh server bootstrap (login, empty dashboard, add-host, alerts, settings, audit log). README rewritten to centre the screenshot grid and link out to the docs site. P5-05 — SECURITY.md with disclosure policy (3-day ack, 30-day default window), scope in/out, threat-model summary, operator hardening checklist. Mirrored as a docs-site chapter. P5-06 — End-to-end test harness. e2e/compose.e2e.yml brings up server + sibling Linux agent (alpine + restic) + restic/rest-server. Agent uses announce-and-approve so Playwright can drive the full operator flow: bootstrap → login → accept pending → backup → verify terminal status. Second spec scrapes /metrics to assert the P6-04 endpoint surface. .gitea/workflows/e2e.yml runs on every PR; local how-to in docs/e2e.md.	2026-05-08 20:08:23 +01:00
steve	73e733be61	P6-04+05: Prometheus /metrics endpoint + Grafana dashboard ... New internal/server/metrics package emits the legacy text/plain exposition format directly, so we don't pull in prometheus/client_golang. Endpoint is opt-in via RM_METRICS_TOKEN and/or RM_METRICS_TRUSTED_CIDR; route is not mounted at all if neither gate is set. Both gates ANDed when both configured. Per-host gauges (online, last_backup_*, repo_size_bytes, snapshot_count, open_alerts, repo_status), server gauges (hosts_total/online, active_alerts by severity, build_info), and an in-memory job-duration histogram observed from the existing MsgJobFinished branch in the WS handler. Docs in docs/prometheus.md (enable + scrape config + metric reference + dashboard import). Sample dashboard at deploy/grafana/restic-manager-dashboard.json - six panels, Grafana schema 39, single Prometheus datasource variable. Tests: golden render, concurrent observe, bucket boundaries in the metrics package; auth matrix (no auth -> 404, token gate, CIDR gate, both required) in the HTTP layer.	2026-05-07 23:17:15 +01:00
steve	afd15c6990	tasks: P6-03 done, repo size trend graphs	2026-05-07 19:20:05 +01:00
steve	0bd075c2a3	tasks: mark P6-01 + P6-02 done with as-shipped block	2026-05-06 22:33:33 +01:00
steve	c80ca90efb	tasks: rewrite P6-01/02 around server-bundled agent self-update ... The original plan was apt repo + Chocolatey package. The P5-03 Docker pivot bundled matching agent binaries into the server image and exposes them via /agent/binary, so 'update agent' now collapses to 're-fetch from your own server'. No third-party packaging or signing infra needed. P6-01 drops to S; P6-02 keeps the dashboard reporting + fleet-update UX but points at the new mechanism.	2026-05-06 21:08:22 +01:00
steve	3800b34a2b	testing: bootstrap UI, agent reliability, NS-01..04 + alert username ... Smoothes the rough edges that came up exercising a live deployment. First-run bootstrap UI: /bootstrap renders a username + password form that uses the in-memory token directly (operator no longer copies it out of the log); /login redirects there while bootstrap is available. Agent reliability: failJob synthetic envelopes so command.run early returns no longer hang the server-side job; runtime probe of restic restore --help drives --no-ownership instead of version sniffing (0.18.x had it removed). Server unit re-shaped: ProtectSystem=full plus ReadWritePaths=/etc/restic-manager, no ProtectHome — restore can now write anywhere a user might want. Restore wizard: default target is /root/rm-restore/<job-id>/ with clearer help text. Re-init confirm input uses .field (was .input, which doesn't exist — text was invisible). NS-01 host delete: store DeleteHost, admin-band /hosts/{id}/delete with hostname-confirm danger zone, audit, FK cascade, live WS close. NS-02 enrollment-token recovery: outstanding-tokens panel on /hosts/new, regenerate (preserves attachments) and revoke handlers + audit, store-level ListOutstandingEnrollmentTokens and DeleteEnrollmentToken. NS-03 repo init / probe surface: migration 0020 adds hosts.repo_status + repo_status_error; WS handler projects every init job's outcome onto the host row (idempotent already-initialised collapses to ready); creds-save resets status and dispatches a fresh probe; /hosts/{id}/repo/probe retry endpoint with banner. NS-04 dashboard live + sort + filter: query-string filter (q/status/repo_status/tag/sort/dir), 5s htmx live poll mirroring the alerts pattern with a localStorage live toggle, sortable column headers, filter row + clear. Alerts page: ack'd-by line resolves user_id ULID to username. Compose.yaml ignored — host-specific.	2026-05-05 22:03:15 +01:00
steve	d6f6d19bff	p5-07: reference deployment (server-only compose + reverse-proxy docs) ... The reverse proxy is assumed to live outside this project (Caddy, nginx, Traefik, whatever the operator already runs). The reference compose stands up only the server: image-pinned via RM_VERSION, named volume for operator state, localhost-bound so the proxy reaches it on loopback. docs/reverse-proxy.md covers what the proxy must forward — the X-Forwarded-* headers, Host, and Connection: upgrade for the agent WebSocket and live-log streams — plus the RM_TRUSTED_PROXY CIDR rule that gates header trust. Worked examples for Caddy, nginx (with the websocket upgrade map + 1h proxy_read_timeout for live logs), and Traefik.	2026-05-05 17:15:00 +01:00
steve	7cc17813a9	p5-03: docker-only release path (drop goreleaser) ... Single public deliverable per tag: a multi-arch server image, with cross-compiled agent binaries + install scripts + the systemd unit baked under /opt/restic-manager/dist/. The /agent/binary and /install/* handlers fall back from <DataDir>/... to that read-only path so a fresh container Just Works without first-run staging; operators can still drop a custom build into <DataDir>/ to override per-host. Architecture rationale: agent distribution already routes through the running server, so the release surface mirrors that — there's no second source of truth to keep in sync. Workflow .gitea/workflows/release.yml triggers on v*.*.* tag-push (fan-out :vX.Y.Z / :X.Y / :X, plus :latest once MAJOR>=1) and workflow_dispatch (snapshot tag only). Pushes to the Gitea container registry on this instance. Both binaries grow main.commit + main.date ldflag targets. Makefile and Dockerfile fill them; release workflow forwards from gitea.sha plus a UTC timestamp. Spec : docs/superpowers/specs/2026-05-05-p5-03-docker-only-release.md Plan : docs/superpowers/plans/2026-05-05-p5-03-docker-only-release.md	2026-05-05 15:18:48 +01:00
steve	4d90f72575	oidc: merge userinfo claims; tick P4-05 in tasks.md ... Authelia (and many other IdPs) only put `sub` in the ID token by default, surfacing `preferred_username`/`email`/`groups` from the userinfo endpoint. Fetch userinfo after id_token verification and fold its claims into the parsed claim map; the id_token claims remain authoritative on conflict so the signed assertion still wins. Live sweep against https://auth.dcglab.co.uk verified all four flows: rm-admin → admin JIT, rm-operator → operator JIT (RBAC denies admin pages), rm-viewer → viewer JIT (RBAC denies operator pages), rm-other → no_role_match banner with no row created. Returning rm-admin sign-in resolves to the same row by sub. Screenshots in _diag/p4-05-sweep/.	2026-05-05 14:06:28 +01:00
steve	89d4458866	feat(hosts): per-host tags edit + dashboard chip-row filter (P4-07)	2026-05-05 11:16:09 +01:00
steve	191f0f1c55	tasks: defer update delivery + observability to Phase 6 ... Pull the operator-experience polish out of Phase 4 so a working v1 ships sooner. Phase 4 keeps RBAC + user mgmt (already done), OIDC, and host tags. Deferred items renumbered as P6-01..P6-05: P4-01 → P6-01 apt + Chocolatey update delivery P4-02 → P6-02 agent-version-behind-server tracking on dashboard P4-06 → P6-03 repo size trend graphs P4-08 → P6-04 Prometheus /metrics endpoint P4-09 → P6-05 Grafana dashboard JSON + integration docs None of these gate getting the system into production. They land after Phase 5 (OSS readiness) on the new Phase 6. Phase 4 remaining: P4-05 (OIDC login) + P4-07 (per-host tags + dashboard filtering).	2026-05-05 11:05:11 +01:00
steve	d85e82110f	tasks: tick P4-03/04 + sweep notes ... Live Playwright + curl sweep on the smoke env exercised the full user-management lifecycle: admin add user → setup link generated → curl-as-new-user fetches /setup (200, username on page) → POSTs password → 303 to / with Set-Cookie → 200 on dashboard, 200 on /settings/account, **403 on /settings/users** (admin-only) → admin disables → next request is **401** + session row count drops to 0 → audit log reflects user.created + user.setup_completed. Three-role middleware enforces band gates; admin is fail-closed default. Setup tokens are sha256-hashed at rest with 1h expiry; expired tokens are swept on the alert engine's 60s tick. Last-admin guard rejects disable + demote of the only enabled admin. Self- service password change at /settings/account is reachable by every role.	2026-05-05 10:57:25 +01:00
steve	3f36bcd0b0	feat(audit): P3-08 — audit log UI with filters	2026-05-05 07:49:25 +01:00
steve	c5b884a22b	tasks: tick P3-05/06/07 + Playwright sweep notes ... Sweep against the live smoke env confirmed the alerts subsystem end-to-end: three channels (webhook → local sink, ntfy → ntfy.sh, SMTP → MailHog) created and verified via the Test button; synthetic critical raised; ack + resolve fan out alert.acknowledged / alert.resolved across all three; dashboard banner appears and clears; nav badge tracks open count. Three real bugs found and fixed mid-sweep — see preceding three commits for the full reasoning.	2026-05-04 21:01:34 +01:00
steve	e4031d26fa	P3 wrap: agent auto-creates restore target; tasks.md ticked ... 1. Agent-side MkdirAll on the new-dir restore target. Restic creates missing leaves but won't traverse multiple missing levels, and under the systemd sandbox writes outside ReadWritePaths fail anyway. Calling os.MkdirAll(target, 0700) before invoking restic means the operator never has to pre-create the per-job subdir, and a path the sandbox rejects surfaces as a clean 'restic restore: prepare target ...: read-only file system' error in the job log instead of a cryptic restic-side stat failure. 2. tasks.md Phase 3 — Restore section refreshed: - P3-X4 added (job log download dropdown — txt + ndjson) - P3-X5 added (UK lint locale switch + 73-correction sweep) - P3-X6 added (SIZE/FILES tooltip when host's restic < 0.17) - P3-03 entry expanded to cover version-gated --no-ownership, editable target, $HOME expansion, agent-side MkdirAll - As-shipped sweep summary mentions custom-target restore + download dropdown + tooltip in addition to the original walk Test: TestRunRestoreNewDirAutoCreatesTarget seeds a multi-level target the operator hasn't created and confirms RunRestore mkdir's the chain before invoking restic.	2026-05-04 17:51:34 +01:00
steve	e22b41d452	P3 sweep fixes: snap-row CSS, tree expand, --no-ownership drop, target path ... Bug fixes from the Playwright sweep against the live smoke server: 1. Snapshot-picker layout. The .snap-row class was used in the wireframe but never landed in web/styles/input.css; rows rendered as vertical blocks instead of a 6-column grid. Added the token (mirrors host-row shape with restore-specific column widths). 2. Tree expansion. hx-target='closest .tree-row + .tree-children' isn't a valid HTMX selector — modifiers don't chain. Replaced HTMX-driven expansion with a small window.__rmTreeToggle helper that uses plain fetch + .tree-pair wrapper structure for trivial sibling lookup. Caches loaded state per node. 3. --no-ownership flag dropped. Restic 0.17 introduced --no-ownership; 0.16 rejects it ('unknown flag') before doing any work. Since the agent runs as root in the systemd unit, restored files keep their original uid/gid either way and the parent dir is root-owned, so the 'cp without sudo' rationale doesn't hold. Drop the flag entirely. 4. Default target dir moved to /var/lib/restic-manager/restore. The systemd unit pins ReadWritePaths to /etc/restic-manager + /var/lib/restic-manager (with ProtectSystem=strict making the rest of /var read-only); writes to /var/restic-restore failed with 'read-only file system'. 5. Confirm summary HTML escaping. defaultTarget JS literal evaluates to a string with literal angle brackets; insertion into innerHTML must escape them. Added an inline HTML-escape pass. tasks.md ticked for the Restore sub-phase with a sweep summary covering the live end-to-end test.	2026-05-04 15:57:42 +01:00
steve	454a2415dc	docs: P3 restore design spec + scope-decompose Phase 3 ... Splits Phase 3 into three independently-shippable sub-phases (Restore, Alerts, Audit UI) so they can land in separate PRs with their own brainstorm → spec → plan cycles. The Restore sub-phase is up first. The brainstorm ran on 2026-05-04 and locked the following decisions: - Single-host restore only this phase. P3-04 (cross-host restore) is moved to a new 'Future / unscheduled' section. Disaster recovery is already covered by re-enrolling a replacement host with the same repo creds; the remaining 'pull a file from host A onto host C' use case is genuinely different (file sharing / migration, not DR) and has no confirmed need. - Default target is /var/restic-restore/<job-id>/ with --no-ownership; in-place restore preserves uid/gid/mode and is gated by typed-confirmation of the host name (mirroring the repo re-init danger zone). - Tree browser is the path picker, lazy-loaded via a synchronous WS RPC (tree.list) over the existing correlation-ID infrastructure with a per-wizard-session in-memory cache (~30 min TTL). - Single-page wizard with progressively-enabled sections; entry is a top-level Restore button on host detail (or per-snapshot Restore action for direct deep-link). - Snapshot diff (P3-09) is a JobDiff JobKind, dispatched like every other agent operation; output streams to the standard live job log page. - Restore-specific live job page variant with files-restored / bytes-restored / current-file widget. - Single-flight per host across all kinds, plus a real cancel-job feature (command.cancel WS envelope, agent kills the restic subprocess via context cancel + SIGTERM/SIGKILL grace) so the operator can pre-empt a long-running backup if they need to restore urgently. Wires the existing job_detail Cancel button (which was a UI stub). - Audit row host.restore on every dispatch + a recent-restores panel on host detail. Role gate deferred to P4-03 RBAC. Wireframe at _diag/p3-restore-wizard/wireframe.html (gitignored — transient design artefact); screenshot reviewed and approved 2026-05-04.	2026-05-04 15:02:32 +01:00
steve	c691dc8a56	tasks: tick P2 completion + Playwright sweep screenshots ... P2R-09/10/11/12/13/14, P2-16/17/18 all marked done. Acceptance line for Windows hosts annotated as 'compile-verified, untested in CI'. _diag/p2-completion-sweep/ holds the dashboard + host-detail + schedules + sources + repo + source-group-edit screenshots from a clean sweep against :8080. Zero console errors throughout. announce_test.go: rate-limit + global-cap subtests dropped t.Parallel to avoid racing on the package-level tunables under -race.	2026-05-04 11:27:09 +01:00
steve	cd510d2032	tasks: collapse Phase 5 header + fix P2R-03/04 cadence cross-refs ... The Phase 5 section had drifted from the convention used by phases 1–4 (single section header carrying ✅, no separate summary block). Collapse to the existing pattern; fold the summary into a blockquote sitting right under the header. While there: P2R-03 and P2R-04 still carried forward-references saying "cadence-driven dispatch lands in P2R-04 / P2R-05". Both should point at P2R-06 (the maintenance ticker), not the next item in the list. Updated descriptions to reflect what actually shipped: LatestJobByKind anchor includes in-flight jobs, ForgetGroups multi-group payload reshape, repo.stats envelope shape, per-host drain mutex.	2026-05-04 10:26:24 +01:00
steve	18cc90d54e	tasks: tick P2R-03 through P2R-08 done	2026-05-04 10:19:15 +01:00
steve	e871b05b38	lint: drive baseline to zero, drop only-new-issues gate ... Cleanup pass over the repo so CI can enforce lint going forward without the only-new-issues escape hatch: * gofumpt -w across the tree (31 hits, all formatting) * misspell --fix (25 hits, US-locale spelling) — but reverted on api.JobCancelled = "cancelled" since that literal is the wire + DB CHECK constraint value, plus matched the case in store/fleet.go back to "cancelled" and added //nolint:misspell on both for the next time someone reaches for the auto-fix * Wrap every `defer rows.Close()` / `defer stmt.Close()` / `defer res.Body.Close()` in `defer func() { _ = .Close() }()` to satisfy errcheck without losing the close itself * websocket.Dial callers (1 prod, 4 tests) now capture + close the upgrade response Body — coder/websocket can return res with a nil Body on success, so the test deferred-closes guard against that * Annotate the two genuine-by-design nilerr cases with //nolint comments explaining why nil-on-error is the contract (cookie missing = no session; ctx cancelled mid-backoff = clean shutdown) * Add brief godoc on the 10 exported const groups + types that revive flagged (api.HostOS/HostArch/JobKind/JobStatus/LogStream/ ErrorCode, restic.EventKind, store.Role, web.FS) * Drop the unused (*Server).userByID method * Inline the unparam baseView(active) — every UI page is under the dashboard primary nav today Result: `golangci-lint run ./...` reports 0 issues. CI lint job no longer needs only-new-issues: true; X-06 follow-up entry in tasks.md removed.	2026-05-03 16:15:17 +01:00
steve	18a9f6624e	ci: migrate .golangci.yml to v2 schema + only-new-issues gate ... The bump from golangci-lint-action@v6 → v7 (which downloads the v2.x binary) was blocking CI lint with 'unsupported version of the configuration: ""' because .golangci.yml was still in the v1 schema. Migrate the config to v2: * version: "2" prelude * disable-all → default: none * linters-settings → linters.settings * gofumpt + goimports move into formatters.enable + formatters.settings * exclude-rules move into linters.exclusions.rules * gosimple drops (folded into staticcheck in v2) Fix the four lint hits in the new P2R-02 code: * host_bandwidth.go: convert hostBandwidthRequest directly to hostBandwidthView via type conversion (S1016) * ui_repo.go: drop unparam savedSection + status arguments from renderRepoPage (always "" / always 422 — split GET render from validation-fail render) * ui_schedules.go: gofumpt formatting on the scheduleEditPage struct Add only-new-issues: true to the lint job. The repo carries ~90 pre-existing findings (gofumpt drift × 31, misspell × 25, missing godoc × 10, bodyclose × 6, errcheck × 12, …) accumulated before lint was actually wired into CI. Without this gate, every PR would fail on baseline noise instead of its own changes. Track the cleanup as X-06 in tasks.md so the gate is temporary.	2026-05-03 15:00:24 +01:00
steve	2a8dd1eba2	P2R-02 ✅ — mark Phase 4 complete, all 6 slices done ... Update tasks.md: Phase 4 of the P2 redesign is done end-to-end. Slice 1–5 wired the four host-detail tabs against the new slim-schedule + source-group + repo-maintenance model; slice 6 ran a Playwright sweep against the live :8080 server (login, walk every tab, create source group, create schedule, Run-now, confirm a snapshot landed) — clean pass, no console errors. Screenshots in _diag/p2r-02-sweep/. Side-fix landed alongside slice 6: agent runner now drops restic's noisy --json status events from log.stream (the throttled job.progress envelope already covers them). Phase 5 (server-side maintenance ticker — P2R-03..08) is next.	2026-05-03 14:49:40 +01:00
steve	64d2fcf7a3	P2R-02 follow-up: clickable rows on Sources/Schedules + cron-preset tooltips ... Aligns Sources and Schedules tab rows with the dashboard's row-click UX: whole-row click navigates to the row's edit page (mirroring .host-row.clickable). Drops the redundant Edit buttons; Run-now and Delete remain in .row-action cells that sit above the row-link overlay via z-index. Schedule edit form's cron preset chips now carry human-readable title= tooltips ("Every day at 03:00", "Every Sunday at 03:00", etc). tasks.md gets a binding row-design rule covering all current and future list-row templates, and the P2R-02 entry is split into the six slices already agreed with the operator (slices 1–3 marked done, 4 next).	2026-05-03 12:01:55 +01:00
steve	d000fe7ec1	P2R-01: REST + WS rewire against the slim shape ... Schedules CRUD now takes {cron, enabled, source_group_ids[]} with cron parsed via robfig/cron/v3 and group membership scoped to the host. New source-groups CRUD lives at /api/hosts/{id}/source-groups; delete refuses with 409 if any schedule still references the group, returning the schedule list so the UI can prompt 'remove from these schedules first.' Repo-maintenance GET/PUT manages forget/prune/check cadences on host_repo_maintenance — no version bump, the server-side ticker (P2R-06) drives execution. Per-source-group Run-now (POST /hosts/{id}/source-groups/{gid}/run) resolves the group's includes/excludes/retention/tag and dispatches a backup command.run with the new structured CommandRunPayload fields (Includes/Excludes/Tag). Old per-host /hosts/{id}/run-backup and /hosts/{id}/init-repo return 410 Gone with a redirect message. schedule_push.go is rebuilt: buildScheduleSetPayload assembles the slim wire shape, pushScheduleSetOnConn ships it during the on-hello window, pushScheduleSetAsync fires after every CRUD mutation, and dispatchScheduledJob handles agent schedule.fire by iterating the schedule's source groups and dispatching one backup per group with actor_kind=schedule and scheduled_id pointing at the schedule. Auto-init at first WS connect: when the host has repo creds bound and no init job in its history, server dispatches restic init. Restic's 'config file already exists' soft-success means re-runs against an existing repo no-op; we don't auto-retry on failure (operator triggers re-init manually via the danger zone in P2R-09). api.Schedule drops Kind/Paths/Excludes/Tags/RetentionPolicy/Manual etc. in favour of {id, cron, enabled, source_groups: [...]}. The agent scheduler stops checking sch.Manual; cmd/agent's backup dispatch reads Includes/Excludes/Tag instead of Args. Tests cover the new HTTP surface end-to-end: source-groups CRUD with in-use refusal, schedule validation (bad cron / missing groups / foreign group), repo-maintenance auto-seed and validation, the 410 route, and buildScheduleSetPayload's wire-shape correctness. Full suite passes; smoke env exercises auto-init dispatch on hello, async push after schedule create, and per-source-group Run-now landing the right paths/excludes/tag at the agent.	2026-05-03 10:56:40 +01:00
steve	813158b3d6	P2 redesign · phase 2.5: tasks.md rewrite + UI patch-up ... The store rewrite in 5667cdf left tasks.md describing a data shape (fat schedules, host.repo_initialised_at, manual flag) that no longer exists, and left the host-detail templates rendering against fields the store no longer exposes. This commit reconciles both. tasks.md * Mid-phase pivot called out at the top of Phase 2 with commit hashes. * P2-01..P2-05 kept as done but stamped ⚠️ "shipped against old shape — to re-validate under P2R-02". * P2-04.5 (manual flag) struck as superseded. * New P2R-NN section covering work that previously lived only in commit messages and code stubs: P2R-00.1/00.2/00.3/00.4 — phases already shipped (this commit records 00.4) P2R-01 — REST + WS rewire against slim schedules + source groups + repo maintenance + auto-init P2R-02 — UI rewire against the v4 wireframes P2R-03..05 — prune / check / unlock command surfaces P2R-06 — server-side maintenance ticker (cadence-driven) P2R-07 — repo stats panel P2R-08 — pending_runs queue worker P2R-09 — auto-init UX polish P2R-10..12 — pre/post hooks rehomed from schedule onto source group P2R-13..14 — bandwidth + next/last-run surface * P2-16/17/18 (Windows + announce-and-approve) untouched. * Phase 2 acceptance criteria rewritten against the new model. UI patch-up (P2R-00.4) * host_detail.html + host_row.html: removed every $host.RepoInitialisedAt reference (column dropped in migration 0008 — render was 500'ing). * Removed manual init-repo branches; the auto-init path replaces them. * Schedules sub-tab demoted from active link to inert div until P2R-02 rebuilds the page (it was linking to a raw 501 from the stubbed ui_schedules.go handlers). * Disabled the four per-host Run-now buttons (dashboard row + host detail header + empty-snapshots state + right-rail) with a "lands in P2 Phase 4" hint — handler is 501-stubbed pending P2R-01, so leaving them clickable produced silent failures over htmx. * Dashboard row-action becomes "Open →" instead of Run-now. Project tooling * .mcp.json at repo root: project-scoped Playwright MCP override. Forces --headless (so I don't pop a browser at the operator) and --output-dir _diag (so screenshots / traces land in the gitignored _diag/ directory rather than scattered at the repo root). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 09:13:05 +01:00
steve	fdecde0d5c	P2-05: forget command with retention policy ... End-to-end forget plumbing — operator can create a forget schedule with keep-* values, agent runs restic forget --keep-* … on the schedule's cron (or via per-row Run-now), snapshot list shrinks, UI updates. * api.CommandRunPayload gains retention_policy json.RawMessage so the agent doesn't need a typed copy of the server-side struct. * restic.ForgetPolicy mirrors restic's --keep-* flags. Empty() reports zero dimensions; restic wrapper RunForget refuses to run an empty policy (would delete every snapshot). Does NOT pass --prune — pruning lives behind a separate admin-only credential (P2-06); forget just rewrites the snapshot index. * runner.RunForget mirrors RunBackup's envelope shape so the live log viewer works without special-casing. On success triggers reportSnapshots (forget shrinks the index, the host's snapshot count almost certainly changed). * cmd/agent dispatcher handles MsgCommandRun with kind=forget, decodes RetentionPolicy from the wire, builds restic.ForgetPolicy. * Server dispatchScheduleNow marshals the schedule's RetentionPolicy into the wire payload for kind=forget jobs. Refuses to dispatch a forget schedule with empty retention. * validateSchedule rejects kind=forget without at least one keep-* dimension (new error code: missing_retention). * UI schedule edit form gains a Kind dropdown (backup or forget; immutable on edit). Paths block toggles by kind via inline data-kind attributes. Form help-text explains the prune separation. Other kinds (prune, check, unlock) deferred to P2-06..08; the Kind dropdown only offers backup and forget today. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 14:07:42 +01:00
steve	148e61b33b	P2-04.5: kill host.default_paths in favour of manual schedules ... Two independent path lists for "what does this host back up?" was a real divergence footgun — operator types one set at Add-host time and a different set into a schedule, both end up in the same repo, the snapshot history looks fine until restore. Resolution: drop host.default_paths entirely; add a `manual` flag on schedules. A manual schedule has paths/excludes/tags/retention like any other but no cron — it fires only via per-schedule Run-now. Single source of truth for what gets backed up. Schema (migration 0007): * schedules.manual INTEGER NOT NULL DEFAULT 0. * For every host with non-empty default_paths, seed a manual schedule with those paths and bump host_schedule_version. * ALTER TABLE hosts DROP COLUMN default_paths. * ALTER TABLE enrollment_tokens RENAME COLUMN default_paths TO initial_paths. Original draft of this migration rebuilt hosts via the create-new + drop-old + rename-new pattern. With foreign_keys=ON (set in the connection DSN), DROP TABLE on the parent fired ON DELETE CASCADE on every child of hosts(id) — schedules / jobs / snapshots / host_credentials all wiped on the smoke env when I tried it. SQLite 3.35+ supports column-level ALTERs directly, so we skip the rebuild dance and avoid the cascade trap. Six lines of SQL instead of sixty, no FK risk. Run-now rewiring: * New `dispatchScheduleNow(hostID, scheduleID, conn?)` helper unifies the agent-driven path (cron fire → schedule.fire → OnScheduleFire callback) and the UI-driven path (operator clicks Run-now on a schedule row). Conn arg is optional; nil falls back to Hub.Send. * New POST /hosts/{id}/schedules/{sid}/run endpoint — per-row Run-now button on the schedules list. * Dashboard's per-host Run-now (handleUIRunBackup) now picks the host's only enabled manual schedule, falls back to the only enabled schedule, else returns "pick one in Schedules tab". Keeps one-click for the common case. Agent: * Scheduler skips manual schedules in cron build (silent — they're a normal data shape, not an error). * Wire Schedule struct gains Manual flag. * Schedule.fire flow unchanged — the agent only ever fires non-manual schedules anyway. UI: * Add-host form retitled "Initial schedule · manual" so the operator knows the paths become an editable schedule under the Schedules tab. Result page calls out the manual schedule + points at Host > Schedules. * Schedule edit form: "Manual schedule" checkbox at the top of the When section; toggling it hides/shows the cron field via inline JS. Server-side validator skips the cron requirement when manual=true. * Schedule list shows a "manual" tag under the status pill and renders the When column as "— run-now only —" for manual rows. Each row gets a Run-now button when the schedule is enabled and the host is online. Tests + go test ./... green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 12:26:06 +01:00
steve	160d788bae	P2-04: schedule editor UI ... Closes the schedule foundations slice — operator can now drive the plumbing P2-01..03 landed without touching the JSON API. * New routes: - GET /hosts/{id}/schedules (list) - GET /hosts/{id}/schedules/new (create form) - POST /hosts/{id}/schedules/new (create) - GET /hosts/{id}/schedules/{sid}/edit (edit form) - POST /hosts/{id}/schedules/{sid}/edit (update) - POST /hosts/{id}/schedules/{sid}/delete (delete, confirm-then-redirect) * List view (web/templates/pages/schedules_list.html): status, cron, paths, retention summary, tags, edit/delete buttons. Header shows "version N · agent in sync" or "agent at vM" when the push hasn't been ack'd yet — backed by host_schedule_version + applied_schedule_version. Empty-state CTA points at /schedules/new. * Create/edit form (web/templates/pages/schedule_edit.html, shared): cron expression with five quick-pick presets (daily 3am / every 6h / @hourly / weekly Sun / monthly 1st), paths textarea (one per line), excludes textarea, tags (comma-separated), retention as six numeric fields (mirrors restic's --keep-* flags one-for-one), bandwidth caps, enabled toggle. Side panel explains the reconciliation flow so the operator knows what saving actually does. Validation errors re-render with operator's input intact. * internal/server/http/ui_schedules.go owns the handlers; reuses the same validateSchedule + pushScheduleSetAsync used by the JSON API path. Each save audit-logs schedule.created / schedule.updated / schedule.deleted (matching the JSON API actions). * store.RetentionPolicy gains a Summary() method ("last=7, d=14, w=4" or "—"). Used by the list view's table cell so templates don't have to do any conditional retention rendering. * Two new template helpers: list (string varargs → []string, used for the cron preset row) and joinComma (sibling to joinDot for the rare list that wants commas). RetentionPolicy.Summary covers the schedule-list case but the helpers are general. * host_detail.html secondary tabs row converted from inert <div>s into <a> links. Snapshots active by default; Schedules now points at the new page. Jobs/Repo/Settings remain inert until their P2 owners ship. Hooks UI deferred to P2-15 (lands with the hook execution path). Single-kind UI (backup only) by design — other kinds get a UI when their job dispatch lands in P2-05..08. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 11:44:40 +01:00
steve	6450bf1b88	P2-02 (agent side) + P2-03: agent scheduler + schedule.fire dispatch ... Closes the schedule reconciliation loop end-to-end. * New `internal/agent/scheduler` package wraps robfig/cron/v3 with the lifecycle the agent needs: - Apply(ScheduleSetPayload, Sender) stops the prior cron (waiting for in-flight entries to return), rebuilds from scratch, starts, and emits schedule.ack with the version we just applied. - Disabled entries skipped silently; bad cron exprs (which shouldn't reach us — the server validates — but defensive) log a warn and skip. - On each cron tick the entry sends a new schedule.fire envelope to the server with {schedule_id, scheduled_at}. The scheduler itself never builds CommandRunPayloads — server is the source of truth for jobs. - tx is swapped on every Apply, so reconnect is handled naturally: cron entries that fire against a dropped tx log "no active connection" and skip the tick. - Stop() is idempotent and waits for the cron's in-flight workers via cron.Stop().Done(). * New wire message api.MsgScheduleFire + api.ScheduleFirePayload for the agent → server "I just fired locally" RPC. * Server-side dispatch (schedule_push.go: dispatchScheduledJob): looks up the schedule by id, validates ownership + that it's enabled, builds args from kind (paths for backup; other kinds are still arg-less in Phase 2 and grow as those job kinds land in P2-05..08), persists a jobs row with actor_kind=schedule + scheduled_id, and writes command.run back on the same conn so the agent runs through its existing dispatch path. * store.CreateJob now writes scheduled_id. This column was in the schema since 0001 but never populated — the original P1 path only had operator-driven jobs, so actor_kind was always 'user' and scheduled_id was always nil. * cmd/agent/main.go integration: dispatcher gains a *scheduler.Scheduler; the MsgScheduleSet case now hands the payload to scheduler.Apply (in a goroutine so the WS read loop keeps draining other messages). * WS dispatcher gains OnScheduleFire alongside OnScheduleAck. * Tests: - scheduler unit tests (4): ack-on-apply, cron tick fires schedule.fire envelope, disabled entries don't fire, replace- prior-state stops the old cron. - Server-side end-to-end: schedule.fire → command.run with the right job_id / kind / args, plus jobs row with actor_kind= "schedule" and scheduled_id linking back to the schedule. Persistence of next-fire times across agent restarts is deliberately deferred. A missed fire window during downtime simply fires once on reconnect — that's the desirable behaviour (the operator wants the missed backup to run, not be silently skipped because we lost track of when it was due). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 11:29:12 +01:00
steve	946b6db137	P2-02 (server side): schedule reconciliation push + ack handling ... Server is now the source of truth for the agent's cron set. * Helpers in schedule_push.go: - loadScheduleSetPayload reads the host's schedules + canonical version into the wire shape. - pushScheduleSetOnConn writes directly to a just-handshaken conn (avoids racing against Hub.Register on a brand-new connection). - pushScheduleSetAsync is the post-CRUD flavour — no-op when the host is offline (the next reconnect's on-hello path catches it up, so a missed push is non-fatal). - applyScheduleAck records what version the agent has confirmed. * onAgentHello restructured: was returning early when the host had no repo credentials, which made the schedule push unreachable for fresh hosts. Split into pushRepoCredsOnHello (silent no-op on ErrNotFound) + pushScheduleSetOnConn (always runs). Empty schedule list is a valid push: tells the agent to drop stale cron entries. * WS dispatcher gains an OnScheduleAck hook on HandlerDeps; the http server wires it to applyScheduleAck. MsgScheduleAck moves out of the "TODO(P2)" group into a real case that decodes the payload and forwards to the callback. * Schedule CRUD handlers each fire pushScheduleSetAsync after the audit-log write so the agent picks up changes within seconds. Tests cover: - On-hello push of an already-created schedule, agent acks, applied_schedule_version flips on the host row. - Connect-then-CRUD: empty initial push (version 0), then a follow-on push at version 1 after the operator creates a schedule via REST. Agent-side `schedule.set` handler (parse, replace local cron, emit `schedule.ack`) is the remainder of P2-02 and lands with P2-03's local scheduler. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 11:22:06 +01:00
steve	4b075840a1	P2-01: schedule schema + CRUD API ... The `schedules` table was already laid down in migration 0001; this slice adds the Go-side data model, store CRUD with atomic version bumps, and REST endpoints. * `store.Schedule` + `RetentionPolicy` + `ScheduleOptions` typed views (the wire form on the agent side keeps retention/options as raw JSON since the agent just forwards them to restic). * Store CRUD: CreateSchedule / GetSchedule / ListSchedulesByHost / UpdateSchedule / DeleteSchedule. Each mutation bumps `host_schedule_version` atomically in the same tx via UPSERT on `host_schedule_version`. SetHostAppliedScheduleVersion records what the agent has confirmed via schedule.ack (P2-02 will use it). * REST endpoints under /api/hosts/{id}/schedules + /{sid}: GET (list, with the version envelope so callers can detect drift), POST (create), PUT (update — kind is immutable), DELETE. * Validation: cron expressions parse via robfig/cron/v3 (same parser the agent will use, so anything that validates here will fire there); kind ∈ {backup, forget, prune, check} (init/unlock are operator-only one-shot kinds, not schedulable); backup schedules require ≥1 path; hooks rejected on non-backup kinds (spec §14.3). * All mutations audit-logged. * Tests: store-level CRUD + version-bump invariants; REST happy path (create→list→update→delete with version progression); REST validation table covers each rejection code. newTestServerWithHub now sets BootstrapToken so the schedules handler tests can use the existing login flow without a parallel test-server constructor. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 11:12:58 +01:00
steve	bd434bd1d0	P1-26: live job log viewer + WS browser fan-out hub ... Closes the P1-21 remainder. internal/server/ws/jobhub.go — new JobHub. Per-job_id set of subscribers; each gets a 64-deep buffered channel with a writer goroutine. Broadcast is non-blocking: if a subscriber is slow, its channel fills and messages are dropped for that subscriber only — the agent's read loop is never blocked by a stuck browser. The agent dispatchAgentMessage path mirrors job.started / job.progress / log.stream / job.finished envelopes onto the hub in addition to its existing persistence work. The wire shape is the same end-to-end, so client-side JS switches on env.type the same way Go code does. GET /api/jobs/{id}/stream is the browser endpoint. Auth via session cookie (HTTP layer); upgrade; subscribe; pump until context closes. GET /jobs/{id} renders the live log page. Three states (queued/ running/succeeded/failed) drive the header pill, the progress bar block, the failure summary panel, and the action button (Cancel job while running, Back to host afterwards). Already- persisted log lines are server-rendered on initial load; new lines arrive over the WS and append to #log-stream. Auto-scrolls unless the user scrolls up (a "⇢ Follow" pill re-attaches). On job.finished the page reloads after 600ms to pick up the final-state header rendered server-side. POST /hosts/{id}/run-backup now sets HX-Redirect → /jobs/{job_id} on success so HTMX lands the operator straight on the live log. For non-HTMX callers (curl / plain form post) it 303s to the same target. store.ListJobLogs returns persisted log lines for initial render on page load. Browser-verified end-to-end: enrol → run a real backup against a sibling restic/rest-server → live progress + 11 log lines stream in → succeeded pill + final stats land after page reload. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 21:45:56 +01:00
steve	26a2b85e13	P1-25: host detail page (snapshots tab default) ... GET /hosts/{id} renders the v1 host detail layout: - persistent header: status dot (pulse if a job is in flight), monospace name, tags, plus a metadata strip (os/arch, agent version, restic version, "last seen Xs ago" or "online · last heartbeat …"). - vitals strip: four tiles for last backup (status + relative time), repo size, snapshot count, open alerts. - sub-tabs: Snapshots is active; Jobs / Repo / Settings are visible but inert until P2. - snapshot table: short id, time (absolute), paths joined with " · ", size, file count, restore button (disabled — wires up in P3). - right rail: run-now stack (backup live, forget/prune/check/ unlock disabled with the Phase tag), danger-zone remove panel (also disabled for now). Empty state: when a host has no snapshots yet, the table replaces itself with a "no snapshots yet" prompt that includes the run-now button (provided the agent is online). Pagination cap of 50 most-recent snapshots; full pagination lands when fleet sizes demand it. Template helpers grew: comma() now accepts int / int32 / int64 so templates don't fight Go's type inference; joinDot() concatenates a []string with " · "; absTime() formats time.Time as YYYY-MM-DD HH:MM:SS; the existing relTime() already accepts T or *T after P1-27. Browser-verified end-to-end with seeded fixture data. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:20:21 +01:00
steve	dad8c7fe99	P1-27: Add host flow — form + minted-token result page ... GET /hosts/new renders the focused two-column form (hostname, tags, repo URL/username/password). POST /hosts/new validates, mints a one-time token via the new mintEnrollmentToken helper — shared with the existing JSON /api/enrollment-tokens endpoint — and re-renders the same page in result state showing: - the install command with RM_SERVER + RM_TOKEN filled in (and an inline copy-to-clipboard button), - an "awaiting agent connection" panel with the hostname pre-filled, - a troubleshooting list pointing at the most common reasons the agent doesn't appear, - back-to-dashboard / add-another-host links. publicURL() resolves RM_BASE_URL first, falling back to scheme + Host on the inbound request — useful for local smoke without a proxy. Browser-verified end-to-end: form submit → token minted → install command renders with the right values from the form input. template fn formatRelTime now accepts time.Time *or* *time.Time so templates can pass either without fighting Go's lack of an address-of operator. Deferred: download-preconfigured-installer (a templated .sh with the values baked in) — copy-paste covers v1; nice-to-have later. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:16:54 +01:00
steve	ee16bc7ce7	P1-24: live dashboard — fleet summary tiles + host table ... Server-rendered HTML view backed by: - new store.FleetSummary aggregating host counts + repo bytes + snapshot total + open alerts + last-24h job rollup in two queries. - GET /api/hosts (JSON list of hosts in the dashboard projection). - GET /api/fleet/summary (JSON aggregate, same shape as above). The HTML page (web/templates/pages/dashboard.html) renders the four summary tiles + host table directly from store data — no separate fetch. Per-row state colour comes from .host-row.{degraded,failed, offline} which paint a 3px left edge so problem hosts are scannable without reading. HTMX is loaded into the base layout so per-row "Run now" buttons can hx-post to /hosts/{id}/run-backup, a thin HTML wrapper that funnels into a new dispatchJob helper shared with the JSON /api/hosts/{id}/jobs endpoint. Empty state (zero hosts) collapses to the "no hosts yet" prompt with the + Add host CTA — matches the v1 mockup. Template helpers (internal/server/ui/funcs.go) added for byte formatting (412 GB / 3.7 TB), relative time (3m ago / 2d ago), and comma grouping (1,847). Pure Go, no template-magic dependency. Browser-verified end-to-end with seeded fixture data: five hosts across all four states render with correct dots, accents, last- backup pills, sizes, snapshot counts, alerts, tags, and the right action button (Run now / Retry / Run first / View → / offline). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 19:29:11 +01:00
steve	229f89fee2	P1-23 / P1-28: base layout, login, session-aware nav + Tailwind build ... P1-28: Tailwind standalone CLI wired into the Makefile. `make tailwind` downloads the pinned v3.4.17 binary into bin/tailwindcss (gitignored), builds web/styles/input.css → web/static/css/styles.css. `make build` now runs the CSS pass first; `make tailwind-watch` for dev. Output is embedded in the binary via web.FS — single static binary, no Node. The CSS source carries every component class the v1 mockups defined (status dots, buttons, host row, log viewer, progress bar, fields, chips, snippet panel, empty state) so screens that land later can just reach for them. P1-23: html/template tree at web/templates with two layouts (base with chrome, chromeless for login + bootstrap), one nav partial, and two pages (dashboard placeholder, login). internal/server/ui parses the tree at startup; ui_handlers.go in the http package wires: GET / dashboard (303 → /login when unauthed) GET /login sign-in form POST /login consume form, mint session cookie, 303 → / POST /logout drop cookie, 303 → /login GET /static/* embedded Tailwind bundle The HTML login flow shares store/session logic with /api/auth/login via a new authenticateAndSession helper — same security guarantees, two surface representations (HTML form / JSON). Verified end-to-end: bootstrap → form-login → authed dashboard → sign-out → 303 cycle works in the browser; Tailwind output emits only the component classes referenced in the live templates (9.6kB minified). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 19:19:06 +01:00
steve	5d1951ad94	P1-34: e2e smoke runbook + redacted GET /repo-credentials ... Adds docs/e2e-smoke.md — an ~5-minute runbook that walks the full P1 happy path against a sibling restic/rest-server: bootstrap admin, mint token with repo creds, enrol an agent, watch the config.update push land, run a backup, confirm the snapshot, edit creds and watch the second push fire. Per the design discussion this is a runbook (not a Go integration test); the Playwright version lands in P5-06. GET /api/hosts/{id}/repo-credentials returns the redacted view — {repo_url, repo_username, has_password} — so the UI can pre-fill the edit form without ever pulling the password out of the AEAD blob. Marks P1-32 / P1-33 / P1-34 done in tasks.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 13:49:34 +01:00
steve	e58917106d	spec/tasks: pull repo-credential plumbing into Phase 1 ... Adds P1-32/33/34: encrypted repo creds carried on the enrollment token, agent-side AEAD secrets file, end-to-end smoke. spec.md §4.2 and §7.3 rewritten to describe the full flow (server-issued at token time, pushed via config.update on hello, persisted encrypted on the agent) and to make the encrypted-file-now / OS-keyring-Phase-2 split explicit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 12:32:53 +01:00
steve	6c9558c703	tasks: add P2-18 announce-and-approve, expand P1-27 with preconfigured installer ... P2-18 captures the keypair + fingerprint-comparison enrollment flow as a Phase 2 alternative to the token model. Includes guards (rate limit, pending cap, hostname-collision flagging) and explicit acceptance criteria. P1-27 grows to mint encrypted repo creds alongside the token and expose a one-click preconfigured-installer download from the "Add host" form (cf. UrBackup Internet-mode push installer). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 12:31:28 +01:00
steve	3904a78f14	P1-22: snapshot listing via restic snapshots --json ... Agent calls restic snapshots --json after each successful backup (60s timeout, separate from the backup ctx) and ships the projection over the existing snapshots.report WS envelope. Failure here is logged but doesn't fail the job — the next successful backup catches the projection up. Server-side ReplaceHostSnapshots is delete-then-insert plus a hosts.snapshot_count update in one transaction so the dashboard's per-host count stays consistent with the projection. New read endpoint GET /api/hosts/{id}/snapshots returns the cached list with a refreshed_at marker so the UI can show staleness when an agent has been offline. Schema: dropped the unused snapshots.repo_id FK (repos as a first-class entity is P2 work), added short_id and refreshed_at columns, switched the time index to DESC for the most-recent-first list query. api.Snapshot gains short_id; size_bytes/file_count come from the embedded summary block on restic 0.16+ and stay zero on older clients. Tests cover round-trip, authoritative replacement after forget+prune shrinkage, and empty-after-wipe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 11:20:57 +01:00
steve	77a305d064	tasks.md: mark Phase 1 progress ... Captures the state landed in this session: Done (P1-01..03, P1-05, P1-06, P1-08..16, P1-17..20, P1-29): HTTP server, store + schema, crypto, first-run bootstrap, every API type with wire-shape tests, WS transport, enrollment + hello + heartbeat round-trip, agent config + service unit + WS client + sysinfo, restic wrapper, job lifecycle store + run-now endpoint, agent runner. Partial (P1-04, P1-07, P1-21, P1-31): CSRF middleware lives with the UI work; audit middleware sweep lives with rest of API; live job-log fan-out needs the per-job browser hub; signed agent binaries deferred to Phase 5. Open (P1-22..28): Snapshot listing, full UI suite (login, dashboard, host detail, live job log, add-host, Tailwind build). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 00:46:16 +01:00
steve	c275f4ff4c	phase 1 foundations: api types, store, crypto, auth ... Lands the bottom three layers of Phase 1: P1-08 internal/api: protocol_version + envelope + every WS message shape from spec.md §6.2 (Hello, Heartbeat, Job*, Schedule*, etc). Wire-format tests pin the JSON shape so a rename here breaks tests instead of silently breaking the agent. P1-02 + P1-03 internal/store: SQLite via modernc.org/sqlite, embed.FS + a tiny version table for hand-rolled migrations. 0001_initial.sql covers every table from spec.md §5 plus enrollment_tokens and host_schedule_version. Typed accessors for users / sessions / enrollment / audit. WAL + foreign_keys + busy_timeout on by default. P1-06 internal/crypto: XChaCha20-Poly1305 AEAD wrapper with per-message random nonce. Key file lifecycle (generate + refuse-to-overwrite, load with size validation). Optional additionalData binds ciphertext to the row that owns it. P1-04 internal/auth (partial — passwords + tokens; sessions middleware lands with the HTTP handlers): argon2id following RFC 9106 (64 MiB / t=3 / p=4 / 32B), constant-time verify. HashToken stores SHA-256 of session/agent/enrollment tokens so a stolen DB doesn't hand over credentials. Build floor moves to Go 1.25 (modernc.org/sqlite v1.50+ requires it); CI + Dockerfile + README updated. Markdown lint diagnostics on tasks.md cleared. All packages tested. ~70 new tests pass in <1s. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 00:24:40 +01:00
steve	595546afb9	spec/tasks: address pre-Phase-1 design feedback ... Doc-only changes captured before any Phase 1 code lands. spec.md: - §4.1 nhooyr.io/websocket → github.com/coder/websocket (the maintained fork; the original is unmaintained) - §4.1 RM_LISTEN documented as source of truth for the bind port; add RM_TRUSTED_PROXY env var for X-Forwarded-* handling behind Caddy/Traefik - §4.2 Phase 1 ships Linux only; Windows binaries continue to build in CI to keep the codebase portable, but service integration + installer move to Phase 2 - §4.2 self-update via apt/choco, not bespoke signed binaries - §5 add Host.protocol_version + Host.applied_schedule_version - §6.2 lock protocol_version handshake semantics (clean error on mismatch, not weird JSON parse failures) - §6.2 schedule reconciliation when server unreachable: agent keeps firing last-known-good indefinitely; server's view canonical on reconnect; UI surfaces drift via applied_schedule_version - §6.2 schedule.set carries schedule_version; new schedule.ack agent→server message - §10.1 cross-reference RM_LISTEN ↔ compose port mapping - §14.3 hooks rejected at validation on non-backup schedule kinds tasks.md: - P1-14 / P1-30 (Windows service + install.ps1) → Phase 2 as P2-16 / P2-17 - P1-29 install.sh detects existing restic timers/cron and prints disable commands, doesn't auto-disable - Phase 1 acceptance: drop Windows from end-to-end criterion, require windows cross-compile in CI - P4-01 rewritten: package-manager-based update delivery - P5-08 removed (duplicate of P4-08 Prometheus /metrics) - Various references updated No Go code changes; build still clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 00:12:55 +01:00
steve	c9368de904	phase 0: project bootstrap ... P0-01 Go module + cmd/server + cmd/agent skeletons + internal/ tree P0-02 LICENSE (PolyForm NC 1.0.0), README, CONTRIBUTING P0-03 golangci-lint, pre-commit, .editorconfig, .gitignore P0-04 Gitea Actions CI: test (race+coverage), lint, cross-platform build matrix P0-05 Dockerfile.server (multi-stage, distroless/static), docker-compose.yml P0-06 Makefile with build/test/lint/fmt/run/release targets build, vet, test, and cross-compile to linux/{amd64,arm64} + windows/amd64 all verified locally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 00:03:59 +01:00
steve	7612687a14	initial setup ready	2026-04-30 23:55:52 +01:00