Conversation
- Add EntraIdService with OAuth 2.0 Authorization Code Flow and PKCE support
- Implement ID token validation via JWKS with configurable caching
- Add federated identity provisioning and account linking on first SSO login
- Support automatic group-to-role synchronization from Entra ID claims
- Add database migrations for federated_identities and oauth_state_store tables
- Create /api/auth/entra-id/* routes for login, callback, and token exchange
- Add EntraIdLoginButton component with Microsoft branding for frontend
- Implement server-side ephemeral state store with 10-minute TTL
- Add single-use authorization code flow for secure frontend token delivery
- Update authentication middleware to treat federated and local auth identically
- Add comprehensive unit, integration, and property-based test coverage
- Update configuration schema and environment examples for Entra ID setup
- Add Entra ID integration documentation with setup and group mapping examples
- Ensure zero disruption to existing local authentication flows

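The PKCE and server-side state pieces this commit describes (an ephemeral store with a 10-minute TTL, single-use entries, S256 code challenge), written out as an added TypeScript example. This is not the project's EntraIdService and not code from the page; the names EphemeralStore, PendingLogin, beginLogin and resolveCallback, the scope string and the injectable clock are assumptions made for the example, and the actual token exchange with Entra ID and the JWKS check of the ID token are outside what it shows.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// All names in this block are constructed for the example; the project's own types are not on the page.
export const TEN_MINUTES_MS = 10 * 60 * 1000;

export interface PendingLogin {
  verifier: string; // PKCE code_verifier: stays server-side, never reaches the browser
  nonce: string;    // expected in the ID token's "nonce" claim after the exchange
  returnTo: string; // where the user goes once login completes
}

// RFC 7636 requires base64url without padding for verifier and challenge.
function b64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// S256 pair: 32 random bytes give a 43-character verifier; challenge = BASE64URL(SHA-256(verifier)).
export function makePkcePair(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32));
  const challenge = b64url(createHash("sha256").update(verifier).digest());
  return { verifier, challenge };
}

// The check the authorization server performs at its token endpoint, included so the
// example can be verified locally. Constant-time compare on equal-length buffers.
export function pkceMatches(verifier: string, challenge: string): boolean {
  const expected = Buffer.from(b64url(createHash("sha256").update(verifier).digest()));
  const actual = Buffer.from(challenge);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Server-side ephemeral store: random opaque keys, fixed TTL, single-use consumption.
// The clock is injectable so expiry can be exercised without sleeping.
export class EphemeralStore<T> {
  private readonly entries = new Map<string, { value: T; expiresAt: number }>();
  private readonly ttlMs: number;
  private readonly now: () => number;

  constructor(ttlMs: number, now: () => number = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
  }

  issue(value: T): string {
    const key = b64url(randomBytes(32));
    this.entries.set(key, { value, expiresAt: this.now() + this.ttlMs });
    return key;
  }

  // First caller wins: the entry is deleted before the TTL check, so a replayed
  // or expired key yields undefined and the same key can never succeed twice.
  consume(key: string): T | undefined {
    const entry = this.entries.get(key);
    if (!entry) return undefined;
    this.entries.delete(key);
    return entry.expiresAt > this.now() ? entry.value : undefined;
  }

  // Periodic cleanup for states that were issued but never came back from the IdP.
  sweep(): number {
    let removed = 0;
    for (const [key, entry] of this.entries) {
      if (entry.expiresAt <= this.now()) {
        this.entries.delete(key);
        removed++;
      }
    }
    return removed;
  }
}

export interface LoginOptions { authorizeEndpoint: string; clientId: string; redirectUri: string; returnTo: string }

// Step 1 (login route): mint state, nonce and PKCE pair, keep the secret half server-side,
// and build the authorize URL the browser is redirected to.
export function beginLogin(store: EphemeralStore<PendingLogin>, opts: LoginOptions): { state: string; authorizeUrl: string } {
  const { verifier, challenge } = makePkcePair();
  const nonce = b64url(randomBytes(16));
  const state = store.issue({ verifier, nonce, returnTo: opts.returnTo });
  const url = new URL(opts.authorizeEndpoint);
  url.searchParams.set("client_id", opts.clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", opts.redirectUri);
  url.searchParams.set("scope", "openid profile email"); // assumed scope set
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  url.searchParams.set("code_challenge", challenge);
  url.searchParams.set("code_challenge_method", "S256");
  return { state, authorizeUrl: url.toString() };
}

// Step 2 (callback route): the state from the query string must match a live, unused entry.
// The returned verifier goes into the token request; the nonce is compared with the ID token.
export function resolveCallback(store: EphemeralStore<PendingLogin>, state: string | null): PendingLogin {
  const pending = state ? store.consume(state) : undefined;
  if (!pending) throw new Error("state unknown, expired or already used");
  return pending;
}
```

The same EphemeralStore with a much shorter TTL is one way to implement the single-use delivery code this commit mentions: after the callback has exchanged the authorization code, issue() the resulting session material under a fresh key, redirect the frontend with that key, and let the frontend's exchange endpoint consume() it exactly once.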
- Update Docker image version labels in Dockerfile, Dockerfile.alpine, and Dockerfile.ubuntu
- Bump backend package.json version from 1.4.0 to 1.5.0
- Update backend API server version in health check endpoint
- Bump frontend package.json version from 1.4.0 to 1.5.0
- Update Navigation component to display v1.5.0.alpha
- Bump Helm chart appVersion from 1.4.0 to 1.5.0
- Update root package.json version from 1.4.0 to 1.5.0

- Add comprehensive upgrading.md guide covering Git, Docker, Docker Compose, and Kubernetes deployment methods
- Document database backup requirements and migration behavior before upgrading
- Update README with inline upgrading section and link to full upgrade guide
- Add upgrading link to README documentation navigation
- Update CHANGELOG to reflect v1.5.0 release with v1.4.0 dated as 2026-06-05
- Clarify "classic infrastructure" description to include Kubernetes nodes
- Remove roadmap section and replace version history with CHANGELOG reference
- Consolidate upgrade instructions across all deployment methods with clear step-by-step procedures

- Add console-integration specification with design, requirements, and task documentation
- Archive 70+ completed specifications to done directory including:
  * Puppet and PuppetDB integration specs
  * Release and testing documentation
  * RBAC authorization and SSH integration specs
  * Azure and Checkmk integration specs
  * Code review fixes and journal enhancements
  * Node groups, parallel execution, and Proxmox integration specs
- Reorganize specification structure to separate active work from completed milestones
- Improve project documentation organization for future reference and auditing

…anagement and UI widgets
- Add ConsolePlugin interface and console-specific types for transports, capabilities, and session states
- Implement ConsoleSessionManager service with token generation, session CRUD, validation, and concurrent limits
- Add ConsoleWebSocketProxy service for VNC/SPICE protocol relay and binary stream handling
- Create console configuration schema with timeout, duration, and heartbeat parameters
- Add database migrations for console_sessions and console_permissions tables with RBAC integration
- Implement Proxmox console provider for VNC access to virtual machines
- Add /console API routes for session creation, validation, connection, and termination
- Create 14 property-based tests covering token validation, RBAC, availability, binary relay, malformed input handling, and concurrent limits
- Add frontend widgets: ConsoleViewer, ConsoleAccessWidget, GeneralInfoWidget, LatestActionsWidget, MonitoringSummaryWidget, PuppetRunsWidget
- Implement widget grid layout system with dynamic widget registry for node detail page
- Add ActionRow and WidgetFrame components for consistent widget presentation
- Include comprehensive audit logging for all console session operations
- Update configuration service to parse and validate console environment variables
- Completes console integration specification with full end-to-end functionality from session creation to user access and monitoring

…ame components
- Add property-based tests for widget registry validation (registration preservation, column span clamping, integration filtering)
- Add unit tests for WidgetFrame component (column span application, error badge content, loading skeleton, error state with retry)
- Add unit tests for WidgetGrid component (action row composition, error isolation, integration status error handling)
- Add integration test for WidgetGrid with mocked integration status and test widget registration
- Add mock widget components for testing (MockReadyWidget, MockErrorWidget, MockNeverReadyWidget)
- Fix console API response structure in ConsoleViewer to destructure session from nested response
- Resolve linked/merged node identifiers to provider-specific IDs in getConsoleCapabilities and createSession
- Update IntegrationManager to use cached inventory for node ID resolution without extra fetches
- Update console route handler to resolve FQDN and merged inventory names to provider-specific formats
- Mark completed widget grid specification tasks in project documentation

…ation
- Add new PuppetAgentActionsWidget component for managing Puppet agent operations
- Implement puppetAgentActions widget with registry integration
- Update security middleware to exclude non-credential auth endpoints from rate limiting (GET /providers, POST /refresh, POST /logout, GET /callback)
- Enhance ConsoleAccessWidget with expandable state and integration badges
- Expand GeneralInfoWidget with comprehensive system information display (CPU, memory, disk, network interfaces)
- Update LatestActionsWidget with enhanced filtering and pagination
- Refactor PuppetRunsWidget to support new data structures
- Improve Navigation component with updated styling and route handling
- Add PUBLIC_PATHS set to App.svelte for conditional navigation shell rendering
- Update widget registry with new puppet agent actions widget
- Ensure authenticated users only see navigation and footer on protected routes

- Add build tools (python3, make, g++) installation in backend-deps stage
- Update npm install to use --build-from-source flag for sqlite3 compilation
- Apply changes across all Dockerfile variants (standard, Alpine, Ubuntu)
- Resolves glibc version mismatches in Debian bookworm (2.36) and missing musl binaries
- Adds hadolint ignore comments for package manager operations

- Add SSO code detection and exchange in App.svelte before router initialization
- Implement processingSso state to block route rendering during code exchange
- Add loading UI for SSO completion flow with spinner and status message
- Refactor Router.svelte auth guards to use derived state instead of side-effects
- Split authorization logic into separate derived computed property for clarity
- Move redirect side-effects into dedicated $effect block for better control flow
- Add authorized guard check before rendering route components
- Prevent auth guard from firing during SSO callback to avoid race conditions
- Add accessibility attributes (role, aria-label) to loading spinner in Router
- Ensure SSO code is exchanged before setup status check runs

…tion authorization bypass
- Add database migrations for Checkmk write permissions schema
- Implement monitoringActions route with proper authorization checks
- Enforce command-whitelist validation on all execution paths including batch and re-execute endpoints
- Add RBAC middleware to executions router to prevent unauthorized command execution
- Update Checkmk service to support write operations with validated action types
- Add comprehensive security tests for execution authorization and command validation
- Update configuration schema and documentation for new security controls
- Fix WebSocket TLS verification in console proxy to enable upstream certificate validation
- Add security assessment documentation covering auth, RBAC, and command execution vulnerabilities
- Improve PuppetDB service type safety and integration error handling
- Update frontend Checkmk API client and MonitorPage component for write action support
- Add test coverage for new security-sensitive routes and authorization logic

Fixes unauthorized command execution vulnerability (H-1) and improves defense-in-depth validation across integration points.

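The "command-whitelist validation on all execution paths including batch and re-execute" item above, illustrated by an added TypeScript example. It is not the project's code: the allow-list entries, the role names operator and admin, and the three entry points execute, executeBatch and reExecute are constructed for this example, since the project's real policy format and route handlers are not on the page. What it demonstrates is the shape of the fix: one authorizeCommand chokepoint that every path calls with the caller's identity and the exact command about to run, a batch that fails closed before any item executes, and a re-execute that treats the stored execution record as untrusted data and re-validates it against current policy.

```typescript
// All names below are constructed for this example; they are not the project's API.
export interface AllowedCommand {
  name: string;        // exact command identifier a client may request
  maxArgs: number;     // upper bound on argument count
  argPattern: RegExp;  // every argument must fully match; shell metacharacters cannot pass
  roles: string[];     // roles permitted to run it
}

// Constructed sample policy. service-restart accepts a bare service name only.
export const SAMPLE_ALLOW_LIST: AllowedCommand[] = [
  { name: "puppet-agent-run", maxArgs: 1, argPattern: /^--noop$/, roles: ["operator", "admin"] },
  { name: "service-restart", maxArgs: 1, argPattern: /^[a-z][a-z0-9-]{0,63}$/, roles: ["admin"] },
];

export interface User { id: string; roles: string[] }
export interface CommandRequest { command: string; args: string[] }
export interface ExecutionRecord { id: string; command: string; args: string[] }
export type Runner = (req: CommandRequest) => string;

export class AuthorizationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// The single chokepoint: command must be listed, the caller must hold a permitted role,
// and every argument must match the entry's pattern. Anything unlisted is denied.
export function authorizeCommand(
  user: User,
  req: CommandRequest,
  policy: AllowedCommand[] = SAMPLE_ALLOW_LIST,
): AllowedCommand {
  const entry = policy.find((e) => e.name === req.command);
  if (!entry) throw new AuthorizationError(`command not in allow-list: ${req.command}`);
  if (!entry.roles.some((r) => user.roles.includes(r))) {
    throw new AuthorizationError(`role not permitted to run ${req.command}`);
  }
  if (req.args.length > entry.maxArgs) throw new AuthorizationError(`too many arguments for ${req.command}`);
  for (const arg of req.args) {
    if (!entry.argPattern.test(arg)) {
      throw new AuthorizationError(`argument rejected for ${req.command}: ${JSON.stringify(arg)}`);
    }
  }
  return entry;
}

// Single execution path.
export function execute(user: User, req: CommandRequest, run: Runner, policy?: AllowedCommand[]): string {
  authorizeCommand(user, req, policy);
  return run(req);
}

// Batch path: validate every item before running any, so a bad item cannot ride along
// behind items that have already executed.
export function executeBatch(user: User, reqs: CommandRequest[], run: Runner, policy?: AllowedCommand[]): string[] {
  for (const req of reqs) authorizeCommand(user, req, policy);
  return reqs.map(run);
}

// Re-execute path: the historical record is data, not an approval. The stored command and
// arguments are re-checked against the current policy for the current caller, so a record
// written under an older or looser policy, or by a different user, grants nothing by itself.
export function reExecute(
  user: User,
  history: Map<string, ExecutionRecord>,
  id: string,
  run: Runner,
  policy?: AllowedCommand[],
): string {
  const record = history.get(id);
  if (!record) throw new AuthorizationError(`unknown execution: ${id}`);
  const req: CommandRequest = { command: record.command, args: [...record.args] };
  authorizeCommand(user, req, policy);
  return run(req);
}
```

Keeping the allow-list check inside the functions that actually run commands, rather than only in route middleware, is what makes the batch and re-execute endpoints safe by construction: a new route that forgets the middleware still cannot reach the runner without passing authorizeCommand.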
No description provided.