mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-07-09 16:00:59 +00:00
Label legacy Pro Plus in customer docs
This commit is contained in:
parent
58fc250e78
commit
d94595884e
18 changed files with 57 additions and 57 deletions
|
|
@ -24,14 +24,14 @@ Patrol autonomy controls how aggressively Patrol responds to findings.
|
|||
| Level | Key | Detect | Investigate | Fix (Warning) | Fix (Critical) | Plan |
|
||||
|-------|-----|:------:|:-----------:|:-------------:|:--------------:|------|
|
||||
| **Monitor** | `monitor` | Yes | No | No | No | Community |
|
||||
| **Approval** | `approval` | Yes | Yes | Approval required | Approval required | Pro / Pro+ / Cloud |
|
||||
| **Assisted** | `assisted` | Yes | Yes | Auto-fix | Approval required | Pro / Pro+ / Cloud |
|
||||
| **Full** | `full` | Yes | Yes | Auto-fix | Auto-fix | Pro / Pro+ / Cloud |
|
||||
| **Approval** | `approval` | Yes | Yes | Approval required | Approval required | Pro / legacy Pro+ / Cloud |
|
||||
| **Assisted** | `assisted` | Yes | Yes | Auto-fix | Approval required | Pro / legacy Pro+ / Cloud |
|
||||
| **Full** | `full` | Yes | Yes | Auto-fix | Auto-fix | Pro / legacy Pro+ / Cloud |
|
||||
|
||||
- **Monitor** (default): Patrol creates findings but takes no action. This is the Community and Relay baseline. Suitable for learning what Patrol detects before enabling investigation or remediation.
|
||||
- **Approval** (Pro and above): Patrol investigates findings and proposes fixes. All fixes queue for manual approval before execution.
|
||||
- **Assisted** (Pro and above): Warning-level findings are auto-fixed. Critical findings still require approval. This is the recommended starting point for most Pro and Pro+ users who enable fix execution.
|
||||
- **Full** (Pro and above): All findings are auto-fixed without approval. Requires an explicit toggle and a Pro, Pro+, or Cloud license. Recommended only for environments with thorough alert coverage.
|
||||
- **Assisted** (Pro and above): Warning-level findings are auto-fixed. Critical findings still require approval. This is the recommended starting point for most Pro and legacy Pro+ users who enable fix execution.
|
||||
- **Full** (Pro and above): All findings are auto-fixed without approval. Requires an explicit toggle and a Pro, legacy Pro+, or Cloud license. Recommended only for environments with thorough alert coverage.
|
||||
|
||||
### Configuration
|
||||
|
||||
|
|
@ -52,7 +52,7 @@ curl -X PUT http://localhost:7655/api/ai/patrol/autonomy \
|
|||
### License Requirements
|
||||
|
||||
- `monitor`: Available on all plans. Community and Relay can run Patrol with BYOK.
|
||||
- `approval`, `assisted`, and `full`: Require the `ai_autofix` capability (Pro, Pro+, or Cloud license).
|
||||
- `approval`, `assisted`, and `full`: Require the `ai_autofix` capability (Pro, legacy Pro+, or Cloud license).
|
||||
|
||||
Without the `ai_autofix` capability, the effective autonomy level is clamped to `monitor` at runtime, regardless of the saved configuration. If you previously had a Pro license and downgraded, your saved setting is preserved but enforcement reverts to `monitor`.
|
||||
|
||||
|
|
@ -66,11 +66,11 @@ Control levels govern what the interactive Pulse Assistant can do during chat se
|
|||
|-------|-----|:-----:|:----------------:|------|
|
||||
| **Read-only** | `read_only` | Yes | No | Community |
|
||||
| **Controlled** | `controlled` | Yes | With approval | Community |
|
||||
| **Autonomous** | `autonomous` | Yes | Yes | Pro / Pro+ / Cloud |
|
||||
| **Autonomous** | `autonomous` | Yes | Yes | Pro / legacy Pro+ / Cloud |
|
||||
|
||||
- **Read-only** (default): The assistant can query metrics, storage, and resource status but cannot execute any control actions.
|
||||
- **Controlled**: The assistant can propose commands but pauses for your explicit approval before execution. Each command shows a detailed approval card in the chat UI.
|
||||
- **Autonomous**: The assistant executes commands without prompting. Requires a Pro, Pro+, or Cloud license.
|
||||
- **Autonomous**: The assistant executes commands without prompting. Requires a Pro, legacy Pro+, or Cloud license.
|
||||
|
||||
### Configuration
|
||||
|
||||
|
|
|
|||
|
|
@ -692,7 +692,7 @@ Test/preview request contract:
|
|||
|
||||
---
|
||||
|
||||
## 💳 License (Relay / Pro / Pro+ / Cloud)
|
||||
## 💳 License (Relay / Pro / legacy Pro+ / Cloud)
|
||||
|
||||
### License Status (Admin)
|
||||
`GET /api/license/status`
|
||||
|
|
@ -833,7 +833,7 @@ Revoke a resource share. Admin or owner role required.
|
|||
|
||||
## 🤖 Pulse AI
|
||||
|
||||
**Paid gating:** endpoints labeled with a paid plan require the relevant Relay, Pro, Pro+, or Cloud capability and return `402 Payment Required` if the feature is not licensed.
|
||||
**Paid gating:** endpoints labeled with a paid plan require the relevant Relay, Pro, legacy Pro+, or Cloud capability and return `402 Payment Required` if the feature is not licensed.
|
||||
|
||||
### Get AI Settings
|
||||
`GET /api/settings/ai`
|
||||
|
|
@ -887,7 +887,7 @@ Streaming variant of execute (used by the UI for incremental responses).
|
|||
```json
|
||||
{ "cluster_id": "cluster-id" }
|
||||
```
|
||||
Requires Pro, Pro+, or Cloud with the `kubernetes_ai` feature enabled. This route remains
|
||||
Requires Pro, legacy Pro+, or Cloud with the `kubernetes_ai` feature enabled. This route remains
|
||||
available for compatibility, but current v6 Pulse Pro marketing does not treat
|
||||
Kubernetes-specific analysis as a standalone plan pillar.
|
||||
|
||||
|
|
@ -997,7 +997,7 @@ Query params:
|
|||
- `range` (optional): `1h`, `6h`, `12h`, `24h`, `1d`, `7d`, `30d`, `90d` (default `24h`; duration strings also accepted)
|
||||
- `maxPoints` (optional): Downsample to a target number of points
|
||||
|
||||
> **License**: Requests beyond Community's `7d` floor require the paid `long_term_metrics` entitlement. Relay unlocks `14d`, Pro and Pro+ unlock `90d`, and requests beyond the active tier's limit return `402 Payment Required`.
|
||||
> **License**: Requests beyond Community's `7d` floor require the paid `long_term_metrics` entitlement. Relay unlocks `14d`, Pro and legacy Pro+ unlock `90d`, and requests beyond the active tier's limit return `402 Payment Required`.
|
||||
> **Aliases**: `guest` (VM/LXC) and `docker` (Docker container) are accepted, but persistent store data uses the canonical types above.
|
||||
|
||||
---
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Pulse's audit log records security-relevant events with tamper-evident signatures. Use it for compliance, incident investigation, and tracking who did what.
|
||||
|
||||
**Requires:** Pro, Pro+, or Cloud license with the `audit_logging` capability to query, export, and verify events via the API. Events are recorded on all plans, but the API endpoints are license-gated.
|
||||
**Requires:** Pro, legacy Pro+, or Cloud license with the `audit_logging` capability to query, export, and verify events via the API. Events are recorded on all plans, but the API endpoints are license-gated.
|
||||
|
||||
For plan details, see [PULSE_PRO.md](PULSE_PRO.md). For API endpoints, see [API Reference](API.md#-audit-log-pro).
|
||||
|
||||
|
|
@ -133,7 +133,7 @@ See [Multi-Tenant Organizations](MULTI_TENANT.md) for details.
|
|||
|
||||
## Community vs Pro Behavior
|
||||
|
||||
| Capability | Community | Pro / Pro+ / Cloud |
|
||||
| Capability | Community | Pro / legacy Pro+ / Cloud |
|
||||
|------------|-----------|-------------|
|
||||
| Events captured | Yes | Yes |
|
||||
| Persistent storage (SQLite) | Yes | Yes |
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Centralized Agent Management (Pro/Pro+/Cloud)
|
||||
# Centralized Agent Management (Pro/legacy Pro+/Cloud)
|
||||
|
||||
Pro, Pro+, and Cloud support centralized management of agent configurations, allowing administrators to define "Configuration Profiles" and assign them to specific agents. This enables bulk updates and consistent configuration across your fleet without manually editing configuration files on each host.
|
||||
Pro, legacy Pro+, and Cloud support centralized management of agent configurations, allowing administrators to define "Configuration Profiles" and assign them to specific agents. This enables bulk updates and consistent configuration across your fleet without manually editing configuration files on each host.
|
||||
|
||||
Profiles are managed in the UI: **Settings → Unified Agents → Agent Profiles**.
|
||||
|
||||
|
|
@ -38,7 +38,7 @@ Notes:
|
|||
|
||||
## API Usage
|
||||
|
||||
All endpoints require **Admin** authentication and a Pro, Pro+, or Cloud license.
|
||||
All endpoints require **Admin** authentication and a Pro, legacy Pro+, or Cloud license.
|
||||
|
||||
### 1. Create a Profile
|
||||
|
||||
|
|
|
|||
|
|
@ -114,7 +114,7 @@ Yes. Use the export/import workflow described above. Your monitoring configurati
|
|||
|
||||
## See Also
|
||||
|
||||
- [Plans & Entitlements](PULSE_PRO.md) — feature comparison across Community, Relay, Pro, Pro+, and Cloud
|
||||
- [Plans & Entitlements](PULSE_PRO.md) — feature comparison across Community, Relay, Pro, legacy Pro+, and Cloud
|
||||
- [Installation (Self-Hosted)](INSTALL.md) — self-hosted installation guide
|
||||
- [Relay / Mobile Access](RELAY.md) — relay setup and mobile rollout status (pre-configured on Cloud)
|
||||
- [Multi-Tenant](MULTI_TENANT.md) — multi-tenant mode (Cloud Enterprise)
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ Pulse uses a split-configuration model to ensure security and flexibility.
|
|||
| ------ | --------- | ---------------- |
|
||||
| `.env` | Authentication & Secrets | 🔒 **Critical** (Read-only by owner) |
|
||||
| `.encryption.key` | Encryption key for `.enc` files | 🔒 **Critical** |
|
||||
| `.audit-signing.key` | Audit log signing key (Pro/Pro+/Cloud, encrypted) | 🔒 **Sensitive** |
|
||||
| `.audit-signing.key` | Audit log signing key (Pro/legacy Pro+/Cloud, encrypted) | 🔒 **Sensitive** |
|
||||
| `system.json` | General Settings | 📝 Standard |
|
||||
| `nodes.enc` | Node Credentials | 🔒 **Encrypted** (AES-256-GCM) |
|
||||
| `alerts.json` | Alert Rules | 📝 Standard |
|
||||
|
|
@ -21,20 +21,20 @@ Pulse uses a split-configuration model to ensure security and flexibility.
|
|||
| `ai_patrol_runs.json` | AI Patrol run history | 📝 Standard |
|
||||
| `ai_usage_history.json` | AI usage history | 📝 Standard |
|
||||
| `ai_chat_sessions.json` | Legacy AI chat sessions (UI sync) | 📝 Standard |
|
||||
| `license.enc` | Relay/Pro/Pro+/Cloud license key | 🔒 **Encrypted** |
|
||||
| `license.enc` | Relay/Pro/legacy Pro+/Cloud license key | 🔒 **Encrypted** |
|
||||
| `host_metadata.json` | Host notes, tags, and AI command overrides | 📝 Standard |
|
||||
| `docker_metadata.json` | Docker metadata cache | 📝 Standard |
|
||||
| `guest_metadata.json` | Guest notes and metadata | 📝 Standard |
|
||||
| `agent_profiles.json` | Agent configuration profiles (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `agent_profile_assignments.json` | Agent profile assignments (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-versions.json` | Agent profile version history (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-deployments.json` | Agent profile deployment status (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-changelog.json` | Agent profile change log (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `agent_profiles.json` | Agent configuration profiles (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `agent_profile_assignments.json` | Agent profile assignments (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-versions.json` | Agent profile version history (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-deployments.json` | Agent profile deployment status (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-changelog.json` | Agent profile change log (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `recovery_tokens.json` | Recovery tokens (short-lived) | 🔒 **Sensitive** |
|
||||
| `sessions.json` | Persistent sessions (includes OIDC refresh tokens) | 🔒 **Sensitive** |
|
||||
| `update-history.jsonl` | Update history log (in-app updates) | 📝 Standard |
|
||||
| `metrics.db` | Persistent metrics history (SQLite) | 📝 Standard |
|
||||
| `audit.db` | Audit log database (Pro/Pro+/Cloud, SQLite) | 🔒 **Sensitive** |
|
||||
| `audit.db` | Audit log database (Pro/legacy Pro+/Cloud, SQLite) | 🔒 **Sensitive** |
|
||||
| `baselines.json` | AI baseline data for anomaly detection | 📝 Standard |
|
||||
| `ai_correlations.json` | AI correlation analysis cache | 📝 Standard |
|
||||
| `ai_patterns.json` | AI pattern detection data | 📝 Standard |
|
||||
|
|
@ -106,7 +106,7 @@ Environment overrides (lock the corresponding UI fields):
|
|||
| `OIDC_ALLOWED_GROUPS` | Allowed groups (space or comma-separated) |
|
||||
| `OIDC_ALLOWED_DOMAINS` | Allowed email domains (space or comma-separated) |
|
||||
| `OIDC_ALLOWED_EMAILS` | Allowed emails (space or comma-separated) |
|
||||
| `OIDC_GROUP_ROLE_MAPPINGS` | Comma-separated group=role mappings (Pro/Pro+/Cloud) |
|
||||
| `OIDC_GROUP_ROLE_MAPPINGS` | Comma-separated group=role mappings (Pro/legacy Pro+/Cloud) |
|
||||
| `OIDC_CA_BUNDLE` | Custom CA bundle path |
|
||||
|
||||
</details>
|
||||
|
|
@ -514,6 +514,6 @@ The relay protocol provides end-to-end encrypted remote access foundations for P
|
|||
- All data is encrypted end-to-end using ECDH key exchange.
|
||||
- The relay server never sees plaintext monitoring data.
|
||||
- Each mobile session has its own encryption channel.
|
||||
- Requires a valid Relay, Pro, Pro+, or Cloud license (gated by the `relay` feature key).
|
||||
- Requires a valid Relay, Pro, legacy Pro+, or Cloud license (gated by the `relay` feature key).
|
||||
|
||||
Relay config is stored encrypted in `relay.enc`.
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ Pulse uses a split config model:
|
|||
|
||||
- **Local auth and secrets**: `.env` (managed by Quick Security Setup or environment overrides, not shown in the UI)
|
||||
- **Encryption key**: `.encryption.key` (required to decrypt `.enc` files)
|
||||
- **Audit signing key**: `.audit-signing.key` (Pro/Pro+/Cloud, encrypted)
|
||||
- **Audit signing key**: `.audit-signing.key` (Pro/legacy Pro+/Cloud, encrypted)
|
||||
- **System settings**: `system.json` (editable in the UI unless locked by env)
|
||||
- **Nodes and credentials**: `nodes.enc` (encrypted)
|
||||
- **Notification config**: `email.enc`, `webhooks.enc`, `apprise.enc` (encrypted)
|
||||
|
|
@ -39,8 +39,8 @@ Pulse uses a split config model:
|
|||
- **AI pattern data**: `ai_patterns.json`
|
||||
- **AI remediation data**: `ai_remediations.json`
|
||||
- **AI incident tracking**: `ai_incidents.json`
|
||||
- **Audit log database**: `audit.db` (Pro/Pro+/Cloud, SQLite)
|
||||
- **Relay/Pro/Pro+/Cloud license**: `license.enc` (encrypted)
|
||||
- **Audit log database**: `audit.db` (Pro/legacy Pro+/Cloud, SQLite)
|
||||
- **Relay/Pro/legacy Pro+/Cloud license**: `license.enc` (encrypted)
|
||||
- **Host metadata**: `host_metadata.json`
|
||||
- **Docker metadata**: `docker_metadata.json`
|
||||
- **Guest metadata**: `guest_metadata.json`
|
||||
|
|
@ -56,7 +56,7 @@ Pulse uses a split config model:
|
|||
- **Organization metadata**: `org.json` (multi-tenant)
|
||||
- **TrueNAS connections**: `truenas.enc` (encrypted)
|
||||
- **Relay config**: `relay.enc` (encrypted, Relay and above)
|
||||
- **RBAC roles**: `rbac_roles.json` (Pro/Pro+/Cloud)
|
||||
- **RBAC roles**: `rbac_roles.json` (Pro/legacy Pro+/Cloud)
|
||||
|
||||
Path mapping:
|
||||
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ If a setting is disabled with an amber warning, it's being overridden by an envi
|
|||
## 🔍 Monitoring & Metrics
|
||||
|
||||
### What do Relay, Pro, and Cloud unlock?
|
||||
Relay adds remote access, mobile access, push notifications, and 14-day history. Pro and Cloud unlock **Auto-Fix and advanced AI analysis** along with the broader operations feature set. Existing Pro+ holders keep their current continuity, but self-hosted pricing no longer sells more monitoring volume. Pulse Patrol is available to everyone on Community with BYOK and provides scheduled, cross-system analysis that correlates real-time state, recent metrics history, and diagnostics to surface actionable findings.
|
||||
Relay adds remote access, mobile access, push notifications, and 14-day history. Pro and Cloud unlock **Auto-Fix and advanced AI analysis** along with the broader operations feature set. Existing legacy Pro+ holders keep their current continuity, but self-hosted pricing no longer sells more monitoring volume. Pulse Patrol is available to everyone on Community with BYOK and provides scheduled, cross-system analysis that correlates real-time state, recent metrics history, and diagnostics to surface actionable findings.
|
||||
|
||||
Example output includes trend-based capacity warnings, backup regressions, Kubernetes AI cluster analysis, and correlated container failures that simple threshold alerts miss.
|
||||
See [Pulse AI](AI.md), [Plans and entitlements](PULSE_PRO.md), and <https://pulserelay.pro>.
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ curl -H "X-API-Token: $TOKEN" \
|
|||
"http://localhost:7655/api/metrics-store/history?resourceType=vm&resourceId=pve1:node1:100&range=7d&metric=cpu"
|
||||
```
|
||||
|
||||
> **License**: Requests beyond Community's `7d` floor require the paid `long_term_metrics` entitlement. Relay unlocks `14d`, Pro and Pro+ unlock `90d`, and requests beyond the active tier's limit return `402 Payment Required`.
|
||||
> **License**: Requests beyond Community's `7d` floor require the paid `long_term_metrics` entitlement. Relay unlocks `14d`, Pro and legacy Pro+ unlock `90d`, and requests beyond the active tier's limit return `402 Payment Required`.
|
||||
> **Aliases**: `guest` (VM/LXC) and `docker` (Docker container) are accepted, but persistent store data uses the canonical types above.
|
||||
|
||||
## Troubleshooting
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ Never copy `/etc/pulse` (or `/data` in Docker/Kubernetes) manually. Encryption k
|
|||
| — | Agent profiles and assignments |
|
||||
| — | AI settings and findings (`ai.enc`, `ai_findings.json`, `ai_patrol_runs.json`, `ai_usage_history.json`) |
|
||||
| — | RBAC roles (`rbac_roles.json`) — re-create after import |
|
||||
| — | Relay/Pro/Pro+/Cloud license (`license.enc`) |
|
||||
| — | Relay/Pro/legacy Pro+/Cloud license (`license.enc`) |
|
||||
| — | Server sessions (`sessions.json`) |
|
||||
| — | Update history (`update-history.jsonl`) |
|
||||
|
||||
|
|
@ -67,7 +67,7 @@ Because local login credentials are stored in `.env` (not part of exports), you
|
|||
* **Unified Agent**: Update the `--token` flag in your service definition.
|
||||
* **Containerized agent**: Update `PULSE_TOKEN` in the agent container environment.
|
||||
* *Tip: Use **Settings → Infrastructure → Install on a host** to generate updated install commands.*
|
||||
4. **Relay/Pro/Pro+/Cloud**: Re-activate your license key after migration (license files are not included in exports).
|
||||
4. **Relay/Pro/legacy Pro+/Cloud**: Re-activate your license key after migration (license files are not included in exports).
|
||||
|
||||
## 🔒 Security
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
RBAC lets you define custom roles with granular permissions and assign them to users. This restricts what each user can see and do in Pulse.
|
||||
|
||||
**Requires:** Pro, Pro+, or Cloud license with the `rbac` capability.
|
||||
**Requires:** Pro, legacy Pro+, or Cloud license with the `rbac` capability.
|
||||
|
||||
For plan details, see [PULSE_PRO.md](PULSE_PRO.md). For API endpoints, see [API Reference](API.md#-rbac--role-management-pro).
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ All other documents are supporting references unless explicitly required for evi
|
|||
- **[Proxy Auth](PROXY_AUTH.md)** – Authentik/Authelia/Cloudflare proxy authentication configuration.
|
||||
- **[Agent Security](AGENT_SECURITY.md)** – Agent self-update verification and API security.
|
||||
|
||||
## 📖 Advanced Topics (Relay / Pro / Pro+ / Cloud)
|
||||
## 📖 Advanced Topics (Relay / Pro / legacy Pro+ / Cloud)
|
||||
|
||||
- **[AI Autonomy & Safety](AI_AUTONOMY.md)** – Configure patrol autonomy levels, assistant control levels, investigation tuning, and safety guardrails.
|
||||
- **[Role-Based Access Control (RBAC)](RBAC.md)** – Define custom roles, assign permissions, and integrate with OIDC group mapping.
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ Pulse Relay provides **end-to-end encrypted remote access** foundations for Puls
|
|||
|
||||
## Requirements
|
||||
|
||||
- **Relay, Pro, Pro+, or Cloud license** — relay is gated by the `relay` feature key.
|
||||
- **Relay, Pro, legacy Pro+, or Cloud license** — relay is gated by the `relay` feature key.
|
||||
- **Outbound WebSocket** — Pulse must be able to reach `relay.pulserelay.pro` (port 443).
|
||||
- **No inbound ports** — you do not need to open any ports on your firewall.
|
||||
|
||||
|
|
|
|||
|
|
@ -46,12 +46,12 @@ sudo pulse bootstrap-token
|
|||
#### Audit Log verification shows unsigned events
|
||||
- **Symptom**: Audit Log entries show “Unsigned” or verification fails in the UI.
|
||||
- **Root cause**: Audit signing is disabled (crypto manager unavailable), so events are stored without signatures.
|
||||
- **Fix**: Ensure `.encryption.key` is present and Pro/Pro+/Cloud audit logging is enabled, then restart Pulse to regenerate `.audit-signing.key`. Newly created events will be signed; existing unsigned events remain unsigned.
|
||||
- **Fix**: Ensure `.encryption.key` is present and Pro/legacy Pro+/Cloud audit logging is enabled, then restart Pulse to regenerate `.audit-signing.key`. Newly created events will be signed; existing unsigned events remain unsigned.
|
||||
|
||||
#### Audit Log is empty
|
||||
- **Symptom**: Audit Log shows zero events or "Console Logging Only."
|
||||
- **Root cause**: Community plan uses console logging only, or Pro/Pro+/Cloud audit logging is not enabled.
|
||||
- **Fix**: Use Pro, Pro+, or Cloud with audit logging enabled, then generate new audit events (logins, token creation, password changes).
|
||||
- **Root cause**: Community plan uses console logging only, or Pro/legacy Pro+/Cloud audit logging is not enabled.
|
||||
- **Fix**: Use Pro, legacy Pro+, or Cloud with audit logging enabled, then generate new audit events (logins, token creation, password changes).
|
||||
|
||||
#### Audit Log verification fails for older events
|
||||
- **Symptom**: Older events fail verification while newer events pass.
|
||||
|
|
|
|||
|
|
@ -222,9 +222,9 @@ curl -fsSL http://<pulse-ip>:7655/install.sh | \
|
|||
PULSE_DISABLE_AUTO_UPDATE=true
|
||||
```
|
||||
|
||||
## Remote Configuration (Agent Profiles, Pro/Pro+/Cloud)
|
||||
## Remote Configuration (Agent Profiles, Pro/legacy Pro+/Cloud)
|
||||
|
||||
Pro, Pro+, and Cloud can push centralized settings to agents via Agent Profiles.
|
||||
Pro, legacy Pro+, and Cloud can push centralized settings to agents via Agent Profiles.
|
||||
|
||||
Behavior:
|
||||
- The agent fetches remote config on startup from `/api/agents/agent/{agent_id}/config`.
|
||||
|
|
|
|||
|
|
@ -62,9 +62,9 @@ For generic webhooks, use Go templates to format the JSON payload.
|
|||
- **Private IPs**: By default, webhooks to private IPs are blocked. Allow them in **Settings → System → Network → Webhook Security**.
|
||||
- **Headers**: Add custom headers (e.g., `Authorization: Bearer ...`) in the webhook config.
|
||||
|
||||
## 🧾 Audit Webhooks (Pro/Pro+/Cloud)
|
||||
## 🧾 Audit Webhooks (Pro/legacy Pro+/Cloud)
|
||||
|
||||
Pro, Pro+, and Cloud support dedicated audit webhooks for security event compliance. Unlike alert notifications, these webhooks deliver the raw, signed JSON payload of every security-relevant action (login, config change, group mapping).
|
||||
Pro, legacy Pro+, and Cloud support dedicated audit webhooks for security event compliance. Unlike alert notifications, these webhooks deliver the raw, signed JSON payload of every security-relevant action (login, config change, group mapping).
|
||||
|
||||
### Setup
|
||||
1. Go to **Settings → Security → Webhooks**.
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ Pulse uses a split-configuration model to ensure security and flexibility.
|
|||
| ------ | --------- | ---------------- |
|
||||
| `.env` | Authentication & Secrets | 🔒 **Critical** (Read-only by owner) |
|
||||
| `.encryption.key` | Encryption key for `.enc` files | 🔒 **Critical** |
|
||||
| `.audit-signing.key` | Audit log signing key (Pro/Pro+/Cloud, encrypted) | 🔒 **Sensitive** |
|
||||
| `.audit-signing.key` | Audit log signing key (Pro/legacy Pro+/Cloud, encrypted) | 🔒 **Sensitive** |
|
||||
| `system.json` | General Settings | 📝 Standard |
|
||||
| `nodes.enc` | Node Credentials | 🔒 **Encrypted** (AES-256-GCM) |
|
||||
| `alerts.json` | Alert Rules | 📝 Standard |
|
||||
|
|
@ -21,20 +21,20 @@ Pulse uses a split-configuration model to ensure security and flexibility.
|
|||
| `ai_patrol_runs.json` | AI Patrol run history | 📝 Standard |
|
||||
| `ai_usage_history.json` | AI usage history | 📝 Standard |
|
||||
| `ai_chat_sessions.json` | Legacy AI chat sessions (UI sync) | 📝 Standard |
|
||||
| `license.enc` | Relay/Pro/Pro+/Cloud license key | 🔒 **Encrypted** |
|
||||
| `license.enc` | Relay/Pro/legacy Pro+/Cloud license key | 🔒 **Encrypted** |
|
||||
| `host_metadata.json` | Host notes, tags, and AI command overrides | 📝 Standard |
|
||||
| `docker_metadata.json` | Docker metadata cache | 📝 Standard |
|
||||
| `guest_metadata.json` | Guest notes and metadata | 📝 Standard |
|
||||
| `agent_profiles.json` | Agent configuration profiles (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `agent_profile_assignments.json` | Agent profile assignments (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-versions.json` | Agent profile version history (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-deployments.json` | Agent profile deployment status (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-changelog.json` | Agent profile change log (Pro/Pro+/Cloud) | 📝 Standard |
|
||||
| `agent_profiles.json` | Agent configuration profiles (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `agent_profile_assignments.json` | Agent profile assignments (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-versions.json` | Agent profile version history (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-deployments.json` | Agent profile deployment status (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `profile-changelog.json` | Agent profile change log (Pro/legacy Pro+/Cloud) | 📝 Standard |
|
||||
| `recovery_tokens.json` | Recovery tokens (short-lived) | 🔒 **Sensitive** |
|
||||
| `sessions.json` | Persistent sessions (includes OIDC refresh tokens) | 🔒 **Sensitive** |
|
||||
| `update-history.jsonl` | Update history log (in-app updates) | 📝 Standard |
|
||||
| `metrics.db` | Persistent metrics history (SQLite) | 📝 Standard |
|
||||
| `audit.db` | Audit log database (Pro/Pro+/Cloud, SQLite) | 🔒 **Sensitive** |
|
||||
| `audit.db` | Audit log database (Pro/legacy Pro+/Cloud, SQLite) | 🔒 **Sensitive** |
|
||||
| `baselines.json` | AI baseline data for anomaly detection | 📝 Standard |
|
||||
| `ai_correlations.json` | AI correlation analysis cache | 📝 Standard |
|
||||
| `ai_patterns.json` | AI pattern detection data | 📝 Standard |
|
||||
|
|
@ -106,7 +106,7 @@ Environment overrides (lock the corresponding UI fields):
|
|||
| `OIDC_ALLOWED_GROUPS` | Allowed groups (space or comma-separated) |
|
||||
| `OIDC_ALLOWED_DOMAINS` | Allowed email domains (space or comma-separated) |
|
||||
| `OIDC_ALLOWED_EMAILS` | Allowed emails (space or comma-separated) |
|
||||
| `OIDC_GROUP_ROLE_MAPPINGS` | Comma-separated group=role mappings (Pro/Pro+/Cloud) |
|
||||
| `OIDC_GROUP_ROLE_MAPPINGS` | Comma-separated group=role mappings (Pro/legacy Pro+/Cloud) |
|
||||
| `OIDC_CA_BUNDLE` | Custom CA bundle path |
|
||||
|
||||
</details>
|
||||
|
|
@ -514,6 +514,6 @@ The relay protocol provides end-to-end encrypted remote access foundations for P
|
|||
- All data is encrypted end-to-end using ECDH key exchange.
|
||||
- The relay server never sees plaintext monitoring data.
|
||||
- Each mobile session has its own encryption channel.
|
||||
- Requires a valid Relay, Pro, Pro+, or Cloud license (gated by the `relay` feature key).
|
||||
- Requires a valid Relay, Pro, legacy Pro+, or Cloud license (gated by the `relay` feature key).
|
||||
|
||||
Relay config is stored encrypted in `relay.enc`.
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ All other documents are supporting references unless explicitly required for evi
|
|||
- **[Proxy Auth](PROXY_AUTH.md)** – Authentik/Authelia/Cloudflare proxy authentication configuration.
|
||||
- **[Agent Security](AGENT_SECURITY.md)** – Agent self-update verification and API security.
|
||||
|
||||
## 📖 Advanced Topics (Relay / Pro / Pro+ / Cloud)
|
||||
## 📖 Advanced Topics (Relay / Pro / legacy Pro+ / Cloud)
|
||||
|
||||
- **[AI Autonomy & Safety](AI_AUTONOMY.md)** – Configure patrol autonomy levels, assistant control levels, investigation tuning, and safety guardrails.
|
||||
- **[Role-Based Access Control (RBAC)](RBAC.md)** – Define custom roles, assign permissions, and integrate with OIDC group mapping.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue