Commit graph

3360 commits

Author SHA1 Message Date
rcourtman
76ced45c3a Harden demo SSH setup for private deploy hosts
Some checks are pending
Build and Test / Secret Scan (push) Waiting to run
Build and Test / Frontend & Backend (push) Waiting to run
Canonical Governance / governance (push) Waiting to run
Helm CI / Lint and Render Chart (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 1/4) (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 2/4) (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 3/4) (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 4/4) (push) Waiting to run
Core E2E Tests / E2E verdict (push) Blocked by required conditions
2026-07-09 16:51:38 +01:00
rcourtman
584aa10699 Stabilize multi-tenant org switch in release E2E 2026-07-09 14:34:46 +01:00
rcourtman
1a05c715ac Reuse authenticated state in multi-tenant release E2E 2026-07-09 13:40:35 +01:00
rcourtman
6999ca0119 Prepare 6.0.5 release 2026-07-09 11:52:28 +01:00
rcourtman
847cf98544 Fix activation fingerprint and license period status 2026-07-09 11:30:26 +01:00
rcourtman
93bccaff18 Update the Pro binary in-app from the license server download broker
Some checks are pending
Build and Test / Secret Scan (push) Waiting to run
Build and Test / Frontend & Backend (push) Waiting to run
Canonical Governance / governance (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 1/4) (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 2/4) (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 3/4) (push) Waiting to run
Core E2E Tests / Playwright Core E2E (shard 4/4) (push) Waiting to run
Core E2E Tests / E2E verdict (push) Blocked by required conditions
The in-app updater and the unattended timer both target the public
rcourtman/Pulse community assets, so a Pro install that used them was
silently downgraded to community. Guard 2 (983a89326) blocked in-app
apply on the Pro edition, which stopped the downgrade but left Pro
installs with no update path except manual portal downloads. That
friction is a plausible driver of the runtime split: as of 2026-07-08
only 10 of 66 active paid licenses have any Pro-runtime install.

Root fix: the compiled Pro binary now checks and applies updates
through the license server download broker (GET /v1/downloads/pulse-pro
with the installation token and instance fingerprint). The check
compares against the broker's pinned private release instead of GitHub,
respecting the stable/rc channel guard. Apply re-resolves fresh signed
R2 URLs at apply time, verifies the archive against the same pinned
pulse-installer SSHSIG key plus the broker manifest sha256, and refuses
GitHub-shaped download URLs outright. An unactivated Pro binary still
refuses with the portal fallback. The community edition path is
unchanged.

The update banner restores in-app apply for auto-updatable Pro
deployments and keeps the portal instructions for deployments the
updater cannot drive (Docker). scripts/pulse-auto-update.sh now skips
when the installed binary reports Pulse Pro so the unattended timer can
never reinstall community over Pro.

Note: internal/updates/pro_update.go and manager_pro_update_test.go for
this change landed one commit early inside 313552deb via a parallel
session committing a shared staged index; this commit completes the
wiring they belong to.
2026-07-08 23:39:37 +01:00
rcourtman
8222f132a8 Explain the pre-5.1.29 auto-update jump to v6 in the upgrade guide
v5 installs on 5.1.28 and older have no release-line pin, so with
auto-update enabled they silently in-place upgrade to the newest stable
GitHub release, which is now v6. Add an FAQ entry for the operator who
lands on v6 without asking, and point the rollback path at 5.1.36, the
final v5 release (was 5.1.35).
2026-07-08 22:56:57 +01:00
rcourtman
e23505206d Carry the max_users grant claim into instance license limits
GrantClaims and Claims gain a MaxUsers seat limit mirroring MaxGuests:
the grant JWT claim is copied at the activation bridge and surfaced
through EffectiveLimits()["max_users"], which the already-shipped
user-limit enforcement (MaxUsersLimitFromLicense) reads unchanged.
Inert by default: no plan sets max_users yet, so absent claim = 0 =
unlimited for every existing license and grant. The self-hosted
commercial volume scrub strips only max_monitored_systems and
max_guests; tests now pin that max_users survives it from both the
named field and explicit limits, plus the end-to-end proof that a grant
carrying max_users=3 enforces 3 and a grant without it stays unlimited.
Contract shape recorded in cloud-paid Extension Point 26; the grant
wire contract list gains max_users against the relay-server reference
(pulse-pro 95a18bd).
2026-07-08 16:56:07 +01:00
rcourtman
fca5975c38 Add the dormant Business tier to the licensing core
TierBusiness: Pro's feature set, 365-day history retention, uncapped
core monitoring like every self-hosted tier, Business display name, and
a slot in the min-tier ordering. Differentiation is by max_users limit,
retention, and support rather than features (multi-user is already a Pro
capability via RBAC; see specs/pricing-segmentation.md binder findings).
Dormant until the license server issues business plan versions; no
checkout, pricing, or UI surface references it yet. Contract shape
recorded as cloud-paid Extension Point 26 and pinned by
TestBusinessTierContractShape.
2026-07-08 16:02:56 +01:00
rcourtman
a205ba3498 Repair storage-recovery registry proof path after spec rename
1c38d7993 replaced 17-recovery-layout.spec.ts with
17-proxmox-backups-layout.spec.ts but the storage-recovery registry
entry still named the old file, which broke the registry audit for
every subsequent governance-audited commit.
2026-07-08 16:01:23 +01:00
rcourtman
7645965afe Derive the rollback target for scheduled release rehearsals
The weekly release-dry-run schedule failed at 'Resolve rehearsal
metadata' because GitHub does not apply workflow_dispatch input
defaults to schedule events, so rollback_version arrived empty and
resolve_release_promotion.py rejected the run.

Scheduled runs now pass --derive-rollback-latest-stable, which fills
an empty rollback_version with the latest stable tag preceding the
rehearsal version (currently v6.0.4 for 6.0.5-rc.3). Manual dispatches
keep the explicit rollback_version requirement; the stale prefilled
5.1.29 default is removed so operators state the target themselves.
The deployment-installability contract records the scoped scheduled
exception.
2026-07-08 13:52:48 +01:00
rcourtman
0d787a4b1f Prepare v6.0.5 RC4 release packet
Refs #1535
2026-07-08 13:10:06 +01:00
rcourtman
16d74a75bb Follow the connections-workspace spec rename in governance references
Commit 346ba81ed rewrote the per-platform connection specs against the
consolidated Connected systems workspace but left the old spec paths in
RA20 evidence and two registry.json proof lists, failing release_ready.
Point them at the renamed workspace specs.
2026-07-08 13:01:15 +01:00
rcourtman
75047c0dfc Re-point governance evidence at surviving platform-first specs
Commit 005100432 retired the unified-route e2e specs but left two
status.json evidence entries pointing at deleted files, failing
repo_ready and RA20. Re-point them at the surviving coverage the
retirement commit named: refresh resilience via the ported Proxmox
workloads stability spec, and TrueNAS workload surfaces via the
platform pages shell spec.
2026-07-08 11:50:30 +01:00
rcourtman
983a89326f Block in-app self-update on the Pro binary to prevent silent downgrade
The in-app updater and install.sh both fetch the public community build from
github.com/rcourtman/Pulse. On non-Docker Pro installs (systemd, proxmoxve,
source) the "Apply Update" button was live, so applying an update replaced the
separately compiled Pro binary with community and silently stripped Audit,
RBAC, Reporting, and SSO from a paying customer. Docker was already blocked;
nothing else was.

Add a dependency-free pkg/edition marker (defaults to community) that the Pro
binary flips via enterpriseruntime.Initialize, mirroring the existing
coreaudit.SetLogger / server.SetBusinessHooks registration seam. ApplyUpdate
now refuses when the edition is Pro, pointing at the Private Release Access
portal (https://pulserelay.pro/download.html) and the install.sh --archive
path. The gate keys off the compiled binary, not license state: a community
binary with an active license still self-updates as before.

The update banner hides the in-app apply affordance and shows portal
instructions for the Pro runtime, keyed off the existing runtime-identity
signal (runtime.build) rather than a new payload field, so nothing extra is
plumbed through the version API and the frontend reuses the canonical
"which binary am I" contract. The backend gate is the hard guarantee; the
banner is the UX layer.

Guard 2 of the Pro download/update experience spec.
2026-07-08 10:02:04 +01:00
rcourtman
74131e56e3 Fix no-op relationship_change spam from registry rebuilds
Every state update rebuilds the resource registry from scratch, which
reconstructs all relationship edges with fresh ObservedAt/LastSeenAt
stamps and fresh metadata maps. recordRegistryChanges compared the old
and new slices with reflect.DeepEqual, so every relationship-bearing
resource emitted a relationship_change row on every rebuild cycle even
when nothing changed. On the public demo this wrote roughly 450k rows
per day (1.2M of 1.6M rows were literal from==to no-ops), grew
unified_resources.db to 1.6GB in three days, starved the store's single
connection until retention pruning failed with SQLITE_BUSY, and drove
the droplet into the swap-thrash outage on 2026-07-08. Same mechanism
as issue #1496.

Compare relationship sets by edge identity instead: canonical source,
canonical target, type, and active state, order-insensitive. Volatile
provenance fields no longer count as change.

Also cap resource_changes at 200k rows during retention pruning so a
pathological writer can never grow the table unbounded inside the
30-day retention window, and record both invariants in the
unified-resources subsystem contract.
2026-07-08 08:10:15 +01:00
rcourtman
292baf308b Fix PBS backup discovery regression from bounded polling
The RC3 memory bound for PBS backup polling summarized any group with
more than 8 snapshots into a single synthesized entry built from group
metadata. A synthesized entry has no verification, size, file, or
per-snapshot time data, so most real deployments saw every backup as
Unverified with no size, PBS files not listed, and a backup timeline
collapsed onto the latest backup day.

Keep the issue #1524 memory bounds but derive them from real data:
always fetch snapshots for stale groups, retain the newest bounded set
per group (limit raised from 8 to 100 to cover real keep policies), and
keep the newest-first global live-state cap. Remove the synthesized
group placeholder path entirely and update the monitoring subsystem
contract and tests to pin real-snapshot bounding.

Fixes #1541
Refs #1524
2026-07-07 22:48:34 +01:00
rcourtman
8355335e08 Clarify v5 migration recovery states 2026-07-07 21:46:07 +01:00
rcourtman
89d9f51258 Record OIDC scope fix resolution in handoff spec 2026-07-07 21:44:23 +01:00
rcourtman
4b645f4dd2 Add OIDC scope group auth fix spec 2026-07-07 21:09:13 +01:00
rcourtman
4043c466f6 Extend MSP install proof for portal rollups 2026-07-07 20:49:55 +01:00
rcourtman
4382919447 Add MSP report scheduling and alert rollup 2026-07-07 20:37:18 +01:00
rcourtman
d43255889d Point relay pairing at the Pulse Mobile install page
A Relay customer who enables Remote Access and generates a pairing QR
has nothing to scan it with: Pulse Mobile is early access and its
install links live on the authenticated download page, which nothing
in the pairing flow mentioned. Add the pointer to the pairing help
text, pin it in the panel contract test, and give docs/RELAY.md the
same install path instead of 'join early access when available'.
2026-07-07 20:04:36 +01:00
rcourtman
8113f3e8c3 Ensure Helm Pages publishes release chart 2026-07-07 19:21:48 +01:00
rcourtman
155023d86a Add mobile impact gate to release dispatch 2026-07-07 18:21:20 +01:00
rcourtman
1fad0948d4 Clear expired work claim 2026-07-07 18:01:02 +01:00
rcourtman
0ff922ca16 Prepare v6.0.5 RC3 release packet
Refs #1535
2026-07-07 16:48:12 +01:00
rcourtman
eb99d7a6b3 Fix SSO session display labels
Refs #1535
2026-07-07 16:35:07 +01:00
rcourtman
57139c65c5 Fix mobile onboarding URL handoff sanitization
Some checks are pending
Canonical Governance / governance (push) Waiting to run
Build and Test / Secret Scan (push) Waiting to run
Build and Test / Frontend & Backend (push) Waiting to run
Helm CI / Lint and Render Chart (push) Waiting to run
Core E2E Tests / Playwright Core E2E (push) Waiting to run
2026-07-07 15:12:59 +01:00
rcourtman
e1cddca2d1 Prepare v6.0.5 RC2 release packet
Refs #1470

Refs #1471

Refs #1476

Refs #1483

Refs #1511

Refs #1515

Refs #1516

Refs #1524

Refs #1533

Refs #1534
2026-07-07 10:50:49 +01:00
rcourtman
022f170dff Prefer route-aware Proxmox host URLs 2026-07-07 10:37:10 +01:00
rcourtman
3dd2ecd198 Add Proxmox token smoke diagnostics
Refs #1476
2026-07-07 10:10:16 +01:00
rcourtman
58ece3c1b8 Fix physical disk SMART/Proxmox merge identity
Refs #1516

Refs #1483

Refs #1471
2026-07-07 09:46:51 +01:00
rcourtman
8eed26d653 Bound PBS backup polling memory
Refs #1524
2026-07-07 09:42:54 +01:00
rcourtman
b503ee6fd3 Fix legacy agent update token recovery
Refs #1515
2026-07-07 09:31:21 +01:00
rcourtman
dded079297 Prepare v6.0.5 RC1 release packet
Some checks are pending
Build and Test / Secret Scan (push) Waiting to run
Build and Test / Frontend & Backend (push) Waiting to run
Canonical Governance / governance (push) Waiting to run
Helm CI / Lint and Render Chart (push) Waiting to run
Core E2E Tests / Playwright Core E2E (push) Waiting to run
Refs #1530

Refs #1531

Refs #1471
2026-07-07 00:12:09 +01:00
rcourtman
4b669ad9b5 Fix SAT SMART temperature collection
Refs #1471
2026-07-06 23:42:00 +01:00
rcourtman
41a99c1a03 Prepare v6.0.5 patch release
Some checks are pending
Build and Test / Secret Scan (push) Waiting to run
Build and Test / Frontend & Backend (push) Waiting to run
Canonical Governance / governance (push) Waiting to run
Helm CI / Lint and Render Chart (push) Waiting to run
Core E2E Tests / Playwright Core E2E (push) Waiting to run
Refs #1530

Refs #1531
2026-07-06 23:29:17 +01:00
rcourtman
af7f7c5d11 Fix Gemini Patrol tool-call readiness
Refs #1530
2026-07-06 23:01:16 +01:00
rcourtman
1d7fa6c4bf Prepare v6.0.4 release 2026-07-06 16:50:59 +01:00
rcourtman
4a597fa425 Fix legacy audit monotonic timestamps
Refs #1464
2026-07-06 16:20:55 +01:00
rcourtman
7ddc2fcb47 Fix Docker app-container percent normalization
Refs #1525
2026-07-06 16:11:36 +01:00
rcourtman
7edfa1bb86 Fix Docker container URL metadata identity
Refs #1490
2026-07-06 15:48:26 +01:00
rcourtman
92951532e3 Fix host agent clock-skew liveness
Refs #1519
2026-07-06 15:07:12 +01:00
rcourtman
6f582671b0 Fix Proxmox live chart CPU fallback
Refs #1525
2026-07-06 15:05:18 +01:00
rcourtman
ebd61ee109 Fix empty Docker facet tab admission
Refs #1518
2026-07-06 14:48:07 +01:00
rcourtman
21b15e6755 Fix Proxmox read-state CPU normalization
Refs #1525
2026-07-06 14:33:41 +01:00
rcourtman
926c6bd433 Fix legacy agent update recovery
Refs #1515
2026-07-06 14:01:26 +01:00
rcourtman
e7334e66e4 Allow local DNS agent HTTP URLs
Refs #1522
2026-07-06 13:53:19 +01:00
rcourtman
caa9b41834 Fix OIDC provider detail persistence
Refs #1521
2026-07-06 11:18:18 +01:00