rcourtman
5f2990deec
Require proxy admin for SSH config endpoints
2026-02-04 15:57:59 +00:00
rcourtman
145e5c46bb
Require admin for host config patch and delete
2026-02-04 15:56:07 +00:00
rcourtman
5ede1f6a97
Harden apply-restart auth for proxy/OIDC
2026-02-04 15:48:06 +00:00
rcourtman
0f2122ea85
Cover proxy admin gating for config management
2026-02-04 15:45:31 +00:00
rcourtman
093235b0a9
Extend proxy admin gating to agent manage endpoints
2026-02-04 15:44:24 +00:00
rcourtman
df799c66d5
Expand proxy admin gating for host and profiles
2026-02-04 15:42:54 +00:00
rcourtman
e9860eb4c6
Block proxy non-admin for security restart and OIDC
2026-02-04 15:41:50 +00:00
rcourtman
248f4c69a5
Ensure proxy non-admins blocked for AI admin endpoints
2026-02-04 15:40:14 +00:00
rcourtman
773ba13ada
Require ai:execute for approvals approve/deny
2026-02-04 15:39:04 +00:00
rcourtman
23cc5af69f
Require proxy admin for test-notification
2026-02-04 15:34:30 +00:00
rcourtman
e3179e49ac
Cover RBAC mutation license gating
2026-02-04 15:22:38 +00:00
rcourtman
4e3811e69e
Cover RBAC mutations in permission denial tests
2026-02-04 15:21:02 +00:00
rcourtman
895a7e07e2
Verify host uninstall enforces token binding
2026-02-04 15:16:12 +00:00
rcourtman
e069507d97
Add scope checks for notification endpoints
2026-02-04 15:10:02 +00:00
rcourtman
d257815564
Reject recovery via untrusted XFF
2026-02-04 15:01:09 +00:00
rcourtman
b35de694bb
Document legacy token org access
2026-02-04 14:55:20 +00:00
rcourtman
f6b70da39f
Enforce token precedence for tenant access
2026-02-04 14:54:14 +00:00
rcourtman
8300ec8460
Prefer org header over cookie
2026-02-04 14:51:14 +00:00
rcourtman
d06c749c1a
Reject org cookie for non-member
2026-02-04 14:48:03 +00:00
rcourtman
9ff395eba4
Cover tenant user membership checks
2026-02-04 14:41:08 +00:00
rcourtman
5e4de1e849
Deny proxy non-admin despite token
2026-02-04 14:35:08 +00:00
rcourtman
3fe152bba8
Allow API tokens with OIDC enabled
2026-02-04 14:27:46 +00:00
rcourtman
313df78cf7
Require auth for admin endpoints with OIDC
2026-02-04 14:26:38 +00:00
rcourtman
c5308adf6e
Cover admin bypass routing
2026-02-04 14:24:42 +00:00
rcourtman
fecfc74c0a
Gate admin endpoints for proxy users
2026-02-04 14:21:10 +00:00
rcourtman
de2ed1b33a
Cover multi-org token authorization
2026-02-04 14:15:50 +00:00
rcourtman
fdb7c9a1c5
Block cross-tenant org token use
2026-02-04 14:13:57 +00:00
rcourtman
34ca427458
Add unified guest intelligence to patrol seed context
Enrich the patrol seed context with service identity (from discovery
store) and network reachability (via ICMP ping through host agents).
The guest metrics table now includes Service and Reachable columns,
and a Service Health Issues section highlights running-but-unreachable
guests. A new SignalGuestUnreachable signal type creates deterministic
findings for unreachable guests.
New files:
- patrol_intelligence.go: GuestProber interface, GuestIntelligence
  type, gatherGuestIntelligence() with concurrent per-node probing
- patrol_prober.go: agentExecProber implementation using batch ping
  commands via connected host agents
2026-02-04 14:08:57 +00:00
rcourtman
6de231fcf0
Enforce host config token binding
2026-02-04 14:06:30 +00:00
rcourtman
cb788f18b9
Ignore bearer token in security status
2026-02-04 14:01:57 +00:00
rcourtman
9e3b8f722e
Require host config read scope
2026-02-04 14:00:04 +00:00
rcourtman
698a7b1926
Require auth for RBAC and reporting
2026-02-04 13:57:00 +00:00
rcourtman
041148f90b
Harden security status token handling
2026-02-04 13:52:36 +00:00
rcourtman
3b9019f216
Enforce audit/report scope checks
2026-02-04 13:47:32 +00:00
rcourtman
a5c5172e51
Require settings:write for agent profiles
2026-02-04 13:43:28 +00:00
rcourtman
5c18748742
Add SMART disk lifecycle monitoring with historical charts
Expand the smartctl collector to capture detailed SMART attributes (SATA
and NVMe), propagate them through the full data pipeline, persist them
as time-series metrics, and display them in an interactive disk detail
drawer with historical sparkline charts.
Backend: add SMARTAttributes struct, writeSMARTMetrics for persistent
storage, "disk" resource type in metrics API with live fallback.
Frontend: enhanced DiskList with Power-On column and SMART warnings,
new DiskDetail drawer matching NodeDrawer styling patterns, generic
HistoryChart metric support with proper tooltip formatting.
2026-02-04 13:35:40 +00:00
rcourtman
13ef837a5f
Cover tenant auth middleware
2026-02-04 13:34:09 +00:00
rcourtman
af1a14f3a7
Cover checksum token auth
2026-02-04 13:28:54 +00:00
rcourtman
bbfc5a9fc4
Fix OIDC login bypass test to expect 302
redirectOIDCError uses http.StatusFound (302) but the test expected
307. The test was stale after the error redirect was introduced.
2026-02-04 13:27:10 +00:00
rcourtman
67e2dce78d
Inventory download route exposure
2026-02-04 13:27:00 +00:00
rcourtman
0d564bfd8f
Clarify download checksum auth
2026-02-04 13:23:55 +00:00
rcourtman
ce9481e7bf
Inventory frontend and static auth bypasses
2026-02-04 13:20:45 +00:00
rcourtman
d1f602c93b
Validate public allowlist backing
2026-02-04 13:18:29 +00:00
rcourtman
41c10e60d7
Add auth bypass inventory coverage
2026-02-04 13:16:29 +00:00
rcourtman
fc9c2b2477
Add public paths inventory test
2026-02-04 13:05:12 +00:00
rcourtman
75710338a3
Add CSRF skip allowlist test
2026-02-04 13:01:00 +00:00
rcourtman
3c9a0ebc58
Cover apply-restart CSRF skip
2026-02-04 12:58:12 +00:00
rcourtman
49a570b574
Track bare routes in inventory test
2026-02-04 12:55:59 +00:00
rcourtman
8ddcbf8c62
Add router route inventory test
2026-02-04 12:49:22 +00:00
rcourtman
8951b6f7f9
Require monitoring scope for socket.io
2026-02-04 12:41:12 +00:00