26.2.4

v26.2.4: Major platform update — security hardening, TLS everywhere, 12 new services, 78 new tests

Infrastructure:
- PostgreSQL TLS enabled by default (ECDSA P-256 self-signed, sslmode=require)
- Redis TLS enabled by default (rediss://, auto-generated certs)
- HTTP-to-HTTPS redirect with health endpoint exceptions
- Trivy scanner pinned to v0.69.1 for reproducible builds
- Docker CLI upgraded to 29.2.0 (API 1.53)

Security hardening:
- JWT tokens rejected from query parameters (header + cookie only)
- CORS restricted to same-origin by default (was allow-all)
- CSRF constant-time comparison + auto-regeneration
- Return URL validation against open redirects
- Bearer prefix enforcement per RFC 6750
- WebSocket origin validation on all upgrade requests
- WebSocket rate limiting (20 concurrent per IP)
- TOTP replay attack protection via Redis
- Admin self-role-change prevention
- 10 MB max request body on all authenticated routes
- Webhook tokens hashed with SHA-256 before storage
- Per-route CSP (strict global, relaxed for Monaco)
- getRealIP uses rightmost non-private X-Forwarded-For

New services (12):
- Calendar (events, tasks, checklists, notes)
- Change events feed (immutable audit trail with full-text search)
- Cost/resource optimization (usage tracking, recommendations)
- Custom dashboards (per-user widget layouts)
- Drift detection (config snapshots, env/port/volume/image diff)
- Session recording & replay (asciicast v2, gzip, retention policies)
- Registry browsing (Docker Hub, GHCR, Harbor, OCI v2)
- Compliance evaluator (CIS Docker Benchmark scoring)
- Compliance PDF report generator (pure Go, no dependencies)
- Proxy backend abstraction layer (SyncBackend interface)
- About page (version, runtime, DB version, health)

New scheduler workers:
- Auto-deploy (GitOps image tag detection)
- Runbook execution (multi-step with approval gates)
- SLA breach detection (vulnerability deadline monitoring)
- Webhook dispatch (HMAC-SHA256 signed, with retry)

New developer tools (15 browser-based):
- Base64/URL/hex encoders, JSON/YAML formatters, UUID/password generators
- Hash calculator, CIDR calculator, regex tester, JWT decoder
- Text diff viewer, crypto key generator, TOTP generator

App catalog expanded (6 → 20 apps, 7 categories):
- Nextcloud, Traefik v3, WireGuard Easy, Mattermost
- Passbolt, Vaultwarden, Authentik, Uptime Kuma
- Grafana + Prometheus, Woodpecker CI, PostgreSQL + pgAdmin

New database migrations (036–044):
- Agent events, git sync full-name, CVE remediation tracking
- Change events, drift detection, resource optimization
- Session recording, runbook approvals, calendar

Application bootstrap:
- Monolithic app.go (2554 lines) split into 8 init files
- API errors standardized (machine-readable codes, consistent JSON)
- Auth provider adapter layer (decoupled LDAP/OAuth types)

Config changes:
- JWT secret and encryption key auto-generated on first run
- Default admin password now random (printed to stderr)
- cookie_secure defaults to true
- Configurable rate limits, paths, storage dirs

Frontend:
- 23 new template page directories
- Self-hosted vendor libs: asciinema-player, bcrypt.js, js-yaml, marked

Testing:
- 78 new test files (54 → 132 total)
- Shared testutil package with fixtures and helpers
- Coverage across agent, services, repositories, handlers, middleware

CI/CD:
- GitHub Actions pipeline (lint, test, security scan, build)
- GoReleaser config (multi-arch linux/darwin amd64/arm64)
- Pre-commit hooks (govulncheck, migration verify, go mod tidy)

Bug fixes:
- Containers not appearing after restart (host stuck offline)
- Host never recovering from offline status
- Shortcuts form multiple submission (disabled inactive inputs)
- Ansible inventory routes were commented out (404)
- Node metrics "No Data Available" (type constant mismatch)
- NATS "Disconnected" on About page (readiness check)
- Stack deploy log not streaming (buffered output)
- Server readiness race (poll loop replaces sleep)
- Forward reference compile error in app.go
- NATS client Connect() never called
- Audit service nil in standalone mode
- Orphan contexts in goroutines (Trivy, scheduler)
- Proxy host ID resolution (hashUUIDToInt)

Author: fran-olivares

.goreleaser.yml

@@ -0,0 +1,154 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# usulnet - GoReleaser Configuration
+# https://goreleaser.com
+
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+    - go install github.com/a-h/templ/cmd/templ@v0.3.977
+    - templ generate
+
+builds:
+  - id: usulnet
+    main: ./cmd/usulnet
+    binary: usulnet
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -X github.com/fr4nsys/usulnet/internal/app.Version={{.Version}}
+      - -X github.com/fr4nsys/usulnet/internal/app.Commit={{.Commit}}
+      - -X github.com/fr4nsys/usulnet/internal/app.BuildTime={{.Date}}
+    flags:
+      - -trimpath
+
+  - id: usulnet-agent
+    main: ./cmd/usulnet-agent
+    binary: usulnet-agent
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -X github.com/fr4nsys/usulnet/internal/app.Version={{.Version}}
+      - -X github.com/fr4nsys/usulnet/internal/app.Commit={{.Commit}}
+      - -X github.com/fr4nsys/usulnet/internal/app.BuildTime={{.Date}}
+    flags:
+      - -trimpath
+
+archives:
+  - id: default
+    formats:
+      - tar.gz
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}
+    files:
+      - LICENSE
+      - README.md
+      - config.yaml
+      - deploy/**/*
+
+checksum:
+  name_template: "checksums.txt"
+  algorithm: sha256
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^ci:"
+      - "^chore:"
+      - "^style:"
+  groups:
+    - title: "Security"
+      regexp: '^.*?sec(urity)?(\(.+\))?\!?:.+$'
+      order: 0
+    - title: "Features"
+      regexp: '^.*?feat(\(.+\))?\!?:.+$'
+      order: 1
+    - title: "Bug Fixes"
+      regexp: '^.*?fix(\(.+\))?\!?:.+$'
+      order: 2
+    - title: "Performance"
+      regexp: '^.*?perf(\(.+\))?\!?:.+$'
+      order: 3
+    - title: "Other"
+      order: 999
+
+dockers:
+  - image_templates:
+      - "ghcr.io/fr4nsys/usulnet:{{ .Version }}-amd64"
+      - "ghcr.io/fr4nsys/usulnet:latest-amd64"
+    use: buildx
+    dockerfile: Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--build-arg=VERSION={{.Version}}"
+      - "--build-arg=COMMIT={{.Commit}}"
+      - "--build-arg=BUILD_TIME={{.Date}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.Commit}}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+    ids:
+      - usulnet
+
+  - image_templates:
+      - "ghcr.io/fr4nsys/usulnet:{{ .Version }}-arm64"
+      - "ghcr.io/fr4nsys/usulnet:latest-arm64"
+    use: buildx
+    dockerfile: Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--build-arg=VERSION={{.Version}}"
+      - "--build-arg=COMMIT={{.Commit}}"
+      - "--build-arg=BUILD_TIME={{.Date}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.Commit}}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+    ids:
+      - usulnet
+    goarch: arm64
+
+docker_manifests:
+  - name_template: "ghcr.io/fr4nsys/usulnet:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/fr4nsys/usulnet:{{ .Version }}-amd64"
+      - "ghcr.io/fr4nsys/usulnet:{{ .Version }}-arm64"
+  - name_template: "ghcr.io/fr4nsys/usulnet:latest"
+    image_templates:
+      - "ghcr.io/fr4nsys/usulnet:latest-amd64"
+      - "ghcr.io/fr4nsys/usulnet:latest-arm64"
+
+release:
+  github:
+    owner: fr4nsys
+    name: usulnet
+  prerelease: auto
+  name_template: "v{{.Version}}"
+  header: |
+    ## usulnet v{{.Version}}
+
+    Docker Management Platform — self-hosted alternative to Portainer.
+  footer: |
+    ## Docker
+
+    ```bash
+    docker pull ghcr.io/fr4nsys/usulnet:{{.Version}}
+    ```
+
+    **Full Changelog**: https://github.com/fr4nsys/usulnet/compare/{{ .PreviousTag }}...{{ .Tag }}

Dockerfile

@@ -93,16 +93,17 @@ LABEL org.opencontainers.image.title="usulnet" \
       org.opencontainers.image.vendor="usulnet" \
       org.opencontainers.image.licenses="AGPL-3.0"
 
-# All runtime packages in a single layer (includes nvim editor deps)
-# Minimized apk cache by combining all installs
+# Runtime packages (includes nvim editor deps)
 RUN apk add --no-cache \
     ca-certificates tzdata curl su-exec util-linux \
     docker-cli docker-cli-compose \
     neovim git ripgrep fd \
     musl-locales musl-locales-lang && \
-    # Install Trivy vulnerability scanner
-    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin && \
-    # Clean up curl caches
+    update-ca-certificates
+
+# Install Trivy vulnerability scanner (pinned version for reproducibility)
+ARG TRIVY_VERSION=0.69.1
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${TRIVY_VERSION} && \
     rm -rf /tmp/* /var/cache/apk/*
 
 # Overwrite Alpine's docker-cli (27.x, API 1.47) with Docker 29.2.0 (API 1.53)

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build build-agent run test test-coverage test-check-coverage test-benchmark test-e2e clean dev-up dev-down migrate lint lint-fix fmt vet templ css install-hooks
+.PHONY: all build build-agent run test test-coverage test-check-coverage test-benchmark test-e2e clean dev-certs dev-up dev-down migrate lint lint-fix fmt vet templ css install-hooks help release-check release-snapshot verify-migrations security-scan docker-push
 
 # Variables
 BINARY_NAME=usulnet
@@ -76,7 +76,7 @@ test-coverage:
 
 test-check-coverage:
 	@echo "Running coverage threshold check..."
-	@bash scripts/check-coverage.sh 40
+	@bash scripts/check-coverage.sh 15
 
 test-benchmark:
 	@echo "Running benchmarks..."
@@ -92,11 +92,21 @@ clean:
 	@rm -f coverage.out coverage.html
 
 # Development environment
-dev-up:
+dev-certs: ## Generate TLS certificates for dev environment (PostgreSQL, HTTPS, NATS)
+	@if [ ! -f dev-certs/ca.crt ]; then \
+		echo "Generating dev TLS certificates..."; \
+		$(GORUN) $(MAIN_PATH) pki init --data-dir ./dev-certs; \
+		chmod 755 dev-certs; \
+		chmod 644 dev-certs/*.crt; \
+	else \
+		echo "Dev certificates already exist (dev-certs/ca.crt)"; \
+	fi
+
+dev-up: dev-certs
 	docker compose -f docker-compose.dev.yml up -d
 	@echo "Waiting for services to be ready..."
 	@sleep 5
-	@echo "Development environment is ready"
+	@echo "Development environment is ready (PostgreSQL TLS: verify-full)"
 
 dev-down:
 	docker compose -f docker-compose.dev.yml down
@@ -163,5 +173,93 @@ install-hooks:
 	@echo "Pre-commit hook installed"
 
 # Quality gate — run all quality checks
-quality: lint vet test-check-coverage
+quality: lint vet test test-check-coverage
 	@echo "All quality checks passed!"
+
+# Release engineering
+release-check:
+	@echo "Checking release prerequisites..."
+	@test -n "$$(git describe --exact-match --tags HEAD 2>/dev/null)" || (echo "ERROR: HEAD is not tagged. Tag with: git tag -a vX.Y.Z -m 'Release vX.Y.Z'" && exit 1)
+	@test -z "$$(git status --porcelain)" || (echo "ERROR: Working tree is dirty. Commit or stash changes." && exit 1)
+	@which goreleaser > /dev/null 2>&1 || (echo "ERROR: goreleaser not found. Install: go install github.com/goreleaser/goreleaser/v2@latest" && exit 1)
+	@echo "All release prerequisites met."
+
+release-snapshot:
+	@echo "Building release snapshot (no publish)..."
+	@which goreleaser > /dev/null 2>&1 || (echo "Installing goreleaser..." && go install github.com/goreleaser/goreleaser/v2@latest)
+	goreleaser release --snapshot --clean
+
+verify-migrations:
+	@echo "Verifying migration integrity..."
+	@bash scripts/verify-migrations.sh
+
+security-scan:
+	@echo "Running security scans..."
+	@which govulncheck > /dev/null 2>&1 || (echo "Installing govulncheck..." && go install golang.org/x/vuln/cmd/govulncheck@latest)
+	govulncheck ./...
+	@if which golangci-lint > /dev/null 2>&1; then \
+		echo "Running gosec via golangci-lint..."; \
+		golangci-lint run --enable gosec ./...; \
+	else \
+		echo "SKIP: golangci-lint not installed"; \
+	fi
+
+docker-push:
+	@echo "Pushing Docker images..."
+	@test -n "$(DOCKER_REGISTRY)" || (echo "ERROR: DOCKER_REGISTRY not set" && exit 1)
+	docker tag usulnet:latest $(DOCKER_REGISTRY)/usulnet:latest
+	docker tag usulnet:latest $(DOCKER_REGISTRY)/usulnet:$(shell git describe --tags --always)
+	docker push $(DOCKER_REGISTRY)/usulnet:latest
+	docker push $(DOCKER_REGISTRY)/usulnet:$(shell git describe --tags --always)
+
+# Help
+help:
+	@echo "usulnet — Docker Management Platform"
+	@echo ""
+	@echo "Build:"
+	@echo "  make build              Full build (templ + CSS + Go binary)"
+	@echo "  make build-agent        Build agent binary only"
+	@echo "  make build-all          Build both binaries"
+	@echo "  make frontend           Generate templates + compile CSS"
+	@echo ""
+	@echo "Run:"
+	@echo "  make run                Run the server (go run)"
+	@echo "  make dev-certs          Generate TLS certificates for dev environment"
+	@echo "  make dev-up             Start dev services (PostgreSQL, Redis, NATS) with TLS"
+	@echo "  make dev-down           Stop dev services"
+	@echo "  make dev-up-agent       Start dev services with agent profile"
+	@echo ""
+	@echo "Test:"
+	@echo "  make test               Run tests with race detection and coverage"
+	@echo "  make test-coverage      Generate HTML coverage report"
+	@echo "  make test-check-coverage  Check coverage threshold"
+	@echo "  make test-benchmark     Run benchmark tests"
+	@echo "  make test-e2e           Run E2E tests (requires running services)"
+	@echo ""
+	@echo "Code Quality:"
+	@echo "  make lint               Run golangci-lint"
+	@echo "  make lint-fix           Run golangci-lint with auto-fix"
+	@echo "  make fmt                Format Go source files"
+	@echo "  make vet                Run go vet"
+	@echo "  make quality            Full quality gate (lint + vet + test + coverage)"
+	@echo "  make security-scan      Run govulncheck + gosec"
+	@echo "  make verify-migrations  Check migration file integrity"
+	@echo ""
+	@echo "Database:"
+	@echo "  make migrate            Run migrations up"
+	@echo "  make migrate-down       Roll back migrations"
+	@echo "  make migrate-status     Show migration status"
+	@echo ""
+	@echo "Docker:"
+	@echo "  make docker-build       Build production Docker image"
+	@echo "  make docker-build-agent Build agent Docker image"
+	@echo ""
+	@echo "Release:"
+	@echo "  make release-check      Verify release prerequisites (clean tree, tag, goreleaser)"
+	@echo "  make release-snapshot   Build release locally without publishing"
+	@echo "  make docker-push        Push Docker images (requires DOCKER_REGISTRY)"
+	@echo ""
+	@echo "Other:"
+	@echo "  make deps               Download and tidy Go modules"
+	@echo "  make install-hooks      Install git pre-commit hook"
+	@echo "  make clean              Remove build artifacts"