cd-develop built and pushed the image, then said nothing. With no Slack step and
no Gitea webhook, the only way to know a build ran was to poll the Actions API
(whose run status is unreliable) or list registry tags. 21 of 24 repos were silent
this way; only devices, guide and incident notified.
Ports the notify step from hiveops-devices verbatim, adapted for a build-only
pipeline: the card says built & pushed (not deployed) and names the tag to deploy.
if: always() so failures are announced too, and continue-on-error so a Slack hiccup
can never fail a build. Short SHA is derived inside the step from github.sha, as most
repos have no Short SHA step. No new secret: SLACK_WEBHOOK_URL is already an org secret.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):
postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
protection. Affects 42.7.4-42.7.11.
httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation
httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.
Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.
Refs bom#6
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Keeps operating essentials (template gate, ports, build/deploy, env, What's New,\nrepo-specific quirks); moves architecture/endpoints/tables/topics to the HiveIQ\nGuide (guide.bcos.dev) which is kept in sync with code. Part of the guide-KB rollout.\n\nCo-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Single VITE_API_URL replaces apiUrl+authUrl. Gateway URL for auth calls
is derived at runtime via apiUrl.replace(/\/aria$/, '').
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Path was /api/auth/users/me but the auth controller is at /auth/api/users/me.
Caused a CORS-then-404 error on every page load.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace cryptic SVG countdown circle with a clear labeled toggle switch
in ThreatEvents, DevicePosture, and PrecursorAlerts. State is persisted
to localStorage per-component (aria_threats_autoRefresh, aria_posture_autoRefresh,
aria_alerts_autoRefresh).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
OTX pulse names exceed 100 characters, causing a column-too-long error on
IOC feed upsert. TEXT has no length limit and matches the description column.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add reported_at field to threat_ioc (V7 migration) — tracks when the source
originally published the IOC, distinct from addedAt (ingestion time); wired
into OTX (created field), MalwareBazaar and ThreatFox (first_seen field),
and the manual IOC creation endpoint
- Fix threat event stats to use a 24h time window for critical/high counts
(countBySeverityAndDetectedAtAfter) instead of all-time totals
- Rebuild IOC Management with canonical filter sidebar: collapsible left sidebar
with per-type toggle pills, active filter chips with individual removal
- DevicePosture: collapse institutions and filter sidebar by default
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All institutions expanded by default. Header row shows device count,
avg posture score, and a warning badge when any device scores below 80.
Fetches all records in one call (size=500) instead of paginating.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: IocFeeds.svelte called feeds.find() on a Map (backend returned
Map<String,Object> not List) → reactive statement crash → entire Svelte tree
broken, all sidebar nav dead.
Backend:
- /feeds/status now returns List<Map> with feedName/configured/enabled/
lastRunAt/lastRunStatus/lastIocsAdded/lastIocsUpdated fields
- /feeds/runs now returns full Page<IocFeedRun> (not stripped .getContent())
- IocFeedService.isConfigured(feedName) added for per-feed key check
- Feed order fixed to [OTX, MALWARE_BAZAAR, THREAT_FOX] (deterministic)
Frontend:
- loadFeeds: Array.isArray guard prevents crash if shape is ever wrong
- loadRuns: safe fallback for both Page and plain-array responses
- api.ts refreshFeed URL fixed: /feeds/refresh/{name} not /feeds/{name}/refresh
- IocFeedStatus type: added lastIocsUpdated
- IocFeeds.svelte: Refresh All moved from header to toolbar; all buttons
use canonical btn/btn-primary/btn-secondary/btn-sm classes; pollInterval
now calls pollStatus (status-only poll) not full refresh trigger
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ARIA is an internal security intelligence tool — MSP_ADMIN users
should not have access. Replaced hasAnyRole('MSP_ADMIN','BCOS_ADMIN')
with hasRole('BCOS_ADMIN') across all four controllers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without @EnableSpringDataWebSupport(VIA_DTO) the API returned totalElements
at the top level. Frontend expects {content, page: {totalElements, totalPages,
number}} — the DTO format. Fixes Load Failed on all paginated pages.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
V4 dropped the PK but PostgreSQL retained the implicit NOT NULL.
V5 makes device_id nullable so agents without a numeric deviceId
can persist posture reports.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
V4 migration drops the device_id primary key and adds an auto-generated
id BIGSERIAL as the PK. device_id becomes a unique nullable column.
Agents that don't send a numeric deviceId can now save posture reports.
Controller GET /{deviceId} now uses findByDeviceId instead of findById.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All three list pages (ThreatEvents, PrecursorAlerts, DevicePosture) now
use the template's btn-manual-refresh icon button + SVG countdown timer
in header-controls, matching the canonical TablePage.svelte pattern.
Plain text Refresh button removed from toolbar-right.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PrecursorAlerts and DevicePosture were using custom inline select
dropdowns for filtering. Both now use the canonical left filter sidebar
with collapsible status-pills, active filter chips, and content-frame
layout from hiveops-template/TablePage.svelte.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>