Commit Graph

36 Commits

Author SHA1 Message Date
johannes 3c0058d892 docs(guide): gotcha — root-owned cron logs silently kill bcosadmin cron jobs
The redirect (>> /var/log/x.log) fails before the command runs when the target
is root-owned/absent; job dies with zero output. Caused backups #18/#19 + IDS
#22 outages. Diagnose via redirect-target owner; fix with chown + logrotate create.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 11:50:30 -04:00
johannes 80e4bbe415 docs(guide): ClamAV remediation status + VM-sizing OOM gotcha
devops.security: #16 remediated (freshclam + clamscan, no resident clamd); 5/6
VMs done incl CDE; proxy EXCLUDED (957MB, install OOM d it -> hard reboot).
platform.gotchas: check VM RAM before installing memory-heavy tools.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 10:58:00 -04:00
johannes 03f6c16eab docs(guide): correct devops.backups + devops.security after prod audit
First pass had a partial view. Backups are 3 layers (Swift dumps + encrypted
off-cluster borg to DLX + Cinder snapshots), not just pg_dumpall — #15 (DR)
resolved, #13/#14 re-scoped. Security has iptables auto-block (security-monitor)
+ AIDE FIM — #17 re-scoped; ClamAV (#16) remains the one real gap.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 08:27:18 -04:00
johannes 5d23388ef5 docs(guide): add platform.production-checks + new DEVOPS section (backups, security)
- platform.production-checks: the daily prod health sweep (deep actuator/critical
  set, Loki ERROR+5xx top-5, backup freshness, ClamAV per-VM) -> 06:30 email report.
- NEW DevOps nav section in the reader (SPECIAL + section block + expandFor).
- devops.backups: pg_dumpall->Swift nightly job, verify/restore, gaps (#13/#14/#15).
- devops.security: ClamAV/firewall posture from the 2026-07-02 sweep — FAILING,
  remediation in #16 (Critical, PCI CDE) / #17. Reconciler: devops = concept docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 07:55:49 -04:00
johannes 2be67a26d1 docs(guide): add IAT_SERVER_RECOVERED / IAT_CORE_RECOVERED to activeteller module
The activeteller agent module now emits two connectivity-recovery events
(hiveops-agent#68) that drive incident auto-close. Adds them to the event lists
(internal + claude), bumps the count 9→11, and corrects the SymXchange behaviour
in architect.md: the connection-error streak resets (and IAT_CORE_RECOVERED fires)
on the next message header, not on a fault line.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 00:44:32 -04:00
johannes 340e131dc7 docs(guide): add platform.ci-cd + capture DNS single-point-of-failure gotcha
New platform.ci-cd page: runner topology (dlx-hiveiq-runner-01), no-internet
design, workflow set, access, and failure signatures. gotchas: correct the
stale \"CI is disabled\" line and add the AdGuard DNS SPOF (hits app boxes + CI
+ Claude sessions). Grounded in runner logs from the 2026-07-01 outage.

Refs hiveiq-ops/hiveiq-devops#11

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 00:06:27 -04:00
johannes 95761a0643 content(guide): agent.* module guides — 15 modules (Internal/Architect/Claude, audience dev)
Closes the agent-module coverage gap the reconciler flagged (activeteller + 14).
Grounded per module in hiveops-agent/hiveops-module-*; audience dev (dev-only).
Reconciler now green. Grounding surfaced agent-side bugs (log-error route
mismatch, atec poll-interval hardcoded) — to verify + file next.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 19:26:23 -04:00
johannes 167ba332a8 chore(guide): reconciler excludes deprecated qds-monitor (superseded by the agent)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 19:07:27 -04:00
johannes 871b81474d feat(guide): coverage reconciler + relabel customer tabs Overview→Customer
scripts/coverage-reconcile.py diffs the code surface (services, agent modules,
SPAs) against documented module keys and reports gaps — catches undocumented
things (found 15 agent modules + qds-monitor). Also relabeled 63 customer tabs
Overview→Customer for role-tab consistency with the fleet pilot.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 19:05:40 -04:00
johannes 26610bb4f3 style(guide): let content fill the pane (drop 860px cap) — no more right-side gap
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 17:37:17 -04:00
johannes 930a4b968e feat(guide): dev audience tier + GUIDE_SERVED_AUDIENCES env cap (prod = customer,internal)
4-tier ladder customer<internal<dev<bcos. Re-tagged Architect/Testing/Claude +
platform/technical from internal->dev; Processes stays bcos. Backend visible()
enforces a per-instance served-audiences cap at the API. bcos.dev/DLX serve all;
production sets GUIDE_SERVED_AUDIENCES=customer,internal so dev/bcos never leave
dev. Verified: capped instance returns only Customer+Internal, 404s dev/bcos.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 17:11:00 -04:00
johannes e02aab4d3b feat(guide): in-guide feedback → creates Gitea Bug/Enhancement issues
Backend FeedbackController + GiteaFeedbackService (POST /api/v1/guide/feedback):
resolves/creates the Bug/Enhancement label, appends reporter (from JWT) + module
context, POSTs the issue via a server-side GITEA_FEEDBACK_TOKEN (reaches Gitea via
public route). Area→repo map mirrors the Browser. Reader gets a 💬 Send feedback
button + dark slide-in form (Bug/Enhancement, area prefilled from current module,
title, description) with success link. Verified e2e (created hiveops-guide #4).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 16:54:55 -04:00
johannes 7b7af91910 content(guide): note issue-close auto-notifies reporter — fill Resolution first (processes.gitea-issues)
Ties in dlx-claude's gitea-notify webhook: closing a Gitea issue DMs the reporter
in their HiveIQ inbox using the Resolution field.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 16:24:06 -04:00
johannes 4d56db455e feat(guide): Processes section + bcos-only audience tier (BCOS_ADMIN)
New 3-tier gating: customer < internal (MSP/BCOS) < bcos (BCOS_ADMIN only).
GuideController.isBcos + service visible() honour audience: bcos. New 'processes'
app with Develop / Main / Release / Gitea-Issue process docs (audience bcos),
rendered as a Processes nav section only BCOS_ADMIN can see. Verified: BCOS 200,
MSP/customer 404.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 16:09:33 -04:00
johannes 2488408ee9 content(guide): Testing tabs for all 63 modules — slim frontend QA checklists (DRAFT)
Every customer module now has the full 5-lens set (Customer/Internal/Architect/
Testing/Claude). Testing = frontend-only what-to-test -> pass/fail checklist vs
bcos.dev sim data (C1/C2/C3 + test logins), audience internal. Authored via
per-module fan-out (2 retried on Sonnet 5).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 15:50:40 -04:00
johannes 467b7243df content(guide): reshape fleet Testing tabs — slim frontend-only QA checklist
Per Johannes: Testing tab is a tester's what-to-test -> pass/fail checklist (UI
only, bcos.dev sim data C1/C2/C3 + test logins), not an engineering API spec.
Dropped curl/endpoints/backend. New pattern for the fan-out.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 15:40:18 -04:00
johannes 3976251b90 feat(guide): Testing role-tab (fleet pilot) + sidebar identity indicator
- New Testing tab (order 35, audience internal, 🧪): test accounts, manual flow,
  copy-paste API smoke tests, role/scoping checks, regression watch. Fleet pilot.
- Reader shows 'Signed in as {email} · {role}' above Sign out (decoded from JWT),
  so you always know which identity you're testing as.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 15:26:29 -04:00
johannes 3b80409718 fix(guide): collapsible nav not toggling — reference open/searching directly (Svelte reactivity)
isOpen() helper hid the dependency on `open` from Svelte's tracking, so clicks
updated state but not the view. Inline (searching || open[key]) instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 12:30:14 -04:00
johannes 9608b363ac feat(guide): collapsible nav — Modules (per-app) / Platform / Technical sections
Restructure reader sidebar into 3 collapsible top-level sections: Modules at
top (each product app collapsible with its module list), then Platform and
Technical. Auto-expands the section/app of the active module; search expands all.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 12:27:21 -04:00
johannes 2f94d62769 content(guide): role-tabs (Internal/Architect/Claude) for all 63 customer modules (DRAFT, Refs #1 #3)
Full role-tab rollout: every customer module now has Customer/Internal/
Architect/Claude tabs, grounded per-module in real code. Backend serves 296
docs / 96 modules. Grounding surfaced ~20 real bugs across services (filed
separately after verification).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 12:14:54 -04:00
johannes 916095f43b feat(guide): role-tab model — Customer/Internal/Architect/Claude (fleet pilot, Refs #1 #3)
Reader shows role-based tabs with icons (order 10/20/30/40, internal gated).
Fleet pilot: relabel Customer tab + author Internal/Architect/Claude tabs for
tasks/artifacts/patch-windows, grounded in fleet code. Architect/Claude tabs
surfaced real bugs (patch-window day-code, /stats hardcoded counts) — flagged
separately, not fixed here.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 11:47:27 -04:00
johannes 0328d90d8b feat(guide): dark theme + show/hide password on login; dark reader
Login page: dark card/inputs, Show/Hide password toggle (manual value bind
since dynamic type can't use bind:value). Reader: dark content, tabs, and
markdown (headings/tables/code/blockquote).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 11:28:35 -04:00
johannes 69fef2b2fd fix(guide): correct auth paths — /api/login + /api/users/me (base already includes /auth)
authApi baseURL is .../auth, so posting /auth/api/login double-prefixed to
/auth/auth/api/login → 403. Use /api/login and /api/users/me.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 11:00:49 -04:00
johannes cc5765511c content(guide): customer-facing module guides across 13 SPAs (DRAFT, Refs #3)
62 plain-language audience:customer Overview guides, one per primary
user-facing module (analytics/aria/claims/dashboard/devices/incident/msp/
profile/recon/reports/transactions/vault + fleet), authored by a per-module
parallel pass grounded in each component's actual UI, mirroring the fleet.tasks
voice. Existing hand-made guides were skipped, not overwritten. Deployed to
guide.bcos.dev for review; all DRAFT.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 10:46:12 -04:00
johannes 7bf43e1370 feat(guide): tabbed markdown reader — retire CRUD GuidesView (Phase 2, Refs #1)
New GuideReader.svelte: nav tree (apps→modules) + tabbed markdown (marked),
audience-gated server-side (admins see internal tabs, badged). Replaces the old
DB-CRUD GuidesView. Consumes GET /api/v1/guide/nav + /modules/{module}.
Deployed to guide.bcos.dev.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 10:42:59 -04:00
johannes a41f7d522c content(guide): reconcile platform.kafka catalog — 15 code-verified topics (Refs #3)
The per-service pass surfaced 10 topics beyond the original 5 (agent.online/
offline, fleet.task.events, incidents.created/updated/resolved, journal.
transactions.recorded, analytics.snapshot-ready, adoons.rule-suggestion.
requested/ready). All grep-confirmed as literals in producing-service source.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 09:04:11 -04:00
johannes 6542c4f348 content(guide): per-service internal knowledge base — 19 technical.<svc> guides (DRAFT, Refs #3)
One code-grounded internal guide per backend service (Responsibility / Data /
Kafka / API surface / Gotchas), authored by parallel per-service agents reading
each service's own source, then an adversarial verify pass (DB names, topics,
endpoints spot-checked against code — 0 hard errors). Several guides correctly
document CODE over stale CLAUDE.md (remote = HTTP long-poll not WebSocket;
analytics = has a DB, not stateless; devices = has its own backend).
Unconfirmed facts are marked (unverified). audience: internal, all DRAFT.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 09:01:58 -04:00
johannes b102bbabd0 content(guide): platform infra knowledge base — topology, nginx-routing, data-stores, kafka, gotchas (DRAFT, Refs #3)
Cross-cutting internal guides so admins/Claude can query HiveIQ topology,
routing, data ownership and Kafka flows without re-reading code. All
audience: internal, marked DRAFT pending review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 08:52:53 -04:00
johannes 09fb6fc580 content(guide): internal platform architecture guides (DRAFT, Refs #1)
Internal (audience:internal) guides capturing the HiveIQ architecture that caused
repeated mistakes: data-architecture (executor/Kafka/record-store), service-ownership,
deployment topology, auth/JWT, git workflow, module map. For admins + Claude's reference.
2026-07-01 07:57:20 -04:00
johannes 261ded9580 content(guide): fleet.tasks / fleet.artifacts / fleet.patch-windows markdown (Refs #1)
Ported from the previously-hardcoded GuidePanel objects in hiveops-fleet.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 01:05:57 -04:00
hiveiq e17e3feca6 Merge pull request 'feat(guide): markdown-driven backend API, retire DB/CRUD (Phase 1)' (#2) from feat/1-markdown-guide-backend into develop
Merge PR #2: markdown-driven guide backend (Refs #1)
2026-06-30 23:54:09 -04:00
johannes 4b7f50ec6a feat(guide): markdown-driven backend API, retire DB/CRUD (Refs #1)
Phase 1 of the guide rebuild (DESIGN.md):
- MarkdownGuideService scans content/**/*.md (frontmatter: module/title/tab/order/audience)
- GET /api/v1/guide/nav + /api/v1/guide/modules/{module}; audience gated by role
  (internal tabs only for MSP_ADMIN/BCOS_ADMIN)
- Removed JPA/Flyway/Postgres, Guide entity/repo/service, admin CRUD, seed migrations
- Seed content: devices.sw-deploy (Overview/Data/Technical-internal), fleet.tasks
- Verified: boots with no DB, loads 4 docs, nav + audience filtering + 401 all correct

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 23:49:58 -04:00
johannes 9c91c56672 docs: hiveops-guide redesign plan (markdown + API + tabbed slide-out)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 23:37:16 -04:00
johannes 59fce91714 fix(frontend): add type=module and svelte-preprocess to fix ESM build 2026-06-29 15:46:30 -04:00
johannes 931ad6c11b chore: add .gitignore, exclude backend/target and frontend/dist 2026-06-29 15:39:28 -04:00
johannes 638760e0b3 feat: initial hiveops-guide service — standalone guide content API and admin SPA 2026-06-29 15:39:17 -04:00