- Add Azure integration to CHANGELOG.md with VM inventory, provisioning, lifecycle management, API routes, setup guide, configuration schema, journal collector, and color coding
- Update README.md to include Azure in integration list and feature descriptions
- Add Azure VM provisioning feature to features section
- Add Azure configuration reference to configuration table
- Update version history to mention Azure integration in v1.1.0
- Add Azure integration documentation link to integration references
- Reflect Azure as supported infrastructure provider alongside Proxmox and AWS

- Add comprehensive design document covering RBAC gap fixes, frontend bug fixes, and embedded MCP server architecture
- Add detailed requirements specification for RBAC enhancements and MCP server implementation
- Add task breakdown and implementation checklist for feature development
- Add Kiro spec configuration for requirements-first workflow tracking
- Establishes foundation for RBAC permission backfill, frontend API fixes, and MCP server integration

- 2.1 Fix fetchWithRetry to handle HTTP 204 No Content
- 2.2 Write property test for fetchWithRetry JSON round-trip (Property 1)
- 2.3 Update permissions.ts with azure, hiera, ssh resource types
- 2.4 Write unit tests for permissions.ts updates

- 3.1 Create CreateRoleDialog.svelte with Svelte 5 runes, form validation, and accessible dialog
- 3.2 Integrate CreateRoleDialog into RoleManagementPage
- 3.3 Write property test for form validation (Property 2) with numRuns: 20
- 3.4 Write unit tests for CreateRoleDialog (render, submit, 409, 500 errors)

- 5.1 Add mcpEnabled: z.boolean().default(false) to AppConfigSchema
- 5.2 Parse MCP_ENABLED env var in ConfigService, expose isMcpEnabled()
- 5.3 Add unit tests verifying default false and true when MCP_ENABLED=true

- 6.1 Create backend/src/mcp/McpServiceUser.ts with provisionMcpServiceUser
- 6.2 Write unit tests for idempotent provisioning
- Add optional isBuiltIn to CreateRoleDTO for built-in role creation

- 7.1 Install @modelcontextprotocol/sdk dependency
- 7.2 Create McpServer.ts with server setup and McpToolHandlers.ts with tool registration
- 7.3 Write property test for inventory_list search filtering (Property 3)
- 7.4 Write property test for universal MCP tool permission enforcement (Property 4)
- 7.5 Write unit tests for MCP tool handlers (31 tests)

- 8.1 Update server.ts to conditionally initialize MCP when MCP_ENABLED=true
- 8.2 Write integration test for MCP endpoint (initialize + tools/list)
- Fix McpServiceUser password to meet complexity requirements

…rver features
- CHANGELOG: add v1.2.0 section with MCP server, new permissions, CreateRoleDialog, and bug fixes
- README: add MCP Server to features, version history, config table, and project structure
- docs/configuration.md: add MCP Server section with MCP_ENABLED and tool reference
- docs/api.md: add MCP endpoint documentation with tool parameters and client config
- docs/permissions-rbac.md: add Azure/Hiera/SSH permissions, update Viewer/Operator roles, add MCP service user section
- docs/architecture.md: add MCP server to startup sequence

…xisting 012 Migration 012 was already applied to existing databases as 012_journal_event_types_cleanup.sql (since removed from source). Renumbered to 013 so the MigrationRunner picks it up.
…migration naming, mcp property test
Agent-Logs-Url: https://github.com/example42/pabawi/sessions/a99365e6-9ac1-49f6-aab6-ea031f01f7ec
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>

Agent-Logs-Url: https://github.com/example42/pabawi/sessions/a99365e6-9ac1-49f6-aab6-ea031f01f7ec
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>

… and troubleshooting
- Add read-only qualifier to MCP server description for clarity
- Expand client support list to include Claude Code, Gemini CLI, and OpenAI Codex CLI
- Add configuration instructions for Claude Code with HTTP transport setup
- Add configuration instructions for Gemini CLI with settings.json format
- Add configuration instructions for OpenAI Codex CLI with TOML config format
- Remove .kiro/settings/mcp.json from repository and add to .gitignore
- Consolidate MCP client setup documentation with consistent formatting

- Add McpOutputSummariser.ts to transform verbose service responses into compact, LLM-friendly output
- Strip large, duplicated, or low-value fields while preserving essential infrastructure data
- Update McpToolHandlers.ts to integrate output summarisation across all 8 MCP tools
- Expand CLAUDE.md with additional test commands (headed, debug modes) and pre-commit hook setup
- Update architecture documentation to include AWS, Azure, and Proxmox plugins in integration overview
- Document multi-database adapter pattern (SQLite, Postgres) and additional services (JournalService, AuditLoggingService, etc.)
- Add MCP configuration reference and links to related documentation
- Update McpServer.test.ts to verify output summarisation behavior
- Update docs/mcp.md with summarisation details and LLM-optimized output examples

…olHandlers, server.ts session management
Agent-Logs-Url: https://github.com/example42/pabawi/sessions/bc80a31b-4f45-47f1-897e-a6d35b38363f
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>

Agent-Logs-Url: https://github.com/example42/pabawi/sessions/bc80a31b-4f45-47f1-897e-a6d35b38363f
Co-authored-by: alvagante <283804+alvagante@users.noreply.github.com>

- Add .npmrc with ignore-scripts=true for supply-chain security
- Update install:all to rebuild native modules (bcrypt, sqlite3, ssh2)
- Add npm rebuild step to CI workflow and devcontainer
- Add date range filtering to journal timeline (PuppetDB, Proxmox, executions)
- Fix accessibility: proper ARIA roles, button elements, tabindex in AWSProvisionForm, GroupActionModal, ManageTab, MultiSelectDropdown
- Update docs and steering to reflect install:all changes
- Update .kirograph/config.json glob patterns to use ** prefix
- Update pre-commit hook to v2 with HTML report generation
- Fix markdownlint issues (table pipe escape, duplicate H1)

Implement tasks 1.1-1.4 (DI Container), partial task 7 (Puppet execution), and frontend component extraction from the code-review-fixes spec.

DI Container:
- Create DIContainer class with typed register()/resolve() and ServiceRegistry
- Wire container into server.ts startup with ConfigService, LoggerService, ExpertModeService
- Migrate all 27 route factories to accept container parameter
- Replace inline new LoggerService()/ExpertModeService() in route files
- Provide createDefaultContainer() fallback for backward-compatible test setups

Puppet Route Hardening:
- Refactor createPuppetRouter to accept IntegrationManager + JournalService
- Add multi-node puppet run endpoint with parallel execution and journal entries
- Add Zod schemas: PuppetEnvironmentSchema, PuppetTagSchema (input validation)
- Add splay/splayLimit options for staggered execution
- Remove global integrationManager assignment from server.ts

Frontend:
- Extract RunPuppetForm.svelte component from GroupActionModal
- Update GroupActionModal, ParallelExecutionModal, PuppetRunInterface
- Add environment selector and catalog comparison improvements

Also: IntegrationManager plugin priority ordering, BoltService error handling, commonSchemas validation additions, spec documentation files.

Migrate all route handlers from direct process.env.JWT_SECRET and process.env.PABAWI_LIFECYCLE_TOKEN reads to ConfigService accessors. Add Zod-validated schema fields for both secrets. Remove internal process.env fallback from AuthenticationService. Update DIContainer to register ConfigService. Fix unnecessary type assertion lint errors in server.ts, journal.ts, and DIContainer.ts. Update vitest env and test helpers to supply required secrets. Completes tasks 3.1 and 3.4 of code-review-fixes spec.
Replace nine copy-pasted plugin init blocks in server.ts with a declarative pluginRegistry array and single for...of loop (-660 lines net).

Remove duplicate router mounts:
- /api/nodes inventory mount (keep /api/inventory)
- /api/nodes packages mount (keep /api/packages)

Update all frontend consumers to canonical API paths:
- /api/nodes/:id -> /api/inventory/:id
- /api/nodes/:id/lifecycle-actions -> /api/inventory/:id/lifecycle-actions
- /api/package-tasks -> /api/packages/package-tasks
- /api/nodes/:id/install-package -> /api/packages/:id/install-package

Update affected tests to match new paths. Implements spec tasks 4.1, 4.2, 6.1.

- Extract shared runPuppetOn helper in puppet.ts, eliminating duplicated execution logic in single-node and multi-node handlers (tasks 7.1, 7.2)
- Split frontend api.ts into proxmoxApi.ts, awsApi.ts, azureApi.ts; api.ts retains only HTTP infrastructure (tasks 8.1, 8.2)
- Harden localStorage access in expertMode/logger with try/catch for sandboxed environments
- Add vitest global setup with in-memory localStorage mock
- Update all affected test imports to reference new API modules
- Mark tasks 2, 5, 7, 8 as complete in spec

Tasks 9–14 of code-review-fixes spec:
- Add MCP SDK type declaration (mcp-sdk.d.ts) removing all as-any casts in server.ts MCP block
- Add centralized Express.Request augmentation (express.d.ts) replacing scattered inline casts
- Add type-safe JSON parse utility (utils/json.ts) used across ConfigService
- Implement BoltJsonError interface and categoriseError() with JSON-first strategy
- Refactor PuppetRunInterface to SSE-first with single-fetch fallback (no polling)
- Add typed event interfaces for all SSE streaming event types
- Replace ~80 eslint-disable comments with proper types across integrations
- Add property tests: bolt error categorisation, config secrets, plugin registry, SSE events
- Fix ProxmoxService restrict-template-expressions via explicit String() wrapping
- Add svc accessor pattern to ProxmoxIntegration and AWS/Azure plugins
- Fix all broken tests from structural changes (task 14)
- Update tasks.md marking tasks 9–14 complete

Convert config route from module-level ConfigService instantiation to createConfigRouter(container) factory pattern, matching all other routes.
- config route resolves ConfigService from DI container
- PABAWI_LIFECYCLE_TOKEN changed from required to optional (defaults to empty string; endpoint returns 500 when unconfigured)
- Auth middleware receives JWT secret from ConfigService (fixes ephemeral random secret causing "Invalid token signature" after login)
- Property-based tests updated to reflect optional lifecycle token
- CHANGELOG.md expanded with full v1.2.0 entries and release dates
- Documentation and steering files updated to reflect DI container, plugin registry, and frontend API module split patterns
- copilot-instructions.md rewritten to match current architecture

- Add MCP_AUTH_TOKEN env var for static bearer token authentication on /mcp
- Create mcpAuthMiddleware: checks static token first, falls through to JWT
- Mount auth middleware on all MCP HTTP routes (POST/GET/DELETE /mcp)
- Refactor health check scheduler from fixed-interval to adaptive backoff: uses shorter retry interval (60s) when plugins are unhealthy, normal interval (5min) when all healthy
- Downgrade noisy credential-validation logs from INFO to DEBUG in AWS, Azure, and Proxmox services
- Update docs/mcp.md with authentication section, client config examples, and troubleshooting for 401 errors
- Add AGENTS.md (root-level agent guidance file)
- Add security assessment (.kiro/security-assessment-2026-05-13.md)

Resolves SA-00 from security assessment (critical: unauthenticated MCP endpoints).

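The "static token first, then JWT" order described in the commit above, as an added example that is not the project's own code. It is plain JavaScript in Express's `(req, res, next)` style; `createMcpAuthMiddleware`, `simulate` and the injected `verifyJwt` callback are hypothetical names, and the tokens used with them are constructed.

```javascript
// Added example (not the project's code): Express-style bearer auth for /mcp.
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash both sides so timingSafeEqual gets equal-length buffers and the
// comparison time does not depend on where the strings differ.
function safeEqual(a, b) {
  const digest = (s) => createHash('sha256').update(s).digest();
  return timingSafeEqual(digest(a), digest(b));
}

function deny(res, reason) {
  res.status(401).json({ error: 'unauthorized', reason });
}

// staticToken: value of MCP_AUTH_TOKEN (empty/undefined disables that path).
// verifyJwt: hypothetical callback that returns claims or throws.
function createMcpAuthMiddleware({ staticToken, verifyJwt }) {
  return function mcpAuth(req, res, next) {
    const match = /^Bearer (\S+)$/i.exec(req.headers.authorization || '');
    if (!match) return deny(res, 'missing bearer token');
    const presented = match[1];

    // 1. Static token first. An unset token must never authenticate anyone.
    if (staticToken && safeEqual(presented, staticToken)) {
      req.mcpAuth = { method: 'static-token' };
      return next();
    }
    // 2. Fall through to JWT; a verification failure is a 401, not a 500.
    let claims;
    try {
      claims = verifyJwt(presented);
    } catch {
      return deny(res, 'invalid token');
    }
    req.mcpAuth = { method: 'jwt', claims };
    return next();
  };
}

// Drive the middleware with a minimal fake req/res (constructed for this demo).
function simulate(middleware, authorization) {
  const req = { headers: authorization ? { authorization } : {} };
  const out = { status: null, method: null };
  const res = { status(c) { out.status = c; return res; }, json() { return res; } };
  middleware(req, res, () => { out.status = 200; out.method = req.mcpAuth.method; });
  return out;
}
```

The `staticToken &&` guard covers deployments where the token is left unconfigured, so that an empty configured value cannot become a credential.
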
Add a new facts_bulk MCP tool and corresponding REST endpoint (GET /api/integrations/puppetdb/facts/bulk) that retrieves specific facts across all nodes in a single PuppetDB query. This eliminates N+1 per-node requests that triggered 429 rate limiting.

Frontend changes:
- Refactor GlobalFactsTab to use the bulk endpoint instead of per-node fact fetching, reducing requests from N to 1
- Simplify loading/error state from per-node maps to single booleans

Backend fixes:
- Add eslint-disable comments for legitimate runtime guards
- Narrow error types in Promise.reject and Object.entries calls
- Remove redundant String() wraps and nullish coalescing
- Add eslint-disable for non-null assertions in MCP transport

No description provided.