- Delete install.sh.deprecated (dead code)
- Add TODO(DEV-031) for ghost update scanner-side prevention
- Add TODO(DEV-030) with specific missing service cycles
- ETHOS sweep: zero banned words, emojis, or fmt.Printf
- All tests pass, Linux builds clean
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Apply B-2 jitter and backoff fixes to Windows service (F-C1-5)
  Proportional jitter and exponential backoff now in service polling loop
- Add known winget install location search for SYSTEM account (F-C1-1)
  Checks PATH then system-wide WindowsApps locations
- Fix winget text parser for package names with spaces (F-C1-2)
  Column-position parsing from header keywords replaces whitespace split
- Add ghost update post-install state verification (F-C1-3)
  RebootRequired flag on InstallResult marks pending reboot
- Replace fmt.Printf with log.Printf in winget scanner (F-C1-6)
- Remove emoji from Windows service log messages (F-C1-7)
GOOS=linux build: PASS. All tests pass, no regressions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pre-fix test suite for 7 Windows-specific findings. All tests
are SHARED (no build tags) — they compile and run on Linux
using source file inspection and direct function calls.
Tests added:
- F-C1-1 HIGH: Winget PATH-only search (2 tests)
- F-C1-2 MEDIUM: Winget text parser spaces bug (4 tests)
- F-C1-3 HIGH: Ghost updates — no post-install verification (3 tests)
- F-C1-4 RESOLVED: Service auto-restart already configured (1 test)
- F-C1-5 HIGH: Duplicated polling loop missing B-2 fixes (5 tests)
- F-C1-6 LOW: Winget uses fmt.Printf (2 tests)
- F-C1-7 LOW: Service has emojis in logs (2 tests)
Current state: 8 FAIL, 11 PASS. All prior tests pass.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Wrap agent registration in DB transaction (F-B2-1/F-B2-8)
  All 4 ops atomic, manual DeleteAgent rollback removed
- Use SELECT FOR UPDATE SKIP LOCKED for atomic command delivery (F-B2-2)
  Concurrent requests get different commands, no duplicates
- Wrap token renewal in DB transaction (F-B2-9)
  Validate + update expiry atomic
- Add rate limit to GET /agents/:id/commands (F-B2-4)
  agent_checkin rate limiter applied
- Add retry_count column, cap stuck command retries at 5 (F-B2-10)
  Migration 029, GetStuckCommands filters retry_count < 5
- Cap polling jitter at current interval (fixes rapid mode) (F-B2-5)
  maxJitter = min(pollingInterval/2, 30s)
- Add exponential backoff with full jitter on reconnection (F-B2-7)
  calculateBackoff: base=10s, cap=5min, reset on success
All tests pass. No regressions from A-series or B-1.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pre-fix test suite documenting 7 data integrity and concurrency
bugs. Tests FAIL where they assert correct post-fix behavior,
PASS where they document current buggy state.
Tests added:
- F-B2-1/8 HIGH: Registration not transactional (3 tests)
- F-B2-2 MEDIUM: Command delivery race condition (3 tests)
- F-B2-9 MEDIUM: Token renewal not transactional (2 tests)
- F-B2-4 MEDIUM: No rate limit on GetCommands (3 tests)
- F-B2-5 LOW: Jitter negates rapid mode (2 tests)
- F-B2-10 LOW: No max retry for stuck commands (2 tests)
- F-B2-7 MEDIUM: No exponential backoff on reconnection (2 tests)
Current state: 7 FAIL, 10 PASS. No A/B-1 regressions.
See docs/B2_PreFix_Tests.md for full inventory.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Complete RedFlag codebase with two major security audit implementations.
== A-1: Ed25519 Key Rotation Support ==
Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management
Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing
== A-2: Replay Attack Fixes (F-1 through F-7) ==
F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH - Migration 026: expires_at column with partial index
F-6 HIGH - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH - Agent-side executedIDs dedup map with cleanup
F-4 HIGH - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt
Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.
All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
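
The agent-side checks that the A-2 list describes (v3 signed string, commandMaxAge of 4h, executed-ID dedup), as an added Go example that is not RedFlag's own code. The type and field names, the unix-seconds timestamp and the all-zero demo key are assumptions; dedup-map cleanup is left out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

const commandMaxAge = 4 * time.Hour // F-4 value from the commit message

// Command and Verifier: type and field names are assumptions made for this example.
type Command struct {
	AgentID, ID, Type, Hash string
	SignedAt                time.Time
	Sig                     []byte
}
type Verifier struct {
	AgentID  string
	Key      ed25519.PublicKey
	executed map[string]bool // accepted command IDs (dedup); must be initialised
}

// msg builds the v3 string "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"; unix-seconds ts is assumed.
func (c Command) msg() []byte {
	return []byte(fmt.Sprintf("%s:%s:%s:%s:%d", c.AgentID, c.ID, c.Type, c.Hash, c.SignedAt.Unix()))
}

func (v *Verifier) Accept(c Command, now time.Time) error {
	switch {
	case !ed25519.Verify(v.Key, c.msg(), c.Sig):
		return fmt.Errorf("bad signature")
	case c.AgentID != v.AgentID:
		return fmt.Errorf("signed for another agent")
	case now.Before(c.SignedAt) || now.Sub(c.SignedAt) > commandMaxAge:
		return fmt.Errorf("outside freshness window")
	case v.executed[c.ID]:
		return fmt.Errorf("replayed command id")
	}
	v.executed[c.ID] = true
	return nil
}

func main() { // constructed key and command: first delivery accepted, replay rejected
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed, demo only
	c := Command{AgentID: "agent-1", ID: "cmd-1", Type: "scan", Hash: "h", SignedAt: time.Unix(1700000000, 0)}
	c.Sig = ed25519.Sign(priv, c.msg())
	v := &Verifier{AgentID: "agent-1", Key: priv.Public().(ed25519.PublicKey), executed: map[string]bool{}}
	fmt.Println(v.Accept(c, c.SignedAt.Add(time.Minute)), v.Accept(c, c.SignedAt.Add(time.Hour)))
}
```

The signature is checked before any other field is trusted, so the agent ID, type and timestamp compared afterwards are the ones the server signed.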