
Releases: cvquesty/openvox-gui

3.7.1-beta2 — Dedicated Bolt Service Account + Long-lived Tokens + Authenticated Dynamic Inventory

26 May 14:00


3.7.1-beta2 delivers the complete recommended production workflow for running Bolt against live Node Classifier data from the OpenVox GUI using a dedicated bolt system user and long-lived service tokens.

Highlights

  • ovox token generate — First-class support for permanent (or long-lived) API tokens intended for automation.
    • Smart defaults for the bolt user (--output /etc/puppetlabs/bolt/.bolt_token, 0600).
    • New short flag: -n for --name.
  • Authenticated openvox_enc Bolt inventory plugin — Now works end-to-end with Bearer tokens from a dedicated service account.
  • GUI Bolt execution hardening: --project /etc/puppetlabs/bolt is now always passed, so custom plugins such as openvox_enc resolve correctly.
  • Ownership hygiene — Updater no longer steals ownership of /etc/puppetlabs/bolt from your bolt user.
  • Multiple robustness fixes in the Orchestration → Configuration tab and Targets dropdowns.
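
The token-file handling the first bullet describes (a long-lived bearer token written for the bolt user with mode 0600) is worth getting right on both sides: creating the file without a readable window, and refusing to use it if its mode or owner has drifted. The following is an added illustration written for this page, not the ovox CLI's own code; the default path and mode are the ones quoted above, everything else (function names, the 32-byte token length, the self_check helper) is assumed.

```python
import os
import secrets
import stat
import tempfile

# Default path and mode quoted in the release for the bolt user; the
# helpers below are illustrative, not the ovox CLI's own implementation.
DEFAULT_TOKEN_PATH = "/etc/puppetlabs/bolt/.bolt_token"
TOKEN_MODE = 0o600


def generate_token(nbytes: int = 32) -> str:
    """Long-lived bearer token from the OS CSPRNG (43 URL-safe chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def write_token_file(path: str, token: str, overwrite: bool = False) -> None:
    """Create the file with 0600 from the start (O_CREAT|O_EXCL with an
    explicit mode) instead of write-then-chmod, which leaves a window in
    which the file exists with whatever the process umask allows."""
    if overwrite and os.path.lexists(path):
        os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, TOKEN_MODE)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(token + "\n")
    except BaseException:
        os.unlink(path)
        raise


def read_token_file(path: str) -> str:
    """Load the token, refusing symlinks, non-regular files, files owned by
    someone else, and any group/other permission bits. The checks run on
    the open descriptor (fstat), not the path, so a rename after the check
    cannot swap the file underneath us."""
    with os.fdopen(os.open(path, os.O_RDONLY | os.O_NOFOLLOW), "r") as fh:
        st = os.fstat(fh.fileno())
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {os.geteuid()}")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {oct(mode)} is too permissive")
        return fh.read().strip()


def self_check() -> dict:
    """Exercise the helpers in a scratch directory; returns what was observed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".bolt_token")
        token = generate_token()
        write_token_file(path, token)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        roundtrip = read_token_file(path) == token
        os.chmod(path, 0o644)  # simulate an operator loosening the file later
        try:
            read_token_file(path)
            rejected = False
        except PermissionError:
            rejected = True
        return {"mode": mode, "roundtrip": roundtrip, "rejected_when_0644": rejected}
```

The read side is the part most setups skip: a token that was written correctly but later chmod'ed to 0644 (or replaced by a symlink) should make the inventory plugin fail loudly rather than keep working.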

Full details in CHANGELOG.md.

This release closes a major chapter in making the GUI a first-class, scriptable, and secure control plane for Bolt at scale.

v3.7.1-beta1

22 May 18:53


First beta release of OpenVox GUI 3.7.1 series.

Highlights

  • Major new ovox infra tooling:

    • ovox infra health — component health overview
    • ovox infra settings show / set — inspect and directly control settings (including JVM heap and code cache)
    • ovox infra recommend — fleet-size based tuning recommendations with word-wrapped readable output
    • ovox infra tune — apply recommendations with automatic backups and service restarts (puppetserver / puppetdb)
  • Automatic build version stamping on every deploy (VERSION.build) so the console always shows a unique traceable version.

  • ovox CLI now has its own independent but coordinated versioning.

This release focuses on making infrastructure tuning safe, scriptable, and observable from the terminal.

Full details in the docs/TUNING.md guide.

v3.7.0 — Metrics Section, Certificate Audit, Navigation Restructure

21 May 15:59


OpenVox GUI 3.7.0

66 commits since v3.6.7. This is the largest feature release since the project began.


Metrics Section (10 Visualization Pages)

A new top-level Metrics nav group providing fleet-wide analytics and PuppetDB server instrumentation:

Run Performance — 10-chart thumbnail dashboard with click-to-expand:

  • Agent-side: Run Duration Trends, Timing Phase Breakdown, Top 10 Slowest Nodes (hourly averaged)
  • Server-side via PuppetDB Jolokia/JMX: Command Processing Time (catalog/facts/report as separate lines), Storage Operation Timing, Database Connection Pool (read/write active/idle/pending), HTTP API Latency, Catalog Deduplication, GC Pressure, Fleet Population
  • All server metrics auto-refresh (configurable 5s/10s/15s/30s/1m/Off) with localStorage persistence
  • Refresh rate control, manual refresh button, clear history

Fleet Compliance — bar chart showing compliant/drifted/failed/noop/unreported. Trend area chart over configurable time window. Expandable alphabetized node lists.

Fleet Fact Overview — auto-detects interesting facts ranked by variety. Scatter plots for numeric data (uptime, memory, CPU count), bar charts for categorical (OS, kernel, versions). Outlier detection highlights values on only 1-2 nodes with clickable certname links.

Catalog Graph — real directed dependency graph using React Flow + dagre. Class Hierarchy tab shows role -> profile -> module class structure reconstructed from Puppet tags. Resource Dependencies tab shows requires/before/notifies edges. Color-coded nodes (red=roles, green=profiles, blue=modules), bright theme, auto-fit zoom.

PuppetDB Health — JVM heap usage as a live area chart accumulating in localStorage (up to 360 points). Command queue depth line chart. Auto-refresh every 10 seconds.

Plus: Change Timeline, Environment Comparison (time-series with auto-refresh), Node Heatmap, Classification Tree, Class Coverage.


Certificate Audit

New tool under Tools > Certificate Audit that cross-references signed CA certificates against PuppetDB nodes to find orphans. Categories: "Never Reported", "Deactivated", "Expired in PuppetDB". Checkbox multi-select with "Clean Selected" or "Clean All" bulk actions. Fixed Revoked Certificates parser bug and increased CA command timeout to 120s.


Navigation Restructure

  • "Monitoring" renamed to Dashboard with Overview and Nodes as children
  • "Information" renamed to Tools with Certificate Audit added
  • Reports moved under the Logs section
  • Colored nav icons for each section
  • All Nodes section added to the Nodes page

UX Improvements

  • Clickable certnames everywhere — every FQDN in the entire GUI is a blue link to the node detail page (Dashboard, Certificates, Fact Explorer, Resource Explorer, Packages, Compliance, Timeline, Cert Audit, Heatmap, Classifier, Fact Distribution)
  • All dropdowns alphabetized — certificates, node selectors, classifiers
  • Certificate Authority list alphabetized and scrollable
  • High-quality chart rendering — smooth natural curves, gradient fills, dark glass-morphism tooltips, refined grids, no donut/pie charts anywhere
  • Server-side response caching (30s TTL) for performance overview, compliance, and JMX metrics

Technical

  • @xyflow/react + dagre dependencies for catalog graph
  • @mantine/dropzone for SSL wizard file uploads
  • 30+ new /api/metrics/* endpoints
  • PuppetDB Jolokia/JMX passthrough endpoints
  • Puppet-internal classes (main, Settings, Stage) filtered from all views
  • All JMX values type-guarded with Number() || 0 for render safety

Full Changelog

See CHANGELOG.md for the complete 3.7.0 entry.

v3.6.7 — SSL Certificate Wizard, Log Viewer, Security Hardening

20 May 20:11


What's New in 3.6.7

SSL Certificate Wizard

The SSL Configuration page has been completely redesigned as a guided wizard experience. No more manually editing certificate paths.

Web Certificate Wizard — three source options:

  • Organization Certificate: step-by-step flow with hyper-detailed educational content explaining each file type in plain English. Includes IT team terminology cross-reference (7-8 alternate names per file that your PKI team might use), file format examples, sensitive file warnings, and a complete copy-paste email template. Drag-and-drop upload with real-time PEM validation and key-cert match checking. Auto-places files and restarts the service.
  • Let's Encrypt: detects certbot, triggers renewal, displays DNS-01 challenge TXT record with copy button, signals completion when DNS is updated.
  • Puppet Certificates: one-click reuse of the OpenVox Server's own certificates.

Puppet CA Intermediate Wizard — for enterprise environments requiring corporate PKI trust chains:

  • Plain-English "How Certificate Chains Work" tutorial with visual chain diagram
  • Key type comparison table: RSA 4096-bit vs EC P-256 with strengths, use cases, and "not sure which to pick?" guidance
  • CSR generation with copy-to-clipboard, download button, and pre-written email template for your PKI team
  • Resumable workflow — generate the CSR today, come back days or weeks later when your PKI team responds
  • Upload signed bundle + CRL chain with validation, automatic puppetserver ca import, and post-import fleet re-enrollment guidance
  • Ed25519 explicitly noted as unsupported for CA certs

Certificate Status Dashboard — real-time health overview at the top of the page with green/yellow/red badges for both the GUI web cert and the Puppet CA, expiry countdown, key type, and chain status.

11 new /api/ssl/* backend endpoints, all admin-only.


Log Viewer

New top-level Logs section in the navigation with tabbed access to five log sources:

  • OpenVox GUI
  • Puppet Agent
  • PuppetServer
  • PuppetDB
  • System Log

No shell access required. Reads from journalctl for services that log to the journal, with automatic fallback to on-disk log files (/var/log/puppetlabs/) for PuppetDB and PuppetServer which maintain their own application logs.

Controls: line count (50-2000), time range filter (5 min to yesterday), text search, auto-refresh every 5 seconds, and download as .log file.


Navigation

  • "Information" renamed to "Tools" in the sidebar.

Classification

  • Unclassified Nodes pane on the Classification page (Code > Classification > Nodes tab) now always visible, showing "All PuppetDB nodes are classified" when empty, or clickable badges for quick classification when nodes exist.

Security & Maintenance

  • Sudoers hardening — removed duplicate puppetserver ca * and openssl x509 * wildcards, replaced with explicit per-subcommand rules. Added Defaults:puppet !requiretty for sudo to work from systemd services.
  • 9 Python dependency updates: cryptography 46.0.7 → 48.0.0, fastapi 0.135.1 → 0.136.1, uvicorn 0.42.0 → 0.47.0, pydantic 2.12.5 → 2.13.4, sqlalchemy 2.0.48 → 2.0.49, python-multipart 0.0.27 → 0.0.29, pydantic-settings 2.13.1 → 2.14.1, prometheus-client 0.24.1 → 0.25.0. Added certifi==2026.5.20 CA bundle pin. Updated postcss 8.5.12 → 8.5.15.
  • sqlite3 crash fix — resolved undefined symbol: sqlite3_deserialize caused by mismatched RHEL 9 packages after a partial OS update.
  • manage_users.py fix — changed shebang to use the venv Python interpreter; script was non-functional on production with system Python.
  • install.sh fix — added 8 missing Bolt sudoers rules for file upload/download, script run, and inventory show.
  • Deploy script improvements: deploy.sh and update_local.sh now auto-append missing sudoers rules on every update, so production servers get new rules without re-running the installer.
  • SSL backup pruning — only the last 5 backups are retained.
  • Zero known CVEs. Zero npm vulnerabilities. Zero Dependabot alerts.

Removed

  • Removed betavox-gui — decommissioned leftover v2.0 LDAP beta service (port 4568).

Full Changelog

See CHANGELOG.md for complete details.

v3.6.2 -- Lockfile portability fix (supersedes v3.6.1)

26 Apr 18:43


Release v3.6.2 -- Lockfile portability fix (supersedes v3.6.1)

Release-engineering follow-up to v3.6.1. No code or dependency changes.

What this release fixes

The 3.6.1 lockfile bump for postcss was performed on a workstation
whose ~/.npmrc pointed at an internal Artifactory mirror, so npm
recorded https://artifactory.twitter.biz/.../postcss-8.5.12.tgz as
the resolved URL in frontend/package-lock.json. Hosts without
access to that mirror -- which is most of them -- failed npm install
against the v3.6.1 lockfile with HTTP 403 Forbidden.

The lockfile has been re-resolved against the public registry
(https://registry.npmjs.org/) so deploys from a clean clone of the
v3.6.2 tag work everywhere.
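
A lockfile that resolves from a private mirror is easy to ship by accident, as this release shows, and it is also the shape a supply-chain substitution would take. The check below is an added example for this page, not part of the project: it walks a package-lock.json (both the v2/v3 flat "packages" layout and the v1 nested "dependencies" layout) and reports any entry whose resolved URL is not https on an allowed registry host, or that pins a tarball with no integrity hash. The allowed-host set and the sample lockfile (including the artifactory.example.internal hostname) are constructed for the demonstration.

```python
import json
from urllib.parse import urlsplit

# Hosts a lockfile is allowed to resolve from. Anything else (a private
# mirror, http://, a git URL) is reported for review.
ALLOWED_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile (v3 layout) modelled on the 3.6.1 mistake: postcss
# resolved against a private mirror, nanoid against the public registry.
SAMPLE_LOCKFILE = json.dumps({
    "name": "frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "frontend", "dependencies": {"postcss": "^8.5.12"}},
        "node_modules/postcss": {
            "version": "8.5.12",
            "resolved": "https://artifactory.example.internal/artifactory/api/npm/npm-remote/postcss/-/postcss-8.5.12.tgz",
            "integrity": "sha512-CONSTRUCTEDINTEGRITYVALUE",
        },
        "node_modules/nanoid": {
            "version": "3.3.7",
            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
            "integrity": "sha512-CONSTRUCTEDINTEGRITYVALUE",
        },
    },
})


def check_entry(name: str, entry: dict, allowed: set[str]) -> list[tuple[str, str]]:
    """Problems for one lockfile entry: a non-https or foreign resolved URL,
    or a tarball pinned without an integrity hash (nothing to verify)."""
    problems = []
    url = entry.get("resolved")
    if not url:  # root, workspace and link: entries carry no resolved URL
        return problems
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append((name, f"non-https resolved URL: {url}"))
    elif parts.hostname not in allowed:
        problems.append((name, f"resolved outside allowed registries: {url}"))
    if not entry.get("integrity"):
        problems.append((name, "resolved tarball without integrity hash"))
    return problems


def audit_lockfile_text(text: str, allowed: set[str] = ALLOWED_HOSTS) -> list[tuple[str, str]]:
    """Return (entry name, problem) pairs; an empty list means clean.
    v2 lockfiles carry both layouts, so the nested tree is only walked
    when there is no flat "packages" map, to avoid double reporting."""
    lock = json.loads(text)
    problems: list[tuple[str, str]] = []
    for name, entry in lock.get("packages", {}).items():
        problems += check_entry(name or "(root)", entry, allowed)

    def walk(deps: dict, prefix: str = "") -> None:
        for name, entry in deps.items():
            full = f"{prefix}{name}"
            problems.extend(check_entry(full, entry, allowed))
            walk(entry.get("dependencies", {}), f"{full} > ")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}))
    return problems
```

Run it against frontend/package-lock.json before tagging a release; a non-empty result means the lockfile was resolved somewhere other than the registry a clean clone will reach.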

Operator notes

  • Hosts already running 3.6.1 successfully (deployed by rsync of a
    working tree, not from the tagged ref) need no special action --
    routine upgrade to 3.6.2 just re-resolves the same postcss 8.5.12
    package from a public URL.
  • For clean-clone or fresh-install deploys, prefer v3.6.2 over v3.6.1.
    v3.6.1 is otherwise identical and remains in the changelog as
    history.
  • No new CVE patches in this release -- both Dependabot fixes from
    3.6.1 (postcss XSS, python-multipart DoS) are intact in 3.6.2.

v3.6.0 -- Agent Installer + Security Hardening

26 Apr 14:29


3.6.0 is a major release. It consolidates 31 test-build iterations
(3.3.5-1 through 3.3.5-30 plus 3.3.5-22 cleanup) into one stable
artifact suitable for production. Per-iteration history is preserved
below for context.

Headline feature -- OpenVox Agent Installer

A full PE-style agent bootstrap workflow for OpenVox:

  • One-line install on Linux:
    curl -k --noproxy <fqdn> https://<fqdn>:8140/packages/install.bash | sudo bash
    No --server arg needed: install.bash discovers the puppetserver FQDN by reading the kernel's TCP state (/proc/net/tcp) and reverse-DNSing the IP of the curl connection that just downloaded it. The -k (skip certificate verification) applies only to this bootstrap fetch, which runs before the agent trusts the puppet CA; the CA trust install described below is what lets every later fetch verify normally.
  • One-line install on Windows: equivalent PowerShell snippet that downloads install.ps1 and passes the FQDN extracted from the URL via [System.Uri]$url.Host.
  • Local OpenVox package mirror at /opt/openvox-pkgs/{yum,apt,windows,mac}/ populated from yum.voxpupuli.org, apt.voxpupuli.org, and downloads.voxpupuli.org. Layout mirrors upstream 1:1.
  • PuppetServer static-content mount serves /packages/* on port 8140 (the standard puppetserver port -- no new firewall rules needed). FastAPI also serves the same content on its own port (4567) as a fallback.
  • Nightly auto-sync via openvox-repo-sync.timer at 02:30 with randomised delay. Both install.sh (fresh install) and update_local.sh (upgrade) offer an interactive "Sync now?" prompt so the mirror is populated before the first agent install.
  • Permanent puppet CA trust install on agents: install.bash and install.ps1 install the puppetserver's CA cert into the OS-native trust store (/usr/local/share/ca-certificates/openvox-puppet-ca.crt on Debian/Ubuntu, /etc/pki/ca-trust/source/anchors/openvox-puppet-ca.crt on RHEL family, Cert:\LocalMachine\Root on Windows). Subsequent apt-get update / dnf upgrade openvox-agent / browser visits work without --insecure / Verify-Peer=false / sslverify=0 band-aids.
  • no_proxy handling: install.bash exports no_proxy for apt/yum so they bypass corporate proxies for the local mirror; the GUI's published one-liner uses --noproxy <fqdn> (curl) / $wc.Proxy = $null (PowerShell) to bypass proxies at the bootstrap-curl layer too.

UI reorganization

  • "Infrastructure" promoted to a top-level nav group with three pages: Certificate Authority, Orchestration, and Agent Install. Final left-nav order: Monitoring, Infrastructure, Code, Data, Information, Settings.
  • Agent Install page holds the entire agent bring-up workflow on one page: copy-to-clipboard install commands (Linux | Windows | Direct URLs | Mirror Status | Sync Log tabs in a single Card) plus a Pending Certificate Requests Card. Pending CSR signing was moved here from the Certificate Authority page so the workflow (paste install command -> wait for CSR -> click Sign -> done) lives in one place.
  • Mirror Status, Disk Space, and Sync Log are now tabs inside the Install Commands card instead of three standalone cards stacked below it. "Sync now" button hoisted into the card header so it's always visible regardless of which tab is active.

Security hardening

3.6.0 closes every CRITICAL and HIGH finding from an internal security audit conducted at the end of the 3.3.5-x test-build series.

  • Per-route role enforcement on every privileged endpoint. Previously the auth middleware only checked JWT validity -- any authenticated user (including viewer and auto-provisioned LDAP accounts) could trigger destructive operations. Now each endpoint declares Depends(require_role(...)):
    • Bolt /run/{command,task,plan}, /file/{upload,download}, /run/script, /inventory/sync -- admin or operator
    • Bolt PUT /config (rewrites bolt-project.yaml / inventory.yaml) -- admin only
    • Certificate Authority sign, revoke, clean -- admin or operator
    • Configuration all 13 mutating endpoints (puppet.conf, Hiera, SSL, .env, restart-puppet-stack, files, lookup, app, ssl, preferences) -- admin only
    • External Node Classifier all 10 mutating endpoints (common save, environments / groups / nodes CRUD) -- admin or operator
    • PQL Console POST /query -- admin or operator (PuppetDB facts can leak Hiera-rendered passwords)
  • Deploy webhook (/api/deploy/webhook) now requires HMAC-SHA256 signature verification with a shared secret. Disabled by default; opt in via OPENVOX_GUI_DEPLOY_WEBHOOK_SECRET in .env (and configure the same string in GitHub's webhook settings). The ref field from the JSON payload is strictly validated against OPENVOX_GUI_DEPLOY_WEBHOOK_REF_PATTERN (default ^[a-zA-Z0-9._/-]{1,200}$) before being passed to r10k-deploy.sh. Previously the endpoint accepted unauthenticated POSTs and was effectively an open r10k-deploy-as-root entrypoint.
  • JWT logout actually revokes the token now. New tokens carry a jti (JWT ID) claim; /api/auth/logout adds the jti to a server-side token_denylist table; the auth middleware checks the denylist on every authenticated request via verify_token_async. Pre-3.6.0, /logout only deleted the cookie -- the JWT itself stayed cryptographically valid for its full 24-hour expiry. Pre-3.6.0 tokens (no jti) can't be revoked individually and expire normally.
  • LDAP bind password encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256) keyed off the existing OPENVOX_GUI_SECRET_KEY. The column had a comment claiming "Encrypted at rest" since 2.0 but stored plaintext; that's fixed. New backend/app/services/secrets.py module provides encrypt_secret / decrypt_secret / is_encrypted with versioned ciphertext (enc:v1:<token>) so existing plaintext values are read transparently and re-encrypted on the next save.
  • Sudoers wildcards tightened:
    • openssl x509 * (allowed -out /etc/shadow for arbitrary file write as root) replaced with explicit per-form rules constrained to /etc/puppetlabs/puppet/ssl/ca/ paths. When reviewing rules like these, remember that a sudoers wildcard also matches whitespace, so a path argument written as .../ca/* would still match a command line with extra options inserted after the path; wherever a wildcard has to stay, make sure no form of the command can reach a write flag through it.
    • puppetserver ca * replaced with explicit per-subcommand rules (ca list, ca sign --certname *, etc.).
    • r10k-deploy.sh * defended in depth via the wrapper script -- argv elements are now whitelisted (env name + flags only) before exec'ing r10k.

Quality + reliability

  • Three high-severity npm-audit findings cleared non-breaking via npm audit fix: vite 6.4.1->6.4.2 (Path Traversal in Optimized Deps + Arbitrary File Read via WebSocket -- both dev-server-only), lodash->4.18.1 (Code Injection via _.template, Prototype Pollution in _.unset/_.omit), picomatch->4.0.4 (Method Injection in POSIX Character Classes, ReDoS via extglob quantifiers).
  • Async cert handlers: three blocking subprocess.run calls in routers/certificates.py async handlers wrapped in asyncio.to_thread so the uvicorn event loop doesn't freeze for up to 10 s per request when shelling out to openssl.
  • Sync script lock-file race closed in sync-openvox-repo.sh: cleanup trap installed before lock-file write (was the other way round, leaving a small race window for stale locks on SIGTERM).
  • Bare except: clauses narrowed in routers/certificates.py so KeyboardInterrupt and asyncio.CancelledError propagate.

Documentation

  • docs/INSTALLER.md is the canonical reference for the agent installer feature: architecture diagram, mirror layout, full CLI option matrix, four-step puppetserver-FQDN resolution chain, security model, and troubleshooting entries for the actual failures the test campaign hit (407 CONNECT tunnel failed, Certificate verification failed, 404 Not Found on a specific dist's Packages index).
  • docs/SUDOERS.md updated with the tightened sudoers payload + the sync-trigger NOPASSWD rule.
  • INSTALL.md documents the new install-time prompts (CONFIGURE_PKG_REPO, RUN_INITIAL_SYNC).
  • UPDATE.md "Special note for upgrades to 3.6.0" walks operators through what update_local.sh does and the one mandatory action (set the webhook secret if you use the deploy webhook).
  • TROUBLESHOOTING.md has a dedicated Agent Installer section covering the most common gotchas.

Per-iteration history (preserved below)

The 31 test-build iterations that produced this release are kept as historical entries below. They document how the design evolved, what was rejected, and the exact failure modes that were fixed. Future maintainers should treat them as background context; the consolidated entry above is the canonical changelog for 3.6.0.

v3.3.0 - PuppetDB Orchestration Targets, SSL Health Checks, Dashboard Enhancements

14 Apr 17:54


What's New in v3.3.0

Orchestration - Live PuppetDB Targets

  • "All nodes" resolved from PuppetDB - Selecting "All nodes" in the Orchestration UI now queries PuppetDB for every known certname in real-time and passes them as explicit --targets to Bolt, instead of relying on the static inventory.yaml file. Falls back gracefully if PuppetDB is unreachable.

Deploy Reliability

  • SSL-aware health checks - update_local.sh and deploy.sh now detect when SSL is enabled and use HTTPS for the post-restart health check. Fixes the false "Service did not become healthy" error that occurred on every deploy when SSL was active.

Dashboard Enhancements

  • Status trends chart layered - Green (unchanged) area renders as a background field with orange (changed), red (failed), and blue (noop) superimposed in the foreground.
  • Pie chart with 2D/3D toggle - Node status overview now uses a pie chart with a toggle between flat and 3D views.
  • Graph stability - Fixed crash on null trends data.

Native SSL Support (3.2.x series, now stable)

  • HTTPS on port 4567 - The GUI can serve HTTPS directly via uvicorn using Puppet certificates.
  • SSL Configuration tab - View and manage SSL settings under Settings > Application Configuration.
  • SSL prompt during updates - update_local.sh prompts to enable SSL if not already configured.

Documentation

  • All docs reviewed and verified against current code
  • Python prerequisite corrected from 3.8 to 3.10+
  • Removed non-existent --dev flag from UPDATE.md
  • Updated Recent Versions section to reflect 3.x series
  • CHANGELOG entries added for 3.2.5 through 3.3.0

Full Changelog: https://github.com/cvquesty/openvox-gui/blob/main/CHANGELOG.md

v3.2.7

31 Mar 19:26


Full Changelog: v3.2.6...v3.2.7

v3.2.6 — Editable SSL Configuration

31 Mar 19:26


Changed

  • SSL Configuration is now editable — no more reinstall needed to change certs.

Backend

  • PUT /api/config/ssl — writes ssl_enabled, cert_path, key_path, ca_path to .env
  • Returns "Restart required" message

Frontend

  • Edit mode: Click pencil icon → fields become editable
  • SSL toggle: Switch to enable/disable HTTPS
  • Path inputs: Edit cert/key/CA paths directly
  • Quick populate: Click any row in "Certificates on Disk" → fills that path
  • Save/Cancel: Buttons appear when editing
  • Restart notice: Orange alert after save: "Restart openvox-gui service"

API

  • config.updateSSL({ ssl_enabled, cert_path, key_path, ca_path })

Notes

  • Settings → Application Configuration → SSL Configuration tab
  • Direct route /config/ssl still works
  • No breaking changes

v3.2.5 — SSL docs & Config tab

31 Mar 19:17


Changed

  • SSL Configuration moved to Settings tab: The SSL Configuration page is now a tab inside Settings → Application Configuration, positioned to the right of "Auth Settings". The separate Settings nav entry has been removed.
  • Documentation updated:
    • INSTALL.md: Added "Review SSL Configuration" step in After Installation
    • UPDATE.md: Documented the SSL prompt during update_local.sh
    • CHANGELOG.md: Added 3.2.3 and 3.2.4 entries

Notes

  • No new features — this is a docs + UX refactor
  • SSL Config content unchanged, just accessed via tab instead of nav
  • Direct route /config/ssl still works