# Gridwolf — Session Log (2026-05-19, OVA ship-out)
## TL;DR
Shipped **v1.1.0-rc.3** OVA appliance as public GitHub prerelease.
- Release: https://github.com/valinorintelligence/Gridwolf/releases/tag/v1.1.0-rc.3
- OVA download (Google Drive): https://drive.google.com/drive/folders/1N1y3TLFo1udkES_PazkUCOeYdFzSBZwg?usp=sharing
- OVA SHA256: 4623273b59aadeed390c949f64b8c4aa99c2609e0af81be14b2977187cd84ad3
- File size: 2.21 GB (exceeds the GitHub Release 2 GiB per-asset cap → GDrive)
- Container images: ghcr.io/valinorintelligence/gridwolf-{backend,frontend}:1.1.0-rc.3 (multi-arch amd64+arm64, cosign-signed)
## What this session accomplished
Promoted Gridwolf from "two failed OVA builds + dirty working tree" → "public RC release with downloadable appliance" in one pass.
### Phase A — OVA build triage (FIX + SHIP)
Two prior failures rooted out and fixed in main:
1. **rc.1** (54 s fast-fail): Packer's checksum lookup via `file:https://releases.ubuntu.com/24.04/SHA256SUMS`
   failed to parse the SHA256SUMS format. Pinned the ISO sha256 directly to the published 24.04.4 hash.
2. **rc.2** (47 min SSH timeout): the password hash at cloud-init `user-data:25` was not a hash of 'gridwolf',
   so Packer's `ssh_password` could never authenticate. Replaced with verified `openssl passwd -6` output.
3. **rc.3 attempt 1** (8 min, push tag): SSH + ISO fixes both worked, but `docker compose pull` in
provision.sh hit `ghcr.io/valinorintelligence/gridwolf-backend:1.1.0-rc.3: not found`.
Root cause: `images.yml` workflow triggers on plain `v*.*.*` only — not on `release/v*`.
The `release/v1.1.0-rc.3` tag fired the OVA workflow but no container build.
4. **rc.3 attempt 2** (18 min 39 s, workflow_dispatch): GREEN. Containers pre-built via plain
`v1.1.0-rc.3` tag, then OVA workflow re-dispatched with `gridwolf_version=1.1.0-rc.3` input.
### Phase B — Local functionality verify
- `ruff check .` — All checks passed
- `ruff format --check .` — 44 files already formatted
- `npx tsc --noEmit` — 0 errors
- `npm run lint` — 0 errors, 121 warnings (react-refresh export hygiene; non-blocking)
- `npm run build` — initially failed on missing `@rolldown/binding-darwin-arm64` native module
(classic npm optional-deps bug npm/cli#4828). Fixed by deleting `node_modules` + `package-lock.json`,
fresh `npm install`. Build now produces clean dist with 0 vulnerabilities (was: 6 — 3 high, 3 moderate).
- `docker compose config -q` — valid
- Cargo not installed locally → Tauri builds in CI only
### Phase C — Full audit
- **npm**: 0 vulnerabilities post-relock
- **Secrets**: scanned for BEGIN PRIVATE KEY, AKIA, ghp_, sk-, aws_secret_access_key — clean
- **CORS**: localhost-only default in `backend/app/core/config.py:18-22`
- **SECRET_KEY**: empty default + fatal in prod + ephemeral fallback for dev (`config.py:34-51`)
- **ADMIN_PASSWORD**: empty → random `secrets.token_urlsafe(16)` printed once at first boot
(`database.py:75-96`)
- **Dangerous calls**: zero hits for `eval(`, `exec(`, `os.system`, `subprocess.*shell=True`, `pickle.load`
- **pip-audit signals** (from local global env, not project venv — still worth flagging):
- `python-jose 3.3.0` → 3.4.0 (PYSEC-2024-232, 233)
- `starlette 0.38.6` (transitive via fastapi) → 0.47.2+
- `orjson 3.10.7` → 3.11.6
None blocking for rc.3. Bump scheduled for v1.1.1.
### Phase D — Release
GitHub release `v1.1.0-rc.3` created as public **prerelease** with:
- OVA hosted on Google Drive (user-uploaded per their suggestion)
- `gridwolfOS-1.1.0-rc.3.ova.sha256` attached directly to release for integrity verification
- Full release notes covering import targets, ports, cosign verification, quick-start, known items
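Verifying the download. As an added example (not Gridwolf project code), a small script that checks the Google Drive OVA against the `.sha256` attached to the release. It assumes the checksum file is in `sha256sum` format (`<hex>  <name>`), which is what the attached `gridwolfOS-1.1.0-rc.3.ova.sha256` name suggests. Because the OVA comes from Google Drive rather than the release itself, the downloaded filename can differ from the one recorded in the checksum file (browsers append ` (1)` and similar), so the digest is compared directly instead of relying on `sha256sum -c`, which would fail on the name mismatch.

```shell
#!/bin/sh
# Added example: verify a downloaded OVA against the release's .sha256 file.
# Not Gridwolf project code. Assumes the checksum file is in `sha256sum`
# format ("<hex>  <filename>") and that either sha256sum or shasum is present.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Take the first token of the checksum file and refuse anything that is not
# exactly 64 hex digits, so a corrupted or HTML-error-page download is caught.
expected_digest() {
  d=$(awk 'NR==1 {print $1}' "$1")
  case "$d" in
    *[!0-9a-fA-F]*|'') echo "malformed checksum file: $1" >&2; return 2 ;;
  esac
  [ "${#d}" -eq 64 ] || { echo "digest in $1 is not 256 bits" >&2; return 2; }
  printf '%s\n' "$d" | tr 'A-F' 'a-f'
}

# verify_ova <checksum file> <ova path>: 0 on match, 1 on mismatch, 2 on bad input.
# The filename inside the checksum file is deliberately ignored.
verify_ova() {
  sums=$1
  ova=$2
  [ -f "$ova" ] || { echo "no such file: $ova" >&2; return 2; }
  want=$(expected_digest "$sums") || return 2
  got=$(sha256_of "$ova")
  if [ "$want" = "$got" ]; then
    echo "OK   $ova  sha256=$got"
    return 0
  fi
  echo "FAIL $ova" >&2
  echo "  expected $want" >&2
  echo "  actual   $got" >&2
  return 1
}

# Usage: sh verify-ova.sh gridwolfOS-1.1.0-rc.3.ova.sha256 ~/Downloads/gridwolfOS-1.1.0-rc.3.ova
if [ $# -eq 2 ]; then
  verify_ova "$1" "$2"
fi
```

The expected value for rc.3 is the SHA256 in the TL;DR above; a mismatch after a Drive download most often means an interrupted transfer, since Drive serves a quota or confirmation HTML page instead of the file when it is busy. Container images are covered separately by the cosign verification in the release notes.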
## Commits landed on main this session
```
0c86078 chore: regenerate package-lock.json to fix rolldown native binding resolution
c4826a8 fix(ova): pin ISO sha256, fix autoinstall password hash, tighten GRUB boot
8652dff chore: renormalize CRLF→LF per .gitattributes
```
All authored as `Anand Murugan <anandmurugan@Anands-MacBook-Pro.local>` with `Co-Authored-By: Claude Opus 4.7 (1M context)`.
## Tags pushed
- `v1.1.0-rc.3` (plain) — fired `images.yml` → GHCR containers green in 4-7 min
- `release/v1.1.0-rc.3` — fired `build-ova.yml` → failed (containers not yet built; see OPEN ISSUE)
## Workflow runs
- `images.yml` run `26064857717` — green
https://github.com/valinorintelligence/Gridwolf/actions/runs/26064857717
- `build-ova.yml` run `26064509899` (push trigger) — failed at provision step on missing containers
- `build-ova.yml` run `26065091241` (workflow_dispatch) — GREEN 18 min 39 s
Artifact: `gridwolfOS-1.1.0-rc.3` (2,212,801,482 bytes)
## OPEN ISSUE for next release
`release/v*` tag triggers OVA build but NOT container build. Current workflow:
```
push tag v1.1.0 → images.yml → builds GHCR containers
push tag release/v1.1.0 → build-ova.yml → pulls containers from GHCR
```
If you push `release/v*` WITHOUT first building containers, OVA fails at `docker compose pull`.
**Workaround** used this session: push plain `vX.Y.Z` first, wait for images.yml green, then `gh workflow run build-ova.yml -f gridwolf_version=X.Y.Z`. Skips the `release/v*` tag entirely.
**Permanent fix options** (pick one, deferred):
1. Add `release/v*` to `images.yml` trigger (normalize VERSION stripping for both `v*` and `release/v*`)
2. Make `build-ova.yml` build images itself as a `needs:` step
3. Use `workflow_run` to chain build-ova.yml AFTER images.yml on the same tag
4. Add a pre-flight GHCR existence check at start of build-ova.yml that fails fast with a clear message
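Pre-flight script, as an added example that is not part of the repo. It implements option 4 above (fail fast if the GHCR images are missing) together with the version normalization option 1 would need, and adds the two checks that would have caught the rc.1 and rc.2 failures in Phase A before a 47-minute build did: a lookup in Ubuntu's SHA256SUMS (whose lines carry a `*` binary marker in front of the filename) against the pinned ISO hash, and a re-derivation of the autoinstall password hash from its embedded salt to confirm it matches the Packer `ssh_password`. Assumptions: `openssl` 1.1.1 or later (for `passwd -6`; LibreSSL lacks it), a docker CLI for `manifest inspect`, the ISO filename `ubuntu-24.04.4-live-server-amd64.iso`, and that `user-data` contains exactly one `$6$` hash.

```shell
#!/bin/sh
# Added example (not Gridwolf project code): pre-flight checks for the OVA build.
#   rc.1  ISO hash: look it up in SHA256SUMS and compare with the pinned value
#   rc.2  the user-data password hash must be a hash of the Packer ssh_password
#   rc.3  GHCR images must exist before build-ova.yml runs `docker compose pull`
# Assumptions: openssl >= 1.1.1, docker CLI, ISO name
# ubuntu-24.04.4-live-server-amd64.iso, one "$6$" hash in user-data.

# refs/tags/release/v1.1.0-rc.3 -> 1.1.0-rc.3 ; v1.1.0-rc.3 -> 1.1.0-rc.3
normalize_version() {
  v=${1#refs/tags/}
  v=${v#release/}
  v=${v#v}
  printf '%s\n' "$v"
}

# sha256sums_lookup <SHA256SUMS file> <iso name>: print the digest for the named
# file, accepting both the "hex *name" (binary) and "hex  name" (text) forms.
sha256sums_lookup() {
  awk -v want="$2" '{ name = $2; sub(/^\*/, "", name); if (name == want) { print $1; found = 1 } }
                    END { exit found ? 0 : 1 }' "$1"
}

# check_crypt_hash <hash> <plaintext>: re-derive with the embedded salt and compare.
# 0 = match, 1 = mismatch, 2 = not reproducible with `openssl passwd -6`.
check_crypt_hash() {
  crypt_hash=$1
  plain=$2
  case "$crypt_hash" in
    '$6$'*) ;;
    *) echo "not a sha512crypt (\$6\$) hash" >&2; return 2 ;;
  esac
  salt=${crypt_hash#'$6$'}
  salt=${salt%%'$'*}
  case "$salt" in
    rounds=*) echo "rounds= prefix is not supported by openssl passwd" >&2; return 2 ;;
  esac
  regen=$(openssl passwd -6 -salt "$salt" "$plain")
  [ "$regen" = "$crypt_hash" ]
}

# preflight_images <version>: every image the compose file pulls must resolve.
image_exists() {
  docker manifest inspect "$1" >/dev/null 2>&1
}
preflight_images() {
  missing=0
  for name in backend frontend; do
    ref="ghcr.io/valinorintelligence/gridwolf-$name:$1"
    if image_exists "$ref"; then
      echo "ok       $ref"
    else
      echo "MISSING  $ref  (push plain v$1 first and wait for images.yml)" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage: sh ova-preflight.sh <tag or version> <user-data path> <SHA256SUMS path>
# e.g.   sh ova-preflight.sh release/v1.1.0-rc.3 deploy/ova/packer/http/user-data SHA256SUMS
if [ $# -eq 3 ]; then
  version=$(normalize_version "$1")
  pinned_iso_sha256=e907d92eeec9df64163a7e454cbc8d7755e8ddc7ed42f99dbc80c40f1a138433  # value from this log
  published=$(sha256sums_lookup "$3" ubuntu-24.04.4-live-server-amd64.iso) || { echo "ISO not listed in $3" >&2; exit 1; }
  [ "$published" = "$pinned_iso_sha256" ] || { echo "pinned ISO sha256 differs from SHA256SUMS" >&2; exit 1; }
  crypt_hash=$(grep -o '[$]6[$][^" ]*' "$2" | head -n1)
  check_crypt_hash "$crypt_hash" "${SSH_PASSWORD:-gridwolf}" || { echo "user-data hash is not a hash of the ssh_password" >&2; exit 1; }
  preflight_images "$version" || exit 1
  echo "preflight ok for $version"
fi
```

Run as the first step of `build-ova.yml` with `github.ref` as the first argument and the script exits before Packer starts when images are missing, which turns the rc.3 attempt 1 failure into a one-line error instead of an 8-minute run. The `check_crypt_hash` path is only meaningful for plain `$6$salt$hash` values, which is what `openssl passwd -6` emits; hashes with a `rounds=` prefix are rejected rather than silently mis-compared.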
## Files changed (working tree → main)
19 files normalized CRLF→LF (no content change, verified via `git diff --ignore-all-space`):
.gitignore, Dockerfile.backend, LICENSE, backend/alembic.ini, backend/alembic/script.py.mako,
deploy/airgap/.env.template, frontend/.gitignore, frontend/index.html, frontend/public/favicon.svg,
frontend/public/icons.svg, frontend/src/index.css, gridwolf.bat, landing/favicon.svg, landing/index.html,
scripts/install.ps1, scripts/take-screenshots.mjs, src-tauri/build.rs, src-tauri/src/lib.rs,
src-tauri/src/main.rs
Real content edits:
- `deploy/ova/packer/gridwolf.pkr.hcl:37-39` — pin ISO sha256 (replaces `file:` lookup that failed in rc.1)
- `deploy/ova/packer/gridwolf.pkr.hcl:88-94` — GRUB edit-entry boot_command with proper timing
(10 s boot_wait, 150 ms keygroup interval, escaped `\;` for nocloud-net datasource arg)
- `deploy/ova/packer/http/user-data:25` — verified password hash for 'gridwolf':
`$6$CIgh6WCg$DOtLk6uY.JdHf8Km8gcs40QAkGWNq41ZZKStcMK/RjdALAG/Ge3ELWk06qchG7oOzhWr2giY7upe9OQMP82Fy.`
- `package-lock.json` — regenerated to fix rolldown native binding resolution (613+/514-)
## Verified facts captured for future sessions
- Ubuntu 24.04.4 ISO SHA256: `e907d92eeec9df64163a7e454cbc8d7755e8ddc7ed42f99dbc80c40f1a138433`
- gridwolf password hash (sha512crypt, salt CIgh6WCg): see user-data:25 above
- OVA artifact ID for rc.3: `7071169057` (run `26065091241`)
- Existing `v1.1.0` GH release from 2026-04-19 STILL EXISTS — must be deleted or skipped before
cutting GA `v1.1.0` from the rc.3 line
- GitHub Release single-asset cap: 2,147,483,648 bytes (exactly 2 GiB). OVA is 2,244,136,960 bytes → +96 MB over.
- Container build (images.yml) takes ~4-7 min per image; frontend done in 4m48s this run, backend slower (multi-arch).
- OVA build (build-ova.yml) ~18-20 min on `ubuntu-24.04` runner with KVM.
- packer plugin version in use: qemu v1.1.4 x5.0 linux_amd64
## Pending follow-ups for next session
1. **Hypervisor smoke test** — user-side. Verify rc.3 OVA boots on VMware/VirtualBox/Proxmox.
First-boot wizard must prompt and complete; UI reachable on :3000; API on :8000; Cockpit on :9090.
2. **Cut GA `v1.1.0`** — requires deciding fate of existing `v1.1.0` release from 2026-04-19
   (delete + replace, OR jump to `v1.2.0`). Then the plain-tag + `gh workflow run` workaround above, since a
   `release/` tag on its own still skips the container build until follow-up 4 lands.
3. **Backend dep bumps** for v1.1.1: python-jose 3.3.0 → 3.4.0+, starlette 0.38.6 → 0.47.2+,
orjson 3.10.7 → 3.11.6.
4. **OVA workflow refactor** — pick one of the 4 options above so a single `release/v*` tag cleanly
produces both containers + OVA without manual workflow_dispatch.
5. **GitHub Actions Node 20 deprecation** — `actions/checkout@v4`, `actions/upload-artifact@v4`,
`docker/*` family. Forced to Node 24 starting 2026-06-02; Node 20 removed 2026-09-16.
6. **Lockfile CRLF warning on commit** — git printed "in the working copy of 'package-lock.json',
CRLF will be replaced by LF the next time Git touches it". Cosmetic; resolves on next touch.
## Caveman mode
Active full level throughout. Code, commits and security notes written normally per skill rules.
## Session metadata
- Date: 2026-05-19
- Branch: main
- Working tree at end: clean (after lockfile commit pushed)
- Background tasks completed: 3 watchers (rc.3 push build, container build, OVA dispatch build)
- User explicit decisions captured:
- "check completely and remove unnecessary thing and fix all the valid issue and make the build completely neat clean"
- Phase A first (OVA triage)
- Audit depth: Full + /ultrareview prep
- OVA delivery: Google Drive (user-uploaded), checksum on GH release