feat: deliver v1.2.0 tenant security and release improvements

Author: eblackrps

AGENTS.md

@@ -20,6 +20,7 @@ Connectors: vmware/ (govmomi), proxmox/ (REST), hyperv/ (WinRM/PowerShell), kvm/
 - Backup-oriented connectors such as `internal/connectors/veeam/` may expose domain-specific discovery methods instead of the core VM discovery interface when they enrich the universal inventory rather than replace it.
 - The KVM connector supports a real libvirt-backed implementation behind the `libvirt` build tag; the default build keeps an XML-backed fallback so the repo remains portable on machines without libvirt development tooling.
 - Community plugins are loaded through `internal/connectors/plugin/`, which exposes a gRPC-based plugin host and a sample plugin under `examples/plugin-example/`.
+- Plugin manifests may optionally declare `minimum_viaduct_version` and `maximum_viaduct_version` so host/plugin compatibility stays explicit once releases are published.
 ## Code Standards
 - Run golangci-lint before committing. Config in .golangci.yml.
 - All exported functions require doc comments.
@@ -116,12 +117,16 @@ Scopes: cli, discovery, vmware, proxmox, hyperv, kvm, nutanix, migrate, deps, li
 - Keep operator guidance honest about maturity. If a workflow is backend-only or automation-oriented rather than a first-class CLI command, document it that way instead of implying a polished surface that does not exist.
 - Release verification should exercise packaging as well as builds and tests. If packaging breaks, the release is not ready even if `go build` passes.
 - Plugin executable launches now expect a `plugin.json` sidecar manifest with name, platform, version, and protocol version metadata. Keep the manifest aligned with the plugin’s reported platform.
+- Release bundles now include a machine-readable `dependency-manifest.json` alongside the release manifest and checksums. Treat it as part of the public artifact contract.
 - Tenant-scoped audit, reporting, and request-correlation behavior are part of the operator surface. Changes to those routes should update both the API docs and troubleshooting guidance.
+- Tenant automation should prefer service accounts over shared tenant API keys. Viewer, operator, and admin roles are part of the tenant isolation model and should stay explicit in API routing.
+- The API route `/api/v1/about` is the canonical operator-visible build metadata surface for packaged environments and should stay aligned with CLI version output and release manifests.
+- Migration `credential_ref` handling is operator-visible behavior. If it changes, update `configs/config.example.yaml` and the configuration docs in the same change.
 - Treat install, upgrade, and rollback documentation as operational code. Broken runbooks are production bugs.
 ## Current State
 - Discovery is implemented for VMware, Proxmox, Hyper-V, KVM, and Nutanix, with Veeam available for backup and restore-point enrichment plus portability planning.
 - `internal/migrate/` includes declarative spec parsing, workload matching, pre-flight checks, execution windows, approval gates, wave planning, resumable checkpoints, disk conversion, cold and warm migration orchestration, replication progress tracking, boot verification, cutover coordination, and rollback support.
 - `internal/lifecycle/` provides cost modeling, policy evaluation/simulation, waiver-aware remediation guidance, and drift detection backed by sample cost profiles and policy definitions under `configs/`.
-- `internal/store/` persists discovery snapshots, migration state, recovery points, and tenant metadata in both in-memory and PostgreSQL backends.
+- `internal/store/` persists discovery snapshots, migration state, recovery points, and tenant metadata in both in-memory and PostgreSQL backends, including tenant quotas and service-account definitions.
 - The Go API server and React dashboard are both present, and `web/` builds into production static assets with inventory, migration, history, dependency-graph, tenant summary, runbook, and lifecycle remediation views.
 - Integration coverage includes discovery, cold migration, scheduled-window pre-flight gating, migration resume after interruption, warm migration resume, cutover rollback on boot failure, tenant isolation under concurrent access, lifecycle recommendation/simulation flows, plugin crash handling, and backup portability workflows.

CHANGELOG.md

@@ -4,19 +4,28 @@ All notable changes to Viaduct should be documented in this file.
 
 This changelog tracks published releases and the major implementation milestones that shaped the current repository state.
 
-## [1.0.0] - 2026-04-05
-
-### Highlights
-- shipped the first tagged Viaduct release with a release-gated CLI, API, dashboard, install scripts, packaged web assets, checksums, and release manifest generation
-- delivered multi-platform discovery for VMware, Proxmox, Hyper-V, KVM, Nutanix, and Veeam-related backup inventory
-- delivered dependency-aware migration planning, cold and warm migration workflows, execution windows, approval gates, checkpoints, resume support, verification, and rollback
-- delivered lifecycle cost, policy, drift, remediation, and simulation workflows
-- delivered tenant-scoped API access, persistent state backends, plugin hosting, contributor docs, operator runbooks, and example lab environments
-
 ## Unreleased
 
 - no unreleased changes currently tracked
 
+## [1.2.0] - 2026-04-07
+
+### Tenant Security And Scale
+- added tenant-scoped service accounts with viewer, operator, and admin roles for API authentication
+- added role-gated tenant routes and a current-tenant introspection route without leaking API keys
+- added tenant quotas for API request rate, snapshot count, and migration count
+
+### Migration And API Correctness
+- fixed current-inventory aggregation so the API no longer misses sources once snapshot history grows past twenty entries
+- replaced brittle pending-approval summary detection with real migration-state decoding
+- wired migration `credential_ref` resolution through the CLI config and API server connector-resolution paths
+- added the `/api/v1/about` route for operator-visible build and compatibility metadata
+
+### Plugin And Release Operability
+- added optional plugin host-version compatibility markers in `plugin.json`
+- added a machine-readable `dependency-manifest.json` to packaged release bundles
+- expanded regression coverage for service-account auth, quota enforcement, plugin compatibility, packaging metadata, and summary correctness
+
 ## [1.1.0] - 2026-04-05
 
 ### Current Stable Surface
@@ -43,6 +52,15 @@ This changelog tracks published releases and the major implementation milestones
 - added release-era install, quickstart, upgrade, release, support, and troubleshooting entrypoints
 - improved directory onboarding for docs, configs, examples, API assets, tests, and the dashboard
 
+## [1.0.0] - 2026-04-05
+
+### Highlights
+- shipped the first tagged Viaduct release with a release-gated CLI, API, dashboard, install scripts, packaged web assets, checksums, and release manifest generation
+- delivered multi-platform discovery for VMware, Proxmox, Hyper-V, KVM, Nutanix, and Veeam-related backup inventory
+- delivered dependency-aware migration planning, cold and warm migration workflows, execution windows, approval gates, checkpoints, resume support, verification, and rollback
+- delivered lifecycle cost, policy, drift, remediation, and simulation workflows
+- delivered tenant-scoped API access, persistent state backends, plugin hosting, contributor docs, operator runbooks, and example lab environments
+
 ## Historical Implementation Milestones
 
 ### Phase 4 Complete

INSTALL.md

@@ -33,7 +33,7 @@ Release bundles produced by `make package-release-matrix` include:
 - built web assets
 - docs and sample configs
 - install scripts
-- checksums and a release manifest
+- checksums, a release manifest, and a dependency manifest
 
 On POSIX systems:
 

QUICKSTART.md

@@ -35,6 +35,7 @@ The sample config already points the KVM source at the local lab fixtures.
 
 ```bash
 ./bin/viaduct serve-api --port 8080
+curl http://localhost:8080/api/v1/about
 ```
 
 ## 6. Start The Dashboard
@@ -47,6 +48,12 @@ npm run dev
 
 The dashboard expects the API at `/api` and can use `VITE_VIADUCT_API_KEY` from [web/.env.example](web/.env.example) when tenant-scoped access is enabled.
 
+If you create additional tenants or service accounts, use:
+
+```bash
+curl -H "X-API-Key: <tenant-key>" http://localhost:8080/api/v1/tenants/current
+```
+
 ## Next Steps
 - Review [docs/operations/migration-operations.md](docs/operations/migration-operations.md) for execution and rollback workflows.
 - Review [docs/operations/backup-portability.md](docs/operations/backup-portability.md) for Veeam portability guidance.

README.md

@@ -10,14 +10,14 @@ Viaduct is an open source control plane for discovering, migrating, and operatin
 Broadcom's VMware licensing changes forced many teams into urgent platform decisions, but most migration tooling still assumes a one-time move into a single destination. Viaduct is built for operators who need a durable mixed-platform operating model: discover what exists, understand the blast radius, move workloads safely, preserve backup coverage, and keep managing cost, policy, and drift after cutover.
 
 ## Project Status
-Viaduct is ready for broad evaluation, operator pilots, and community contribution. The repository includes multi-platform discovery, dependency graphing, declarative migration orchestration, warm-migration primitives, lifecycle remediation, backup portability, multi-tenancy, plugin hosting, a web dashboard, reproducible release packaging, and a shared release gate for CI and local verification.
+Viaduct is ready for broad evaluation, operator pilots, and community contribution. The repository includes multi-platform discovery, dependency graphing, declarative migration orchestration, warm-migration primitives, lifecycle remediation, backup portability, multi-tenancy with service accounts and quota controls, plugin hosting, a web dashboard, reproducible release packaging, and a shared release gate for CI and local verification.
 
 ## Supported Capabilities
 - Discovery engine: Collects normalized inventory from VMware, Proxmox, Hyper-V, KVM, Nutanix, and Veeam-related backup systems into a universal schema.
 - Dependency mapping: Builds graph views across workloads, networks, storage, and backup relationships to support safer migration planning.
 - Migration orchestration: Supports declarative planning, preflight validation, cold and warm migration flows, execution windows, approval gates, checkpoints, resume support, and rollback.
 - Lifecycle analysis: Evaluates cost, policy, and drift, then turns those signals into remediation guidance and simulation output.
-- Multi-tenancy and extensibility: Provides tenant-scoped API access, persistent state backends, and a gRPC-based plugin host for community connectors.
+- Multi-tenancy and extensibility: Provides tenant-scoped API access, service-account and role-based access controls, persistent state backends, and a gRPC-based plugin host for community connectors.
 - Operator surfaces: Exposes the same core workflows through a CLI, REST API, and React dashboard.
 
 ## Supported Connectors And Integrations
@@ -49,6 +49,7 @@ make build
 ./bin/viaduct discover --type kvm --source examples/lab/kvm --save
 ./bin/viaduct plan --spec examples/lab/migration-window.yaml
 ./bin/viaduct serve-api --port 8080
+curl http://localhost:8080/api/v1/about
 
 cd web
 npm ci

RELEASE.md

@@ -12,7 +12,7 @@ This document describes the stable packaging and release process for Viaduct.
 1. Ensure the working tree is in the intended state and public docs are current.
 2. Run `make release-gate`.
 3. Inspect the generated bundles in `dist/`.
-4. Verify `release-manifest.json` and `SHA256SUMS.txt`.
+4. Verify `release-manifest.json`, `dependency-manifest.json`, and `SHA256SUMS.txt`.
 5. Smoke-test the packaged binary with `viaduct version` and `viaduct --help`.
 6. Confirm install docs, upgrade docs, and rollback docs still match the artifact layout.
 7. Tag and publish only after the verification and smoke checks are clean.
@@ -25,7 +25,7 @@ The release bundle should include:
 - docs
 - sample configs
 - examples
-- manifest and checksums
+- release manifest, dependency manifest, and checksums
 - deployment reference assets
 
 ## Release Notes Guidance

cmd/viaduct/config.go

@@ -16,6 +16,7 @@ type appConfig struct {
 	Insecure      bool                         `yaml:"insecure"`
 	StateStoreDSN string                       `yaml:"state_store_dsn"`
 	Sources       map[string]connectors.Config `yaml:"sources"`
+	Credentials   map[string]connectors.Config `yaml:"credentials"`
 	Plugins       map[string]string            `yaml:"plugins"`
 }
 
@@ -108,6 +109,34 @@ func mergeConnectorConfig(target *connectors.Config, source connectors.Config) {
 	}
 }
 
+func mergeConnectorCredentialConfig(target *connectors.Config, source connectors.Config) {
+	if target.Username == "" && source.Username != "" {
+		target.Username = source.Username
+	}
+	if target.Password == "" && source.Password != "" {
+		target.Password = source.Password
+	}
+	if !target.Insecure && source.Insecure {
+		target.Insecure = true
+	}
+	if target.Port == 0 && source.Port != 0 {
+		target.Port = source.Port
+	}
+}
+
+func resolveMigrationConnectorConfig(address, platform, credentialRef string, cfg *appConfig) connectors.Config {
+	config := resolveConnectorConfig(address, platform, "", "", false, cfg)
+	if cfg == nil {
+		return config
+	}
+
+	if credentialConfig, ok := cfg.Credentials[strings.TrimSpace(credentialRef)]; ok {
+		mergeConnectorCredentialConfig(&config, credentialConfig)
+	}
+	config.Address = address
+	return config
+}
+
 func expandPath(path string) (string, error) {
 	if path == "" {
 		return path, nil

cmd/viaduct/config_test.go

@@ -3,6 +3,8 @@ package main
 import (
 	"path/filepath"
 	"testing"
+
+	"github.com/eblackrps/viaduct/internal/connectors"
 )
 
 func TestLoadAppConfig_ExampleConfig_Parses(t *testing.T) {
@@ -23,7 +25,38 @@ func TestLoadAppConfig_ExampleConfig_Parses(t *testing.T) {
 	if cfg.Sources["kvm"].Address != "examples/lab/kvm" {
 		t.Fatalf("kvm source address = %q, want examples/lab/kvm", cfg.Sources["kvm"].Address)
 	}
+	if cfg.Credentials["source/vcenter"].Username == "" {
+		t.Fatal("source/vcenter credential username = empty, want populated example credential")
+	}
 	if cfg.Plugins["example"] != "grpc://127.0.0.1:50071" {
 		t.Fatalf("example plugin address = %q, want grpc://127.0.0.1:50071", cfg.Plugins["example"])
 	}
 }
+
+func TestResolveMigrationConnectorConfig_CredentialRefApplied_Expected(t *testing.T) {
+	t.Parallel()
+
+	cfg := &appConfig{
+		Sources: map[string]connectors.Config{
+			"vmware": {Insecure: true},
+		},
+		Credentials: map[string]connectors.Config{
+			"source/vcenter": {
+				Username: "administrator@vsphere.local",
+				Password: "secret",
+				Port:     443,
+			},
+		},
+	}
+
+	config := resolveMigrationConnectorConfig("https://vcsa.lab.local", "vmware", "source/vcenter", cfg)
+	if config.Address != "https://vcsa.lab.local" {
+		t.Fatalf("Address = %q, want https://vcsa.lab.local", config.Address)
+	}
+	if config.Username != "administrator@vsphere.local" || config.Password != "secret" {
+		t.Fatalf("credentials = %#v, want credential-ref values", config)
+	}
+	if !config.Insecure || config.Port != 443 {
+		t.Fatalf("transport settings = %#v, want insecure source config and port 443", config)
+	}
+}

cmd/viaduct/main.go

@@ -37,6 +37,8 @@ var (
 )
 
 func init() {
+	_ = os.Setenv("VIADUCT_VERSION", version)
+
 	rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose output")
 	rootCmd.PersistentFlags().StringVarP(&output, "output", "o", "table", "Output format: table, json, yaml")
 	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "~/.viaduct/config.yaml", "Path to config file")

cmd/viaduct/migration_helpers.go

@@ -9,8 +9,8 @@ import (
 )
 
 func connectorsForSpec(cfg *appConfig, catalog *connectorcatalog.Catalog, spec *migratepkg.MigrationSpec) (sourceConnector connectors.Connector, targetConnector connectors.Connector, err error) {
-	sourceConfig := resolveConnectorConfig(spec.Source.Address, string(spec.Source.Platform), "", "", false, cfg)
-	targetConfig := resolveConnectorConfig(spec.Target.Address, string(spec.Target.Platform), "", "", false, cfg)
+	sourceConfig := resolveMigrationConnectorConfig(spec.Source.Address, string(spec.Source.Platform), spec.Source.CredentialRef, cfg)
+	targetConfig := resolveMigrationConnectorConfig(spec.Target.Address, string(spec.Target.Platform), spec.Target.CredentialRef, cfg)
 
 	sourceConnector, err = catalog.Build(spec.Source.Platform, sourceConfig)
 	if err != nil {