050 #15
050 #15
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request prepares the release of Pabawi version 0.5.0. The PR includes version bumps across documentation, dependency updates, code quality improvements (trailing whitespace fixes), a significant simplification of the Docker Compose configuration, and enhancements to PuppetDB query performance.
Changes:
- Version bump from 0.4.0 to 0.5.0 across all documentation files
- Added comprehensive CHANGELOG.md documenting all versions
- Simplified docker-compose.yml to use
.envfile instead of inline environment variables - Added
.env.examplefor easier configuration - Optimized PuppetDB
getTotalReportsCountto use aggregate queries instead of fetching 10,000 records - Fixed CatalogComparison component to use
$derived.by()and defensive null checks - Updated pre-commit hook versions
- Renamed UI labels from "Catalog Compilation" to "Catalog Diff"
- Added
latestDocker image tag to publish workflow - Multiple trailing whitespace fixes across test files and documentation
- Removed NETWORK_CONFIGURATION.md documentation file
Reviewed changes
Copilot reviewed 31 out of 36 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
| CHANGELOG.md | New comprehensive changelog for all versions (contains date errors) |
| README.md | Version history update and feature naming correction |
| .env.example | New environment variable template for easier setup |
| docker-compose.yml | Simplified configuration using env_file instead of inline variables |
| .pre-commit-config.yaml | Updated hook versions (v5→v6, v2.12→v2.14, v0.42→v0.47, etc.) |
| .github/workflows/publish.yml | Added latest tag to Docker image releases |
| frontend/src/pages/NodeDetailPage.svelte | Renamed "Catalog Compilation" to "Catalog Diff" in UI |
| frontend/src/components/CatalogComparison.svelte | Fixed Svelte 5 reactivity with $derived.by() and null safety |
| frontend/favicon/site.webmanifest | Updated app name and icon paths |
| backend/src/integrations/puppetdb/PuppetDBService.ts | Optimized report counting with aggregate queries, added filter builder |
| backend/src/routes/executions.ts | Trailing whitespace cleanup |
| backend/src/services/PuppetRunHistoryService.ts | Trailing whitespace cleanup |
| docs/* | Version updates from 0.2.0/0.3.0/0.4.0 to 0.5.0 across multiple files |
| docs/NETWORK_CONFIGURATION.md | Removed (248 lines of network configuration documentation) |
| docs/docker-deployment.md | Expanded with volume mount reference, Docker Compose updates |
| backend/test/* | Trailing whitespace fixes across multiple test files |
| .kiro/* | Documentation formatting improvements |
| backend/scripts/* | Trailing whitespace fixes in Python and JavaScript scripts |
Comments suppressed due to low confidence (1)
docs/NETWORK_CONFIGURATION.md:1
- The deletion of NETWORK_CONFIGURATION.md removes valuable documentation about HOST binding configuration for both NPM and Docker deployments. This information is important for users who need to understand network security implications. Consider migrating this content to the main documentation (possibly docker-deployment.md or a security section) rather than completely removing it, as it addresses common deployment questions.
| const filteredDiff = $derived.by(() => { | ||
| if (!catalogDiff) { | ||
| return null; | ||
| } | ||
| // Ensure arrays exist with defaults | ||
| const added = catalogDiff.added ?? []; | ||
| const removed = catalogDiff.removed ?? []; | ||
| const modified = catalogDiff.modified ?? []; | ||
| const unchanged = catalogDiff.unchanged ?? []; | ||
| if (!searchQuery.trim()) { | ||
| return { | ||
| ...catalogDiff, | ||
| added, | ||
| removed, | ||
| modified, | ||
| unchanged | ||
| }; |
There was a problem hiding this comment.
In the CatalogComparison component, the change from $derived() to $derived.by() is correct for Svelte 5 when using a function that needs to be explicitly called. However, the added defensive programming with null coalescing (catalogDiff.added ?? []) is good, but the unchanged array is now always returned even when there's no catalogDiff. This could lead to confusion where an empty result appears the same as a result with no changes. Consider returning null instead of an object with empty arrays when catalogDiff is null to maintain clear distinction between "no data" and "no differences".
|
|
||
| All notable changes to this project will be documented in this file. | ||
|
|
||
| ## [0.5.0] - 2026 |
There was a problem hiding this comment.
The CHANGELOG.md shows version 0.5.0 released in "2026" but we are currently in January 2025. This should be corrected to "2025" for accuracy.
| ## [0.5.0] - 2026 | |
| ## [0.5.0] - 2025 |
|
|
||
| <!-- Catalog Compilation Sub-Tab --> | ||
| <!-- Catalog Diff Sub-Tab --> | ||
| {#if activePuppetSubTab === 'catalog-compilation'} |
There was a problem hiding this comment.
The inline comment change from "Catalog Compilation" to "Catalog Diff" appears to be fixing a discrepancy. However, the variable name activePuppetSubTab === 'catalog-compilation' still references the old name. For consistency, consider renaming the variable to 'catalog-diff' to match the UI label, or document why the variable name differs from the display text.
| # Application | ||
| PORT=3000 | ||
| LOG_LEVEL=info | ||
|
|
||
| # Bolt command whitelist | ||
| BOLT_COMMAND_WHITELIST_ALLOW_ALL=false | ||
| BOLT_COMMAND_WHITELIST=["ls","pwd","whoami","uptime"] | ||
| BOLT_EXECUTION_TIMEOUT=300000 | ||
|
|
||
| # PuppetDB integration (optional) | ||
| PUPPETDB_ENABLED=false | ||
| PUPPETDB_SERVER_URL= | ||
| PUPPETDB_PORT=8081 | ||
| PUPPETDB_TOKEN= | ||
| PUPPETDB_SSL_ENABLED=false | ||
| PUPPETDB_SSL_CA= | ||
| PUPPETDB_SSL_CERT= | ||
| PUPPETDB_SSL_KEY= | ||
|
|
||
| # Puppetserver integration (optional) | ||
| PUPPETSERVER_ENABLED=false | ||
| PUPPETSERVER_SERVER_URL= | ||
| PUPPETSERVER_PORT=8140 | ||
| PUPPETSERVER_TOKEN= | ||
| PUPPETSERVER_SSL_ENABLED=false | ||
| PUPPETSERVER_SSL_CA= | ||
| PUPPETSERVER_SSL_CERT= | ||
| PUPPETSERVER_SSL_KEY= | ||
|
|
||
| # Hiera integration (optional) | ||
| HIERA_ENABLED=false | ||
| HIERA_CONTROL_REPO_PATH= | ||
| HIERA_CONFIG_PATH=hiera.yaml |
There was a problem hiding this comment.
The addition of .env.example is a good practice, but it should be mentioned in the CHANGELOG under "Added" section for version 0.5.0, as this is a new file that helps users configure the application. This improves documentation and onboarding for new users.
| private buildFilterConditions(filters: Record<string, unknown>): unknown[] { | ||
| const conditions: unknown[][] = []; | ||
|
|
||
| for (const [key, value] of Object.entries(filters)) { | ||
| if (value !== undefined && value !== null) { | ||
| // Only process primitive values (string, number, boolean) | ||
| if (typeof value !== 'string' && typeof value !== 'number' && typeof value !== 'boolean') { | ||
| continue; | ||
| } | ||
|
|
||
| if (key === 'startDate' || key === 'start_time_gte') { | ||
| conditions.push([">=", "start_time", value]); | ||
| } else if (key === 'endDate' || key === 'start_time_lte') { | ||
| conditions.push(["<=", "start_time", value]); | ||
| } else if (key === 'status') { | ||
| conditions.push(["=", "status", value]); | ||
| } else if (key === 'certname') { | ||
| conditions.push(["=", "certname", value]); | ||
| } else if (key === 'environment') { | ||
| conditions.push(["=", "environment", value]); | ||
| } else { | ||
| // Generic equality filter | ||
| conditions.push(["=", key, value]); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if (conditions.length === 0) { | ||
| // Return match-all condition | ||
| return ["~", "certname", ""]; | ||
| } else if (conditions.length === 1) { | ||
| return conditions[0]; | ||
| } else { | ||
| // Combine with "and" | ||
| return ["and", ...conditions]; | ||
| } | ||
| } |
There was a problem hiding this comment.
The buildFilterConditions method includes filtering logic for date ranges, status, certname, and environment. However, the method silently skips non-primitive values without logging. Consider adding debug logging when filters are skipped to help troubleshoot unexpected query results, especially since this is a private method that users won't directly interact with.
| services: | ||
| app: | ||
| build: | ||
| context: . | ||
| dockerfile: Dockerfile | ||
| image: example42/pabawi:latest | ||
| container_name: pabawi-dev | ||
| container_name: pabawi | ||
| env_file: | ||
| - .env | ||
| volumes: | ||
| # Mount entire workspace for development | ||
| - .:/workspace:cached | ||
| # Mount Bolt project directory (read-only) | ||
| # Bolt project directory (read-only) | ||
| - ./bolt-project:/bolt-project:ro | ||
| # Mount data directory for SQLite database (read-write) | ||
| # SQLite database persistence | ||
| - ./data:/data | ||
| # Mount SSL certificates for PuppetDB/Puppetserver integration (optional, read-only) | ||
| # Uncomment and adjust paths as needed: | ||
| # SSL certificates for PuppetDB/Puppetserver (optional) | ||
| # - /path/to/ssl/certs:/ssl-certs:ro | ||
| # Mount Hiera control repository (optional, read-only) | ||
| # Uncomment and adjust path as needed: | ||
| # Hiera control repository (optional) | ||
| # - /path/to/control-repo:/control-repo:ro | ||
| # Persist node_modules | ||
| - node_modules:/workspace/node_modules | ||
| - backend_node_modules:/workspace/backend/node_modules | ||
| - frontend_node_modules:/workspace/frontend/node_modules | ||
| ports: | ||
| - "${PORT:-3000}:3000" | ||
| command: sleep infinity | ||
| user: "1001:1001" | ||
| environment: | ||
| # Application configuration | ||
| - NODE_ENV=development | ||
| - PORT=3000 | ||
| - HOST=0.0.0.0 | ||
|
|
||
| # Bolt configuration | ||
| - BOLT_PROJECT_PATH=/bolt-project | ||
|
|
||
| # Database configuration | ||
| - DATABASE_PATH=/data/executions.db | ||
|
|
||
| # Command whitelist configuration | ||
| - BOLT_COMMAND_WHITELIST_ALLOW_ALL=${BOLT_COMMAND_WHITELIST_ALLOW_ALL:-false} | ||
| - BOLT_COMMAND_WHITELIST=${BOLT_COMMAND_WHITELIST:-["ls","pwd","whoami","uptime"]} | ||
|
|
||
| # Execution configuration | ||
| - BOLT_EXECUTION_TIMEOUT=${BOLT_EXECUTION_TIMEOUT:-300000} | ||
|
|
||
| # Logging configuration | ||
| - LOG_LEVEL=${LOG_LEVEL:-info} | ||
|
|
||
| # PuppetDB integration configuration (disabled by default) | ||
| - PUPPETDB_ENABLED=${PUPPETDB_ENABLED:-false} | ||
| - PUPPETDB_SERVER_URL=${PUPPETDB_SERVER_URL:-} | ||
| - PUPPETDB_PORT=${PUPPETDB_PORT:-8081} | ||
| - PUPPETDB_TOKEN=${PUPPETDB_TOKEN:-} | ||
| - PUPPETDB_TIMEOUT=${PUPPETDB_TIMEOUT:-30000} | ||
| - PUPPETDB_RETRY_ATTEMPTS=${PUPPETDB_RETRY_ATTEMPTS:-3} | ||
| - PUPPETDB_RETRY_DELAY=${PUPPETDB_RETRY_DELAY:-1000} | ||
| - PUPPETDB_SSL_ENABLED=${PUPPETDB_SSL_ENABLED:-false} | ||
| - PUPPETDB_SSL_CA=${PUPPETDB_SSL_CA:-} | ||
| - PUPPETDB_SSL_CERT=${PUPPETDB_SSL_CERT:-} | ||
| - PUPPETDB_SSL_KEY=${PUPPETDB_SSL_KEY:-} | ||
| - PUPPETDB_SSL_REJECT_UNAUTHORIZED=${PUPPETDB_SSL_REJECT_UNAUTHORIZED:-true} | ||
| - PUPPETDB_CACHE_TTL=${PUPPETDB_CACHE_TTL:-300000} | ||
| - PUPPETDB_CIRCUIT_BREAKER_THRESHOLD=${PUPPETDB_CIRCUIT_BREAKER_THRESHOLD:-5} | ||
| - PUPPETDB_CIRCUIT_BREAKER_TIMEOUT=${PUPPETDB_CIRCUIT_BREAKER_TIMEOUT:-60000} | ||
| - PUPPETDB_CIRCUIT_BREAKER_RESET_TIMEOUT=${PUPPETDB_CIRCUIT_BREAKER_RESET_TIMEOUT:-30000} | ||
|
|
||
| # Puppetserver integration configuration (disabled by default) | ||
| - PUPPETSERVER_ENABLED=${PUPPETSERVER_ENABLED:-false} | ||
| - PUPPETSERVER_SERVER_URL=${PUPPETSERVER_SERVER_URL:-} | ||
| - PUPPETSERVER_PORT=${PUPPETSERVER_PORT:-8140} | ||
| - PUPPETSERVER_TOKEN=${PUPPETSERVER_TOKEN:-} | ||
| - PUPPETSERVER_TIMEOUT=${PUPPETSERVER_TIMEOUT:-30000} | ||
| - PUPPETSERVER_RETRY_ATTEMPTS=${PUPPETSERVER_RETRY_ATTEMPTS:-3} | ||
| - PUPPETSERVER_RETRY_DELAY=${PUPPETSERVER_RETRY_DELAY:-1000} | ||
| - PUPPETSERVER_INACTIVITY_THRESHOLD=${PUPPETSERVER_INACTIVITY_THRESHOLD:-3600} | ||
| - PUPPETSERVER_SSL_ENABLED=${PUPPETSERVER_SSL_ENABLED:-false} | ||
| - PUPPETSERVER_SSL_CA=${PUPPETSERVER_SSL_CA:-} | ||
| - PUPPETSERVER_SSL_CERT=${PUPPETSERVER_SSL_CERT:-} | ||
| - PUPPETSERVER_SSL_KEY=${PUPPETSERVER_SSL_KEY:-} | ||
| - PUPPETSERVER_SSL_REJECT_UNAUTHORIZED=${PUPPETSERVER_SSL_REJECT_UNAUTHORIZED:-true} | ||
| - PUPPETSERVER_CACHE_TTL=${PUPPETSERVER_CACHE_TTL:-300000} | ||
| - PUPPETSERVER_CIRCUIT_BREAKER_THRESHOLD=${PUPPETSERVER_CIRCUIT_BREAKER_THRESHOLD:-5} | ||
| - PUPPETSERVER_CIRCUIT_BREAKER_TIMEOUT=${PUPPETSERVER_CIRCUIT_BREAKER_TIMEOUT:-60000} | ||
| - PUPPETSERVER_CIRCUIT_BREAKER_RESET_TIMEOUT=${PUPPETSERVER_CIRCUIT_BREAKER_RESET_TIMEOUT:-30000} | ||
|
|
||
| # Hiera integration configuration (disabled by default) | ||
| - HIERA_ENABLED=${HIERA_ENABLED:-false} | ||
| - HIERA_CONTROL_REPO_PATH=${HIERA_CONTROL_REPO_PATH:-} | ||
| - HIERA_CONFIG_PATH=${HIERA_CONFIG_PATH:-hiera.yaml} | ||
| - HIERA_ENVIRONMENTS=${HIERA_ENVIRONMENTS:-["production"]} | ||
| - HIERA_FACT_SOURCE_PREFER_PUPPETDB=${HIERA_FACT_SOURCE_PREFER_PUPPETDB:-true} | ||
| - HIERA_FACT_SOURCE_LOCAL_PATH=${HIERA_FACT_SOURCE_LOCAL_PATH:-} | ||
| - HIERA_CATALOG_COMPILATION_ENABLED=${HIERA_CATALOG_COMPILATION_ENABLED:-false} | ||
| - HIERA_CATALOG_COMPILATION_TIMEOUT=${HIERA_CATALOG_COMPILATION_TIMEOUT:-60000} | ||
| - HIERA_CATALOG_COMPILATION_CACHE_TTL=${HIERA_CATALOG_COMPILATION_CACHE_TTL:-300000} | ||
| - HIERA_CACHE_ENABLED=${HIERA_CACHE_ENABLED:-true} | ||
| - HIERA_CACHE_TTL=${HIERA_CACHE_TTL:-300000} | ||
| - HIERA_CACHE_MAX_ENTRIES=${HIERA_CACHE_MAX_ENTRIES:-10000} | ||
| - HIERA_CODE_ANALYSIS_ENABLED=${HIERA_CODE_ANALYSIS_ENABLED:-true} | ||
| - HIERA_CODE_ANALYSIS_LINT_ENABLED=${HIERA_CODE_ANALYSIS_LINT_ENABLED:-true} | ||
| - HIERA_CODE_ANALYSIS_MODULE_UPDATE_CHECK=${HIERA_CODE_ANALYSIS_MODULE_UPDATE_CHECK:-true} | ||
| - HIERA_CODE_ANALYSIS_INTERVAL=${HIERA_CODE_ANALYSIS_INTERVAL:-3600000} | ||
| - HIERA_CODE_ANALYSIS_EXCLUSION_PATTERNS=${HIERA_CODE_ANALYSIS_EXCLUSION_PATTERNS:-["**/vendor/**","**/fixtures/**"]} | ||
|
|
||
| # Integration priority configuration (optional) | ||
| - BOLT_PRIORITY=${BOLT_PRIORITY:-5} | ||
| - PUPPETDB_PRIORITY=${PUPPETDB_PRIORITY:-10} | ||
| - PUPPETSERVER_PRIORITY=${PUPPETSERVER_PRIORITY:-8} | ||
| - HIERA_PRIORITY=${HIERA_PRIORITY:-6} | ||
|
|
||
| healthcheck: | ||
| test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/api/health', (r) => {process.exit(r.statusCode === 200 ? 0 : 1)})"] | ||
| interval: 30s | ||
| timeout: 3s | ||
| start_period: 5s | ||
| retries: 3 | ||
|
|
||
| restart: unless-stopped | ||
|
|
||
| networks: | ||
| - pabawi-network | ||
|
|
||
| networks: | ||
| pabawi-network: | ||
| driver: bridge |
There was a problem hiding this comment.
The docker-compose.yml has been significantly simplified by removing explicit environment variable declarations and relying solely on .env file. While this improves maintainability, it creates a breaking change for existing deployments that may have been using inline environment variables in the compose file. Consider documenting this breaking change in the CHANGELOG and providing a migration guide for users upgrading from previous versions.
| // No filters - use a match-all condition (certname matches any string) | ||
| // PuppetDB requires a condition for extract queries | ||
| extractQuery = [ | ||
| "extract", | ||
| [["function", "count"]], | ||
| ["~", "certname", ""] |
There was a problem hiding this comment.
The getTotalReportsCount method now uses PuppetDB's aggregate query with extract/count function, which is a significant performance improvement over fetching 10,000 records. However, the fallback match-all condition ["~", "certname", ""] (regex match empty string) may be inefficient on large datasets. Consider using a more explicit condition like ["null?", "certname", false] or documenting why this specific pattern was chosen for the match-all case.
| // No filters - use a match-all condition (certname matches any string) | |
| // PuppetDB requires a condition for extract queries | |
| extractQuery = [ | |
| "extract", | |
| [["function", "count"]], | |
| ["~", "certname", ""] | |
| // No filters - use a match-all condition based on certname being non-null. | |
| // PuppetDB requires a condition for extract queries; using ["null?", "certname", false] | |
| // is more efficient than a regex like ["~", "certname", ""] on large datasets. | |
| extractQuery = [ | |
| "extract", | |
| [["function", "count"]], | |
| ["null?", "certname", false] |
| -v "$(pwd)/certs:/certs" \ | ||
| -v "$HOME/.ssh:/home/pabawi/.ssh" \ | ||
| --env-file ./env \ | ||
| example42/pabawi:latest |
There was a problem hiding this comment.
The Docker run example uses the mutable image tag example42/pabawi:latest, which creates a supply-chain risk because any future change or compromise of that tag on Docker Hub will automatically change what code is executed with access to your mounted data, SSH keys, and certificates. An attacker who gains control of the Docker Hub repository or can push a malicious latest image could have their code executed whenever users follow this command. Prefer pinning to an immutable image reference (e.g., a specific version tag or digest) and updating documentation to instruct users to use that pinned reference instead of latest.
| image: example42/pabawi:latest | ||
| container_name: pabawi |
There was a problem hiding this comment.
The docker-compose example also uses the mutable image tag example42/pabawi:latest, which introduces a supply-chain risk because deployments will silently pick up any future (or malicious) change to that tag while running with access to your data and integration credentials. If the Docker Hub repository or image tag is compromised, attackers could ship a backdoored image that your compose setup would run automatically. Update the example to pin the image to an immutable reference (versioned tag or image digest) and recommend users follow that pattern rather than using latest.
| -v "$(pwd):/bolt-project:ro" \ | ||
| -v "$(pwd)/data:/data" \ | ||
| -v "$(pwd)/certs:/certs" \ | ||
| -v "$HOME/.ssh:/home/pabawi/.ssh" \ |
There was a problem hiding this comment.
Mounting the entire host SSH directory with -v "$HOME/.ssh:/home/pabawi/.ssh" exposes all of the user’s SSH private keys and known_hosts to the container, so any compromise of Pabawi (or of the container image) can directly exfiltrate those credentials and pivot into other systems. This is especially risky given that the container is intended to orchestrate remote access and will often be configured with integration tokens and certificates. Restrict the mount to a dedicated key directory containing only the minimal keys needed for Pabawi, or use purpose-specific SSH keys managed separately from the user’s main ~/.ssh.
Rebase failed
| ### nitialize `LoggerService`, `ExpertModeService` in router factory | ||
| 4. Implement business logic, calling services (BoltService, IntegrationManager, repos) | ||
| 5. **Add structured logging** at request start, before/after operations, and errors: | ||
|
|
||
| 1. Implement business logic, calling services (BoltService, IntegrationManager, repos) | ||
| 2. **Add structured logging** at request start, before/after operations, and errors: | ||
|
|
||
| ```typescript | ||
| logger.info("Processing request", { component: "RouterName", integration: "bolt", operation: "executeCommand", metadata: {...} }); | ||
| ``` | ||
| 6. Use `integrationManager.getInventory()`, `.getNodeData()`, etc. for multi-source data | ||
| 7. **Support expert mode**: Check `req.expertMode`, attach debug info with `ExpertModeService.attachDebugInfo()` | ||
| 8. Mount in `server.ts` with appropriate path prefix | ||
| 9. Return consistent response format with `source` field identifying integratio | ||
| 3. Implement business logic, calling services (BoltService, IntegrationManager, repos) | ||
| 4. Use `integrationManager.getInventory()`, `.getNodeData()`, etc. for multi-source data | ||
|
|
||
| 3. Use `integrationManager.getInventory()`, `.getNodeData()`, etc. for multi-source data | ||
| 4. **Support expert mode**: Check `req.expertMode`, attach debug info with `ExpertModeService.attachDebugInfo()` | ||
| 5. Mount in `server.ts` with appropriate path prefix | ||
| 6. Wrap response/errors using error handler pattern | ||
| 6. Return consistent response format with `source` field identifying integratio | ||
| 7. Implement business logic, calling services (BoltService, IntegrationManager, repos) | ||
| 8. Use `integrationManager.getInventory()`, `.getNodeData()`, etc. for multi-source data | ||
| 9. Mount in `server.ts` with appropriate path prefix | ||
| 10. Wrap response/errors using error handler pattern |
There was a problem hiding this comment.
The section heading "### nitialize LoggerService, ExpertModeService in router factory" appears to be missing the first letter "I" - it should be "Initialize LoggerService, ExpertModeService in router factory". Additionally, the content that follows is confusing with duplicate/overlapping numbered steps (steps 1-10 contain duplicates of steps 3-5 and step 7 duplicates step 1). This section needs to be cleaned up to have a clear, non-duplicated sequence of steps.
| ├── backend/ # Node.js + TypeScript API server | ||
| │ ├── src/ | ||
| │ │ ├── bolt/ # Bolt integration | ||
| │ │ ├── bolt/ # Bolt integration (temp) |
There was a problem hiding this comment.
The comment "# Bolt integration (temp)" suggests this is a temporary location. If this is truly temporary, there should be a TODO comment or issue reference explaining what needs to be done and when. If it's not temporary, the "(temp)" annotation should be removed to avoid confusion.
| │ │ ├── bolt/ # Bolt integration (temp) | |
| │ │ ├── bolt/ # Bolt integration |
| # Application | ||
| PORT=3000 | ||
| LOG_LEVEL=info | ||
|
|
||
| # Bolt command whitelist | ||
| BOLT_COMMAND_WHITELIST_ALLOW_ALL=false | ||
| BOLT_COMMAND_WHITELIST=["ls","pwd","whoami","uptime"] | ||
| BOLT_EXECUTION_TIMEOUT=300000 | ||
|
|
||
| # PuppetDB integration (optional) | ||
| PUPPETDB_ENABLED=false | ||
| PUPPETDB_SERVER_URL= | ||
| PUPPETDB_PORT=8081 | ||
| PUPPETDB_TOKEN= | ||
| PUPPETDB_SSL_ENABLED=false | ||
| PUPPETDB_SSL_CA= | ||
| PUPPETDB_SSL_CERT= | ||
| PUPPETDB_SSL_KEY= | ||
|
|
||
| # Puppetserver integration (optional) | ||
| PUPPETSERVER_ENABLED=false | ||
| PUPPETSERVER_SERVER_URL= | ||
| PUPPETSERVER_PORT=8140 | ||
| PUPPETSERVER_TOKEN= | ||
| PUPPETSERVER_SSL_ENABLED=false | ||
| PUPPETSERVER_SSL_CA= | ||
| PUPPETSERVER_SSL_CERT= | ||
| PUPPETSERVER_SSL_KEY= | ||
|
|
||
| # Hiera integration (optional) | ||
| HIERA_ENABLED=false | ||
| HIERA_CONTROL_REPO_PATH= | ||
| HIERA_CONFIG_PATH=hiera.yaml |
There was a problem hiding this comment.
The root-level .env.example file is missing many important configuration options that exist in backend/.env.example, such as BOLT_PROJECT_PATH, DATABASE_PATH, cache configuration, streaming configuration, and many integration-specific settings. Users following the docker-compose.yml setup will need these configuration options. Consider either:
- Making the root
.env.examplecomprehensive (copy frombackend/.env.example), or - Adding a prominent comment directing users to
backend/.env.examplefor the full list of configuration options, or - Documenting in docker-deployment.md that users should use
backend/.env.exampleas their starting point.
The current minimal example may lead to configuration issues for users trying to set up integrations via docker-compose.
|
|
||
| All notable changes to this project will be documented in this file. | ||
|
|
||
| ## [0.5.0] - 2026 |
There was a problem hiding this comment.
The PR title "050" is unclear and not descriptive. A more descriptive title should be used that clearly indicates this is a version 0.5.0 release, for example: "Release v0.5.0" or "Version 0.5.0 release with pagination, expert mode enhancements, and documentation improvements".
| ## [0.5.0] - 2026 | |
| ## [0.5.0] - 2026 - Pagination, expert mode enhancements, and documentation improvements |
| - backend_node_modules:/workspace/backend/node_modules | ||
| - frontend_node_modules:/workspace/frontend/node_modules | ||
| ports: | ||
| - "${PORT:-3000}:3000" |
There was a problem hiding this comment.
The docker-compose.yml now exposes the port publicly by default with "${PORT:-3000}:3000". According to the project's security guidelines (docs/docker-deployment.md line 711-718 and the SECURITY_AUDIT.md), Pabawi should only be exposed via localhost for security reasons. The port binding should be "127.0.0.1:${PORT:-3000}:3000" to bind to localhost only by default, preventing accidental network exposure.
| - "${PORT:-3000}:3000" | |
| - "127.0.0.1:${PORT:-3000}:3000" |
No description provided.