torrust
diff --git a/‎.github/workflows/container.yaml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/container.yaml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 128 additions & 30 deletions b/‎CHANGELOG.md‎
Lines changed: 128 additions & 30 deletions
diff --git a/‎Containerfile‎
Lines changed: 4 additions & 4 deletions b/‎Containerfile‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
@@ -42,12 +42,12 @@ jobs:
           # output points the reader at the real line.
           if awk '{ sub(/#.*/, ""); print }' compose.yaml \
               | grep -nE 'mailcatcher|MAILER|SMTP|smtp_'; then
-            echo "::error file=compose.yaml::dev mail sidecar / SMTP config present in production-shaped baseline (ADR-T-009 §8.1, §9.1.3)"
+            echo "::error file=compose.yaml::dev mail sidecar / SMTP config present in production-shaped baseline (ADR-T-009 §D1 / §8.1)"
             exit 1
           fi
           echo "compose.yaml clean."
 
-      # Phase 9 §9.2 — vendored `su-exec.c` must not change
+      # Phase 9 / ADR-T-009 §D8 — vendored `su-exec.c` must not change
       # without a fresh audit entry recording the new SHA-256
       # in contrib/dev-tools/su-exec/AUDIT.md.
       - id: su-exec-audit
@@ -59,17 +59,17 @@ jobs:
           recorded=$(sed -n '/^## Audit Log/,$ { s/^SHA-256: \([0-9a-f]\{64\}\)$/\1/p; }' "$audit" | tail -1)
           actual=$(sha256sum contrib/dev-tools/su-exec/su-exec.c | cut -d' ' -f1)
           if [ -z "$recorded" ]; then
-            echo "::error file=$audit::no SHA-256 entry found in '## Audit Log' section (ADR-T-009 §9.2)"
+            echo "::error file=$audit::no SHA-256 entry found in '## Audit Log' section (ADR-T-009 §D8)"
             exit 1
           fi
           if [ "$recorded" != "$actual" ]; then
-            echo "::error file=$audit::recorded SHA-256 ($recorded) does not match contrib/dev-tools/su-exec/su-exec.c ($actual). Append a new dated audit entry per ADR-T-009 §9.2."
+            echo "::error file=$audit::recorded SHA-256 ($recorded) does not match contrib/dev-tools/su-exec/su-exec.c ($actual). Append a new dated audit entry per ADR-T-009 §D8."
             exit 1
           fi
           echo "su-exec audit current ($actual)."
 
-      # Phase 9 §9 / Acceptance Criterion #7 — every env var
-      # listed in the entry script's manifest block must be
+      # Phase 9 / ADR-T-009 Acceptance Criterion #7 — every env
+      # var listed in the entry script's manifest block must be
       # documented in docs/containers.md.
       - id: entry-env-docs
         name: entry-script env vars documented
@@ -80,7 +80,7 @@ jobs:
                   | grep -oE '[A-Z][A-Z0-9_]+' \
                   | sort -u)
           if [ -z "$vars" ]; then
-            echo "::error file=$script::ENTRY_ENV_VARS manifest block not found or empty (ADR-T-009 §9 Crit. #7)"
+            echo "::error file=$script::ENTRY_ENV_VARS manifest block not found or empty (ADR-T-009 Acceptance Criterion #7)"
             exit 1
           fi
           missing=0
 
@@ -9,43 +9,73 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- ADR-T-009: Container infrastructure refactor (Phases 1–9). Beyond
-  the tactical hardening already noted under Phase 3, the refactor:
-  - Splits the runtime image into a lean `release` (distroless
-    `cc-debian13`) and `debug` (`cc-debian13:debug`) target. The
-    `release` image keeps `/bin/busybox`, `/bin/su-exec`, and
-    `/usr/bin/jq` root-only (mode `0700`/`0500 root:root`); the
-    unprivileged `torrust` user gets `EACCES` on the entire toolset
-    after privilege drop. The `debug` target retains the upstream
-    `/busybox/` tree on `PATH` for interactive debugging.
-  - Extracts three helper binaries into their own workspace crates
-    with no transitive HTTP/TLS/async-runtime dependencies:
-    `torrust-index-health-check` (renamed from `health_check`),
-    `torrust-index-auth-keypair` (renamed from
-    `torrust-generate-auth-keypair`), and the new
-    `torrust-index-config-probe` (the same loader the application
-    uses, exposing the resolved schema/database/auth state as JSON).
-  - Splits Compose into a production-shaped
-    [`compose.yaml`](./compose.yaml) baseline (no `mailcatcher`, no
-    `tty`, dev ports bound to `127.0.0.1`, credentials referenced
-    as bare `${VAR}`) and an auto-loaded
-    [`compose.override.yaml`](./compose.override.yaml) supplying the
-    dev sandbox. Two `Makefile` targets (`make up-dev`, `make up-prod`)
-    wrap the documented invocation paths and validate required env
-    vars before any container starts.
-  - Adds `contrib/dev-tools/su-exec/AUDIT.md` recording provenance,
-    rationale, and a SHA-256-anchored append-only audit log for the
-    vendored `su-exec.c`. CI fails the build when the file changes
-    without a matching audit entry.
-
+- ADR-T-009: Container infrastructure refactor.
 - `torrust-index-config` workspace crate (`packages/index-config/`)
   containing the parsing surface of the configuration system: schema
   modules, validator, `load_settings`, `Info`, `Error`, the
   `CONFIG_OVERRIDE_*` / `ENV_VAR_CONFIG_TOML*` constants, and the
   permission value types (`Role`, `Action`, `Effect`,
-  `PermissionOverride`). Leaf crate \u2014 no `tokio`, `reqwest`,
+  `PermissionOverride`). Leaf crate — no `tokio`, `reqwest`,
   `sqlx`, `hyper`, `rustls`, `native-tls`, or `openssl` in its dep
   closure (ADR-T-009 Phase 3).
+- `torrust-index-cli-common` workspace crate
+  (`packages/index-cli-common/`) providing the shared P9 helper-binary
+  scaffolding: `refuse_if_stdout_is_tty`, `init_json_tracing`,
+  `emit<T: Serialize>`, and a common `BaseArgs` with `--debug`. Used
+  by every helper binary so each `main` is only domain logic
+  (ADR-T-009 §D5).
+- `torrust-index-config-probe` workspace crate
+  (`packages/index-config-probe/`) loading the same `Settings` the
+  application loads and emitting the resolved
+  schema/database/auth state as one JSON object on stdout. The entry
+  script consumes its output via `jq` and dispatches the auth-key /
+  database-seeding decisions; this eliminates the script-vs-application
+  parser drift that caused R3 (ADR-T-009 §D3).
+- `torrust-index-entry-script` test-only workspace crate
+  (`packages/index-entry-script/`) driving the sourced shell library
+  via `sh` subprocess and asserting exit codes / stderr contracts for
+  every branch of the auth-key invariants and the SQLite-seeding
+  outcomes (ADR-T-009 §D3).
+- Sourced POSIX `sh` library at
+  `share/container/entry_script_lib_sh` containing the entry script's
+  pure helpers (`inst`, `key_configured`, `validate_auth_keys`,
+  `seed_sqlite`). Shipped to `/usr/local/lib/torrust/entry_script_lib_sh`
+  (mode `0444 root:root`) and sourced — not exec'd — by the entry
+  script and by the host-side test crate (ADR-T-009 §D3).
+- Top-level [`Makefile`](./Makefile) with `make up-dev` (plain
+  `docker compose up`) and `make up-prod` (validates required
+  credential env vars, then runs `docker compose --file compose.yaml
+  up -d --wait` with the override excluded) (ADR-T-009 §D1).
+- [`compose.override.yaml`](./compose.override.yaml) auto-loaded by
+  Compose v2, re-introducing the `mailcatcher` sidecar, `tty: true`,
+  and permissive `${VAR:-default}` substitutions on top of the
+  production-shaped baseline (ADR-T-009 §D1).
+- `contrib/dev-tools/su-exec/AUDIT.md` recording provenance, choice
+  rationale (`su-exec` over `gosu`/`setpriv`), and a SHA-256-anchored
+  append-only audit log for the vendored `su-exec.c`. CI fails the
+  build when the file changes without a matching audit entry; there is
+  deliberately no calendar-based re-audit trigger for an unchanged
+  ~105-line POSIX C file (ADR-T-009 §D8).
+- `jq_donor` Containerfile stage installing `jq` (and its `libjq.so.1`
+  / `libonig.so.5` shared libraries) from a pristine `rust:slim-trixie`
+  base. Both runtime images copy `/usr/bin/jq` as `0500 root:root`,
+  invoked only during the entry script's pre-`su-exec` phase to parse
+  the config probe's and auth-keypair helper's JSON output. An
+  `ldd`-based allow-list assertion catches future transitive-dep
+  changes at build time (ADR-T-009 §D5).
+- `Info::from_env` constructor on `torrust-index-config`'s `Info`,
+  the JSON-safe sibling of `Info::new` that skips the diagnostic
+  `println!`s (so the config probe's stdout-only contract stays
+  intact) and filters empty-string env vars so a bare `${VAR}`
+  substituting to empty no longer reaches the deserialiser as
+  configuration TOML.
+- `pub const DEFAULT_CONFIG_TOML_PATH` re-export from
+  `torrust-index-config` so the entry script and the probe share a
+  single source of truth for the default in-container TOML location.
+- `# ENTRY_ENV_VARS:` / `# END_ENTRY_ENV_VARS` canonical manifest
+  block in `share/container/entry_script_sh`. CI extracts the
+  variable names and verifies every one is documented in
+  `docs/containers.md` (ADR-T-009 Acceptance Criterion #7).
 - `EXPOSE ${IMPORTER_API_PORT}/tcp` in Containerfile; port 3002 mapped in
   compose.
 - `restart: unless-stopped` on index and tracker compose services.
@@ -157,6 +187,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   `crate::services::authorization` for backwards compatibility. The
   `Permissions` trait and `PermissionMatrix` runtime policy stay in
   the root crate (ADR-T-009 Phase 3).
+- **BREAKING:** Entry-script `USER_ID` guard tightened from
+  `USER_ID >= 1000` to "is numeric and not `0`". The previous rule
+  encoded the wrong property and rejected valid configurations
+  (rootless Podman with subuid remapping, low-UID CI runners,
+  BSD-derived hosts). Operators who relied on the old guard to
+  reject low UIDs must enforce that policy at the orchestrator level
+  (ADR-T-009 §D7).
+- Runtime images split onto two parallel bases. `release` now builds
+  on the lean `gcr.io/distroless/cc-debian13` (was the `:debug`
+  variant) with a single `/bin/busybox` (mode `0700 root:root`) and a
+  curated set of applet symlinks; the unprivileged `torrust` user
+  gets `EACCES` on every applet after privilege drop. `debug`
+  retains the `:debug` base with `/busybox/` on `PATH` for
+  interactive debugging. Eliminates the R6 absolute-path bypass of
+  the curated subset (ADR-T-009 §D4).
+- `compose.yaml` restructured as a production-shaped baseline:
+  `mailcatcher` removed, `tty: true` removed, dev-only ports bound to
+  `127.0.0.1`, credentials referenced via bare `${VAR}` (no defaults,
+  no `:?required` assertion). The dev sandbox lives in the
+  auto-loaded `compose.override.yaml`. Plain `docker compose up`
+  continues to work for dev (ADR-T-009 §D1).
+- `API_PORT` and `IMPORTER_API_PORT` are no longer build-time `ARG`s.
+  Both keep their `ENV` defaults, which the listener and the
+  healthcheck honour at runtime; consumers no longer need to rebuild
+  the image to change a port (ADR-T-009 §D6).
+- `.containerignore` excludes `adr/` and `docs/` from the build
+  context (ADR-T-009 §D9).
+- Health-check binary rewritten without `reqwest`/`tokio`/TLS using
+  `std::net::TcpStream` + a minimal HTTP/1.1 GET (~30 lines), with
+  `set_read_timeout`/`set_write_timeout` for a short connect/read
+  window. Emits `{"target", "status", "elapsed_ms"}` JSON on stdout
+  on success; empty stdout + non-zero exit on failure
+  (ADR-T-009 §D5).
+- Auth-keypair helper emits `{"private_key_pem", "public_key_pem"}`
+  JSON on stdout instead of two raw PEM blocks. The entry script's
+  consumer migrated from `sed` PEM-block extraction to `jq`. The TTY
+  guard now exits with code 2 (was 1) to align with the shared
+  `refuse_if_stdout_is_tty` helper (ADR-T-009 §D5).
 - **BREAKING:** Raise MSRV from 1.85 to 1.88.
 - **BREAKING:** `administrator: bool` replaced by `role: String` in API
   responses (`TokenResponse`, `UserCompact`, etc.). The legacy `admin: bool`
@@ -245,6 +313,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+- `connect_url`, `token`, `[mail.smtp]`, and `[auth]` path entries
+  from every shipped TOML under `share/default/config/`. No
+  credentials and no environment-coupled values ship inside the image
+  (ADR-T-009 §D2). The `[auth]` paths are owned by the entry script
+  (§D3); `connect_url` and `token` are now mandatory at the schema
+  level.
+- `impl Default for Database` and the `default_database` /
+  `default_connect_url` serde-default helpers; the enclosing
+  `#[serde(default)]` on `TorrustIndex.database` was removed in the
+  same change so an absent `[database]` block also fails serde
+  validation (ADR-T-009 §D2).
+- `impl Default for Tracker`, `Tracker::default_token`, and the
+  enclosing `#[serde(default = "default_tracker")]` on
+  `Settings.tracker`. The `"tracker.token"` entry was also removed
+  from `mandatory_options` since the schema-level enforcement
+  supersedes it (ADR-T-009 §D2).
+- `impl Default for Settings` (the single ambient test fixture).
+  Tests now consume the shared `PLACEHOLDER_TOML` /
+  `placeholder_settings()` helpers from
+  `torrust_index_config::test_helpers` (`#[doc(hidden)] pub`).
+- `src/bin/health_check.rs` — superseded by the
+  `torrust-index-health-check` workspace crate
+  (`packages/index-health-check/`) (ADR-T-009 §D5).
+- `src/bin/generate_auth_keypair.rs` and the
+  `torrust-generate-auth-keypair` binary name — superseded by the
+  `torrust-index-auth-keypair` workspace crate
+  (`packages/index-auth-keypair/`) (ADR-T-009 §D5).
+- `/busybox/` directory from the `release` runtime image. The lean
+  `cc-debian13` base does not ship it, so the R6 absolute-path
+  bypass is eliminated by construction (ADR-T-009 §D4).
 - `admin: bool` field from `TokenResponse`, `LoggedInUserData`, and
   `TokenRenewalData` — superseded by `role: String` (ADR-T-008).
 - `UserCompact::is_admin()` convenience method — no longer needed after
 
@@ -123,7 +123,7 @@ RUN mkdir -p /app/bin/; \
 # Phase 4: per-binary modes. Application binary stays
 # world-executable; root-phase-only helpers (auth-keypair,
 # config-probe) tighten to root-only (0500 root:root) per
-# ADR-T-009 §6 / §7.3 — same posture as busybox, su-exec, jq.
+# ADR-T-009 §D4 / §D5 — same posture as busybox, su-exec, jq.
 RUN chown -R root:root /app; chmod -R u=rw,go=r,a+X /app; \
     chmod 0755 /app/bin/torrust-index; \
     chown 0:0  /app/bin/torrust-index-auth-keypair \
@@ -149,7 +149,7 @@ RUN mkdir -p /app/bin/; \
 # Phase 4: per-binary modes (see test_debug above for rationale).
 # The healthcheck binary is invoked from HEALTHCHECK, which
 # runs as root (no --user in the directive), so 0500 is
-# sufficient. The config-probe (ADR-T-009 §6 / §7) is invoked
+# sufficient. The config-probe (ADR-T-009 §D3) is invoked
 # only from the entry script's pre-su-exec phase, so it is
 # also root-only.
 RUN chown -R root:root /app; chmod -R u=rw,go=r,a+X /app; \
@@ -247,8 +247,8 @@ COPY --from=preflight_gate /tmp/.adduser-ok /tmp/.preflight-sentinel
 ENV PATH=/usr/local/bin:/bin:/usr/bin:/sbin
 # Materialise the curated applet set as symlinks to the
 # single root-only /bin/busybox. The applet list must match
-# §4.4 of the implementation plan — update both in the same
-# change.
+# the curated applet reference in ADR-T-009 §D4 — update
+# both in the same change.
 RUN ["/bin/busybox", "sh", "-c", \
      "for a in sh adduser addgroup install mkdir dirname chown chmod tr mktemp cat printf rm echo grep; do \
         /bin/busybox ln -s busybox /bin/$a; \
 
@@ -125,7 +125,7 @@ _Optionally, you may choose to supply the entire configuration as an environment
 TORRUST_INDEX_CONFIG_TOML=$(cat "./storage/index/etc/index.toml") cargo run
 ```
 
-_For deployment, you __should__ override the `tracker_api_token`:_
+_For deployment, you __should__ override the `tracker.token` (per ADR-T-009 §D2 it is mandatory; the shipped TOMLs no longer carry a default):_
 
 ```sh
 # Override secrets in configuration using environmental variables