Skip to content

v1.5.0 — Observability, Dashboard Customization & Hardening#196

Open
s-b-e-n-s-o-n wants to merge 277 commits intomainfrom
feature/v1.5-observability
Open

v1.5.0 — Observability, Dashboard Customization & Hardening#196
s-b-e-n-s-o-n wants to merge 277 commits intomainfrom
feature/v1.5-observability

Conversation

@s-b-e-n-s-o-n
Copy link
Contributor

@s-b-e-n-s-o-n s-b-e-n-s-o-n commented Mar 22, 2026
edited
Loading

Summary

v1.5.0 brings real-time observability, a fully customizable dashboard, and significant hardening across the stack.

Highlights

  • Real-time container logs — WebSocket streaming with ANSI color rendering, JSON pretty-print, search/filter, pause/resume
  • System log streaming — Live WebSocket delivery with level and component filtering
  • Customizable dashboard — Drag-and-drop widget layout, resize, show/hide, progressive collapse at small sizes
  • Container resource monitoring — CPU/memory stats with ring-buffer history and Prometheus metrics
  • Debug dump endpoint — One-click diagnostics download with sensitive value redaction
  • Digest notification mode — Accumulate updates and send a single batch email on a cron schedule
  • Success toasts — Visual confirmation for every container action (update, start, stop, restart, scan, delete, rollback, trigger run)
  • View Containers navigation — Jump from Watchers/Agents detail panels directly to filtered container list
  • Trigger aliasesDD_ACTION_* and DD_NOTIFICATION_* prefixes alongside legacy DD_TRIGGER_*

Bug Fixes

Security

  • WebSocket origin validation and closed-socket error handling
  • Auth lockout with configurable threshold and expiry
  • Debug dump redacts sensitive environment variables

Infrastructure

  • CI workflow renames (drop numeric prefixes)
  • Stryker mutation testing dashboard reporting
  • .stryker-tmp gitignored + excluded from vitest
  • Security policy updated to latest-only

Test plan

  • 219 commits, all gitmoji conventional commit format
  • Full QA checklist (184/200+ items verified via Playwright + code review)
  • Lefthook pre-push: all 7 gates green (ts-nocheck, biome, qlty, build-and-test, e2e, e2e-playwright, clean-tree)
  • UI: 2054 tests passing, 100% coverage thresholds
  • App: 11700+ tests passing, 100% coverage thresholds
  • E2E + Playwright E2E passing
  • Docker build succeeds
  • All 11 open issues addressed (8 fixed, 2 config/awaiting user, 1 responded)

Closes #156, #180, #183, #184, #186, #187, #189, #192, #195, #200

🤖 Generated with Claude Code

@s-b-e-n-s-o-n
🐛 fix(prometheus): use string constants for metric names
2728434 
prom-client Counter/Histogram/Gauge types don't expose .name property.
Use named constants to avoid TypeScript errors on removeSingleMetric calls.
@s-b-e-n-s-o-n
🐛 fix(api): remove redundant flushHeaders from StreamableResponse
1ac820f 
Express Response already requires flushHeaders() — making it optional
in an extending interface causes TS2430.
@s-b-e-n-s-o-n
🔧 chore(ci): rename and restructure workflow files
8cefecd 
Number workflows for execution order clarity:
- 10-ci-verify.yml (was ci.yml) — PR/push verification
- 20-release-cut.yml (new) — manual tag creation
- 30-release-from-tag.yml (was release.yml) — tag-triggered release
- 40-security-codeql.yml (was codeql.yml) — SAST scanning
- 50-security-fuzz.yml (was fuzz.yml) — fuzz testing
- 55-quality-mutation.yml (new) — Stryker mutation testing
- 60-security-scorecard.yml (was scorecard.yml) — OpenSSF Scorecard
- 70-security-snyk.yml (new) — paid Snyk scans

Add commit message CI gate, dynamic workflow resolution,
version assertion, CHANGELOG validation, RC prerelease support,
and Snyk quota-gated scanning.
@s-b-e-n-s-o-n
🔧 chore(scripts): add CI gate and release automation scripts
3e31315 
- validate-commit-msg.mjs: lefthook commit-msg hook for gitmoji format
- validate-commit-range.mjs: CI gate for PR commit message validation
- commit-message.mjs: shared commit message parsing logic + tests
- extract-changelog-entry.mjs: extract versioned entry from CHANGELOG + tests
- qlty-check-gate.sh: qlty lint wrapper with scope control
- qlty-smells-gate.mjs: complexity/duplication advisory gate
- release-next-version.mjs: semver bump calculator from commit log + tests
@s-b-e-n-s-o-n
🔧 chore(security): add Snyk gate scripts and quota planner
3240a07 
- snyk-code-gate.sh: SAST scan wrapper with enforcement toggle
- snyk-container-gate.sh: container image scan with severity gate
- snyk-iac-gate.sh: infrastructure-as-code scan wrapper
- snyk-quota-config.json: centralized monthly quota configuration
- snyk-quota-plan.mjs: quota validator to stay within free tier + tests
@s-b-e-n-s-o-n
🔧 chore(test): add lefthook pipeline, E2E, Playwright, and load test …
fd2904d 
…infra

- lefthook.yml: full pre-commit/commit-msg/pre-push pipeline with
  clean tree gate, lint, build+test, E2E, Playwright (15m timeout),
  and blocking zizmor
- run-e2e-tests.sh: Cucumber E2E runner
- run-playwright-qa.sh: Playwright runner with Docker image cache
  (skips rebuild when image is newer than latest commit)
- run-playwright-qa-cache.test.sh: regression tests for cache logic
- check-load-test-regression.sh: load test baseline comparator
- test/load-test-baselines/: committed CI smoke baseline
- test/README.md: test infrastructure documentation
@s-b-e-n-s-o-n
🔧 chore(quality): add Stryker mutation testing and update dependencies
dd37088 
- app/stryker.conf.mjs, ui/stryker.conf.mjs: mutation testing configs
- Add @stryker-mutator/{core,typescript-checker,vitest-runner} to
  app and ui devDependencies with test:mutation scripts
- Add lefthook devDependency to root workspace
- Update .qlty/qlty.toml configuration
@s-b-e-n-s-o-n
✨ feat(app): add observability, release notes, and v1.5 backend features
e2b0787 
- Add structured logging with pino child loggers across all subsystems
- Add log sanitization for control characters and ANSI escapes
- Add release notes fetching and enrichment in watchers
- Add maturity tracking and suggested tag computation
- Add container filter extraction and handler group refactoring
- Add digest cache deduplication per poll cycle in registries
- Add oninclude auto-trigger mode for triggers
- Refactor Docker watcher into extracted modules (container processing,
  image comparison, event orchestration, runtime details, tag candidates)
- Fix Dockercompose test expectations for container full name format
- Add pre-commit-coverage.sh for staged-only coverage checks
- Update vitest config and coverage provider
@s-b-e-n-s-o-n
✨ feat(ui): add v1.5 dashboard, container detail, and config views
6b2b735 
- Add release notes link, maturity badge, and suggested tag components
- Wire maturity, suggested tag, and release notes into container views
- Add container logs, runtime stats panels, and filter bar
- Add announcement banner, notification bell, and security empty state
- Update all view components for v1.5 observability features
- Add ButtonStandard spec and auth service tests
- Update composables, services, and container mapper utilities
@s-b-e-n-s-o-n
📝 docs: update CHANGELOG, README, CI flow, and content for v1.5
d4ef7f0 
- Update CHANGELOG with v1.5 observability features and CI audit fixes
- Update README roadmap table and badges
- Update CONTRIBUTING guidelines
- Add cosign verification quickstart doc
- Add CI pipeline flowchart (docs/ci-flow.html)
- Add CI audit findings tracker (docs/audit-findings.html)
- Add agent prompt documentation
- Update website landing page
@s-b-e-n-s-o-n
🐛 fix(hooks): pass staged files to pre-commit coverage script
679957f 
The lefthook coverage command was missing {staged_files} in its run
directive, so the script received no arguments and always skipped.
@s-b-e-n-s-o-n
🔧 chore(lint): fix biome errors and pre-commit coverage script
fe48ef1 
- Remove unused imports from Docker watcher test files
- Add aria-hidden to decorative SVGs in docs HTML
- Add type="button" to buttons in audit-findings.html
- Fix formatting in scripts and demo helpers
- Remove --coverage from pre-commit hook to avoid global threshold
  failures on partial runs (full coverage enforced in pre-push)
@s-b-e-n-s-o-n
🔧 chore(hooks): split coverage into separate pre-push gate
bec0f52 
- Remove coverage from pre-commit (was blocking every commit with 80s runs)
- Build-and-test now runs tests WITHOUT --coverage for speed
- Add dedicated coverage gate (priority 6) with clear error output
- Write machine-readable .coverage-gaps.json on failure
- Gitignore .coverage-gaps.json and CLAUDE.md
- Renumber e2e/playwright/zizmor priorities (7/8/9)
@s-b-e-n-s-o-n
🔧 chore(coverage): exclude type-only and stub files from measurement
e506c3e 
- Add auth-types, openapi, release-notes/types, webhooks/types to excludes
- Add registry provider stubs (Artifactory, Forgejo, Gitea, Harbor, Nexus)
- Update vitest config assertion to match new exclusions
@s-b-e-n-s-o-n
♻️ refactor(app): simplify code paths and mark unreachable defensive …
6acdacf 
…branches

- Simplify error message extraction in container filters
- Remove unused descending param from sortContainersByName
- Simplify splitSubjectImageAndTag in webhook parsers
- Add v8 ignore comments for defensive fallbacks that cannot be
  reached through normal code paths (BaseRegistry, Registry,
  registry-dispatch, Docker trigger, Dockercompose trigger)
@s-b-e-n-s-o-n
💄 style(ui): add tag, file-lines, and external-link icons to bundle
06e0280
@s-b-e-n-s-o-n
✅ test: fill coverage gaps across all modules
6209a73 
- Add new test files: container filters, webhook shared parsers,
  GithubProvider release notes
- Expand coverage for agent API, container API, webhook parsers,
  registry dispatch, signature verification
- Cover BaseRegistry digest cache, Registry manifest resolution
- Cover tag filtering, suggestion engine, security scan edge cases
- Cover Docker/Dockercompose triggers, Pushover, self-update controller
- Cover watcher event orchestration, container events, tag candidates
- Update UI auth service specs
@s-b-e-n-s-o-n
🔧 chore(lint): fix qlty issues in shell scripts and config
990fdb8 
- Format shell scripts with shfmt
- Remove unused json_dir variable from coverage script
- Add shellcheck SC2016 directives for intentional single-quote blocks
- Remove stale yamllint comment from lefthook pre-commit section
- Remove unused biome-ignore suppression from env.d.ts
@s-b-e-n-s-o-n
🐛 fix(app): resolve pre-push typecheck regressions
619570d
@s-b-e-n-s-o-n
🐛 fix(ci): use /health for playwright QA readiness
43717ea
@s-b-e-n-s-o-n
🔒 security(ci): clear zizmor findings in GitHub workflows
fa3e0ef
@s-b-e-n-s-o-n
Merge branch 'main' into feature/v1.5-observability
3da5fb1 
# Conflicts:
#	.github/workflows/ci.yml
#	.github/workflows/release.yml
#	CHANGELOG.md
#	CONTRIBUTING.md
#	README.md
#	app/registry/index.test.ts
#	app/watchers/providers/docker/Docker.test.ts
#	app/watchers/providers/docker/Docker.ts
#	app/watchers/providers/docker/container-event-update.ts
#	content/docs/current/changelog/index.mdx
#	content/docs/current/configuration/watchers/index.mdx
#	lefthook.yml
#	package-lock.json
#	scripts/pre-push-build-test.sh
#	ui/src/components/containers/ContainersGroupedViews.vue
#	ui/src/router/index.ts
#	ui/src/views/dashboard/useDashboardData.ts
@s-b-e-n-s-o-n
test(docker): align normalizeContainer immutability tests with v1.5
53403d1
@s-b-e-n-s-o-n
test(playwright): harden QA health checks and selectors
d8058d7
@s-b-e-n-s-o-n
chore(qa): parameterize playwright stack runtime
b62246a
@s-b-e-n-s-o-n
Merge branch 'main' into feature/v1.5-observability
643d7e9 
# Conflicts:
#	.github/workflows/fuzz.yml
#	app/agent/api/container.ts
#	app/agent/api/trigger.ts
#	app/agent/api/watcher.ts
#	app/package-lock.json
#	app/vitest.coverage-provider.ts
#	app/watchers/providers/docker/Docker.ts
#	ui/package-lock.json
#	ui/src/views/DashboardView.vue
@s-b-e-n-s-o-n
🔧 chore(ci): update codeql-action pin to valid v4.33.0 commit
70ecbdd 
The previous pin (f0213c31) became an orphaned imposter commit after
GitHub force-pushed the v4 tag, causing Scorecard webapp verification
to reject SARIF uploads with "imposter commit does not belong to
github/codeql-action". Updated all 4 references across scorecard.yml
and codeql.yml to the current v4.33.0 tag commit (b1bff819).
@s-b-e-n-s-o-n
✨ feat(ui): add full-page container log viewer with WebSocket streaming
063c092 
- New ContainerLogsView.vue at /containers/:id/logs with container info header
- Route updated to use dedicated view instead of reusing ContainersView
- ContainerLogs component: copy button, search match nav hidden until searching
- Container detail panel log tab: proper viewport-height flex containment
- DetailPanel slot wrapper: flex column for child fill
@s-b-e-n-s-o-n
✨ feat(api): diagnostic debug dump + container log streaming docs
8f27bb3 
- Debug dump endpoint: GET /api/v1/debug/dump with redacted system state export
- Container log streaming docs: WebSocket endpoint documented with close codes
- Container log download docs: updated with gzip compression, stdout/stderr params
- App API docs: debug dump section, version example updated to 1.5.0
- Changelog docs: v1.5.0 entry added
- Log viewer config docs: rewritten for WebSocket streaming features
@s-b-e-n-s-o-n
🚀 release(v1.5.0): version bump, changelog, readme, website, docs
cd5825f 
- Bump app, ui, demo package versions to 1.5.0
- README badge → 1.5.0, roadmap v1.5.0 marked released
- CHANGELOG: full v1.5.0 entry with Added + Changed sections
- Website: homepage badge → v1.5.0, roadmap timeline updated, v1.5.1 marked next
- Sync-docs script: v1.5 as primary docs version
- Demo mock data: version bumped to 1.5.0
- v1.4 docs snapshot preserved in content/docs/v1.4/
@s-b-e-n-s-o-n
🔧 chore: add version field to root package.json for release workflow
ff36f91 
The release-from-tag workflow asserts tag version matches all three
package.json files. Root was missing the version field.
@s-b-e-n-s-o-n
🔧 chore(ci): increase release CI wait timeout to 20 minutes
eda422a 
CI verify takes 10-15 minutes. The release workflow was timing out
at 10 minutes (40 × 15s). Bump to 80 attempts (20 minutes).
@s-b-e-n-s-o-n
🔧 chore(ci): increase release CI wait to 25min with 60s poll interval
7dcae60 
CI verify consistently takes 18-20 minutes. Previous config polled
every 15s for 10 minutes — always timed out. Now polls every 60s
for 25 minutes (25 × 60s), matching actual CI duration.
@s-b-e-n-s-o-n
🔧 chore(ci): fall back to Unreleased changelog for pre-release tags
67a3999 
RC/beta/alpha tags don't have their own CHANGELOG heading. The release
workflow now tries the exact version first, then falls back to the
[Unreleased] section for pre-release tags (those containing a hyphen).
@s-b-e-n-s-o-n
🐛 fix(ci): allow extract-changelog to parse [Unreleased] heading
71563c2 
The strict date regex rejected headings without a date suffix.
[Unreleased] is valid Keep a Changelog format. Skip date validation
when the version is "Unreleased" so RC releases can fall back to it.
@s-b-e-n-s-o-n s-b-e-n-s-o-n deployed to release-publish March 23, 2026 23:05 — with GitHub Actions Active
@s-b-e-n-s-o-n
💄 style(ui): consolidate env + label deprecation banners into one
c7d9f27 
Merge the separate "legacy environment variables" and "legacy container
labels" banners into a single "legacy configuration aliases" banner.
Shows both env and label key previews in one place instead of stacking
two banners for the same concern.
@s-b-e-n-s-o-n
💄 style(ui): add outlined variant for action buttons
c5996ae 
Add 'outlined' AppButton variant with visible border so action buttons
are distinguishable from plain text. Applied to all buttons on the
container Actions tab (side panel and full-page) — Preview Update,
Update Now, Scan Now, Skip, Snooze, Maturity, Reset, and Rollback.
@s-b-e-n-s-o-n
✨ feat(ui): add Update action to container dropdown menu
c9be007 
The "More" overflow menu was missing the regular Update option.
Blocked containers see "Force update", non-blocked containers
with available updates now see "Update" with cloud-download icon.
@s-b-e-n-s-o-n
🐛 fix(ui): add toasts, confirmations, and loading guards to Actions tab
e8816f1 
- Policy actions (skip, snooze, unsnooze, maturity, clear): add
  success + error toasts via useToast()
- Clear Policy: add confirmation modal (severity: warn) before
  executing, since it removes skips + snooze + maturity at once
- Preview: add error toast on failure
- Rollback: add error toast on failure
- Trigger Run: add error toast on failure
- Clear Skips / Clear Policy: add policyInProgress disabled guard
  to prevent double-click during processing
- Tests: update mocks for confirmClearPolicy handler
@s-b-e-n-s-o-n
🔧 chore(ui): wire confirmClearPolicy through container template context
053954a 
Expose confirmClearPolicy in the template context so the side panel
and full-page Actions tab can use the confirmation-wrapped handler
instead of calling clearPolicySelected directly.
@s-b-e-n-s-o-n
✅ test(ui): add coverage for confirmClearPolicy handler
97f0752
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@biggest-littlest biggest-littlest Awaiting requested review from biggest-littlest biggest-littlest is a code owner

@ALARGECOMPANY ALARGECOMPANY Awaiting requested review from ALARGECOMPANY ALARGECOMPANY is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

The container is output multiple times in Trigger

1 participant

@s-b-e-n-s-o-n