BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 21:26:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
BetterFrame/server/src/plugins/service-admin-http/routes-firmware.ts

253 lines
10 KiB
TypeScript
Raw Normal View History

feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
/**
* Admin firmware routes release upload, list, yank, per-kiosk push.
*
* Upload path supports:
* - browser multipart form ("upload from your machine")
feat(firmware): allow env import token
2026-05-20 03:02:12 +00:00
* - CI auto-import via Authorization: Bearer <token>. The token may be a
* DB-backed admin API key or the single-purpose BF_FIRMWARE_IMPORT_API_KEY.
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
* POST /api/admin/firmware/import with JSON {version, channel, arch,
feat(firmware): allow env import token
2026-05-20 03:02:12 +00:00
* release_notes, content_b64} so GitHub Actions can publish releases
* without a session.
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
*/
import { type H3, getRouterParam, readBody, createError } from "h3";
import { randomUUID } from "node:crypto";
import { htmlPage, htmlFragment } from "./html-response.js";
import type { AdminDeps } from "./index.js";
import {
FirmwarePage,
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
FirmwareRolloutsPage,
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
KioskFirmwarePanel,
} from "../../web-templates/admin-pages.js";
import { getCoordinator } from "../../shared/coordinator-registry.js";
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware
2026-05-14 05:38:18 +00:00
import { audit } from "../../shared/audit.js";
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
import type { FirmwareChannel } from "../../shared/types.js";
const ALLOWED_CHANNELS: ReadonlySet<FirmwareChannel> = new Set(["stable", "beta", "dev"]);
const ALLOWED_ARCHES = new Set([
"aarch64-unknown-linux-gnu",
"x86_64-unknown-linux-gnu",
"armv7-unknown-linux-gnueabihf",
]);
export function registerFirmwareRoutes(app: H3, deps: AdminDeps): void {
// ---- List page -----------------------------------------------------------
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
app.get("/admin/firmware", async (event) => {
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
const user = event.context.user!;
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const releases = await deps.repo.listFirmwareReleases();
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
return htmlPage(FirmwarePage({
user: user.username,
releases,
publicKeyPem: deps.firmware.publicKeyPem(),
}));
});
// ---- Human upload (multipart) -------------------------------------------
app.post("/admin/firmware/upload", async (event) => {
const user = event.context.user!;
const req = event.req;
const form = await req.formData();
const file = form.get("artifact");
if (!(file instanceof File)) {
throw createError({ statusCode: 400, statusMessage: "artifact file required" });
}
const version = String(form.get("version") ?? "").trim();
const channelRaw = String(form.get("channel") ?? "stable").trim();
const arch = String(form.get("arch") ?? "").trim();
const releaseNotes = String(form.get("release_notes") ?? "").trim() || null;
if (!ALLOWED_CHANNELS.has(channelRaw as FirmwareChannel)) {
throw createError({ statusCode: 400, statusMessage: `invalid channel '${channelRaw}'` });
}
if (!ALLOWED_ARCHES.has(arch)) {
throw createError({ statusCode: 400, statusMessage: `invalid arch '${arch}'` });
}
if (!/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(version)) {
throw createError({ statusCode: 400, statusMessage: `invalid version '${version}' (expected semver)` });
}
const buf = Buffer.from(await file.arrayBuffer());
const { sha256, signature } = deps.firmware.signBlob(buf);
const artifactPath = await deps.firmware.storeBlob(buf, sha256);
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const release = await deps.repo.createFirmwareRelease({
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
id: randomUUID(),
version,
channel: channelRaw as FirmwareChannel,
arch,
artifact_path: artifactPath,
size_bytes: buf.length,
sha256,
signature,
release_notes: releaseNotes,
uploaded_by: user.id,
});
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
await audit(deps.repo, event as any, "firmware.upload", {
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware
2026-05-14 05:38:18 +00:00
resource_type: "firmware_release",
resource_id: release.id,
metadata: { version, channel: channelRaw, arch, sha256, size: buf.length },
});
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
return new Response(null, { status: 302, headers: { location: "/admin/firmware" } });
});
// ---- CI auto-import (JSON, API-key-auth) --------------------------------
// Body: {version, channel, arch, release_notes?, content_b64}
// Server signs server-side (no client-side trust required for signing key)
app.post("/api/admin/firmware/import", async (event) => {
// Middleware already verified API key on /api/admin/* — admin scope
// checked there. No further auth needed here.
const body = await readBody<{
version: string;
channel: FirmwareChannel;
arch: string;
release_notes?: string;
content_b64: string;
}>(event);
if (!body?.version || !body.channel || !body.arch || !body.content_b64) {
throw createError({ statusCode: 400, statusMessage: "version, channel, arch, content_b64 required" });
}
if (!ALLOWED_CHANNELS.has(body.channel)) {
throw createError({ statusCode: 400, statusMessage: `invalid channel '${body.channel}'` });
}
if (!ALLOWED_ARCHES.has(body.arch)) {
throw createError({ statusCode: 400, statusMessage: `invalid arch '${body.arch}'` });
}
const buf = Buffer.from(body.content_b64, "base64");
if (buf.length === 0) {
throw createError({ statusCode: 400, statusMessage: "empty artifact" });
}
const { sha256, signature } = deps.firmware.signBlob(buf);
const artifactPath = await deps.firmware.storeBlob(buf, sha256);
const id = randomUUID();
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const release = await deps.repo.createFirmwareRelease({
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
id,
version: body.version,
channel: body.channel,
arch: body.arch,
artifact_path: artifactPath,
size_bytes: buf.length,
sha256,
signature,
release_notes: body.release_notes ?? null,
uploaded_by: null,
});
return { ok: true, release_id: release.id, sha256, signature };
});
// ---- Yank ---------------------------------------------------------------
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
app.post("/admin/firmware/:id/yank", async (event) => {
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
const id = String(getRouterParam(event, "id"));
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
await deps.repo.yankFirmwareRelease(id);
await audit(deps.repo, event as any, "firmware.yank", {
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware
2026-05-14 05:38:18 +00:00
resource_type: "firmware_release",
resource_id: id,
});
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
return new Response(null, { status: 302, headers: { location: "/admin/firmware" } });
});
// ---- Per-kiosk firmware settings ----------------------------------------
// POST channel + target_version (used by KioskFirmwarePanel form)
app.post("/admin/kiosks/:id/firmware", async (event) => {
const id = Number(getRouterParam(event, "id"));
const body = await readBody<Record<string, string>>(event);
const channelRaw = (body?.["channel"] ?? "stable").trim() as FirmwareChannel;
const targetRaw = (body?.["target_version"] ?? "").trim();
if (!ALLOWED_CHANNELS.has(channelRaw)) {
throw createError({ statusCode: 400, statusMessage: "invalid channel" });
}
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
await deps.repo.setKioskFirmwarePref(id, {
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
channel: channelRaw,
target_version: targetRaw ? targetRaw : null,
});
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const k = await deps.repo.getKioskById(id);
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
if (!k) {
return new Response(null, { status: 302, headers: { location: "/admin/kiosks" } });
}
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const releases = await deps.repo.listFirmwareReleases();
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
return htmlFragment(KioskFirmwarePanel({ kiosk: k, releases }));
});
// Push update now: server pings the kiosk via WS coordinator so it goes
// and pulls /api/kiosk/firmware/check immediately. The actual download
// happens kiosk-side over the existing kiosk_key channel.
app.post("/admin/kiosks/:id/firmware/push", (event) => {
const id = Number(getRouterParam(event, "id"));
const dispatched = getCoordinator().sendToKiosk(id, { type: "firmware_check" });
return { ok: true, dispatched };
});
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
// ---- Rollouts -----------------------------------------------------------
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
app.get("/admin/firmware/rollouts", async (event) => {
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
const user = event.context.user!;
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const rollouts = await deps.repo.listFirmwareRollouts();
const releases = await deps.repo.listFirmwareReleases();
const kiosks = await deps.repo.listKiosks();
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
return htmlPage(FirmwareRolloutsPage({
user: user.username,
rollouts,
releases,
kiosks,
}));
});
app.post("/admin/firmware/rollouts/new", async (event) => {
const body = await readBody<Record<string, string | string[]>>(event);
const releaseId = String(body?.["release_id"] ?? "");
if (!releaseId) throw createError({ statusCode: 400, statusMessage: "release_id required" });
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const release = await deps.repo.getFirmwareRelease(releaseId);
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
if (!release) throw createError({ statusCode: 404, statusMessage: "release not found" });
const percentage = clamp(Number(body?.["percentage"] ?? 100), 1, 100);
const targetsRaw = body?.["target_kiosk_ids"];
const targets: number[] = Array.isArray(targetsRaw)
? targetsRaw.map((s) => Number(s)).filter((n) => Number.isFinite(n))
: typeof targetsRaw === "string" && targetsRaw
? targetsRaw.split(",").map((s) => Number(s.trim())).filter((n) => Number.isFinite(n))
: [];
const user = event.context.user!;
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const rollout = await deps.repo.createFirmwareRollout({
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
id: randomUUID(),
release_id: releaseId,
target_kiosk_ids: targets,
percentage,
created_by: user.id ?? null,
});
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
await deps.repo.updateFirmwareRolloutState(rollout.id, "active");
await audit(deps.repo, event as any, "firmware.rollout.create", {
feat(server): audit log — schema, helper, admin UI, hooks for login/pair/firmware
2026-05-14 05:38:18 +00:00
resource_type: "firmware_rollout",
resource_id: rollout.id,
metadata: { release_id: releaseId, percentage, target_count: targets.length },
});
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
// Bump every targeted kiosk to check now (best-effort over WS).
const coord = getCoordinator();
if (targets.length === 0) {
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
const allKiosks = await deps.repo.listKiosks();
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
for (const k of allKiosks) coord.sendToKiosk(k.id, { type: "firmware_check" });
} else {
for (const id of targets) coord.sendToKiosk(id, { type: "firmware_check" });
}
return new Response(null, { status: 302, headers: { location: "/admin/firmware/rollouts" } });
});
app.post("/admin/firmware/rollouts/:id/state", async (event) => {
const id = String(getRouterParam(event, "id"));
const body = await readBody<{ state: string }>(event);
const state = body?.state;
if (state !== "paused" && state !== "active" && state !== "complete") {
throw createError({ statusCode: 400, statusMessage: "invalid state" });
}
feat(db): full async Repository conversion for PostgreSQL support Mechanical conversion of the entire data access layer from synchronous node:sqlite API to async DbAdapter interface. Enables PostgreSQL (PgAdapter) as a drop-in backend alongside SQLite (SqliteAdapter). Repository (2208 lines): - Constructor accepts DbAdapter instead of DatabaseSync - Internal _run/_get/_all/_exec helpers wrap adapter calls - All 155 methods converted to async, return Promise<T> - transact() uses adapter.transaction() (supports PG savepoints) 14 caller files updated (327 call sites): - routes-admin.ts: 202 repo calls + 6 async helper functions - service-api-http: 40 repo calls + async getClusterKey - routes-firmware.ts, routes-os-updates.ts, routes-auth.ts, routes-setup.ts, middleware.ts: all handlers made async - shared/auth.ts: resolveSession + revokeSession now async - shared/bundle.ts: generateBundle now async, .map→for..of loops - shared/pairing.ts: all 3 functions async - shared/audit.ts: audit() now async - shared/camera-health.ts: checkAll repo calls awaited - service-coordinator-ws: session + kiosk lookups awaited - service-store/index.ts: creates SqliteAdapter.fromExisting() SqliteAdapter gains static fromExisting(db) factory for wrapping an already-opened DatabaseSync (migrations run on raw db, then adapter wraps for Repository queries). tsc --noEmit: zero errors.
2026-05-23 00:07:44 +00:00
await deps.repo.updateFirmwareRolloutState(id, state);
feat(ota): phase 3 — rollouts + automated rollback Rollouts (server side): - /admin/firmware/rollouts page lists + creates campaigns. Pick release, target kiosk_ids (empty = whole channel), percentage (1-100). - Active rollouts override channel-latest in /api/kiosk/firmware/check. - Deterministic bucket via sha256(rollout_id:kiosk_id) % 100 — same kiosk consistently lands in the same bucket across re-checks. - Pause / resume / complete state controls. Rollback (kiosk side): - Before swap, kiosk writes firmware-applying.json marker. - After clean boot + first successful heartbeat, marker deleted. - New ExecStartPre hook (/usr/local/sbin/betterframe-firmware-rollback.sh) runs every service start; stale marker (>120s) + .prev present → restore .prev. Pairs with systemd's StartLimit to catch crash loops.
2026-05-14 05:28:20 +00:00
return new Response(null, { status: 302, headers: { location: "/admin/firmware/rollouts" } });
});
}
function clamp(n: number, lo: number, hi: number): number {
if (!Number.isFinite(n)) return lo;
return Math.max(lo, Math.min(hi, Math.floor(n)));
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
}
Reference in a new issue Copy permalink