Kiosk checks for stable firmware update before pairing. If available,
downloads + verifies + swaps binary and restarts. No auth needed.
Server: GET /api/firmware/public/check (stable channel, no auth)
GET /api/firmware/public/download/:id (rate-limited, no auth)
Kiosk: check_public() + apply_public() in firmware.rs. Called from
ui.rs worker thread before entering pairing loop. kiosk_app_version
made pub for access from ui.rs.
Also includes kiosk_id deserialization fix (Value instead of String).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Server returns kiosk_id as integer (not yet migrated to UUIDv7).
ClaimResp.kiosk_id changed from Option<String> to Option<Value>
to handle both integer and string. This was causing a panic on
deserialization after successful pairing.
Also simplified Coolify version arg.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Nested dollar-brace defaults dont resolve in Docker Compose.
Use COOLIFY_GIT_COMMIT directly which Coolify always provides.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
25% was too tight — firmware OTA writes to /opt/betterframe/kiosk/
on the rootfs and fills it. 50% headroom gives enough space for
the kiosk binary download + swap.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
routes-os-updates.ts used require() which fails in ESM. Changed to
dynamic import(). Also includes persistent event topic subscriptions
with status tracking (inactive/pending/active/failed), merge-only
refresh, and colored status dots in camera detail UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add camera_event_subscriptions table to track per-camera per-topic
subscription state (inactive/pending/active/failed). Refresh-events
handler now merges discovered topics instead of replacing, so topics
are never lost when a camera goes temporarily offline. Admin UI shows
colored status dots and last-event timestamps per topic, with a
"subscribe all inactive" button to queue subscriptions for kiosk pickup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Server returns {bf_kiosk_deleted: true} (200) instead of 401 when
kiosk key not found on bundle/heartbeat. Kiosk then confirms via
GET /api/kiosk/_check — only wipes config if _check also returns
401. Prevents proxy glitches from nuking valid kiosks.
Flow: bf_kiosk_deleted signal → confirm via _check → 401 = wipe,
200 = ignore (false alarm).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PG BOOLEAN columns cant compare with integer literals. Five
queries used enabled = 1 in WHERE, causing boolean = integer
operator error on kiosk auth, bundle fetch, and heartbeat.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PG returns JSONB columns as native JS objects, not strings.
j() helper only handled strings via JSON.parse, returning the
fallback for objects. Now passes through objects/arrays directly.
Fixes pairing extras (kiosk_key_plaintext), capabilities, scopes,
and all other JSONB fields.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PG driver returns TIMESTAMPTZ as JS Date objects. The s() and sn()
mapper helpers only checked for typeof string, returning null/empty
for Date objects. This broke consumed_at check in pairing (always
null), expires_at comparisons (Invalid Date), and all other
timestamp fields.
Now: Date instances are converted to ISO strings via toISOString().
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Repository _run/_get/_all now create child spans with db.statement
when an Observable is set via withObs(). Bundle generation and pairing
confirmation accept optional obs for span-based tracing. Key admin
route handlers (camera/layout/kiosk CRUD, cloud sync) log structured
info lines with actor and resource id. Kiosk API routes (heartbeat,
bundle, event, firmware check, OS check) log kiosk_id on entry.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
onError: always log.error regardless of status code.
onResponse: log info with response status + duration in ms.
claimPairing: debug changed to info (debug not working in BSB).
Timestamps tracked via _startMs on event context.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
If event.context.obs not set, fall back to init-level obs and
flag no request trace in error message.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
claimPairing now receives the request Observable and logs the
specific reason for pending (not_found/expired/not_consumed/
missing_key). Success logged at info level with kiosk_id.
All logs correlated via request trace.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
After successful claim, kiosk_id from server response is stored
globally and included in all subsequent Axiom log entries for
kiosk identification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Kiosk binary now forwards all tracing logs to Axiom when
BF_AXIOM_KEY + BF_AXIOM_DATASET are set at compile time via
option_env!(). Batches up to 50 entries or flushes every 10s.
No-op when keys not baked in (local dev builds).
CI build.yml passes secrets as env vars for cargo build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Static file path now uses BSB pluginCwd instead of import.meta.dirname.
Added info log with method+path on every request via per-request trace.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Each HTTP request gets a fresh BSB trace (not a child span of init).
onRequest creates trace, stores on event.context.obs. onError logs
with trace context. onResponse ends the trace. 4xx logged as warn,
5xx as error. H3EventContext typed with obs field.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both admin-http and api-http now log HTTP 500+ errors with status,
path, and error message to BSB observable (warn level). Makes
server-side errors visible in Coolify/container logs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- PARTUUID in cmdline.txt and fstab must be lowercase (initramfs
does case-sensitive match)
- BF_DATA partition now formatted as ext4 with label (was zeroed)
- Remove resize flag from cmdline.txt (breaks GPT layout)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SQLite INSERT OR IGNORE syntax not valid in PG. PG adapter now
auto-rewrites to INSERT INTO ... ON CONFLICT DO NOTHING. Fixes
attach layout, label assignments, and join table inserts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Desktop purge was using wildcard lx* which removed libwlroots
and cage as dependency. Now uses specific package names +
apt-mark manual cage to protect it from autoremove.
2. Per-user cursor theme for bfkiosk (~/.icons/default/index.theme).
3. Repartition disables auto_initramfs in config.txt (initramfs
cant resolve LABEL= roots). Also handles root=/dev/* format
in cmdline.txt sed replacement.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pi 5 bootloader needs config.txt on partition 1. Old layout had
BF_BOOTSEL there with only autoboot.txt. Now 5 partitions:
BF_BOOT_A(1), BF_BOOT_B(2), BF_ROOT_A(3), BF_ROOT_B(4), BF_DATA(5).
autoboot.txt on each boot partition for A/B tryboot switching.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pi-gen username/password config triggers firstboot wizard AFTER
custom stages — reinstalls userconf and undoes our purge. Removed
those params from pi-gen-action config. Now create bfadmin user
directly in chroot script with password expiry on first login.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Piwiz still appeared after package purge alone. Now:
1. Purge ALL desktop packages (lxde, labwc, wayfire, lightdm, xorg)
2. autoremove orphaned deps
3. Force systemd.unit=multi-user.target in kernel cmdline
No desktop = no piwiz. Period.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
setup_state.is_complete, cluster_key_provisioned, display.is_primary,
event_log.forwarded_to_nodered all had literal 0/1 in SQL strings.
PG rejects integer for BOOLEAN columns. Changed to ? params with
true/false values — SQLite adapter coerces to 1/0 automatically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Compose postgres uses POSTGRES_DB from BF_PG_DB. Dockerfile ARG
was BF_PG_DATABASE causing mismatch. PG error 3D000 db not found.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Was crashing silently during migration. Now logs which migration
index failed and the first 200 chars of the SQL before rethrowing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BSB bsb-plugin-cli build extracts schemas statically and cannot
resolve cross-file imports. Inlined the anyvali db config schema
in each plugin's ConfigSchema. Shared DbConfig type stays in
shared/db/config.ts (type-only imports work fine).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Package name changed from @betterframe/server to betterframe to
match BSB plugin path. Added nodered/package.json COPY so npm ci
can resolve the workspace dependency graph.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
EZVIZ: consumer Hikvision cameras via Open Platform API (appKey/appSecret).
Reolink: local HTTP API + RTSP (no cloud API available).
Eagle Eye Networks: OAuth2 cloud VMS with HLS relay URLs.
Each service plugin now independently initializes its own DB connection
via shared/db/init.ts instead of depending on a central service-store
plugin. This removes the inter-plugin dependency ordering and the
plugin-registry singleton, making each service self-contained.
- Move db-adapter, repository, mappers, migrations, adapters to shared/db/
- Create shared/db/config.ts (reusable dbConfigSchema) and init.ts
- Delete service-store plugin and plugin-registry
- Add db config block to each service's ConfigSchema + sec-config template
- Move event_log purge timer into service-admin-http
- Update all import paths across shared modules and plugins
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
node:sqlite rejects JS booleans as bind params. SQLite adapter now
converts true→1, false→0 before binding. Mirrors the PG compat
approach from the other direction.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
envsubst only handles ${VAR}, not ${VAR:-default}. The :-default
syntax is bash-only. Defaults come from Dockerfile ARG declarations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Base image: betterweb/service-base:9 (was :node which is v8)
- Plugin path: /home/bsb/node_modules/betterframe/ (flat pkg name)
- sec-config template: added package: betterframe to all 4 services
so BSB resolves plugins from the correct npm package
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
/mnt/bsb-plugins is declared as VOLUME in BSB base image. Build-time
COPY gets shadowed by empty anonymous volume at runtime. Use /home/bsb/
node_modules which BSB also searches and isn't a VOLUME.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BSB container mode searches /mnt/bsb-plugins/node_modules/ for
plugins. Moved built output from /home/bsb to the correct external
plugin path at /mnt/bsb-plugins/node_modules/@betterframe/server/.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BSB needs BSB_LIVE=true for production mode. Without it, warns about
non-production and tries to write sec-config.yaml (which is read-only).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BSB entrypoint at /root/entrypoint.sh runs as root and drops
privileges itself. Our USER node blocked access to entrypoint.
Removed USER root/node, use absolute COPY paths, let BSB own
the user lifecycle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sec-config.yaml is now generated at Docker build time from
sec-config.template.yaml via envsubst. Secrets come from Coolify
build args (set in UI, never in git). Template uses ${VAR:-default}
placeholders — safe to commit to public repo.
- sec-config.yaml removed from git, added to .gitignore
- sec-config.template.yaml added (public, no secrets)
- Dockerfile.server: ARGs for all config, envsubst generates config
at build time, result is chmod 444 (read-only)
- Coolify compose: removed sec-config volume mount (baked in now)
- For native installs: copy template to sec-config.yaml, fill values
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bind 0.0.0.0 (not 127.0.0.1) so services are reachable across
containers. Use Docker container hostnames (nodered, server, postgres)
instead of localhost. Added missing cookieName + totpIssuer to
api-http and coordinator-ws configs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Resolved coolify compose conflict — took remote bind mount pattern.
All paths now use /home/bsb (BSB container workdir, not /app).
Both compose files use bind mount for sec-config.yaml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dockerfile.server now uses betterweb/service-base:node as runtime
base instead of node:24-trixie-slim + manual bsb-plugin-cli. BSB
container handles entrypoint, user, plugin loading.
sec-config.yaml removed from Docker image — must be bind-mounted
at /app/sec-config.yaml. Both compose files updated with :ro mount.
All BF_* env vars removed from compose server service.
deploy/docker/sec-config.yaml deleted (was baked in, now mounted).
version.ts path updated for new workdir /app.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
