lerko
61c28fac62
refactor(store): swap mattn/go-sqlite3 for modernc.org/sqlite
CI / test (pull_request) Successful in 2m0s
CI / lint (pull_request) Successful in 1m22s
CI / vulncheck (pull_request) Successful in 56s
Pure-Go SQLite driver — no CGO, no C compiler. Enables:
- static binaries (verified: `file` shows statically linked)
- cross-compile to linux/arm64, darwin/amd64+arm64, windows/amd64+arm64
- goreleaser now builds 6 OS/arch targets + windows .zip
- Dockerfile drops gcc/musl-dev, sets CGO_ENABLED=0
- release-binaries drops gcc/musl-dev
Driver name changes sqlite3 → sqlite, DSN pragmas use
_pragma=name(value) format. All tests pass CGO=0 and CGO=1 -race.
Homebrew cask block removed (was skip_upload:true dead config).
2026-06-11 13:10:05 -04:00
lerko
92efb8e270
fix(security): make SSH key revocation fail closed
CI / test (pull_request) Successful in 2m37s
CI / lint (pull_request) Successful in 56s
CI / vulncheck (pull_request) Successful in 51s
keyCache.Invalidate existed but had zero callers, and refresh silently
swallowed store errors — a revoked key kept working off the stale
cache for as long as the DB stayed down.
Invalidate now clears the key set (not just the timestamp) and is
wired through userInvalidatingStore, a decorator at the composition
root that drops the cache on AddUser/UpdateUser/DeleteUser/ImportData.
Transient refresh errors still retain the previous key set so a DB
blip can't lock every admin out, but a post-revocation refresh failure
denies. Refresh errors are logged. First tests for the SSH auth gate.
Also suppresses per-request HTTP logging when the local TUI owns the
terminal — request logs scribbled over the alt screen.
2026-06-11 12:26:40 -04:00
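The fail-closed behaviour that commit message describes, as an added sketch that is not uptop's own code: `KeyCache`, its fields, `Load` and `scenario` are hypothetical names, the fingerprint is constructed, and locking is left out to keep the block short.

```go
package main

import (
	"errors"
	"log"
	"time"
)

// KeyCache is a hypothetical, single-goroutine stand-in for the keyCache in the commit.
type KeyCache struct {
	keys    map[string]bool          // nil: nothing trustworthy is cached
	fetched time.Time                // last successful refresh
	TTL     time.Duration            // 0 means every lookup tries a refresh
	Load    func() ([]string, error) // store lookup (assumed signature)
}

// Invalidate drops the key set itself, so a failed refresh has no fallback.
func (c *KeyCache) Invalidate() { c.keys, c.fetched = nil, time.Time{} }

// Allowed refreshes an empty or expired cache, then checks fp against it.
func (c *KeyCache) Allowed(fp string) bool {
	if c.keys == nil || time.Since(c.fetched) >= c.TTL {
		if list, err := c.Load(); err != nil {
			log.Printf("key refresh failed: %v", err) // logged; any previous set is kept
		} else {
			c.keys, c.fetched = map[string]bool{}, time.Now()
			for _, k := range list {
				c.keys[k] = true
			}
		}
	}
	return c.keys[fp] // reading a nil map yields false: deny after Invalidate
}

// scenario replays the commit's sequence against a constructed store and key.
func scenario() (duringBlip, afterRevoke bool) {
	up, fp := true, "SHA256:constructed-admin-key"
	c := &KeyCache{Load: func() ([]string, error) {
		if !up {
			return nil, errors.New("store unavailable")
		}
		return []string{fp}, nil
	}}
	c.Allowed(fp) // warm the cache while the store is reachable
	up = false
	duringBlip = c.Allowed(fp) // refresh fails, previous set retained: still allowed
	c.Invalidate()             // what the store decorator does on DeleteUser
	return duringBlip, c.Allowed(fp)
}
func main() { log.Println(scenario()) }
```

If `Invalidate` reset only `fetched`, the last lookup would still find the old key set after the failed refresh and return true.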
lerko
771721abb4
fix(security): bump Go 1.26.3 → 1.26.4
CI / test (pull_request) Successful in 2m31s
CI / lint (pull_request) Successful in 55s
CI / vulncheck (pull_request) Successful in 51s
Fixes GO-2026-5039 (net/textproto) and GO-2026-5037 (crypto/x509).
2026-06-02 18:43:11 -04:00
lerko
32982228b0
fix(security): patch Docker Scout CVEs and remove unused openssh-client (#41)
CI / test (push) Successful in 2m34s
CI / lint (push) Successful in 46s
CI / vulncheck (push) Successful in 40s
## Summary
- Upgrade `golang.org/x/net` v0.54.0 → v0.55.0 — patches 6 CVEs including critical CVE-2026-41589 (CVSS 9.6)
- Remove `openssh-client` from Docker image — unused (uptop uses pure Go SSH), eliminates 4 CVEs
- Add `apk upgrade` to Dockerfile for remaining Alpine package CVEs
## CVEs Resolved
| CVE | Severity | Package | Fix |
|-----|----------|---------|-----|
| CVE-2026-41589 | 9.6 Critical | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2025-60876 | 6.5 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-42502 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-42506 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-25681 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-35414 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-25680 | 7.5 High | alpine/openssh | removed openssh-client |
| CVE-2026-35386 | 3.6 Low | alpine/openssh | removed openssh-client |
| CVE-2026-35387 | 3.1 Low | alpine/openssh | removed openssh-client |
| CVE-2026-35388 | 2.5 Low | alpine/openssh | removed openssh-client |
| CVE-2026-27136 | 6.5 Medium | alpine/busybox | apk upgrade |
## Not Addressed (not exploitable)
CVE-2026-35385 (charmbracelet/wish v1.4.7, CVSS 9.6) — path traversal in wish's SCP middleware. uptop does not use the SCP middleware, only wish core + bubbletea middleware. Vulnerable code path is never loaded. Migration to wish v2 tracked in #42.
## Test Plan
- [x] `go build ./...` passes
- [x] `go test ./...` passes
- [ ] Rebuild Docker image, re-scan with Docker Scout
Reviewed-on: #41
2026-05-30 00:33:20 +00:00
lerko
8f17deba67
chore: migrate module path to lerkolabs org
CI / test (pull_request) Successful in 2m39s
CI / lint (pull_request) Successful in 1m6s
CI / vulncheck (pull_request) Successful in 46s
Move Go module from gitea.lerkolabs.com/lerko/uptop to
gitea.lerkolabs.com/lerkolabs/uptop. Updates all imports,
go.mod, goreleaser owner, and README links.
2026-05-29 14:22:49 -04:00
lerko
b1935aa682
fix(deps): bump golang.org/x/crypto v0.47.0 → v0.52.0
CI / test (pull_request) Successful in 2m46s
CI / lint (pull_request) Successful in 1m12s
CI / vulncheck (pull_request) Successful in 56s
Fixes 7 vulns (GO-2026-5014 through GO-2026-5023) found by govulncheck.
Also bumps x/net, x/sys, x/text, x/sync, x/mod, x/tools to latest.
2026-05-26 20:20:23 -04:00
lerko
2cd3dcddb4
chore: bump Go 1.24.4 → 1.26.3, Alpine 3.21 → 3.23
CI / test (pull_request) Successful in 2m57s
CI / lint (pull_request) Successful in 1m11s
CI / vulncheck (pull_request) Failing after 1m1s
Go 1.24 EOL since Feb 2026. Fixes 33 stdlib vulns found by
govulncheck (database/sql, os/exec, net/http). Gets Green Tea GC.
2026-05-26 20:12:43 -04:00
lerko
9d12e3ecf1
chore: complete rename from go-upkeep to uptop
CI / test (pull_request) Successful in 4m26s
CI / lint (pull_request) Successful in 1m11s
- Module path: gitea.lerkolabs.com/lerko/uptop
- Binary: cmd/uptop/
- All imports updated to full module path
- Env vars: UPKEEP_* → UPTOP_*
- Prometheus metrics: upkeep_* → uptop_*
- Default DB: uptop.db
- Docker image: lerko/uptop
- All docs, compose files, CI updated
Only remaining "go-upkeep" reference is the fork attribution in README.
2026-05-24 20:20:35 -04:00
lerko
5b01b9ee30
feat(config): add config-as-code YAML import/export
Add declarative config-as-code support via YAML files. Monitors and
alerts can be exported, version controlled, and applied across instances.
- goupkeep export [-o file.yaml] dumps current state
- goupkeep apply -f file.yaml creates/updates to match desired state
- --dry-run shows planned changes without applying
- --prune deletes monitors/alerts not in the YAML
- Matching by name, alert references by name, nested group children
- CLI refactored to subcommands (apply, export, serve) with backward compat
- 24 tests covering apply, export, validation, round-trip idempotency
2026-05-15 20:40:49 -04:00
lerko
93fe372497
feat(monitor): add ping, port, and DNS check routines
Implement checkPing (pro-bing ICMP), checkPort (TCP dial), and checkDNS
(miekg/dns) with per-monitor timeout, configurable DNS record types,
and fallback defaults. Groups skip checks entirely.
2026-05-14 17:22:57 -04:00
lerko
02f0a39d97
feat: initial commit — uptime monitor (forked from go-upkeep)
Go-based uptime monitor with SQLite/Postgres storage, TUI dashboard,
SSH server, alerting, and clustering support.
2026-05-14 11:05:10 -04:00