# Alpha

> The agent becomes a daemon. The dashboard learns to drive it.

URL: https://bkpdb.com/changelog/2026-04-22/
Date: 2026-04-22
Tag: alpha

---

## Agent

### Added

- Production CLI shape: `bkpdb enroll` (one-shot, token → identity) and `bkpdb run` (daemon), plus `bkpdb version`. Re-enrolling is a deliberate operator gesture; the identity directory must be removed first.
- Identity: Ed25519 keypair generated on the host, CSR built locally, certificate persisted alongside SQLite-backed durable state so in-flight job rows and identity survive a host restart.
- mTLS HTTP client that fetches identity per request and rotates on renewal.
- Daemon: heartbeat loop, state machine, halt-on-401, graceful shutdown that drains the worker pool.
- Worker pool: bounded-concurrency executor with a durable lifecycle; a recoverer reconciles stale in-flight rows on startup.
- Command handlers for `run_backup` and `run_restore`, plus result-reporting endpoints (`PostBackup`, `PostRestore`) that carry structured failure reasons back to the control plane.
- Certificate renewal goroutine, with a `ShouldRenewAt` decider and a renewal RPC that obtains a fresh certificate well before expiry.


## Control plane

### Added

- Database creation wizard. Five steps: connection, agent pick-or-install, storage destinations (one primary, optional mirrors), schedule rules, review. The agent step live-polls for fresh heartbeats so the operator can watch a freshly installed agent come up in the same tab.
- Storage destination probe: an end-to-end `head_bucket` → `put_object` → `get_object` (with byte match) → `delete_object` sweep, run synchronously at submit and exposed as an HTMX endpoint for the “Test now” button. Results are cached on the destination.
- Expanded storage form to every S3-compatible provider with a tested config, plus a generic custom-endpoint option.
- Agent certificate renewal endpoint and a CRL endpoint.