Unreleased

2026-05-19

Unreleased

The agent pivots to bearer-token auth with sealed credentials. The control plane grows a verification pipeline and an alerts module.

AddedBearer-token authentication. The agent loads a token and a wrapping key from the environment, persists the wrapping key locally, and unseals the credentials envelope with AES-GCM at use time.
Addeddb_probe command handler: live database-connectivity checks dispatched through the same lifecycle as backup and restore. The probe result is reported back over PostProbe.
AddedBounded-concurrency worker pool with durable lifecycle. Inflight rows are reconciled on startup by the recoverer, and the daemon drains the pool on shutdown.
AddedEnd-to-end command handlers: BackupHandler, RestoreHandler, and the probe handler all run their respective run_* flows through the worker pool.
AddedHeartbeat dispatch. Pending jobs are parsed from the heartbeat response and run through the worker pool. No long-poll, no side channel.
AddedHalt-on-401 in Daemon.Tick: the daemon refuses to keep talking to a control plane that has revoked its token.
AddedSFTP fingerprint mode in the credentials wire shape, aligned with the server's expectations.
AddedOSS-prep: LICENSE, SECURITY.md, a bearer-aware HTTP client, and daemon entrypoint polish for the first public release.

ChangedCredentials wire shape aligned with the server's sealed-envelope format. crl_cache table dropped via a v1 to v2 state migration.
ChangedBinary registry. Published Postgres binaries are now sourced from a static-musl bash matrix.
ChangedCI: race-detector step runs with CGO enabled, golangci-lint upgraded to v2 with the real lint debt cleared, and the licensed gitleaks action replaced with a binary install.

AddedVerification module, server-side. A dedicated bkpdb-verification q-cluster runs a Docker-based pipeline against the latest backup. Trigger on successful upload, on-demand verify-now from the backup detail page, per-result detail page, and a policy config tab on the database detail.
AddedBoolean-returning SQL checks in the verification policy. statement_timeout is set via PGOPTIONS so a runaway query does not block the worker.
AddedAlerts module. Events with dedup, incidents with recovery, channel CRUD with address verification, per-database channel scope, and a policy/events/incidents dashboard.
AddedAlert channels: email via QueuedEmailBackend, Slack via incoming webhook. A handler registry routes events to the right one with retry and backoff.
AddedAlert wiring: backup, verification, and retention modules fire failed and recovered events. A still-failing reminder cron fires for incidents that have not recovered.
AddedRestore from backup detail page, and adhoc-target restore with cancel and polling.
AddedContainerised dev stack with separate webapp and worker services.

ChangedAgent auth: mTLS replaced with bearer tokens and sealed credentials. The operator picks agent_name at token issue, not on the agent host.
Changed/agent/v1/ and /api/v1/ surfaces force JSON responses.
ChangedHeartbeat pending_jobs entries include attempt so the agent can distinguish retries from first runs.
ChangedEnvironment variables renamed from DBCRATE_* to BKPDB_*.

FixedAlerts: record_event enqueues fan-out reliably, and the reconnect recoverer no longer crashes on an unparsable agent primary key.