Skip to content

Releases: xencon/aixcl

AIXCL v1.1.61

Choose a tag to compare

@github-actions github-actions released this 14 Jul 18:11
df980f5

AIXCL v1.1.61

Release v1.1.61 -- Maintenance release: two GitHub Actions dependency bumps and an issue-authoring rail that validates custom issue bodies at creation time instead of at the merge gate.

What's New in v1.1.61

Added

  • ✅ Issue body validation in create-issue.sh: the wrapper accepts an optional body file and pipes it through the reference-style check before creation (same rail create-pr.sh already had); ci-checks.md gained an Issue Authoring section covering reference style and post-merge checkbox markers, in both rules mirrors (#1883).

Changed

  • ✅ softprops/action-gh-release 3.0.1 to 3.0.2: Dependabot workflow-action patch bump, merged to main and reconciled to dev (#1881).
  • ✅ lycheeverse/lychee-action 2.8.0 to 2.9.0: Dependabot workflow-action minor bump, same reconciliation (#1881).

Documentation


Full Changelog: v1.1.60...v1.1.61

AIXCL v1.1.60

Choose a tag to compare

@github-actions github-actions released this 12 Jul 03:20
5c6d425

AIXCL v1.1.60

Release v1.1.60 -- Detection and hardening release: alert state is now visible in Grafana, two new reconciliation checks guard profile contracts and shell obfuscation patterns (both caught real drift on their first run), and the app layer's eval sites are gone.

What's New in v1.1.60

Added

  • ✅ Alert state surfaced in Grafana: Alertmanager datasource makes Prometheus-evaluated alerts browsable in Grafana's Alerting UI; a Grafana-managed Scrape Target Down rule (up < 1 for 2m) covers the vanishing-exporter failure class directly; a Firing Alerts panel tops the system-overview dashboard. Closes the visibility gap behind the missed cadvisor profile drop (#1867).
  • ✅ Profile-vs-contract reconciliation check: ./aixcl checks profiles diffs PROFILE_SERVICES in config/profiles/*.env against the 02_profiles.md enumerations both ways, in checks all and CI. Found real drift on its first run: bld documented Alertmanager but did not carry it -- fixed in the same PR (#1865).
  • ✅ Shell obfuscation pattern check: ./aixcl checks obfuscation scans tracked shell code for pipe-to-shell, base64-to-shell, ANSI-C escapes, quote-split expansion, and eval without an inline eval-waiver justification; runs in checks all (11 checks) and a security.yml CI job (#1870).

Changed

  • ✅ App-layer eval sites removed: all 18 eval-echo dynamic variable reads in lib/aixcl/commands/app.sh (plus one in app_provision.sh) converted to bash indirect expansion; the two remaining parser evals apply shell-quoted parser output and carry verified eval-waiver comments (#1869).

Documentation


Full Changelog: v1.1.59...v1.1.60

AIXCL v1.1.59

Choose a tag to compare

@github-actions github-actions released this 11 Jul 15:07
14b17e9

AIXCL v1.1.59

Release v1.1.59

Documentation


Full Changelog: v1.1.58...v1.1.59

AIXCL v1.1.58

Choose a tag to compare

@github-actions github-actions released this 11 Jul 13:40
c2e3aec

AIXCL v1.1.58

Release v1.1.58 -- Observability stack refresh and continued least-privilege work: seven monitoring services updated in one batch, Ollama bumped to 0.31.2, the Open WebUI rootless Podman permission failure fixed, and cAdvisor reduced to a single capability.

What's New in v1.1.58

Changed

  • ✅ Observability stack batch update: Seven services bumped in one pass -- cadvisor v0.60.5, prometheus v3.13.1, alertmanager v0.33.1, grafana 13.1.0, node-exporter v1.12.0, postgres-exporter v0.20.1, nvidia-gpu-exporter 1.10.0. All patch/minor bumps with no breaking changes in upstream release notes (#1840).
  • ✅ Ollama 0.31.1 to 0.31.2: Inference engine patch bump; inference verified post-update (#1839).
  • ✅ cAdvisor capability tightening: cap_drop: ALL keeping only SYS_PTRACE, default seccomp profile restored (previously unconfined), and no-new-privileges added, mirroring the blackbox-exporter pattern. cAdvisor stays root by necessity for host-wide metrics; verified live with no metric regression against a 24h Prometheus baseline (#1847).
  • ✅ gitleaks install instructions updated: README.md install snippet moved from v8.21.2 to v8.30.1 (#1841).

Fixed

  • ✅ Open WebUI rootless Podman permissions: Volume writes failed under rootless Podman because the upstream USER_ID/GROUP_ID defaults collide with subordinate UID mapping; entrypoint now uses prefixed OPENWEBUI_USER_ID/OPENWEBUI_GROUP_ID (default 1000) following the proven pgAdmin pattern. Also corrects the nvidia-gpu-exporter tag (v1.10.0 to 1.10.0) and adds cadvisor to the sys profile per the profiles contract (#1845).

Documentation


Full Changelog: v1.1.57...v1.1.58

AIXCL v1.1.57

Choose a tag to compare

@github-actions github-actions released this 11 Jul 09:40
b737238

AIXCL v1.1.57

Release v1.1.57 -- Agent-platform efficiency and least-privilege sweep: per-session agent instruction payload cut 11%, a new container UID audit in check-env that caught and fixed a surplus-root exporter on its first run, and in-flight issue resumption for the agent work queue.

What's New in v1.1.57

Added

  • ✅ Per-container UID audit in check-env: ./aixcl utils check-env now reports the user each container's PID 1 actually runs as (read from the process table, not the image config), with a justified allowlist (cadvisor, nvidia-gpu-exporter), a warning on unexpected root, and a graceful skip when the stack is down. Unit-tested including the root-ollama regression case (#1674).
  • ✅ Agent queue resumes in-flight issues: /next-task now injects open issue-<N>/ PRs alongside the queue issue and follows an explicit resume path (no duplicate branches or PRs; act on review comments) instead of assuming every task is a fresh start.

Changed

  • ✅ Rules files slimmed to deltas: The security/workflow/formatting files in .claude/rules/ and .opencode/rules/ now carry only content absent from AGENTS.md/DEVELOPMENT.md, cutting the auto-loaded per-session agent payload by 441 words (11%) with no policy loss; CONTEXT.md descriptions updated to match.

Fixed

  • ✅ pgadmin cap restrictions removed: The pgAdmin entrypoint starts postfix and executes python3, which the capability hardening broke into a restart loop; cap restrictions and resource limits removed for pgadmin only (hotfixed on main 2026-07-10, reconciled to dev via sync PR).
  • ✅ blackbox-exporter runs as nobody: Found by the new UID audit on its first production run; the image's root default exists only for ICMP probes, which this HTTP-only deployment (with cap_drop: ALL) cannot use anyway.

Documentation


Full Changelog: v1.1.56...v1.1.57

AIXCL v1.1.56

Choose a tag to compare

@github-actions github-actions released this 10 Jul 01:06
a3ca871

AIXCL v1.1.56

Release v1.1.56 -- Container security hardening (resource limits, capability drops, non-root transitions) applied across the stack while preserving the runtime core invariant; Ollama inference engine remains fully runnable.

What's New in v1.1.56

Fixed

  • ✅ Container security hardening: Added CPU/memory/pids limits to all 23 services; cap_drop: ALL + minimal cap_add on open-webui/pgadmin; no-new-privileges:true on runtime core and UI services; read_only: true + tmpfs on vault/loki; cadvisor removed from sys profile (retained in bld).
  • ✅ Runtime core entrypoint compatibility: Removed read_only + tmpfs /tmp:noexec from ollama (conflicted with entrypoint chown on rootfs); removed read_only + tmpfs from open-webui (blocked setpriv user transition); removed no-new-privileges from open-webui/pgadmin (blocked setuid transition). All retain no-new-privileges on runtime core.
  • ✅ Stack status - curl failure handling: Fixed set -e exit on curl failures in aixcl stack status; all 19 services in sys profile now report correctly.
  • ✅ Agent queue label rename: agent-qwen renamed to agent for consistency.

Documentation


Full Changelog: v1.1.55...v1.1.56

AIXCL v1.1.55

Choose a tag to compare

@github-actions github-actions released this 09 Jul 21:28
203b5fb

AIXCL v1.1.55

Release v1.1.55 -- Concurrent stack operations can no longer corrupt each other: whole-stack lifecycle commands now serialize on a per-user lock, so a second overlapping run refuses cleanly instead of destroying the first run's Vault bootstrap state.

What's New in v1.1.55

Fixed

  • ✅ Stack Lifecycle Lock: two concurrent stack start runs raced each other's Vault KV artifact clearing and sidecar rm -f/run management, leaving crash-looping bootstrap agents and a degraded stack. stack start/stop/restart and utils prune/prune --all now acquire a PID-file lock keyed to the invoking user (flock was rejected after testing showed the held fd leaks into conmon behind detached containers); a second invocation exits non-zero naming the in-progress run's PID, command, and start time. Stale locks from SIGKILLed runs self-heal via a liveness check, and EXIT/INT/TERM traps release the lock on normal completion, Ctrl-C, and SIGTERM. Closes #1802.

Documentation


Full Changelog: v1.1.54...v1.1.55

AIXCL v1.1.54

Choose a tag to compare

@github-actions github-actions released this 09 Jul 03:50
0906fce

AIXCL v1.1.54

Release v1.1.54 -- First-run experience repaired end to end: a vanilla clone-to-running deployment no longer logs the Vault root token, no longer storms through container recreations during phased start, and stops Ollama gracefully instead of waiting out the kill timeout.

What's New in v1.1.54

Changed

  • ✅ Recreation Storm Regression Test: test-02-stack-start now fails if a stack start emits "name already in use" or "has dependent containers" errors, or unseals Vault more than once -- the observable symptoms of a compose recreation storm. Addresses #1788.

Fixed

  • ✅ Vault Root Token No Longer Logged: vault-init logged the plaintext root token during artefact verification because lookup-self returns the token itself as .data.id; the check now extracts and logs the audit-safe token accessor instead. Operators of existing installs should rotate the root token. Closes #1787.
  • ✅ Compose Recreation Storm on Phased Start: VAULT_TOKEN in the compose process environment changed podman-compose's interpolated config hash between start phases, forcing scoped down/up cycles that recreated healthy containers, double-unsealed Vault, and spewed "name already in use" errors; the token is now excluded from the compose environment and the two Vault agent sidecars are run directly. Closes #1788.
  • ✅ First-Run UX Polish: the missing-.env warning now points at ./aixcl stack init and stays quiet while init/start run; progress lines pad to end of line so shrinking counters leave no residue; the Vault sidecar image is derived from the compose pin instead of three hardcoded copies; and the Ollama entrypoint drops privileges with setpriv instead of su -, so PID 1 receives SIGTERM (graceful stop in under 1s instead of the 10s SIGKILL timeout) and compose-provided tuning variables reach the engine. Closes #1792.

Documentation


Full Changelog: v1.1.53...v1.1.54

AIXCL v1.1.53

Choose a tag to compare

@github-actions github-actions released this 07 Jul 06:07
f14390f

AIXCL v1.1.53

Release v1.1.53 -- Ollama model telemetry lands on the platform dashboard via a new json-exporter service, and the pr-ready merge gate learns to pass release-lifecycle checklists without manual exceptions.

What's New in v1.1.53

Added

  • ✅ Ollama Model Telemetry: new json-exporter operational service (pinned prometheuscommunity/json-exporter:v0.7.0, hardened) converts Ollama's /api/ps and /api/tags JSON into per-model Prometheus gauges; the platform dashboard AI row gains Models Loaded (honest zero when idle), Models Available, and a Loaded Model Memory panel charting total vs VRAM bytes per model. Registered in both profiles, the service registry, stack status, and docs. Closes #1768.

Fixed

  • ✅ Post-Merge Boxes Exempt from Merge Gate: ./aixcl checks pr-ready reports unticked checkboxes marked (post-merge) as informational instead of blocking, and release prep stamps the marker on release-lifecycle deliverables (tag pushed, release published, dev synced) that cannot be true before the release PR merges; documented in both rules mirrors and proven live on its own PR. Closes #1778.

Documentation


Full Changelog: v1.1.52...v1.1.53

AIXCL v1.1.52

Choose a tag to compare

@github-actions github-actions released this 07 Jul 05:37
4cc3cf5

AIXCL v1.1.52

Release v1.1.52 -- Observability repaired and merges gated: the platform dashboard is fully live via a new blackbox exporter probing Ollama and Open WebUI, a mandatory pr-ready merge gate lands in the CLI, and five CI/tooling defects are fixed.

What's New in v1.1.52

Added

  • ✅ PR Merge-Readiness Gate: new ./aixcl checks pr-ready <pr> command validates PR state, title format, assignee, component and taxonomy labels, unticked checkboxes on the PR and its linked issue, body reference style, and CI status before any merge; documented as mandatory in both rules mirrors and used to gate every merge in this cycle, including its own. Closes #1762.

Changed

  • ✅ Dependabot Buildx Bump: docker/setup-buildx-action raised from 4.1.0 to 4.2.0 in CI workflows; reconciled from main into dev ahead of this release. Closes #1770.
  • ✅ Models Loaded Placeholder Removed: the platform dashboard stat whose query was the constant 0 is gone; the AI Platform row is rebalanced to a symmetric 2x2 GPU grid, and real Ollama model telemetry is tracked in #1768. Closes #1767.
  • ✅ Yamllint Line-Length Wraps: Grafana provisioning YAML wrapped under the 160-character limit using folded scalars with byte-identical parsed values. Closes #1752.

Fixed

  • ✅ Platform Dashboard Panels Live: Ollama and Open WebUI health stats are now driven by probe_success from a new hardened blackbox-exporter operational service (pinned prom/blackbox-exporter:v0.28.0, registered in both profiles, stack status, and Prometheus scrape config), and the GPU Utilization query uses the correct exporter metric name. Closes #1765.
  • ✅ Apps Dashboard Directory Ships: grafana/provisioning/dashboards/apps/ is tracked via .gitkeep so the Grafana provisioner path always exists at container start; generated dashboard contents remain git-ignored. Closes #1760.
  • ✅ create-pr.sh Issue References: the PR template substitution keeps the leading hash, so Fixes #N references stay linked. Closes #1758.
  • ✅ Username Scan Exclusions: the hardcoded-username check excludes CHANGELOG.md history and the fork repository slug, which document real infrastructure rather than assignees. Closes #1756.
  • ✅ Agent-Context Reference Check Relaxed: files that defer to AGENTS.md inherit its cold-start reading list and are exempt from duplicate doc-reference warnings. Closes #1751.

Documentation


Full Changelog: v1.1.51...v1.1.52