nas-burnin

brandon/nas-burnin

Fork 0

Commit graph

Author	SHA1	Message	Date
Brandon Walter	0ebc325746	docs: rename to NAS Burn-In + version bump in spec/context Some checks are pending Security scan / pip-audit (push) Waiting to run Details Security scan / bandit (push) Waiting to run Details Security scan / gitleaks (push) Waiting to run Details Security scan / mypy (push) Waiting to run Details Catches the README, SPEC, and CLAUDE.md that were missed in the 1.0.0-38 product rename. Infrastructure identifiers (paths, container, repo URL) deliberately stay as truenas-burnin. Also refreshes SPEC.md version (1.0.0-8 → 1.0.0-39) and CLAUDE.md last-updated stamp (1.0.0-12 → 1.0.0-39).	2026-05-03 18:53:33 -05:00
Brandon Walter	992e2c47b3	deps: pin transitive dependencies via lockfile (1.0.0-25) Some checks are pending Security scan / pip-audit (push) Waiting to run Details Security scan / bandit (push) Waiting to run Details Security scan / gitleaks (push) Waiting to run Details Closes the unpinned-deps gotcha that broke production once already (Starlette 1.0 shipping in 2026-04 changed the TemplateResponse signature; our floating requirements.txt picked it up on the next rebuild and the dashboard 500'd until 1.0.0-12 patched the call sites). Mechanics: * `requirements.in` — human-edited input, identical contents to the old `requirements.txt`. * `requirements.txt` — now an autogenerated lockfile (876 lines, every transitive pinned with sha256 hashes). Regenerated via `scripts/regenerate-lockfile.sh`, which runs `pip-compile --generate-hashes --strip-extras` in a clean python:3.12-slim container so the script has no host dependencies. * Dockerfile installs with `pip install --require-hashes` — refuses any package whose sha256 doesn't match the lockfile, defending against compromised PyPI mirrors and accidental version drift. Verification: * Container boots clean on the hash-locked install (1.0.0-25). * /health returns 200 with all checks green. * Daily security scan (pip-audit + bandit + gitleaks) returns 0 findings against the new lockfile. Future deps changes: edit requirements.in, run the regenerate script, review the diff, rebuild, commit both files. README §"Updating dependencies" walks through it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 17:15:02 -04:00
Brandon Walter	c589e3c8e5	docs: add README operator guide First operator-facing README. Covers quick start (build, configure, first-user login), the multi-drive batch workflow with concrete time estimates, the four drive-lock states with their confirm tokens, notable settings, daily report / notifications, ops cookbook (logs, user CLI, backups, /health probe, DB reset), and an honest "known gaps" list. Cross-references CLAUDE.md (architecture + rationale) and SPEC.md (per-version feature reference) for deeper docs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 11:08:42 -04:00

Author

SHA1

Message

Date

Brandon Walter

0ebc325746

docs: rename to NAS Burn-In + version bump in spec/context

Security scan / pip-audit (push) Waiting to run

Details

Security scan / bandit (push) Waiting to run

Details

Security scan / gitleaks (push) Waiting to run

Details

Security scan / mypy (push) Waiting to run

Details

Catches the README, SPEC, and CLAUDE.md that were missed in the
1.0.0-38 product rename. Infrastructure identifiers (paths,
container, repo URL) deliberately stay as truenas-burnin.

Also refreshes SPEC.md version (1.0.0-8 → 1.0.0-39) and CLAUDE.md
last-updated stamp (1.0.0-12 → 1.0.0-39).

2026-05-03 18:53:33 -05:00

Brandon Walter

992e2c47b3

deps: pin transitive dependencies via lockfile (1.0.0-25)

Security scan / pip-audit (push) Waiting to run

Details

Security scan / bandit (push) Waiting to run

Details

Security scan / gitleaks (push) Waiting to run

Details

Closes the unpinned-deps gotcha that broke production once already
(Starlette 1.0 shipping in 2026-04 changed the TemplateResponse
signature; our floating requirements.txt picked it up on the next
rebuild and the dashboard 500'd until 1.0.0-12 patched the call sites).

Mechanics:
* `requirements.in` — human-edited input, identical contents to the
  old `requirements.txt`.
* `requirements.txt` — now an autogenerated lockfile (876 lines, every
  transitive pinned with sha256 hashes). Regenerated via
  `scripts/regenerate-lockfile.sh`, which runs `pip-compile
  --generate-hashes --strip-extras` in a clean python:3.12-slim
  container so the script has no host dependencies.
* Dockerfile installs with `pip install --require-hashes` — refuses
  any package whose sha256 doesn't match the lockfile, defending
  against compromised PyPI mirrors and accidental version drift.

Verification:
* Container boots clean on the hash-locked install (1.0.0-25).
* /health returns 200 with all checks green.
* Daily security scan (pip-audit + bandit + gitleaks) returns 0 findings
  against the new lockfile.

Future deps changes: edit requirements.in, run the regenerate script,
review the diff, rebuild, commit both files. README §"Updating
dependencies" walks through it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 17:15:02 -04:00

Brandon Walter

c589e3c8e5

docs: add README operator guide

First operator-facing README. Covers quick start (build, configure,
first-user login), the multi-drive batch workflow with concrete time
estimates, the four drive-lock states with their confirm tokens,
notable settings, daily report / notifications, ops cookbook (logs,
user CLI, backups, /health probe, DB reset), and an honest "known
gaps" list.

Cross-references CLAUDE.md (architecture + rationale) and SPEC.md
(per-version feature reference) for deeper docs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 11:08:42 -04:00

3 commits