feat: rootless podman, session hardening, boot stability, sidebar fix

Rootless podman migration (TASK-11):
- Remove sudo from all podman calls in PodmanClient + 8 backend files
- Remove sudo from all podman/docker calls in deploy script
- Restore full systemd security hardening: NoNewPrivileges,
  RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime,
  RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict
- Enable loginctl linger for rootless container persistence
- Remove Ollama from auto-deploy (marketplace-only)

Session & auth hardening:
- Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms)
- Debounced 401 redirect in rpc-client.ts (prevents redirect storms)

Boot stability:
- optimize-debian.sh: adds chrony, swap, removes policy-rc.d
- deploy script: pre-restart chrony + swap setup
- ISO build: chrony package, swap file creation
- BootScreen: no longer clears localStorage (prevents splash replay)
- RootRedirect: sole owner of localStorage clearing on server ready

UI fixes:
- Sidebar opacity default changed from 0→visible (fixes missing sidebar
  after page-persistence login without entrance animation)
- Console.log/error wrapped in import.meta.env.DEV guards
- Remove unused route import from RootRedirect

Beta tracking:
- CLAUDE.md: beta freeze protocol added
- MASTER_PLAN.md: TASK-11, TASK-17, phase structure
- BETA-PROGRESS.md: initial tracking doc
- Tagged v1.2.0-alpha.1 as pre-rootless baseline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-18 13:53:27 +00:00
parent 934d120243
commit 870ff095d8
48 changed files with 2979 additions and 2196 deletions

View File

@@ -306,8 +306,8 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
pub async fn rolling_container_restart() -> Result<RollingRestartReport> {
use std::process::Command;
let output = Command::new("sudo")
.args(["podman", "ps", "--format", "{{.Names}}"])
let output = Command::new("podman")
.args(["ps", "--format", "{{.Names}}"])
.output()
.context("Failed to list containers")?;
let names: Vec<String> = String::from_utf8_lossy(&output.stdout)
@@ -325,8 +325,8 @@ pub async fn rolling_container_restart() -> Result<RollingRestartReport> {
for name in &names {
debug!(container = %name, "Restarting container");
let restart = Command::new("sudo")
.args(["podman", "restart", "--time", "30", name])
let restart = Command::new("podman")
.args(["restart", "--time", "30", name])
.output();
match restart {
@@ -335,8 +335,8 @@ pub async fn rolling_container_restart() -> Result<RollingRestartReport> {
let mut healthy = false;
for _ in 0..12 {
tokio::time::sleep(std::time::Duration::from_secs(5)).await;
let check = Command::new("sudo")
.args(["podman", "inspect", name, "--format", "{{.State.Status}}"])
let check = Command::new("podman")
.args(["inspect", name, "--format", "{{.State.Status}}"])
.output();
if let Ok(out) = check {
let status = String::from_utf8_lossy(&out.stdout).trim().to_string();