Skip to content

Releases: NCNU-OpenSource/AADS

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 19 Jun 09:19
48980e8
v0.2.0 — execution hardening + docs overhaul + org migration

ExecutionProfile/PolicyCard, plan_sha256 drift detection, log-injection
defence; full doc correction pass; repo+GHCR migration to NCNU-OpenSource;
dashboard hardening; orphaned-code removal.

v0.1.6

Choose a tag to compare

@github-actions github-actions released this 04 Jun 02:27
8f010ef
fix(installer): fail fast with journal output when service won't start

Previously the installer ran systemctl status (informational), then
silently polled the HTTP API for 30 s before dying with a vague message.
On status=226/NAMESPACE or similar failures the user had no actionable
output and had to investigate manually.

Now: after install.sh exits, wait up to 15 s for aads-agent.service to
enter 'active'; if it doesn't, print the last 30 journal lines and die
immediately with a clear message.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

v0.1.5

Choose a tag to compare

@github-actions github-actions released this 04 Jun 02:25
7ffbcd7
fix(agent): make all ReadWritePaths optional with '-' prefix

/etc/nginx and /var/log/nginx lacked the '-' prefix, causing systemd to
fail with status=226/NAMESPACE when nginx is not installed on the target.
All service paths are now suppressed-if-missing so the agent starts
regardless of which services are present on the host.

Also remove 'After=nginx.service' — the agent doesn't depend on nginx
being active, only on the network being online.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

v0.1.4

Choose a tag to compare

@github-actions github-actions released this 04 Jun 01:39
60ee30b
fix: harden image pulls for unstable networks

Repeated CloudFront EOFs on multi-GB image blobs were exhausting the
default retry budget. Root cause: re-running 'docker compose pull'
discards a partially-downloaded blob, so retrying the whole pull never
makes progress on a single large blob that drops mid-transfer.

Three lower-level fixes:
  1. /etc/docker/daemon.json max-download-attempts=10 (merged via jq,
     preserves existing settings like DNS) — Docker's own per-blob retry
     inside a single pull, which DOES resume blob attempts
  2. COMPOSE_PARALLEL_LIMIT=1 — serialize pulls so all bandwidth goes to
     one blob, finishing it inside the connection's stable window
  3. Bump script-level pull retries 5 -> 8

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

v0.1.3

Choose a tag to compare

@github-actions github-actions released this 04 Jun 01:11
67dd896
fix: retry docker pull up to 5 times on network errors

layer1-filter image is ~2.8 GB (includes PyTorch) and can hit transient
EOF/network interrupts on slow or unstable connections. The pull step now
retries up to 5 times with a 5s delay between attempts, showing the last
error line on each failure. Auth errors (unauthorized/denied) still break
immediately and fall through to the local-build fallback.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

v0.1.2

Choose a tag to compare

@github-actions github-actions released this 04 Jun 00:49
93c7c18
fix: fallback to local build when GHCR pull is unauthorized

GHCR packages default to private even for public repos, causing
'unauthorized' errors on fresh servers. bootstrap-server.sh now:
  1. Tries docker compose pull from GHCR (fast, uses prebuilt images)
  2. On unauthorized error: shallow-clones the public repo, copies the
     already-generated .env, and runs docker compose up --build locally
  3. All other pull errors still die with the original message

The fallback builds take ~5 min on first run but require no GHCR auth.
Users can permanently fix this by making the 6 GHCR packages public at
https://github.com/bs10081?tab=packages

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 04 Jun 00:36
a7019cd
feat: add server curl|bash installer and bundle builder

dist/install-server.sh — curl|bash entry point for the server:
  Downloads aads-server.tgz from GitHub Releases, extracts to
  ~/aads (or /opt/aads for root), then runs bootstrap-server.sh.
  Supports AADS_INSTALL_DIR and AADS_RELEASE_BASE_URL overrides.

dist/build-server-bundle.sh — packages all server-side files into
  aads-server.tgz: docker-compose.prod.yaml, .env.example, config
  dirs (litellm, prometheus, grafana, layer0-collector, migrations),
  dist/ scripts, pi-agent/, and the prebuilt aads-agent.tgz so the
  dashboard can serve self-hosted agent installs out of the box.

CI: release-assets job now also builds and attaches aads-server.tgz
  and install-server.sh alongside the existing agent assets.

DEPLOYMENT.md: server section now leads with the HTTPS one-liner.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

v0.1.0

Choose a tag to compare

@github-actions github-actions released this 03 Jun 23:52
a7df295
feat: add one-click installer and server Docker bundle

On-Device Agent (curl|bash):
- dist/install-agent.sh: interactive full installer — apt deps,
  downloads agent payload from server, runs pi-agent/install/install.sh,
  registers node via /api/agents/register, installs Alloy log forwarder
- dist/build-agent-payload.sh: packages pi-agent/ into aads-agent.tgz
- pi-agent/alloy/config.alloy.tmpl: Alloy config template with
  __NODE_ID__/__LOKI_URL__ placeholders filled at install time

Server Docker bundle (prebuilt registry images):
- docker-compose.prod.yaml: mirrors dev compose but pulls
  ghcr.io/bs10081/aads-* images; mounts ./dist into dashboard for
  self-serve agent installer downloads
- dist/bootstrap-server.sh: interactive server bootstrap — generates
  secrets, writes .env, builds agent payload, compose pull+up, verifies
  DB, prints ready-to-paste agent install command
- .github/workflows/build-images.yml: builds and pushes 6 service
  images to GHCR on tag push; attaches agent payload to releases

Supporting changes:
- dashboard/app.py: add /install-agent.sh and /aads-agent.tgz static
  routes so targets download payload from the server without external net
- .env.example: add AADS_IMAGE_REGISTRY/TAG keys for prod compose
- .gitignore: stop ignoring dist/ scripts; only ignore dist/aads-agent.tgz
- DEPLOYMENT.md: rewrite for one-click server-first → agent flow
- docs/lab-deploy-plan.md: track lab deploy plan (untracked file)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>