v0.2.7 — Security Hardening & Pipe Feature

🔒 Security

• 69 IDOR security tests across 12 test files covering every API endpoint
• Defense-in-depth: user_id parameter added to all DB delete/fetch functions (project, cloud, server)
• Cross-user isolation: list endpoints return only the authenticated user's resources
• CLI endpoint tests: 18 dedicated tests verifying stacker list, deploy, and destroy honor user boundaries
• Credential logging hardened: sensitive data no longer printed to server logs

🔧 Pipe Feature (Phase 1)

• stacker pipe list — query and display pipe instances with status, triggers, errors
• stacker pipe create — interactive flow: scan both apps, pick endpoints, auto-match fields, create template + instance
• stacker pipe activate — set pipe to active, send activate_pipe agent command with full config
• stacker pipe deactivate — pause pipe, send deactivate_pipe agent command
• stacker pipe trigger — one-shot pipe execution with optional JSON input
• PUT /api/v1/pipes/instances/{id}/status — new REST endpoint
• Agent command types: activate_pipe, deactivate_pipe, trigger_pipe with full validation (9 unit tests)
• 6 new client methods + 4 API request/response structs

🐛 Fixes

• Per-target deployment lock files prevent stacker deploy --target local from overwriting cloud deployment records
• Cloud credential duplicate-key error on repeated deploys
• Upstream validation fix for cargo dependencies

📊 Test Coverage

• 772 unit tests passing
• 69 integration security tests (skip gracefully without Postgres)
• 18 CLI endpoint IDOR tests

v0.2.6 — Kata Containers, Pipes, Audit, Marketplace

What's New in v0.2.6

🔒 Kata Containers Runtime Support

• runtime field on deploy_app / deploy_with_configs commands — values: runc (default), kata
• Server-side validation rejects unknown runtime values (HTTP 422)
• Capability gating: agents without kata feature are rejected before command dispatch
• --runtime kata|runc flag on stacker deploy and stacker agent deploy-app
• DB migration: runtime column persisted per deployment
• Vault: per-deployment runtime preference + org-level "must use Kata" policy
• Compose templates conditionally emit runtime: kata per service
• Hetzner CCX (dedicated-CPU/KVM) provisioning via Terraform + Ansible
• Full docs: docs/kata/ — setup guide, Hetzner KVM guide, network constraints, monitoring

🔗 Pipe (Container Linking) Foundation

• stacker pipe scan|create|list — connect containerized apps
• ProbeEndpoints agent command: auto-discovers OpenAPI, HTML forms, REST endpoints
• Two-level storage: pipe_templates (reusable) + pipe_instances (per-deployment)
• REST API: POST/GET/DELETE /api/v1/pipes/templates and /instances

📊 Agent Audit Ingest & Query

• POST /api/v1/agent/audit — receive audit event batches from Status Panel
• GET /api/v1/agent/audit — query audit log with filters
• Migration: agent_audit_log table

🛒 Marketplace Developer & Buyer Flows

• stacker submit — package and submit stack to marketplace
• stacker marketplace status|logs — track submissions
• Buyer install/download endpoints + agent self-registration

🔥 Firewall (iptables) Management

• MCP tools: configure_firewall, list_firewall_rules, configure_firewall_from_role
• Status Panel and SSH execution methods
• Public/private port rules with persistence

🐛 Fixes

• Casbin ACL: group_admin GET access to /admin/project/:id/compose

Full changelog: https://github.com/trydirect/stacker/blob/v0.2.6/CHANGELOG.md

v0.2.5

What's Changed

• Redeploy. FIX:Casbin policies use 'client' as the subject not numeric… by @vsilent in #125
• chore(deps): update postgres docker tag to v16.13 by @renovate[bot] in #85
• enrich service catalog, nginx proxy auto inject docker hub image by @vsilent in #124
• Feature redeploy lock by @vsilent in #127
• Add interactive cloud credential selection on stacker deploy --target cloud by @Copilot in #129
• Dev by @vsilent in #134

Full Changelog: v0.2.4...v0.2.5

v0.2.4

What's Changed

• Stacker cli, minimal requirements for deployment. by @vsilent in #112
• Cli by @vsilent in #113
• Ssh key by @vsilent in #115

Full Changelog: v0.2.3...v0.2.4

v0.2.3

What's Changed

• feat: add pricing columns to stack_template + enrich webhook payload by @vsilent in #106
• feat(mcp): Add Ansible roles management tools for SSH deployments by @vsilent in #105
• Dev by @vsilent in #107
• Cli by @vsilent in #114
• Feature ai chat driven by @vsilent in #111

Full Changelog: v0.2.2...v0.2.3

v0.2.2

What's Changed

• Issue 17 by @vsilent in #18
• Dev by @vsilent in #21
• Update README.md by @vsilent in #22
• Issue auth by @smart--petea in #23
• Issue auth by @smart--petea in #24
• Issue auth by @smart--petea in #27
• Merge dev by @vsilent in #32
• Bump h2 from 0.3.21 to 0.3.24 by @dependabot[bot] in #29
• Bump tracing from 0.1.39 to 0.1.40 by @dependabot[bot] in #28
• 30 access policies by @smart--petea in #36
• Issue 33 by @vsilent in #39
• 30 access policies by @vsilent in #40
• Issue 33 by @vsilent in #41
• Casbin debug by @smart--petea in #46
• Update README.md by @vsilent in #48
• Update README.md by @vsilent in #49
• Update README.md by @vsilent in #50
• Update README.md by @vsilent in #51
• 43 secure cloud tokens by @vsilent in #52
• 47 delete endpoints by @smart--petea in #53
• 54 parallel dockerhub requests by @smart--petea in #56
• 57 conditional rating serialization by @smart--petea in #58
• Dev by @vsilent in #59
• Configure Renovate by @renovate[bot] in #63
• Update Rust crate sqlx to 0.8.0 [SECURITY] by @renovate[bot] in #64
• Update Rust crate base64 to v0.22.1 by @renovate[bot] in #65
• Update Rust crate sqlx to 0.8.1 [SECURITY] by @renovate[bot] in #67
• Update actions/cache action to v3.5.0 by @renovate[bot] in #84
• Potential fix for code scanning alert no. 18: Cleartext logging of sensitive information by @vsilent in #95
• Update GitHub Artifact Actions (major) by @renovate[bot] in #90
• Rename is_plan_upgrade to is_plan_higher_tier by @Copilot in #98
• Extract parse_bool_env helper to deduplicate boolean parsing logic by @Copilot in #99
• Potential fix for code scanning alert no. 5: Cleartext logging of sensitive information by @vsilent in #100
• Feature user service refactoring by @vsilent in #94

New Contributors

• @dependabot[bot] made their first contribution in #29
• @renovate[bot] made their first contribution in #63
• @Copilot made their first contribution in #98

Full Changelog: v0.2.1...v0.2.2