* feat(sync-releases): show artifact details, verify GPG, allow custom rollout (#58)
* feat(sync-releases): show artifact details, verify GPG, allow custom rollout
The previous production prompt was a single y/N with no artifact context, no
way to override the hardcoded 10% rollout, and no signature verification. An
operator confirming a release this way had to trust that the right files were
in S3 and that the .sig was issued by the OTA root key — neither was visible.
Changes:
* Print full artifact summary before the prompt: URL, sha256, compatibleSkus,
and signature status for each artifact.
* Verify each .sig file with gpg --status-fd=1 and check the primary key
fingerprint against OTA_ROOT_KEY_FPR (mirrored from rv1106-system's
release_r2.sh). Reports valid / wrong-root / invalid / missing-pubkey /
gpg-unavailable / absent, with a loud WARNING line for wrong-root and
invalid signatures so the operator cannot miss them.
* Print the latest already-synced release of the same type before the prompt
so the operator can confirm this is the next expected version.
* Add an interactive rollout-percentage prompt with 10% default, validated to
0-100, replacing the hardcoded 10.
* Add an `a`/`abort` answer alongside y/N so operators can stop a multi-
release sync mid-run when they spot something wrong, instead of having to
N through every remaining version.
* Print the DB target and bucket as the first line of main() so a wrong
.env.production selection is obvious before any prompts fire.
* Print a final run summary with counters: created / skipped-by-user /
already-synced / no-artifacts, plus an "aborted at <type> <version>" line
when the run was cut short.
* Add `npm run sync-releases:production` script and ignore .env.production.
Verification path runs only when NODE_ENV=production, so non-prod runs and
the test suite never spawn gpg or download artifacts. All 52 existing tests
still pass; tsc build is clean.
* refactor: hoist objectKeyFromArtifactUrl into helpers
Both src/releases.ts and scripts/sync-releases.ts had their own copy of the
same URL-to-S3-key conversion. Moved into src/helpers.ts and imported from
both call sites so a future change (e.g. CDN path prefix handling) only needs
to land once.
* fix(sync-releases): only treat ERRSIG rc=9 as missing pubkey
GnuPG's ERRSIG line carries an `rc` reason code. rc=9 is the only one that
means "we don't have the signer's key" — rc=4 (unsupported algorithm) and
other codes are real verification failures. The previous implementation
collapsed every ERRSIG into noPubkey, which would have falsely told the
operator the OTA root key was missing when the actual problem was e.g. an
unsupported pubkey algorithm.
Now parses the rc field and surfaces non-9 ERRSIG codes as `invalid` with a
human reason (rc=4 → "unsupported algorithm", others → "gpg error code N").
* feat(releases): map recovery artifact filename per SKU (#59)
The system recovery endpoint hard-coded `update.img`, which is the
eMMC/RKDevTool image. The SDMMC variant ships as `update_sd.img.zip`
(a balenaEtcher-flashable archive), so requesting recovery for the
`jetkvm-v2-sdmmc` SKU returned the wrong artifact (or 404'd once SKU
folders were enforced). Drive the filename from a small per-SKU map
and reject unmapped SKUs with 400 so a typo can't silently fall back
to the wrong image.
After the getDefaultRelease SKU-compat fix, the default path was
graceful but the rollout-upgrade path stayed strict: if a device was in
the rollout bucket and the latest release lacked a compatible artifact
for the requested SKU, dbReleaseToMetadata still threw and 404'd the
whole request — even though responseJson already held a valid default.
Short-circuit the upgrade when the latest release has no compatible
artifact and update the regression test to assert the default is kept
instead of asserting the throw.
* feat: add SKU-aware OTA release artifacts
Persist OTA artifact URL/hash data separately from rollout state so stable release responses can choose artifacts by compatible SKU while release rollout remains version/type based.
* fix: select compatible OTA releases by SKU
Ensure stable release selection only considers releases with artifacts compatible with the requested SKU, and tighten tests around the DB-backed OTA contract.
* fix: match production OTA release responses
Only expose stable signature URLs that actually exist and preserve production's version-first SKU error behavior.
* fix: restrict legacy OTA artifacts and make sync create-only
Pre-SKU artifacts (no skus/ folder) are jetkvm-v2 only. Marking them
compatible with jetkvm-v2-sdmmc would brick devices that received
firmware predating their hardware. Future SKUs must opt in via an
explicit skus/<sku>/ upload.
sync-releases now skips releases already in the DB instead of upserting
them. This prevents routine sync runs from rewriting Release.url/hash
or appending duplicate ReleaseArtifact rows if R2_CDN_URL ever changes.
Backfills and repairs are left to one-off scripts.
* refactor: drop forceUpdate query parameter from /releases
The flag is no longer sent by any client. Routine update checks now
always go through the rollout-aware default-and-latest path, which is
what forceUpdate effectively short-circuited to. Removes one query
parameter, one branch in the handler, and the corresponding axis from
the compare-releases sweep.
* fix: skip incompatible defaults and parallelize stable DB lookups
getDefaultRelease previously picked the newest 100%-rolled-out release
without checking SKU compatibility. If that release lacked a compatible
artifact, the request 404'd downstream even though older 100%-rolled-out
releases had valid binaries for the SKU. It now filters to releases that
actually ship a compatible artifact before selecting the latest, falling
back to a 404 only when no compatible default exists.
The four DB lookups in the stable rollout-aware path are independent; run
them concurrently so background-check latency drops from ~4 round trips
to ~1.
* feat: serve optional GPG signature URLs for OTA releases
Resolve .sig file existence from S3 at response time and include
appSigUrl/systemSigUrl in the release payload when present. Works
across all code paths (prerelease, forceUpdate, rollout) and supports
backfilling signatures for older releases.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix releases sig URL cache typing
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Adam Shiervani
Nikita Sliusarev
Aveline
Noah Halstead
Siyuan Miao
thinkafterbefore