The build scripts hardcoded `docker` as the container runtime. This adds
auto-detection of docker or podman (preferring docker), with a
CONTAINER_CMD env var override.
On non-x86_64 hosts (e.g. Apple Silicon), podman/buildah ignores
--build-arg overrides for the BUILDPLATFORM predefined arg, so the
Dockerfile is patched in the build context to hardcode linux/amd64,
ensuring the correct base image is pulled for cross-compilation.
* fix: auto-recover USB gadget when host reconnects (#128)
When the USB host reboots or disconnects, the UDC state becomes
"not attached" and never recovers. Add automatic recovery that detects
this state and rebinds the USB gadget, with rate limiting to avoid
thrashing. Also refactor keyboard HID file handling to support
force-reopen after rebind.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: move USB recovery logic to internal/usbgadget package
Extract ShouldAttemptUSBRecovery and its retry interval constant into
the internal/usbgadget package so the logic is testable without
importing the top-level kvm package. Reset the recovery timer in
updateUsbRelatedConfig to prevent auto-recovery from interfering
during the host's USB re-enumeration window after a deliberate
config change.
Made-with: Cursor
* feat(e2e): add JSON-RPC data channel support to test hooks
Expose the WebRTC RPC data channel through test hooks and add a
sendJsonRpc helper that sends a JSON-RPC request over the channel
and resolves via callback with timeout handling. This enables e2e
tests to invoke backend RPC methods directly.
Made-with: Cursor
* refactor(e2e): restructure tests with remote-agent suite
Move device-level e2e tests (config-reset, EDID, HTTPS, HDMI sleep,
LED, mouse, USB attach timing, USB device) into a consolidated
remote-agent suite that runs through a Go-based agent binary. Add a
separate Playwright project for remote-agent tests.
- Remove standalone spec files now covered by ra-all.spec.ts
- Rename login-rate-limit to zz-login-rate-limit so it runs last
(avoids needing a post-test reboot to clear rate-limit state)
- Reorder welcome-password tests so validation runs first, reusing
the onboarding state and saving an SSH reset cycle
Made-with: Cursor
* refactor(e2e): clean up test helpers and reduce duplication
Consolidate all test helpers into a single helpers.ts file, removing
the separate ota-helpers.ts. This gives every test file a single import
source and eliminates duplicated code across the test suite.
Key changes:
- Merge ota-helpers.ts into helpers.ts (mock server, binary deployment,
device config, env var validation, triggerUpdate, withTempSignature)
- Remove duplicated rpc/restartAppViaSSH/waitForDeviceReady functions
from ra-all.spec.ts in favour of shared imports
- Extract loginAndOpenSettings helper in settings-local-auth tests
- Extract getOTAEnvVars, toPreReleaseVersion, triggerUpdate, and
withTempSignature to reduce boilerplate across OTA tests
- Remove unused verifyMouseWorks function and dead variables
- Strip redundant JSDoc that just restated type signatures
- Remove duplicated per-project use config from playwright.config.ts
(already inherited from top-level)
- Convert dynamic imports in sshExec to top-level imports
Made-with: Cursor
* refactor(e2e): move binary deployment into Playwright globalSetup
Replace the shell-script deployment logic with Playwright's
globalSetup/globalTeardown hooks. When BASELINE_BINARY_PATH is set,
globalSetup deploys the binary, resets device config, reboots, and
captures pre-test logs. globalTeardown captures post-test logs.
This keeps the deployment lifecycle inside Playwright where it belongs,
and reduces test_core_e2e.sh to a thin wrapper that sets env vars.
Made-with: Cursor
* fix: retry HID file reopen after USB gadget rebind
After rebinding the DWC3 USB controller, the kernel needs a moment to
create the /dev/hidg* device nodes. The previous code attempted to
reopen the keyboard HID file immediately after rebind, which raced
with the kernel and failed with "no such device or address".
Add a retry loop (up to 10 attempts, 200ms apart) to wait for the
device nodes to appear before reopening the keyboard HID file.
Made-with: Cursor
* fix: harden USB gadget recovery after UDC unbind
Reset stale HID gadget handles after rebind, suppress transient HID-open errors during detach windows, and fall back to full gadget reconfiguration when simple UDC rebind does not restore keyboard HID promptly. Strengthen the remote-agent USB recovery E2E to verify both keyboard and mouse input recover after unbind with retry tolerance for host-side input node churn.
Made-with: Cursor
* refactor: simplify USB HID error handling and reduce hot-path overhead
- Use errors.Is with syscall.Errno instead of string matching in
IsHIDTemporarilyUnavailableError (robust, zero-alloc)
- Cache USB state in usbReadyForHidReports instead of reading sysfs
on every HID report
- Extract rpcHidReport wrapper to deduplicate 5 rpc*Report functions
- Fix openWithTimeout goroutine/fd leak on timeout
- Add USBStateNotAttached/USBStateUnknown constants, replace literals
- Deduplicate discoverJetKVMDevices by delegating to listInputDevices
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: run remote-agent e2e tests when JETKVM_REMOTE_HOST is provided
Made-with: Cursor
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(ota): reject empty signature and require prerelease opt-in for bypass
Two OTA signature verification vulnerabilities:
1. Empty signature bypass: downloadSignature accepted a 0-byte response,
which caused verifyFile to skip GPG verification entirely via the
len(signature) > 0 guard. An attacker serving an empty .sig file
could bypass signature checks on any stable release.
2. Prerelease bypass without opt-in: shouldBypassSignatureCheck only
checked whether the remote version had a prerelease suffix, not
whether the device had opted into the dev channel. A compromised
server could push a version like "99.0.0-dev.1" to any device and
skip signature verification regardless of include_pre_release setting.
Fixes:
- downloadSignature now returns an error when signature bytes are empty
- shouldBypassSignatureCheck takes includePreRelease param and requires
it to be true before allowing prerelease bypass
Unit tests added for: empty signature, hash mismatch, non-200 sig
download, valid signature happy path, and prerelease opt-in table tests.
Made-with: Cursor
* test(e2e): add OTA signature edge case and prerelease rejection tests
Add wrong-key signature, empty signature, and prerelease-without-opt-in
E2E tests to catch signature bypass vulnerabilities on real devices.
Made-with: Cursor
* refactor(e2e): use Playwright projects and remove OTA shell scripts
Organize E2E tests into named Playwright projects (core, ota-signed,
ota-prerelease-unsigned, etc.) so each test suite can be run with
--project=<name>. Remove 5 OTA wrapper scripts that were just
boilerplate env-var setup, and inline them into the Makefile via a
shared OTA_ENV macro. Rename z-ota-* specs to ota-* now that ordering
is controlled by project selection, not alphabetical filename sorting.
Made-with: Cursor
* fix(ci): use Go 1.25 for golangci-lint to match build workflow
golangci-lint v2.1.6 (built with Go 1.24) panics when type-checking
code that requires Go 1.25. Align the lint workflow with build.yml
by using go-version: ^1.25.1 instead of oldstable.
Made-with: Cursor
* Implement GPG signature verification for OTA updates
- Added GPG signature verification to the OTA update process, ensuring that updates requiring signatures cannot be applied without them.
- Introduced a new GPGVerifier struct to handle fetching and verifying signatures.
- Updated the updateApp and updateSystem methods to check for signature URLs and download signatures as needed.
- Enhanced error handling for missing signatures and verification failures.
- Removed the old release.sh script as its functionality has been integrated into the Makefile for better release management.
* Add tests for GPG signature verification in OTA updates
* Refactor error message for missing GPG signature URL in OTA updates
* Refactor OTA update process to improve signature handling
- Introduced a new method for downloading component signatures, ensuring that updates requiring signatures cannot proceed without them.
- Updated the Makefile to allow E2E tests to optionally include OTA tests based on the SKIP_OTA_E2E variable.
- Enhanced the test_local_update.sh script to support signature file verification and inclusion during tests.
- Improved error handling for missing signature URLs and added context cancellation checks in GPG key fetching.
* Refactor GPG key caching to validate keyring before storing
* Update Makefile to enhance E2E test process with optional OTA signature verification
* Comment out non-working keyservers and update root key fingerprint
* Add Ubunutu keyserver
* Update root key fingerprint for GPG signature verification in OTA updates
* Add signed OTA E2E test and full E2E test suite to Makefile
- Introduced `test_e2e_signed` target for testing signed OTA updates with GPG signature verification.
- Added `test_e2e_full` target to run both regular and signed OTA tests, requiring a signing key fingerprint.
- Enhanced error handling for missing parameters in both test targets.
* Update IP address extraction in test_local_update.sh to exclude all localhost addresses
* Add GPG public key fetching tests with caching and error handling
* Enhance build and testing scripts for signed OTA updates
* Add fingerprint extraction and validation for GPG keys
* Simplify bypass mechanism of OTA signature checks
* Refactor E2E testing and release workflows
* Enhance OTA testing framework and scripts
* Improve local network IP detection in OTA helpers by implementing route-based detection as a primary method, falling back to interface scanning if necessary.
* Add support for unsigned OTA version testing
- Introduced a new script to test unsigned OTA updates with specific version checks.
- Updated Makefile to include the new test script for unsigned OTA.
- Enhanced existing E2E tests to validate version differences and ensure proper OTA behavior.
- Improved error handling for required environment variables in the testing framework.
* Update Makefile to include core E2E tests and enhance dev release validation
- Added `test_core_e2e.sh` script execution to both production and development release workflows.
- Improved user confirmation prompt before proceeding with the dev release.
- Added completion messages to indicate successful test execution and readiness for release.
* Enhance Makefile and testing scripts for improved OTA validation
- Added a new script execution for testing unsigned OTA updates in the Makefile.
- Updated E2E test configurations to exclude specific OTA tests and improve retry logic for video stream dimension retrieval.
- Refactored mouse round-trip tests to remove unnecessary settle time parameters.
* Final release confirmation of prod releases
* Cleanup OTA code: eliminate redundant parsing, TOCTOU, and duplication
- Remove double parseAndValidateKeyring call by threading validated
keyring through fetchFromSingleKeyserver → fetchFromKeyservers →
updateMemoryCache
- Extract getKeyring() helper to deduplicate VerifySignature and
VerifySignatureFromFile preamble
- Replace os.Stat+os.Remove TOCTOU pattern with direct os.Remove
ignoring os.ErrNotExist in downloadFile
- Remove unnecessary fs.existsSync in mock server handler; check
signaturePath variable directly
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* E2E: fix flaky tests, add unsigned OTA to dev test lane
- Fix mouse roundtrip flakiness by increasing MOUSE_SETTLE_MS (50→150ms)
- Export sshExec from helpers for ota-helpers.ts
- Reduce overly conservative delays (polling, animations, reconnects)
- Add waitForVideoDimensions helper with proper polling
- Improve ensureLocalAuthMode to try known passwords before SSH reset
- Add unsigned specific-version OTA test to `make test_e2e` target
- Build baseline + dev binary with pinned VERSION_DEV to avoid timestamp drift
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Remove stale dev_release checklist item from PR templates
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Enhance synctrace logging.
Switched the maps to be indexed by the .Pointer (not a string)
Grouped the lockCount, unlockCount ,and lastLock in an trackingEntry so we can detect unlocks of something that wasn't ever locked and excessive unlocks and also tracks the first time locked and the last unlock time.
Added LogDangledLocks for debugging use.
Added a panic handler to the Main so we can log out panics
* Switch to traceable sync for most everything
* More documentation
* Update internal/sync/log.go
* Update DEVELOPMENT.md
* Resolve merge issue.
* Applied review comments
* Restore --enable-sync-trace option.
* Use WithLevel so we can re-panic as desired
* Implement local update testing framework with Makefile integration and E2E tests
- Added `scripts/test_local_update.sh` for orchestrating local OTA update tests.
- Modified `Makefile` to include a new `test_e2e` target that builds the binary and calls the new script.
- Created `ui/e2e/local-update-flow.spec.ts` for end-to-end testing of the update process.
- Enhanced UI components with `data-testid` attributes for better testability.
- Introduced `getCurrentVersion()` helper function to retrieve the app version from the `/metrics` endpoint.
- Ensured cleanup processes are robust, even on failure or interruption.
* Update Makefile and E2E test scripts for improved OTA testing and version management
- Bump version from 0.5.1 to 0.5.2 in the Makefile.
- Modify `test_e2e` target to use DEVICE_IP from environment or prompt for input.
- Replace `test_release_on_device.sh` with `test_local_update.sh` for consistency in testing.
- Enhance `test_local_update.sh` to include stable version retrieval from GitHub and improve logging.
- Remove deprecated `local-update-flow.spec.ts` and streamline E2E tests for better coverage.
- Refactor helper functions for clarity and maintainability in test scripts.
* Refactor E2E test scripts and Makefile for improved clarity and functionality
- Update `Makefile` to streamline the `test_e2e` target by removing unnecessary dependencies and simplifying the Playwright installation command.
- Enhance `scripts/test_local_update.sh` by cleaning up logging, removing redundant output, and improving the structure for better readability.
- Update E2E test scripts to remove excessive console logging, ensuring a cleaner output during test execution.
- Refactor test steps for better organization and clarity, particularly in the OTA update flow tests.
- Adjust Playwright configuration to enable step printing for better visibility during test runs.
* Fix linting errors
* chore: update Makefile for improved build process and add testing commands
* chore: add git checks to dev_release for branch and status validation
* chore: enhance dev_release with gh CLI checks and release creation
* chore: update dev_release to use versioned tags for Git and GitHub releases
* chore: refactor deploy script to use version argument and improve deployment process
* chore: update Makefile to version 0.5.0 and enhance release process with confirmation prompts and version bumping
* chore: enhance release process in Makefile with pre-release checks and user confirmation for production releases
* chore: refactor build process in Makefile to streamline development builds with a dedicated inner target
* chore: simplify build_release target in Makefile by removing frontend dependency
* chore: enable automatic version bumping in Makefile by uncommenting git commands
* chore: add pre-release testing prompts in Makefile for both development and production releases
* chore: update Makefile and test_release_on_device.sh to implement a new testing flow for pre-release validation
* chore: update Makefile to ensure consistent version handling in build and release processes
Thiago Vinhas
Adam Shiervani
Marc Brooks
Aveline