The telemetry collector was comparing its own version against GitHub
instead of comparing the requesting census server's version. This caused
update notifications to fail when the collector and census server had
different versions.
Changes:
- Export IsNewerVersion function from version package
- Update telemetry collector to compare req.CurrentVersion against GitHub latest
- Add backward compatible isNewerVersion alias
This fixes the issue where census server 2.0.3 wasn't being notified
about updates to 2.0.4/2.0.5 even though the collector knew about them.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes the version check flow to properly track active installations:
- Server now checks for updates via telemetry collector (not GitHub directly)
- Version checks run on startup and daily at midnight
- Server caches results and exposes via /api/health endpoint
- UI now reads version info from server's /api/health (not collector directly)
- Telemetry collector can now accurately track active server installations
Backend:
- Add CheckViaCollector() function to internal/version/version.go
- Add checkForUpdates() and runDailyVersionCheck() in cmd/server/main.go
- Add getInstallationID() and getCollectorURL() helper functions
- Update /api/health endpoint to include latest_version, update_available, release_url
- Uses telemetry endpoint URL from database (falls back to community collector)
Frontend:
- Update UpdateBanner.tsx to use getHealth() instead of checkVersion()
- Update app/settings/page.tsx to use health endpoint for version checks
- Remove direct telemetry collector calls from UI
- Poll hourly instead of daily (server checks daily)
Flow:
1. Server → Telemetry Collector /api/version/check (startup + daily)
2. Collector → GitHub API (cached 24h) + records installation activity
3. Server → stores result in memory cache
4. UI → reads from server's /api/health endpoint
5. Collector → uses version_checks table for "active installations" chart
This ensures the collector accurately tracks active server installations
(not just browser sessions) for the analytics dashboard.
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implemented Server-Sent Events (SSE) to provide live progress updates
when checking multiple containers for updates, solving the "is it hung?"
problem for bulk operations.
Backend Changes:
- Add job tracking system (internal/api/update_jobs.go)
- Thread-safe UpdateJobManager for in-memory job state
- 1-hour TTL with automatic cleanup
- Incremental result storage as checks complete
- Modify bulk check handler to run asynchronously
- Returns job ID immediately instead of blocking
- Launches goroutine to perform checks in background
- Updates progress after each container check
- Add SSE progress endpoint (GET /api/containers/check-progress/{job_id})
- Streams progress updates every 500ms
- Sends 'progress' events with checked/total counts
- Sends 'complete' event with final results
- Add hourly cleanup goroutine to prevent memory leaks
Frontend Changes (Next.js):
- Create useUpdateCheckProgress custom hook
- Manages SSE connection lifecycle
- Parses progress and completion events
- Handles errors and cleanup gracefully
- Update BulkUpdateModal components (containers + NPM integration)
- Show animated progress bar (0-100%)
- Display live counter: "Checked X of Y containers"
- Smooth CSS transitions with 300ms duration
- Update API client to handle new response format
User Experience:
- Before: Static "Checking N containers..." with no feedback
- After: Real-time progress bar + counter, updates every 500ms
- Especially helpful for large batches (50+ containers)
Technical Details:
- Uses SSE over WebSockets (simpler for one-way communication)
- Non-blocking: UI remains responsive during checks
- Memory efficient: Jobs auto-cleanup after 1 hour
- Browser compatible: Works in Chrome, Firefox, Safari
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Backend:
- Add TrivyDBUpdatedAt field to AgentInfo model
- Update handleGetTrivyStatus to populate db_version from:
- Local scanner via GetTrivyDBMetadata() for unix hosts
- Agent info API for remote agent hosts
- Both now report actual DB timestamp instead of empty value
Frontend:
- Update TrivyDatabaseModal to format DB timestamp using formatDate()
- Update ScanHostSelectionModal to format DB timestamp
- Add formatDate helper function to ScanHostSelectionModal
- Display shows "18 hours ago" or "2 days ago" instead of "Unknown"
Fixes "DB: Unknown" issue in both Security plugin modals.
Now displays human-readable database freshness (e.g., "18 hours ago").
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add TrivyDBUpdatedAt field to agent Info struct
- Add GetTrivyDBMetadata() method to read Trivy's metadata.json
- Include trivy_db_updated_at in /api/vulnerabilities/summary response
- Agent /info endpoint now reports Trivy DB update timestamp
- Format: ISO 8601 timestamp (e.g., "2025-12-11T18:30:38Z")
Resolves "DB: Unknown" display issue in Security plugin modals.
Both local server and remote agents now report database freshness.
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes include:
- GetHostIDForImage method in storage with ORDER BY last_seen DESC
- Agent deployment script improvements
- Build time tracking in agent Dockerfile
- Additional vulnerability scanning infrastructure
These changes were made in previous session but not committed.
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Problem: Agent scans were failing with error:
'--skip-java-db-update' cannot be specified on the first run
Root cause: The agent was skipping Java DB updates whenever trivy.db
existed, but the Java DB (trivy-java.db) doesn't exist on first run.
Trivy requires the Java DB to be downloaded on first use before it
can be skipped.
Solution: Check for Java DB existence separately. Only add
--skip-java-db-update flag if trivy-java.db actually exists.
This allows first-time Java scanning while still preventing lock
conflicts on subsequent scans.
Fixes scans for images with Java components (e.g., frooodle/s-pdf,
nginx-proxy-manager, couchdb containers).
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Support ANY registry prefix (ghcr.io, gcr.io, quay.io, lscr.io, etc)
- Detect registry by checking for dot in first path segment
- Strip registry prefix as fallback attempt for all registries
- Add debug logging for registry detection
- Fixes scans for images from non-Docker Hub registries
Previously only handled docker.io and index.docker.io prefixes.
Now handles ghcr.io/selfhosters-cc/census-agent:latest,
lscr.io/linuxserver/qbittorrent, etc.
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Backend changes:
- Updated go.mod module path from github.com/container-census to
github.com/selfhosters-cc to match correct GitHub organization
- Updated all import paths across codebase to use new module name
- This fixes ldflags injection of BuildTime during compilation
- BuildTime now correctly shows in /api/health response
Frontend changes:
- Added build time badge next to version in header
- Shows date and time in compact format (e.g., "🔨 12/11/2025 8:06 PM")
- Hover shows full timestamp
- Only displays if build_time is not "unknown"
The build script already sets BuildTime via ldflags, but it was being
ignored because the module path in go.mod didn't match the ldflags path.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed POST /api/hosts/{id}/scan from async (202 Accepted) to
synchronous (200 OK). The endpoint now waits for the scan to complete
and saves all data before responding to the client.
Benefits:
- Frontend gets fresh data immediately after scan completes
- No race conditions between scan completion and loadData()
- No need for artificial delays in frontend
- Proper error handling if scan fails
The scan runs in the request context and responds with:
- 200 OK on success with container count
- 500 Internal Server Error if scan fails
- Validates host exists and is enabled before scanning
This ensures the UI always shows the correct container state after
start/stop/restart/remove operations.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements efficient UI updates after container actions by allowing
the frontend to trigger an immediate scan of a specific host instead
of waiting for the next automatic scan cycle.
Features:
- POST /api/hosts/{id}/scan endpoint
- Scans single host in background goroutine
- Returns 202 Accepted immediately
- Validates host exists and is enabled
- Saves scan results to database
This replaces the non-functional scanHost() frontend call with a
working backend endpoint, ensuring the UI updates immediately after
start/stop/restart/remove operations.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Always show "Manage Plugins" link in sidebar even when all plugins disabled
- Restore NPM plugin static page to avoid bundle.js 404 errors
- Remove npm from dynamic route generateStaticParams (uses static route)
- NPM plugin now properly uses its dedicated React component
- Graph and security plugins continue to use dynamic [pluginId] route
This fixes the issue where disabling all plugins made it impossible to
re-enable them, and resolves bundle.js loading errors for NPM plugin.
- Implemented external plugin architecture with gRPC-based communication
- Added plugin manager for lifecycle management (start, stop, healthcheck)
- Created protobuf definitions for plugin API and Census API
- Added plugin discovery and loading from data/plugins directory
- Plugin features: custom tabs, HTTP routes, frontend assets, settings
- Added plugin management UI in Next.js frontend
- Added plugin SDK for frontend integration with fetch proxy and toast notifications
- Included cache busting for plugin asset loading
- Support for enabling/disabling plugins via UI
- Automatic plugin process management and health monitoring
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixed:
- Image update detection now uses registry digest (RepoDigests) instead of
local image ID, eliminating false positive updates for containers already
running the latest image
- Multi-arch image timestamps now correctly fetched by resolving platform-
specific manifest (linux/amd64) from manifest lists
- Logout button hidden when authentication is disabled
- JS files served with no-cache headers to ensure updates are seen without
hard refresh
Added:
- Agent version display on Hosts page with version fetched on each scan
- Onboarding tour now re-shows on major/minor version upgrades to display
"What's new" information to returning users
Changed:
- Update progress UI shows "Pulling image..." immediately when update starts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit replaces the browser's native Basic Auth prompt with a
custom login page to improve user experience and avoid browser
credential caching issues.
Authentication Changes:
- Add gorilla/sessions for cookie-based session management
- Create login page with instructions for finding credentials
- Add logout button (🚪 icon) to navbar
- Root path (/) now redirects to /login.html when unauthenticated
- Maintain backward compatibility with Basic Auth for API clients
- Add SESSION_SECRET environment variable for session encryption
Implementation:
- internal/auth/session.go: Session middleware and management
- internal/api/auth_handlers.go: Login/logout HTTP endpoints
- internal/api/handlers.go: Updated routing with selective auth
- cmd/server/main.go: Session store initialization
- web/login.html: Login page with credential finding instructions
- web/login.js: Login form handling
- web/app.js: 401 redirect handling and logout function
- web/index.html: Logout button in navbar
Documentation:
- README.md: Added SESSION_SECRET to docker-compose example
- README.md: Added "Authentication Issues" troubleshooting section
- scripts/run-local.sh: Added auth prompt with qwerty credentials
Onboarding Tour:
- Restored "Join the Selfhosting Community" telemetry opt-in step
- Added updateTelemetrySettings() method
- Tour now has 5 steps including community contribution option
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The batch update endpoint was passing container.ID (short ID)
to RecreateContainer instead of container.Name, causing
"Container not found" errors during recreation.
Changed to use container.Name for consistency with the
single container update endpoint, which is more reliable
for Docker container inspection.
Fixes issue where bulk updates would fail with:
"Failed to update <container>: Container not found"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
### Fixed
- Remote agent image pull failures when updating containers
- Agent now pulls by image tag instead of digest
- Resolves "pull access denied for sha256" errors
- Applied to both single and batch update endpoints
- Toggle switch duplicate circles in notification rule modal
- Removed duplicate CSS pseudo-element
### Improved
- Update modal layout changed to card-based design
- Host badges on each update row
- Vertical information display prevents horizontal overflow
- Better readability on all screen sizes
- Dashboard layout more compact
- Quick Actions and System Health side-by-side on desktop
- Reduced spacing and font sizes throughout
- Responsive design for mobile
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The /api/health endpoint now accepts both GET and HEAD HTTP methods.
Previously it only supported GET, causing Docker's wget-based healthcheck
to fail with 404 errors when using --spider (which sends HEAD requests).
This fix ensures the container health status reports correctly in
Docker environments that use HEAD requests for health monitoring.
Tested and verified:
- wget --spider now returns 200 OK
- Container health status shows "healthy"
- Health endpoint still works with GET requests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added:
- Server: History tab showing a timeline view of when a container was first seen, image changes, state changes, etc
- Server: Test connection buttons when adding new agents
- Server: Database cleanup routine to remove scan details when it can be aggregated (no data lost for tracking trends)
- Telemetry collector: Database view to see more granular details about submissions, making debugging easier
- Added CHANGELOG.md
Fixed:
- Agent: API token persistence - was generating a new token each time
1. Added optional security to the UI for the server and telemtry collector
2. Expanded the telemetry being collected and the telemetry UI accordingly
3. Documentation update
4. Enhanced charting
Self Hosters