Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • BionicGPT Adversarial Analysis: Complete codebase review (8,244 lines across 18 files)

  • BionicGPT Concrete Recommendations: Prioritized improvement roadmap

  • Vault Integration Roadmap: Documented BionicGPT Vault integration as deferred task

    • Current state: .env files working, Vault diagnostics show 403 (permission issue)
    • Required fix: Update Vault Agent AppRole policy for services/production/bionicgpt/*
    • Priority: P2 (Nice-to-have), deferred until Vault-backed delivery needed
    • See ROADMAP.md
  • Consul ACL Auto-Enablement: eos sync --vault --consul now automatically enables Consul ACLs if disabled, with user consent

    • Preflight check detects ACL status before attempting integration
    • Offers to enable ACLs automatically with backup and rollback support
    • Use --force flag to enable ACLs without prompting
    • See docs/consul-vault-integration.md for details
  • New Helper Package: pkg/consul/config/acl_enablement.go

    • EnableACLsInConfig(): Modify Consul configuration to enable ACLs
    • BackupConfig(): Create timestamped backups before modification
    • ValidateConfigSyntax(): Verify HCL syntax after changes
    • RestartConsulService(): Restart Consul and wait for readiness
    • Automatic rollback if Consul fails to start after configuration change

Changed

  • BREAKING: Consul ACLs now enabled by default for new installations (changed from enabled = false to enabled = true)
    • Impact: New eos create consul installations will have ACLs enabled
    • Migration: Existing Consul installations are NOT affected
    • Rationale: Required for Vault-Consul integration, improves security posture
    • Default Policy: Changed from allow to deny (zero-trust model)
    • Rollback: Original configuration backed up automatically, restore with cp /etc/consul.d/consul.hcl.backup.TIMESTAMP /etc/consul.d/consul.hcl

Fixed

  • BionicGPT LiteLLM Health Check Failure (P0 - Breaking) - Fixed 2025-10-28

    • Root Cause: curl executable not found in ghcr.io/berriai/litellm:main-latest container
    • Impact: Health checks always failed, bionicgpt-app never started (stuck in "created" state), port 8513 inaccessible
    • Solution: Changed health check from curl to Python urllib (Python guaranteed in LiteLLM container)
    • Files: pkg/bionicgpt/install.go:913
    • Verification: Tested on vhost2 production - all containers healthy, port 8513 accessible
  • BionicGPT App Dependency Too Strict (P0 - Breaking) - Fixed 2025-10-28

    • Problem: App depended on litellm-proxy: service_healthy, so any health check issue blocked startup completely
    • Solution: Relaxed to service_started - app will retry LiteLLM connections internally (more resilient)
    • Rationale: Separation of concerns - health checks for monitoring, not blocking
    • Files: pkg/bionicgpt/install.go:952
  • BionicGPT Diagnostics Use curl Inside Container (P0 - Breaking) - Fixed 2025-10-28

  • BionicGPT Model Connectivity Tests Use curl (P1 - Important) - Fixed 2025-10-28

    • Problem: Model connectivity diagnostics used curl for POST requests (not available in container)
    • Impact: Model connectivity tests always failed with "curl not found"
    • Solution: Replaced curl POST with Python urllib HTTP POST request including HTTP code tracking
    • Files: pkg/debug/bionicgpt/diagnostics.go:1680-1708
    • Timeout: 10s (consistent with health checks)
    • Verification: Build passes, vet clean
  • BionicGPT Hardcoded Ports in Diagnostics (P1 - Important) - Fixed 2025-10-28

    • Problem: 4 hardcoded localhost:4000 port references prevented diagnostics from working with custom ports
    • Impact: Diagnostics would fail if user customized LiteLLM port
    • Solution: Replaced all hardcoded ports with bionicgpt.DefaultLiteLLMPort constant
    • Locations:
      • Line 881: Remediation message
      • Line 1452: Health check endpoint
      • Line 1481: Liveliness check endpoint
      • Line 1692: Model connectivity endpoint
    • Limitation: Diagnostics don't have access to runtime config (can't detect custom ports at runtime)
    • Comment Added: "PORT: Uses DefaultLiteLLMPort constant (diagnostics don't have access to runtime config)"
    • Verification: grep -n "localhost:4000" diagnostics.go returns no results
  • Issue: eos sync --vault --consul failed with "ACL support disabled" error

    • Root Cause: Vault-Consul integration requires ACLs, but default Consul config had acl.enabled = false
    • Solution: Preflight check now detects this and offers automatic remediation
    • User Experience: Clear error messages with actionable remediation steps

[v1.x.x] - Previous Releases

(Historical changelog entries go here)


Breaking Change Migration Guide

Consul ACL Default Change (v2.0)

Who is affected: Users who install Consul with Eos v2.0+

What changed: ACLs are now enabled by default

Before (v1.x):

eos create consul
# Config: acl { enabled = false, default_policy = "allow" }

eos sync --vault --consul
# Error: ACL support disabled

After (v2.0):

eos create consul
# Config: acl { enabled = true, default_policy = "deny" }

eos sync --vault --consul
# Success: ACLs already enabled, bootstrap proceeds

Migration for existing installations:

If you have Consul installed with ACLs disabled:

# Option 1: Automatic (recommended)
sudo eos sync --vault --consul
# Answer 'y' when prompted to enable ACLs

# Option 2: Automatic without prompting
sudo eos sync --vault --consul --force

# Option 3: Manual
sudo nano /etc/consul.d/consul.hcl
# Change: acl { enabled = true, default_policy = "deny" }
sudo systemctl restart consul
sudo eos sync --vault --consul

Rollback:

If you need to revert to ACLs disabled:

# 1. Restore backup
sudo cp /etc/consul.d/consul.hcl.backup.TIMESTAMP /etc/consul.d/consul.hcl

# 2. Restart Consul
sudo systemctl restart consul

# 3. Verify
consul members

Why this change:

  1. Security: ACLs provide access control and audit trails
  2. Compliance: Required for SOC2, PCI-DSS, HIPAA
  3. Vault Integration: Vault Consul secrets engine requires ACLs
  4. Best Practice: HashiCorp recommends ACLs for production

Support: