v0.0.1 release

Author: Axodouble

.gitignore

@@ -0,0 +1,34 @@
+# Build artifacts
+/qu
+/qu-*
+/dist/
+*.exe
+*.test
+*.out
+
+# Go workspace / module cache (only relevant if vendored)
+/vendor/
+
+# Local node state — never commit anything that looks like a data dir
+/quptime/
+/etc/quptime/
+node.yaml
+cluster.yaml
+trust.yaml
+keys/
+
+# Compose / secrets
+.env
+.env.local
+*.local.yml
+*.local.yaml
+
+# Editor / OS scratch
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Test / coverage
+coverage.out
+coverage.html

CHANGELOG.md

@@ -0,0 +1,86 @@
+# Changelog
+
+All notable changes to this project are documented here. The format
+follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and
+this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [v0.0.1] — 2026-05-15
+
+Initial public release.
+
+### Added
+
+- **Quorum-based uptime monitoring.** Multiple cooperating nodes run
+  the same probes (HTTP, TCP, ICMP) and vote on the cluster-wide
+  truth. A check flips state only after two consecutive aggregate
+  evaluations agree (hysteresis), so single-node flake doesn't page
+  anyone.
+- **Deterministic master election.** Among the live members of the
+  quorum the lexicographically smallest NodeID wins — no negotiation
+  step, no split-brain window.
+- **mTLS inter-node transport** with TLS 1.3 minimum, SSH-style
+  fingerprint pinning, and a pre-shared `cluster_secret` gating the
+  Join RPC.
+- **Replicated `cluster.yaml`** carrying peers, checks, and alerts.
+  Master is the only writer; followers receive monotonic-versioned
+  snapshots and converge on the latest. Hand-edits to the file on any
+  node are picked up by the manual-edit watcher and forwarded through
+  the master.
+- **HTTP, TCP, and ICMP probes** with configurable interval,
+  timeout, expected status, and optional body-substring match. ICMP
+  defaults to unprivileged UDP-mode pings so the daemon can run as a
+  non-root user.
+- **SMTP and Discord alerts** with optional Go `text/template`
+  subject/body overrides per alert, default-attach mode (`default:
+  true`), and per-check opt-outs via `suppress_alert_ids`.
+- **Docker-friendly env-var configuration.** Every field in
+  `node.yaml` can also be supplied via a `QUPTIME_*` environment
+  variable; `qu serve` auto-initialises a fresh data volume from
+  these on first start, so `docker compose up` is enough to launch a
+  node.
+- **Interactive TUI** (`qu tui`) for peers, checks, and alerts with
+  live refresh.
+- **Hardened systemd unit** shipped via `install.sh`: dedicated
+  `quptime` user, `ProtectSystem=strict`, all capabilities dropped by
+  default.
+- **Multi-arch Docker images** (`linux/amd64`, `linux/arm64`)
+  published to `git.cer.sh/axodouble/quptime`.
+- **Static Linux binaries** (`amd64`, `arm64`) published per tag with
+  a `SHA256SUMS` file; the official installer verifies the checksum
+  before placing the binary on disk.
+
+### Security
+
+- Cluster secret is compared in constant time
+  (`crypto/subtle.ConstantTimeCompare`).
+- Self-signed RSA certs minted at `qu init`; SPKI SHA-256
+  fingerprints are what's pinned, matching the canonical OpenSSL
+  representation.
+- Private keys are written with mode `0600`; data and runtime
+  directories with `0700`/`0750`.
+- All `cluster.yaml` writes go through an atomic `tmpfile + rename`.
+- `install.sh` downloads the published `SHA256SUMS` and refuses to
+  install if the downloaded binary doesn't match.
+
+### Known limitations
+
+- **Cluster-wide secret distribution.** SMTP passwords and Discord
+  webhook URLs configured via `qu alert add …` are stored in
+  `cluster.yaml`, which is replicated to every node. Treat every node
+  as having read access to every alert credential. Restrict who can
+  reach the data directory accordingly. See
+  [docs/security.md](docs/security.md) for the threat model.
+- **No automatic key rotation.** Rolling a node's identity means
+  wiping its data directory, running `qu init` again, and re-adding
+  it from another node.
+- **No historical metrics.** Only the current aggregate state is kept
+  in memory. There is no built-in graph store, SLA calculator, or
+  audit log.
+- **Master-flap state.** Aggregator hysteresis state lives in
+  memory on the current master. When leadership changes the new
+  master starts from `StateUnknown` and re-accumulates hysteresis —
+  expect a few seconds of delayed alerting after a master switch.
+- **No release signing beyond SHA256SUMS** (no cosign / GPG).
+  Planned for a future release.
+
+[v0.0.1]: https://git.cer.sh/axodouble/quptime/releases/tag/v0.0.1

README.md

@@ -88,7 +88,7 @@ go build -o qu ./cmd/qu
 To stamp the version into the binary:
 
 ```sh
-go build -ldflags "-X main.version=v0.1.0" -o qu ./cmd/qu
+go build -ldflags "-X main.version=v0.0.1" -o qu ./cmd/qu
 qu --version
 ```
 
@@ -100,7 +100,7 @@ amd64 and arm64, and publishes them as a Gitea release with a
 `SHA256SUMS` file alongside.
 
 ```sh
-git tag v0.1.0
+git tag v0.0.1
 git push --tags
 ```
 
@@ -166,6 +166,15 @@ c0d4...  charlie.example.com:9901  true  2026-05-12T15:01:32Z
 
 ## Adding checks and alerts
 
+> ⚠️ **Alert credentials are replicated cluster-wide.** SMTP passwords
+> and Discord webhook URLs live in `cluster.yaml`, which is mirrored to
+> every node. Any node that can read its own data directory can read
+> every alert secret. Treat compromising one node as compromising every
+> alert credential, and restrict who can reach `$QUPTIME_DIR` on each
+> host (the hardened systemd unit and the Docker image both default to
+> `0700`/`0750`). See [docs/security.md](docs/security.md) for the full
+> threat model.
+
 ```sh
 # alerts first so checks can reference them
 qu alert add discord oncall --webhook https://discord.com/api/webhooks/...

docs/deployment/docker.md

@@ -9,8 +9,9 @@ daemon can bind privileged ports and open ICMP sockets; override with
 
 ```
 git.cer.sh/axodouble/quptime:master          # tip of main, multi-arch
-git.cer.sh/axodouble/quptime:v0.1.0          # tagged release
-git.cer.sh/axodouble/quptime:v0.1.0-amd64    # single-arch (if you must pin)
+git.cer.sh/axodouble/quptime:latest          # latest tagged release
+git.cer.sh/axodouble/quptime:v0.0.1          # specific tagged release
+git.cer.sh/axodouble/quptime:latest-amd64    # single-arch (if you must pin)
 ```
 
 The image embeds `QUPTIME_DIR=/etc/quptime` and declares it a volume —
@@ -24,7 +25,7 @@ For a development cluster or a single-node smoke test:
 # compose.yaml
 services:
   quptime:
-    image: git.cer.sh/axodouble/quptime:v0.1.0
+    image: git.cer.sh/axodouble/quptime:latest
     container_name: quptime
     restart: unless-stopped
     environment:
@@ -76,7 +77,7 @@ For local testing of the full quorum machinery without three machines:
 ```yaml
 # compose.yaml
 x-quptime: &quptime
-  image: git.cer.sh/axodouble/quptime:v0.1.0
+  image: git.cer.sh/axodouble/quptime:latest
   restart: unless-stopped
   cap_add:
     - NET_RAW
@@ -146,7 +147,7 @@ The natural unit is one compose file per host, each running one
 # /etc/qu-stack/compose.yaml
 services:
   quptime:
-    image: git.cer.sh/axodouble/quptime:v0.1.0
+    image: git.cer.sh/axodouble/quptime:latest
     container_name: quptime
     restart: unless-stopped
     environment:

docs/deployment/tailscale.md

@@ -51,7 +51,7 @@ services:
     restart: unless-stopped
 
   quptime:
-    image: git.cer.sh/axodouble/quptime:v0.1.0
+    image: git.cer.sh/axodouble/quptime:latest
     container_name: quptime
     environment:
       # host:port other QUptime nodes use to reach this one. Should be

docs/installation.md

@@ -79,7 +79,8 @@ registry on every tag and every push to `master`:
 
 ```
 git.cer.sh/axodouble/quptime:master   # tip of main
-git.cer.sh/axodouble/quptime:v0.1.0   # tagged release
+git.cer.sh/axodouble/quptime:latest   # latest tagged release
+git.cer.sh/axodouble/quptime:v0.0.1   # pinned release
 ```
 
 See the [Docker deployment guide](deployment/docker.md) for compose