add telegraf

Author: root

.github/branch-protection-guide.md

@@ -62,6 +62,7 @@ It is useful for early feedback, but it is not a merge-governance layer and shou
 Recommended use:
 
 - run lightweight lint, backend/frontend tests, and fast security checks on `push -> non-main branches`
+- include narrow, high-signal regression suites when a subsystem is expensive or noisy in the full backend matrix; current examples are `make test backend-iac` for the IaC refactor surface and `make test backend-software` for software catalog/executor contracts
 - do not treat `Dev Fast CI` as a required check for `main`
 - do not use it as a substitute for PR review or branch protection
 

.github/workflows/dev-fast-ci.yml

@@ -66,6 +66,12 @@ jobs:
       - name: Run fast backend tests
         run: make test backend fast
 
+      - name: Run focused IaC regression tests
+        run: make test backend-iac
+
+      - name: Run focused software regression tests
+        run: make test backend-software
+
       - name: Run frontend tests
         run: make test web
 

Makefile

@@ -1,6 +1,6 @@
 
 .PHONY: help install tidy build run test test-strict test-fast lint lint-strict lint-fast fmt fmt-strict fmt-fast check check-fast sec sec-strict sec-fast artifact-scan \
-	backend web backend-targeted fast strict build-local latest dev \
+	backend web backend-targeted backend-iac backend-software fast strict build-local latest dev \
 	image start stop restart logs stats delete rm kill-port redo \
 	openapi-gen openapi-merge openapi-check openapi-sync
 
@@ -51,7 +51,9 @@ help:
 	@echo "  make test backend         Run strict backend Go tests from backend/"
 	@echo "  make test backend fast    Run faster backend Go tests from backend/"
 	@echo "  make test web            Run web tests from web/"
-	@echo "  make test backend-targeted Run backend routes/secrets/migrations test set"
+	@echo "  make test backend-targeted Run the legacy mixed routes/secrets/migrations integration bundle"
+	@echo "  make test backend-iac     Run focused IaC domain + route regression tests"
+	@echo "  make test backend-software Run focused software catalog/executor regression tests"
 	@echo "  make test e2e            Run the full end-to-end suite entrypoint"
 	@echo "  make test e2e fast       Run the smoke E2E suite"
 	@echo "  make lint                 Run strict linters (golangci-lint, actionlint, eslint, web typecheck)"
@@ -310,9 +312,17 @@ else ifeq ($(QUALITY_SCOPE),web)
 		rm -f "$$log_file"
 	@echo "✓ Web tests completed"
 else ifeq ($(QUALITY_SCOPE),backend-targeted)
-	@echo "Running targeted backend tests..."
+	@echo "Running legacy mixed backend integration bundle..."
 	@cd backend && go test ./domain/routes ./domain/secrets ./infra/migrations -v
-	@echo "✓ Targeted backend tests completed"
+	@echo "✓ Legacy mixed backend integration bundle completed"
+else ifeq ($(QUALITY_SCOPE),backend-iac)
+	@echo "Running focused IaC backend tests..."
+	@cd backend && go test ./domain/iac ./domain/routes -run '^(TestService|TestIACRoutes)' -v
+	@echo "✓ Focused IaC backend tests completed"
+else ifeq ($(QUALITY_SCOPE),backend-software)
+	@echo "Running focused software backend tests..."
+	@cd backend && go test ./domain/software/catalog ./domain/software/executor -run '^(TestLoadServerCatalogComponentKeys|TestServerCatalogCanResolveAllEntries|TestResolveTemplateSubstitutesScriptEnv|TestServerCatalogCapabilityComponentMapConsistency|TestBuildManagedScriptCommand_EmbeddedScript|TestBuildManagedScriptCommand_EmbeddedScriptWithEnv)$$' -v
+	@echo "✓ Focused software backend tests completed"
 else ifeq ($(QUALITY_SCOPE),e2e)
 ifeq ($(QUALITY_MODE),fast)
 	@echo "Running E2E smoke suite..."
@@ -1007,7 +1017,7 @@ endif
 		echo "Error: fuser or lsof required"; exit 1; \
 	fi
 
-backend web backend-targeted fast strict build-local latest dev:
+backend web backend-targeted backend-iac backend-software fast strict build-local latest dev:
 	@:
 
 # Swallow positional args (e.g., make start 9092, make build backend)

backend/docs/openapi/api.yaml

@@ -6080,6 +6080,49 @@ paths:
             summary: Get monitor target series
             tags:
                 - Monitoring
+    /api/monitor/telegraf/write:
+        post:
+            description: Receives Influx line protocol payloads from managed-server Telegraf agents and forwards them to the embedded VictoriaMetrics Influx write endpoint. Authenticate with HTTP Basic Auth where username is the server record ID and password is the per-server monitor agent token issued during managed metrics collector setup.
+            operationId: post_api_monitor_telegraf_write
+            parameters:
+                - description: Basic base64(serverId:monitorAgentToken)
+                  in: header
+                  name: Authorization
+                  required: true
+                  schema:
+                    type: string
+            requestBody:
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/GenericRequest'
+                required: false
+            responses:
+                "204":
+                    description: No Content
+                "401":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/MonitorErrorResponse'
+                    description: Unauthorized
+                "413":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/MonitorErrorResponse'
+                    description: Payload Too Large
+                "502":
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/MonitorErrorResponse'
+                    description: Bad Gateway
+            security:
+                - bearerAuth: []
+            summary: Write Telegraf metrics
+            tags:
+                - Monitoring Ingest
     /api/monitor/write:
         post:
             description: Receives Prometheus remote-write protobuf payloads from managed-server Netdata agents. This endpoint is served by the AppOS backend and forwards accepted payloads to the embedded time-series database. Authenticate with HTTP Basic Auth where username is the server record ID and password is the per-server monitor agent token issued during Netdata install/update. Reverse-proxy forwarding headers used elsewhere for agent URL generation are parsed defensively only the first comma-separated host/port value is used and forwarded ports must be numeric.

backend/docs/openapi/ext-api.yaml

@@ -4561,6 +4561,48 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/MonitorErrorResponse'
+  /api/monitor/telegraf/write:
+    post:
+      tags: [Monitoring Ingest]
+      summary: Write Telegraf metrics
+      description: "Receives Influx line protocol payloads from managed-server Telegraf agents and forwards them to the embedded VictoriaMetrics Influx write endpoint. Authenticate with HTTP Basic Auth where username is the server record ID and password is the per-server monitor agent token issued during managed metrics collector setup."
+      operationId: post_api_monitor_telegraf_write
+      parameters:
+        - name: Authorization
+          in: header
+          description: "Basic base64(serverId:monitorAgentToken)"
+          required: true
+          schema:
+            type: string
+      requestBody:
+        required: false
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/GenericRequest'
+      security:
+        - bearerAuth: []
+      responses:
+        "204":
+          description: No Content
+        "401":
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MonitorErrorResponse'
+        "413":
+          description: Payload Too Large
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MonitorErrorResponse'
+        "502":
+          description: Bad Gateway
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MonitorErrorResponse'
   /api/monitor/write:
     post:
       tags: [Monitoring Ingest]

backend/docs/openapi/group-matrix.yaml

@@ -425,6 +425,7 @@ groups:
     apiType: Ext
     extSurface:
       - POST /api/monitor/write
+      - POST /api/monitor/telegraf/write
     nativeSurface: []
     sources:
       extRouteFiles:

backend/domain/iac/contracts.go

@@ -0,0 +1,36 @@
+package iac
+
+import (
+	"io"
+
+	"github.com/websoft9/appos/backend/infra/filesvc"
+)
+
+// ReadPort is the minimum filesystem capability needed for IaC read-side use cases.
+type ReadPort interface {
+	List(path string) ([]filesvc.Entry, error)
+	ReadFile(path string) ([]byte, filesvc.Entry, error)
+}
+
+// LibraryPort is the minimum read-only library capability needed for current IaC use cases.
+type LibraryPort interface {
+	ReadPort
+	Stat(path string) (filesvc.Entry, error)
+}
+
+// WorkspacePort is the minimum workspace capability needed for current IaC use cases.
+type WorkspacePort interface {
+	ReadPort
+	Stat(path string) (filesvc.Entry, error)
+	Resolve(path string) (string, error)
+	WriteFile(path string, data []byte, overwrite bool) (filesvc.Entry, error)
+	WriteReader(path string, reader io.Reader, overwrite bool, maxBytes int64) (filesvc.Entry, error)
+	Mkdir(path string) (filesvc.Entry, error)
+	Delete(path string, recursive bool) error
+	Move(fromPath string, toPath string, overwrite bool) (filesvc.Entry, error)
+}
+
+// CrossCopyPort copies content from the IaC library boundary into the IaC workspace boundary.
+type CrossCopyPort interface {
+	CopyLibraryToWorkspace(fromPath string, toPath string, overwrite bool) error
+}

backend/domain/iac/dto.go

@@ -0,0 +1,26 @@
+package iac
+
+import "time"
+
+// Entry is the IaC-facing file or directory projection returned by read-side use cases.
+type Entry struct {
+	Name       string
+	Type       string
+	Size       int64
+	ModifiedAt time.Time
+}
+
+// FileContent is the IaC-facing text file projection returned by read-side use cases.
+type FileContent struct {
+	Path       string
+	Content    string
+	Size       int64
+	ModifiedAt time.Time
+}
+
+// DownloadFile is the IaC-facing file projection used for attachment downloads.
+type DownloadFile struct {
+	Path     string
+	AbsPath  string
+	Filename string
+}

backend/domain/iac/errors.go

@@ -0,0 +1,17 @@
+package iac
+
+import "errors"
+
+var (
+	ErrInvalidPath       = errors.New("invalid path")
+	ErrNotFound          = errors.New("not found")
+	ErrDirectoryRequired = errors.New("directory required")
+	ErrFileRequired      = errors.New("file required")
+	ErrConflict          = errors.New("conflict")
+	ErrBinaryContent     = errors.New("binary content not supported")
+	ErrLimitExceeded     = errors.New("limit exceeded")
+	ErrRootDeleteDenied  = errors.New("root delete denied")
+	ErrCrossRootMoveDenied = errors.New("cross-root move denied")
+	ErrInvalidFilename   = errors.New("invalid filename")
+	ErrExtensionBlocked  = errors.New("extension blocked")
+)