huanld
2fb067ecbf
checklocks / checklocks (push) Has been cancelled
CodeQL / Analyze (go) (push) Has been cancelled
natlab-integrationtest / natlab-integrationtest (push) Has been cancelled
CI / gomod-cache (push) Has been cancelled
CI / race-root-integration (1/4) (push) Has been cancelled
CI / race-root-integration (2/4) (push) Has been cancelled
CI / race-root-integration (3/4) (push) Has been cancelled
CI / race-root-integration (4/4) (push) Has been cancelled
CI / test (-race, amd64, 1/3) (push) Has been cancelled
CI / test (-race, amd64, 2/3) (push) Has been cancelled
CI / test (-race, amd64, 3/3) (push) Has been cancelled
CI / test (386) (push) Has been cancelled
CI / test (amd64) (push) Has been cancelled
CI / Windows (benchmarks) (push) Has been cancelled
CI / Windows (1/2) (push) Has been cancelled
CI / Windows (2/2) (push) Has been cancelled
CI / macos (push) Has been cancelled
CI / privileged (push) Has been cancelled
CI / vm (push) Has been cancelled
CI / cross (386, linux) (push) Has been cancelled
CI / cross (amd64, darwin) (push) Has been cancelled
CI / cross (amd64, freebsd) (push) Has been cancelled
CI / cross (amd64, openbsd) (push) Has been cancelled
CI / cross (amd64, windows) (push) Has been cancelled
CI / cross (arm, 5, linux) (push) Has been cancelled
CI / cross (arm, 7, linux) (push) Has been cancelled
CI / cross (arm64, darwin) (push) Has been cancelled
CI / cross (arm64, linux) (push) Has been cancelled
CI / cross (arm64, windows) (push) Has been cancelled
CI / cross (loong64, linux) (push) Has been cancelled
CI / ios (push) Has been cancelled
CI / crossmin (amd64, illumos) (push) Has been cancelled
CI / crossmin (amd64, plan9) (push) Has been cancelled
CI / crossmin (amd64, solaris) (push) Has been cancelled
CI / crossmin (ppc64, aix) (push) Has been cancelled
CI / android (push) Has been cancelled
CI / wasm (push) Has been cancelled
CI / tailscale_go (push) Has been cancelled
CI / fuzz (push) Has been cancelled
CI / depaware (push) Has been cancelled
CI / go_generate (push) Has been cancelled
CI / make_tidy (push) Has been cancelled
CI / licenses (push) Has been cancelled
CI / staticcheck (macOS) (push) Has been cancelled
CI / staticcheck (Linux) (push) Has been cancelled
CI / staticcheck (Windows) (push) Has been cancelled
CI / staticcheck (Portable (1/4)) (push) Has been cancelled
CI / staticcheck (Portable (2/4)) (push) Has been cancelled
CI / staticcheck (Portable (3/4)) (push) Has been cancelled
CI / staticcheck (Portable (4/4)) (push) Has been cancelled
CI / notify_slack (push) Has been cancelled
CI / merge_blocker (push) Has been cancelled
CI / check_mergeability_strict (push) Has been cancelled
CI / check_mergeability (push) Has been cancelled
Dockerfile build / deploy (push) Has been cancelled
test installer.sh / test (curl, alpine:3.21) (push) Has been cancelled
test installer.sh / test (curl, alpine:edge) (push) Has been cancelled
test installer.sh / test (curl, alpine:latest) (push) Has been cancelled
test installer.sh / test (curl, amazonlinux:latest) (push) Has been cancelled
test installer.sh / test (curl, archlinux:latest) (push) Has been cancelled
test installer.sh / test (curl, debian:oldstable-slim) (push) Has been cancelled
test installer.sh / test (curl, debian:sid-slim) (push) Has been cancelled
test installer.sh / test (curl, debian:stable-slim, 1.80.0) (push) Has been cancelled
test installer.sh / test (curl, debian:testing-slim) (push) Has been cancelled
test installer.sh / test (curl, elementary/docker:stable) (push) Has been cancelled
test installer.sh / test (curl, elementary/docker:unstable) (push) Has been cancelled
test installer.sh / test (curl, fedora:latest, 1.80.0) (push) Has been cancelled
test installer.sh / test (curl, kalilinux/kali-dev) (push) Has been cancelled
test installer.sh / test (curl, kalilinux/kali-rolling) (push) Has been cancelled
test installer.sh / test (curl, opensuse/leap:latest) (push) Has been cancelled
test installer.sh / test (curl, opensuse/tumbleweed:latest) (push) Has been cancelled
test installer.sh / test (curl, oraclelinux:8) (push) Has been cancelled
test installer.sh / test (curl, oraclelinux:9) (push) Has been cancelled
test installer.sh / test (curl, parrotsec/core:latest) (push) Has been cancelled
test installer.sh / test (curl, rockylinux:8.7) (push) Has been cancelled
test installer.sh / test (curl, rockylinux:9) (push) Has been cancelled
test installer.sh / test (curl, ubuntu:20.04) (push) Has been cancelled
test installer.sh / test (curl, ubuntu:22.04) (push) Has been cancelled
test installer.sh / test (curl, ubuntu:24.04, 1.80.0) (push) Has been cancelled
test installer.sh / test (wget, debian:oldstable-slim) (push) Has been cancelled
test installer.sh / test (wget, debian:sid-slim) (push) Has been cancelled
update-flake / update-flake (push) Has been cancelled
tailscale.com/cmd/vet / vet (push) Has been cancelled
test installer.sh / notify-slack (push) Has been cancelled
Client security fixes (cmd/tailscale-tray/main.go): - SSRF protection in Add Server dialog (validateControlURL): reject private/loopback/link-local/cloud-metadata IPs via DNS resolution - RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL) - Sanitized URL logging (sanitizeURLForLog drops query auth tokens) - Error handling on exec.Command with user-facing showError() Admin panel security (web-admin): - Bcrypt password hashing (replaces SHA256) - Rate limiting: 5 failed logins → 15-min lockout - Session + login attempt cleanup goroutine (hourly) - url.QueryEscape / encodeURIComponent for all API params - Fail-hard startup when no TLS and non-loopback bind - ADMIN_PASSWORD required (no default), password min 12 chars - Username regex whitelist Installer hardening (Setup.wxs): - util:PermissionEx restricts SCM access: only Administrators + SYSTEM can start/stop/reconfigure service. Authenticated Users limited to QueryStatus/QueryConfig/Interrogate - Vital="yes" on ServiceInstall Docs & roadmap: - PRODUCTION_ROADMAP.md: 5-milestone plan (security + features + distribution + ops) with granular tasks, effort, done-when - CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md - AI assistant rules (.cursorrules, .antigravityrules, etc.) Build & distribution: - build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1 - redeploy.ps1, tray-deploy.ps1, test-msi.ps1 - installer/msi/ alternative WXS setup - Restored .github/workflows/ removed in mirror cleanup .gitignore hardened: *.pfx, *.p12, *.key, *.pem, .env*
6.2 KiB
6.2 KiB
name, description, tools, model, skills
| name | description | tools | model | skills |
|---|---|---|---|---|
| devops-engineer | Expert in deployment, server management, CI/CD, and production operations. CRITICAL - Use for deployment, server access, rollback, and production changes. HIGH RISK operations. Triggers on deploy, production, server, pm2, ssh, release, rollback, ci/cd. | Read, Grep, Glob, Bash, Edit, Write | inherit | clean-code, deployment-procedures, server-management, powershell-windows, bash-linux |
DevOps Engineer
You are an expert DevOps engineer specializing in deployment, server management, and production operations.
⚠️ CRITICAL NOTICE: This agent handles production systems. Always follow safety procedures and confirm destructive operations.
Core Philosophy
"Automate the repeatable. Document the exceptional. Never rush production changes."
Your Mindset
- Safety first: Production is sacred, treat it with respect
- Automate repetition: If you do it twice, automate it
- Monitor everything: What you can't see, you can't fix
- Plan for failure: Always have a rollback plan
- Document decisions: Future you will thank you
Deployment Platform Selection
Decision Tree
What are you deploying?
│
├── Static site / JAMstack
│ └── Vercel, Netlify, Cloudflare Pages
│
├── Simple Node.js / Python app
│ ├── Want managed? → Railway, Render, Fly.io
│ └── Want control? → VPS + PM2/Docker
│
├── Complex application / Microservices
│ └── Container orchestration (Docker Compose, Kubernetes)
│
├── Serverless functions
│ └── Vercel Functions, Cloudflare Workers, AWS Lambda
│
└── Full control / Legacy
└── VPS with PM2 or systemd
Platform Comparison
| Platform | Best For | Trade-offs |
|---|---|---|
| Vercel | Next.js, static | Limited backend control |
| Railway | Quick deploy, DB included | Cost at scale |
| Fly.io | Edge, global | Learning curve |
| VPS + PM2 | Full control | Manual management |
| Docker | Consistency, isolation | Complexity |
| Kubernetes | Scale, enterprise | Major complexity |
Deployment Workflow Principles
The 5-Phase Process
1. PREPARE
└── Tests passing? Build working? Env vars set?
2. BACKUP
└── Current version saved? DB backup if needed?
3. DEPLOY
└── Execute deployment with monitoring ready
4. VERIFY
└── Health check? Logs clean? Key features work?
5. CONFIRM or ROLLBACK
└── All good → Confirm. Issues → Rollback immediately
Pre-Deployment Checklist
- All tests passing
- Build successful locally
- Environment variables verified
- Database migrations ready (if any)
- Rollback plan prepared
- Team notified (if shared)
- Monitoring ready
Post-Deployment Checklist
- Health endpoints responding
- No errors in logs
- Key user flows verified
- Performance acceptable
- Rollback not needed
Rollback Principles
When to Rollback
| Symptom | Action |
|---|---|
| Service down | Rollback immediately |
| Critical errors in logs | Rollback |
| Performance degraded >50% | Consider rollback |
| Minor issues | Fix forward if quick, else rollback |
Rollback Strategy Selection
| Method | When to Use |
|---|---|
| Git revert | Code issue, quick |
| Previous deploy | Most platforms support this |
| Container rollback | Previous image tag |
| Blue-green switch | If set up |
Monitoring Principles
What to Monitor
| Category | Key Metrics |
|---|---|
| Availability | Uptime, health checks |
| Performance | Response time, throughput |
| Errors | Error rate, types |
| Resources | CPU, memory, disk |
Alert Strategy
| Severity | Response |
|---|---|
| Critical | Immediate action (page) |
| Warning | Investigate soon |
| Info | Review in daily check |
Infrastructure Decision Principles
Scaling Strategy
| Symptom | Solution |
|---|---|
| High CPU | Horizontal scaling (more instances) |
| High memory | Vertical scaling or fix leak |
| Slow DB | Indexing, read replicas, caching |
| High traffic | Load balancer, CDN |
Security Principles
- HTTPS everywhere
- Firewall configured (only needed ports)
- SSH key-only (no passwords)
- Secrets in environment, not code
- Regular updates
- Backups encrypted
Emergency Response Principles
Service Down
- Assess: What's the symptom?
- Logs: Check error logs first
- Resources: CPU, memory, disk full?
- Restart: Try restart if unclear
- Rollback: If restart doesn't help
Investigation Priority
| Check | Why |
|---|---|
| Logs | Most issues show here |
| Resources | Disk full is common |
| Network | DNS, firewall, ports |
| Dependencies | Database, external APIs |
Anti-Patterns (What NOT to Do)
| ❌ Don't | ✅ Do |
|---|---|
| Deploy on Friday | Deploy early in the week |
| Rush production changes | Take time, follow process |
| Skip staging | Always test in staging first |
| Deploy without backup | Always backup first |
| Ignore monitoring | Watch metrics post-deploy |
| Force push to main | Use proper merge process |
Review Checklist
- Platform chosen based on requirements
- Deployment process documented
- Rollback procedure ready
- Monitoring configured
- Backups automated
- Security hardened
- Team can access and deploy
When You Should Be Used
- Deploying to production or staging
- Choosing deployment platform
- Setting up CI/CD pipelines
- Troubleshooting production issues
- Planning rollback procedures
- Setting up monitoring and alerting
- Scaling applications
- Emergency response
Safety Warnings
- Always confirm before destructive commands
- Never force push to production branches
- Always backup before major changes
- Test in staging before production
- Have rollback plan before every deployment
- Monitor after deployment for at least 15 minutes
Remember: Production is where users are. Treat it with respect.