feat: update database path to pabawi.db across configuration files, Dockerfiles, and scripts; enhance setup script for Puppet SSL configuration

Author: alvagante

.github/copilot-instructions.md

@@ -143,7 +143,7 @@ SQLite schema defined in `backend/src/database/schema.sql`, migrations in `migra
 BOLT_PROJECT_PATH=.              # Path to Bolt project (inventory.yaml, modules/)
 PORT=3000                        # Server port
 LOG_LEVEL=info                   # error | warn | info | debug
-DATABASE_PATH=./data/executions.db
+DATABASE_PATH=./data/pabawi.db
 BOLT_EXECUTION_TIMEOUT=300000    # 5 minutes default
 COMMAND_WHITELIST_ALLOW_ALL=false
 COMMAND_WHITELIST=["ls","pwd"]  # CSV in env, JSON in code
@@ -223,7 +223,7 @@ PuppetDB, Puppetserver, Hiera enabled via `INTEGRATION_PUPPETDB_ENABLED`, `INTEG
 - Use correlation IDs to trace frontend actions → backend processing → responses
 - Inspect `backend/src/errors/ErrorHandlingService.ts` for error context details
 - Check `ExpertModeDebugPanel` component for timeline view of frontend + backend logs
-- Verify execution results in SQLite database (`data/executions.db`)—check composite indexes for query performance
+- Verify execution results in SQLite database (`data/pabawi.db`)—check composite indexes for query performance
 - Test Bolt commands manually: `bolt command run 'whoami' --targets inventory.yaml`
 - Check `ExecutionQueue` status via `GET /api/executions/queue/status`—verify queue isn't full
 - For task failures, check both `_output` (command output) and `_error.msg` (error details)

.kiro/hooks/repository-cleanup-check.kiro.hook

@@ -8,6 +8,6 @@
   },
   "then": {
     "type": "askAgent",
-    "prompt": "Analyze the repository for:\n1. Stale files (not modified in a long time, potentially obsolete)\n2. Duplicate files (same or very similar content, files with suffixes like _backup, _old, _fixed, etc.)\n3. Inconsistent files (conflicting versions, outdated patterns)\n4. Obsolete dependencies or configurations\n5. Unused code or imports\n6. Redundant documentation files\n\nFor each issue found:\n- If the cleanup action is clear and safe, implement the specific changes needed\n- If there's any doubt or user clarification is needed, create or append to a todo file at .kiro/cleanup-todo.md with:\n  * Description of the issue\n  * Location of the files/code\n  * Questions for the user\n  * Potential impact of changes\n\nFocus on:\n- Multiple Dockerfile variants (Dockerfile, Dockerfile.alpine, Dockerfile.ubuntu)\n- Duplicate .env files in different locations\n- Multiple database files (backend/data/executions.db, bolt-project/data/executions.db, data/executions.db)\n- Test result artifacts that should be in .gitignore\n- Backup or temporary files\n- Unused dependencies in package.json files\n- Duplicate documentation\n\nDo NOT make changes directly in case of doubt, document findings and recommendations."
+    "prompt": "Analyze the repository for:\n1. Stale files (not modified in a long time, potentially obsolete)\n2. Duplicate files (same or very similar content, files with suffixes like _backup, _old, _fixed, etc.)\n3. Inconsistent files (conflicting versions, outdated patterns)\n4. Obsolete dependencies or configurations\n5. Unused code or imports\n6. Redundant documentation files\n\nFor each issue found:\n- If the cleanup action is clear and safe, implement the specific changes needed\n- If there's any doubt or user clarification is needed, create or append to a todo file at .kiro/cleanup-todo.md with:\n  * Description of the issue\n  * Location of the files/code\n  * Questions for the user\n  * Potential impact of changes\n\nFocus on:\n- Multiple Dockerfile variants (Dockerfile, Dockerfile.alpine, Dockerfile.ubuntu)\n- Duplicate .env files in different locations\n- Multiple database files (backend/data/pabawi.db, bolt-project/data/pabawi.db, data/pabawi.db)\n- Test result artifacts that should be in .gitignore\n- Backup or temporary files\n- Unused dependencies in package.json files\n- Duplicate documentation\n\nDo NOT make changes directly in case of doubt, document findings and recommendations."
   }
 }

.kiro/specs/070/pabawi/design.md

@@ -455,7 +455,7 @@ interface AppConfig {
   commandWhitelist: WhitelistConfig
   executionTimeout: number        // Default: 300000 (5 min)
   logLevel: string               // Default: 'info'
-  databasePath: string           // Default: './data/executions.db'
+  databasePath: string           // Default: './data/pabawi.db'
   expertModeEnabled: boolean     // Default: false (new)
 }
 ```
@@ -970,7 +970,7 @@ COMMAND_WHITELIST_ALLOW_ALL=false
 COMMAND_WHITELIST='["ls","pwd","whoami"]'
 BOLT_EXECUTION_TIMEOUT=300000
 LOG_LEVEL=info
-DATABASE_PATH=/data/executions.db
+DATABASE_PATH=/data/pabawi.db
 ```
 
 ### Volume Mounts

.kiro/specs/070/puppetserver-integration/manual-testing-guide.md

@@ -43,7 +43,7 @@ Create or update `backend/.env`:
 PORT=3000
 HOST=localhost
 LOG_LEVEL=debug
-DATABASE_PATH=./data/executions.db
+DATABASE_PATH=./data/pabawi.db
 
 # Bolt Configuration
 BOLT_PROJECT_PATH=./bolt-project

.secrets.baseline

@@ -794,14 +794,14 @@
         "filename": "frontend/src/pages/LoginPage.svelte",
         "hashed_secret": "6c56a9249cba324d029f725f1f7c0e47184e2dcf",
         "is_verified": false,
-        "line_number": 29
+        "line_number": 46
       },
       {
         "type": "Secret Keyword",
         "filename": "frontend/src/pages/LoginPage.svelte",
         "hashed_secret": "3e7d56a95804ff3c322b97a7e7cdba25dc920957",
         "is_verified": false,
-        "line_number": 31
+        "line_number": 48
       }
     ],
     "frontend/src/pages/RegisterPage.svelte": [
@@ -828,5 +828,5 @@
       }
     ]
   },
-  "generated_at": "2026-02-21T14:55:18Z"
+  "generated_at": "2026-03-04T07:57:54Z"
 }

CLAUDE.md

@@ -0,0 +1,97 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Commands
+
+```bash
+# Install all dependencies (root + workspaces)
+npm run install:all
+
+# Development
+npm run dev:backend        # Backend on port 3000 (tsx watch)
+npm run dev:frontend       # Frontend dev server on port 5173
+npm run dev:fullstack      # Build frontend + serve everything from backend
+
+# Build
+npm run build              # Build both frontend and backend
+
+# Testing
+npm run test               # Run all tests (backend + frontend, no-watch)
+npm run test --workspace=backend   # Backend tests only
+npm run test --workspace=frontend  # Frontend tests only
+npm run test:watch --workspace=backend  # Backend watch mode
+npm run test:e2e           # Playwright E2E tests
+npm run test:e2e:ui        # Playwright with UI mode
+
+# Run a single test file
+cd backend && npx vitest run test/unit/SomeService.test.ts
+
+# Linting
+npm run lint               # Lint both workspaces (0 warnings allowed)
+npm run lint:fix           # Auto-fix lint issues
+```
+
+Backend uses `tsx watch` for hot-reload during development. The frontend dev server proxies API calls to the backend.
+
+## Architecture Overview
+
+Pabawi is an infrastructure management web UI — a monorepo with a **Node.js/Express/TypeScript backend** and a **Svelte 5 SPA frontend**.
+
+### Plugin-based integration system
+
+All infrastructure integrations (Bolt, PuppetDB, Puppetserver, Hiera, Ansible, SSH) are plugins registered in `backend/src/integrations/`. Every plugin:
+
+- Extends `BasePlugin` (`integrations/BasePlugin.ts`) and implements `isEnabled()`, `initialize()`, `healthCheck()`
+- Optionally implements `ExecutionToolPlugin` (can run commands) or `InformationSourcePlugin` (provides inventory/facts)
+- Is registered with `IntegrationManager` (`integrations/IntegrationManager.ts`), which handles lifecycle, health aggregation, and routes data requests to the correct plugin
+
+`IntegrationManager` is the central registry. When inventory or facts are requested, it fans out to all enabled `InformationSourcePlugin`s and merges results using a priority system (SSH: 50, Bolt/PuppetDB: 10, Puppetserver: 20, Ansible: 8, Hiera: 6). When executing commands, it dispatches to the correct `ExecutionToolPlugin`.
+
+### Backend (`backend/src/`)
+
+- **`server.ts`** — Express app init, plugin registration, middleware wiring, route mounting
+- **`config/`** — `ConfigService` wraps all env vars with Zod validation; always use this, never `process.env` directly
+- **`integrations/<name>/`** — One directory per integration: `<Name>Plugin.ts` (lifecycle + routing) and `<Name>Service.ts` (business logic, CLI spawning, API calls)
+- **`services/`** — Cross-cutting services: `ExecutionQueue` (concurrent limiting, FIFO), `StreamingExecutionManager` (SSE real-time output), `CommandWhitelistService` (security), `DatabaseService`, `AuthenticationService`, `BatchExecutionService`, and RBAC services (`UserService`, `RoleService`, `PermissionService`, `GroupService`)
+- **`routes/`** — Express route handlers. All async handlers must be wrapped with `asyncHandler()` from `utils/`
+- **`middleware/`** — Auth (JWT), RBAC, error handler, rate limiting, security headers
+- **`database/`** — `DatabaseService.ts` (SQLite, schema/migration on startup), `ExecutionRepository.ts` (CRUD for execution history). Schema in `database/schema.sql`, migrations in `database/migrations.sql`
+- **`errors/`** — Typed error classes extending base classes; use these instead of generic `Error`
+- **`validation/`** — Zod schemas for request body validation
+
+Bolt command output is parsed from JSON; both `_output` and `_error` fields must be extracted from failed task results. Inventory and facts are cached (30 s and 5 min TTL respectively) inside each plugin's service.
+
+### Frontend (`frontend/src/`)
+
+- **`App.svelte`** — Root: initializes router, auth guard, and setup check
+- **`pages/`** — One Svelte component per page route
+- **`components/`** — Shared UI components
+- **`lib/`** — Core utilities and reactive state:
+  - `router.svelte.ts` — Client-side router using Svelte 5 runes (`$state`)
+  - `auth.svelte.ts` — JWT auth state
+  - `api.ts` — Centralized HTTP client with error handling
+  - `executionStream.svelte.ts` — SSE client for real-time command output
+  - `expertMode.svelte.ts` — Debug info toggle
+  - `integrationColors.svelte.ts` — Per-integration color constants
+  - `toast.svelte.ts` — Notification system
+
+The frontend uses **Svelte 5 runes** throughout (`$state()`, `$effect()`, `$derived()`). State that needs to persist across components lives in the `lib/*.svelte.ts` files as module-level rune state.
+
+### Configuration
+
+All configuration is via `backend/.env`. Run `scripts/setup.sh` for interactive setup. Key variable groups: `PORT/HOST/LOG_LEVEL`, `JWT_SECRET/AUTH_ENABLED`, `BOLT_*`, `PUPPETDB_*`, `PUPPETSERVER_*`, `HIERA_*`, `ANSIBLE_*`, `SSH_*`, `COMMAND_WHITELIST*`, `CACHE_*`, `CONCURRENT_EXECUTION_LIMIT`.
+
+See `docs/configuration.md` for the full reference.
+
+### Testing conventions
+
+- Backend tests live in `backend/test/` (unit, integration, security, middleware, properties with fast-check)
+- Frontend tests co-located with source in `frontend/src/**/*.test.ts`
+- E2E tests in `e2e/` using Playwright
+- Database tests use in-memory SQLite
+- Use `supertest` for HTTP route testing in backend
+
+### Logging
+
+Use `LoggerService` everywhere — never `console.log`. Pass structured metadata: `{ component, integration, operation }`.

Dockerfile

@@ -133,7 +133,7 @@ EXPOSE 3000
 ENV NODE_ENV=production \
     PORT=3000 \
     HOST=0.0.0.0 \
-    DATABASE_PATH=/data/executions.db \
+    DATABASE_PATH=/data/pabawi.db \
     BOLT_PROJECT_PATH=/bolt-project \
     # Integration settings (disabled by default)
     PUPPETDB_ENABLED=false \

Dockerfile.alpine

@@ -115,8 +115,8 @@ if [ ! -w /data ]; then
 fi
 
 # Create database file if it doesn't exist
-if [ ! -f /data/executions.db ]; then
-    touch /data/executions.db
+if [ ! -f /data/pabawi.db ]; then
+    touch /data/pabawi.db
 fi
 
 # Set Puppet/Bolt environment variables to work around Alpine detection issues
@@ -145,7 +145,7 @@ EXPOSE 3000
 ENV NODE_ENV=production \
     PORT=3000 \
     HOST=0.0.0.0 \
-    DATABASE_PATH=/data/executions.db \
+    DATABASE_PATH=/data/pabawi.db \
     BOLT_PROJECT_PATH=/bolt-project \
     FACTER_operatingsystem=Alpine \
     FACTER_osfamily=Linux \

Dockerfile.ubuntu

@@ -121,8 +121,8 @@ if [ ! -w /data ]; then
 fi
 
 # Create database file if it doesn't exist
-if [ ! -f /data/executions.db ]; then
-    touch /data/executions.db
+if [ ! -f /data/pabawi.db ]; then
+    touch /data/pabawi.db
 fi
 
 # Execute the main command
@@ -143,7 +143,7 @@ EXPOSE 3000
 ENV NODE_ENV=production \
     PORT=3000 \
     HOST=0.0.0.0 \
-    DATABASE_PATH=/data/executions.db \
+    DATABASE_PATH=/data/pabawi.db \
     BOLT_PROJECT_PATH=/bolt-project \
     # Integration settings (disabled by default)
     PUPPETDB_ENABLED=false \

backend/src/config/schema.ts

@@ -291,7 +291,7 @@ export const AppConfigSchema = z.object({
   commandWhitelist: WhitelistConfigSchema,
   executionTimeout: z.number().int().positive().default(300000), // 5 minutes
   logLevel: z.enum(["error", "warn", "info", "debug"]).default("info"),
-  databasePath: z.string().default("./data/executions.db"),
+  databasePath: z.string().default("./data/pabawi.db"),
   corsAllowedOrigins: z.array(z.string()).default(["http://localhost:5173", "http://localhost:3000"]),
   packageTasks: z.array(PackageTaskConfigSchema).default([
     {