Albacore release. Theme: full deployment lifecycle and self-healing operations.
Umbrella for the next release; each item below ships this cycle.
Features
Observability & self-recovery (feat: Add AI-native observability and self-recovery module #148): per-deployment health and per-container
resource monitoring with configurable spike thresholds; pluggable notifications
(email first, webhook interface next); AI-native reconcile at boot and on ill-health
via the existing service-action engine. Must not restart deployments the user
intentionally stopped (reconcile against tracked desired state).
S3-compatible backups (feat: Add support for s3 compatible backup #105): a clear definition of what is backed up, how, and
where, plus a remote S3-compatible destination on top of the existing local backup
system. Stretch: FlatRun itself as an S3 endpoint, backed by r2/aws/etc.
Integrations: deploy from a GitHub or git URL and from uploaded code, not only
from compose content or a template. Today a deployment must already have a compose
file; this adds source-based deployment with auth.
Builders: build code and then deploy it. Today only an existing compose build:
section runs. This adds build-from-source (Dockerfile detection, buildpacks / nixpacks)
with build config (args, cache, secrets).
Persist AI chat sessions: store conversation history so chats survive reloads and
can be resumed, instead of being lost per session.
Marketplace-sourced templates: the deployment flow's templates should come from the
marketplace (api.flatrun.dev) and be kept current, with flatrun/marketplace on GitHub
as the fallback source for public publications when the API is unreachable. Today the
deploy flow uses the templates embedded in the agent binary.
Firewall enforcement: the built-in firewall app persists, validates, and previews a
host-wide inbound/outbound policy, but does not enforce it yet. Translate rules to
nftables/iptables with a safeguard that preserves the active SSH session before a
default-deny inbound policy takes effect.
Security trace & false-block fix (fix: Security module blocking after 1 404 #153): stop blocking on a single 404; give every
blocked IP a trace of the events (counts, paths) that led to the block.
Effective rebuild / pull / env (bug: Rebuild, pulls etc not effective with picking new env vars #149): expose force-recreate, no-cache rebuild,
and non-cached pull so updated env vars and images actually take effect, matching what
currently requires a manual docker compose from the terminal.
UI design refresh: improve the UI design and adopt Iconify for iconography. First pass shipped in feat(ui): Design refresh with dark mode, assistant, and global search ui#74 (dark mode, design tokens, Iconify, the assistant rework, global search). Per-screen polish and modal consolidation still to follow.
Seed bind mounts from image content (Seed bind mounts from image content when host path is empty #139): opt-in per-mount seeding so an empty or
missing host path is populated from the image (mirroring named-volume copy-on-first-use)
before compose up, only when the target is empty. Fixes single-file config mounts
becoming directories and empty mounts for images that don't self-populate.
User-set primary service (enh: Smarter primary service detection in multi-service compose files #111): the smarter fallback shipped (detection now prefers app/web before the first service with ports, instead of random map order). Letting the
user explicitly set a deployment's primary service is still open.
Compose validation working directory (fix(compose): Resolve relative env_file against the deployment directory #161): validation hardcodes the working
directory to ., so a relative env_file (e.g. ./.env) fails on the image-set /
update path even though the file exists in the deployment directory. Resolve relative
paths against the deployment directory, as the up path already does.
Housekeeping
Document the release naming system: keep the convention below current and reuse
it when opening the next umbrella issue.
Release naming: umbrella releases are codenamed after sea creatures, advancing one
letter per release. Albacore (A) -> Barnacle (B) -> Cuttlefish (C) -> Dolphin (D) ...
Pick the next unused letter when opening each new group(enhancements): issue.
dashboard instead of loading everything at once; profile and optimize the backend
paths behind those views.
summarization, and related tools (UI side: feat(ai): Add AI workflow to file viewers/editors accross the application ui#71).
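A sketch of the SSH safeguard described in the Firewall enforcement item, as an added example that is not FlatRun's code: it renders an nftables input chain with a default-deny policy and refuses to render one unless the active SSH session can be preserved. The table name `flatrun_example`, the TCP-port-only rule model, and the use of the `SSH_CONNECTION` value as the session source are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// sshGuard turns an SSH_CONNECTION value ("client_ip client_port server_ip
// server_port") into an nftables rule that keeps that client's SSH access.
func sshGuard(sshConn string) (string, error) {
	f := strings.Fields(sshConn)
	if len(f) != 4 {
		return "", fmt.Errorf("malformed SSH_CONNECTION %q", sshConn)
	}
	addr, err := netip.ParseAddr(f[0])
	port, perr := strconv.ParseUint(f[3], 10, 16)
	if err != nil || perr != nil || port == 0 {
		return "", fmt.Errorf("unusable SSH_CONNECTION %q", sshConn)
	}
	addr, fam := addr.Unmap().WithZone(""), "ip"
	if addr.Is6() {
		fam = "ip6"
	}
	return fmt.Sprintf("%s saddr %s tcp dport %d accept", fam, addr, port), nil
}

// BuildInbound renders a default-deny input chain for the given TCP ports and
// fails closed: without a parsable SSH session it returns an error, no ruleset.
func BuildInbound(tcpPorts []uint16, sshConn string) (string, error) {
	guard, err := sshGuard(sshConn)
	if err != nil {
		return "", fmt.Errorf("not rendering default-deny: %w", err)
	}
	var b strings.Builder
	b.WriteString("table inet flatrun_example {\n  chain input {\n")
	b.WriteString("    type filter hook input priority 0; policy drop;\n")
	b.WriteString("    ct state established,related accept\n    iif \"lo\" accept\n")
	b.WriteString("    " + guard + "\n") // safeguard precedes the user's rules
	for _, p := range tcpPorts {
		fmt.Fprintf(&b, "    tcp dport %d accept\n", p)
	}
	b.WriteString("  }\n}\n")
	return b.String(), nil
}

func main() { // constructed session value; on a host it is $SSH_CONNECTION
	fmt.Println(BuildInbound([]uint16{443}, "203.0.113.7 51000 198.51.100.2 22"))
}
```

The established/related rule keeps the current session's packets flowing; the explicit source rule lets the same client reconnect if that session drops.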
Improvements
nginx vhost generation (nginx vhost generation: WebSocket timeouts, unconditional upgrade header, ssl_stapling noise, missing target validation #156): configurable / long WebSocket proxy timeouts;
conditional Connection: upgrade via a map instead of unconditional; skip ssl_stapling
when the cert has no OCSP responder; validate the target service/port actually listens
before saving a vhost.
Streamed deployment actions (feat: Stream start/stop progress and run deployment actions as jobs #150): run start/stop/restart as background jobs that
return a job id; job status and buffered output survive a page reload; stream compose
output over the WebSocket keyed by job id with a poll fallback; serialize concurrent
actions per deployment. Shipped in feat(agent): Run deployment and service actions as streamed jobs #163 and feat(ui): Stream deployment and service action progress ui#76. (Jobs are
in-memory with ~15-minute retention: reload survives, an agent restart does not.)
nginx additional-domain upstream collision (fix(nginx): Multi-domain upstream collides across deployments; server_names_hash not configurable #155): the extra-domain path proxies by
bare service name (e.g. app), which is not unique across deployments, so a custom
domain on a shared host intermittently serves another deployment's container. Route by
the unique deployment name like the primary-domain path.
nginx security base image (bug: Use flatrun/openresty for security base #106, check: Ensure base nginx image is configured to flatrun/openresty #39): use
flatrun/openresty as the nginx base instead of upstream openresty/openresty, which is
incompatible with the FlatRun security configs.
Propagate metadata-save errors (enh: Propagate SaveMetadata errors during compose updates #110): surface SaveMetadata failures during compose
updates instead of discarding them, so compose and service.yml can't silently diverge.
Suppress ACME challenge log noise (enh: Suppress logging for ACME challenge requests in nginx configs #112): set access_log off / log_not_found off
on the well-known ACME challenge locations so cleaned-up challenge 404s stop burying real
errors. Complements the fix: Security module blocking after 1 404 #153 security trace.
--help lists subcommands (enh: --help command flag omits subcommands (update, setup, version) #130): top-level help should list update, setup, and version, and help
should print usage instead of falling through to start the server.
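One way the behaviour asked for in the Security trace & false-block fix and Suppress ACME challenge log noise items could look, as an added example that is not FlatRun's security module: a single 404 never triggers a block, ACME challenge 404s are not counted, and every block decision can be explained by a per-path trace. The `Tracker` type, the threshold of 5, and the one-minute window are assumptions; the page does not state the project's values.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Hypothetical tuning values; the page does not state FlatRun's thresholds.
const maxNotFound = 5
const window = time.Minute

type hit struct {
	at   time.Time
	path string
}

// Tracker keeps recent 404s per client IP so every block carries its evidence.
type Tracker struct{ hits map[string][]hit }

// Observe records one response and reports whether it puts the IP over the limit.
func (t *Tracker) Observe(ip, path string, status int, now time.Time) bool {
	// ACME challenge 404s are expected after cleanup and never count.
	if status != 404 || strings.HasPrefix(path, "/.well-known/acme-challenge/") {
		return false
	}
	kept := t.hits[ip][:0]
	for _, h := range t.hits[ip] { // drop events that fell out of the window
		if now.Sub(h.at) < window {
			kept = append(kept, h)
		}
	}
	t.hits[ip] = append(kept, hit{now, path})
	return len(t.hits[ip]) >= maxNotFound
}

// Trace returns per-path counts of the events currently held against an IP.
func (t *Tracker) Trace(ip string) map[string]int {
	counts := map[string]int{}
	for _, h := range t.hits[ip] {
		counts[h.path]++
	}
	return counts
}

func main() { // constructed request from a documentation-range address
	t, now := &Tracker{hits: map[string][]hit{}}, time.Now()
	fmt.Println(t.Observe("203.0.113.9", "/missing", 404, now), t.Trace("203.0.113.9"))
}
```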