v4.10.0

Jakob Munch Overgaard edited this page Jun 21, 2026 · 1 revision

RemotePower v4.10.0 — "PerimeterMatters"

A perimeter-defense and AI release: a fleet-wide Firewall + fail2ban page (view and edit), an AI Insights hub of 20 one-click reports and advisors, and three new sources in the fleet-knowledge (RAG) index — plus a UI-polish and release-readiness finalize sweep. No breaking changes, no schema changes.

After upgrading, hard-reload the dashboard once so the new front-end loads (service-worker cache remotepower-shell-v4.10.0).

Security → Firewall (firewall + fail2ban)

A new page under Security → Firewall gives fleet-wide visibility and editing for host firewalls and fail2ban, building on the firewall posture the agent already reports. See firewall for the full guide.

  • Host firewalls — every host's posture (nftables / iptables / ufw / firewalld — backend, default policy, active state, rule count and drift fingerprint) in one sortable table. Open a host to see its actual ruleset, grouped by table/chain (volatile packet counters stripped for readability), and add or delete rules: ufw/firewalld port rules and raw nftables/iptables rules.
  • fail2ban — jails and the IPs each has banned, per host. Ban or unban an address and start or stop a jail. Hosts without fail2ban report it as not available (this includes the containerized agent — no host socket).
  • Safe by construction — every edit runs through the existing audited, permission-gated command queue (command): quarantined hosts are skipped, and rule specs are strictly validated server-side (no shell metacharacters) before they reach a host. Read-only visibility needs no special permission.
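The server-side gate described above, sketched as an added illustration (not RemotePower's own code; every name here is hypothetical): a ufw/firewalld port rule is accepted only as structured fields, a raw nftables/iptables rule only as allowlisted tokens with no shell metacharacters, and quarantined hosts are skipped before anything is queued.

```python
import ipaddress
import re

# Characters that must never reach a host shell, checked before tokenising.
_META = set(";|&$`<>()\\\"'*?{}[]!#~\n\r\t")
# One raw nftables/iptables token: optional leading dashes, then letters, digits
# and the punctuation found in addresses, CIDRs, port ranges and key=value pairs.
# nft set syntax ({ 22, 80 }) is rejected by design; expand it into several rules.
_RAW_TOKEN = re.compile(r"-{0,2}[A-Za-z0-9:][A-Za-z0-9._:/,=+-]*")

class RuleSpecError(ValueError):
    """Raised when a spec is rejected before it is queued."""

def validate_port_rule(spec: dict) -> dict:
    """ufw/firewalld style rule: structured fields, each checked on its own."""
    action, proto, port, src = (spec.get(k) for k in ("action", "proto", "port", "src"))
    if action not in ("allow", "deny"):
        raise RuleSpecError(f"bad action {action!r}")
    if proto not in ("tcp", "udp"):
        raise RuleSpecError(f"bad proto {proto!r}")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise RuleSpecError(f"bad port {port!r}")
    if src is not None:
        try:
            src = str(ipaddress.ip_network(src, strict=False))  # canonical CIDR form
        except ValueError:
            raise RuleSpecError(f"bad source {src!r}") from None
    return {"action": action, "proto": proto, "port": port, "src": src}

def validate_raw_rule(backend: str, rule: str) -> list:
    """Raw nftables/iptables rule: allowlisted tokens only, no shell metacharacters."""
    if backend not in ("nftables", "iptables"):
        raise RuleSpecError(f"bad backend {backend!r}")
    bad = sorted(set(rule) & _META)
    if bad:
        raise RuleSpecError(f"shell metacharacters in rule: {bad}")
    tokens = rule.split()
    if not tokens or len(tokens) > 40:
        raise RuleSpecError("rule is empty or too long")
    for tok in tokens:
        if not _RAW_TOKEN.fullmatch(tok):
            raise RuleSpecError(f"bad token {tok!r}")
    return tokens

def queue_firewall_edit(host: dict, spec: dict):
    """Skip quarantined hosts, validate the spec, then build the queue entry."""
    if host.get("quarantined"):
        return None
    if spec.get("kind") == "port":
        payload = validate_port_rule(spec)
    elif spec.get("kind") == "raw":
        backend = spec.get("backend", "")
        payload = {"backend": backend, "tokens": validate_raw_rule(backend, spec.get("rule", ""))}
    else:
        raise RuleSpecError(f"unknown rule kind {spec.get('kind')!r}")
    return {"host": host["name"], "command": "firewall.add_rule", "payload": payload}

def is_valid_spec(spec: dict) -> bool:
    """True if queue_firewall_edit would accept the spec for a normal host."""
    try:
        queue_firewall_edit({"name": "probe", "quarantined": False}, spec)
        return True
    except RuleSpecError:
        return False
```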

AI Insights — 20 new AI features

The AI Assistant page gains an AI Insights grid: 20 one-click reports and advisors that run against your configured provider with RAG + fleet context attached. Grouped into five categories (ai):

  • Proactive — daily fleet briefing, log-anomaly digest, alert-noise tuning, predictive-maintenance narrative.
  • Incident — root-cause narrative, group-related-alerts, pre-run change-risk review.
  • Natural language → config — fleet query → filter, monitor/check from a sentence, reverse-IaC (Ansible from a host's live state).
  • Planning — CVE remediation plan (KEV-first, staged), compliance remediation plan, capacity & cost forecast, backup/DR-readiness.
  • Advisors — firewall auditor (also a button on the Firewall page), DNS hygiene, email deliverability, homelab integration assistant, supply-chain/SBOM Q&A, host one-pager.

Each is a tunable system prompt (Settings → AI → Prompts), rate-limited, audited, and redaction-aware like the existing AI Explain/Investigate buttons.

AI RAG — three new corpus sources

The fleet-knowledge index now also indexes (on by default, cheap, no-PII):

  • Firewall & fail2ban — per-host firewall posture and fail2ban jails/bans, plus a fleet "which hosts have no active firewall" rollup (rule counts only).
  • Homelab integrations — health of every connector (Pi-hole, TrueNAS, *arr…) and a down/degraded rollup.
  • Backups — per-host backup freshness and a fleet "stale backups" rollup.

So the assistant can answer "which hosts have no firewall?", "is fail2ban running on web01?", "which integrations are down?" and "are db01's backups current?" directly from indexed state. Toggle each under Settings → AI → RAG.

Agent audit (read-only) mode

Touch /etc/remotepower/audit-mode on a host (on Windows/macOS, audit-mode in the agent's data dir) and its agent becomes observe-only: it keeps collecting and reporting, and read-only assessments (lynis / OpenSCAP / CVE) still run, but it refuses every command — exec/scripts, reboot/shutdown, host-config apply and self-update. The flag is an operator-owned file the server cannot clear, so the host can't be modified through the agent by design. The server also refuses to queue actions for an audit host, and the device shows an AUDIT badge. Enforced by all three agents (Linux / Windows / macOS). Remove the file to re-enable control.
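The audit-mode gate as an added illustration (not the RemotePower agent's or server's code; action-kind names and the data-dir argument are assumptions): the flag file is checked on every request rather than cached, read-only work keeps running, command kinds are refused while the flag exists, unknown kinds fail closed, and the server refuses to queue commands for a host that reports audit mode.

```python
import os

# Hypothetical action kinds, grouped the way the page describes them.
READ_ONLY = {"collect", "report", "assess.lynis", "assess.openscap", "assess.cve"}
COMMANDS = {"exec", "script", "reboot", "shutdown", "host-config.apply", "self-update"}

def audit_flag_path(platform: str, data_dir: str) -> str:
    """Linux uses /etc/remotepower/audit-mode; Windows/macOS use the agent data dir
    (data_dir is an assumed argument, the page does not name a default)."""
    if platform.startswith("linux"):
        return "/etc/remotepower/audit-mode"
    return os.path.join(data_dir, "audit-mode")

def audit_mode_active(flag_path: str) -> bool:
    # Checked per request, never cached at startup: removing the file re-enables
    # control, and nothing the server sends can remove it.
    return os.path.exists(flag_path)

def agent_decide(kind: str, audit: bool) -> str:
    """Return 'run' or 'refused' for an incoming action on the agent side."""
    if kind in READ_ONLY:
        return "run"            # collection and assessments continue in audit mode
    if kind in COMMANDS and not audit:
        return "run"
    return "refused"            # every command in audit mode, and any unknown kind

def server_queue(host: dict, kind: str) -> dict:
    """Server-side mirror: never queue a command for a host showing the AUDIT badge."""
    if kind in COMMANDS and host.get("audit_mode"):
        return {"queued": False, "reason": f"{host['name']} is in audit mode"}
    return {"queued": True, "host": host["name"], "kind": kind}
```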

Site / group / tag-scoped credentials

The CMDB credentials vault is per-device. v4.10.0 adds scoped credentials: define a shared login once at a site, group or tag level and it's inherited by every member device — a customer's domain admin, a site's switch password, an out-of-band IPMI account. They use the same encrypted vault as per-device credentials (AES-GCM; the key is derived from your vault passphrase and passed per-request in the X-RP-Vault-Key header — the server never stores it), are admin-only, and every reveal is audit-logged. Manage them from the Scoped credentials card on the CMDB page; each row shows how many devices it applies to. (Scope-delegated reveal — letting a site-scoped operator use that site's credentials — is a planned follow-up; v1 is admin-only.)

UI polish + finalize sweep

  • Firewall/fail2ban detail panels highlight the open host, scroll into view, add a Close button, and mark queued edits in-panel.
  • The AI Insights hub is grouped with per-category icons.
  • The Reports page's per-device Uptime (SLA) table is searchable by device/group.
  • Three fleet-scaling dashboard lists (heatmap, upcoming events, timeline) are scroll-capped; toolbar filters gained accessible labels; a stray emoji icon became a Lucide SVG; the severity-orange is now a themeable token.
  • A second whole-project security/perf/RAG/docs finalize pass — see security-review-4.10.0.

Upgrade notes

No configuration or data migration is required. Agents report the new firewall rule lists and fail2ban status on their next check-in after upgrade; until then the Firewall page shows posture without per-rule detail.