v4.8.0

RemotePower v4.8.0 — "OnboardingMatters"

An onboarding release. Standing RemotePower up — and adding the hosts you want to manage — is now a single command, with HTTPS on by default and no insecure default password. This release also adds a full DMARC / SPF / DKIM monitor with aggregate-report ingestion, broadens accessibility, and closes agent-parity gaps on macOS and Windows. No breaking changes; everything existing keeps working.

After upgrading, hard-reload the dashboard once (service-worker cache remotepower-shell-v4.8.0).

Turnkey onboarding

Getting started used to mean running several scripts and editing an nginx file. Now it's one command, and adding a host is one line.

• Unified install.sh wizard. One wizard provisions the whole server — nginx, the app, TLS, and the admin account — so you never hand-edit a config file. Run sudo bash install.sh from the checkout.

• One-command Docker. docker compose up -d brings the server up serving HTTPS by default (self-signed on first boot) with no insecure default password — the generated admin password is printed to the container log.

• Self-hosted one-line agent installer. The server publishes an /install endpoint. Add device → Quick install command gives you a one-liner; on the target host:

  wget -qO- "https://your-server/install?t=<token>" | sudo sh

  It downloads the "Quick install" agent — server URL, enrolment token and integrity baked in — verifies its checksum, enrols, and the host appears in the device list by its hostname within ~60 seconds. Nothing else to configure.

• Bootstrap agents over SSH. From the server checkout, push the agent to remote hosts you name:

  sudo bash install.sh agent push --server https://your-server --token <token> user@host1 [user@host2 ...]

• Clean uninstall. sudo bash install.sh uninstall tears down the server, the agent, or the demo (keeps your data; --purge to wipe it).

• Scaling is now an explicit advanced track. PostgreSQL, HA, satellites and load balancing are reframed as a deliberate heavy-fleet path so the default experience stays simple. See deployment and scaling.

• Manual.html removed — its content is folded into the docs, which are the single source of truth.

Full quick-start: install.

Reputation/DMARC monitor

A new Reputation/DMARC page (under Security) tracks your mail-deliverability posture in three complementary halves:

• IP reputation (DNSBL) — add the IPv4 addresses you send mail from and RemotePower checks each against a set of DNS blocklists (Spamhaus, SpamCop, Barracuda, SORBS, UCEPROTECT, PSBL). It shows Clean / Listed-on-N and which lists, re-scans periodically, and raises an ip_blacklisted alert when a monitored IP gets listed (auto-resolved via ip_blacklist_cleared).
• DNS posture checks — RemotePower reads each domain's published TXT records (_dmarc, SPF, optionally a DKIM selector) and grades them ok / weak / fail, so you can see at a glance which domains are spoofable.
• Aggregate reports via IMAP — point RemotePower at the mailbox that receives your DMARC RUA aggregate reports. It polls that mailbox on a schedule and on demand, decompresses and parses the gzip/zip XML, and shows per-source SPF/DKIM pass/fail tallies plus a mailbox health view (message and unseen counts) so you can confirm reports are actually arriving.

New endpoints: GET /api/dmarc/reports, POST /api/dmarc/fetch, GET /api/dmarc/imap, POST /api/dmarc/imap. Parsed report state is stored in dmarc_reports. Reference: dmarc.

Accessibility

• Named dialogs. Every modal dialog now carries an accessible name, so screen readers announce what each dialog is.
• No more native popups. Every native confirm() / prompt() has been replaced with a styled, accessible in-app dialog — consistent look, keyboard-navigable, and screen-reader friendly.

Agent parity

• macOS saturation metrics. The macOS agent now reports the 1-minute load average and file-descriptor utilisation % that the Linux agent already sends, so Macs participate in the same saturation views.
• Windows GPU telemetry. The Windows agent now reports NVIDIA GPU telemetry, so Windows hosts show up on the fleet GPU page alongside Linux.

Reliability & hardening

• The CVE "Scan all devices" action no longer hangs the browser.
• The audit-log clear action now explains why it was denied when it is.
• Security hardening: tighter scanner temp-workdir permissions, corrected containerized-agent host reads, credential-file hardening on macOS and Windows, and internal lock-safety fixes.

v4.8.0 was independently tested with wapiti, nikto, nuclei, bandit and OWASP ZAP and passed clean.

---

Upgrade is in-place; see upgrading. Older release notes live in CHANGELOG.