Symbol extraction (symbols.rs):
- tree-sitter parsers for Rust, TypeScript, Python
- Extracts: functions, structs, enums, traits, classes, interfaces
- Signatures, docstrings, line ranges for each symbol
- extract_project_symbols() walks project directory
- Skips hidden/vendor/target/node_modules, files >100KB
Proto: IndexSymbols + SymbolEntry messages for client→server symbol relay
Client: after SessionReady, extracts symbols and sends IndexSymbols
to Sol for indexing into the code search index.
14 unit tests for symbol extraction across Rust/TS/Python.
- Agent service (crossbeam channels): TUI never blocks on gRPC I/O.
Chat runs on a background tokio task, events flow back via bounded
crossbeam channel. Designed as a library-friendly internal RPC.
- Virtual viewport: pre-wrap text with textwrap on content/width change,
slice only visible rows for rendering. Paragraph gets no Wrap, no
scroll() — pure O(viewport) per frame.
- Event drain loop: coalesce all queued terminal events before drawing.
Filters MouseEventKind::Moved (crossterm's EnableMouseCapture floods
these via ?1003h any-event tracking). Single redraw per batch.
- Conditional drawing: skip frames when nothing changed (needs_redraw).
- Mouse wheel + PageUp/Down + Home/End scrolling, command history
(Up/Down, persistent to .sunbeam/history), Alt+L debug log overlay.
- Proto: SessionReady now includes history entries + resumed flag.
Session resume loads conversation from Matrix room on reconnect.
- Default model: devstral-small-latest (was devstral-small-2506).
os_api: resolve pod name by label instead of hardcoded opensearch-0.
added find_pod_by_label helper to kube.rs.
secrets.py: sol-agent policy (read/write sol-tokens/*) and k8s auth
role bound to matrix namespace default SA.
SunbeamClient accessors are now async and resolve auth per-client:
- SSO bearer (get_token) for admin APIs, Matrix, La Suite, OpenSearch
- Gitea PAT (get_gitea_token) for VCS
- None for Prometheus, Loki, S3, LiveKit
Fixes client URLs to match deployed routes: hydra→hydra.{domain},
matrix→messages.{domain}, grafana→metrics.{domain},
prometheus→systemmetrics.{domain}, loki→systemlogs.{domain}.
Removes all ad-hoc token helpers from CLI modules (matrix_with_token,
os_client, people_client, etc). Every dispatch just calls
client.service().await?.
Patches gitea admin credentials into secret/sol for Sol's Gitea
integration. Adds sol-agent vault policy with read/write access
to sol-tokens/* for user impersonation PATs, plus k8s auth role
bound to the matrix namespace.
Adds Verb variants: auth, vcs, chat, search, storage, media, mon,
vault, people, docs, meet, drive, mail, cal, find. Each delegates
to the corresponding SDK cli.rs dispatch function.
Removes the legacy `user` command (replaced by `auth identity`).
Renames Get's -o to --kubectl-output to avoid conflict with the
new global -o/--output flag. Enables all SDK features in binary.
Slim binary that depends on sunbeam-sdk for all logic. Replaces 62
crate:: refs with sunbeam_sdk::. Tracing filter updated to include
sunbeam_sdk=info.
Convert the single binary crate into a Cargo workspace with two members:
sunbeam-sdk (library) and sunbeam (thin binary). Moves build.rs to the
SDK with adjusted .git/HEAD path for the nested layout.
Python changes that were ported to Rust in preceding commits:
- User onboard/offboard with mailbox + Projects provisioning
- Welcome email with job title/department
- --no-cache build flag
- Date validation, apply confirmation, build targets
- Make tool downloads platform-aware (darwin/linux, arm64/amd64)
- Add buildctl to bundled tools
- Add get_infra_dir() with config fallback for REPO_ROOT resolution
- Add ACME email to sunbeam config (set/get)
- Add REGISTRY_HOST_IP substitution in kustomize builds
- Update Kratos admin identity schema to employee
- Fix logs command to use production tunnel and context
- Add matrix to MANAGED_NS and tuwunel to restart/build targets
- Add post-apply hooks for matrix namespace:
- _patch_tuwunel_oauth2_redirect: reads client_id from hydra-maester
Secret and patches OAuth2Client redirectUris dynamically
- _inject_opensearch_model_id: reads model_id from ingest pipeline
and writes to ConfigMap for tuwunel deployment env var injection
- Add post-apply hook for data namespace:
- _ensure_opensearch_ml: idempotently registers/deploys all-mpnet-base-v2
(768-dim) model, creates ingest + hybrid search pipelines
- Add tuwunel secrets to OpenBao seed (OIDC, TURN, registration token)
- Refactor secret seeding to only write dirty paths (avoid VSO churn)
- Add ACME email fallback from config when not provided via CLI flag
- Collapse proxy build to single path using real Dockerfile via remote buildkitd
- Remove cross-compile and Dockerfile.package codepath
- Fix missing --must-change-password=false in Gitea admin password sync
- Add usage: sunbeam config [-h] action ...
positional arguments:
action
set Set configuration values
get Get current configuration
clear Clear configuration
options:
-h, --help show this help message and exit subcommand with set/get/clear actions
- Store configuration in with production_host and infra_directory
- Integrate with production environment detection, prioritizing config over SUNBEAM_SSH_HOST
- Add comprehensive test coverage with 11 new tests
- Update CLI help and error messages for better user experience
sunbeam apply [namespace] builds the full kustomize overlay (preserving
all image substitutions and patches) then filters the output to only
resources in the given namespace before applying. Cleanup and ConfigMap
restart detection are also scoped to the target namespace.
- manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup()
- cli.py: namespace positional arg for apply; meet added to build choices
- tests: 17 new tests covering filter logic and CLI dispatch
- secrets.py: seed secret/meet (django-secret-key, application-jwt-secret-key)
- images.py: add sunbeam build meet (meet-backend + meet-frontend from source)
- kube.py: production SSH tunnel support, domain discovery from cluster, cmd_bao
- gitea.py: configure Hydra as OIDC auth source; mark admin account as private
- services.py: minor VSO sync status and services list fixes
- users.py: add cmd_user_enable
- Add cmd_user_disable: disables Kratos identity (state: inactive) and
revokes all sessions. Provides emergency lockout — user cannot log in
again; existing Django app sessions expire within SESSION_COOKIE_AGE (1h).
- Add cmd_user_enable: re-enables a previously disabled identity.
- Wire disable/enable as subcommands of 'sunbeam user'.
- Fix cmd_user_list: table() args were swapped and result was not printed.
Snapshot ConfigMap resourceVersions before and after kubectl apply.
For any ConfigMap whose resourceVersion changed, find all Deployments
in the same namespace that mount it as a volume and issue a rollout
restart. Eliminates the need to manually restart pods after editing
ConfigMaps (e.g. services.json, nginx configs).
Builds the integration-service Docker image from the sunbeam/ root
context (needs both integration/packages/ for the widget source and
integration-service/ for nginx config and logos), pushes to Gitea,
pre-seeds into k3s containerd, and rolls the deployment.
images.py: extend AMD64_ONLY_IMAGES with the three impress (La Suite Docs)
images — impress-backend, impress-frontend, impress-y-provider. Always pull
the amd64 manifest + layers by digest unconditionally before the blob check;
the prior guard skipped the pull when the index blob was present but layers
were missing, causing the OCI import to fail on arm64 hosts.
secrets.py: add docs KV path (django-secret-key, collaboration-secret) to
_seed_openbao so a fresh sunbeam seed generates all required credentials for
the impress deployment.
kube.py: kube_exec now accepts an optional container= kwarg so callers
can target a specific container in Linkerd-injected pods (where exec
would otherwise land in the linkerd-proxy sidecar instead of the app).
Used by check_valkey (container="valkey") and check_openbao
(container="openbao").
kube.py + cli.py: new cmd_k8s / sunbeam k8s verb — transparent
kubectl --context=sunbeam passthrough for one-off cluster operations.
Returns kubectl's exit code directly.
manifests.py: fix REPO_ROOT parents index (was 3, needed 2) which
caused kustomize overlay lookup to resolve against the wrong directory.
tools.py: call ensure_tool("helm") before running kustomize so the
bundled helm v3.17.1 is on PATH; system helm v4 dropped the -c flag
that kustomize 5.6.0 uses for version detection.
gitea.py: pass --must-change-password=false to gitea admin user
change-password, removing the separate Postgres UPDATE workaround that
was fragile and required a second exec into the CNPG pod.
Replaced the unauthenticated SeaweedFS probe (which accepted any HTTP
< 500 as passing) with a signed S3 ListBuckets request using AWS
Signature V4. Credentials are read from the seaweedfs-s3-credentials
K8s secret; a 200 response confirms authentication is working.
Updated tests to cover missing creds, 403 bad-creds, 502 gateway error,
and URLError cases.
All checks now run concurrently via ThreadPoolExecutor so total time
is bounded by the slowest single check, not their sum.
Timeout reduced from 10s to 5s per check. SeaweedFS check switched
from kubectl exec (wget not reliably available in container) to an
HTTP probe against the external S3 endpoint (https://s3.DOMAIN/) —
consistent with the "use external URLs for publicly facing services"
requirement. 403 is treated as healthy (unauthenticated S3 response).
Output now mirrors sunbeam status (namespace headers, checks indented
below). Any uncaught exception from a check is caught in cmd_check
and displayed as a failed check instead of crashing.
Also fix _http_get: TimeoutError and other raw OSError/SSL errors that
Python 3.13 doesn't always wrap in URLError are now normalized to
URLError before re-raising, so each check function's URLError handler
reliably catches all network failures.
