fran-olivares/usulnet

v26.2.5 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

agplv3 docker docker-deployment docker-management docker-management-tool docker-manager docker-swarm docker-ui go goland moby postgresql self-hosted swarm templ ui usulnet webui

Affected surfaces

crypto_tls breaking_upgrade

Summary

AI summary

Fixed a data-loss bug where the encryption key was regenerated on every restart, causing permanent loss of encrypted secrets.

Full changelog

usulnet v26.2.5 — 2026-02-21

Fixed

  • Encryption Key Lost on Every Restart (critical — data loss): config.go:Validate() auto-generated a new random encryption key each time the application started without an explicit USULNET_ENCRYPTION_KEY. This meant all previously encrypted data — SSH credentials, TOTP secrets, NPM registry tokens, and config variables — became permanently unreadable after every restart. Removed the random key generation; the application now deterministically derives the encryption key from the JWT secret via SHA-256, producing a stable key that survives restarts as long as the JWT secret remains unchanged. Reported by community in #14.

  • SSH "Not Configured" Error Page Unhelpful: The SSH service error page displayed a vague message (Enable SSH by setting the encryption key in your configuration) with no actionable guidance. Replaced with a structured HTML card explaining that the key auto-derives from the JWT secret, plus numbered setup steps: generate a key with openssl rand -hex 32, set USULNET_ENCRYPTION_KEY, or configure security.config_encryption_key in config.yaml.

  • Encryption Failure Logged as Warning Instead of Error: When the AES encryptor failed to initialize (disabling SSH, TOTP, NPM, and Config services), the application only logged a Warn-level message with no diagnostic context. Elevated to Error level with structured fields (key_length, hint) so operators can immediately identify and fix misconfigured encryption keys.

  • NATS Port Not Exposed for Multi-Node Deployments: NATS port 4222 was only reachable inside the usulnet-backend internal Docker network, preventing remote agents on other hosts from connecting to the master. Exposed port 4222 to the host in all production Docker Compose files (docker-compose.yml, deploy/docker-compose.prod.yml). Configurable via NATS_PORT environment variable. Install script updated to display NATS connection URL.

Full Changelog: https://github.com/fr4nsys/usulnet/compare/v26.2.4...v26.2.5
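
The first fix above, as an added example in Go (not usulnet's own code): it contrasts a key regenerated at each start with one derived from the JWT secret via SHA-256. The function names, the AES-GCM mode and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey (hypothetical name) hashes the JWT secret into a stable AES-256 key.
func deriveKey(jwtSecret string) []byte {
	sum := sha256.Sum256([]byte(jwtSecret))
	return sum[:]
}

// randomBytes models the pre-fix key: fresh random bytes on every start.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-GCM for a key; the GCM mode is an assumption of this example.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is not 16, 24 or 32 bytes long
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// survivesRestart encrypts under keyBefore and decrypts under keyAfter.
func survivesRestart(keyBefore, keyAfter []byte) bool {
	nonce := randomBytes(12) // standard GCM nonce size
	blob := gcmFor(keyBefore).Seal(nil, nonce, []byte("constructed-totp-secret"), nil)
	_, err := gcmFor(keyAfter).Open(nil, nonce, blob, nil)
	return err == nil
}

func main() {
	s := "constructed-jwt-secret" // constructed sample value
	fmt.Println("random key per start:", survivesRestart(randomBytes(32), randomBytes(32)))
	fmt.Println("derived, same secret:", survivesRestart(deriveKey(s), deriveKey(s)))
	fmt.Println("derived, rotated secret:", survivesRestart(deriveKey(s), deriveKey(s+"-new")))
}
```

The third case shows that changing the JWT secret also changes the derived key, so data encrypted before the change no longer decrypts.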