# Sawa Control Panel — Issues & Decisions

*Track open questions, known problems, and architectural decisions here.*

---

## Open Issues

### ISSUE-001 — sudo whitelist scope

**Status:** Partially resolved ✅

**Note:** Sudoers whitelist deployed. Panel still runs as root via PM2 — migration to `panel` user pending.

---

### ISSUE-002 — Client cert distribution to mobile

**Status:** Open
**Priority:** High

Installing a client certificate on Android/iOS requires PKCS12 (.p12) format. The script generates the .p12 correctly; the transfer mechanism is not yet implemented.

**Options:**

- One-time HTTPS download endpoint on the server (auto-deletes after download)
- AirDrop (iOS only)
- Manual USB transfer

---

### ISSUE-003 — Service status parsing reliability

**Status:** Open
**Priority:** Medium

`rc-service status` returns inconsistent output across services. Output should be normalized to `started | stopped | crashed | unknown`.

**Suggested fix:** Use `rc-status` instead — it returns a structured view of all services in one call.

---

### ISSUE-004 — Build and deploy workflow

**Status:** Resolved ✅

`deploy.ps1` implemented. Tar+gzip bundles, single file upload per component, server-side extract. Flags: `-All -Backend -Frontend -Nginx -Certs`.

---

### ISSUE-005 — wlan0 fails on boot

**Status:** Open — low priority

wpa_supplicant starts before the WiFi hardware is ready. `sleep 5` pre-up workaround in `/etc/network/interfaces` — not yet confirmed stable across reboots.

---

### ISSUE-006 — Diskless/RAM mode not configured

**Status:** Open — planned

Currently in `sys` mode. USB wear reduction requires diskless conversion. Test on a spare USB clone first — never on the master.

---

### ISSUE-007 — Disk usage shows corrupt data intermittently

**Status:** Open
**Priority:** High — fix in Phase 4

Disk panel shows `/` at 445% full with 224GB size, then snaps back to correct values on the next poll. Virtual/pseudo filesystems are leaking through the filter in `systemInfo.js`.
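An added example, not the project's own `systemInfo.js`, of a filesystem-type whitelist that keeps pseudo filesystems, zero-size mounts and inconsistent rows out of the disk panel. It assumes the panel reads `df -TP` output and uses a constructed sample:

```javascript
// Added example, not the project's own systemInfo.js. Assumes the panel gets
// its disk data from the output of `df -TP` (POSIX format, one mount per line).
const ALLOWED_FS_TYPES = new Set(['ext4', 'ext3', 'xfs', 'btrfs', 'vfat']);
const EXCLUDED_FS_TYPES = new Set(['tmpfs', 'devtmpfs', 'sysfs', 'proc', 'cgroup', 'overlay']);

// Constructed sample of `df -TP` output: pseudo filesystems plus one inconsistent row (used > size).
const SAMPLE_DF = `Filesystem     Type     1024-blocks    Used Available Capacity Mounted on
/dev/sda1      ext4        30307712 9532416  19212032      34% /
devtmpfs       devtmpfs       10240       0     10240       0% /dev
tmpfs          tmpfs         404444       0    404444       0% /dev/shm
overlay        overlay     30307712 9532416  19212032      34% /var/lib/docker/overlay2/x/merged
/dev/sdb1      vfat          262144   51200    210944      20% /boot
sysfs          sysfs              0       0         0        - /sys
proc           proc               0       0         0        - /proc
cgroup         cgroup             0       0         0        - /sys/fs/cgroup
/dev/loop0     ext4            1024    4556         0     445% /mnt/bad
`;

// Parse df -TP rows: Filesystem Type 1024-blocks Used Available Capacity Mounted-on.
function parseDfOutput(text) {
  return text.trim().split('\n').slice(1).map((line) => {
    const parts = line.trim().split(/\s+/);
    return {
      filesystem: parts[0],
      type: parts[1],
      sizeKb: Number(parts[2]),
      usedKb: Number(parts[3]),
      mount: parts.slice(6).join(' '), // mount paths may contain spaces
    };
  });
}

// Keep only real block filesystems with a non-zero size and sane counters.
function isRealDisk(entry) {
  if (EXCLUDED_FS_TYPES.has(entry.type) || !ALLOWED_FS_TYPES.has(entry.type)) return false;
  if (!Number.isFinite(entry.sizeKb) || entry.sizeKb === 0) return false;
  // A row whose used count exceeds its size is garbage; drop it rather than render >100%.
  if (!Number.isFinite(entry.usedKb) || entry.usedKb > entry.sizeKb) return false;
  return true;
}

function diskUsage(dfText) {
  return parseDfOutput(dfText).filter(isRealDisk).map((e) => ({
    mount: e.mount,
    type: e.type,
    sizeGb: Number((e.sizeKb / 1024 / 1024).toFixed(2)),
    usedPercent: Math.round((e.usedKb / e.sizeKb) * 100),
  }));
}
```

Running `diskUsage(SAMPLE_DF)` on the sample yields only `/` and `/boot`; every pseudo filesystem and the 445% row are dropped before they reach the UI.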
**Fix:** Filter by filesystem type — only include `ext4`, `ext3`, `xfs`, `btrfs`, `vfat`. Exclude `tmpfs`, `devtmpfs`, `sysfs`, `proc`, `cgroup`, `overlay`, and any mount where the size is 0.

---

### ISSUE-008 — MariaDB restart shows false error in UI

**Status:** Open — cosmetic
**Priority:** Low

Panel shows an error dialog on MariaDB restart:

```
/usr/bin/mysqld_safe: Deprecated program name. Use 'mariadbd-safe' instead.
 * ERROR: mariadb failed to start
```

The service actually starts correctly. The exit code is non-zero because the deprecation warning is misread as a failure.

**Fix:** In `rcService.js`, treat this specific stderr pattern as a warning, not an error, for mariadb.

---

### ISSUE-009 — TLS 1.3 incompatible with nginx mTLS client cert request

**Status:** Resolved ✅

With TLS 1.3, nginx never sends `CertificateRequest` — browsers never prompt for or send the client cert. Fixed by setting `ssl_protocols TLSv1.2;` in `sawa-panel.conf`. Revisit when nginx adds proper TLS 1.3 post-handshake auth support.

---

### ISSUE-010 — Rogue default.conf intercepted mTLS requests

**Status:** Resolved ✅

`/etc/nginx/conf.d/default.conf` had a `listen 443 ssl` catch-all block with no mTLS, intercepting all requests before `sawa-panel.conf`. Deleted. `http.d/default.conf` (port 80 → 404) retained.

**Prevention needed:** Deploy script should warn about conflicting 443 server blocks.

---

## Resolved Decisions

### DECISION-001 — Authentication: nginx mTLS ✅

Client certificates only. No login page. Unauthorized devices get a TLS handshake failure.
### DECISION-002 — Frontend: React + Vite + Tailwind CSS ✅

### DECISION-003 — Backend: Node.js + Express ✅

### DECISION-004 — Database stack convention ✅

| Use case | Database |
|----------|----------|
| WordPress, Laravel | MariaDB |
| Node.js apps | PostgreSQL |
| Sessions, queues | Redis (RDB+AOF) |
| Pure caching | Memcached |

### DECISION-005 — Panel on LAN only, port 443 ✅

### DECISION-006 — Phase 4 UI redesign ✅

- **Header:** persistent CPU% + RAM% + Uptime + Live dot
- **Sidebar:** collapsible sections — System / Services (tree) / Websites
- **Services:** toggle switches, each service gets its own detail page
- **Websites:** add/remove form + enable/disable toggles
- **Per-service pages:** relevant stats + controls (pgAdmin iframe for PostgreSQL, phpMyAdmin for MariaDB — Phase 5)

---

## Technical Debt

- [ ] Panel runs as `root` via PM2 — migrate to `panel` user
- [ ] `noatime` not set in fstab — USB write wear pending
- [ ] Diskless mode not configured — ISSUE-006
- [ ] MariaDB deprecated binary warning — ISSUE-008
- [ ] `resolv.conf` not protected from `networking restart` overwrite
- [ ] `firstboot.sh` clone logic not tested on a real hardware clone
- [ ] No log rotation — logs will grow unbounded
- [ ] SSH on port 22 — move to non-standard port to reduce scan noise
- [ ] Deploy script does not warn about conflicting nginx 443 server blocks
- [ ] `create-client.sh` uses temp file workaround for EKU extension — works but fragile