chore: remove deprecated Pulse+ agent metrics and add audit log rotation docs

Removed all legacy Pulse+ agent metrics infrastructure (cloud-relay) which has been
fully replaced by the new docker agent and temperature agent implementations.

Changes:
- Remove cloud-relay directory and all related binaries (relay, relay-linux, etc.)
- Remove Pulse+ documentation (AGENT_METRICS_IMPLEMENTATION.md, AGENT_METRICS_SETUP.md)
- Clean up pulse-relay references in workflows and release checklist
- Add audit log rotation documentation for sensor proxy hash-chained logs
- Update .gitignore to remove cloud-relay/ entry

The new docker and temp agents remain fully functional and unaffected by this cleanup.
This commit is contained in:
rcourtman 2025-10-20 13:05:57 +00:00
parent 7d422d2909
commit d5c7a3494b
3 changed files with 62 additions and 7 deletions

View file

@ -4,7 +4,7 @@
**File**: `update-demo-server.yml`
Automatically updates the public demo server (`pulse-relay`) when a new stable release is published.
Automatically updates the public demo server when a new stable release is published.
### Configuration Required
@ -38,11 +38,6 @@ To test without publishing a release:
2. Select `Update Demo Server` workflow
3. Click `Run workflow` (if manual trigger is enabled)
Or test manually:
```bash
ssh pulse-relay "curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/install.sh | sudo bash"
```
### Benefits
- ✅ Demo server always showcases latest stable release

1
.gitignore vendored
View file

@ -148,7 +148,6 @@ tmp_*.py
tmp_*.sh
# Experimental/abandoned features (not part of main project)
cloud-relay/
scripts/agent/
docs/internal/
claude.md

View file

@ -0,0 +1,61 @@
# Pulse Sensor Proxy Audit Log Rotation
The sensor proxy writes a tamper-evident audit trail to
`/var/log/pulse/sensor-proxy/audit.log`. Every entry includes the SHA-256 hash
of the previous entry, so any modification becomes obvious. Because the process
keeps the file open and maintains the running hash in memory, rotation requires
special handling.
## Rotation Strategy
Use `logrotate` to rotate the file once it reaches 100MB. After each rotation,
restart the proxy so it opens a new file and starts a fresh hash chain.
Create `/etc/logrotate.d/pulse-sensor-proxy` with the following contents:
```conf
/var/log/pulse/sensor-proxy/audit.log {
daily
size 100M
rotate 90
compress
delaycompress
missingok
notifempty
create 0640 pulse pulse
sharedscripts
postrotate
systemctl restart pulse-sensor-proxy.service >/dev/null 2>&1 || true
endscript
}
```
### Why a Restart Is Mandatory
`copytruncate` and similar tricks break the chain integrity. Restarting the
service ensures:
1. The proxy releases the old file descriptor.
2. A new hash chain starts at sequence 1 with an all-zero `prev_hash`.
If the proxy is not restarted, it will continue writing to the renamed file and
the rotation will have no effect.
### Chain Continuity Across Rotations
Each rotated log (`audit.log.1.gz`, `audit.log.2.gz`, …) is self-contained. To
prove continuity between files:
1. After each rotation, record the final `event_hash` from the rotated file (for
example, store it in the filename or a checksum manifest).
2. When reviewing logs, verify the `prev_hash` of the first entry in the new
file is the zero hash, and reconcile the recorded final hash from the prior
file to show no entries were removed.
Maintaining this “final hash ledger” allows auditors to stitch the rotated files
together chronologically while preserving the tamper-evident guarantees.
### Permissions
Adjust the `create` directive to match the user and group that run the sensor
proxy. The example assumes both user and group are `pulse`.