ZenSite EMS / ZenGrid — status-decent-ec Release Notes v0.1.0
Release Information
- Version: v0.1.0
- Release Date: 2026-04-30
- Release Type: Minor
- Urgency: Planned
- Component: status-decent-ec (Device Status Dashboard)
- GitLab MR: !1 — Setup CI/CD with proper security guidelines
Summary
This release establishes the foundational CI/CD pipeline, container build infrastructure, and security quality gates for status-decent-ec, the ZenSite/ZenGrid component responsible for displaying device status feedback to operators and end users. No functional changes to user-facing features are included; this release hardens the build and delivery pipeline to meet SDL requirements.
Security Fixes
No CVEs addressed in this release.
| Finding | Severity | Component | Resolution |
|---|---|---|---|
Build scripts used unsafe shell: true / subprocess patterns | Medium | Build tooling | Refactored to use spawnSync with explicit argument arrays |
| Auth/static-file middleware lacked predictable ordering | Medium | Next.js middleware | Middleware execution order made explicit and deterministic |
CI placeholder secret BETTER_AUTH_SECRET used low-entropy value | Low | CI build stage | Documented as CI-only placeholder; production secrets managed via GitLab CI/CD variables |
Changes
New Features
- CI/CD Pipeline: Full GitLab CI pipeline introduced with dedicated stages: formatting check (Prettier), Node.js application build (Next.js 15), Kaniko-based container image build, SonarQube static analysis, and Dependency-Track SBOM scanning.
- SonarQube Integration: Project wired to SonarQube Community Build with
sonar-project.propertiesdefining project metadata, source roots, and coverage/test exclusions. Quality gate passed with no failed conditions on initial scan. - Dependency-Track SBOM Scanning: Application BOM and container image BOM submitted automatically on each pipeline run. Current findings: app BOM 26 total (0 critical, 17 high, 7 medium, 2 low); image BOM 13 total (1 critical, 6 high, 6 medium). No policy failures. Findings are tracked for triage in subsequent releases.
- Container Build (Kaniko): Multi-stage Dockerfile using
node:22-bookworm-slimwith layer caching via internal registry. Build produces a minimal production image running as non-root usernodeon port 3000. - Prettier Formatting Gate: Automated formatting check stage enforces consistent code style; linting delegated to the formatting stage to avoid double-handling in the Next.js build step.
- Database Management Script: Rebuild script hardened to use
spawnSyncand an explicit safe environment, with SQLite3 integration replacing shell-executed commands. - Multi-Architecture Module Support: Added SWC, Parcel Watcher, Tailwind CSS, and LightningCSS native modules for multiple architectures (linux/amd64, linux/arm64) to ensure reproducible builds across CI and deployment targets.
- Kubernetes Memory Configuration: CI pipeline runner configured with 3 Gi memory request and limit to support the Next.js build process reliably.
Bug Fixes
- Fixed
getPathLocalefunction to correctly handle empty first URL path segments, preventing incorrect locale resolution on certain routes.
Dependency Updates
No dependency version changes in this release. Initial package-lock.json established as the baseline for future SCA comparisons.
Affected Components
| Component | Version | Notes |
|---|---|---|
| status-decent-ec (app) | v0.1.0 / 4141bd5c | Initial pipeline-hardened build |
| Container image | sha256:df4d4a6b9b4e7323135614c88c1595a830c5ac633921781bdfba478d2fe2b734 | Pushed to registry.met3r.com/met3r/status-decent-ec |
| Next.js | 15.5.14 | Base framework |
| Node.js base image | 22-bookworm-slim | Runtime base |
Other ZenSite stack components (Backend Services, EMS Core, TICK Stack, IAM/SSO) are not affected by this release.
Update Instructions
Prerequisites
- This is the initial pipeline release; no previous version exists to migrate from.
- Deployment environment must have access to
registry.met3r.com. - Production
BETTER_AUTH_SECRETmust be a randomly generated secret of at least 32 characters (openssl rand -base64 32). The CI build uses a low-entropy placeholder — this must not be used in production. - Keycloak OIDC issuer, client ID, and client secret must be configured via environment variables before deployment.
Update Steps
- Pull the container image using the digest reference (see Integrity Verification below).
- Configure all required environment variables:
BASE_URL,BETTER_AUTH_SECRET,KEYCLOAK_MASTER_ISSUER,KEYCLOAK_MASTER_CLIENT_ID,KEYCLOAK_MASTER_CLIENT_SECRET. - Deploy container to target environment (Kubernetes or Docker Compose).
- Verify health endpoint responds (see Verification Steps).
Integrity Verification
Container image digest:
registry.met3r.com/met3r/status-decent-ec@sha256:df4d4a6b9b4e7323135614c88c1595a830c5ac633921781bdfba478d2fe2b734
Tag reference (pin to digest in production manifests, do not rely on mutable tags):
registry.met3r.com/met3r/status-decent-ec:4141bd5c8d29eadf3d671a7abced974b8e4eb227
Verification Steps
- Verify the running container digest matches the digest published above.
- Check the health endpoint:
GET /api/health→ expected200 OK. - Confirm the login page renders at
/<locale>/login(e.g.,/en/login). - Review application logs for startup errors; expected informational output includes
[Database] Shutdown handlers registeredduring static page generation — this is normal build-time behaviour and does not indicate a runtime error.
Rollback Steps
As this is the initial release, rollback means stopping the service. No database migrations were applied; no prior version state exists to restore.
Known Issues and Open Findings
- Dependency-Track high-severity findings (app BOM): 17 high-severity findings exist in the application dependency tree. These are under triage and will be addressed in subsequent patch releases according to the Vulnerability Handling & Disclosure Policy (SLA: High severity resolved within 7 days of confirmed exploitability assessment).
- Container image critical finding: 1 critical-severity finding in the container base image BOM. Under triage; mitigation or base image update to follow.
- MQTT connection at build time: The CI build log shows
ECONNREFUSEDfor MQTT during static page generation. This is expected — no MQTT broker is available in the build environment. The application handles this gracefully at runtime. BETTER_AUTH_SECRETwarnings in build log: These warnings appear because the CI pipeline uses a placeholder secret. This is intentional and does not affect production security provided the production secret is correctly configured.
Risks of Not Applying This Update
This release does not patch any externally exploitable vulnerability. Not deploying it means the CI/CD pipeline lacks automated security quality gates, increasing the risk that future changes introduce vulnerabilities without detection. The Dependency-Track and SonarQube gates established here are required controls under the ZenSite SDL.
Support
- Security issues: report@met3r.com
- General support: contact your METER account representative