Skip to main content

ZenSite EMS / ZenGrid — status-decent-ec Release Notes v0.1.0

Release Information

  • Version: v0.1.0
  • Release Date: 2026-04-30
  • Release Type: Minor
  • Urgency: Planned
  • Component: status-decent-ec (Device Status Dashboard)
  • GitLab MR: !1 — Setup CI/CD with proper security guidelines

Summary

This release establishes the foundational CI/CD pipeline, container build infrastructure, and security quality gates for status-decent-ec, the ZenSite/ZenGrid component responsible for displaying device status feedback to operators and end users. No functional changes to user-facing features are included; this release hardens the build and delivery pipeline to meet SDL requirements.

Security Fixes

No CVEs addressed in this release.

FindingSeverityComponentResolution
Build scripts used unsafe shell: true / subprocess patternsMediumBuild toolingRefactored to use spawnSync with explicit argument arrays
Auth/static-file middleware lacked predictable orderingMediumNext.js middlewareMiddleware execution order made explicit and deterministic
CI placeholder secret BETTER_AUTH_SECRET used low-entropy valueLowCI build stageDocumented as CI-only placeholder; production secrets managed via GitLab CI/CD variables

Changes

New Features

  • CI/CD Pipeline: Full GitLab CI pipeline introduced with dedicated stages: formatting check (Prettier), Node.js application build (Next.js 15), Kaniko-based container image build, SonarQube static analysis, and Dependency-Track SBOM scanning.
  • SonarQube Integration: Project wired to SonarQube Community Build with sonar-project.properties defining project metadata, source roots, and coverage/test exclusions. Quality gate passed with no failed conditions on initial scan.
  • Dependency-Track SBOM Scanning: Application BOM and container image BOM submitted automatically on each pipeline run. Current findings: app BOM 26 total (0 critical, 17 high, 7 medium, 2 low); image BOM 13 total (1 critical, 6 high, 6 medium). No policy failures. Findings are tracked for triage in subsequent releases.
  • Container Build (Kaniko): Multi-stage Dockerfile using node:22-bookworm-slim with layer caching via internal registry. Build produces a minimal production image running as non-root user node on port 3000.
  • Prettier Formatting Gate: Automated formatting check stage enforces consistent code style; linting delegated to the formatting stage to avoid double-handling in the Next.js build step.
  • Database Management Script: Rebuild script hardened to use spawnSync and an explicit safe environment, with SQLite3 integration replacing shell-executed commands.
  • Multi-Architecture Module Support: Added SWC, Parcel Watcher, Tailwind CSS, and LightningCSS native modules for multiple architectures (linux/amd64, linux/arm64) to ensure reproducible builds across CI and deployment targets.
  • Kubernetes Memory Configuration: CI pipeline runner configured with 3 Gi memory request and limit to support the Next.js build process reliably.

Bug Fixes

  • Fixed getPathLocale function to correctly handle empty first URL path segments, preventing incorrect locale resolution on certain routes.

Dependency Updates

No dependency version changes in this release. Initial package-lock.json established as the baseline for future SCA comparisons.

Affected Components

ComponentVersionNotes
status-decent-ec (app)v0.1.0 / 4141bd5cInitial pipeline-hardened build
Container imagesha256:df4d4a6b9b4e7323135614c88c1595a830c5ac633921781bdfba478d2fe2b734Pushed to registry.met3r.com/met3r/status-decent-ec
Next.js15.5.14Base framework
Node.js base image22-bookworm-slimRuntime base

Other ZenSite stack components (Backend Services, EMS Core, TICK Stack, IAM/SSO) are not affected by this release.

Update Instructions

Prerequisites

  • This is the initial pipeline release; no previous version exists to migrate from.
  • Deployment environment must have access to registry.met3r.com.
  • Production BETTER_AUTH_SECRET must be a randomly generated secret of at least 32 characters (openssl rand -base64 32). The CI build uses a low-entropy placeholder — this must not be used in production.
  • Keycloak OIDC issuer, client ID, and client secret must be configured via environment variables before deployment.

Update Steps

  1. Pull the container image using the digest reference (see Integrity Verification below).
  2. Configure all required environment variables: BASE_URL, BETTER_AUTH_SECRET, KEYCLOAK_MASTER_ISSUER, KEYCLOAK_MASTER_CLIENT_ID, KEYCLOAK_MASTER_CLIENT_SECRET.
  3. Deploy container to target environment (Kubernetes or Docker Compose).
  4. Verify health endpoint responds (see Verification Steps).

Integrity Verification

Container image digest:

registry.met3r.com/met3r/status-decent-ec@sha256:df4d4a6b9b4e7323135614c88c1595a830c5ac633921781bdfba478d2fe2b734

Tag reference (pin to digest in production manifests, do not rely on mutable tags):

registry.met3r.com/met3r/status-decent-ec:4141bd5c8d29eadf3d671a7abced974b8e4eb227

Verification Steps

  1. Verify the running container digest matches the digest published above.
  2. Check the health endpoint: GET /api/health → expected 200 OK.
  3. Confirm the login page renders at /<locale>/login (e.g., /en/login).
  4. Review application logs for startup errors; expected informational output includes [Database] Shutdown handlers registered during static page generation — this is normal build-time behaviour and does not indicate a runtime error.

Rollback Steps

As this is the initial release, rollback means stopping the service. No database migrations were applied; no prior version state exists to restore.

Known Issues and Open Findings

  • Dependency-Track high-severity findings (app BOM): 17 high-severity findings exist in the application dependency tree. These are under triage and will be addressed in subsequent patch releases according to the Vulnerability Handling & Disclosure Policy (SLA: High severity resolved within 7 days of confirmed exploitability assessment).
  • Container image critical finding: 1 critical-severity finding in the container base image BOM. Under triage; mitigation or base image update to follow.
  • MQTT connection at build time: The CI build log shows ECONNREFUSED for MQTT during static page generation. This is expected — no MQTT broker is available in the build environment. The application handles this gracefully at runtime.
  • BETTER_AUTH_SECRET warnings in build log: These warnings appear because the CI pipeline uses a placeholder secret. This is intentional and does not affect production security provided the production secret is correctly configured.

Risks of Not Applying This Update

This release does not patch any externally exploitable vulnerability. Not deploying it means the CI/CD pipeline lacks automated security quality gates, increasing the risk that future changes introduce vulnerabilities without detection. The Dependency-Track and SonarQube gates established here are required controls under the ZenSite SDL.

Support

  • Security issues: report@met3r.com
  • General support: contact your METER account representative
DECENT EC

DECENT.EC, Decentralized Energy Communitiesis an initiative of MET3R Solutions Limited.

Our contact

info@decent.ec

DECENT.EC