fix secrets

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

.gitea/workflows/release-agent.yml

@@ -0,0 +1,32 @@
+name: release-agent
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Go setup
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.26.1"
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+          workdir: agent
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEATOKEN }}

.gitignore

@@ -0,0 +1 @@
+go.work.sum

README.md

@@ -0,0 +1,358 @@
+# HellreigN
+
+Агент внутренней диагностики инфраструктуры. Централизованный сбор логов, мониторинг нагрузки, управление скриптами и контроль состояния сервисов.
+
+## Возможности
+
+- **Сбор логов** — journald, Docker, Kubernetes, файлы
+- **Метрики нагрузки** — CPU, RAM, диск, сеть в реальном времени
+- **Контроль сервисов** — проверка alive/dead для systemd и Docker
+- **Удалённое выполнение команд** — запуск скриптов и команд на агентах
+- **Граф зависимостей** — определение причин сбоев, порядок запуска
+- **Офлайн-буфер** — логи не теряются при потере связи
+- **mTLS** — защищённое соединение между агентом и бэкендом
+
+## Архитектура
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                     Инфраструктура                          │
+│                                                             │
+│  ┌──────────┐  ┌──────────┐  ┌──────────┐                  │
+│  │ Agent 1  │  │ Agent 2  │  │ Agent N  │                  │
+│  │ (хост)   │  │ (docker) │  │ (k8s)    │                  │
+│  └────┬─────┘  └────┬─────┘  └────┬─────┘                  │
+│       │              │              │                       │
+│       └──────────────┼──────────────┘                       │
+│                      │ gRPC (mTLS)                          │
+│                      ▼                                      │
+│              ┌───────────────┐                              │
+│              │    Backend    │ ◄── REST API                 │
+│              │  :8080 / :9001│                              │
+│              └───────┬───────┘                              │
+│                      │                                      │
+│                      ▼                                      │
+│              ┌───────────────┐                              │
+│              │  ClickHouse   │ ◄── Хранилище логов          │
+│              └───────────────┘                              │
+└─────────────────────────────────────────────────────────────┘
+                      ▲
+                      │ HTTP
+              ┌───────┴───────┐
+              │   Frontend    │
+              │     :3000     │
+              └───────────────┘
+```
+
+## Быстрый старт
+
+### Требования
+
+- Docker + Docker Compose
+- Go 1.26.1+ (для локальной разработки)
+
+### Деплой
+
+```bash
+cd infra
+docker compose up -d --build
+```
+
+Поднимутся:
+- **ClickHouse** — хранилище логов
+- **Backend** — API (`8080`) + gRPC (`9001`)
+- **Frontend** — веб-интерфейс (`3000`)
+- **Agent** — пример агента
+
+Откройте `http://localhost:3000`. Логин: `admin`, пароль: `admin123`.
+Что бы агент заработал нужно в веб интрфейсе найти кнопку создать токен получить его и вписать в конфигурацию агента
+### Локальная разработка
+
+```bash
+# Backend
+cd backend && go run ./cmd/main.go
+
+# Frontend
+cd frontend && npm install && npm run dev
+
+# Agent
+cd agent && CONFIG_FILE=./config.yml go run main.go
+```
+
+## Конфигурация
+
+### Backend
+
+`infra/backend/config.yml`:
+
+```yaml
+database:
+  token_db: /var/lib/hellreign/tokens.db
+  clickhouse_host: clickhouse:9000
+  clickhouse_user: default
+  clickhouse_password: testpassword
+  clickhouse_database: hellreign
+admin:
+  admin_name: Admin
+  admin_last_name: User
+  admin_login: admin
+  admin_password: admin123
+```
+
+### Агент
+
+`infra/agent/config.yml`:
+
+```yaml
+backend_url: http://backend:8080
+grpc_url: backend:9001
+label: production-server-1
+registration_token: "token-из-ui"
+cert_dir: /etc/hellreign-agent/certs
+services:
+  # journald + проверка systemd
+  - name: nginx
+    type: journald
+    systemd_unit: nginx.service
+
+  # Docker контейнер
+  - name: redis
+    type: docker
+
+  # Файл
+  - name: myapp
+    type: file
+    path: /var/log/myapp/app.log
+```
+
+Поле `systemd_unit` опционально. Если указано — агент проверяет `systemctl is-active` и шлёт статус `up`/`down`. Для Docker — `docker inspect {{.State.Running}}`.
+
+### Граф зависимостей
+
+`infra/services.yaml`:
+
+```yaml
+nodes:
+  production-server-1:
+    services:
+      nginx:
+        depends_on: [sshd]
+      sshd:
+        depends_on: []
+```
+
+Используется для определения причины сбоев и порядка запуска.
+
+## Переменные окружения
+
+### Backend
+
+| Переменная | По умолчанию | Описание |
+|------------|-------------|----------|
+| `CONFIG_FILE` | `/etc/hellreign/config.yml` | Путь к YAML конфигу |
+| `GRAPH_YAML_PATH` | `/etc/hellreign/services.yaml` | Путь к графу сервисов |
+| `SSL_CERT_DIR` | `/var/lib/hellreign/ssl` | Директория mTLS сертификатов |
+| `SERVER_SAN_DNS` | `localhost,backend` | SAN DNS сертификата |
+| `SERVER_SAN_IP` | `127.0.0.1` | SAN IP сертификата |
+| `GRPC_PORT` | `9001` | Порт gRPC |
+| `GIN_MODE` | `release` | Режим Gin |
+
+### Агент
+
+| Переменная | По умолчанию | Описание |
+|------------|-------------|----------|
+| `CONFIG_FILE` | `/etc/hellreign-agent/config.yml` | Путь к YAML конфигу |
+| `JOURNALD_LOGDIR` | `/var/log/journal` | Директория journald (ro) |
+| `BUFFER_DB` | `/var/lib/hellreign-agent/agent_buffer.db` | SQLite буфер |
+| `IS_DEBUG` | `0` | Debug логи (`1`/`0`) |
+
+## Порты
+
+| Сервис | Порт | Назначение |
+|--------|------|------------|
+| Frontend | `3000` | Веб-интерфейс |
+| Backend HTTP | `8080` | REST API + Swagger |
+| Backend gRPC | `9001` | gRPC (mTLS) |
+| ClickHouse HTTP | `8123` | HTTP интерфейс |
+| ClickHouse Native | `9000` | Native протокол |
+
+## API примеры
+
+### Авторизация
+
+```bash
+curl -X POST http://localhost:8080/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"login":"admin","password":"admin123"}'
+```
+
+### Агенты и метрики
+
+```bash
+# Список подключённых агентов
+curl http://localhost:8080/api/v1/agents \
+  -H "Authorization: Bearer <jwt>"
+
+# Метрики нагрузки (CPU, RAM, disk, network)
+curl http://localhost:8080/api/v1/agents/system-metrics \
+  -H "Authorization: Bearer <jwt>"
+```
+
+### Логи
+
+```bash
+# Поиск
+curl "http://localhost:8080/api/v1/logs?service=nginx&level=error" \
+  -H "Authorization: Bearer <jwt>"
+
+# Список сервисов
+curl http://localhost:8080/api/v1/logs/services \
+  -H "Authorization: Bearer <jwt>"
+```
+
+### Скрипты
+
+```bash
+# Дерево
+curl http://localhost:8080/api/v1/scripts/tree \
+  -H "Authorization: Bearer <jwt>"
+
+# Запуск на агенте
+curl -X POST http://localhost:8080/api/v1/scripts/1/run \
+  -H "Authorization: Bearer <jwt>" \
+  -H "Content-Type: application/json" \
+  -d '{"token":"agent-token"}'
+```
+
+### Swagger
+
+`http://localhost:8080/swagger/index.html`
+
+Перегенерация:
+
+```bash
+cd backend && swag init -g ./cmd/main.go --parseDependency --parseInternal
+```
+
+## Деплой агента на хост
+
+### 1. Директории
+
+```bash
+sudo mkdir -p /etc/hellreign-agent/certs /var/lib/hellreign-agent
+```
+
+### 2. Конфиг
+
+```bash
+sudo nano /etc/hellreign-agent/config.yml
+```
+
+```yaml
+backend_url: https://monitoring.example.com
+grpc_url: monitoring.example.com:9001
+label: prod-web-1
+registration_token: "token-из-ui"
+cert_dir: /etc/hellreign-agent/certs
+services:
+  - name: nginx
+    type: journald
+    systemd_unit: nginx.service
+  - name: postgres
+    type: journald
+    systemd_unit: postgresql.service
+```
+
+### 3. Бинарь
+
+Скачать из релиза Gitea или собрать:
+
+```bash
+cd agent && go build -o hellreign-agent ./main.go
+sudo mv hellreign-agent /usr/bin/
+```
+
+### 4. Systemd
+
+```ini
+[Unit]
+Description=HellreigN Agent
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/hellreign-agent
+Environment=CONFIG_FILE=/etc/hellreign-agent/config.yml
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+```
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable --now hellreign-agent
+```
+
+## CI/CD
+
+При пуше тега `v*` — GoReleaser собирает `.deb` и `.rpm` для `linux/amd64` и `linux/arm64`:
+
+```bash
+git tag v1.0.0 && git push origin v1.0.0
+```
+
+Требует секрет `GITEA_TOKEN` в настройках репозитория.
+
+## Proto
+
+После изменений в `proto/hellreign.proto`:
+
+```bash
+cd proto
+protoc --go_out=. --go_opt=paths=source_relative \
+       --go-grpc_out=. --go-grpc_opt=paths=source_relative \
+       hellreign.proto
+mv hellreign*.go proto/
+```
+
+## Структура
+
+```
+HellreigN/
+├── agent/                          # Агент диагностики
+│   ├── main.go
+│   └── internal/
+│       ├── buffer/                 # SQLite буфер (офлайн-доставка)
+│       ├── client/                 # gRPC клиент команд
+│       ├── commander/              # Исполнитель команд
+│       ├── config/                 # YAML конфиг
+│       ├── metrics/                # Сбор CPU, RAM, disk, network
+│       ├── logsource/              # Источники логов
+│       │   ├── docker/
+│       │   ├── file/
+│       │   ├── journald/
+│       │   └── kubernetes/
+│       ├── mtls/                   # mTLS credentials
+│       └── registration/           # Регистрация
+├── backend/                        # Бэкенд API
+│   ├── cmd/main.go
+│   └── internal/
+│       ├── handlers/               # HTTP хендлеры
+│       ├── repository/             # SQLite репозитории
+│       ├── grpcsrv/
+│       │   ├── commander/          # Выполнение команд
+│       │   └── collector/          # Сбор логов и метрик
+│       ├── auth/                   # JWT
+│       └── storage/                # ClickHouse
+├── frontend/                       # React + TypeScript
+├── infra/                          # Docker Compose
+│   ├── docker-compose.yml
+│   ├── services.yaml               # Граф зависимостей
+│   ├── backend/config.yml
+│   ├── agent/config.yml
+│   └── clickhouse/init/
+├── migrations/                     # SQL миграции SQLite
+└── proto/                          # Protobuf
+```

agent/.goreleaser.yml

@@ -0,0 +1,64 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+version: 2
+project_name: BanForge
+
+
+
+gitea_urls:
+  api: https://gitea.d3m0k1d.ru/api/v1
+  download: https://gitea.d3m0k1d.ru/d3m0k1d/HellreigN/releases/download
+  skip_tls_verify: false
+
+
+builds:
+  - id: banforge
+    main: ./main.go
+    binary: banforge
+    ignore:
+      - goos: windows
+      - goos: darwin
+      - goos: freebsd
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - "-s -w"
+    env:
+      - CGO_ENABLED=0
+
+nfpms:
+  - id: banforge
+    package_name: banforge
+    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    homepage: https://gitea.d3m0k1d.ru/d3m0k1d/HellreigN
+    description: HellreigN agent
+    maintainer: d3m0k1d <contact@d3m0k1d.ru>
+    license: GPLv3.0
+    formats:
+      - deb
+      - rpm
+    bindir: /usr/bin
+release: 
+  gitea:
+    owner: d3m0k1d
+    name: BanForge
+  mode: keep-existing
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+checksum:
+  name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
+  algorithm: sha256
+
+sboms:
+  - artifacts: any
+    documents:
+      - "{{ .ArtifactName }}.spdx.json"
+    cmd: syft
+    args: ["$artifact", "--output", "spdx-json=$document"]

agent/dockerfile

@@ -0,0 +1,24 @@
+FROM golang:1.26.1 as builder
+
+WORKDIR /app
+
+COPY proto/ proto/
+COPY agent/ agent/
+
+WORKDIR /app/agent
+RUN --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=cache,target=/root/.cache/go-build \
+  go mod download && \
+  CGO_ENABLED=0 go build -ldflags "-s -w" -o /agent .
+
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  systemd \
+  && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY --from=builder /agent .
+
+CMD ["./agent"]

agent/go.mod

@@ -0,0 +1,89 @@
+module gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent
+
+go 1.26.1
+
+require (
+	gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto v0.0.0-20260404174628-3389df740c20
+	github.com/hpcloud/tail v1.0.0
+	github.com/moby/moby/api v1.54.1
+	github.com/moby/moby/client v0.4.0
+	github.com/samber/lo v1.53.0
+	golang.org/x/sync v0.20.0
+	google.golang.org/grpc v1.80.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/api v0.35.3
+	k8s.io/apimachinery v0.35.3
+	modernc.org/sqlite v1.34.5
+)
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.41.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)
+
+require (
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	go.opentelemetry.io/otel/metric v1.41.0 // indirect
+	go.opentelemetry.io/otel/trace v1.41.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/fsnotify.v1 v1.4.7 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	k8s.io/client-go v0.35.3
+	modernc.org/libc v1.55.3 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.8.0 // indirect
+)
+
+replace gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto => ../proto

agent/go.sum

@@ -0,0 +1,227 @@
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
+github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
+github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/moby/api v1.54.1 h1:TqVzuJkOLsgLDDwNLmYqACUuTehOHRGKiPhvH8V3Nn4=
+github.com/moby/moby/api v1.54.1/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
+github.com/moby/moby/client v0.4.0 h1:S+2XegzHQrrvTCvF6s5HFzcrywWQmuVnhOXe2kiWjIw=
+github.com/moby/moby/client v0.4.0/go.mod h1:QWPbvWchQbxBNdaLSpoKpCdf5E+WxFAgNHogCWDoa7g=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
+github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
+github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/samber/lo v1.53.0 h1:t975lj2py4kJPQ6haz1QMgtId2gtmfktACxIXArw3HM=
+github.com/samber/lo v1.53.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 h1:sNrWoksmOyF5bvJUcnmbeAmQi8baNhqg5IWaI3llQqU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+k8s.io/api v0.35.3 h1:pA2fiBc6+N9PDf7SAiluKGEBuScsTzd2uYBkA5RzNWQ=
+k8s.io/api v0.35.3/go.mod h1:9Y9tkBcFwKNq2sxwZTQh1Njh9qHl81D0As56tu42GA4=
+k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8=
+k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.3 h1:s1lZbpN4uI6IxeTM2cpdtrwHcSOBML1ODNTCCfsP1pg=
+k8s.io/client-go v0.35.3/go.mod h1:RzoXkc0mzpWIDvBrRnD+VlfXP+lRzqQjCmKtiwZ8Q9c=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ=
+modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
+modernc.org/ccgo/v4 v4.19.2 h1:lwQZgvboKD0jBwdaeVCTouxhxAyN6iawF3STraAal8Y=
+modernc.org/ccgo/v4 v4.19.2/go.mod h1:ysS3mxiMV38XGRTTcgo0DQTeTmAO4oCmJl1nX9VFI3s=
+modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
+modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
+modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
+modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
+modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U=
+modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
+modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU=
+modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
+modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
+modernc.org/sqlite v1.34.5 h1:Bb6SR13/fjp15jt70CL4f18JIN7p7dnMExd+UFnF15g=
+modernc.org/sqlite v1.34.5/go.mod h1:YLuNmX9NKs8wRNK2ko1LW1NGYcc9FkBO69JOt1AR9JE=
+modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
+modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

agent/internal/buffer/buffer.go

@@ -0,0 +1,161 @@
+package buffer
+
+import (
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	_ "modernc.org/sqlite"
+)
+
+// BufferedLog represents a log entry stored for later delivery
+type BufferedLog struct {
+	ID        int64
+	Service   string
+	Message   string
+	CreatedAt time.Time
+}
+
+// LogBuffer provides SQLite-backed log buffering
+type LogBuffer struct {
+	db *sql.DB
+}
+
+// NewLogBuffer creates a new log buffer with the given database path
+func NewLogBuffer(dbPath string) (*LogBuffer, error) {
+	db, err := sql.Open("sqlite", dbPath+"?_journal_mode=WAL&_busy_timeout=5000")
+	if err != nil {
+		return nil, fmt.Errorf("failed to open database: %w", err)
+	}
+
+	// Create table if not exists
+	_, err = db.Exec(`
+		CREATE TABLE IF NOT EXISTS buffered_logs (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			service TEXT NOT NULL,
+			message TEXT NOT NULL,
+			created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+		)
+	`)
+	if err != nil {
+		_ = db.Close()
+		return nil, fmt.Errorf("failed to create table: %w", err)
+	}
+
+	// Create index for efficient ordering
+	_, _ = db.Exec(`CREATE INDEX IF NOT EXISTS idx_created_at ON buffered_logs(created_at ASC)`)
+
+	return &LogBuffer{db: db}, nil
+}
+
+// Close closes the database connection
+func (b *LogBuffer) Close() error {
+	return b.db.Close()
+}
+
+// Store stores a log entry in the buffer
+func (b *LogBuffer) Store(service, message string) error {
+	_, err := b.db.Exec(
+		"INSERT INTO buffered_logs (service, message) VALUES (?, ?)",
+		service, message,
+	)
+	return err
+}
+
+// StoreBatch stores multiple log entries in a single transaction
+func (b *LogBuffer) StoreBatch(entries []BufferedLog) error {
+	tx, err := b.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+
+	stmt, err := tx.Prepare("INSERT INTO buffered_logs (service, message) VALUES (?, ?)")
+	if err != nil {
+		return err
+	}
+	defer stmt.Close()
+
+	for _, entry := range entries {
+		if _, err := stmt.Exec(entry.Service, entry.Message); err != nil {
+			return err
+		}
+	}
+
+	return tx.Commit()
+}
+
+// GetPending retrieves pending logs in order of arrival, limited to batchSize
+func (b *LogBuffer) GetPending(batchSize int) ([]BufferedLog, error) {
+	rows, err := b.db.Query(
+		"SELECT id, service, message, created_at FROM buffered_logs ORDER BY created_at ASC LIMIT ?",
+		batchSize,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var logs []BufferedLog
+	for rows.Next() {
+		var log BufferedLog
+		var createdAt string
+		if err := rows.Scan(&log.ID, &log.Service, &log.Message, &createdAt); err != nil {
+			return nil, err
+		}
+		log.CreatedAt, _ = time.Parse("2006-01-02 15:04:05", createdAt)
+		logs = append(logs, log)
+	}
+
+	return logs, rows.Err()
+}
+
+// Delete removes a log entry from the buffer after successful delivery
+func (b *LogBuffer) Delete(id int64) error {
+	_, err := b.db.Exec("DELETE FROM buffered_logs WHERE id = ?", id)
+	return err
+}
+
+// DeleteBatch removes multiple log entries after successful delivery
+func (b *LogBuffer) DeleteBatch(ids []int64) error {
+	if len(ids) == 0 {
+		return nil
+	}
+
+	tx, err := b.db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+
+	for _, id := range ids {
+		if _, err := tx.Exec("DELETE FROM buffered_logs WHERE id = ?", id); err != nil {
+			return err
+		}
+	}
+
+	return tx.Commit()
+}
+
+// Count returns the number of buffered logs
+func (b *LogBuffer) Count() (int, error) {
+	var count int
+	err := b.db.QueryRow("SELECT COUNT(*) FROM buffered_logs").Scan(&count)
+	return count, err
+}
+
+// Clear removes all buffered logs
+func (b *LogBuffer) Clear() error {
+	_, err := b.db.Exec("DELETE FROM buffered_logs")
+	return err
+}
+
+// FlushToJSON exports buffered logs to JSON format for debugging
+func (b *LogBuffer) FlushToJSON() ([]byte, error) {
+	logs, err := b.GetPending(1000)
+	if err != nil {
+		return nil, err
+	}
+	return json.MarshalIndent(logs, "", "  ")
+}

agent/internal/client/commandexe.go

@@ -0,0 +1,81 @@
+package client
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"sync"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/commander"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/metadata"
+)
+
+type CommanderClient struct {
+	cmder     *commander.CommandExecutor
+	wg        *sync.WaitGroup
+	id, label string
+}
+
+func New(
+	cmder *commander.CommandExecutor,
+	id, label string,
+) CommanderClient {
+	return CommanderClient{cmder, new(sync.WaitGroup), id, label}
+}
+
+func (self *CommanderClient) HandleCommands(ctx context.Context, srvAddr string, tc credentials.TransportCredentials) error {
+	cli, err := grpc.NewClient(srvAddr, grpc.WithTransportCredentials(tc))
+	if err != nil {
+		return fmt.Errorf("Failed to connect to gRPC: %w", err)
+	}
+	ccli := proto.NewCommanderClient(cli)
+	bidi, err := ccli.Stream(metadata.NewOutgoingContext(ctx, metadata.MD{"agentid": []string{self.id}, "label": []string{self.label}}))
+	if err != nil {
+		return err
+	}
+	wg := new(errgroup.Group)
+	wg.Go(self.recv(bidi))
+	// wg.Go(self.send(bidi))
+	err = wg.Wait()
+	self.wg.Wait()
+	return err
+}
+
+func (self *CommanderClient) recv(bidi grpc.BidiStreamingClient[proto.FinishedCommand, proto.Command]) func() error {
+	return func() error {
+		for {
+			msg, err := bidi.Recv()
+			if err != nil {
+				if errors.Is(err, io.EOF) {
+					return nil
+				}
+				return err
+			}
+			self.wg.Go(func() {
+				func() error {
+					fc, err := self.cmder.Execute(msg)
+					if err != nil {
+						return err
+					}
+					return bidi.Send(fc)
+				}()
+				if err != nil {
+					log.Println(err)
+				}
+			})
+
+		}
+	}
+}
+
+// func (self *God) send(bidi grpc.BidiStreamingClient[proto.FinishedCommand, proto.Command]) func() error {
+// 	return func() error {
+// 		return nil
+// 	}
+// }

agent/internal/commander/impl.go

@@ -0,0 +1,66 @@
+package commander
+
+import (
+	"bytes"
+	"errors"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"golang.org/x/sync/errgroup"
+	"io"
+	"os/exec"
+)
+
+type CommandExecutor struct{}
+
+func (*CommandExecutor) Execute(command *proto.Command) (fc *proto.FinishedCommand, err error) {
+	fc = new(proto.FinishedCommand)
+	fc.Id = command.Id
+	cmd := exec.Command(command.Command[0], command.Command[1:]...)
+	var stdin io.WriteCloser
+	if command.Stdin != nil {
+		stdin, err = cmd.StdinPipe()
+		if err != nil {
+			return nil, err
+		}
+	}
+	stdout, err1 := cmd.StdoutPipe()
+	stderr, err2 := cmd.StderrPipe()
+	if err := errors.Join(err1, err2); err != nil {
+		return nil, err
+	}
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+	if command.Stdin != nil {
+		io.WriteString(stdin, *command.Stdin)
+		if err := stdin.Close(); err != nil {
+			return nil, err
+		}
+	}
+	eg := new(errgroup.Group)
+	stdoutbuf := new(bytes.Buffer)
+	stderrbuf := new(bytes.Buffer)
+	eg.Go(func() error {
+		_, err := io.Copy(stdoutbuf, stdout)
+		return err
+	})
+	eg.Go(func() error {
+		_, err := io.Copy(stderrbuf, stderr)
+		return err
+	})
+	if waitErr := cmd.Wait(); waitErr != nil {
+		var exitErr *exec.ExitError
+		if !errors.As(waitErr, &exitErr) {
+			return nil, waitErr
+		}
+		fc.Status = int32(exitErr.ExitCode())
+	} else {
+		fc.Status = int32(cmd.ProcessState.ExitCode())
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+	fc.Status = int32(cmd.ProcessState.ExitCode())
+	fc.Stdout = stdoutbuf.String()
+	fc.Stderr = stderrbuf.String()
+	return
+}

agent/internal/config/config.go

@@ -0,0 +1,63 @@
+package config
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+)
+
+type ServiceConfig struct {
+	Name        string  `yaml:"name"`
+	Type        string  `yaml:"type"`
+	Path        *string `yaml:"path"`
+	SystemdUnit *string `yaml:"systemd_unit"` // Optional: systemd unit name for health check
+}
+
+type AgentConfig struct {
+	BackendURL        string          `yaml:"backend_url"`
+	GRPCURL           string          `yaml:"grpc_url"`
+	RegistrationToken string          `yaml:"registration_token"`
+	Label             string          `yaml:"label"`
+	CertDir           string          `yaml:"cert_dir"`
+	Services          []ServiceConfig `yaml:"services"`
+
+	MonitorDocker bool `yaml:"monitor_docker"`
+
+	MonitorKubernetes   bool    `yaml:"monitor_kubes"`
+	KubernetesNamespace *string `yaml:"kubernetes_namespace"`
+}
+
+func Load(path string) (*AgentConfig, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var cfg AgentConfig
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+
+	if cfg.CertDir == "" {
+		cfg.CertDir = "/etc/hellreign-agent/certs"
+	}
+
+	return &cfg, nil
+}
+
+func LoadFromString(data string) (*AgentConfig, error) {
+	var cfg AgentConfig
+	if err := yaml.Unmarshal([]byte(data), &cfg); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
+
+func validateConfigPath(path string) error {
+	if _, err := os.Stat(path); err != nil {
+		return fmt.Errorf("config file not found: %w", err)
+	}
+	return nil
+}

agent/internal/logger/logger.go

@@ -0,0 +1,27 @@
+package logger
+
+import (
+	"log/slog"
+	"os"
+)
+
+type Logger struct {
+	*slog.Logger
+}
+
+func New(debug bool) *Logger {
+	var level slog.Level
+	if debug {
+		level = slog.LevelDebug
+	} else {
+		level = slog.LevelInfo
+	}
+
+	handler := slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
+		Level: level,
+	})
+
+	return &Logger{
+		Logger: slog.New(handler),
+	}
+}

agent/internal/logsource/docker/impl.go

@@ -0,0 +1,89 @@
+package docker
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os/exec"
+	"syscall"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/config"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource"
+)
+
+var _ logsource.LogSource = new(DockerLogSource)
+
+// DockerLogSource reads logs from a Docker container via `docker logs -f`.
+type DockerLogSource struct {
+	cmd           *exec.Cmd
+	stdout        io.ReadCloser
+	stdoutscanner *bufio.Scanner
+}
+
+// ReadLine implements logsource.LogSource.
+func (d *DockerLogSource) ReadLine() (string, error) {
+	if d.stdoutscanner.Scan() {
+		return d.stdoutscanner.Text(), nil
+	} else {
+		if d.stdoutscanner.Err() == nil {
+			return "", fmt.Errorf("%w: %s", logsource.ErrDead, io.EOF)
+		}
+		return "", d.stdoutscanner.Err()
+	}
+}
+
+// Close implements logsource.LogSource.
+func (d *DockerLogSource) Close() error {
+	_ = d.cmd.Process.Signal(syscall.SIGTERM)
+	return d.cmd.Wait()
+}
+
+// New creates a Docker log source for the given container.
+// The container name is taken from cfg.Path (if set) or cfg.Name.
+func New(cfg config.ServiceConfig) (*DockerLogSource, error) {
+	containerName := cfg.Name
+	if cfg.Path != nil && *cfg.Path != "" {
+		containerName = *cfg.Path
+	}
+
+	// docker logs -f --tail=0 --no-color <container_name>
+	// -f        : follow new logs
+	// --tail=0  : skip existing logs
+	// --no-color: strip color codes for clean output
+	cmd := exec.Command("docker", "logs", "-f", "--tail=0", "--no-color", containerName) //nolint:gosec
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create stdout pipe for docker logs: %w", err)
+	}
+
+	// Also capture stderr since docker logs merges stdout and stderr from the container
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create stderr pipe for docker logs: %w", err)
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return nil, fmt.Errorf("failed to start docker logs for container %q: %w", containerName, err)
+	}
+
+	// Use MultiReader to merge stdout and stderr
+	// Docker logs outputs container stdout+stderr to its own stdout, but we also
+	// capture the docker CLI's stderr separately in case of errors (e.g. container not found)
+	stdoutscanner := bufio.NewScanner(stdout)
+
+	// Start a goroutine to consume stderr (we don't send docker CLI stderr as logs,
+	// but we need to prevent the pipe from filling up)
+	go func() {
+		buf := make([]byte, 4096)
+		for {
+			_, err := stderr.Read(buf)
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	return &DockerLogSource{cmd, stdout, stdoutscanner}, nil
+}

agent/internal/logsource/file/impl.go

@@ -0,0 +1,45 @@
+package file
+
+import (
+	"errors"
+	"os"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource"
+	"github.com/hpcloud/tail"
+)
+
+var _ logsource.LogSource = new(FileLogSource)
+
+type FileLogSource struct {
+	*tail.Tail
+}
+
+func New(filepath string) (fls *FileLogSource, err error) {
+	if _, err := os.Stat(filepath); os.IsNotExist(err) {
+		if err := os.WriteFile(filepath, []byte{}, 0600); err != nil {
+			return nil, err
+		}
+	}
+	t, err := tail.TailFile(filepath, tail.Config{
+		Follow: true,
+		Location: &tail.SeekInfo{
+			Offset: 100,
+			Whence: 2,
+		},
+	})
+	if err != nil {
+		return
+	}
+	return &FileLogSource{t}, nil
+}
+func (f *FileLogSource) ReadLine() (string, error) {
+	select {
+	case <-f.Dead():
+		return "", errors.Join(logsource.ErrDead, f.Err())
+	case line := <-f.Lines:
+		return line.Text, line.Err
+	}
+}
+func (f *FileLogSource) Close() error {
+	return f.Stop()
+}

agent/internal/logsource/interface.go

@@ -0,0 +1,10 @@
+package logsource
+
+import "errors"
+
+type LogSource interface {
+	ReadLine() (string, error)
+	Close() error
+}
+
+var ErrDead = errors.New("shouldn't continue to read that")

agent/internal/logsource/journald/impl.go

@@ -0,0 +1,55 @@
+package journald
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os/exec"
+	"syscall"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/config"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource"
+)
+
+var _ logsource.LogSource = new(JournaldLogSource)
+
+type JournaldLogSource struct {
+	cmd           *exec.Cmd
+	stdout        io.ReadCloser
+	stdoutscanner *bufio.Scanner
+}
+
+// ReadLine implements logsource.LogSource.
+func (j *JournaldLogSource) ReadLine() (string, error) {
+	if j.stdoutscanner.Scan() {
+		return j.stdoutscanner.Text(), nil
+	} else {
+		if j.stdoutscanner.Err() == nil {
+			return "", fmt.Errorf("%w: %s", logsource.ErrDead, io.EOF)
+		}
+		return "", j.stdoutscanner.Err()
+	}
+}
+func (j *JournaldLogSource) Close() error {
+	_ = j.cmd.Process.Signal(syscall.SIGTERM)
+	return j.cmd.Wait()
+}
+
+func New(cfg config.ServiceConfig, logdir string) (*JournaldLogSource, error) {
+	args := make([]string, 0)
+	if cfg.Path != nil {
+		args = append(args, "-u", *cfg.Path)
+	}
+	args = append(args, "-f", "-n", "0", "-o", "short", "--no-pager", "--directory", logdir)
+	cmd := exec.Command("journalctl", args...) //nolint:gosec
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	err = cmd.Start()
+	if err != nil {
+		return nil, err
+	}
+	stdoutscanner := bufio.NewScanner(stdout)
+	return &JournaldLogSource{cmd, stdout, stdoutscanner}, nil
+}

agent/internal/logsource/kubernetes/impl.go

@@ -0,0 +1,95 @@
+package kubernetes
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os/exec"
+	"strings"
+	"syscall"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/config"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource"
+)
+
+var _ logsource.LogSource = new(KubernetesLogSource)
+
+// KubernetesLogSource reads logs from a Kubernetes pod via `kubectl logs -f`.
+type KubernetesLogSource struct {
+	cmd           *exec.Cmd
+	stdout        io.ReadCloser
+	stdoutscanner *bufio.Scanner
+}
+
+// ReadLine implements logsource.LogSource.
+func (k *KubernetesLogSource) ReadLine() (string, error) {
+	if k.stdoutscanner.Scan() {
+		return k.stdoutscanner.Text(), nil
+	} else {
+		if k.stdoutscanner.Err() == nil {
+			return "", fmt.Errorf("%w: %s", logsource.ErrDead, io.EOF)
+		}
+		return "", k.stdoutscanner.Err()
+	}
+}
+
+// Close implements logsource.LogSource.
+func (k *KubernetesLogSource) Close() error {
+	_ = k.cmd.Process.Signal(syscall.SIGTERM)
+	return k.cmd.Wait()
+}
+
+// New creates a Kubernetes log source for the given pod.
+// The pod identifier is taken from cfg.Path in the format "namespace/podname".
+// If no namespace is specified (just "podname"), "default" namespace is used.
+// If cfg.Path is nil or empty, cfg.Name is used as the pod name with "default" namespace.
+func New(cfg config.ServiceConfig) (*KubernetesLogSource, error) {
+	podName := cfg.Name
+	namespace := "default"
+
+	if cfg.Path != nil && *cfg.Path != "" {
+		parts := strings.SplitN(*cfg.Path, "/", 2)
+		if len(parts) == 2 {
+			namespace = parts[0]
+			podName = parts[1]
+		} else {
+			podName = parts[0]
+		}
+	}
+
+	// kubectl logs -f <pod> -n <namespace> --tail=0 --no-color
+	// -f        : follow new logs
+	// --tail=0  : skip existing logs
+	// --no-color: strip color codes for clean output
+	cmd := exec.Command("kubectl", "logs", "-f", podName, "-n", namespace, "--tail=0", "--no-color") //nolint:gosec
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create stdout pipe for kubectl logs: %w", err)
+	}
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create stderr pipe for kubectl logs: %w", err)
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return nil, fmt.Errorf("failed to start kubectl logs for pod %q (ns: %q): %w", podName, namespace, err)
+	}
+
+	stdoutscanner := bufio.NewScanner(stdout)
+
+	// Consume stderr to prevent pipe from filling up
+	go func() {
+		buf := make([]byte, 4096)
+		for {
+			_, err := stderr.Read(buf)
+			if err != nil {
+				return
+			}
+		}
+	}()
+
+	return &KubernetesLogSource{cmd, stdout, stdoutscanner}, nil
+}

agent/internal/metrics/collector.go

@@ -0,0 +1,214 @@
+package metrics
+
+import (
+	"bufio"
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+)
+
+// SystemMetrics holds current system resource usage.
+type SystemMetrics struct {
+	CPUPercent     float64
+	MemoryPercent  float64
+	DiskPercent    float64
+	NetworkRxBytes float64
+	NetworkTxBytes float64
+}
+
+// Collector collects system metrics from /proc and sysfs.
+type Collector struct {
+	lastCPUTotal  uint64
+	lastCPUIdle   uint64
+	lastNetRx     float64
+	lastNetTx     float64
+	lastNetTime   time.Time
+}
+
+// NewCollector creates a new metrics collector.
+func NewCollector() *Collector {
+	return &Collector{}
+}
+
+// Collect gathers current system metrics.
+func (c *Collector) Collect() (SystemMetrics, error) {
+	var m SystemMetrics
+
+	cpu, err := c.readCPU()
+	if err == nil {
+		m.CPUPercent = cpu
+	}
+
+	mem, err := c.readMemory()
+	if err == nil {
+		m.MemoryPercent = mem
+	}
+
+	disk, err := c.readDisk("/")
+	if err == nil {
+		m.DiskPercent = disk
+	}
+
+	netRx, netTx, err := c.readNetwork()
+	if err == nil {
+		m.NetworkRxBytes = netRx
+		m.NetworkTxBytes = netTx
+	}
+
+	return m, nil
+}
+
+// readCPU returns CPU usage percentage since last call.
+func (c *Collector) readCPU() (float64, error) {
+	f, err := os.Open("/proc/stat")
+	if err != nil {
+		return 0, err
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if !strings.HasPrefix(line, "cpu ") {
+			continue
+		}
+
+		fields := strings.Fields(line)
+		if len(fields) < 8 {
+			return 0, nil
+		}
+
+		var user, nice, system, idle, iowait, irq, softirq uint64
+		user, _ = strconv.ParseUint(fields[1], 10, 64)
+		nice, _ = strconv.ParseUint(fields[2], 10, 64)
+		system, _ = strconv.ParseUint(fields[3], 10, 64)
+		idle, _ = strconv.ParseUint(fields[4], 10, 64)
+		iowait, _ = strconv.ParseUint(fields[5], 10, 64)
+		irq, _ = strconv.ParseUint(fields[6], 10, 64)
+		softirq, _ = strconv.ParseUint(fields[7], 10, 64)
+
+		total := user + nice + system + idle + iowait + irq + softirq
+		idleTotal := idle + iowait
+
+		if c.lastCPUTotal > 0 {
+			totalDiff := total - c.lastCPUTotal
+			idleDiff := idleTotal - c.lastCPUIdle
+
+			if totalDiff > 0 {
+				cpuPercent := float64(totalDiff-idleDiff) / float64(totalDiff) * 100.0
+				c.lastCPUTotal = total
+				c.lastCPUIdle = idleTotal
+				return cpuPercent, nil
+			}
+		}
+
+		c.lastCPUTotal = total
+		c.lastCPUIdle = idleTotal
+		return 0, nil
+	}
+
+	return 0, scanner.Err()
+}
+
+// readMemory returns RAM usage percentage.
+func (c *Collector) readMemory() (float64, error) {
+	f, err := os.Open("/proc/meminfo")
+	if err != nil {
+		return 0, err
+	}
+	defer f.Close()
+
+	var total, available uint64
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "MemTotal:") {
+			fields := strings.Fields(line)
+			total, _ = strconv.ParseUint(fields[1], 10, 64)
+		} else if strings.HasPrefix(line, "MemAvailable:") {
+			fields := strings.Fields(line)
+			available, _ = strconv.ParseUint(fields[1], 10, 64)
+		}
+	}
+
+	if total == 0 {
+		return 0, nil
+	}
+
+	used := total - available
+	return float64(used) / float64(total) * 100.0, nil
+}
+
+// readDisk returns disk usage percentage for the given path.
+func (c *Collector) readDisk(path string) (float64, error) {
+	var stat syscall.Statfs_t
+	if err := syscall.Statfs(path, &stat); err != nil {
+		return 0, err
+	}
+
+	total := stat.Blocks * uint64(stat.Bsize)
+	free := stat.Bfree * uint64(stat.Bsize)
+
+	if total == 0 {
+		return 0, nil
+	}
+
+	used := total - free
+	return float64(used) / float64(total) * 100.0, nil
+}
+
+// readNetwork returns network RX/TX bytes per second.
+func (c *Collector) readNetwork() (float64, float64, error) {
+	f, err := os.Open("/proc/net/dev")
+	if err != nil {
+		return 0, 0, err
+	}
+	defer f.Close()
+
+	var totalRx, totalTx uint64
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		// Skip header lines
+		if strings.Contains(line, "|") || strings.HasPrefix(strings.TrimSpace(line), "Inter") {
+			continue
+		}
+
+		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
+		if len(parts) < 2 {
+			continue
+		}
+
+		fields := strings.Fields(parts[1])
+		if len(fields) < 9 {
+			continue
+		}
+
+		rx, _ := strconv.ParseUint(fields[0], 10, 64)
+		tx, _ := strconv.ParseUint(fields[8], 10, 64)
+		totalRx += rx
+		totalTx += tx
+	}
+
+	now := time.Now()
+	var rxRate, txRate float64
+
+	if !c.lastNetTime.IsZero() {
+		elapsed := now.Sub(c.lastNetTime).Seconds()
+		if elapsed > 0 {
+			rxRate = float64(totalRx) - c.lastNetRx
+			txRate = float64(totalTx) - c.lastNetTx
+			// Convert to bytes per second
+			rxRate = rxRate / elapsed
+			txRate = txRate / elapsed
+		}
+	}
+
+	c.lastNetRx = float64(totalRx)
+	c.lastNetTx = float64(totalTx)
+	c.lastNetTime = now
+
+	return rxRate, txRate, nil
+}

agent/internal/models/service.go

@@ -0,0 +1,22 @@
+package models
+
+// ServiceStatus represents the unified status of a service across all monitor types.
+type ServiceStatus string
+
+const (
+	StatusRunning  ServiceStatus = "running"
+	StatusStopped  ServiceStatus = "stopped"
+	StatusDegraded ServiceStatus = "degraded"
+	StatusPending  ServiceStatus = "pending"
+	StatusUnknown  ServiceStatus = "unknown"
+)
+
+// IsHealthy reports whether the service is stable enough for dependents to rely on.
+func (s ServiceStatus) IsHealthy() bool {
+	return s == StatusRunning
+}
+
+type Service struct {
+	Name   string
+	Status ServiceStatus
+}

agent/internal/monitor/docker/impl.go

@@ -0,0 +1,58 @@
+package docker
+
+import (
+	"context"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/monitor"
+	"github.com/moby/moby/api/types/container"
+	moby "github.com/moby/moby/client"
+	"github.com/samber/lo"
+)
+
+var _ monitor.ServiceMonitor = new(DockerMonitor)
+
+type DockerMonitor struct{}
+
+func New() *DockerMonitor {
+	return &DockerMonitor{}
+}
+
+func (self *DockerMonitor) CheckServices(ctx context.Context) ([]models.Service, error) {
+	client, err := moby.New(moby.FromEnv)
+	if err != nil {
+		return nil, err
+	}
+	ctrs, err := client.ContainerList(ctx, moby.ContainerListOptions{
+		Size:    false,
+		All:     false,
+		Limit:   0,
+		Filters: moby.Filters{},
+		Latest:  false,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return lo.Map(ctrs.Items, func(item container.Summary, _ int) models.Service {
+		return models.Service{
+			Name:   lo.If(len(item.Names) > 0, item.Names[0]).Else(item.ID),
+			Status: mapContainerState(string(item.State)),
+		}
+	}), nil
+}
+
+// mapContainerState maps Docker container states to unified ServiceStatus.
+func mapContainerState(state string) models.ServiceStatus {
+	switch state {
+	case "running":
+		return models.StatusRunning
+	case "exited", "dead":
+		return models.StatusStopped
+	case "paused":
+		return models.StatusDegraded
+	case "restarting", "created", "removing":
+		return models.StatusPending
+	default:
+		return models.StatusUnknown
+	}
+}

agent/internal/monitor/interface.go

@@ -0,0 +1,11 @@
+package monitor
+
+import (
+	"context"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/models"
+)
+
+type ServiceMonitor interface {
+	CheckServices(ctx context.Context) ([]models.Service, error)
+}

agent/internal/monitor/kubes/impl.go

@@ -0,0 +1,66 @@
+package kubes
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/samber/lo"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/monitor"
+)
+
+var _ monitor.ServiceMonitor = new(KubesMonitor)
+
+type KubesMonitor struct{ namespace string }
+
+func New(namespace string) *KubesMonitor {
+	return &KubesMonitor{namespace}
+}
+
+func (self *KubesMonitor) CheckServices(ctx context.Context) ([]models.Service, error) {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return nil, err
+	}
+	config, err := clientcmd.BuildConfigFromFlags("", filepath.Join(home, ".kube", "config"))
+	if err != nil {
+		return nil, err
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	// TODO: consider moving all the shit above into constructor
+	pods, err := clientset.CoreV1().Pods(self.namespace).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return lo.Map(pods.Items, func(item corev1.Pod, _ int) models.Service {
+		return models.Service{
+			Name:   item.Name,
+			Status: mapPodPhase(item.Status.Phase),
+		}
+	}), nil
+}
+
+// mapPodPhase maps K8s pod phases to unified ServiceStatus.
+func mapPodPhase(phase corev1.PodPhase) models.ServiceStatus {
+	switch phase {
+	case corev1.PodRunning:
+		return models.StatusRunning
+	case corev1.PodSucceeded:
+		return models.StatusStopped
+	case corev1.PodFailed:
+		return models.StatusStopped
+	case corev1.PodPending:
+		return models.StatusPending
+	default:
+		return models.StatusUnknown
+	}
+}

agent/internal/mtls/credentials.go

@@ -0,0 +1,49 @@
+package mtls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+
+	"google.golang.org/grpc/credentials"
+)
+
+// LoadMTLSCredentials loads client certificate and CA certificate for mTLS.
+func LoadMTLSCredentials(caCertPEM, clientCertPEM, clientKeyPEM []byte) (credentials.TransportCredentials, error) {
+	cert, err := tls.X509KeyPair(clientCertPEM, clientKeyPEM)
+	if err != nil {
+		return nil, fmt.Errorf("load client key pair: %w", err)
+	}
+
+	caCertPool := x509.NewCertPool()
+	if !caCertPool.AppendCertsFromPEM(caCertPEM) {
+		return nil, fmt.Errorf("failed to append CA certificate")
+	}
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		RootCAs:      caCertPool,
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	return credentials.NewTLS(tlsConfig), nil
+}
+
+// LoadMTLSCredentialsFromFiles loads mTLS credentials from file paths.
+func LoadMTLSCredentialsFromFiles(caCertPath, clientCertPath, clientKeyPath string) (credentials.TransportCredentials, error) {
+	caCert, err := os.ReadFile(caCertPath)
+	if err != nil {
+		return nil, fmt.Errorf("read CA cert: %w", err)
+	}
+	clientCert, err := os.ReadFile(clientCertPath)
+	if err != nil {
+		return nil, fmt.Errorf("read client cert: %w", err)
+	}
+	clientKey, err := os.ReadFile(clientKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("read client key: %w", err)
+	}
+
+	return LoadMTLSCredentials(caCert, clientCert, clientKey)
+}

agent/internal/registration/registration.go

@@ -0,0 +1,169 @@
+package registration
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+)
+
+type Certs struct {
+	CACertPEM     []byte
+	ClientCertPEM []byte
+	ClientKeyPEM  []byte
+}
+
+type RegisterRequest struct {
+	CSR   string `json:"csr"`
+	Token string `json:"token"`
+}
+
+type RegisterResponse struct {
+	CACert     string `json:"ca_cert"`
+	ClientCert string `json:"client_cert"`
+}
+
+type TokenResponse struct {
+	Token string `json:"token"`
+}
+
+type ErrorResponse struct {
+	Error string `json:"error"`
+}
+
+// GenerateKeyAndCSR generates a new ECDSA private key and CSR for the agent.
+func GenerateKeyAndCSR(label string) (*ecdsa.PrivateKey, []byte, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, fmt.Errorf("generate key: %w", err)
+	}
+
+	template := x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName:   label,
+			Organization: []string{"HellreigN Agent"},
+		},
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
+	}
+
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &template, key)
+	if err != nil {
+		return nil, nil, fmt.Errorf("create csr: %w", err)
+	}
+
+	csrPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrDER,
+	})
+
+	return key, csrPEM, nil
+}
+
+// Register sends CSR to backend and receives signed certificates.
+func Register(backendURL, token string, csrPEM []byte) (*Certs, error) {
+	reqBody := RegisterRequest{CSR: string(csrPEM), Token: token}
+	body, err := json.Marshal(reqBody)
+	if err != nil {
+		return nil, err
+	}
+
+	url := fmt.Sprintf("%s/api/v1/agents/register", backendURL)
+	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("register request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		var errResp ErrorResponse
+		json.NewDecoder(resp.Body).Decode(&errResp)
+		return nil, fmt.Errorf("registration failed (status %d): %s", resp.StatusCode, errResp.Error)
+	}
+
+	var regResp RegisterResponse
+	if err := json.NewDecoder(resp.Body).Decode(&regResp); err != nil {
+		return nil, fmt.Errorf("decode response: %w", err)
+	}
+
+	return &Certs{
+		CACertPEM:     []byte(regResp.CACert),
+		ClientCertPEM: []byte(regResp.ClientCert),
+	}, nil
+}
+
+// SaveCerts saves CA cert, client cert, and client key to the given directory.
+func SaveCerts(certDir string, certs *Certs, key *ecdsa.PrivateKey) error {
+	if err := os.MkdirAll(certDir, 0700); err != nil {
+		return fmt.Errorf("create cert dir: %w", err)
+	}
+
+	if err := os.WriteFile(filepath.Join(certDir, "ca.crt"), certs.CACertPEM, 0644); err != nil {
+		return err
+	}
+	if err := os.WriteFile(filepath.Join(certDir, "client.crt"), certs.ClientCertPEM, 0644); err != nil {
+		return err
+	}
+
+	keyDER, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return err
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: keyDER,
+	})
+	if err := os.WriteFile(filepath.Join(certDir, "client.key"), keyPEM, 0600); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// LoadCerts loads existing certificates and key from disk.
+func LoadCerts(certDir string) (*Certs, *ecdsa.PrivateKey, error) {
+	caCert, err := os.ReadFile(filepath.Join(certDir, "ca.crt"))
+	if err != nil {
+		return nil, nil, err
+	}
+	clientCert, err := os.ReadFile(filepath.Join(certDir, "client.crt"))
+	if err != nil {
+		return nil, nil, err
+	}
+	clientKeyPEM, err := os.ReadFile(filepath.Join(certDir, "client.key"))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	block, _ := pem.Decode(clientKeyPEM)
+	if block == nil {
+		return nil, nil, fmt.Errorf("decode client key")
+	}
+	key, err := x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("parse client key: %w", err)
+	}
+
+	return &Certs{
+		CACertPEM:     caCert,
+		ClientCertPEM: clientCert,
+	}, key, nil
+}
+
+// CertsExist checks if all certificate files exist in the directory.
+func CertsExist(certDir string) bool {
+	files := []string{"ca.crt", "client.crt", "client.key"}
+	for _, f := range files {
+		if _, err := os.Stat(filepath.Join(certDir, f)); err != nil {
+			return false
+		}
+	}
+	return true
+}

agent/main.go

@@ -0,0 +1,480 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/buffer"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/client"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/commander"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/config"
+	agentmetrics "gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/metrics"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logger"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource/docker"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource/file"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource/journald"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/logsource/kubernetes"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/mtls"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/agent/internal/registration"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"github.com/samber/lo"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/metadata"
+)
+
+func main() {
+	cfgPath := os.Getenv("CONFIG_FILE")
+	if cfgPath == "" {
+		cfgPath = "/etc/hellreign-agent/config.yml"
+	}
+
+	cfg, err := config.Load(cfgPath)
+	if err != nil {
+		log.Fatalf("Failed to load config: %v", err)
+	}
+
+	lgr := logger.New(os.Getenv("IS_DEBUG") == "1")
+	lgr.Debug("Config parsed", "cfg", cfg)
+
+	// Check if certificates already exist (agent was previously registered)
+	if registration.CertsExist(cfg.CertDir) {
+		lgr.Info("Certificates found, skipping registration")
+	} else {
+		if cfg.RegistrationToken == "" {
+			lgr.Error("No registration token provided")
+			os.Exit(1)
+		}
+
+		// Generate key and CSR
+		k, csrPEM, err := registration.GenerateKeyAndCSR(cfg.Label)
+		if err != nil {
+			lgr.Error("Failed to generate key and CSR", "err", err)
+			os.Exit(1)
+		}
+		lgr.Info("Generated ECDSA key pair and CSR")
+
+		// Register with backend
+		certs, err := registration.Register(cfg.BackendURL, cfg.RegistrationToken, csrPEM)
+		if err != nil {
+			lgr.Error("Failed to register", "err", err)
+			os.Exit(1)
+		}
+		lgr.Info("Successfully registered, received certificates")
+
+		// Save certificates
+		if err := registration.SaveCerts(cfg.CertDir, certs, k); err != nil {
+			lgr.Error("Failed to save certificates", "err", err)
+			os.Exit(1)
+		}
+		lgr.Info("Certificates saved", "cert_dir", cfg.CertDir)
+	}
+
+	creds, err := mtls.LoadMTLSCredentialsFromFiles(
+		cfg.CertDir+"/ca.crt",
+		cfg.CertDir+"/client.crt",
+		cfg.CertDir+"/client.key",
+	)
+	if err != nil {
+		lgr.Error("Failed to load TLS credentials", "err", err)
+		os.Exit(1)
+	}
+
+	// Initialize log buffer for offline storage
+	dbPath := getEnvOrDefault("BUFFER_DB", "/var/lib/hellreign-agent/agent_buffer.db")
+	logBuf, err := buffer.NewLogBuffer(dbPath)
+	if err != nil {
+		lgr.Error("Failed to create log buffer", "err", err)
+		os.Exit(1)
+	}
+	defer func() { _ = logBuf.Close() }()
+	lgr.Info("Log buffer initialized", "path", dbPath)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	wg := &errgroup.Group{}
+
+	grpcAddr := cfg.GRPCURL
+	if grpcAddr == "" {
+		grpcAddr = cfg.BackendURL
+	}
+	grpcAddr = strings.TrimPrefix(grpcAddr, "http://")
+	grpcAddr = strings.TrimPrefix(grpcAddr, "https://")
+	// Start command executor
+	wg.Go(func() error {
+		cmdexe := new(commander.CommandExecutor)
+		ccli := client.New(cmdexe, cfg.Label, cfg.Label)
+		return ccli.HandleCommands(ctx, grpcAddr, creds)
+	})
+
+	// Start services update stream
+	if len(cfg.Services) > 0 {
+		wg.Go(func() error {
+			return reportServices(ctx, grpcAddr, creds, cfg.Label, cfg.Services, lgr)
+		})
+	}
+
+	// Start system metrics reporting
+	wg.Go(func() error {
+		return reportSystemMetrics(ctx, grpcAddr, creds, cfg.Label, lgr)
+	})
+
+	// Start log collectors
+	if len(cfg.Services) > 0 {
+		wg.Go(func() error {
+			conn, err := grpc.NewClient(grpcAddr, grpc.WithTransportCredentials(creds))
+			if err != nil {
+				return fmt.Errorf("failed to connect to gRPC: %w", err)
+			}
+			defer func() { _ = conn.Close() }()
+
+			ccli := proto.NewCollectorClient(conn)
+
+			svcWg := new(errgroup.Group)
+			for _, svc := range cfg.Services {
+				svc := svc
+				var src logsource.LogSource
+				switch svc.Type {
+				case "journald":
+					src, err = journald.New(svc, os.Getenv("JOURNALD_LOGDIR"))
+					if err != nil {
+						return fmt.Errorf("failed to create journald source %q: %w", svc.Name, err)
+					}
+				case "file":
+					if svc.Path == nil {
+						return fmt.Errorf("path is required for file log source %q", svc.Name)
+					}
+					src, err = file.New(*svc.Path)
+					if err != nil {
+						return fmt.Errorf("failed to create file source %q: %w", svc.Name, err)
+					}
+				case "docker":
+					src, err = docker.New(svc)
+					if err != nil {
+						return fmt.Errorf("failed to create docker source for container %q: %w", svc.Name, err)
+					}
+				case "kubernetes":
+					src, err = kubernetes.New(svc)
+					if err != nil {
+						return fmt.Errorf("failed to create kubernetes source for pod %q: %w", svc.Name, err)
+					}
+				default:
+					return fmt.Errorf("unknown log source type %q for service %q", svc.Type, svc.Name)
+				}
+
+				svcWg.Go(func() error {
+					lgr.Info("Starting log stream", "service", svc.Name)
+
+					// First, flush any buffered logs from offline period
+					if err := flushBufferedLogs(ctx, ccli, logBuf, svc.Name, cfg.Label, cfg.RegistrationToken, lgr); err != nil {
+						lgr.Error("Failed to flush buffered logs", "service", svc.Name, "err", err)
+					}
+
+					scli, err := ccli.Stream(
+						metadata.NewOutgoingContext(ctx, metadata.MD{
+							"whoami":   []string{cfg.Label},
+							"service":  []string{svc.Name},
+							"token":    []string{cfg.RegistrationToken},
+							"services": lo.Map(cfg.Services, func(item config.ServiceConfig, _ int) string {
+								return item.Name
+							}),
+						}),
+					)
+					if err != nil {
+						return fmt.Errorf("failed to create stream: %w", err)
+					}
+
+					for {
+						line, err := src.ReadLine()
+						if err != nil {
+							lgr.Error("ReadLine error", "service", svc.Name, "err", err)
+							return err
+						}
+
+						if err := scli.Send(&proto.CollectorRequest{
+							Message: line,
+						}); err != nil {
+							// Connection failed, buffer the log
+							lgr.Warn("Send failed, buffering log", "service", svc.Name, "err", err)
+							if storeErr := logBuf.Store(svc.Name, line); storeErr != nil {
+								lgr.Error("Failed to buffer log", "service", svc.Name, "err", storeErr)
+							}
+							// Try to reconnect
+							if reconnectErr := reconnectStream(ctx, &scli, ccli, svc.Name, cfg.Label, cfg.RegistrationToken, logBuf, lgr); reconnectErr != nil {
+								return reconnectErr
+							}
+							continue
+						}
+					}
+				})
+			}
+			return svcWg.Wait()
+		})
+	}
+
+	if err := wg.Wait(); err != nil {
+		lgr.Error("Agent dead", "err", err)
+		os.Exit(1)
+	}
+}
+
+func getEnvOrDefault(key, defaultValue string) string {
+	if value := os.Getenv(key); value != "" {
+		return value
+	}
+	return defaultValue
+}
+
+// flushBufferedLogs sends any buffered logs to the server
+func flushBufferedLogs(
+	ctx context.Context,
+	ccli proto.CollectorClient,
+	logBuf *buffer.LogBuffer,
+	service, agentName, token string,
+	lgr *logger.Logger,
+) error {
+	count, err := logBuf.Count()
+	if err != nil {
+		return err
+	}
+	if count == 0 {
+		return nil
+	}
+
+	lgr.Info("Flushing buffered logs", "service", service, "count", count)
+
+	scli, err := ccli.Stream(
+		metadata.NewOutgoingContext(ctx, metadata.MD{
+			"whoami":  []string{agentName},
+			"service": []string{service},
+			"token":   []string{token},
+		}),
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create stream for flush: %w", err)
+	}
+
+	const batchSize = 100
+	var deletedIDs []int64
+
+	for {
+		logs, err := logBuf.GetPending(batchSize)
+		if err != nil {
+			return err
+		}
+		if len(logs) == 0 {
+			break
+		}
+
+		for _, logEntry := range logs {
+			if err := scli.Send(&proto.CollectorRequest{Message: logEntry.Message}); err != nil {
+				lgr.Error("Failed to send buffered log", "service", service, "err", err)
+				return err
+			}
+			deletedIDs = append(deletedIDs, logEntry.ID)
+		}
+
+		// Delete successfully sent logs
+		if err := logBuf.DeleteBatch(deletedIDs); err != nil {
+			lgr.Error("Failed to delete sent logs from buffer", "service", service, "err", err)
+		}
+		deletedIDs = deletedIDs[:0]
+	}
+
+	_, err = scli.CloseAndRecv()
+	lgr.Info("Buffer flush complete", "service", service)
+	return err
+}
+
+// reconnectStream attempts to recreate a gRPC stream connection
+func reconnectStream(
+	ctx context.Context,
+	scli *grpc.ClientStreamingClient[proto.CollectorRequest, proto.CollectorResponse],
+	ccli proto.CollectorClient,
+	service, agentName, token string,
+	buf *buffer.LogBuffer,
+	lgr *logger.Logger,
+) error {
+	lgr.Info("Attempting to reconnect stream...", "service", service)
+
+	// Try up to 5 times with exponential backoff
+	for i := 0; i < 5; i++ {
+		time.Sleep(time.Duration(i+1) * time.Second)
+
+		newCli, err := ccli.Stream(
+			metadata.NewOutgoingContext(ctx, metadata.MD{
+				"whoami":  []string{agentName},
+				"service": []string{service},
+				"token":   []string{token},
+			}),
+		)
+		if err != nil {
+			lgr.Warn("Reconnect attempt failed", "service", service, "attempt", i+1, "err", err)
+			continue
+		}
+
+		*scli = newCli
+		lgr.Info("Stream reconnected successfully", "service", service)
+		return flushBufferedLogs(ctx, ccli, buf, service, agentName, token, lgr)
+	}
+
+	return fmt.Errorf("failed to reconnect after 5 attempts for service %s", service)
+}
+
+// reportServices periodically sends service status updates to the backend via gRPC.
+func reportServices(
+	ctx context.Context,
+	grpcAddr string,
+	creds credentials.TransportCredentials,
+	label string,
+	services []config.ServiceConfig,
+	lgr *logger.Logger,
+) error {
+	conn, err := grpc.NewClient(grpcAddr, grpc.WithTransportCredentials(creds))
+	if err != nil {
+		return fmt.Errorf("failed to connect for services report: %w", err)
+	}
+	defer conn.Close()
+
+	ccli := proto.NewCollectorClient(conn)
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	// Send immediately on start, then every 5 seconds
+	for {
+		svcUpdates := make([]*proto.ServicesUpdate_ServiceUpdate, 0, len(services))
+		for _, svc := range services {
+			status := checkServiceStatus(svc, lgr)
+			svcUpdates = append(svcUpdates, &proto.ServicesUpdate_ServiceUpdate{
+				Name:   svc.Name,
+				Status: status,
+			})
+		}
+
+		md := metadata.New(map[string]string{"whoami": label})
+		_, err := ccli.ReportServices(
+			metadata.NewOutgoingContext(ctx, md),
+			&proto.ServicesUpdate{Services: svcUpdates},
+		)
+		if err != nil {
+			lgr.Warn("Failed to report services", "err", err)
+		} else {
+			lgr.Debug("Services reported successfully", "count", len(services))
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+	}
+}
+
+// checkServiceStatus checks if a service is alive based on its type.
+func checkServiceStatus(svc config.ServiceConfig, lgr *logger.Logger) string {
+	// If systemd_unit is specified, check systemd first
+	if svc.SystemdUnit != nil && *svc.SystemdUnit != "" {
+		status := checkSystemdService(*svc.SystemdUnit)
+		if status != "up" {
+			lgr.Debug("Systemd service check", "unit", *svc.SystemdUnit, "status", status)
+			return status
+		}
+	}
+
+	// For docker type, check container is running
+	if svc.Type == "docker" {
+		status := checkDockerContainer(svc.Name)
+		if status != "up" {
+			lgr.Debug("Docker container check", "container", svc.Name, "status", status)
+			return status
+		}
+	}
+
+	return "up"
+}
+
+// checkSystemdService checks if a systemd service is active.
+func checkSystemdService(unit string) string {
+	cmd := exec.Command("systemctl", "is-active", "--quiet", unit)
+	if err := cmd.Run(); err != nil {
+		return "down"
+	}
+	return "up"
+}
+
+// checkDockerContainer checks if a Docker container is running.
+func checkDockerContainer(name string) string {
+	cmd := exec.Command("docker", "inspect", "-f", "{{.State.Running}}", name)
+	out, err := cmd.Output()
+	if err != nil {
+		return "down"
+	}
+	if strings.TrimSpace(string(out)) == "true" {
+		return "up"
+	}
+	return "down"
+}
+
+// reportSystemMetrics periodically collects and sends system metrics to the backend via gRPC.
+func reportSystemMetrics(
+	ctx context.Context,
+	grpcAddr string,
+	creds credentials.TransportCredentials,
+	label string,
+	lgr *logger.Logger,
+) error {
+	conn, err := grpc.NewClient(grpcAddr, grpc.WithTransportCredentials(creds))
+	if err != nil {
+		return fmt.Errorf("failed to connect for metrics report: %w", err)
+	}
+	defer conn.Close()
+
+	ccli := proto.NewCollectorClient(conn)
+	collector := agentmetrics.NewCollector()
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	lgr.Info("System metrics collector started")
+
+	for {
+		metrics, err := collector.Collect()
+		if err != nil {
+			lgr.Warn("Failed to collect system metrics", "err", err)
+		} else {
+			md := metadata.New(map[string]string{"whoami": label})
+			_, err := ccli.ReportSystemMetrics(
+				metadata.NewOutgoingContext(ctx, md),
+				&proto.SystemMetrics{
+					CpuPercent:     metrics.CPUPercent,
+					MemoryPercent:  metrics.MemoryPercent,
+					DiskPercent:    metrics.DiskPercent,
+					NetworkRxBytes: metrics.NetworkRxBytes,
+					NetworkTxBytes: metrics.NetworkTxBytes,
+				},
+			)
+			if err != nil {
+				lgr.Warn("Failed to report system metrics", "err", err)
+			} else {
+				lgr.Debug("System metrics reported",
+					"cpu", metrics.CPUPercent,
+					"mem", metrics.MemoryPercent,
+					"disk", metrics.DiskPercent,
+				)
+			}
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+	}
+}

backend/.golangci.yml

@@ -0,0 +1,21 @@
+version: "2"
+run:
+  timeout: 5m
+  tests: false
+  build-tags:
+    - integration
+
+linters:
+  enable:
+    - errcheck
+    - errname
+    - govet
+    - staticcheck
+    - gosec
+    - nilerr
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+    - golines

backend/cmd/main.go

@@ -0,0 +1,382 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"log"
+	"net"
+	"os"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/docs"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/config"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/collector"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/commander"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/handlers"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/service"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"github.com/gin-gonic/gin"
+	swaggerFiles "github.com/swaggo/files"
+	ginSwagger "github.com/swaggo/gin-swagger"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+)
+
+// @securityDefinitions.apikey Bearer
+// @in header
+// @name Authorization
+// @description Type "Bearer" followed by a space and the JWT token.
+
+func main() {
+	cfg_path, ok := os.LookupEnv("CONFIG_FILE")
+	if !ok {
+		cfg_path = "/etc/hellreign/config.yml"
+	}
+	cfg, err := config.ImportSettings(cfg_path)
+	if err != nil {
+		log.Fatalf("Err loading config: %v", err)
+	}
+
+	db, err := storage.Open(cfg.Database.Token_db)
+	if err != nil {
+		log.Fatalf("Err opening database: %v", err)
+	}
+	defer db.Close()
+
+	h := handlers.New(db)
+
+	// Initialize registration tokens table
+	if err := h.Repo.InitRegistrationTokens(); err != nil {
+		log.Printf("Warning: failed to initialize registration tokens table: %v", err)
+	}
+
+	// Initialize jobs table
+	jobRepo := repository.NewJobRepository(db)
+	if err := jobRepo.Init(context.Background()); err != nil {
+		log.Printf("Warning: failed to initialize jobs table: %v", err)
+	}
+
+	// Initialize ClickHouse and log repository
+	logRepo := repository.NewLogRepository()
+	if cfg.Database.Clickhouse_host != "" {
+		go func() {
+			db, err := storage.OpenClickHouseWithRetry(storage.ClickHouseConfig{
+				Host:     cfg.Database.Clickhouse_host,
+				User:     cfg.Database.Clickhouse_user,
+				Password: cfg.Database.Clickhouse_password,
+				Database: cfg.Database.Clickhouse_database,
+			}, 10, 5*time.Second)
+			if err != nil {
+				log.Printf("Warning: ClickHouse connection failed: %v", err)
+				return
+			}
+			log.Println("ClickHouse connected successfully")
+			logRepo.SetDB(db)
+			if err := logRepo.Init(context.Background()); err != nil {
+				log.Printf("Warning: Failed to initialize logs table: %v", err)
+			}
+		}()
+	}
+
+	// Initialize Collector (log streaming) with its own ConnTracker
+	collTracker := collector.NewConnTracker()
+	coll := collector.New(logRepo, collTracker)
+
+	// Initialize ConnTracker for Commander agent lifecycle
+	cmdTracker := commander.NewConnTracker()
+	cmdr := commander.New(jobRepo, cmdTracker)
+
+	// Initialize script interpreter repository and service
+	scriptRepo := repository.NewScriptInterpreterRepo(db)
+	if err := scriptRepo.Init(context.Background()); err != nil {
+		log.Fatalf("Warning: failed to initialize script interpreters table: %v\n", err)
+	}
+	scriptSvc := service.NewScriptServiceWithInterpreters(h.Repo, scriptRepo)
+	scriptHandlers := handlers.NewScriptHandlers(scriptSvc, cmdTracker,
+		os.Getenv("WHEREAMI"))
+	jobsHandlers := handlers.NewJobsHandlers(cmdTracker, scriptSvc,
+		os.Getenv("WHEREAMI"), /* our address for redirects */
+		jobRepo,
+	)
+
+	scriptManageHandlers := handlers.NewScriptHandlersGroup(scriptSvc, cmdr,
+		os.Getenv("WHEREAMI"))
+
+	graphPath := os.Getenv("GRAPH_YAML_PATH")
+	if graphPath == "" {
+		graphPath = "/etc/hellreign/services.yaml"
+	}
+	graphHandlers := handlers.NewGraphHandlers(graphPath, coll)
+
+	agents := handlers.NewAgentsGroup(h, coll)
+	auth := handlers.AuthGroup{Handlers: h}
+	agentReg := handlers.NewAgentRegistrationGroup(h)
+	agentDeploy := handlers.NewAgentDeployGroup(h)
+
+	// Create admin user from config if not exists
+	if cfg.Admin.Admin_login != "" && cfg.Admin.Admin_password != "" {
+		if !h.Repo.ExistsByLogin(cfg.Admin.Admin_login) {
+			_, err := h.Repo.CreateToken(repository.TokenCreate{
+				Name:             cfg.Admin.Admin_name,
+				LastName:         cfg.Admin.Admin_last_name,
+				Login:            cfg.Admin.Admin_login,
+				Password:         cfg.Admin.Admin_password,
+				PermissionView:   true,
+				PermissionManage: true,
+				PermissionAdmin:  true,
+				IsActive:         true,
+			})
+			if err != nil {
+				log.Printf("Warning: failed to create admin user: %v", err)
+			} else {
+				log.Println("Admin user created from config")
+			}
+		} else {
+			// Ensure existing admin is activated
+			if err := h.Repo.ActivateUserByLogin(cfg.Admin.Admin_login); err != nil {
+				log.Printf("Warning: failed to activate admin user: %v", err)
+			} else {
+				log.Println("Admin user activated")
+			}
+		}
+	}
+
+	router := gin.Default()
+	router.Use(handlers.CorsMiddleware("http://127.0.0.1:5173;http://localhost:5173"))
+	docs.SwaggerInfo.BasePath = "/api/v1"
+	docs.SwaggerInfo.Title = "HellreigN"
+	docs.SwaggerInfo.Version = "1.0"
+	docs.SwaggerInfo.Description = "API for HellreigN"
+	docs.SwaggerInfo.Schemes = []string{"http"}
+	router.GET("/swagger/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))
+
+	v1 := router.Group("/api/v1")
+	{
+		// Auth routes (public)
+		authGroup := v1.Group("/auth")
+		{
+			authGroup.POST("/login", auth.Login)
+			authGroup.POST("/register", auth.RegisterUser)
+		}
+
+		// Auth token management (requires auth)
+		authTokenGroup := v1.Group("/auth")
+		authTokenGroup.Use(auth.AuthMiddleware())
+		{
+			authTokenGroup.POST("/token", auth.CreateToken)
+			authTokenGroup.GET("/validate", auth.ValidateToken)
+			authTokenGroup.GET("/tokens", handlers.RequireAdmin(), auth.ListTokens)
+			authTokenGroup.DELETE("/token", auth.DeleteMyToken)
+			authTokenGroup.DELETE("/tokens/:login", handlers.RequireAdmin(), auth.DeleteToken)
+
+			// User management (admin only) - Full CRUD
+			authTokenGroup.GET("/users/:login", handlers.RequireAdmin(), auth.GetUser)
+			authTokenGroup.PUT("/users/:login", handlers.RequireAdmin(), auth.UpdateUser)
+			authTokenGroup.PUT(
+				"/users/:login/permissions",
+				handlers.RequireAdmin(),
+				auth.UpdateUserPermissions,
+			)
+			authTokenGroup.PUT(
+				"/users/:login/password",
+				handlers.RequireAdmin(),
+				auth.ResetUserPassword,
+			)
+
+			// User activation management (admin only)
+			authTokenGroup.POST(
+				"/users/:login/activate",
+				handlers.RequireAdmin(),
+				auth.ActivateUser,
+			)
+			authTokenGroup.POST(
+				"/users/:login/deactivate",
+				handlers.RequireAdmin(),
+				auth.DeactivateUser,
+			)
+			authTokenGroup.GET("/users/inactive", handlers.RequireAdmin(), auth.ListInactiveUsers)
+		}
+
+		// Agents (requires manage_agent permission)
+		agentsGroup := v1.Group("/agents")
+		agentsGroup.Use(auth.AuthMiddleware(), handlers.RequireManageAgent())
+		{
+			agentsGroup.GET("", agents.List)
+			agentsGroup.GET("/system-metrics", agents.GetSystemMetrics)
+		}
+
+		// Jobs (requires admin permission)
+		jobsGroup := v1.Group("/jobs")
+		jobsGroup.Use(auth.AuthMiddleware(), handlers.RequireAdmin())
+		{
+			jobsGroup.POST("", jobsHandlers.AddJob)
+			jobsGroup.POST("/:id/wait", jobsHandlers.WaitJob)
+			jobsGroup.GET("/metrics", jobsHandlers.GetJobMetrics)
+		}
+
+		// Service dependency graph
+		graphGroup := v1.Group("/graph")
+		graphGroup.Use(auth.AuthMiddleware())
+		{
+			// Read-only endpoints: GET (require view)
+			graphView := graphGroup.Group("")
+			graphView.Use(handlers.RequireView())
+			{
+				graphView.GET("", graphHandlers.GetGraph)
+				graphView.GET("/order", graphHandlers.StartupOrder)
+				graphView.GET("/cycle", graphHandlers.CycleCheck)
+				graphView.GET("/failure", graphHandlers.GetFailureRootCause)
+			}
+			// Write endpoints: PUT (require admin)
+			graphAdmin := graphGroup.Group("")
+			graphAdmin.Use(handlers.RequireAdmin())
+			{
+				graphAdmin.PUT("", graphHandlers.UpdateYAML)
+			}
+		}
+
+		// Agent registration
+		agentRegGroup := v1.Group("/agents")
+		{
+			agentRegGroup.POST("/register", agentReg.Register)
+		}
+		agentRegTokenGroup := v1.Group("/agents")
+		agentRegTokenGroup.Use(auth.AuthMiddleware(), handlers.RequireManageAgent())
+		{
+			agentRegTokenGroup.POST("/register-token", agentReg.CreateRegistrationToken)
+			agentRegTokenGroup.POST("/deploy", agentDeploy.DeployAgents)
+		}
+
+		// Logs (requires view permission)
+		logsGroup := v1.Group("/logs")
+		logsGroup.Use(auth.AuthMiddleware(), handlers.RequireView())
+		{
+			// Mock logs endpoint (always available, no ClickHouse required)
+			mockLogHandlers := handlers.NewLogHandlers(nil)
+			logsGroup.GET("/mock", mockLogHandlers.GetMockLogs)
+
+			// ClickHouse log handlers (always registered, work when ClickHouse connects)
+			logHandlers := handlers.NewLogHandlers(logRepo)
+			logsGroup.POST("", logHandlers.Insert)
+			logsGroup.POST("/batch", logHandlers.InsertBatch)
+			logsGroup.GET("", logHandlers.Search)
+			logsGroup.GET("/services", logHandlers.GetServices)
+			logsGroup.GET("/agents", logHandlers.GetAgents)
+			logsGroup.GET("/levels", logHandlers.GetLevels)
+		}
+
+		// Scripts (requires admin permission)
+		scriptsGroup := v1.Group("/scripts")
+		scriptsGroup.Use(auth.AuthMiddleware(), handlers.RequireAdmin())
+		{
+			scriptsGroup.POST("/run", scriptHandlers.RunScript)
+			scriptsGroup.GET("/interpreters", scriptHandlers.ListInterpreters)
+			scriptsGroup.POST("/interpreters", scriptHandlers.CreateInterpreter)
+			scriptsGroup.GET("/interpreters/:id", scriptHandlers.GetInterpreter)
+			scriptsGroup.PUT("/interpreters/:id", scriptHandlers.UpdateInterpreter)
+			scriptsGroup.DELETE("/interpreters/:id", scriptHandlers.DeleteInterpreter)
+
+			// Script management (tree, CRUD)
+			scriptsGroup.GET("/tree", scriptManageHandlers.GetTree)
+			scriptsGroup.POST("", scriptManageHandlers.CreateScript)
+			scriptsGroup.GET("/:id", scriptManageHandlers.GetScript)
+			scriptsGroup.PUT("/:id", scriptManageHandlers.UpdateScript)
+			scriptsGroup.DELETE("/:id", scriptManageHandlers.DeleteScript)
+			scriptsGroup.POST("/:id/run", scriptManageHandlers.RunScriptByID)
+
+			// Folder management
+			scriptsGroup.POST("/folder", scriptManageHandlers.CreateFolder)
+			scriptsGroup.DELETE("/folder", scriptManageHandlers.DeleteFolder)
+
+			// Rename script or folder
+			scriptsGroup.POST("/rename", scriptManageHandlers.Rename)
+
+			// Get script by path
+			scriptsGroup.GET("/by-path", scriptManageHandlers.GetScriptByPath)
+		}
+	}
+
+	// Start gRPC server with mTLS in background
+	grpcPort := os.Getenv("GRPC_PORT")
+	if grpcPort == "" {
+		grpcPort = "9001"
+	}
+
+	certDir := os.Getenv("SSL_CERT_DIR")
+	if certDir == "" {
+		certDir = "/var/lib/hellreign/ssl"
+	}
+
+	certFile := certDir + "/server.crt"
+	keyFile := certDir + "/server.key"
+	caFile := certDir + "/ca.crt"
+
+	// Load server cert
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		log.Fatalf("Failed to load server cert: %v", err)
+	}
+
+	// Load CA cert for client verification
+	caCert, err := os.ReadFile(caFile)
+	if err != nil {
+		log.Fatalf("Failed to load CA cert: %v", err)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		ClientCAs:    caCertPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	grpcServer := grpc.NewServer(
+		grpc.Creds(credentials.NewTLS(tlsConfig)),
+		grpc.StatsHandler(collTracker),
+		grpc.StatsHandler(cmdTracker),
+	)
+	proto.RegisterCommanderServer(grpcServer, cmdr)
+	proto.RegisterCollectorServer(grpcServer, coll)
+
+	lis, err := net.Listen("tcp", ":"+grpcPort)
+	if err != nil {
+		log.Fatalf("Failed to listen on gRPC port %s: %v", grpcPort, err)
+	}
+
+	g, ctx := errgroup.WithContext(context.Background())
+
+	g.Go(func() error {
+		log.Printf("gRPC server starting on port %s with mTLS", grpcPort)
+		errCh := make(chan error, 1)
+		go func() { errCh <- grpcServer.Serve(lis) }()
+		select {
+		case err := <-errCh:
+			return err
+		case <-ctx.Done():
+			grpcServer.GracefulStop()
+			return nil
+		}
+	})
+
+	g.Go(func() error {
+		log.Printf("HTTP server starting on :8080")
+		errCh := make(chan error, 1)
+		go func() { errCh <- router.Run(":8080") }()
+		select {
+		case err := <-errCh:
+			return err
+		case <-ctx.Done():
+			return nil
+		}
+	})
+
+	if err := g.Wait(); err != nil {
+		log.Fatalf("Server error: %v", err)
+	}
+}

backend/dockerfile

@@ -0,0 +1,24 @@
+FROM golang:1.26.1 as builder
+
+WORKDIR /app
+
+COPY backend/ backend/
+COPY proto/ proto/
+WORKDIR /app/backend
+ENV CGO_ENABLED=0
+ENV GIN_MODE=release
+RUN --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=cache,target=/root/.cache/go-build \
+  go mod download && \
+  go build -ldflags "-s -w" -o backend ./cmd/main.go
+
+FROM alpine:3.23.0
+
+RUN apk add --no-cache curl openssl bash ansible sqlite
+
+COPY --from=builder /app/backend/backend .
+COPY --from=builder /app/backend/scripts /etc/hellreign/scripts
+RUN chmod +x /etc/hellreign/scripts/generate-certs.sh
+
+# Generate certificates on container start
+ENTRYPOINT ["/bin/sh", "-c", "/etc/hellreign/scripts/generate-certs.sh ${SSL_CERT_DIR:-/var/lib/hellreign/ssl} && exec ./backend"]

backend/go.mod

@@ -0,0 +1,85 @@
+module gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend
+
+go 1.26.1
+
+require (
+	gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto v0.0.0-20260404174628-3389df740c20
+	github.com/ClickHouse/clickhouse-go/v2 v2.44.0
+	github.com/gin-gonic/gin v1.12.0
+	github.com/samber/lo v1.53.0
+	github.com/swaggo/files v1.0.1
+	github.com/swaggo/gin-swagger v1.6.1
+	github.com/swaggo/swag v1.16.6
+	golang.org/x/crypto v0.49.0
+	golang.org/x/sync v0.20.0
+	google.golang.org/grpc v1.80.0
+	gopkg.in/yaml.v3 v3.0.1
+	modernc.org/sqlite v1.48.1
+)
+
+require (
+	github.com/ClickHouse/ch-go v0.71.0 // indirect
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/bytedance/gopkg v0.1.4 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
+	github.com/gin-contrib/sse v1.1.1 // indirect
+	github.com/go-faster/city v1.0.1 // indirect
+	github.com/go-faster/errors v0.7.1 // indirect
+	github.com/go-openapi/jsonpointer v0.22.5 // indirect
+	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/spec v0.22.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.5 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
+	github.com/go-openapi/swag/loading v0.25.5 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.5 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.5 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.5 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.30.2 // indirect
+	github.com/goccy/go-json v0.10.6 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.3 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
+	github.com/paulmach/orb v0.12.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.3.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.25 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
+	go.opentelemetry.io/otel v1.41.0 // indirect
+	go.opentelemetry.io/otel/trace v1.41.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/arch v0.25.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	modernc.org/libc v1.70.0 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+)
+
+replace gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto => ../proto

backend/go.sum

@@ -0,0 +1,306 @@
+github.com/ClickHouse/ch-go v0.71.0 h1:bUdZ/EZj/LcVHsMqaRUP2holqygrPWQKeMjc6nZoyRM=
+github.com/ClickHouse/ch-go v0.71.0/go.mod h1:NwbNc+7jaqfY58dmdDUbG4Jl22vThgx1cYjBw0vtgXw=
+github.com/ClickHouse/clickhouse-go/v2 v2.44.0 h1:9pxs5pRwIvhni5BDRPn/n5A8DeUod5TnBaeulFBX8EQ=
+github.com/ClickHouse/clickhouse-go/v2 v2.44.0/go.mod h1:giJfUVlMkcfUEPVfRpt51zZaGEx9i17gCos8gBl392c=
+github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
+github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
+github.com/bytedance/gopkg v0.1.4 h1:oZnQwnX82KAIWb7033bEwtxvTqXcYMxDBaQxo5JJHWM=
+github.com/bytedance/gopkg v0.1.4/go.mod h1:v1zWfPm21Fb+OsyXN2VAHdL6TBb2L88anLQgdyje6R4=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.1 h1:Ygpfa9zwRCCKSlrp5bBP/b/Xzc3VxsAW+5NIYXrOOpI=
+github.com/bytedance/sonic/loader v0.5.1/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/gzip v0.0.6 h1:NjcunTcGAj5CO1gn4N8jHOSIeRFHIbn51z6K+xaN4d4=
+github.com/gin-contrib/gzip v0.0.6/go.mod h1:QOJlmV2xmayAjkNS2Y8NQsMneuRShOU/kjovCXNuzzk=
+github.com/gin-contrib/sse v1.1.1 h1:uGYpNwTacv5R68bSGMapo62iLTRa9l5zxGCps4hK6ko=
+github.com/gin-contrib/sse v1.1.1/go.mod h1:QXzuVkA0YO7o/gun03UI1Q+FTI8ZV/n5t03kIQAI89s=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
+github.com/go-faster/city v1.0.1 h1:4WAxSZ3V2Ws4QRDrscLEDcibJY8uf41H6AhXDrNDcGw=
+github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw=
+github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg=
+github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA=
+github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0=
+github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
+github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
+github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
+github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
+github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
+github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+tGu97g=
+github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k=
+github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo=
+github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU=
+github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo=
+github.com/go-openapi/swag/jsonutils v0.25.5/go.mod h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5/go.mod h1:/2KvOTrKWjVA5Xli3DZWdMCZDzz3uV/T7bXwrKWPquo=
+github.com/go-openapi/swag/loading v0.25.5 h1:odQ/umlIZ1ZVRteI6ckSrvP6e2w9UTF5qgNdemJHjuU=
+github.com/go-openapi/swag/loading v0.25.5/go.mod h1:I8A8RaaQ4DApxhPSWLNYWh9NvmX2YKMoB9nwvv6oW6g=
+github.com/go-openapi/swag/stringutils v0.25.5 h1:NVkoDOA8YBgtAR/zvCx5rhJKtZF3IzXcDdwOsYzrB6M=
+github.com/go-openapi/swag/stringutils v0.25.5/go.mod h1:PKK8EZdu4QJq8iezt17HM8RXnLAzY7gW0O1KKarrZII=
+github.com/go-openapi/swag/typeutils v0.25.5 h1:EFJ+PCga2HfHGdo8s8VJXEVbeXRCYwzzr9u4rJk7L7E=
+github.com/go-openapi/swag/typeutils v0.25.5/go.mod h1:itmFmScAYE1bSD8C4rS0W+0InZUBrB2xSPbWt6DLGuc=
+github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
+github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.0 h1:7SgOMTvJkM8yWrQlU8Jm18VeDPuAvB/xWrdxFJkoFag=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.0/go.mod h1:14iV8jyyQlinc9StD7w1xVPW3CO3q1Gj04Jy//Kw4VM=
+github.com/go-openapi/testify/v2 v2.4.0 h1:8nsPrHVCWkQ4p8h1EsRVymA2XABB4OT40gcvAu+voFM=
+github.com/go-openapi/testify/v2 v2.4.0/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.30.2 h1:JiFIMtSSHb2/XBUbWM4i/MpeQm9ZK2xqPNk8vgvu5JQ=
+github.com/go-playground/validator/v10 v10.30.2/go.mod h1:mAf2pIOVXjTEBrwUMGKkCWKKPs9NheYGabeB04txQSc=
+github.com/goccy/go-json v0.10.6 h1:p8HrPJzOakx/mn/bQtjgNjdTcN+/S6FcG2CTtQOrHVU=
+github.com/goccy/go-json v0.10.6/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw=
+github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/paulmach/orb v0.12.0 h1:z+zOwjmG3MyEEqzv92UN49Lg1JFYx0L9GpGKNVDKk1s=
+github.com/paulmach/orb v0.12.0/go.mod h1:5mULz1xQfs3bmQm63QEJA6lNGujuRafwA5S/EnuLaLU=
+github.com/paulmach/protoscan v0.2.1/go.mod h1:SpcSwydNLrxUGSDvXvO0P7g7AuhJ7lcKfDlhJCDw2gY=
+github.com/pelletier/go-toml/v2 v2.3.0 h1:k59bC/lIZREW0/iVaQR8nDHxVq8OVlIzYCOJf421CaM=
+github.com/pelletier/go-toml/v2 v2.3.0/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pierrec/lz4/v4 v4.1.25 h1:kocOqRffaIbU5djlIBr7Wh+cx82C0vtFb0fOurZHqD0=
+github.com/pierrec/lz4/v4 v4.1.25/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/samber/lo v1.53.0 h1:t975lj2py4kJPQ6haz1QMgtId2gtmfktACxIXArw3HM=
+github.com/samber/lo v1.53.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/swaggo/files v1.0.1 h1:J1bVJ4XHZNq0I46UU90611i9/YzdrF7x92oX1ig5IdE=
+github.com/swaggo/files v1.0.1/go.mod h1:0qXmMNH6sXNf+73t65aKeB+ApmgxdnkQzVTAj2uaMUg=
+github.com/swaggo/gin-swagger v1.6.1 h1:Ri06G4gc9N4t4k8hekMigJ9zKTFSlqj/9paAQCQs7cY=
+github.com/swaggo/gin-swagger v1.6.1/go.mod h1:LQ+hJStHakCWRiK/YNYtJOu4mR2FP+pxLnILT/qNiTw=
+github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
+github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
+github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
+github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mongodb.org/mongo-driver v1.11.4/go.mod h1:PTSz5yu21bkT/wXpkS7WR5f0ddqw5quethTUn9WM+2g=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/arch v0.25.0 h1:qnk6Ksugpi5Bz32947rkUgDt9/s5qvqDPl/gBKdMJLE=
+golang.org/x/arch v0.25.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 h1:sNrWoksmOyF5bvJUcnmbeAmQi8baNhqg5IWaI3llQqU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
+modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
+modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
+modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
+modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
+modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
+modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
+modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
+modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
+modernc.org/sqlite v1.48.1 h1:S85iToyU6cgeojybE2XJlSbcsvcWkQ6qqNXJHtW5hWA=
+modernc.org/sqlite v1.48.1/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
+modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=

backend/internal/ansible/executor.go

@@ -0,0 +1,190 @@
+package ansible
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+)
+
+// ErrUnknownDeployType is returned when an unsupported deployment type is specified
+var ErrUnknownDeployType = fmt.Errorf("unknown deploy type, expected 'docker' or 'binary'")
+
+// Executor handles running Ansible playbooks
+type Executor struct {
+	workDir          string
+	grpcServerHost   string
+	grpcServerPort   string
+	backendURL       string
+	giteaReleasesURL string
+}
+
+// ExecutorConfig holds configuration for the Executor
+type ExecutorConfig struct {
+	WorkDir          string
+	GRPCServerHost   string
+	GRPCServerPort   string
+	BackendURL       string
+	GiteaReleasesURL string
+}
+
+// NewExecutor creates a new Ansible executor
+func NewExecutor(cfg ExecutorConfig) *Executor {
+	return &Executor{
+		workDir:          cfg.WorkDir,
+		grpcServerHost:   cfg.GRPCServerHost,
+		grpcServerPort:   cfg.GRPCServerPort,
+		backendURL:       cfg.BackendURL,
+		giteaReleasesURL: cfg.GiteaReleasesURL,
+	}
+}
+
+// DeployResult holds the result of a deployment
+type DeployResult struct {
+	Host    string
+	Success bool
+	Stdout  string
+	Stderr  string
+	Err     error
+}
+
+// WorkDir returns the work directory path
+func (e *Executor) WorkDir() string {
+	return e.workDir
+}
+
+// GRPCURL returns the gRPC server URL (host:port)
+func (e *Executor) GRPCURL() string {
+	return e.grpcServerHost + ":" + e.grpcServerPort
+}
+
+// CheckDockerCollection verifies that the community.docker Ansible collection is installed.
+// Returns an error if the collection is not found.
+func (e *Executor) CheckDockerCollection() error {
+	cmd := exec.Command("ansible-galaxy", "collection", "list", "community.docker")
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("community.docker collection not found: %s", stderr.String())
+	}
+
+	// ansible-galaxy collection list returns output like:
+	// # /usr/share/ansible/collections/ansible_collections
+	// Collection       Version
+	// ---------------- -------
+	// community.docker 3.10.0
+	//
+	// If the collection is not installed, it won't appear in the output.
+	if !strings.Contains(stdout.String(), "community.docker") {
+		return fmt.Errorf("community.docker collection is not installed. Run: ansible-galaxy collection install community.docker")
+	}
+
+	return nil
+}
+
+// Deploy runs Ansible playbook for the given inventory
+func (e *Executor) Deploy(
+	ctx context.Context,
+	inventoryPath string,
+	deployType string,
+) ([]DeployResult, error) {
+	if deployType != "docker" && deployType != "binary" {
+		return nil, fmt.Errorf("invalid deploy type %q: %w", deployType, ErrUnknownDeployType)
+	}
+
+	playbookName := "binary_deploy.yml"
+	if deployType == "docker" {
+		playbookName = "docker_deploy.yml"
+	}
+
+	playbookPath := filepath.Join(e.workDir, playbookName)
+
+	cmd := exec.CommandContext(ctx, "ansible-playbook",
+		"-i", inventoryPath,
+		"-e", fmt.Sprintf("backend_url=%s", e.backendURL),
+		"-e", fmt.Sprintf("grpc_url=%s", e.grpcServerHost+":"+e.grpcServerPort),
+		"-e", fmt.Sprintf("gitea_releases_url=%s", e.giteaReleasesURL),
+		playbookPath,
+	)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	runErr := cmd.Run()
+
+	// Parse results per host (simplified - returns single result for all)
+	return []DeployResult{
+		{
+			Host:    "all",
+			Success: runErr == nil,
+			Stdout:  stdout.String(),
+			Stderr:  stderr.String(),
+			Err:     runErr,
+		},
+	}, nil
+}
+
+// DeployParallel runs Ansible playbook for multiple inventories in parallel
+func (e *Executor) DeployParallel(
+	ctx context.Context,
+	inventoryPaths []string,
+	deployType string,
+) (map[string][]DeployResult, error) {
+	var wg sync.WaitGroup
+	var mu sync.Mutex
+	results := make(map[string][]DeployResult)
+	errCh := make(chan error, len(inventoryPaths))
+
+	for _, path := range inventoryPaths {
+		wg.Add(1)
+		go func(p string) {
+			defer wg.Done()
+			res, err := e.Deploy(ctx, p, deployType)
+			if err != nil {
+				errCh <- err
+			}
+			mu.Lock()
+			results[p] = res
+			mu.Unlock()
+		}(path)
+	}
+
+	wg.Wait()
+	close(errCh)
+
+	// Collect errors
+	var errs []error
+	for err := range errCh {
+		errs = append(errs, err)
+	}
+
+	if len(errs) > 0 {
+		return results, fmt.Errorf("some deployments failed: %v", errs)
+	}
+
+	return results, nil
+}
+
+// WritePlaybook writes a playbook to the work directory
+func (e *Executor) WritePlaybook(name string, content string) error {
+	path := filepath.Join(e.workDir, name)
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		return err
+	}
+	return os.WriteFile(path, []byte(content), 0644)
+}
+
+// WriteAllPlaybooks writes all playbooks to the work directory
+func (e *Executor) WriteAllPlaybooks() error {
+	if err := e.WritePlaybook("binary_deploy.yml", BinaryDeployPlaybook); err != nil {
+		return err
+	}
+	return e.WritePlaybook("docker_deploy.yml", DockerDeployPlaybook)
+}

backend/internal/ansible/inventory.go

@@ -0,0 +1,61 @@
+package ansible
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"text/template"
+)
+
+// InventoryHost represents a single host in the inventory
+type InventoryHost struct {
+	Name       string
+	IP         string
+	Port       int
+	User       string
+	AuthMethod string
+	SSHKey     string
+	Password   string
+	DeployType string
+	Token      string
+	GRPCURL    string
+}
+
+// Inventory represents an Ansible inventory file
+type Inventory struct {
+	Hosts []InventoryHost
+}
+
+const inventoryTemplateText = `{{- range $i, $host := .Hosts }}
+{{ $host.Name }} ansible_host={{ $host.IP }} ansible_port={{ $host.Port }} ansible_user={{ $host.User }} ansible_connection=ssh{{ if eq $host.AuthMethod "key" }} ansible_ssh_private_key_file={{ $host.SSHKey }}{{ end }}{{ if eq $host.AuthMethod "password" }} ansible_ssh_pass={{ $host.Password }}{{ end }}
+deploy_type={{ $host.DeployType }}
+agent_token={{ $host.Token }}
+agent_label={{ $host.Name }}
+grpc_url={{ $host.GRPCURL }}
+{{ end -}}`
+
+// GenerateInventory generates an Ansible inventory file from the given hosts
+func GenerateInventory(hosts []InventoryHost, outputPath string) error {
+	tmpl, err := template.New("inventory").Parse(inventoryTemplateText)
+	if err != nil {
+		return fmt.Errorf("failed to parse inventory template: %w", err)
+	}
+
+	// Ensure directory exists
+	dir := filepath.Dir(outputPath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("failed to create inventory directory: %w", err)
+	}
+
+	file, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("failed to create inventory file: %w", err)
+	}
+	defer file.Close()
+
+	if err := tmpl.Execute(file, Inventory{Hosts: hosts}); err != nil {
+		return fmt.Errorf("failed to execute inventory template: %w", err)
+	}
+
+	return nil
+}

backend/internal/ansible/playbooks.go

@@ -0,0 +1,163 @@
+package ansible
+
+// BinaryDeployPlaybook returns the Ansible playbook for binary deployment.
+// Downloads the agent binary, writes config, and installs a systemd unit for automatic restart.
+const BinaryDeployPlaybook = `---
+- name: Deploy HellreigN Agent (Binary)
+  hosts: all
+  become: yes
+  vars:
+    agent_label: "{{ agent_label }}"
+    agent_token: "{{ agent_token }}"
+    backend_url: "{{ backend_url }}"
+    install_dir: /opt/hellreign
+    bin_name: hellreign-agent
+    cert_dir: "{{ install_dir }}/certs"
+    gitea_releases_url: "{{ gitea_releases_url | default('https://gitea.d3m0k1d.ru/d3m0k1d/HellreigN/releases/latest/download') }}"
+
+  tasks:
+    - name: Create installation directory
+      file:
+        path: "{{ install_dir }}"
+        state: directory
+        mode: '0755'
+
+    - name: Create certificates directory
+      file:
+        path: "{{ cert_dir }}"
+        state: directory
+        mode: '0755'
+
+    - name: Download HellreigN Agent binary
+      get_url:
+        url: "{{ gitea_releases_url }}/{{ bin_name }}"
+        dest: "{{ install_dir }}/{{ bin_name }}"
+        mode: '0755'
+
+    - name: Create agent configuration
+      copy:
+        content: |
+          backend_url: "{{ backend_url }}"
+          grpc_url: "{{ grpc_url | default('localhost:9001') }}"
+          label: "{{ agent_label }}"
+          registration_token: "{{ agent_token }}"
+          cert_dir: "{{ cert_dir }}"
+          services:
+            - name: system
+              type: journald
+        dest: "{{ install_dir }}/config.yml"
+        mode: '0644'
+
+    - name: Create systemd unit file
+      copy:
+        content: |
+          [Unit]
+          Description=HellreigN Agent
+          After=network-online.target
+          Wants=network-online.target
+
+          [Service]
+          Type=simple
+          ExecStart={{ install_dir }}/{{ bin_name }}
+          Restart=always
+          RestartSec=5
+          Environment=CONFIG_FILE={{ install_dir }}/config.yml
+
+          [Install]
+          WantedBy=multi-user.target
+        dest: /etc/systemd/system/hellreign-agent.service
+        mode: '0644'
+
+    - name: Reload systemd daemon
+      systemd:
+        daemon_reload: yes
+
+    - name: Enable and start HellreigN Agent service
+      systemd:
+        name: hellreign-agent
+        enabled: yes
+        state: started
+
+    - name: Wait for agent to start
+      pause:
+        seconds: 3
+
+    - name: Verify HellreigN Agent is running
+      command: systemctl is-active --quiet hellreign-agent
+      changed_when: false
+`
+
+// DockerDeployPlaybook returns the Ansible playbook for Docker deployment.
+const DockerDeployPlaybook = `---
+- name: Deploy HellreigN Agent (Docker)
+  hosts: all
+  become: yes
+  vars:
+    agent_label: "{{ agent_label }}"
+    agent_token: "{{ agent_token }}"
+    backend_url: "{{ backend_url }}"
+    grpc_url: "{{ grpc_url | default('localhost:9001') }}"
+    container_name: hellreign-agent-{{ agent_label }}
+    image: "gitea.d3m0k1d.ru/d3m0k1d/hellreign-agent:latest"
+    install_dir: /opt/hellreign
+    cert_dir: /etc/hellreign-agent/certs
+    config_dir: /etc/hellreign-agent
+
+  tasks:
+    - name: Install Docker (if not present)
+      block:
+        - name: Check if Docker is installed
+          command: docker --version
+          register: docker_check
+          ignore_errors: yes
+          changed_when: false
+
+        - name: Install Docker
+          shell: |
+            curl -fsSL https://get.docker.com | sh
+          when: docker_check.rc != 0
+
+    - name: Create certificates directory
+      file:
+        path: "{{ cert_dir }}"
+        state: directory
+        mode: '0755'
+
+    - name: Create configuration directory
+      file:
+        path: "{{ config_dir }}"
+        state: directory
+        mode: '0755'
+
+    - name: Pull HellreigN Agent image
+      community.docker.docker_image:
+        name: "{{ image }}"
+        source: pull
+
+    - name: Create agent configuration
+      copy:
+        content: |
+          backend_url: "{{ backend_url }}"
+          grpc_url: "{{ grpc_url | default('localhost:9001') }}"
+          label: "{{ agent_label }}"
+          registration_token: "{{ agent_token }}"
+          cert_dir: "{{ cert_dir }}"
+          services:
+            - name: "{{ agent_label }}"
+              type: docker
+              path: "{{ container_name }}"
+        dest: "{{ config_dir }}/config.yml"
+        mode: '0644'
+
+    - name: Create and run HellreigN Agent container
+      community.docker.docker_container:
+        name: "{{ container_name }}"
+        image: "{{ image }}"
+        state: started
+        restart_policy: always
+        volumes:
+          - "{{ cert_dir }}:/etc/hellreign-agent/certs"
+          - "{{ config_dir }}/config.yml:/etc/hellreign-agent/config.yml:ro"
+        env:
+          CONFIG_FILE: /etc/hellreign-agent/config.yml
+`

backend/internal/ansible/templates.go

@@ -0,0 +1,4 @@
+package ansible
+
+// This package contains embedded Ansible templates for playbooks and inventory generation.
+// All templates are defined in playbooks.go and inventory.go.

backend/internal/config/config.go

@@ -0,0 +1,22 @@
+package config
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+)
+
+func ImportSettings(path string) (*HellreigN, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		fmt.Println(err)
+	}
+	var cfg HellreigN
+
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}

backend/internal/config/types.go

@@ -0,0 +1,20 @@
+package config
+
+type HellreigN struct {
+	Database Databases `yaml:"database"`
+	Admin    Admin     `yaml:"admin"`
+}
+
+type Databases struct {
+	Token_db            string `yaml:"token_db"`
+	Clickhouse_host     string `yaml:"clickhouse_host"`
+	Clickhouse_user     string `yaml:"clickhouse_user"`
+	Clickhouse_password string `yaml:"clickhouse_password"`
+	Clickhouse_database string `yaml:"clickhouse_database"`
+}
+type Admin struct {
+	Admin_name      string `yaml:"admin_name"`
+	Admin_last_name string `yaml:"admin_last_name"`
+	Admin_login     string `yaml:"admin_login"`
+	Admin_password  string `yaml:"admin_password"`
+}

backend/internal/graph/graph.go

@@ -0,0 +1,238 @@
+package graph
+
+import (
+	"fmt"
+	"sort"
+)
+
+// DepCondition represents how a service waits for a dependency.
+type DepCondition string
+
+const (
+	Started               DepCondition = "started"
+	Healthy               DepCondition = "healthy"
+	CompletedSuccessfully DepCondition = "completed_successfully"
+)
+
+// ServiceRef uniquely identifies a service across nodes.
+// If NodeID is empty, it refers to a service in the same node.
+type ServiceRef struct {
+	NodeID string `json:"node_id,omitempty"`
+	Name   string `json:"name"`
+}
+
+// String returns a human-readable reference like "node:service" or just "service".
+func (r ServiceRef) String() string {
+	if r.NodeID != "" {
+		return r.NodeID + ":" + r.Name
+	}
+	return r.Name
+}
+
+// Dependency declares that a service depends on another service (possibly in a different node).
+type Dependency struct {
+	Target    ServiceRef   `json:"target"`
+	Condition DepCondition `json:"condition"`
+}
+
+// Service represents a named service within a node with its dependency declarations.
+type Service struct {
+	Name         string       `json:"name"`
+	Dependencies []Dependency `json:"dependencies,omitempty"`
+}
+
+// Node represents a logical grouping of services (e.g., a server or cluster).
+type Node struct {
+	ID       string    `json:"id"`
+	Services []*Service `json:"services"`
+}
+
+// Graph holds nodes, services, and computes dependency order.
+type Graph struct {
+	nodes map[string]*Node
+	// adj[key] = list of services that key depends on
+	// key format: "nodeID:serviceName"
+	adj map[string][]ServiceRef
+}
+
+func New() *Graph {
+	return &Graph{
+		nodes: make(map[string]*Node),
+		adj:   make(map[string][]ServiceRef),
+	}
+}
+
+// AddNode adds a node to the graph.
+func (g *Graph) AddNode(nodeID string) *Node {
+	if n, ok := g.nodes[nodeID]; ok {
+		return n
+	}
+	n := &Node{ID: nodeID}
+	g.nodes[nodeID] = n
+	return n
+}
+
+// AddService adds a service to a node.
+func (g *Graph) AddService(nodeID string, svc *Service) {
+	node := g.AddNode(nodeID)
+	node.Services = append(node.Services, svc)
+	key := nodeID + ":" + svc.Name
+	g.adj[key] = nil
+}
+
+// ResolveRef resolves a ServiceRef to its full "nodeID:serviceName" key.
+// If ref.NodeID is empty, it's resolved relative to the given sourceNodeID.
+func (g *Graph) ResolveRef(ref ServiceRef, sourceNodeID string) (string, error) {
+	nodeID := ref.NodeID
+	if nodeID == "" {
+		nodeID = sourceNodeID
+	}
+	key := nodeID + ":" + ref.Name
+	if _, ok := g.adj[key]; !ok {
+		return "", fmt.Errorf("unknown service %q", key)
+	}
+	return key, nil
+}
+
+// AddDependency adds a dependency: source service depends on target service.
+func (g *Graph) AddDependency(sourceNodeID, sourceName string, dep Dependency) error {
+	srcKey := sourceNodeID + ":" + sourceName
+	if _, ok := g.adj[srcKey]; !ok {
+		return fmt.Errorf("unknown source service %q", srcKey)
+	}
+
+	if _, err := g.ResolveRef(dep.Target, sourceNodeID); err != nil {
+		return fmt.Errorf("dependency target invalid: %w", err)
+	}
+
+	g.adj[srcKey] = append(g.adj[srcKey], dep.Target)
+
+	// Also update the Service struct for serialization
+	node, ok := g.nodes[sourceNodeID]
+	if !ok {
+		return nil
+	}
+	for _, svc := range node.Services {
+		if svc.Name == sourceName {
+			svc.Dependencies = append(svc.Dependencies, dep)
+			break
+		}
+	}
+	return nil
+}
+
+// HasCycle detects if the dependency graph contains a cycle.
+func (g *Graph) HasCycle() bool {
+	const (
+		white = 0
+		gray  = 1
+		black = 2
+	)
+	color := make(map[string]int)
+	for key := range g.adj {
+		color[key] = white
+	}
+
+	var dfs func(string) bool
+	dfs = func(u string) bool {
+		color[u] = gray
+		for _, depRef := range g.adj[u] {
+			v, _ := g.ResolveRef(depRef, nodeIDFromKey(u))
+			if color[v] == gray {
+				return true
+			}
+			if color[v] == white && dfs(v) {
+				return true
+			}
+		}
+		color[u] = black
+		return false
+	}
+
+	for key := range g.adj {
+		if color[key] == white {
+			if dfs(key) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// TopologicalSort returns services in startup order (dependencies first).
+// Returns a flat list of "nodeID:serviceName" keys.
+func (g *Graph) TopologicalSort() ([]string, error) {
+	if g.HasCycle() {
+		return nil, fmt.Errorf("dependency cycle detected")
+	}
+
+	var result []string
+	visited := make(map[string]bool)
+
+	var dfs func(string)
+	dfs = func(u string) {
+		if visited[u] {
+			return
+		}
+		visited[u] = true
+		for _, depRef := range g.adj[u] {
+			v, _ := g.ResolveRef(depRef, nodeIDFromKey(u))
+			dfs(v)
+		}
+		result = append(result, u)
+	}
+
+	keys := make([]string, 0, len(g.adj))
+	for k := range g.adj {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	for _, k := range keys {
+		dfs(k)
+	}
+
+	return result, nil
+}
+
+// GetNode returns a node by ID.
+func (g *Graph) GetNode(id string) (*Node, bool) {
+	n, ok := g.nodes[id]
+	return n, ok
+}
+
+// GetService returns a service by node ID and name.
+func (g *Graph) GetService(nodeID, name string) (*Service, bool) {
+	node, ok := g.nodes[nodeID]
+	if !ok {
+		return nil, false
+	}
+	for _, s := range node.Services {
+		if s.Name == name {
+			return s, true
+		}
+	}
+	return nil, false
+}
+
+// Nodes returns all nodes sorted by ID.
+func (g *Graph) Nodes() []*Node {
+	result := make([]*Node, 0, len(g.nodes))
+	for _, n := range g.nodes {
+		result = append(result, n)
+	}
+	sort.Slice(result, func(i, j int) bool {
+		return result[i].ID < result[j].ID
+	})
+	return result
+}
+
+// nodeIDFromKey extracts the node ID from a "nodeID:serviceName" key.
+func nodeIDFromKey(key string) string {
+	for i := 0; i < len(key); i++ {
+		if key[i] == ':' {
+			return key[:i]
+		}
+	}
+	return ""
+}

backend/internal/graph/yaml.go

@@ -0,0 +1,135 @@
+package graph
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+// yamlNode is the intermediate YAML representation of a node.
+type yamlNode struct {
+	Services map[string]yamlService `yaml:"services"`
+}
+
+// yamlService is the intermediate YAML representation of a service.
+type yamlService struct {
+	DependsOn yamlDependsOn `yaml:"depends_on"`
+}
+
+// yamlDependsOn supports both short form (list of strings) and long form (map with conditions).
+type yamlDependsOn struct {
+	simple []string
+	detail map[string]yamlDepCondition
+}
+
+type yamlDepCondition struct {
+	Condition DepCondition `yaml:"condition"`
+}
+
+func (d *yamlDependsOn) UnmarshalYAML(value *yaml.Node) error {
+	switch value.Kind {
+	case yaml.SequenceNode:
+		var names []string
+		if err := value.Decode(&names); err != nil {
+			return err
+		}
+		d.simple = names
+		return nil
+	case yaml.MappingNode:
+		d.detail = make(map[string]yamlDepCondition)
+		if err := value.Decode(&d.detail); err != nil {
+			return err
+		}
+		return nil
+	default:
+		return fmt.Errorf("depends_on must be a list or mapping, got %v", value.Kind)
+	}
+}
+
+// parseServiceRef parses a reference like "redis" or "infra:redis".
+func parseServiceRef(ref string) ServiceRef {
+	parts := strings.SplitN(ref, ":", 2)
+	if len(parts) == 2 {
+		return ServiceRef{NodeID: parts[0], Name: parts[1]}
+	}
+	return ServiceRef{Name: parts[0]}
+}
+
+// ParseYAML parses a node/service dependency graph from YAML bytes.
+//
+// Example:
+//
+//	nodes:
+//	  server1:
+//	    services:
+//	      web:
+//	        agent_id: agent-1
+//	        depends_on:
+//	          - redis
+//	          - infra:cache
+//	      api:
+//	        depends_on:
+//	          redis:
+//	            condition: healthy
+//	  infra:
+//	    services:
+//	      cache:
+//	      db:
+func ParseYAML(data []byte) (*Graph, error) {
+	var raw struct {
+		Nodes map[string]yamlNode `yaml:"nodes"`
+	}
+
+	if err := yaml.Unmarshal(data, &raw); err != nil {
+		return nil, fmt.Errorf("parse yaml: %w", err)
+	}
+
+	g := New()
+
+	// Phase 1: register all nodes and services
+	for nodeID, yn := range raw.Nodes {
+		g.AddNode(nodeID)
+		for svcName := range yn.Services {
+			g.AddService(nodeID, &Service{Name: svcName})
+		}
+	}
+
+	// Phase 2: wire dependencies
+	for nodeID, yn := range raw.Nodes {
+		for svcName, ys := range yn.Services {
+			// Short form
+			for _, ref := range ys.DependsOn.simple {
+				target := parseServiceRef(ref)
+				if err := g.AddDependency(nodeID, svcName, Dependency{
+					Target:    target,
+					Condition: Started,
+				}); err != nil {
+					return nil, err
+				}
+			}
+			// Long form
+			for ref, cond := range ys.DependsOn.detail {
+				target := parseServiceRef(ref)
+				if err := g.AddDependency(nodeID, svcName, Dependency{
+					Target:    target,
+					Condition: cond.Condition,
+				}); err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+
+	return g, nil
+}
+
+// ParseYAMLFile reads and parses from a file.
+func ParseYAMLFile(path string) (*Graph, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return ParseYAML(data)
+}

backend/internal/grpcsrv/collector/collector.go

@@ -0,0 +1,164 @@
+package collector
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"google.golang.org/grpc/metadata"
+)
+
+// Collector handles log streaming from connected agents.
+type Collector struct {
+	proto.UnimplementedCollectorServer
+	logRepo       *repository.LogRepository
+	tracker       *ConnTracker
+	batchSize     int
+	flushInterval time.Duration
+}
+
+func New(logRepo *repository.LogRepository, tracker *ConnTracker) *Collector {
+	return &Collector{
+		logRepo:       logRepo,
+		tracker:       tracker,
+		batchSize:     100,
+		flushInterval: 2 * time.Second,
+	}
+}
+
+func (c *Collector) Stream(stream proto.Collector_StreamServer) error {
+	md, ok := metadata.FromIncomingContext(stream.Context())
+	if !ok {
+		return fmt.Errorf("no metadata in context")
+	}
+
+	whoamiVals := md["whoami"]
+	if len(whoamiVals) == 0 {
+		return fmt.Errorf("whoami metadata missing")
+	}
+	agentName := whoamiVals[0]
+
+	serviceVals := md["service"]
+	if len(serviceVals) == 0 {
+		return fmt.Errorf("service metadata missing")
+	}
+	service := serviceVals[0]
+
+	agent := &Agent{
+		ID:          agentName,
+		Label:       agentName,
+		Services:    make([]Service, 0),
+		ConnectedAt: time.Now(),
+	}
+
+	c.tracker.Register(agent)
+	defer c.tracker.Unregister(agent.ID)
+
+	log.Printf("Agent %s connected, streaming logs for service: %s", agentName, service)
+
+	// If no ClickHouse, just consume the stream without storing
+	if !c.logRepo.IsConnected() {
+		log.Printf(
+			"Warning: ClickHouse not connected yet, consuming logs without storing for agent %s",
+			agentName,
+		)
+		for {
+			_, err := stream.Recv()
+			if err == io.EOF {
+				return nil
+			}
+			if err != nil {
+				return fmt.Errorf("failed to receive: %w", err)
+			}
+		}
+	}
+
+	// Channels for communication with recv goroutine
+	recvCh := make(chan *proto.CollectorRequest, 1)
+	errCh := make(chan error, 1)
+
+	// Goroutine that blocks on Recv
+	go func() {
+		for {
+			req, err := stream.Recv()
+			if err != nil {
+				errCh <- err
+				return
+			}
+			recvCh <- req
+		}
+	}()
+
+	// Buffer for batch inserts
+	var batch []storage.LogEntry
+	ticker := time.NewTicker(c.flushInterval)
+	defer ticker.Stop()
+
+	flush := func() error {
+		if len(batch) == 0 {
+			return nil
+		}
+		if err := c.logRepo.InsertBatch(stream.Context(), batch); err != nil {
+			log.Printf(
+				"Failed to insert batch for agent %s, service %s: %v",
+				agentName,
+				service,
+				err,
+			)
+			return err
+		}
+		log.Printf("Flushed %d logs for agent %s, service %s", len(batch), agentName, service)
+		batch = batch[:0]
+		return nil
+	}
+
+	for {
+		select {
+		case <-stream.Context().Done():
+			_ = flush()
+			return stream.Context().Err()
+		case <-ticker.C:
+			if err := flush(); err != nil {
+				return err
+			}
+		case req := <-recvCh:
+			batch = append(batch, storage.LogEntry{
+				Timestamp: time.Now(),
+				Level:     "info",
+				Service:   service,
+				Agent:     agentName,
+				Message:   req.Message,
+			})
+
+			if len(batch) >= c.batchSize {
+				if err := flush(); err != nil {
+					return err
+				}
+			}
+		case err := <-errCh:
+			if err == io.EOF {
+				return flush()
+			}
+			return fmt.Errorf("failed to receive: %w", err)
+		}
+	}
+}
+
+// GetAgent delegates to the tracker.
+func (c *Collector) GetAgent(name string) (*Agent, bool) {
+	return c.tracker.GetAgent(name)
+}
+
+// Agents delegates to the tracker.
+func (c *Collector) Agents() []*Agent {
+	return c.tracker.Agents()
+}
+
+// GetSystemMetrics delegates to the tracker.
+func (c *Collector) GetSystemMetrics() map[string]AgentMetricsInfo {
+	return c.tracker.GetSystemMetrics()
+}

backend/internal/grpcsrv/collector/services.go

@@ -0,0 +1,92 @@
+package collector
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"google.golang.org/grpc/metadata"
+)
+
+// ReportServices handles a unary service status update from an agent.
+// Agents send their current services list, which is stored in the collector.
+func (c *Collector) ReportServices(ctx context.Context, req *proto.ServicesUpdate) (*proto.ServicesUpdateResp, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, fmt.Errorf("no metadata in context")
+	}
+
+	whoamiVals := md["whoami"]
+	if len(whoamiVals) == 0 {
+		return nil, fmt.Errorf("whoami metadata missing")
+	}
+	agentName := whoamiVals[0]
+
+	// Auto-register agent if not yet known (e.g. log stream not connected yet)
+	c.ensureAgentRegistered(agentName)
+
+	services := make([]Service, 0, len(req.Services))
+	for _, s := range req.Services {
+		services = append(services, Service{s.Name, s.Status})
+	}
+
+	if ok := c.tracker.UpdateServices(agentName, services); ok {
+		log.Printf("Updated services for agent %s: %v", agentName, services)
+	} else {
+		log.Printf("Warning: received services update for unknown agent %s", agentName)
+	}
+
+	return &proto.ServicesUpdateResp{}, nil
+}
+
+// ReportSystemMetrics handles system metrics update from an agent.
+// Agents send their current system metrics (CPU, RAM, disk, network).
+func (c *Collector) ReportSystemMetrics(ctx context.Context, req *proto.SystemMetrics) (*proto.SystemMetricsResp, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, fmt.Errorf("no metadata in context")
+	}
+
+	whoamiVals := md["whoami"]
+	if len(whoamiVals) == 0 {
+		return nil, fmt.Errorf("whoami metadata missing")
+	}
+	agentName := whoamiVals[0]
+
+	// Auto-register agent if not yet known (e.g. log stream not connected yet)
+	c.ensureAgentRegistered(agentName)
+
+	metrics := SystemMetrics{
+		CPUPercent:    req.CpuPercent,
+		MemoryPercent: req.MemoryPercent,
+		DiskPercent:   req.DiskPercent,
+		NetworkRxBytes: req.NetworkRxBytes,
+		NetworkTxBytes: req.NetworkTxBytes,
+	}
+
+	if ok := c.tracker.UpdateSystemMetrics(agentName, metrics); ok {
+		log.Printf("Updated system metrics for agent %s: CPU=%.1f%%, RAM=%.1f%%, Disk=%.1f%%",
+			agentName, metrics.CPUPercent, metrics.MemoryPercent, metrics.DiskPercent)
+	} else {
+		log.Printf("Warning: received system metrics for unknown agent %s", agentName)
+	}
+
+	return &proto.SystemMetricsResp{}, nil
+}
+
+// ensureAgentRegistered registers the agent in the tracker if it's not already there.
+// This handles the case where agents send metrics/services before connecting to the log stream.
+func (c *Collector) ensureAgentRegistered(agentName string) {
+	if _, ok := c.tracker.GetAgent(agentName); !ok {
+		agent := &Agent{
+			ID:          agentName,
+			Label:       agentName,
+			Services:    make([]Service, 0),
+			ConnectedAt: time.Now(),
+		}
+		c.tracker.Register(agent)
+		log.Printf("Auto-registered agent via unary RPC: %s", agentName)
+	}
+}

backend/internal/grpcsrv/collector/tracker.go

@@ -0,0 +1,165 @@
+package collector
+
+import (
+	"context"
+	"log"
+	"sync"
+	"time"
+
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/stats"
+)
+
+// ConnTracker tracks connected Collector agents and handles cleanup on disconnect.
+// It implements grpc.StatsHandler for disconnect detection.
+type ConnTracker struct {
+	mu     sync.RWMutex
+	agents map[string]*Agent
+}
+
+func NewConnTracker() *ConnTracker {
+	return &ConnTracker{
+		agents: make(map[string]*Agent),
+	}
+}
+
+// Register adds an agent to the tracker. Called by Collector.Stream().
+func (t *ConnTracker) Register(agent *Agent) {
+	t.mu.Lock()
+	t.agents[agent.ID] = agent
+	t.mu.Unlock()
+	log.Printf("[collector] agent registered: %s", agent.ID)
+}
+
+// Unregister removes an agent from the tracker.
+func (t *ConnTracker) Unregister(id string) {
+	t.mu.Lock()
+	delete(t.agents, id)
+	t.mu.Unlock()
+	log.Printf("[collector] agent unregistered: %s", id)
+}
+
+// GetAgent returns the agent for the given ID.
+func (t *ConnTracker) GetAgent(id string) (*Agent, bool) {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	a, ok := t.agents[id]
+	return a, ok
+}
+
+// Agents returns all connected agents.
+func (t *ConnTracker) Agents() []*Agent {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	result := make([]*Agent, 0, len(t.agents))
+	for _, a := range t.agents {
+		result = append(result, a)
+	}
+	return result
+}
+
+// grpc.StatsHandler implementation.
+
+func (t *ConnTracker) TagRPC(ctx context.Context, _ *stats.RPCTagInfo) context.Context {
+	return ctx
+}
+
+func (t *ConnTracker) HandleRPC(ctx context.Context, _ stats.RPCStats) {}
+
+func (t *ConnTracker) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
+	return ctx
+}
+
+func (t *ConnTracker) HandleConn(ctx context.Context, s stats.ConnStats) {
+	switch s.(type) {
+	case *stats.ConnEnd:
+		md, ok := metadata.FromIncomingContext(ctx)
+		if !ok {
+			return
+		}
+		whoamiVals := md["whoami"]
+		if len(whoamiVals) == 0 {
+			return
+		}
+		t.Unregister(whoamiVals[0])
+	}
+}
+
+// UpdateServices updates the services list for the given agent.
+func (t *ConnTracker) UpdateServices(id string, services []Service) bool {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	agent, ok := t.agents[id]
+	if !ok {
+		return false
+	}
+	agent.Services = services
+	return true
+}
+
+// UpdateSystemMetrics updates the system metrics for the given agent.
+func (t *ConnTracker) UpdateSystemMetrics(id string, metrics SystemMetrics) bool {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	agent, ok := t.agents[id]
+	if !ok {
+		return false
+	}
+	agent.SystemMetrics = metrics
+	return true
+}
+
+// GetSystemMetrics returns system metrics for all connected agents.
+func (t *ConnTracker) GetSystemMetrics() map[string]AgentMetricsInfo {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	result := make(map[string]AgentMetricsInfo)
+	for id, agent := range t.agents {
+		result[id] = AgentMetricsInfo{
+			ID:            id,
+			Label:         agent.Label,
+			ConnectedAt:   agent.ConnectedAt,
+			CPUPercent:    agent.SystemMetrics.CPUPercent,
+			MemoryPercent: agent.SystemMetrics.MemoryPercent,
+			DiskPercent:   agent.SystemMetrics.DiskPercent,
+			NetworkRxBytes: agent.SystemMetrics.NetworkRxBytes,
+			NetworkTxBytes: agent.SystemMetrics.NetworkTxBytes,
+		}
+	}
+	return result
+}
+
+// Service represents a named service with its current status.
+type Service struct {
+	Name, Status string
+}
+
+// SystemMetrics represents system resource metrics.
+type SystemMetrics struct {
+	CPUPercent    float64
+	MemoryPercent float64
+	DiskPercent   float64
+	NetworkRxBytes float64
+	NetworkTxBytes float64
+}
+
+// AgentMetricsInfo contains agent info with its system metrics.
+type AgentMetricsInfo struct {
+	ID             string    `json:"id"`
+	Label          string    `json:"label"`
+	ConnectedAt    time.Time `json:"connected_at"`
+	CPUPercent     float64   `json:"cpu_percent"`
+	MemoryPercent  float64   `json:"memory_percent"`
+	DiskPercent    float64   `json:"disk_percent"`
+	NetworkRxBytes float64   `json:"network_rx_bytes"`
+	NetworkTxBytes float64   `json:"network_tx_bytes"`
+}
+
+// Agent represents a connected agent streaming logs to the collector.
+type Agent struct {
+	ID            string
+	Label         string
+	Services      []Service
+	SystemMetrics SystemMetrics
+	ConnectedAt   time.Time
+}

backend/internal/grpcsrv/commander/commander.go

@@ -0,0 +1,256 @@
+package commander
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log"
+	"sync"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/stats"
+)
+
+// Commander handles command execution on connected agents.
+type Commander struct {
+	proto.UnimplementedCommanderServer
+	tracker *ConnTracker
+	jobber  Jobber
+}
+
+// Jobber persists job state.
+type Jobber interface {
+	InitJob(ctx context.Context, agentID string, job models.JobForInsert) (int64, error)
+	UpdateJobInDB(ctx context.Context, jid int64, msg models.JobForUpdate) (models.Job, error)
+}
+
+func New(jobber Jobber, tracker *ConnTracker) *Commander {
+	return &Commander{
+		jobber:  jobber,
+		tracker: tracker,
+	}
+}
+
+// Agent represents a connected agent with an active bidirectional stream.
+type Agent struct {
+	bidi   grpc.BidiStreamingServer[proto.FinishedCommand, proto.Command]
+	in     chan *proto.Command
+	jobs   map[int64]Job
+	jobber Jobber
+	ctx    context.Context
+	aid    string
+
+	Token    string
+	Label    string
+	Services []string
+}
+
+type JobOut struct {
+	fc  models.Job
+	err error
+}
+
+type Job struct {
+	out chan JobOut
+}
+
+// ConnTracker tracks connected agents and handles cleanup on disconnect.
+// It implements grpc.StatsHandler for disconnect detection.
+type ConnTracker struct {
+	mu     sync.RWMutex
+	agents map[string]*Agent
+}
+
+// GetAgentByLabel searches for an agent by its human-readable label.
+func (self *ConnTracker) GetAgentByLabel(label string) (agent Agent, ok bool) {
+	self.mu.RLock()
+	defer self.mu.RUnlock()
+	for _, a := range self.agents {
+		if a.Label == label {
+			return *a, true
+		}
+	}
+	return
+}
+
+func NewConnTracker() *ConnTracker {
+	return &ConnTracker{
+		agents: make(map[string]*Agent),
+	}
+}
+
+func (t *ConnTracker) Register(aid string, agent *Agent) {
+	t.mu.Lock()
+	t.agents[aid] = agent
+	t.mu.Unlock()
+	log.Printf("[conntracker] agent registered: %s", aid)
+}
+
+func (t *ConnTracker) Unregister(aid string) {
+	t.mu.Lock()
+	delete(t.agents, aid)
+	t.mu.Unlock()
+	log.Printf("[conntracker] agent unregistered: %s", aid)
+}
+
+func (t *ConnTracker) GetAgent(aid string) (*Agent, bool) {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	a, ok := t.agents[aid]
+	return a, ok
+}
+
+func (t *ConnTracker) Agents() []*Agent {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	result := make([]*Agent, 0, len(t.agents))
+	for _, a := range t.agents {
+		result = append(result, a)
+	}
+	return result
+}
+
+// grpc.StatsHandler implementation.
+
+func (t *ConnTracker) TagRPC(ctx context.Context, _ *stats.RPCTagInfo) context.Context {
+	return ctx
+}
+
+func (t *ConnTracker) HandleRPC(ctx context.Context, _ stats.RPCStats) {}
+
+func (t *ConnTracker) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
+	return ctx
+}
+
+func (t *ConnTracker) HandleConn(ctx context.Context, s stats.ConnStats) {
+	switch s.(type) {
+	case *stats.ConnEnd:
+		md, ok := metadata.FromIncomingContext(ctx)
+		if !ok {
+			return
+		}
+		aidVals := md["agentid"]
+		if len(aidVals) == 0 {
+			return
+		}
+		t.Unregister(aidVals[0])
+	}
+}
+
+// Stream handles a new agent connection and runs the send/recv loops.
+func (c *Commander) Stream(
+	bidi grpc.BidiStreamingServer[proto.FinishedCommand, proto.Command],
+) error {
+	md, ok := metadata.FromIncomingContext(bidi.Context())
+	if !ok {
+		return fmt.Errorf("no metadata in context")
+	}
+	aidVals := md["agentid"]
+	if len(aidVals) == 0 {
+		return fmt.Errorf("agentid metadata missing")
+	}
+	aid := aidVals[0]
+
+	var label string
+	if vals := md["label"]; len(vals) > 0 {
+		label = vals[0]
+	}
+
+	agent := NewAgent(bidi.Context(), c.jobber, aid, label)
+	agent.bidi = bidi
+
+	c.tracker.Register(aid, agent)
+	defer c.tracker.Unregister(aid)
+
+	return agent.run()
+}
+
+// GetAgent returns the agent by ID. Delegates to the tracker.
+func (c *Commander) GetAgent(aid string) (*Agent, bool) {
+	return c.tracker.GetAgent(aid)
+}
+
+func (a *Agent) AddJob(job models.JobForInsert) (int64, error) {
+	jid, err := a.jobber.InitJob(a.ctx, a.aid, job)
+	if err != nil {
+		return 0, err
+	}
+	a.jobs[jid] = newJob()
+	a.in <- &proto.Command{
+		Id:      jid,
+		Command: job.Command,
+		Stdin:   job.Stdin,
+	}
+	return jid, nil
+}
+
+func (a *Agent) WaitJob(jid int64) (*models.Job, error) {
+	result := <-a.jobs[jid].out
+	return &result.fc, result.err
+}
+
+func (a *Agent) run() error {
+	wg := new(errgroup.Group)
+	wg.Go(a.recv)
+	wg.Go(a.send)
+	return wg.Wait()
+}
+
+func (a *Agent) recv() error {
+	for {
+		job, err := func() (job models.Job, err error) {
+			msg, err := a.bidi.Recv()
+			if err != nil {
+				return
+			}
+			return a.jobber.UpdateJobInDB(a.ctx, msg.Id, models.JobForUpdate{
+				Stdout: msg.Stdout,
+				Stderr: msg.Stderr,
+				Status: msg.Status,
+			})
+		}()
+		if err == io.EOF {
+			return nil
+		}
+		out := a.jobs[job.ID].out
+		out <- JobOut{
+			fc:  job,
+			err: err,
+		}
+		close(out)
+	}
+}
+
+func (a *Agent) send() error {
+	for job := range a.in {
+		if err := a.bidi.Send(job); err != nil {
+			return err
+		}
+	}
+	return io.EOF
+}
+
+func NewAgent(
+	ctx context.Context,
+	jobber Jobber,
+	aid string,
+	label string,
+) *Agent {
+	return &Agent{
+		in:     make(chan *proto.Command, 10),
+		jobs:   make(map[int64]Job),
+		jobber: jobber,
+		ctx:    ctx,
+		aid:    aid,
+		Label:  label,
+		Token:  aid,
+	}
+}
+
+func newJob() Job {
+	return Job{make(chan JobOut, 1)}
+}

backend/internal/handlers/agent_deploy.go

@@ -0,0 +1,234 @@
+package handlers
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/ansible"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"github.com/gin-gonic/gin"
+)
+
+type AgentDeployGroup struct {
+	*Handlers
+	executor *ansible.Executor
+}
+
+func NewAgentDeployGroup(h *Handlers) *AgentDeployGroup {
+	workDir := os.Getenv("ANSIBLE_WORK_DIR")
+	if workDir == "" {
+		workDir = "/tmp/hellreign/ansible"
+	}
+
+	grpcPort := os.Getenv("GRPC_PORT")
+	if grpcPort == "" {
+		grpcPort = "9001"
+	}
+
+	grpcHost := os.Getenv("GRPC_SERVER_HOST")
+	if grpcHost == "" {
+		grpcHost = "0.0.0.0"
+	}
+
+	backendURL := os.Getenv("BACKEND_URL")
+	if backendURL == "" {
+		backendURL = "http://localhost:8080"
+	}
+
+	giteaURL := os.Getenv("GITEA_RELEASES_URL")
+	if giteaURL == "" {
+		giteaURL = "https://gitea.d3m0k1d.ru/d3m0k1d/HellreigN/releases/latest/download"
+	}
+
+	exec := ansible.NewExecutor(ansible.ExecutorConfig{
+		WorkDir:        workDir,
+		GRPCServerHost: grpcHost,
+		GRPCServerPort: grpcPort,
+		BackendURL:     backendURL,
+		GiteaReleasesURL: giteaURL,
+	})
+
+	// Write playbooks on init
+	if err := exec.WriteAllPlaybooks(); err != nil {
+		// Log the error - deployment will fail later if playbooks can't be written
+		fmt.Fprintf(os.Stderr, "WARNING: failed to write Ansible playbooks: %v\n", err)
+	}
+
+	return &AgentDeployGroup{
+		Handlers: h,
+		executor: exec,
+	}
+}
+
+// DeployAgents deploys agents to multiple servers
+// @Summary Deploy agents to multiple servers via Ansible
+// @Description Deploy HellreigN agents to multiple servers using Ansible playbooks. Supports Docker and Binary deployment types.
+// @Tags agents
+// @Accept json
+// @Produce json
+// @Param request body repository.DeployAgentsRequest true "Deployment configuration for servers"
+// @Success 200 {object} repository.DeployResponse "Deployment results with tokens for each server"
+// @Failure 400 {object} map[string]string "Invalid request"
+// @Failure 500 {object} map[string]string "Internal server error"
+// @Security Bearer
+// @Router /agents/deploy [post]
+func (adg *AgentDeployGroup) DeployAgents(c *gin.Context) {
+	var req repository.DeployAgentsRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Validate auth credentials for each server
+	for i, server := range req.Servers {
+		switch server.AuthMethod {
+		case repository.AuthMethodKey:
+			if server.SSHKey == "" {
+				c.JSON(http.StatusBadRequest, gin.H{
+					"error": fmt.Sprintf("server %d (%s): sshKey is required when authMethod is 'key'", i, server.IP),
+				})
+				return
+			}
+		case repository.AuthMethodPassword:
+			if server.Password == "" {
+				c.JSON(http.StatusBadRequest, gin.H{
+					"error": fmt.Sprintf("server %d (%s): password is required when authMethod is 'password'", i, server.IP),
+				})
+				return
+			}
+		default:
+			c.JSON(http.StatusBadRequest, gin.H{
+				"error": fmt.Sprintf("server %d (%s): invalid authMethod %q, expected 'key' or 'password'", i, server.IP, server.AuthMethod),
+			})
+			return
+		}
+	}
+
+	// Pre-flight check: verify community.docker collection is available for docker deployments
+	needsDockerCollection := false
+	for _, server := range req.Servers {
+		if server.DeployType == repository.DeployTypeDocker {
+			needsDockerCollection = true
+			break
+		}
+	}
+	if needsDockerCollection {
+		if err := adg.executor.CheckDockerCollection(); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{
+				"error": fmt.Sprintf("Docker deployment requires 'community.docker' Ansible collection: %v", err),
+			})
+			return
+		}
+	}
+
+	// Create work directory
+	workDir := adg.executor.WorkDir()
+	if err := os.MkdirAll(workDir, 0755); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create work directory"})
+		return
+	}
+
+	// Generate registration tokens for each server
+	results := make([]repository.DeployResult, 0, len(req.Servers))
+	timestamp := time.Now().UnixMilli()
+
+	ctx, cancel := context.WithTimeout(c.Request.Context(), 10*time.Minute)
+	defer cancel()
+
+	for i, server := range req.Servers {
+		// Create registration token
+		token, err := adg.Repo.CreateRegistrationToken(server.AgentLabel)
+		if err != nil {
+			results = append(results, repository.DeployResult{
+				IP:         server.IP,
+				AgentLabel: server.AgentLabel,
+				Success:    false,
+				Error:      fmt.Sprintf("failed to create token: %v", err),
+			})
+			continue
+		}
+
+		// Set default port
+		port := server.Port
+		if port == 0 {
+			port = 22
+		}
+
+		// Generate inventory for this single server
+		inventoryHosts := []ansible.InventoryHost{
+			{
+				Name:       server.AgentLabel,
+				IP:         server.IP,
+				Port:       port,
+				User:       server.User,
+				AuthMethod: string(server.AuthMethod),
+				SSHKey:     server.SSHKey,
+				Password:   server.Password,
+				DeployType: string(server.DeployType),
+				Token:      token,
+				GRPCURL:    adg.executor.GRPCURL(),
+			},
+		}
+
+		inventoryPath := filepath.Join(workDir, fmt.Sprintf("inventory_%d_%d", timestamp, i))
+		if err := ansible.GenerateInventory(inventoryHosts, inventoryPath); err != nil {
+			// Rollback: delete the token we just created
+			_ = adg.Repo.DeleteRegistrationToken(token)
+			results = append(results, repository.DeployResult{
+				IP:         server.IP,
+				AgentLabel: server.AgentLabel,
+				Token:      token,
+				Success:    false,
+				Error:      fmt.Sprintf("failed to generate inventory: %v", err),
+			})
+			continue
+		}
+
+		// Run Ansible playbook for this server
+		deployResults, err := adg.executor.Deploy(ctx, inventoryPath, string(server.DeployType))
+
+		// Clean up inventory file (log error but don't fail deployment)
+		if cleanupErr := os.Remove(inventoryPath); cleanupErr != nil {
+			fmt.Fprintf(os.Stderr, "WARNING: failed to remove inventory file %s: %v\n", inventoryPath, cleanupErr)
+		}
+
+		if err != nil {
+			// Rollback: delete the token since deployment failed
+			_ = adg.Repo.DeleteRegistrationToken(token)
+			results = append(results, repository.DeployResult{
+				IP:         server.IP,
+				AgentLabel: server.AgentLabel,
+				Token:      token,
+				Success:    false,
+				Error:      fmt.Sprintf("deployment failed: %v", err),
+			})
+			continue
+		}
+
+		success := true
+		errMsg := ""
+		if len(deployResults) > 0 && !deployResults[0].Success {
+			success = false
+			errMsg = deployResults[0].Stderr
+			// Rollback: delete the token since ansible playbook reported failure
+			_ = adg.Repo.DeleteRegistrationToken(token)
+		}
+
+		results = append(results, repository.DeployResult{
+			IP:         server.IP,
+			AgentLabel: server.AgentLabel,
+			Token:      token,
+			Success:    success,
+			Error:      errMsg,
+		})
+	}
+
+	c.JSON(http.StatusOK, repository.DeployResponse{
+		Message: "Deployment completed",
+		Results: results,
+	})
+}

backend/internal/handlers/agent_register.go

@@ -0,0 +1,121 @@
+package handlers
+
+import (
+	"log"
+	"net/http"
+	"os"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/utils"
+	"github.com/gin-gonic/gin"
+)
+
+type AgentRegistrationGroup struct {
+	*Handlers
+	certBundle *utils.CertBundle
+}
+
+func NewAgentRegistrationGroup(h *Handlers) *AgentRegistrationGroup {
+	certDir := getCertDir()
+	bundle, err := utils.LoadCertBundle(certDir)
+	if err != nil {
+		log.Printf("[agent-reg] WARNING: cert bundle load failed: %v", err)
+	}
+	return &AgentRegistrationGroup{
+		Handlers:   h,
+		certBundle: bundle,
+	}
+}
+
+// CreateRegistrationToken — админ создаёт токен для агента
+// @Summary Create registration token
+// @Tags agents
+// @Accept json
+// @Produce json
+// @Param request body repository.RegistrationRequest true "Label"
+// @Success 200 {object} map[string]string
+// @Security Bearer
+// @Router /agents/register-token [post]
+func (arg *AgentRegistrationGroup) CreateRegistrationToken(c *gin.Context) {
+	var req repository.RegistrationRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	token, err := arg.Repo.CreateRegistrationToken(req.Label)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create token"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"token": token})
+}
+
+// Register — агент шлёт CSR + token, получает сертификаты
+// @Summary Register agent
+// @Tags agents
+// @Accept json
+// @Produce json
+// @Param request body RegisterRequest true "CSR + token"
+// @Success 200 {object} RegisterResponse
+// @Router /agents/register [post]
+func (arg *AgentRegistrationGroup) Register(c *gin.Context) {
+	var req RegisterRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if arg.certBundle == nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "certificate bundle not available"})
+		return
+	}
+
+	regToken, err := arg.Repo.GetRegistrationToken(req.Token)
+	if err != nil {
+		if err == repository.ErrNotFound {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid registration token"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to verify token"})
+		return
+	}
+
+	if regToken.Used {
+		c.JSON(http.StatusGone, gin.H{"error": "registration token already used"})
+		return
+	}
+
+	clientCertPEM, err := arg.certBundle.SignCSR([]byte(req.CSR), regToken.Label)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "failed to sign CSR: " + err.Error()})
+		return
+	}
+
+	if err := arg.Repo.MarkRegistrationTokenUsed(req.Token); err != nil {
+		log.Printf("[agent-reg] WARNING: failed to mark token used: %v", err)
+	}
+
+	c.JSON(http.StatusOK, RegisterResponse{
+		CACert:     string(arg.certBundle.GetCACertPEM()),
+		ClientCert: string(clientCertPEM),
+	})
+}
+
+type RegisterRequest struct {
+	CSR   string `json:"csr"   binding:"required"`
+	Token string `json:"token" binding:"required"`
+}
+
+type RegisterResponse struct {
+	CACert     string `json:"ca_cert"`
+	ClientCert string `json:"client_cert"`
+}
+
+func getCertDir() string {
+	if d := os.Getenv("SSL_CERT_DIR"); d != "" {
+		return d
+	}
+	return "/var/lib/hellreign/ssl"
+}

backend/internal/handlers/agents.go

@@ -0,0 +1,94 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/collector"
+	"github.com/gin-gonic/gin"
+)
+
+type AgentsGroup struct {
+	*Handlers
+	collector *collector.Collector
+}
+
+func NewAgentsGroup(h *Handlers, coll *collector.Collector) AgentsGroup {
+	return AgentsGroup{Handlers: h, collector: coll}
+}
+
+// AgentInfo represents a connected agent's current status.
+type AgentInfo struct {
+	Token       string   `json:"token" example:"agent-001"`                  // Unique agent identifier
+	Label       string   `json:"label" example:"web-server-1"`               // Human-readable label
+	Services    []string `json:"services" example:"nginx:running,redis:up"`  // List of services with status (format: "name:status")
+	ConnectedAt string   `json:"connected_at" example:"2026-04-04 10:30:00"` // Time when agent connected (RFC3339-like)
+}
+
+// @Summary Get connected agents
+// @Description Returns a list of all agents currently connected via Collector (log streaming)
+// @Tags agents
+// @Security Bearer
+// @Accept json
+// @Produce json
+// @Success 200 {array} AgentInfo
+// @Router /agents [get]
+func (ag *AgentsGroup) List(c *gin.Context) {
+	agents := make([]AgentInfo, 0)
+
+	for _, agent := range ag.collector.Agents() {
+		services := make([]string, 0, len(agent.Services))
+		for _, s := range agent.Services {
+			services = append(services, fmt.Sprintf("%s:%s", s.Name, s.Status))
+		}
+		agents = append(agents, AgentInfo{
+			Token:       agent.ID,
+			Label:       agent.Label,
+			Services:    services,
+			ConnectedAt: agent.ConnectedAt.Format("2006-01-02 15:04:05"),
+		})
+	}
+
+	c.JSON(http.StatusOK, agents)
+}
+
+// AgentSystemMetricsOut represents system metrics for a single agent.
+type AgentSystemMetricsOut struct {
+	ID             string  `json:"id" example:"agent-001"`
+	Label          string  `json:"label" example:"web-server-1"`
+	ConnectedAt    string  `json:"connected_at" example:"2026-04-04 10:30:00"`
+	CPUPercent     float64 `json:"cpu_percent" example:"45.2"`
+	MemoryPercent  float64 `json:"memory_percent" example:"62.5"`
+	DiskPercent    float64 `json:"disk_percent" example:"78.9"`
+	NetworkRxBytes float64 `json:"network_rx_bytes" example:"1048576.0"`
+	NetworkTxBytes float64 `json:"network_tx_bytes" example:"524288.0"`
+}
+
+// GetSystemMetrics returns system load metrics for all connected agents.
+// @Summary Get agent system metrics
+// @Description Returns CPU, RAM, disk, and network usage metrics for all connected agents
+// @Tags agents
+// @Security Bearer
+// @Accept json
+// @Produce json
+// @Success 200 {array} AgentSystemMetricsOut
+// @Router /agents/system-metrics [get]
+func (ag *AgentsGroup) GetSystemMetrics(c *gin.Context) {
+	metricsMap := ag.collector.GetSystemMetrics()
+	
+	metrics := make([]AgentSystemMetricsOut, 0, len(metricsMap))
+	for _, m := range metricsMap {
+		metrics = append(metrics, AgentSystemMetricsOut{
+			ID:             m.ID,
+			Label:          m.Label,
+			ConnectedAt:    m.ConnectedAt.Format("2006-01-02 15:04:05"),
+			CPUPercent:     m.CPUPercent,
+			MemoryPercent:  m.MemoryPercent,
+			DiskPercent:    m.DiskPercent,
+			NetworkRxBytes: m.NetworkRxBytes,
+			NetworkTxBytes: m.NetworkTxBytes,
+		})
+	}
+
+	c.JSON(http.StatusOK, metrics)
+}

backend/internal/handlers/auth.go

@@ -0,0 +1,451 @@
+package handlers
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"github.com/gin-gonic/gin"
+)
+
+// AuthGroup handles authentication routes.
+type AuthGroup struct {
+	*Handlers
+}
+
+// Login authenticates a user by login and password, returns a token.
+// @Summary Login
+// @Description Authenticate with login and password, returns a token and permissions
+// @Tags auth
+// @Accept json
+// @Param request body repository.LoginRequest true "Login credentials"
+// @Success 200 {object} repository.LoginResponse
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 403 {object} map[string]string
+// @Router /auth/login [post]
+func (ag *AuthGroup) Login(c *gin.Context) {
+	var req repository.LoginRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	resp, err := ag.Repo.Login(req.Login, req.Password)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
+			return
+		}
+		if errors.Is(err, repository.ErrAccountInactive) {
+			c.JSON(http.StatusForbidden, gin.H{"error": "account is not activated by admin"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to authenticate"})
+		return
+	}
+
+	c.JSON(http.StatusOK, resp)
+}
+
+// RegisterUser registers a new user with all permissions set to false.
+// @Summary Register user
+// @Description Registers a new user with login, password, name, last name. All permissions are set to false.
+// @Tags auth
+// @Accept json
+// @Param request body repository.UserRegister true "Registration data"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 409 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Router /auth/register [post]
+func (ag *AuthGroup) RegisterUser(c *gin.Context) {
+	var req repository.UserRegister
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	id, err := ag.Repo.RegisterUser(req)
+	if err != nil {
+		if strings.Contains(err.Error(), "UNIQUE constraint") {
+			c.JSON(http.StatusConflict, gin.H{"error": "login already exists"})
+			return
+		}
+		log.Printf("[register] failed: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to register user: %v", err)})
+		return
+	}
+
+	log.Printf("[register] user registered: id=%s login=%s", id, req.Login)
+	c.JSON(http.StatusOK, gin.H{"message": "user registered"})
+}
+
+// CreateToken creates a new user.
+// @Summary Create user
+// @Description Creates a new user with permissions
+// @Tags auth
+// @Accept json
+// @Param request body repository.TokenCreate true "User data"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/token [post]
+func (ag *AuthGroup) CreateToken(c *gin.Context) {
+	var tc repository.TokenCreate
+	if err := c.ShouldBindJSON(&tc); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	if _, err := ag.Repo.CreateToken(tc); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create user"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "user created"})
+}
+
+// ValidateToken validates the current Bearer token and returns user info.
+// @Summary Validate token
+// @Description Check if the provided Bearer token is valid and return its permissions
+// @Tags auth
+// @Produce json
+// @Success 200 {object} repository.Tokens
+// @Failure 401 {object} map[string]string
+// @Security Bearer
+// @Router /auth/validate [get]
+func (ag *AuthGroup) ValidateToken(c *gin.Context) {
+	tokenVal, exists := c.Get(string(tokenContextKey))
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authenticated"})
+		return
+	}
+
+	token, ok := tokenVal.(*repository.Tokens)
+	if !ok {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token context"})
+		return
+	}
+
+	c.JSON(http.StatusOK, token)
+}
+
+// ListTokens returns all users.
+// @Summary List users
+// @Description Returns list of all users with their permissions
+// @Tags auth
+// @Produce json
+// @Success 200 {array} repository.Tokens
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/tokens [get]
+func (ag *AuthGroup) ListTokens(c *gin.Context) {
+	tokens, err := ag.Repo.ListTokens()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list users"})
+		return
+	}
+	c.JSON(http.StatusOK, tokens)
+}
+
+// DeleteToken deletes a user by login from URL path.
+// @Summary Delete user
+// @Description Deletes a user by their login
+// @Tags auth
+// @Param login path string true "Login of the user to delete"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/tokens/:login [delete]
+func (ag *AuthGroup) DeleteToken(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	if err := ag.Repo.DeleteTokenByLogin(login); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete user"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "user deleted"})
+}
+
+// DeleteMyToken deletes the current user's account.
+// @Summary Delete my account
+// @Description Deletes the current authenticated user
+// @Tags auth
+// @Success 200 {object} map[string]string
+// @Failure 401 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/token [delete]
+func (ag *AuthGroup) DeleteMyToken(c *gin.Context) {
+	tokenVal, exists := c.Get(string(tokenContextKey))
+	if !exists {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authenticated"})
+		return
+	}
+
+	token, ok := tokenVal.(*repository.Tokens)
+	if !ok {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token context"})
+		return
+	}
+
+	if err := ag.Repo.DeleteToken(token.Token); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete account"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "account deleted"})
+}
+
+// ActivateUser activates a user by login.
+// @Summary Activate user
+// @Description Activates a user account by login (admin only)
+// @Tags auth
+// @Param login path string true "Login of the user to activate"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/:login/activate [post]
+func (ag *AuthGroup) ActivateUser(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	if err := ag.Repo.ActivateUserByLogin(login); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to activate user"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "user activated"})
+}
+
+// DeactivateUser deactivates a user by login.
+// @Summary Deactivate user
+// @Description Deactivates a user account by login (admin only)
+// @Tags auth
+// @Param login path string true "Login of the user to deactivate"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/:login/deactivate [post]
+func (ag *AuthGroup) DeactivateUser(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	if err := ag.Repo.DeactivateUserByLogin(login); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to deactivate user"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "user deactivated"})
+}
+
+// ListInactiveUsers returns all users that are not activated.
+// @Summary List inactive users
+// @Description Returns list of all users waiting for activation
+// @Tags auth
+// @Produce json
+// @Success 200 {array} repository.Tokens
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/inactive [get]
+func (ag *AuthGroup) ListInactiveUsers(c *gin.Context) {
+	tokens, err := ag.Repo.ListInactiveTokens()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list inactive users"})
+		return
+	}
+	c.JSON(http.StatusOK, tokens)
+}
+
+// GetUser returns a user by login.
+// @Summary Get user by login
+// @Description Returns a user by their login (admin only)
+// @Tags auth
+// @Produce json
+// @Param login path string true "Login of the user"
+// @Success 200 {object} repository.Tokens
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/:login [get]
+func (ag *AuthGroup) GetUser(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	user, err := ag.Repo.GetTokenByLogin(login)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get user"})
+		return
+	}
+
+	c.JSON(http.StatusOK, user)
+}
+
+// UpdateUser updates user's name and last name.
+// @Summary Update user
+// @Description Updates a user's name and last name (admin only)
+// @Tags auth
+// @Accept json
+// @Param login path string true "Login of the user"
+// @Param request body repository.TokenUpdate true "User data to update"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/:login [put]
+func (ag *AuthGroup) UpdateUser(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	var update repository.TokenUpdate
+	if err := c.ShouldBindJSON(&update); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	if err := ag.Repo.UpdateToken(login, update); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update user"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "user updated"})
+}
+
+// UpdateUserPermissions updates user's permissions and activation status.
+// @Summary Update user permissions
+// @Description Updates a user's permissions and activation status (admin only)
+// @Tags auth
+// @Accept json
+// @Param login path string true "Login of the user"
+// @Param request body repository.TokenUpdatePermissions true "Permissions to update"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/:login/permissions [put]
+func (ag *AuthGroup) UpdateUserPermissions(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	var update repository.TokenUpdatePermissions
+	if err := c.ShouldBindJSON(&update); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	if err := ag.Repo.UpdatePermissions(login, update); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update permissions"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "permissions updated"})
+}
+
+// ResetUserPassword resets a user's password.
+// @Summary Reset user password
+// @Description Resets a user's password to a new value (admin only)
+// @Tags auth
+// @Accept json
+// @Param login path string true "Login of the user"
+// @Param request body repository.TokenPasswordReset true "New password"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /auth/users/:login/password [put]
+func (ag *AuthGroup) ResetUserPassword(c *gin.Context) {
+	login := c.Param("login")
+	if login == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "login required"})
+		return
+	}
+
+	var req repository.TokenPasswordReset
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	if err := ag.Repo.UpdatePassword(login, req.NewPassword); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to reset password"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "password reset"})
+}
+
+// getTokenFromHeader extracts the Bearer token from the Authorization header.
+func getTokenFromHeader(c *gin.Context) string {
+	auth := c.GetHeader("Authorization")
+	if auth == "" {
+		return ""
+	}
+	parts := strings.SplitN(auth, " ", 2)
+	if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
+		return ""
+	}
+	return parts[1]
+}

backend/internal/handlers/cors.go

@@ -0,0 +1,35 @@
+package handlers
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/samber/lo"
+)
+
+func CorsMiddleware(origincfg string) gin.HandlerFunc {
+	origins := strings.Split(origincfg, ";")
+	if origins[0] == "" {
+		panic("zero cors origins wtf is your config")
+	}
+	return func(c *gin.Context) {
+		origin := c.GetHeader("Origin")
+		if !lo.Contains(origins, origin) {
+			origin = origins[0]
+		}
+		c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
+		// c.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+		c.Writer.Header().
+			Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Accept-Encoding, Authorization")
+		c.Writer.Header().
+			Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PATCH, DELETE, PUT")
+
+		if c.Request.Method == "OPTIONS" {
+			c.AbortWithStatus(http.StatusNoContent)
+			return
+		}
+
+		c.Next()
+	}
+}

backend/internal/handlers/graph.go

@@ -0,0 +1,385 @@
+package handlers
+
+import (
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/graph"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/collector"
+	"github.com/gin-gonic/gin"
+)
+
+// GraphHandlers manages the service dependency graph.
+type GraphHandlers struct {
+	path      string
+	mu        sync.RWMutex
+	yamlData  []byte
+	loaded    *graph.Graph
+	collector *collector.Collector
+}
+
+// NewGraphHandlers loads the graph from the given YAML file path.
+func NewGraphHandlers(yamlPath string, coll *collector.Collector) *GraphHandlers {
+	h := &GraphHandlers{path: yamlPath, collector: coll}
+	if err := h.reload(); err != nil {
+		if _, ok := err.(*os.PathError); ok {
+			log.Printf("[graph] no graph file at %q, starting with empty graph", yamlPath)
+			h.loaded = graph.New()
+			h.yamlData = []byte("nodes: {}\n")
+		} else {
+			log.Fatalf("[graph] failed to load graph from %q: %v", yamlPath, err)
+		}
+	}
+	return h
+}
+
+func (h *GraphHandlers) reload() error {
+	data, err := os.ReadFile(h.path)
+	if err != nil {
+		return err
+	}
+	g, err := graph.ParseYAML(data)
+	if err != nil {
+		return err
+	}
+	h.mu.Lock()
+	h.yamlData = data
+	h.loaded = g
+	h.mu.Unlock()
+	return nil
+}
+
+// LoadedGraph returns the current parsed graph.
+func (h *GraphHandlers) LoadedGraph() *graph.Graph {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	return h.loaded
+}
+
+// GetGraph returns the current dependency graph as JSON.
+// @Summary Get dependency graph
+// @Description Returns the service dependency graph as JSON
+// @Tags graph
+// @Produce json
+// @Success 200 {object} map[string]interface{} "Dependency graph"
+// @Security Bearer
+// @Router /graph [get]
+func (h *GraphHandlers) GetGraph(c *gin.Context) {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+
+	g := h.loaded
+	if g == nil {
+		c.JSON(http.StatusOK, gin.H{"nodes": map[string]interface{}{}})
+		return
+	}
+
+	nodes := make(map[string]interface{})
+	for _, node := range g.Nodes() {
+		services := make(map[string]interface{})
+		for _, svc := range node.Services {
+			deps := make([]map[string]interface{}, 0)
+			for _, dep := range svc.Dependencies {
+				deps = append(deps, map[string]interface{}{
+					"target":    dep.Target,
+					"condition": dep.Condition,
+				})
+			}
+			services[svc.Name] = map[string]interface{}{
+				"dependencies": deps,
+			}
+		}
+		nodes[node.ID] = map[string]interface{}{
+			"services": services,
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"nodes": nodes})
+}
+
+// UpdateYAML updates the graph from new YAML text.
+// @Summary Update dependency graph YAML
+// @Description Replaces the service dependency graph YAML and reloads it
+// @Tags graph
+// @Accept plain
+// @Produce json
+// @Param body body string true "New YAML content"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Security Bearer
+// @Router /graph [put]
+func (h *GraphHandlers) UpdateYAML(c *gin.Context) {
+	body, err := io.ReadAll(c.Request.Body)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "failed to read body"})
+		return
+	}
+
+	g, err := graph.ParseYAML(body)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if err := os.WriteFile(h.path, body, 0o644); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to write graph file"})
+		return
+	}
+
+	h.mu.Lock()
+	h.yamlData = body
+	h.loaded = g
+	h.mu.Unlock()
+
+	log.Printf("[graph] updated graph from admin, saved to %s", h.path)
+	c.JSON(http.StatusOK, gin.H{"message": "graph updated"})
+}
+
+// StartupOrder returns the computed service startup order.
+// @Summary Get startup order
+// @Description Returns the topologically sorted service startup order
+// @Tags graph
+// @Produce json
+// @Success 200 {array} string
+// @Failure 400 {object} map[string]string
+// @Security Bearer
+// @Router /graph/order [get]
+func (h *GraphHandlers) StartupOrder(c *gin.Context) {
+	h.mu.RLock()
+	g := h.loaded
+	h.mu.RUnlock()
+
+	order, err := g.TopologicalSort()
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, order)
+}
+
+// CycleCheck checks if the graph has cycles.
+// @Summary Check for cycles
+// @Description Returns whether the dependency graph contains cycles
+// @Tags graph
+// @Produce json
+// @Success 200 {object} map[string]bool
+// @Security Bearer
+// @Router /graph/cycle [get]
+func (h *GraphHandlers) CycleCheck(c *gin.Context) {
+	h.mu.RLock()
+	g := h.loaded
+	h.mu.RUnlock()
+
+	c.JSON(http.StatusOK, gin.H{"has_cycle": g.HasCycle()})
+}
+
+// ServiceStatusOut represents a service and its current status.
+type ServiceStatusOut struct {
+	NodeID  string `json:"node_id"`
+	Name    string `json:"name"`
+	Status  string `json:"status"`
+	Healthy bool   `json:"healthy"`
+}
+
+// FailureRootCauseOut represents the result of a failure analysis.
+type FailureRootCauseOut struct {
+	Affected   ServiceStatusOut `json:"affected"`
+	RootCause  *ServiceStatusOut `json:"root_cause,omitempty"`
+	DependencyChain []string    `json:"dependency_chain,omitempty"`
+}
+
+// GetFailureRootCause analyzes the dependency graph and current service
+// statuses to find the root cause of a service failure.
+// If the specified service is unhealthy, it traverses its dependencies
+// to find the first unhealthy dependency — the one that is the root cause.
+// @Summary Find failure root cause
+// @Description Analyzes dependencies and service statuses to find the root cause of a failure
+// @Tags graph
+// @Param node_id query string false "Node ID (agent label)"
+// @Param service query string true "Service name"
+// @Produce json
+// @Success 200 {object} FailureRootCauseOut
+// @Failure 400 {object} map[string]string
+// @Security Bearer
+// @Router /graph/failure [get]
+func (h *GraphHandlers) GetFailureRootCause(c *gin.Context) {
+	nodeID := c.Query("node_id")
+	svcName := c.Query("service")
+	if svcName == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "service query param is required"})
+		return
+	}
+
+	h.mu.RLock()
+	g := h.loaded
+	h.mu.RUnlock()
+
+	if g == nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no graph loaded"})
+		return
+	}
+
+	// Build a map of service statuses from all agents
+	svcStatus := h.buildServiceStatusMap()
+
+	// If no node specified, search all nodes for the service
+	if nodeID == "" {
+		for _, node := range g.Nodes() {
+			if _, ok := g.GetService(node.ID, svcName); ok {
+				nodeID = node.ID
+				break
+			}
+		}
+	}
+
+	if nodeID == "" {
+		c.JSON(http.StatusNotFound, gin.H{"error": "service not found in graph"})
+		return
+	}
+
+	if _, ok := g.GetService(nodeID, svcName); !ok {
+		c.JSON(http.StatusNotFound, gin.H{"error": "service not found in node"})
+		return
+	}
+
+	// Get current status
+	status := svcStatus[nodeID+":"+svcName]
+	affected := ServiceStatusOut{
+		NodeID:  nodeID,
+		Name:    svcName,
+		Status:  status.status,
+		Healthy: status.healthy,
+	}
+
+	// If the service is healthy, no failure to analyze
+	if status.healthy {
+		c.JSON(http.StatusOK, FailureRootCauseOut{
+			Affected: affected,
+		})
+		return
+	}
+
+	// Find root cause: traverse dependencies to find the first unhealthy one
+	rootCause, chain := findRootCause(g, nodeID, svcName, svcStatus)
+
+	out := FailureRootCauseOut{
+		Affected:        affected,
+		DependencyChain: chain,
+	}
+	if rootCause != nil {
+		out.RootCause = rootCause
+	}
+
+	c.JSON(http.StatusOK, out)
+}
+
+// svcStatusEntry holds parsed status info.
+type svcStatusEntry struct {
+	status  string
+	healthy bool
+}
+
+// buildServiceStatusMap creates a map of "nodeID:serviceName" → status.
+// Matches graph nodes to agent labels in the collector.
+func (h *GraphHandlers) buildServiceStatusMap() map[string]svcStatusEntry {
+	result := make(map[string]svcStatusEntry)
+
+	h.mu.RLock()
+	nodes := h.loaded.Nodes()
+	h.mu.RUnlock()
+
+	for _, agent := range h.collector.Agents() {
+		for _, svc := range agent.Services {
+			healthy := isHealthyStatus(svc.Status)
+			entry := svcStatusEntry{status: svc.Status, healthy: healthy}
+
+			// Try exact node match first
+			key := agent.Label + ":" + svc.Name
+			result[key] = entry
+
+			// Also register under all nodes that don't have a status yet
+			for _, node := range nodes {
+				nodeKey := node.ID + ":" + svc.Name
+				if _, exists := result[nodeKey]; !exists {
+					result[nodeKey] = entry
+				}
+			}
+		}
+	}
+
+	return result
+}
+
+// findRootCause traverses the dependency graph to find the first unhealthy dependency.
+func findRootCause(g *graph.Graph, nodeID, svcName string, statusMap map[string]svcStatusEntry) (*ServiceStatusOut, []string) {
+	visited := make(map[string]bool)
+	var chain []string
+
+	var dfs func(string, string) *ServiceStatusOut
+	dfs = func(nid, sname string) *ServiceStatusOut {
+		key := nid + ":" + sname
+		chain = append(chain, key)
+		visited[key] = true
+
+		svc, ok := g.GetService(nid, sname)
+		if !ok {
+			return nil
+		}
+
+		// Check each dependency
+		for _, dep := range svc.Dependencies {
+			depNodeID := dep.Target.NodeID
+			if depNodeID == "" {
+				depNodeID = nid
+			}
+			depKey := depNodeID + ":" + dep.Target.Name
+
+			if visited[depKey] {
+				continue // avoid loops
+			}
+
+			depStatus := statusMap[depKey]
+
+			if !depStatus.healthy {
+				// This dependency is unhealthy — check if IT has an unhealthy dependency
+				// (to find the true root cause)
+				if deeper := dfs(depNodeID, dep.Target.Name); deeper != nil {
+					return deeper
+				}
+				// This is the root cause
+				return &ServiceStatusOut{
+					NodeID:  depNodeID,
+					Name:    dep.Target.Name,
+					Status:  depStatus.status,
+					Healthy: false,
+				}
+			}
+		}
+
+		return nil
+	}
+
+	root := dfs(nodeID, svcName)
+
+	// Deduplicate chain
+	seen := make(map[string]bool)
+	var deduped []string
+	for _, k := range chain {
+		if !seen[k] {
+			seen[k] = true
+			deduped = append(deduped, k)
+		}
+	}
+
+	return root, deduped
+}
+
+func isHealthyStatus(status string) bool {
+	s := strings.ToLower(status)
+	return s == "running" || s == "up" || s == "healthy"
+}

backend/internal/handlers/handlers.go

@@ -0,0 +1,19 @@
+package handlers
+
+import (
+	"database/sql"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+)
+
+type Handlers struct {
+	DB   *sql.DB
+	Repo *repository.Repository
+}
+
+func New(db *sql.DB) *Handlers {
+	return &Handlers{
+		DB:   db,
+		Repo: repository.New(db),
+	}
+}

backend/internal/handlers/jobs.go

@@ -0,0 +1,237 @@
+package handlers
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/commander"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/service"
+	"github.com/gin-gonic/gin"
+)
+
+type JobsHandlers struct {
+	tracker  *commander.ConnTracker
+	svc      *service.ScriptService
+	whereami string
+	jobRepo  *repository.JobRepository
+}
+
+func NewJobsHandlers(tracker *commander.ConnTracker, svc *service.ScriptService, whereami string, jobRepo *repository.JobRepository) JobsHandlers {
+	return JobsHandlers{tracker: tracker, svc: svc, whereami: whereami, jobRepo: jobRepo}
+}
+
+// AddJobIn is the request body for creating a job.
+type AddJobIn struct {
+	Command       string  `json:"command"        binding:"required"`
+	InterpreterID int64   `json:"interpreter_id"`
+	Stdin         *string `json:"stdin"`
+	AgentID       string  `json:"agent_id"       binding:"required"`
+}
+
+// AddJobOut is the response body for a submitted job.
+type AddJobOut struct {
+	ID      int64    `json:"id"`
+	Command []string `json:"command"`
+	WaitURL string   `json:"wait_url"`
+}
+
+// JobResult is the response body for a completed job.
+type JobResult struct {
+	ID      int64    `json:"id"`
+	Command []string `json:"command"`
+	Stdin   *string  `json:"stdin"`
+	Stdout  string   `json:"stdout"`
+	Stderr  string   `json:"stderr"`
+	Status  int32    `json:"status"`
+}
+
+// AddJob submits a job to an agent and returns a wait_url for the result.
+// @Summary Submit a job to an agent
+// @Description Sends a command to the specified agent and returns a URL to wait for the result
+// @Tags jobs
+// @Accept json
+// @Produce json
+// @Param body body AddJobIn true "Job request"
+// @Success 201 {object} AddJobOut
+// @Router /jobs [post]
+func (h *JobsHandlers) AddJob(c *gin.Context) {
+	var in AddJobIn
+	if err := c.Bind(&in); err != nil {
+		c.Error(err)
+		return
+	}
+
+	result, err := h.runCommand(c, in.AgentID, in.InterpreterID, in.Command, in.Stdin)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, result)
+}
+
+// runCommand resolves command, submits a job to the agent, and returns AddJobOut.
+// Shared between jobs and scripts handlers.
+func (h *JobsHandlers) runCommand(
+	c *gin.Context,
+	agentID string,
+	interpID int64,
+	command string,
+	stdin *string,
+) (*AddJobOut, error) {
+	agent, ok := h.tracker.GetAgent(agentID)
+	if !ok {
+		return nil, fmt.Errorf("agent not found")
+	}
+
+	cmd, err := resolveCommand(c, h.svc, interpID, command)
+	if err != nil {
+		return nil, err
+	}
+
+	jid, err := agent.AddJob(models.JobForInsert{
+		Command: cmd,
+		Stdin:   stdin,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	waitURL := fmt.Sprintf("%s/api/v1/jobs/%d/wait", h.whereami, jid)
+
+	return &AddJobOut{
+		ID:      jid,
+		Command: cmd,
+		WaitURL: waitURL,
+	}, nil
+}
+
+// WaitJob waits for a submitted job to complete (long-poll).
+// First checks the database; if already finished, returns immediately.
+// Otherwise waits on the agent for the result.
+// @Summary Wait for job result
+// @Description Long-polls for a job result. Returns immediately if the job is already finished.
+// @Tags jobs
+// @Accept json
+// @Produce json
+// @Param id path int true "Job ID"
+// @Success 200 {object} JobResult
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Router /jobs/{id}/wait [post]
+func (h *JobsHandlers) WaitJob(c *gin.Context) {
+	jid, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid job id"})
+		return
+	}
+
+	// Check database first
+	job, err := h.jobRepo.GetJobByID(c.Request.Context(), jid)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "job not found"})
+			return
+		}
+		c.Error(err)
+		return
+	}
+
+	// If job is already completed (has output or non-zero status), return immediately
+	if job.Status != nil || job.Stdout != nil || job.Stderr != nil {
+		c.JSON(http.StatusOK, JobResult{
+			ID:      job.ID,
+			Command: job.Command,
+			Stdin:   job.Stdin,
+			Stdout:  *job.Stdout,
+			Stderr:  *job.Stderr,
+			Status:  *job.Status,
+		})
+		return
+	}
+
+	// Job is still pending — wait on the agent
+	agent, ok := h.tracker.GetAgent(job.AgentID)
+	if !ok {
+		c.JSON(http.StatusNotFound, gin.H{"error": "agent not found"})
+		return
+	}
+
+	ajob, err := agent.WaitJob(jid)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, JobResult{
+		ID:      ajob.ID,
+		Command: ajob.Command,
+		Stdin:   ajob.Stdin,
+		Stdout:  *ajob.Stdout,
+		Stderr:  *ajob.Stderr,
+		Status:  *ajob.Status,
+	})
+}
+
+func resolveCommand(c *gin.Context, svc *service.ScriptService, interpID int64, cmd string) ([]string, error) {
+	if interpID == 0 {
+		return []string{"sh", "-c", cmd}, nil
+	}
+
+	command, err := svc.ResolveCommand(c.Request.Context(), interpID, cmd)
+	if err != nil {
+		return nil, err
+	}
+
+	return command, nil
+}
+
+// JobMetricsOut is the response body for the job metrics endpoint.
+type JobMetricsOut struct {
+	Total   int    `json:"total"`
+	Success int    `json:"success"`
+	Failed  int    `json:"failed"`
+	Pending int    `json:"pending"`
+	Period  string `json:"period"`
+}
+
+// GetJobMetrics returns job success metrics over a parameterized period.
+// @Summary Get job metrics
+// @Description Returns total, successful, failed, and pending job counts over the given period
+// @Tags jobs
+// @Produce json
+// @Param period query string false "Time period (e.g. 1h, 24h, 7d)" default(24h)
+// @Param agent_id query string false "Filter by agent ID"
+// @Success 200 {object} JobMetricsOut
+// @Failure 400 {object} map[string]string
+// @Security Bearer
+// @Router /jobs/metrics [get]
+func (h *JobsHandlers) GetJobMetrics(c *gin.Context) {
+	periodStr := c.DefaultQuery("period", "24h")
+	period, err := time.ParseDuration(periodStr)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid period, use Go duration format (e.g. 1h, 24h, 7d)"})
+		return
+	}
+
+	agentID := c.Query("agent_id")
+	since := time.Now().Add(-period)
+	metrics, err := h.jobRepo.GetJobMetrics(c.Request.Context(), since, agentID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, JobMetricsOut{
+		Total:   metrics.Total,
+		Success: metrics.Success,
+		Failed:  metrics.Failed,
+		Pending: metrics.Pending,
+		Period:  periodStr,
+	})
+}

backend/internal/handlers/logs.go

@@ -0,0 +1,235 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+	"github.com/gin-gonic/gin"
+)
+
+type LogHandlers struct {
+	LogRepo *repository.LogRepository
+}
+
+func NewLogHandlers(logRepo *repository.LogRepository) *LogHandlers {
+	return &LogHandlers{LogRepo: logRepo}
+}
+
+type InsertLogRequest struct {
+	Timestamp time.Time `json:"timestamp"`
+	Level     string    `json:"level"     binding:"required"`
+	Service   string    `json:"service"   binding:"required"`
+	Agent     string    `json:"agent"     binding:"required"`
+	Message   string    `json:"message"   binding:"required"`
+}
+
+// @Summary Insert log entry
+// @Description Inserts a single log entry into ClickHouse
+// @Tags logs
+// @Accept json
+// @Produce json
+// @Param body body InsertLogRequest true "Log entry"
+// @Success 201 {object} map[string]string
+// @Security Bearer
+// @Router /logs [post]
+func (lh *LogHandlers) Insert(c *gin.Context) {
+	var req InsertLogRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if req.Timestamp.IsZero() {
+		req.Timestamp = time.Now()
+	}
+
+	log := storage.LogEntry{
+		Timestamp: req.Timestamp,
+		Level:     req.Level,
+		Service:   req.Service,
+		Agent:     req.Agent,
+		Message:   req.Message,
+	}
+
+	if err := lh.LogRepo.Insert(c.Request.Context(), log); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to insert log"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"status": "ok"})
+}
+
+type InsertLogsRequest struct {
+	Logs []InsertLogRequest `json:"logs" binding:"required"`
+}
+
+// @Summary Insert log entries (batch)
+// @Description Inserts multiple log entries into ClickHouse
+// @Tags logs
+// @Accept json
+// @Produce json
+// @Param body body InsertLogsRequest true "Log entries"
+// @Success 201 {object} map[string]string
+// @Security Bearer
+// @Router /logs/batch [post]
+func (lh *LogHandlers) InsertBatch(c *gin.Context) {
+	var req InsertLogsRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	logs := make([]storage.LogEntry, len(req.Logs))
+	for i, l := range req.Logs {
+		if l.Timestamp.IsZero() {
+			l.Timestamp = time.Now()
+		}
+		logs[i] = storage.LogEntry{
+			Timestamp: l.Timestamp,
+			Level:     l.Level,
+			Service:   l.Service,
+			Agent:     l.Agent,
+			Message:   l.Message,
+		}
+	}
+
+	if err := lh.LogRepo.InsertBatch(c.Request.Context(), logs); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to insert logs"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"status": "ok", "count": len(logs)})
+}
+
+type SearchLogsRequest struct {
+	Level    string `form:"level"`
+	Service  string `form:"service"`
+	Agent    string `form:"agent"`
+	DateFrom string `form:"date_from"`
+	DateTo   string `form:"date_to"`
+	Limit    int    `form:"limit"`
+	Offset   int    `form:"offset"`
+}
+
+// @Summary Search logs
+// @Description Searches logs with various filters
+// @Tags logs
+// @Produce json
+// @Param level query string false "Log level (INFO, WARNING, ERROR, FATAL)"
+// @Param service query string false "Service name"
+// @Param agent query string false "Agent name"
+// @Param date_from query string false "Date from (RFC3339)"
+// @Param date_to query string false "Date to (RFC3339)"
+// @Param limit query int false "Limit results" default(100)
+// @Param offset query int false "Offset results" default(0)
+// @Success 200 {array} storage.LogEntry
+// @Security Bearer
+// @Router /logs [get]
+func (lh *LogHandlers) Search(c *gin.Context) {
+	var req SearchLogsRequest
+	if err := c.ShouldBindQuery(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	filter := repository.LogFilter{
+		Level:   req.Level,
+		Service: req.Service,
+		Agent:   req.Agent,
+		Limit:   req.Limit,
+		Offset:  req.Offset,
+	}
+
+	if req.DateFrom != "" {
+		if t, err := time.Parse(time.RFC3339, req.DateFrom); err == nil {
+			filter.DateFrom = t
+		}
+	}
+
+	if req.DateTo != "" {
+		if t, err := time.Parse(time.RFC3339, req.DateTo); err == nil {
+			filter.DateTo = t
+		}
+	}
+
+	if filter.Limit <= 0 {
+		filter.Limit = 100
+	}
+
+	logs, err := lh.LogRepo.Search(c.Request.Context(), filter)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to search logs"})
+		return
+	}
+
+	c.JSON(http.StatusOK, logs)
+}
+
+// @Summary Get distinct services
+// @Description Returns list of all unique service names in logs
+// @Tags logs
+// @Produce json
+// @Success 200 {array} string
+// @Security Bearer
+// @Router /logs/services [get]
+func (lh *LogHandlers) GetServices(c *gin.Context) {
+	services, err := lh.LogRepo.GetDistinctServices(c.Request.Context())
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get services"})
+		return
+	}
+
+	if services == nil {
+		services = []string{}
+	}
+
+	c.JSON(http.StatusOK, services)
+}
+
+// @Summary Get distinct agents
+// @Description Returns list of all unique agent names in logs
+// @Tags logs
+// @Produce json
+// @Success 200 {array} string
+// @Security Bearer
+// @Router /logs/agents [get]
+func (lh *LogHandlers) GetAgents(c *gin.Context) {
+	agents, err := lh.LogRepo.GetDistinctAgents(c.Request.Context())
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get agents"})
+		return
+	}
+
+	if agents == nil {
+		agents = []string{}
+	}
+
+	c.JSON(http.StatusOK, agents)
+}
+
+// @Summary Get distinct log levels
+// @Description Returns list of all unique log levels in logs
+// @Tags logs
+// @Produce json
+// @Success 200 {array} string
+// @Security Bearer
+// @Router /logs/levels [get]
+func (lh *LogHandlers) GetLevels(c *gin.Context) {
+	levels, err := lh.LogRepo.GetDistinctLevels(c.Request.Context())
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get levels"})
+		return
+	}
+
+	if levels == nil {
+		levels = []string{}
+	}
+
+	c.JSON(http.StatusOK, levels)
+}
+
+// Ensure context is used
+var _ = context.Background

backend/internal/handlers/logs_mock.go

@@ -0,0 +1,203 @@
+package handlers
+
+import (
+	"math/rand"
+	"net/http"
+	"strconv"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+	"github.com/gin-gonic/gin"
+)
+
+// GetMockLogs returns 100 mock log entries for frontend development
+// @Summary Get mock logs
+// @Description Returns 100 mock log entries for frontend development (no ClickHouse required)
+// @Tags logs
+// @Produce json
+// @Param level query string false "Filter by level"
+// @Param service query string false "Filter by service"
+// @Param agent query string false "Filter by agent"
+// @Param limit query int false "Limit results" default(100)
+// @Param offset query int false "Offset results" default(0)
+// @Success 200 {array} storage.LogEntry
+// @Security Bearer
+// @Router /logs/mock [get]
+func (lh *LogHandlers) GetMockLogs(c *gin.Context) {
+	levelFilter := c.Query("level")
+	serviceFilter := c.Query("service")
+	agentFilter := c.Query("agent")
+
+	limit := 100
+	offset := 0
+
+	if l := c.Query("limit"); l != "" {
+		if parsed, err := strconv.Atoi(l); err == nil && parsed > 0 {
+			limit = parsed
+		}
+	}
+	if o := c.Query("offset"); o != "" {
+		if parsed, err := strconv.Atoi(o); err == nil && parsed >= 0 {
+			offset = parsed
+		}
+	}
+
+	logs := generateMockLogs(100)
+
+	// Apply filters
+	var filtered []storage.LogEntry
+	for _, log := range logs {
+		if levelFilter != "" && log.Level != levelFilter {
+			continue
+		}
+		if serviceFilter != "" && log.Service != serviceFilter {
+			continue
+		}
+		if agentFilter != "" && log.Agent != agentFilter {
+			continue
+		}
+		filtered = append(filtered, log)
+	}
+
+	// Apply pagination
+	end := offset + limit
+	if end > len(filtered) {
+		end = len(filtered)
+	}
+	if offset > len(filtered) {
+		filtered = []storage.LogEntry{}
+	} else {
+		filtered = filtered[offset:end]
+	}
+
+	c.JSON(http.StatusOK, filtered)
+}
+
+func generateMockLogs(count int) []storage.LogEntry {
+	services := []string{
+		"auth-service",
+		"user-service",
+		"agent-service",
+		"gateway",
+		"scheduler",
+		"notification-service",
+		"metrics-collector",
+		"deployment-service",
+	}
+
+	agents := []string{
+		"agent-prod-01",
+		"agent-prod-02",
+		"agent-staging-01",
+		"agent-dev-01",
+		"agent-dev-02",
+		"agent-monitoring-01",
+		"agent-backup-01",
+		"agent-ci-runner-01",
+	}
+
+	levels := []string{"INFO", "WARNING", "ERROR", "FATAL", "DEBUG"}
+	levelWeights := []int{50, 20, 15, 5, 10} // weighted distribution
+
+	messages := map[string][]string{
+		"INFO": {
+			"Service started successfully",
+			"Health check passed",
+			"Configuration loaded",
+			"Connection established to database",
+			"Cache refreshed successfully",
+			"Request processed in 45ms",
+			"User login successful",
+			"Agent registered successfully",
+			"Deployment completed for 3 servers",
+			"Metrics exported to storage",
+			"Backup completed successfully",
+			"SSL certificate valid for 89 days",
+			"Task scheduled: cleanup-temp-files",
+			"Webhook delivered successfully",
+			"Session created for user admin",
+		},
+		"WARNING": {
+			"High memory usage detected: 85%",
+			"Slow query detected: 2.3s",
+			"Rate limit approaching for client 192.168.1.50",
+			"Certificate expires in 7 days",
+			"Retry attempt 2/3 for request",
+			"Disk usage above threshold: 78%",
+			"Connection pool nearly exhausted: 45/50",
+			"Deprecated API endpoint called: /api/v1/legacy",
+			"Response time exceeded SLA: 1.2s > 1s",
+			"Agent heartbeat delayed by 5s",
+		},
+		"ERROR": {
+			"Failed to connect to database: timeout after 30s",
+			"Authentication failed for user test_user",
+			"Agent deployment failed: SSH connection refused",
+			"Failed to send notification: SMTP server unavailable",
+			"Request failed with status 500",
+			"File not found: /etc/hellreign/config.yml",
+			"Invalid token provided",
+			"Permission denied for user viewer",
+			"Failed to parse configuration: invalid YAML",
+			"Agent unreachable: connection timeout",
+		},
+		"FATAL": {
+			"Out of memory: cannot allocate 512MB",
+			"Database connection lost, all retries exhausted",
+			"Critical: SSL certificate expired",
+			"Unrecoverable error: data corruption detected",
+			"Service crashed: segmentation fault",
+		},
+		"DEBUG": {
+			"Processing request payload: 2.3KB",
+			"Cache hit ratio: 78%",
+			"Executing query: SELECT * FROM logs WHERE...",
+			"HTTP request headers: {Content-Type: application/json}",
+			"Agent status check: 8 agents online",
+			"Memory allocation: 256MB used of 1024MB",
+			"Thread pool size: 12 active, 4 idle",
+			"GC pause: 15ms",
+		},
+	}
+
+	r := rand.New(rand.NewSource(42)) // fixed seed for reproducibility
+
+	var logs []storage.LogEntry
+	now := time.Now()
+
+	for i := 0; i < count; i++ {
+		level := weightedRandom(r, levels, levelWeights)
+		service := services[r.Intn(len(services))]
+		agent := agents[r.Intn(len(agents))]
+		msgs := messages[level]
+		message := msgs[r.Intn(len(msgs))]
+
+		// Spread logs over the last 24 hours
+		timestamp := now.Add(-time.Duration(count-i) * time.Minute * 15)
+
+		logs = append(logs, storage.LogEntry{
+			Timestamp: timestamp,
+			Level:     level,
+			Service:   service,
+			Agent:     agent,
+			Message:   message,
+		})
+	}
+
+	return logs
+}
+
+func weightedRandom(r *rand.Rand, items []string, weights []int) string {
+	total := 0
+	for _, w := range weights {
+		total += w
+	}
+	n := r.Intn(total)
+	for i, w := range weights {
+		n -= w
+		if n < 0 {
+			return items[i]
+		}
+	}
+	return items[len(items)-1]
+}

backend/internal/handlers/middlewares.go

@@ -0,0 +1,86 @@
+package handlers
+
+import (
+	"net/http"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"github.com/gin-gonic/gin"
+)
+
+// TokenContextKey is the context key for storing authenticated token info.
+type TokenContextKey string
+
+const tokenContextKey TokenContextKey = "token"
+
+// AuthMiddleware validates that a Bearer token exists and is valid.
+// It stores the token info in the context for later use.
+// Returns 401 if token is missing or invalid.
+func (ag *AuthGroup) AuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		token := getTokenFromHeader(c)
+		if token == "" {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "missing authorization header"})
+			c.Abort()
+			return
+		}
+
+		// Look up user by token value
+		tokens, err := ag.Repo.GetToken(token)
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
+			c.Abort()
+			return
+		}
+
+		c.Set(string(tokenContextKey), tokens)
+		c.Next()
+	}
+}
+
+// RequirePermission is a generic permission checker.
+func RequirePermission(check func(*repository.Tokens) bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		tokenVal, exists := c.Get(string(tokenContextKey))
+		if !exists {
+			c.JSON(http.StatusForbidden, gin.H{"error": "authentication required"})
+			c.Abort()
+			return
+		}
+
+		token, ok := tokenVal.(*repository.Tokens)
+		if !ok {
+			c.JSON(http.StatusForbidden, gin.H{"error": "invalid token context"})
+			c.Abort()
+			return
+		}
+
+		if !check(token) {
+			c.JSON(http.StatusForbidden, gin.H{"error": "insufficient permissions"})
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
+
+// RequireView requires permission_view.
+func RequireView() gin.HandlerFunc {
+	return RequirePermission(func(t *repository.Tokens) bool {
+		return t.PermissionView
+	})
+}
+
+// RequireManageAgent requires permission_manage_agent.
+func RequireManageAgent() gin.HandlerFunc {
+	return RequirePermission(func(t *repository.Tokens) bool {
+		return t.PermissionManage
+	})
+}
+
+// RequireAdmin requires permission_admin.
+func RequireAdmin() gin.HandlerFunc {
+	return RequirePermission(func(t *repository.Tokens) bool {
+		return t.PermissionAdmin
+	})
+}

backend/internal/handlers/scripts.go

@@ -0,0 +1,198 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/commander"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/service"
+	"github.com/gin-gonic/gin"
+)
+
+type ScriptHandlers struct {
+	svc      *service.ScriptService
+	tracker  *commander.ConnTracker
+	whereami string
+}
+
+func NewScriptHandlers(svc *service.ScriptService, tracker *commander.ConnTracker, whereami string) ScriptHandlers {
+	return ScriptHandlers{svc: svc, tracker: tracker, whereami: whereami}
+}
+
+type RunScriptIn struct {
+	AgentID       string  `json:"agent_id"       binding:"required"`
+	InterpreterID int64   `json:"interpreter_id" binding:"required"`
+	ScriptText    string  `json:"script_text"    binding:"required"`
+	Stdin         *string `json:"stdin"`
+}
+
+// RunScript submits a script as a job and returns a wait_url for the result.
+// @Summary Run a script on an agent
+// @Description Resolves interpreter argv[] and sends the full command to the agent
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param body body RunScriptIn true "Script request"
+// @Success 201 {object} AddJobOut
+// @Security Bearer
+// @Router /scripts/run [post]
+func (h *ScriptHandlers) RunScript(c *gin.Context) {
+	var in RunScriptIn
+	if err := c.Bind(&in); err != nil {
+		c.Error(err)
+		return
+	}
+
+	agent, ok := h.tracker.GetAgent(in.AgentID)
+	if !ok {
+		c.Status(http.StatusNotFound)
+		c.Error(fmt.Errorf("agent not found"))
+		return
+	}
+
+	command, err := h.svc.ResolveCommand(c.Request.Context(), in.InterpreterID, in.ScriptText)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	jid, err := agent.AddJob(models.JobForInsert{
+		Command: command,
+		Stdin:   in.Stdin,
+	})
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	waitURL := fmt.Sprintf("%s/api/v1/jobs/%d/wait", h.whereami, jid)
+
+	c.JSON(http.StatusCreated, AddJobOut{
+		ID:      jid,
+		Command: command,
+		WaitURL: waitURL,
+	})
+}
+
+// ListInterpreters returns all registered script interpreters.
+// @Summary List interpreters
+// @Description Returns all script interpreters available in the system
+// @Tags scripts
+// @Produce json
+// @Success 200 {array} repository.ScriptInterpreter
+// @Security Bearer
+// @Router /scripts/interpreters [get]
+func (h *ScriptHandlers) ListInterpreters(c *gin.Context) {
+	interpreters, err := h.svc.List(c.Request.Context())
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	c.JSON(http.StatusOK, interpreters)
+}
+
+// CreateInterpreter registers a new script interpreter.
+// @Summary Create interpreter
+// @Description Registers a new script interpreter with name, label, and argv
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param body body repository.ScriptInterpreterCreate true "Interpreter definition"
+// @Success 201 {object} repository.ScriptInterpreter
+// @Security Bearer
+// @Router /scripts/interpreters [post]
+func (h *ScriptHandlers) CreateInterpreter(c *gin.Context) {
+	var in repository.ScriptInterpreterCreate
+	if err := c.BindJSON(&in); err != nil {
+		c.Error(err)
+		return
+	}
+
+	si, err := h.svc.Create(c.Request.Context(), in)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	c.JSON(http.StatusCreated, si)
+}
+
+// GetInterpreter returns a single interpreter by ID.
+// @Summary Get interpreter
+// @Description Returns a script interpreter by ID
+// @Tags scripts
+// @Produce json
+// @Param id path int true "Interpreter ID"
+// @Success 200 {object} repository.ScriptInterpreter
+// @Security Bearer
+// @Router /scripts/interpreters/:id [get]
+func (h *ScriptHandlers) GetInterpreter(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	si, err := h.svc.GetByID(c.Request.Context(), id)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	c.JSON(http.StatusOK, si)
+}
+
+// UpdateInterpreter updates an interpreter.
+// @Summary Update interpreter
+// @Description Updates fields of a script interpreter
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param id path int true "Interpreter ID"
+// @Param body body repository.ScriptInterpreterUpdate true "Interpreter fields"
+// @Success 200 {object} repository.ScriptInterpreter
+// @Security Bearer
+// @Router /scripts/interpreters/:id [put]
+func (h *ScriptHandlers) UpdateInterpreter(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var in repository.ScriptInterpreterUpdate
+	if err := c.BindJSON(&in); err != nil {
+		c.Error(err)
+		return
+	}
+
+	si, err := h.svc.Update(c.Request.Context(), id, in)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	c.JSON(http.StatusOK, si)
+}
+
+// DeleteInterpreter removes an interpreter.
+// @Summary Delete interpreter
+// @Description Removes a script interpreter by ID
+// @Tags scripts
+// @Param id path int true "Interpreter ID"
+// @Success 204
+// @Security Bearer
+// @Router /scripts/interpreters/:id [delete]
+func (h *ScriptHandlers) DeleteInterpreter(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	if err := h.svc.Delete(c.Request.Context(), id); err != nil {
+		c.Error(err)
+		return
+	}
+	c.Status(http.StatusNoContent)
+}

backend/internal/handlers/scripts_manage.go

@@ -0,0 +1,528 @@
+package handlers
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/grpcsrv/commander"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/service"
+	"github.com/gin-gonic/gin"
+)
+
+// ScriptHandlersGroup handles script management routes.
+type ScriptHandlersGroup struct {
+	svc      *service.ScriptService
+	cmder    *commander.Commander
+	whereami string
+}
+
+// NewScriptHandlersGroup creates a new ScriptHandlersGroup.
+func NewScriptHandlersGroup(svc *service.ScriptService, cmder *commander.Commander, whereami string) *ScriptHandlersGroup {
+	return &ScriptHandlersGroup{svc: svc, cmder: cmder, whereami: whereami}
+}
+
+// GetTree returns the script directory tree.
+// @Summary Get script directory tree
+// @Description Returns a hierarchical tree of all scripts organized by their paths
+// @Tags scripts
+// @Produce json
+// @Success 200 {array} repository.ScriptTreeNode
+// @Security Bearer
+// @Router /scripts/tree [get]
+func (sh *ScriptHandlersGroup) GetTree(c *gin.Context) {
+	tree, err := sh.svc.BuildTree()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to build script tree"})
+		return
+	}
+
+	if tree == nil {
+		tree = []repository.ScriptTreeNode{}
+	}
+
+	c.JSON(http.StatusOK, tree)
+}
+
+// CreateScript creates a new script.
+// @Summary Create script
+// @Description Creates a new script with path, content, and interpreter binding
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param body body repository.ScriptCreate true "Script data"
+// @Success 201 {object} repository.Script
+// @Security Bearer
+// @Router /scripts [post]
+func (sh *ScriptHandlersGroup) CreateScript(c *gin.Context) {
+	var req repository.ScriptCreate
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	// Validate path
+	if err := validateScriptPath(req.Path); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	script, err := sh.svc.Repo.CreateScript(req)
+	if err != nil {
+		if isUniqueConstraint(err) {
+			c.JSON(http.StatusConflict, gin.H{"error": "script with this path already exists"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create script"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, script)
+}
+
+// GetScript returns a script by ID.
+// @Summary Get script
+// @Description Returns a script by its ID
+// @Tags scripts
+// @Produce json
+// @Param id path int true "Script ID"
+// @Success 200 {object} repository.Script
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Security Bearer
+// @Router /scripts/:id [get]
+func (sh *ScriptHandlersGroup) GetScript(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
+		return
+	}
+
+	script, err := sh.svc.Repo.GetScript(id)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "script not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get script"})
+		return
+	}
+
+	c.JSON(http.StatusOK, script)
+}
+
+// UpdateScript updates a script.
+// @Summary Update script
+// @Description Updates a script's path, content, or interpreter
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param id path int true "Script ID"
+// @Param body body repository.ScriptUpdate true "Script data"
+// @Success 200 {object} repository.Script
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Security Bearer
+// @Router /scripts/:id [put]
+func (sh *ScriptHandlersGroup) UpdateScript(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
+		return
+	}
+
+	var req repository.ScriptUpdate
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	// Validate path if it's being updated
+	if req.Path != nil {
+		if err := validateScriptPath(*req.Path); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+			return
+		}
+	}
+
+	script, err := sh.svc.Repo.UpdateScript(id, req)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "script not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to update script"})
+		return
+	}
+
+	c.JSON(http.StatusOK, script)
+}
+
+// DeleteScript deletes a script.
+// @Summary Delete script
+// @Description Deletes a script by its ID
+// @Tags scripts
+// @Param id path int true "Script ID"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Security Bearer
+// @Router /scripts/:id [delete]
+func (sh *ScriptHandlersGroup) DeleteScript(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
+		return
+	}
+
+	if err := sh.svc.Repo.DeleteScript(id); err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "script not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete script"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "script deleted"})
+}
+
+// RunScriptByID executes a stored script on a target agent.
+// @Summary Run script by ID
+// @Description Loads a script from storage, resolves interpreter command, and submits it to the agent
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param id path int true "Script ID"
+// @Param body body RunStoredScriptIn true "Agent ID and optional stdin"
+// @Success 201 {object} AddJobOut
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 500 {object} map[string]string
+// @Security Bearer
+// @Router /scripts/:id/run [post]
+func (sh *ScriptHandlersGroup) RunScriptByID(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
+		return
+	}
+
+	var in RunStoredScriptIn
+	if err := c.ShouldBindJSON(&in); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	script, err := sh.svc.Repo.GetScript(id)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "script not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get script"})
+		return
+	}
+
+	command, err := sh.svc.ResolveCommand(c.Request.Context(), script.InterpreterID, script.Content)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to resolve command: %v", err)})
+		return
+	}
+
+	agent, ok := sh.cmder.GetAgent(in.Token)
+	if !ok {
+		c.JSON(http.StatusNotFound, gin.H{"error": "agent not found"})
+		return
+	}
+
+	jid, err := agent.AddJob(models.JobForInsert{
+		Command: command,
+		Stdin:   in.Stdin,
+	})
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to add job: %v", err)})
+		return
+	}
+
+	waitURL := fmt.Sprintf("%s/api/v1/jobs/%d/wait", sh.whereami, jid)
+
+	c.JSON(http.StatusCreated, AddJobOut{
+		ID:      jid,
+		Command: command,
+		WaitURL: waitURL,
+	})
+}
+
+// RunStoredScriptIn is the request body for running a stored script on an agent.
+type RunStoredScriptIn struct {
+	Token string  `json:"token" binding:"required"`
+	Stdin *string `json:"stdin"`
+}
+
+// CreateFolderRequest is the request body for creating a script folder.
+type CreateFolderRequest struct {
+	Path string `json:"path" binding:"required" example:"deploy/nginx" description:"Folder path (e.g. 'deploy/nginx')"`
+}
+
+// DeleteFolderRequest is the request body for deleting a script folder.
+type DeleteFolderRequest struct {
+	Path string `json:"path" binding:"required" example:"deploy/nginx" description:"Folder path to delete"`
+}
+
+// RenameRequest is the request body for renaming a script or folder.
+type RenameRequest struct {
+	OldPath string `json:"old_path" binding:"required" example:"deploy/nginx" description:"Current path"`
+	NewPath string `json:"new_path" binding:"required" example:"deploy/nginx-v2" description:"New path"`
+}
+
+// Rename renames a script or all scripts under a folder path.
+// @Summary Rename script or folder
+// @Description Renames a single script or all scripts under a folder prefix
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param body body RenameRequest true "Rename request"
+// @Success 200 {object} map[string]interface{} "Rename result with count of renamed scripts"
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Failure 409 {object} map[string]string
+// @Security Bearer
+// @Router /scripts/rename [post]
+func (sh *ScriptHandlersGroup) Rename(c *gin.Context) {
+	var req RenameRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	// Validate new path
+	if err := validateScriptPath(req.NewPath); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("invalid new path: %v", err)})
+		return
+	}
+
+	// Validate old path
+	if err := validateScriptPath(req.OldPath); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("invalid old path: %v", err)})
+		return
+	}
+
+	// Get all scripts
+	allScripts, err := sh.svc.Repo.ListScripts()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list scripts"})
+		return
+	}
+
+	// Find scripts to rename: exact match or folder prefix
+	prefix := req.OldPath + "/"
+	var toRename []repository.Script
+	for _, script := range allScripts {
+		if script.Path == req.OldPath || strings.HasPrefix(script.Path, prefix) {
+			toRename = append(toRename, script)
+		}
+	}
+
+	if len(toRename) == 0 {
+		c.JSON(http.StatusNotFound, gin.H{"error": "no scripts found with this path"})
+		return
+	}
+
+	// Rename each script
+	renamedCount := 0
+	for _, script := range toRename {
+		newPath := req.NewPath + strings.TrimPrefix(script.Path, req.OldPath)
+
+		// Check if new path already exists (excluding the scripts we're renaming)
+		for _, existing := range allScripts {
+			if existing.ID != script.ID && existing.Path == newPath {
+				c.JSON(http.StatusConflict, gin.H{"error": fmt.Sprintf("path '%s' already exists", newPath)})
+				return
+			}
+		}
+
+		_, err := sh.svc.Repo.UpdateScript(script.ID, repository.ScriptUpdate{
+			Path: &newPath,
+		})
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to rename %s: %v", script.Path, err)})
+			return
+		}
+		renamedCount++
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"message":       "renamed",
+		"old_path":      req.OldPath,
+		"new_path":      req.NewPath,
+		"renamed_count": renamedCount,
+	})
+}
+
+// CreateFolder creates a virtual folder in the script tree.
+// @Summary Create folder
+// @Description Creates a virtual folder by creating a placeholder script with the folder path
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param body body CreateFolderRequest true "Folder path"
+// @Success 201 {object} map[string]string "Folder created"
+// @Security Bearer
+// @Router /scripts/folder [post]
+func (sh *ScriptHandlersGroup) CreateFolder(c *gin.Context) {
+	var req CreateFolderRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	// Validate folder path
+	if err := validateScriptPath(req.Path); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("invalid folder path: %v", err)})
+		return
+	}
+
+	// Create a placeholder script with the folder path to ensure the folder exists in the tree
+	// The placeholder uses ".folder" as content and interpreter_id 0 (will be resolved at runtime)
+	_, err := sh.svc.Repo.CreateScript(repository.ScriptCreate{
+		Path:          req.Path,
+		Content:       "",
+		InterpreterID: 0,
+	})
+	if err != nil {
+		if isUniqueConstraint(err) {
+			c.JSON(http.StatusConflict, gin.H{"error": "folder with this path already exists"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create folder"})
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"message": "folder created", "path": req.Path})
+}
+
+// DeleteFolder deletes all scripts under a given path prefix.
+// @Summary Delete folder
+// @Description Deletes all scripts that start with the given folder path
+// @Tags scripts
+// @Accept json
+// @Produce json
+// @Param body body DeleteFolderRequest true "Folder path"
+// @Success 200 {object} map[string]interface{} "Folder deleted with count of deleted scripts"
+// @Security Bearer
+// @Router /scripts/folder [delete]
+func (sh *ScriptHandlersGroup) DeleteFolder(c *gin.Context) {
+	var req DeleteFolderRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
+		return
+	}
+
+	// Validate folder path
+	if err := validateScriptPath(req.Path); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("invalid folder path: %v", err)})
+		return
+	}
+
+	// Get all scripts and filter by path prefix
+	allScripts, err := sh.svc.Repo.ListScripts()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list scripts"})
+		return
+	}
+
+	prefix := req.Path + "/"
+	deletedCount := 0
+	for _, script := range allScripts {
+		// Delete scripts that are in this folder (path starts with prefix)
+		// or the folder placeholder itself (exact match)
+		if script.Path == req.Path || strings.HasPrefix(script.Path, prefix) {
+			if err := sh.svc.Repo.DeleteScript(script.ID); err != nil && !errors.Is(err, repository.ErrNotFound) {
+				c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to delete script %s: %v", script.Path, err)})
+				return
+			}
+			deletedCount++
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"message": "folder deleted", "path": req.Path, "deleted_count": deletedCount})
+}
+
+// GetScriptByPath returns a script by its path.
+// @Summary Get script by path
+// @Description Returns a script by its full path (e.g. 'deploy/nginx/restart.sh')
+// @Tags scripts
+// @Produce json
+// @Param path query string true "Script path"
+// @Success 200 {object} repository.Script
+// @Failure 400 {object} map[string]string
+// @Failure 404 {object} map[string]string
+// @Security Bearer
+// @Router /scripts/by-path [get]
+func (sh *ScriptHandlersGroup) GetScriptByPath(c *gin.Context) {
+	path := c.Query("path")
+	if path == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "path query parameter is required"})
+		return
+	}
+
+	script, err := sh.svc.Repo.GetScriptByPath(path)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "script not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get script"})
+		return
+	}
+
+	c.JSON(http.StatusOK, script)
+}
+
+// isUniqueConstraint checks if the error is a SQLite UNIQUE constraint violation.
+func isUniqueConstraint(err error) bool {
+	return err != nil && (err.Error() != "" && contains(err.Error(), "UNIQUE constraint"))
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && searchSubstring(s, substr)
+}
+
+func searchSubstring(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}
+
+// validateScriptPath validates that a script path is well-formed.
+// Rules: non-empty, no leading slash, no double slashes, no trailing slash, no empty segments.
+func validateScriptPath(path string) error {
+	if path == "" {
+		return fmt.Errorf("path cannot be empty")
+	}
+	if strings.HasPrefix(path, "/") {
+		return fmt.Errorf("path cannot start with '/'")
+	}
+	if strings.HasSuffix(path, "/") {
+		return fmt.Errorf("path cannot end with '/'")
+	}
+	if strings.Contains(path, "//") {
+		return fmt.Errorf("path cannot contain '//'")
+	}
+	// Check for empty segments (e.g. "a//b" already caught, but "a/ /b" should be allowed)
+	segments := strings.Split(path, "/")
+	for i, seg := range segments {
+		if strings.TrimSpace(seg) == "" {
+			return fmt.Errorf("path segment %d cannot be empty or whitespace", i+1)
+		}
+	}
+	return nil
+}

backend/internal/models/job.go

@@ -0,0 +1,22 @@
+package models
+
+type JobBase struct {
+	ID      int64
+	AgentID string
+}
+type JobForInsert struct {
+	Command []string
+	Stdin   *string
+}
+type JobForUpdate struct {
+	Stdout string
+	Stderr string
+	Status int32
+}
+type Job struct {
+	JobBase
+	JobForInsert
+	Stdout *string
+	Stderr *string
+	Status *int32
+}

backend/internal/repository/job_repository.go

@@ -0,0 +1,136 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/models"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+)
+
+type JobRepository struct {
+	DB *sql.DB
+}
+
+func NewJobRepository(db *sql.DB) *JobRepository {
+	return &JobRepository{DB: db}
+}
+
+func (r *JobRepository) Init(ctx context.Context) error {
+	_, err := r.DB.ExecContext(ctx, storage.CreateJobsTable)
+	return err
+}
+
+func (r *JobRepository) InitJob(
+	ctx context.Context,
+	agentID string,
+	job models.JobForInsert,
+) (int64, error) {
+	commandJSON, err := json.Marshal(job.Command)
+	if err != nil {
+		return 0, fmt.Errorf("marshal command: %w", err)
+	}
+
+	var stdinVal *string
+	if job.Stdin != nil {
+		stdinVal = job.Stdin
+	}
+
+	result, err := r.DB.ExecContext(
+		ctx,
+		`INSERT INTO jobs (agent_id, command, stdin, stdout, stderr, status) VALUES (?, ?, ?, '', '', 0)`,
+		agentID,
+		string(commandJSON),
+		stdinVal,
+	)
+	if err != nil {
+		return 0, err
+	}
+
+	return result.LastInsertId()
+}
+
+func (r *JobRepository) UpdateJobInDB(
+	ctx context.Context,
+	jid int64,
+	msg models.JobForUpdate,
+) (models.Job, error) {
+	result, err := r.DB.ExecContext(
+		ctx,
+		`UPDATE jobs SET stdout = ?, stderr = ?, status = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?`,
+		msg.Stdout,
+		msg.Stderr,
+		msg.Status,
+		jid,
+	)
+	if err != nil {
+		return models.Job{}, err
+	}
+
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return models.Job{}, err
+	}
+	if affected == 0 {
+		return models.Job{}, ErrNotFound
+	}
+
+	return r.GetJobByID(ctx, jid)
+}
+
+func (r *JobRepository) GetJobByID(ctx context.Context, jid int64) (models.Job, error) {
+	var job models.Job
+	var commandJSON string
+	var stdinVal *string
+
+	err := r.DB.QueryRowContext(ctx,
+		`SELECT id, agent_id, command, stdin, stdout, stderr, status FROM jobs WHERE id = ?`,
+		jid,
+	).Scan(&job.ID, &job.AgentID, &commandJSON, &stdinVal, &job.Stdout, &job.Stderr, &job.Status)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return models.Job{}, ErrNotFound
+		}
+		return models.Job{}, err
+	}
+
+	if err := json.Unmarshal([]byte(commandJSON), &job.Command); err != nil {
+		return models.Job{}, fmt.Errorf("unmarshal command: %w", err)
+	}
+
+	job.Stdin = stdinVal
+	return job, nil
+}
+
+type JobMetrics struct {
+	Total     int
+	Success   int
+	Failed    int
+	Pending   int
+}
+
+// GetJobMetrics returns job success metrics for jobs updated since the given time.
+// If agentID is non-empty, results are filtered to that agent only.
+func (r *JobRepository) GetJobMetrics(ctx context.Context, since time.Time, agentID string) (JobMetrics, error) {
+	var m JobMetrics
+	query := `SELECT
+		COUNT(*),
+		SUM(CASE WHEN status = 0 AND (stdout != '' OR stderr != '') THEN 1 ELSE 0 END),
+		SUM(CASE WHEN status != 0 THEN 1 ELSE 0 END),
+		SUM(CASE WHEN status = 0 AND stdout = '' AND stderr = '' THEN 1 ELSE 0 END)
+	FROM jobs WHERE updated_at >= ?`
+	args := []any{since}
+	if agentID != "" {
+		query += " AND agent_id = ?"
+		args = append(args, agentID)
+	}
+
+	err := r.DB.QueryRowContext(ctx, query, args...).Scan(&m.Total, &m.Success, &m.Failed, &m.Pending)
+	if err != nil {
+		return JobMetrics{}, err
+	}
+	return m, nil
+}

backend/internal/repository/log_repository.go

@@ -0,0 +1,242 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"sync"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+)
+
+type LogRepository struct {
+	mu sync.RWMutex
+	DB *sql.DB
+}
+
+func NewLogRepository() *LogRepository {
+	return &LogRepository{}
+}
+
+func (r *LogRepository) SetDB(db *sql.DB) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.DB = db
+}
+
+func (r *LogRepository) IsConnected() bool {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	return r.DB != nil
+}
+
+func (r *LogRepository) getDB() *sql.DB {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	return r.DB
+}
+
+func (r *LogRepository) Init(ctx context.Context) error {
+	db := r.getDB()
+	if db == nil {
+		return nil
+	}
+	_, err := db.ExecContext(ctx, storage.CreateLogsTable)
+	return err
+}
+
+func (r *LogRepository) Insert(ctx context.Context, log storage.LogEntry) error {
+	db := r.getDB()
+	if db == nil {
+		return nil
+	}
+	_, err := db.ExecContext(ctx, `
+		INSERT INTO logs (timestamp, level, service, agent, message)
+		VALUES ($1, $2, $3, $4, $5)
+	`, log.Timestamp, log.Level, log.Service, log.Agent, log.Message)
+	return err
+}
+
+func (r *LogRepository) InsertBatch(ctx context.Context, logs []storage.LogEntry) error {
+	db := r.getDB()
+	if db == nil {
+		return nil
+	}
+	if len(logs) == 0 {
+		return nil
+	}
+
+	// Build multi-row INSERT statement
+	query := "INSERT INTO logs (timestamp, level, service, agent, message) VALUES "
+	args := make([]interface{}, 0, len(logs)*5)
+	for i, log := range logs {
+		if i > 0 {
+			query += ", "
+		}
+		query += fmt.Sprintf("($%d, $%d, $%d, $%d, $%d)",
+			i*5+1, i*5+2, i*5+3, i*5+4, i*5+5)
+		args = append(args, log.Timestamp, log.Level, log.Service, log.Agent, log.Message)
+	}
+
+	_, err := db.ExecContext(ctx, query, args...)
+	return err
+}
+
+type LogFilter struct {
+	Level    string
+	Service  string
+	Agent    string
+	DateFrom time.Time
+	DateTo   time.Time
+	Limit    int
+	Offset   int
+}
+
+func (r *LogRepository) Search(ctx context.Context, filter LogFilter) ([]storage.LogEntry, error) {
+	db := r.getDB()
+	if db == nil {
+		return []storage.LogEntry{}, nil
+	}
+
+	query := "SELECT timestamp, level, service, agent, message FROM logs WHERE 1=1"
+	args := make([]interface{}, 0)
+	argIdx := 1
+
+	if filter.Level != "" {
+		query += " AND level = $" + string(rune('0'+argIdx))
+		args = append(args, filter.Level)
+		argIdx++
+	}
+
+	if filter.Service != "" {
+		query += " AND service = $" + string(rune('0'+argIdx))
+		args = append(args, filter.Service)
+		argIdx++
+	}
+
+	if filter.Agent != "" {
+		query += " AND agent = $" + string(rune('0'+argIdx))
+		args = append(args, filter.Agent)
+		argIdx++
+	}
+
+	if !filter.DateFrom.IsZero() {
+		query += " AND timestamp >= $" + string(rune('0'+argIdx))
+		args = append(args, filter.DateFrom)
+		argIdx++
+	}
+
+	if !filter.DateTo.IsZero() {
+		query += " AND timestamp <= $" + string(rune('0'+argIdx))
+		args = append(args, filter.DateTo)
+		argIdx++
+	}
+
+	query += " ORDER BY timestamp DESC"
+
+	if filter.Limit > 0 {
+		query += " LIMIT $" + string(rune('0'+argIdx))
+		args = append(args, filter.Limit)
+		argIdx++
+	} else {
+		query += " LIMIT 100"
+	}
+
+	if filter.Offset > 0 {
+		query += " OFFSET $" + string(rune('0'+argIdx))
+		args = append(args, filter.Offset)
+	}
+
+	rows, err := db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	logs := make([]storage.LogEntry, 0)
+	for rows.Next() {
+		var log storage.LogEntry
+		if err := rows.Scan(
+			&log.Timestamp,
+			&log.Level,
+			&log.Service,
+			&log.Agent,
+			&log.Message,
+		); err != nil {
+			return nil, err
+		}
+		logs = append(logs, log)
+	}
+
+	return logs, rows.Err()
+}
+
+func (r *LogRepository) GetDistinctServices(ctx context.Context) ([]string, error) {
+	db := r.getDB()
+	if db == nil {
+		return []string{}, nil
+	}
+	rows, err := db.QueryContext(ctx, "SELECT DISTINCT service FROM logs ORDER BY service")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	services := make([]string, 0)
+	for rows.Next() {
+		var service string
+		if err := rows.Scan(&service); err != nil {
+			return nil, err
+		}
+		services = append(services, service)
+	}
+
+	return services, rows.Err()
+}
+
+func (r *LogRepository) GetDistinctAgents(ctx context.Context) ([]string, error) {
+	db := r.getDB()
+	if db == nil {
+		return []string{}, nil
+	}
+	rows, err := db.QueryContext(ctx, "SELECT DISTINCT agent FROM logs ORDER BY agent")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	agents := make([]string, 0)
+	for rows.Next() {
+		var agent string
+		if err := rows.Scan(&agent); err != nil {
+			return nil, err
+		}
+		agents = append(agents, agent)
+	}
+
+	return agents, rows.Err()
+}
+
+func (r *LogRepository) GetDistinctLevels(ctx context.Context) ([]string, error) {
+	db := r.getDB()
+	if db == nil {
+		return []string{}, nil
+	}
+	rows, err := db.QueryContext(ctx, "SELECT DISTINCT level FROM logs ORDER BY level")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	levels := make([]string, 0)
+	for rows.Next() {
+		var level string
+		if err := rows.Scan(&level); err != nil {
+			return nil, err
+		}
+		levels = append(levels, level)
+	}
+
+	return levels, rows.Err()
+}

backend/internal/repository/models.go

@@ -0,0 +1,185 @@
+package repository
+
+// Tokens represents a user record with info and permissions.
+type Tokens struct {
+	ID               int64  `json:"id"`
+	Name             string `json:"name"`
+	LastName         string `json:"last_name"`
+	Login            string `json:"login"`
+	Token            string `json:"token"`
+	PermissionView   bool   `json:"permission_view"`
+	PermissionManage bool   `json:"permission_manage_agent"`
+	PermissionAdmin  bool   `json:"permission_admin"`
+	IsActive         bool   `json:"is_active"`
+}
+
+// TokenCreate is the request body for creating a new user.
+type TokenCreate struct {
+	Name             string `json:"name"                    binding:"required"`
+	LastName         string `json:"last_name"               binding:"required"`
+	Login            string `json:"login"                   binding:"required"`
+	Password         string `json:"password"                binding:"required"`
+	PermissionView   bool   `json:"permission_view"`
+	PermissionManage bool   `json:"permission_manage_agent"`
+	PermissionAdmin  bool   `json:"permission_admin"`
+	IsActive         bool   `json:"is_active"`
+}
+
+// UserRegister is the request body for public user registration (all permissions false).
+type UserRegister struct {
+	Name     string `json:"name"      binding:"required"`
+	LastName string `json:"last_name" binding:"required"`
+	Login    string `json:"login"     binding:"required"`
+	Password string `json:"password"  binding:"required"`
+}
+
+// TokenUpdate is the request body for updating an existing user.
+type TokenUpdate struct {
+	Name     string `json:"name"`
+	LastName string `json:"last_name"`
+}
+
+// TokenUpdatePermissions is the request body for updating user permissions.
+type TokenUpdatePermissions struct {
+	PermissionView   *bool `json:"permission_view"`
+	PermissionManage *bool `json:"permission_manage_agent"`
+	PermissionAdmin  *bool `json:"permission_admin"`
+	IsActive         *bool `json:"is_active"`
+}
+
+// TokenPasswordReset is the request body for resetting a user's password.
+type TokenPasswordReset struct {
+	NewPassword string `json:"new_password" binding:"required"`
+}
+
+// BatchActionRequest is the request body for batch activate/deactivate users.
+type BatchActionRequest struct {
+	Logins []string `json:"logins" binding:"required,min=1"`
+}
+
+// LoginRequest is the request body for login.
+type LoginRequest struct {
+	Login    string `json:"login"    binding:"required"`
+	Password string `json:"password" binding:"required"`
+}
+
+// LoginResponse is returned after successful login.
+type LoginResponse struct {
+	Token            string `json:"token"`
+	Name             string `json:"name"`
+	LastName         string `json:"last_name"`
+	Login            string `json:"login"`
+	PermissionView   bool   `json:"permission_view"`
+	PermissionManage bool   `json:"permission_manage_agent"`
+	PermissionAdmin  bool   `json:"permission_admin"`
+	IsActive         bool   `json:"is_active"`
+}
+
+// RegistrationToken represents a one-time agent registration token.
+type RegistrationToken struct {
+	ID        int64   `json:"id"`
+	Token     string  `json:"token"`
+	Label     string  `json:"label"`
+	Used      bool    `json:"used"`
+	CreatedAt *string `json:"created_at"`
+	UsedAt    *string `json:"used_at"`
+}
+
+// RegistrationRequest is the request body for creating a registration token.
+type RegistrationRequest struct {
+	Label string `json:"label" binding:"required"`
+}
+
+// RegistrationResponse is returned when an agent registers.
+type RegistrationResponse struct {
+	CACert     string `json:"ca_cert"`
+	ClientCert string `json:"client_cert"`
+}
+
+// DeployType represents the type of agent deployment
+// @Description Type of deployment: docker or binary
+type DeployType string
+
+const (
+	DeployTypeDocker DeployType = "docker"
+	DeployTypeBinary DeployType = "binary"
+)
+
+// AuthMethod represents the SSH authentication method
+// @Description SSH authentication method: key or password
+type AuthMethod string
+
+const (
+	AuthMethodKey      AuthMethod = "key"
+	AuthMethodPassword AuthMethod = "password"
+)
+
+// AgentDeployConfig represents the configuration for deploying an agent to a server
+// @Description Configuration for deploying HellreigN agent to a single server
+type AgentDeployConfig struct {
+	User       string     `json:"user"               binding:"required" example:"admin"                               description:"SSH username"`
+	IP         string     `json:"ip"                 binding:"required" example:"192.168.1.100"                       description:"Server IP address"`
+	Port       int        `json:"port"                                  example:"22"                                  description:"SSH port (default: 22)"`
+	AuthMethod AuthMethod `json:"authMethod"         binding:"required" example:"key"                                 description:"SSH auth method: key or password"`
+	SSHKey     string     `json:"sshKey,omitempty"                      example:"-----BEGIN OPENSSH PRIVATE KEY-----" description:"SSH private key (required if authMethod=key)"`
+	Password   string     `json:"password,omitempty"                    example:"secret"                              description:"SSH password (required if authMethod=password)"`
+	DeployType DeployType `json:"deployType"         binding:"required" example:"docker"                              description:"Deployment type: docker or binary"`
+	AgentLabel string     `json:"agentLabel"         binding:"required" example:"production-server-1"                 description:"Unique label for the agent"`
+}
+
+// DeployAgentsRequest represents the request body for deploying agents to multiple servers
+// @Description Request to deploy HellreigN agents to multiple servers
+type DeployAgentsRequest struct {
+	Servers []AgentDeployConfig `json:"servers" binding:"required,min=1,dive" description:"List of server configurations"`
+}
+
+// DeployResponse represents the response after deploying agents
+// @Description Response containing deployment results and registration tokens
+type DeployResponse struct {
+	Message string         `json:"message" example:"Deployment completed"`
+	Results []DeployResult `json:"results"                                description:"Deployment results for each server"`
+}
+
+// DeployResult represents the result of deploying to a single server
+// @Description Result of deploying to a single server
+type DeployResult struct {
+	IP         string `json:"ip"              example:"192.168.1.100"       description:"Server IP address"`
+	AgentLabel string `json:"agent_label"     example:"production-server-1" description:"Agent label"`
+	Token      string `json:"token"           example:"abc123..."           description:"Registration token for agent registration"`
+	Success    bool   `json:"success"         example:"true"                description:"Whether deployment succeeded"`
+	Error      string `json:"error,omitempty" example:""                    description:"Error message if deployment failed"`
+}
+
+// Script represents a stored script with path and interpreter binding.
+type Script struct {
+	ID            int64   `json:"id"`
+	Path          string  `json:"path"`
+	Content       string  `json:"content"`
+	InterpreterID int64   `json:"interpreter_id"`
+	CreatedAt     *string `json:"created_at"`
+	UpdatedAt     *string `json:"updated_at"`
+}
+
+// ScriptCreate is the request body for creating a script.
+type ScriptCreate struct {
+	Path          string `json:"path" binding:"required"`
+	Content       string `json:"content"`
+	InterpreterID int64  `json:"interpreter_id" binding:"required"`
+}
+
+// ScriptUpdate is the request body for updating a script.
+type ScriptUpdate struct {
+	Path          *string `json:"path"`
+	Content       *string `json:"content"`
+	InterpreterID *int64  `json:"interpreter_id"`
+}
+
+// ScriptTreeNode represents a node in the script directory tree.
+type ScriptTreeNode struct {
+	Name          string           `json:"name"`
+	Type          string           `json:"type"` // "folder" or "file"
+	Children      []ScriptTreeNode `json:"children,omitempty"`
+	ID            *int64           `json:"id,omitempty"`
+	Content       *string          `json:"content,omitempty"`
+	InterpreterID *int64           `json:"interpreter_id,omitempty"`
+}

backend/internal/repository/repository.go

@@ -0,0 +1,646 @@
+package repository
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+	"log"
+	"strconv"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/utils"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Repository wraps a SQLite database connection.
+type Repository struct {
+	DB *sql.DB
+}
+
+// New creates a new Repository.
+func New(db *sql.DB) *Repository {
+	return &Repository{DB: db}
+}
+
+var ErrNotFound = errors.New("not found")
+var ErrAccountInactive = errors.New("account is not activated")
+
+// Init creates the tokens table if it does not exist.
+func (r *Repository) Init() error {
+	_, err := r.DB.Exec(storage.CreateSqlite)
+	if err != nil {
+		return err
+	}
+	// Migration: add is_active column if it doesn't exist (SQLite ignores errors for duplicate column)
+	_, _ = r.DB.Exec(storage.AddIsActiveColumn)
+	return nil
+}
+
+// CreateToken inserts a new user record with hashed password and generated token.
+// New users are created with is_active=false by default.
+func (r *Repository) CreateToken(tc TokenCreate) (string, error) {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(tc.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+
+	token, err := utils.RandomToken()
+	if err != nil {
+		return "", err
+	}
+
+	result, err := r.DB.Exec(
+		`INSERT INTO tokens (name, last_name, login, password, token, permission_view, permission_manage_agent, permission_admin, is_active)
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		tc.Name,
+		tc.LastName,
+		tc.Login,
+		string(hashed),
+		token,
+		tc.PermissionView,
+		tc.PermissionManage,
+		tc.PermissionAdmin,
+		tc.IsActive,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(id, 10), nil
+}
+
+// RegisterUser inserts a new user with all permissions set to false and is_active=false.
+func (r *Repository) RegisterUser(ur UserRegister) (string, error) {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(ur.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", fmt.Errorf("hash password: %w", err)
+	}
+
+	token, err := utils.RandomToken()
+	if err != nil {
+		return "", fmt.Errorf("generate token: %w", err)
+	}
+
+	result, err := r.DB.Exec(
+		`INSERT INTO tokens (name, last_name, login, password, token, permission_view, permission_manage_agent, permission_admin, is_active)
+		 VALUES (?, ?, ?, ?, ?, 0, 0, 0, 0)`,
+		ur.Name,
+		ur.LastName,
+		ur.Login,
+		string(hashed),
+		token,
+	)
+	if err != nil {
+		return "", fmt.Errorf("insert user: %w", err)
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return "", fmt.Errorf("get last insert id: %w", err)
+	}
+	log.Printf("[register] user created: id=%s login=%s", strconv.FormatInt(id, 10), ur.Login)
+	return strconv.FormatInt(id, 10), nil
+}
+
+// Login authenticates by login/password, generates a new token, and returns LoginResponse.
+func (r *Repository) Login(login, password string) (*LoginResponse, error) {
+	var t Tokens
+	var hashedPassword string
+
+	err := r.DB.QueryRow(
+		`SELECT id, name, last_name, login, password, token, permission_view, permission_manage_agent, permission_admin, is_active
+		 FROM tokens WHERE login = ?`,
+		login,
+	).Scan(&t.ID, &t.Name, &t.LastName, &t.Login, &hashedPassword, &t.Token,
+		&t.PermissionView, &t.PermissionManage, &t.PermissionAdmin, &t.IsActive)
+
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+
+	if err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password)); err != nil {
+		return nil, ErrNotFound
+	}
+
+	if !t.IsActive {
+		return nil, ErrAccountInactive
+	}
+
+	// Generate new token on each login
+	newToken, err := utils.RandomToken()
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = r.DB.Exec(`UPDATE tokens SET token = ? WHERE id = ?`, newToken, t.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginResponse{
+		Token:            newToken,
+		Name:             t.Name,
+		LastName:         t.LastName,
+		Login:            t.Login,
+		PermissionView:   t.PermissionView,
+		PermissionManage: t.PermissionManage,
+		PermissionAdmin:  t.PermissionAdmin,
+		IsActive:         t.IsActive,
+	}, nil
+}
+
+// GetTokenByToken retrieves a user record by token value.
+func (r *Repository) GetToken(token string) (*Tokens, error) {
+	var t Tokens
+	err := r.DB.QueryRow(
+		`SELECT id, name, last_name, login, token, permission_view, permission_manage_agent, permission_admin, is_active
+		 FROM tokens WHERE token = ?`,
+		token,
+	).Scan(&t.ID, &t.Name, &t.LastName, &t.Login, &t.Token,
+		&t.PermissionView, &t.PermissionManage, &t.PermissionAdmin, &t.IsActive)
+
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &t, nil
+}
+
+// ListTokens returns all users without password and token.
+func (r *Repository) ListTokens() ([]Tokens, error) {
+	rows, err := r.DB.Query(
+		`SELECT id, name, last_name, login, permission_view, permission_manage_agent, permission_admin, is_active
+		 FROM tokens`,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var tokens []Tokens
+	for rows.Next() {
+		var t Tokens
+		if err := rows.Scan(&t.ID, &t.Name, &t.LastName, &t.Login,
+			&t.PermissionView, &t.PermissionManage, &t.PermissionAdmin, &t.IsActive); err != nil {
+			return nil, err
+		}
+		tokens = append(tokens, t)
+	}
+	return tokens, rows.Err()
+}
+
+// DeleteToken deletes a user by token value.
+func (r *Repository) DeleteToken(token string) error {
+	result, err := r.DB.Exec(`DELETE FROM tokens WHERE token = ?`, token)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// DeleteTokenByLogin deletes a user by login.
+func (r *Repository) DeleteTokenByLogin(login string) error {
+	result, err := r.DB.Exec(`DELETE FROM tokens WHERE login = ?`, login)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// ExistsByLogin checks if a user with given login exists.
+func (r *Repository) ExistsByLogin(login string) bool {
+	var count int
+	err := r.DB.QueryRow(`SELECT COUNT(*) FROM tokens WHERE login = ?`, login).Scan(&count)
+	if err != nil {
+		return false
+	}
+	return count > 0
+}
+
+// InitRegistrationTokens creates the registration_tokens table if it does not exist.
+func (r *Repository) InitRegistrationTokens() error {
+	_, err := r.DB.Exec(storage.CreateRegistrationTokensTable)
+	return err
+}
+
+// CreateRegistrationToken inserts a new one-time registration token.
+func (r *Repository) CreateRegistrationToken(label string) (string, error) {
+	token, err := utils.RandomToken()
+	if err != nil {
+		return "", err
+	}
+
+	_, err = r.DB.Exec(
+		`INSERT INTO registration_tokens (token, label, used) VALUES (?, ?, 0)`,
+		token, label,
+	)
+	if err != nil {
+		return "", err
+	}
+	return token, nil
+}
+
+// GetRegistrationToken retrieves a registration token if it exists and is not used.
+func (r *Repository) GetRegistrationToken(token string) (*RegistrationToken, error) {
+	var rt RegistrationToken
+	err := r.DB.QueryRow(
+		`SELECT id, token, label, used, created_at, used_at FROM registration_tokens WHERE token = ?`,
+		token,
+	).Scan(&rt.ID, &rt.Token, &rt.Label, &rt.Used, &rt.CreatedAt, &rt.UsedAt)
+
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &rt, nil
+}
+
+// MarkRegistrationTokenUsed marks a registration token as used.
+func (r *Repository) MarkRegistrationTokenUsed(token string) error {
+	result, err := r.DB.Exec(
+		`UPDATE registration_tokens SET used = 1, used_at = CURRENT_TIMESTAMP WHERE token = ? AND used = 0`,
+		token,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// DeleteRegistrationToken deletes a registration token (used for rollback on deployment failure).
+func (r *Repository) DeleteRegistrationToken(token string) error {
+	_, err := r.DB.Exec(`DELETE FROM registration_tokens WHERE token = ?`, token)
+	return err
+}
+
+// ActivateToken activates a user by token value.
+func (r *Repository) ActivateToken(token string) error {
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET is_active = 1 WHERE token = ?`,
+		token,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// DeactivateToken deactivates a user by token value.
+func (r *Repository) DeactivateToken(token string) error {
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET is_active = 0 WHERE token = ?`,
+		token,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// ActivateUserByLogin activates a user by login.
+func (r *Repository) ActivateUserByLogin(login string) error {
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET is_active = 1 WHERE login = ?`,
+		login,
+	)
+	if err != nil {
+		return fmt.Errorf("activate exec: %w", err)
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("rows affected: %w", err)
+	}
+	log.Printf("[activate] login=%s affected=%d", login, affected)
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// DeactivateUserByLogin deactivates a user by login.
+func (r *Repository) DeactivateUserByLogin(login string) error {
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET is_active = 0 WHERE login = ?`,
+		login,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// ListInactiveTokens returns all users that are not activated.
+func (r *Repository) ListInactiveTokens() ([]Tokens, error) {
+	rows, err := r.DB.Query(
+		`SELECT id, name, last_name, login, token, permission_view, permission_manage_agent, permission_admin, is_active
+		 FROM tokens WHERE is_active = 0`,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var tokens []Tokens
+	for rows.Next() {
+		var t Tokens
+		if err := rows.Scan(&t.ID, &t.Name, &t.LastName, &t.Login, &t.Token,
+			&t.PermissionView, &t.PermissionManage, &t.PermissionAdmin, &t.IsActive); err != nil {
+			return nil, err
+		}
+		tokens = append(tokens, t)
+	}
+	return tokens, rows.Err()
+}
+
+// GetTokenByLogin retrieves a user by login.
+func (r *Repository) GetTokenByLogin(login string) (*Tokens, error) {
+	var t Tokens
+	err := r.DB.QueryRow(
+		`SELECT id, name, last_name, login, token, permission_view, permission_manage_agent, permission_admin, is_active
+		 FROM tokens WHERE login = ?`,
+		login,
+	).Scan(&t.ID, &t.Name, &t.LastName, &t.Login, &t.Token,
+		&t.PermissionView, &t.PermissionManage, &t.PermissionAdmin, &t.IsActive)
+
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &t, nil
+}
+
+// UpdateToken updates name and last_name for a user by login.
+func (r *Repository) UpdateToken(login string, update TokenUpdate) error {
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET name = ?, last_name = ? WHERE login = ?`,
+		update.Name, update.LastName, login,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// UpdatePermissions updates permissions and is_active for a user by login.
+func (r *Repository) UpdatePermissions(login string, update TokenUpdatePermissions) error {
+	user, err := r.GetTokenByLogin(login)
+	if err != nil {
+		return err
+	}
+
+	// Use existing values if not provided
+	newView := user.PermissionView
+	newManage := user.PermissionManage
+	newAdmin := user.PermissionAdmin
+	newActive := user.IsActive
+
+	if update.PermissionView != nil {
+		newView = *update.PermissionView
+	}
+	if update.PermissionManage != nil {
+		newManage = *update.PermissionManage
+	}
+	if update.PermissionAdmin != nil {
+		newAdmin = *update.PermissionAdmin
+	}
+	if update.IsActive != nil {
+		newActive = *update.IsActive
+	}
+
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET permission_view = ?, permission_manage_agent = ?, permission_admin = ?, is_active = ? WHERE login = ?`,
+		newView,
+		newManage,
+		newAdmin,
+		newActive,
+		login,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// UpdatePassword updates the password for a user by login.
+func (r *Repository) UpdatePassword(login string, newPassword string) error {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
+	if err != nil {
+		return err
+	}
+
+	result, err := r.DB.Exec(
+		`UPDATE tokens SET password = ? WHERE login = ?`,
+		string(hashed), login,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// CreateScript inserts a new script into the database.
+func (r *Repository) CreateScript(sc ScriptCreate) (*Script, error) {
+	result, err := r.DB.Exec(
+		`INSERT INTO scripts (path, content, interpreter_id) VALUES (?, ?, ?)`,
+		sc.Path, sc.Content, sc.InterpreterID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("insert script: %w", err)
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return nil, fmt.Errorf("get last insert id: %w", err)
+	}
+
+	return &Script{
+		ID:            id,
+		Path:          sc.Path,
+		Content:       sc.Content,
+		InterpreterID: sc.InterpreterID,
+	}, nil
+}
+
+// GetScript retrieves a script by ID.
+func (r *Repository) GetScript(id int64) (*Script, error) {
+	var s Script
+	err := r.DB.QueryRow(
+		`SELECT id, path, content, interpreter_id, created_at, updated_at FROM scripts WHERE id = ?`,
+		id,
+	).Scan(&s.ID, &s.Path, &s.Content, &s.InterpreterID, &s.CreatedAt, &s.UpdatedAt)
+
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &s, nil
+}
+
+// GetScriptByPath retrieves a script by its path.
+func (r *Repository) GetScriptByPath(path string) (*Script, error) {
+	var s Script
+	err := r.DB.QueryRow(
+		`SELECT id, path, content, interpreter_id, created_at, updated_at FROM scripts WHERE path = ?`,
+		path,
+	).Scan(&s.ID, &s.Path, &s.Content, &s.InterpreterID, &s.CreatedAt, &s.UpdatedAt)
+
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &s, nil
+}
+
+// ListScripts returns all scripts.
+func (r *Repository) ListScripts() ([]Script, error) {
+	rows, err := r.DB.Query(
+		`SELECT id, path, content, interpreter_id, created_at, updated_at FROM scripts`,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var scripts []Script
+	for rows.Next() {
+		var s Script
+		if err := rows.Scan(&s.ID, &s.Path, &s.Content, &s.InterpreterID, &s.CreatedAt, &s.UpdatedAt); err != nil {
+			return nil, err
+		}
+		scripts = append(scripts, s)
+	}
+	return scripts, rows.Err()
+}
+
+// UpdateScript updates a script by ID.
+func (r *Repository) UpdateScript(id int64, update ScriptUpdate) (*Script, error) {
+	existing, err := r.GetScript(id)
+	if err != nil {
+		return nil, err
+	}
+
+	newPath := existing.Path
+	newContent := existing.Content
+	newInterpreterID := existing.InterpreterID
+
+	if update.Path != nil {
+		newPath = *update.Path
+	}
+	if update.Content != nil {
+		newContent = *update.Content
+	}
+	if update.InterpreterID != nil {
+		newInterpreterID = *update.InterpreterID
+	}
+
+	_, err = r.DB.Exec(
+		`UPDATE scripts SET path = ?, content = ?, interpreter_id = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?`,
+		newPath, newContent, newInterpreterID, id,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("update script: %w", err)
+	}
+
+	return &Script{
+		ID:            id,
+		Path:          newPath,
+		Content:       newContent,
+		InterpreterID: newInterpreterID,
+	}, nil
+}
+
+// DeleteScript deletes a script by ID.
+func (r *Repository) DeleteScript(id int64) error {
+	result, err := r.DB.Exec(`DELETE FROM scripts WHERE id = ?`, id)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}

backend/internal/repository/script_interpreter_repository.go

@@ -0,0 +1,204 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"time"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/storage"
+)
+
+type ScriptInterpreter struct {
+	ID        int64     `json:"id"`
+	Name      string    `json:"name"`
+	Label     string    `json:"label"`
+	Argv      []string  `json:"argv"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+type ScriptInterpreterCreate struct {
+	Name  string   `json:"name"  binding:"required"`
+	Label string   `json:"label" binding:"required"`
+	Argv  []string `json:"argv"  binding:"required"`
+}
+
+type ScriptInterpreterUpdate struct {
+	Name  *string  `json:"name"`
+	Label *string  `json:"label"`
+	Argv  []string `json:"argv"`
+}
+
+type ScriptInterpreterRepo struct {
+	DB *sql.DB
+}
+
+func NewScriptInterpreterRepo(db *sql.DB) *ScriptInterpreterRepo {
+	return &ScriptInterpreterRepo{DB: db}
+}
+
+func (r *ScriptInterpreterRepo) Init(ctx context.Context) error {
+	_, err := r.DB.ExecContext(ctx, storage.CreateScriptInterpretersTable)
+	return err
+}
+
+func (r *ScriptInterpreterRepo) Create(
+	ctx context.Context,
+	in ScriptInterpreterCreate,
+) (*ScriptInterpreter, error) {
+	argvJSON, err := json.Marshal(in.Argv)
+	if err != nil {
+		return nil, err
+	}
+
+	result, err := r.DB.ExecContext(ctx,
+		`INSERT INTO script_interpreters (name, label, argv) VALUES (?, ?, ?)`,
+		in.Name, in.Label, string(argvJSON),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return nil, err
+	}
+
+	return r.GetByID(ctx, id)
+}
+
+func (r *ScriptInterpreterRepo) GetByID(ctx context.Context, id int64) (*ScriptInterpreter, error) {
+	var si ScriptInterpreter
+	var argvJSON string
+	var createdAt, updatedAt string
+
+	err := r.DB.QueryRowContext(
+		ctx,
+		`SELECT id, name, label, argv, created_at, updated_at FROM script_interpreters WHERE id = ?`,
+		id,
+	).Scan(&si.ID, &si.Name, &si.Label, &argvJSON, &createdAt, &updatedAt)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+
+	if err := json.Unmarshal([]byte(argvJSON), &si.Argv); err != nil {
+		return nil, err
+	}
+	si.CreatedAt, _ = time.Parse(time.RFC3339, createdAt)
+	si.UpdatedAt, _ = time.Parse(time.RFC3339, updatedAt)
+	return &si, nil
+}
+
+func (r *ScriptInterpreterRepo) List(ctx context.Context) ([]ScriptInterpreter, error) {
+	rows, err := r.DB.QueryContext(ctx,
+		`SELECT id, name, label, argv, created_at, updated_at FROM script_interpreters`,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var interpreters []ScriptInterpreter
+	for rows.Next() {
+		var si ScriptInterpreter
+		var argvJSON, createdAt, updatedAt string
+		if err := rows.Scan(
+			&si.ID,
+			&si.Name,
+			&si.Label,
+			&argvJSON,
+			&createdAt,
+			&updatedAt,
+		); err != nil {
+			return nil, err
+		}
+		if err := json.Unmarshal([]byte(argvJSON), &si.Argv); err != nil {
+			return nil, err
+		}
+		si.CreatedAt, _ = time.Parse(time.RFC3339, createdAt)
+		si.UpdatedAt, _ = time.Parse(time.RFC3339, updatedAt)
+		interpreters = append(interpreters, si)
+	}
+	return interpreters, rows.Err()
+}
+
+func (r *ScriptInterpreterRepo) Update(
+	ctx context.Context,
+	id int64,
+	in ScriptInterpreterUpdate,
+) (*ScriptInterpreter, error) {
+	si, err := r.GetByID(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	set := ""
+	args := make([]interface{}, 0)
+	idx := 1
+
+	if in.Name != nil {
+		set += "name = ?"
+		args = append(args, *in.Name)
+		idx++
+	}
+	if in.Label != nil {
+		if idx > 1 {
+			set += ", "
+		}
+		set += "label = ?"
+		args = append(args, *in.Label)
+		idx++
+	}
+	if in.Argv != nil {
+		if idx > 1 {
+			set += ", "
+		}
+		argvJSON, err := json.Marshal(in.Argv)
+		if err != nil {
+			return nil, err
+		}
+		set += "argv = ?"
+		args = append(args, string(argvJSON))
+		idx++
+	}
+
+	if idx == 1 {
+		return si, nil
+	}
+
+	set += ", updated_at = CURRENT_TIMESTAMP"
+	args = append(args, id)
+
+	_, err = r.DB.ExecContext(ctx,
+		`UPDATE script_interpreters SET `+set+` WHERE id = ?`,
+		args...,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return r.GetByID(ctx, id)
+}
+
+func (r *ScriptInterpreterRepo) Delete(ctx context.Context, id int64) error {
+	result, err := r.DB.ExecContext(ctx,
+		`DELETE FROM script_interpreters WHERE id = ?`,
+		id,
+	)
+	if err != nil {
+		return err
+	}
+	affected, err := result.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return ErrNotFound
+	}
+	return nil
+}

backend/internal/service/script_service.go

@@ -0,0 +1,191 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+
+	"gitea.d3m0k1d.ru/d3m0k1d/HellreigN/backend/internal/repository"
+)
+
+// ScriptService handles script CRUD, tree building, and interpreter resolution.
+type ScriptService struct {
+	Repo            *repository.Repository
+	InterpreterRepo *repository.ScriptInterpreterRepo
+}
+
+// NewScriptService creates a new ScriptService with both script and interpreter repos.
+func NewScriptService(repo *repository.Repository) *ScriptService {
+	return &ScriptService{Repo: repo}
+}
+
+// NewScriptServiceWithInterpreters creates a ScriptService with interpreter support.
+func NewScriptServiceWithInterpreters(repo *repository.Repository, interpRepo *repository.ScriptInterpreterRepo) *ScriptService {
+	return &ScriptService{Repo: repo, InterpreterRepo: interpRepo}
+}
+
+// treeNode is an internal representation for building the tree.
+type treeNode struct {
+	name     string
+	typ      string // "folder" or "file"
+	children map[string]*treeNode
+	// File-specific fields
+	id            *int64
+	content       *string
+	interpreterID *int64
+}
+
+// BuildTree builds a directory tree from all scripts in the database.
+// Each script path is treated as a file path (e.g. "deploy/nginx/restart.sh").
+// Scripts with empty content and interpreter_id=0 are treated as folder placeholders.
+func (s *ScriptService) BuildTree() ([]repository.ScriptTreeNode, error) {
+	scripts, err := s.Repo.ListScripts()
+	if err != nil {
+		return nil, err
+	}
+
+	root := make(map[string]*treeNode)
+
+	for _, sc := range scripts {
+		parts := strings.Split(sc.Path, "/")
+
+		// A script with empty content and interpreter_id=0 is a folder placeholder
+		isPlaceholder := sc.Content == "" && sc.InterpreterID == 0
+
+		// Walk through path parts, creating folders as needed
+		currentMap := root
+		for i, part := range parts {
+			isLastPart := i == len(parts)-1
+			isFile := isLastPart && !isPlaceholder
+
+			if _, exists := currentMap[part]; !exists {
+				node := &treeNode{
+					name:     part,
+					children: make(map[string]*treeNode),
+				}
+				if isFile {
+					node.typ = "file"
+					id := sc.ID
+					content := sc.Content
+					interpreterID := sc.InterpreterID
+					node.id = &id
+					node.content = &content
+					node.interpreterID = &interpreterID
+				} else {
+					node.typ = "folder"
+				}
+				currentMap[part] = node
+			} else if isFile {
+				// Node already exists but was created as a folder (e.g. by another script's path).
+				// Convert it to a file if it was a folder placeholder.
+				existing := currentMap[part]
+				if existing.typ == "folder" {
+					id := sc.ID
+					content := sc.Content
+					interpreterID := sc.InterpreterID
+					existing.typ = "file"
+					existing.id = &id
+					existing.content = &content
+					existing.interpreterID = &interpreterID
+				}
+			}
+			currentMap = currentMap[part].children
+		}
+	}
+
+	return buildTreeSlice(root), nil
+}
+
+// buildTreeSlice converts a map of treeNodes to a sorted slice of ScriptTreeNode.
+func buildTreeSlice(m map[string]*treeNode) []repository.ScriptTreeNode {
+	result := make([]repository.ScriptTreeNode, 0, len(m))
+	for _, node := range m {
+		result = append(result, toScriptTreeNode(node))
+	}
+
+	// Sort: folders first, then files, alphabetically within each group
+	sort.Slice(result, func(i, j int) bool {
+		if result[i].Type != result[j].Type {
+			return result[i].Type == "folder"
+		}
+		return result[i].Name < result[j].Name
+	})
+
+	return result
+}
+
+// toScriptTreeNode converts a treeNode to a ScriptTreeNode with recursively converted children.
+func toScriptTreeNode(node *treeNode) repository.ScriptTreeNode {
+	result := repository.ScriptTreeNode{
+		Name:     node.name,
+		Type:     node.typ,
+		Children: []repository.ScriptTreeNode{},
+	}
+
+	if node.typ == "file" {
+		result.ID = node.id
+		result.Content = node.content
+		result.InterpreterID = node.interpreterID
+	} else {
+		result.Children = buildTreeSlice(node.children)
+	}
+
+	return result
+}
+
+// ResolveCommand resolves the full command for a script using its interpreter.
+func (s *ScriptService) ResolveCommand(ctx context.Context, interpreterID int64, scriptText string) ([]string, error) {
+	if s.InterpreterRepo == nil {
+		return nil, fmt.Errorf("interpreter repo not configured")
+	}
+
+	interpreter, err := s.InterpreterRepo.GetByID(ctx, interpreterID)
+	if err != nil {
+		return nil, fmt.Errorf("get interpreter: %w", err)
+	}
+
+	// Build command: argv[0] argv[1] ... -c scriptText
+	cmd := append(interpreter.Argv, "-c", scriptText)
+	return cmd, nil
+}
+
+// List returns all interpreters.
+func (s *ScriptService) List(ctx context.Context) ([]repository.ScriptInterpreter, error) {
+	if s.InterpreterRepo == nil {
+		return nil, fmt.Errorf("interpreter repo not configured")
+	}
+	return s.InterpreterRepo.List(ctx)
+}
+
+// Create creates a new interpreter.
+func (s *ScriptService) Create(ctx context.Context, in repository.ScriptInterpreterCreate) (*repository.ScriptInterpreter, error) {
+	if s.InterpreterRepo == nil {
+		return nil, fmt.Errorf("interpreter repo not configured")
+	}
+	return s.InterpreterRepo.Create(ctx, in)
+}
+
+// GetByID returns an interpreter by ID.
+func (s *ScriptService) GetByID(ctx context.Context, id int64) (*repository.ScriptInterpreter, error) {
+	if s.InterpreterRepo == nil {
+		return nil, fmt.Errorf("interpreter repo not configured")
+	}
+	return s.InterpreterRepo.GetByID(ctx, id)
+}
+
+// Update updates an interpreter.
+func (s *ScriptService) Update(ctx context.Context, id int64, in repository.ScriptInterpreterUpdate) (*repository.ScriptInterpreter, error) {
+	if s.InterpreterRepo == nil {
+		return nil, fmt.Errorf("interpreter repo not configured")
+	}
+	return s.InterpreterRepo.Update(ctx, id, in)
+}
+
+// Delete deletes an interpreter.
+func (s *ScriptService) Delete(ctx context.Context, id int64) error {
+	if s.InterpreterRepo == nil {
+		return fmt.Errorf("interpreter repo not configured")
+	}
+	return s.InterpreterRepo.Delete(ctx, id)
+}

backend/internal/storage/clickhouse.go

@@ -0,0 +1,76 @@
+package storage
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"log"
+	"time"
+
+	_ "github.com/ClickHouse/clickhouse-go/v2"
+)
+
+type ClickHouseConfig struct {
+	Host     string
+	User     string
+	Password string
+	Database string
+}
+
+func OpenClickHouse(cfg ClickHouseConfig) (*sql.DB, error) {
+	dsn := fmt.Sprintf("clickhouse://%s:%s@%s/%s",
+		cfg.User, cfg.Password, cfg.Host, cfg.Database)
+
+	db, err := sql.Open("clickhouse", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("clickhouse open: %w", err)
+	}
+
+	db.SetMaxOpenConns(5)
+	db.SetMaxIdleConns(2)
+	db.SetConnMaxLifetime(10 * time.Minute)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	if err := db.PingContext(ctx); err != nil {
+		db.Close()
+		return nil, fmt.Errorf("clickhouse ping: %w", err)
+	}
+
+	log.Printf("ClickHouse connected via database/sql: %s", cfg.Host)
+	return db, nil
+}
+
+// OpenClickHouseWithRetry attempts to connect to ClickHouse with retries and backoff.
+func OpenClickHouseWithRetry(
+	cfg ClickHouseConfig,
+	maxRetries int,
+	initialDelay time.Duration,
+) (*sql.DB, error) {
+	var lastErr error
+	delay := initialDelay
+
+	for i := 0; i < maxRetries; i++ {
+		db, err := OpenClickHouse(cfg)
+		if err == nil {
+			return db, nil
+		}
+		lastErr = err
+		log.Printf(
+			"ClickHouse connection attempt %d/%d failed: %v, retrying in %v...",
+			i+1,
+			maxRetries,
+			err,
+			delay,
+		)
+		time.Sleep(delay)
+		delay *= 2
+	}
+
+	return nil, fmt.Errorf(
+		"clickhouse connection failed after %d attempts: %w",
+		maxRetries,
+		lastErr,
+	)
+}

backend/internal/storage/log_entry.go

@@ -0,0 +1,11 @@
+package storage
+
+import "time"
+
+type LogEntry struct {
+	Timestamp time.Time `ch:"timestamp"`
+	Level     string    `ch:"level"`
+	Service   string    `ch:"service"`
+	Agent     string    `ch:"agent"`
+	Message   string    `ch:"message"`
+}

backend/internal/storage/migrations.go

@@ -0,0 +1,377 @@
+package storage
+
+const CreateSqlite = `
+	CREATE TABLE IF NOT EXISTS tokens (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	name TEXT NOT NULL,
+	last_name TEXT NOT NULL,
+	login TEXT NOT NULL UNIQUE,
+	password TEXT NOT NULL,
+	token TEXT NOT NULL UNIQUE,
+	permission_view BOOL NOT NULL,
+	permission_manage_agent BOOL NOT NULL,
+	permission_admin BOOL NOT NULL,
+	is_active BOOL NOT NULL DEFAULT 0
+);
+`
+
+// AddIsActiveColumn adds is_active column to tokens table if it doesn't exist.
+// This is a migration for existing databases that don't have this column.
+const AddIsActiveColumn = `
+	ALTER TABLE tokens ADD COLUMN is_active BOOL NOT NULL DEFAULT 0
+`
+
+const CreateRegistrationTokensTable = `
+CREATE TABLE IF NOT EXISTS registration_tokens (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	token TEXT NOT NULL UNIQUE,
+	label TEXT NOT NULL,
+	used BOOL NOT NULL DEFAULT 0,
+	created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+	used_at DATETIME
+);
+`
+
+const CreateJobsTable = `
+CREATE TABLE IF NOT EXISTS jobs (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	agent_id TEXT NOT NULL,
+	command TEXT NOT NULL,
+	stdin TEXT,
+	stdout TEXT DEFAULT '',
+	stderr TEXT DEFAULT '',
+	status INTEGER DEFAULT 0,
+	created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+	updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+`
+
+const CreateScriptInterpretersTable = `
+CREATE TABLE IF NOT EXISTS script_interpreters (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	name TEXT NOT NULL UNIQUE,
+	label TEXT NOT NULL,
+	argv TEXT NOT NULL,
+	created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+	updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+`
+
+const CreateScriptsTable = `
+CREATE TABLE IF NOT EXISTS scripts (
+	id INTEGER PRIMARY KEY AUTOINCREMENT,
+	path TEXT NOT NULL UNIQUE,
+	content TEXT NOT NULL DEFAULT '',
+	interpreter_id INTEGER NOT NULL,
+	created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+	updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+	FOREIGN KEY (interpreter_id) REFERENCES script_interpreters(id)
+);
+`
+
+const CreateLogsTable = `
+CREATE TABLE IF NOT EXISTS logs (
+    timestamp DateTime64(3) DEFAULT now(),
+    level     LowCardinality(String),
+    service   LowCardinality(String),
+    agent     LowCardinality(String),
+    message   String
+) ENGINE = MergeTree()
+ORDER BY (timestamp, level, service, agent)
+TTL timestamp + INTERVAL 30 DAY
+SETTINGS index_granularity = 8192
+`
+
+// SeedDefaultScripts inserts the bash interpreter and default diagnostic scripts.
+// Uses INSERT OR IGNORE to avoid duplicates on subsequent runs.
+const SeedDefaultScripts = `
+-- Create bash interpreter with id=2
+INSERT OR IGNORE INTO script_interpreters (id, name, label, argv) VALUES
+(2, 'bash', 'Bash Shell', '["/bin/bash"]');
+
+-- Insert default scripts bound to bash interpreter (id=2)
+INSERT OR IGNORE INTO scripts (path, content, interpreter_id) VALUES
+('default/system_info.sh', '#!/bin/bash
+# Скрипт сбора базовой информации о системе: hostname, IP-адреса, сетевые интерфейсы, версия ОС
+
+echo "=== SYSTEM INFORMATION ==="
+echo ""
+
+# Hostname
+echo "--- Hostname ---"
+hostname 2>/dev/null || echo "hostname command failed"
+echo ""
+
+# OS Version
+echo "--- OS Version ---"
+if [ -f /etc/os-release ]; then
+    cat /etc/os-release
+elif [ -f /etc/redhat-release ]; then
+    cat /etc/redhat-release
+elif command -v uname >/dev/null 2>&1; then
+    uname -a
+else
+    echo "Unable to determine OS version"
+fi
+echo ""
+
+# Network Interfaces
+echo "--- Network Interfaces ---"
+if command -v ip >/dev/null 2>&1; then
+    ip addr show 2>/dev/null
+elif command -v ifconfig >/dev/null 2>&1; then
+    ifconfig -a 2>/dev/null
+else
+    echo "Neither ip nor ifconfig available"
+fi
+echo ""
+
+# IP Addresses (summary)
+echo "--- IP Addresses Summary ---"
+if command -v ip >/dev/null 2>&1; then
+    ip -brief addr show 2>/dev/null || ip addr show | grep "inet " | awk ''{print $2, $4}''
+elif command -v ifconfig >/dev/null 2>&1; then
+    ifconfig | grep "inet " | awk ''{print $2}''
+else
+    echo "Unable to retrieve IP addresses"
+fi
+echo ""
+
+# Default Gateway
+echo "--- Default Gateway ---"
+if command -v ip >/dev/null 2>&1; then
+    ip route show default 2>/dev/null | head -5
+elif command -v route >/dev/null 2>&1; then
+    route -n | grep "^0.0.0.0"
+else
+    echo "Unable to determine default gateway"
+fi
+echo ""
+
+# DNS Configuration
+echo "--- DNS Configuration ---"
+if [ -f /etc/resolv.conf ]; then
+    cat /etc/resolv.conf
+else
+    echo "/etc/resolv.conf not found"
+fi
+echo ""
+
+echo "=== END SYSTEM INFORMATION ==="', 2),
+
+('default/services_scan.sh', '#!/bin/bash
+# Скрипт сканирования доступных сервисов и портов на машине
+
+echo "=== SERVICES AND PORTS SCAN ==="
+echo ""
+
+# Listening ports
+echo "--- Listening Ports ---"
+if command -v ss >/dev/null 2>&1; then
+    echo "Using ss:"
+    ss -tulnp 2>/dev/null
+elif command -v netstat >/dev/null 2>&1; then
+    echo "Using netstat:"
+    netstat -tulnp 2>/dev/null
+else
+    echo "Neither ss nor netstat available"
+fi
+echo ""
+
+# Common services check
+echo "--- Common Services Check ---"
+COMMON_PORTS="22 80 443 3306 5432 6379 8080 8443 27017 9200"
+for port in $COMMON_PORTS; do
+    if command -v ss >/dev/null 2>&1; then
+        if ss -tuln | grep -q ":${port} "; then
+            echo "Port ${port}: LISTENING"
+        fi
+    elif command -v netstat >/dev/null 2>&1; then
+        if netstat -tuln | grep -q ":${port} "; then
+            echo "Port ${port}: LISTENING"
+        fi
+    fi
+done
+echo ""
+
+# Running services
+echo "--- Running Services (systemd) ---"
+if command -v systemctl >/dev/null 2>&1; then
+    systemctl list-units --type=service --state=running --no-pager 2>/dev/null | head -30
+else
+    echo "systemctl not available"
+    echo "--- Running processes (top 20) ---"
+    ps aux --sort=-%mem 2>/dev/null | head -20 || ps aux | head -20
+fi
+echo ""
+
+# Docker containers (if available)
+echo "--- Docker Containers ---"
+if command -v docker >/dev/null 2>&1; then
+    docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" 2>/dev/null || echo "Docker command failed"
+else
+    echo "Docker not installed"
+fi
+echo ""
+
+echo "=== END SERVICES AND PORTS SCAN ==="', 2),
+
+('default/diagnostics.sh', '#!/bin/bash
+# Скрипт выполнения базовых диагностических команд
+
+echo "=== DIAGNOSTIC COMMANDS ==="
+echo ""
+
+# Uptime
+echo "--- Uptime ---"
+uptime 2>/dev/null || echo "uptime command failed"
+echo ""
+
+# Load average
+echo "--- Load Average ---"
+cat /proc/loadavg 2>/dev/null || echo "/proc/loadavg not available"
+echo ""
+
+# Memory usage
+echo "--- Memory Usage ---"
+if command -v free >/dev/null 2>&1; then
+    free -h 2>/dev/null
+elif [ -f /proc/meminfo ]; then
+    head -10 /proc/meminfo
+else
+    echo "Unable to retrieve memory info"
+fi
+echo ""
+
+# Disk usage
+echo "--- Disk Usage ---"
+df -h 2>/dev/null || echo "df command failed"
+echo ""
+
+# CPU info
+echo "--- CPU Info ---"
+if [ -f /proc/cpuinfo ]; then
+    echo "CPU cores: $(grep -c ^processor /proc/cpuinfo 2>/dev/null || echo ''unknown'')"
+    grep "model name" /proc/cpuinfo 2>/dev/null | head -1 || echo "CPU model unknown"
+else
+    echo "/proc/cpuinfo not available"
+fi
+echo ""
+
+# Top processes by CPU
+echo "--- Top 10 Processes by CPU ---"
+ps aux --sort=-%cpu 2>/dev/null | head -11 || ps aux | head -11
+echo ""
+
+# Network connectivity check
+echo "--- Network Connectivity ---"
+echo "Pinging 8.8.8.8..."
+ping -c 2 -W 2 8.8.8.8 2>/dev/null || echo "Ping to 8.8.8.8 failed"
+echo ""
+
+echo "Pinging 1.1.1.1..."
+ping -c 2 -W 2 1.1.1.1 2>/dev/null || echo "Ping to 1.1.1.1 failed"
+echo ""
+
+# Last reboots
+echo "--- Last Reboots (last 5) ---"
+last reboot 2>/dev/null | head -5 || echo "Unable to get reboot history"
+echo ""
+
+# Systemd failed services
+echo "--- Failed Systemd Services ---"
+if command -v systemctl >/dev/null 2>&1; then
+    systemctl list-units --state=failed --no-pager 2>/dev/null | head -10 || echo "No failed services or systemctl unavailable"
+else
+    echo "systemctl not available"
+fi
+echo ""
+
+echo "=== END DIAGNOSTIC COMMANDS ==="', 2),
+
+('default/network_info.sh', '#!/bin/bash
+# Скрипт сбора базовой сетевой информации
+
+echo "=== NETWORK INFORMATION ==="
+echo ""
+
+# Network interfaces with IPs
+echo "--- Network Interfaces ---"
+if command -v ip >/dev/null 2>&1; then
+    ip addr show 2>/dev/null
+elif command -v ifconfig >/dev/null 2>&1; then
+    ifconfig -a 2>/dev/null
+else
+    echo "Unable to retrieve network interface info"
+fi
+echo ""
+
+# Routing table
+echo "--- Routing Table ---"
+if command -v ip >/dev/null 2>&1; then
+    ip route show 2>/dev/null
+elif command -v route >/dev/null 2>&1; then
+    route -n 2>/dev/null
+else
+    echo "Unable to retrieve routing table"
+fi
+echo ""
+
+# ARP table
+echo "--- ARP Table ---"
+if command -v ip >/dev/null 2>&1; then
+    ip neigh show 2>/dev/null
+elif command -v arp >/dev/null 2>&1; then
+    arp -an 2>/dev/null
+else
+    echo "Unable to retrieve ARP table"
+fi
+echo ""
+
+# DNS resolution test
+echo "--- DNS Resolution Test ---"
+echo "Resolving google.com..."
+if command -v nslookup >/dev/null 2>&1; then
+    nslookup google.com 2>/dev/null | head -10
+elif command -v dig >/dev/null 2>&1; then
+    dig google.com +short 2>/dev/null
+elif command -v host >/dev/null 2>&1; then
+    host google.com 2>/dev/null | head -5
+elif command -v getent >/dev/null 2>&1; then
+    getent hosts google.com 2>/dev/null
+else
+    echo "No DNS tools available"
+fi
+echo ""
+
+# Active connections
+echo "--- Active Connections (ESTABLISHED) ---"
+if command -v ss >/dev/null 2>&1; then
+    ss -tnp state established 2>/dev/null | head -20
+elif command -v netstat >/dev/null 2>&1; then
+    netstat -tnp 2>/dev/null | grep ESTABLISHED | head -20
+else
+    echo "Unable to retrieve active connections"
+fi
+echo ""
+
+# Firewall rules (if accessible)
+echo "--- Firewall Rules ---"
+if command -v iptables >/dev/null 2>&1; then
+    iptables -L -n 2>/dev/null | head -30 || echo "iptables: permission denied or error"
+else
+    echo "iptables not available"
+fi
+echo ""
+
+# Network namespaces (if applicable)
+echo "--- Network Namespaces ---"
+if command -v ip >/dev/null 2>&1; then
+    ip netns list 2>/dev/null || echo "No network namespaces or permission denied"
+else
+    echo "ip command not available"
+fi
+echo ""
+
+echo "=== END NETWORK INFORMATION ==="', 2);
+`

backend/internal/storage/sqlite.go

@@ -0,0 +1,60 @@
+package storage
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"strings"
+
+	_ "modernc.org/sqlite"
+)
+
+var pragmas = map[string]string{
+	`journal_mode`: `wal`,
+	`synchronous`:  `normal`,
+	`busy_timeout`: `30000`,
+}
+
+func buildSqliteDsn(path string, pragmas map[string]string) string {
+	pragmastrs := make([]string, len(pragmas))
+	i := 0
+	for k, v := range pragmas {
+		pragmastrs[i] = (fmt.Sprintf(`pragma=%s(%s)`, k, v))
+		i++
+	}
+	return path + "?" + "mode=rwc&" + strings.Join(pragmastrs, "&")
+}
+
+func Open(path string) (*sql.DB, error) {
+	dsn := buildSqliteDsn(path, pragmas)
+	db, err := sql.Open("sqlite", dsn)
+	if err != nil {
+		return nil, err
+	}
+
+	// Run migrations
+	if _, err := db.Exec(CreateSqlite); err != nil {
+		return nil, fmt.Errorf("migrate: %w", err)
+	}
+
+	// Migration: add is_active column if it doesn't exist
+	if _, err := db.Exec(AddIsActiveColumn); err != nil {
+		log.Printf("[sqlite] WARNING: failed to add is_active column: %v", err)
+	} else {
+		log.Println("[sqlite] is_active column migration applied")
+	}
+
+	// Create scripts table if not exists
+	if _, err := db.Exec(CreateScriptsTable); err != nil {
+		return nil, fmt.Errorf("migrate scripts: %w", err)
+	}
+
+	// Seed default diagnostic scripts
+	if _, err := db.Exec(SeedDefaultScripts); err != nil {
+		log.Printf("[sqlite] WARNING: failed to seed default scripts: %v", err)
+	} else {
+		log.Println("[sqlite] default scripts seeded successfully")
+	}
+
+	return db, nil
+}

backend/internal/utils/cert_helper.go

@@ -0,0 +1,157 @@
+package utils
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// CertBundle holds CA and server certificates loaded from disk.
+type CertBundle struct {
+	CACert     *x509.Certificate
+	CAKey      *rsa.PrivateKey
+	ServerCert *x509.Certificate
+	ServerKey  *rsa.PrivateKey
+}
+
+// LoadCertBundle loads CA and server certificates from the given directory.
+func LoadCertBundle(certDir string) (*CertBundle, error) {
+	caCertPEM, err := os.ReadFile(filepath.Join(certDir, "ca.crt"))
+	if err != nil {
+		return nil, fmt.Errorf("read ca.crt: %w", err)
+	}
+
+	caKeyPEM, err := os.ReadFile(filepath.Join(certDir, "ca.key"))
+	if err != nil {
+		return nil, fmt.Errorf("read ca.key: %w", err)
+	}
+
+	serverCertPEM, err := os.ReadFile(filepath.Join(certDir, "server.crt"))
+	if err != nil {
+		return nil, fmt.Errorf("read server.crt: %w", err)
+	}
+
+	serverKeyPEM, err := os.ReadFile(filepath.Join(certDir, "server.key"))
+	if err != nil {
+		return nil, fmt.Errorf("read server.key: %w", err)
+	}
+
+	caCert := decodeCert(caCertPEM)
+	caKey, err := decodeRSAPrivateKey(caKeyPEM)
+	if err != nil {
+		return nil, fmt.Errorf("parse ca.key: %w", err)
+	}
+	serverCert := decodeCert(serverCertPEM)
+	serverKey, err := decodeRSAPrivateKey(serverKeyPEM)
+	if err != nil {
+		return nil, fmt.Errorf("parse server.key: %w", err)
+	}
+
+	return &CertBundle{
+		CACert:     caCert,
+		CAKey:      caKey,
+		ServerCert: serverCert,
+		ServerKey:  serverKey,
+	}, nil
+}
+
+// SignCSR signs a client CSR with the CA and returns the client certificate PEM.
+func (b *CertBundle) SignCSR(csrPEM []byte, label string) ([]byte, error) {
+	csr := decodeCSR(csrPEM)
+
+	// Verify CSR signature
+	if err := csr.CheckSignature(); err != nil {
+		return nil, fmt.Errorf("invalid CSR signature: %w", err)
+	}
+
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, fmt.Errorf("generate serial: %w", err)
+	}
+
+	now := time.Now()
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName:   label,
+			Organization: csr.Subject.Organization,
+		},
+		NotBefore:             now,
+		NotAfter:              now.Add(365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, b.CACert, csr.PublicKey, b.CAKey)
+	if err != nil {
+		return nil, fmt.Errorf("create certificate: %w", err)
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certDER,
+	})
+
+	return certPEM, nil
+}
+
+// GetCACertPEM returns the CA certificate as PEM bytes.
+func (b *CertBundle) GetCACertPEM() []byte {
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: b.CACert.Raw,
+	})
+}
+
+func decodeCert(pemData []byte) *x509.Certificate {
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil
+	}
+	return cert
+}
+
+func decodeRSAPrivateKey(pemData []byte) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM block found")
+	}
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		// Try PKCS1 fallback
+		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parse PKCS1: %w", err)
+		}
+		return key.(*rsa.PrivateKey), nil
+	}
+	rsaKey, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return nil, fmt.Errorf("key is not RSA, got %T", key)
+	}
+	return rsaKey, nil
+}
+
+func decodeCSR(pemData []byte) *x509.CertificateRequest {
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil
+	}
+	csr, err := x509.ParseCertificateRequest(block.Bytes)
+	if err != nil {
+		return nil
+	}
+	return csr
+}

backend/internal/utils/token_gen.go

@@ -0,0 +1,15 @@
+package utils
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+)
+
+// TOOD: fuck
+func RandomToken() (string, error) {
+	token := make([]byte, 32)
+	if _, err := rand.Read(token); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(token), nil
+}

backend/makefile

@@ -0,0 +1,6 @@
+.PHONY: docs lint
+docs:
+	swag init -g ./cmd/main.go --parseDependency --parseInternal
+
+lint:
+	golangci-lint run --fix

backend/scripts/generate-certs.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+# Скрипт генерации SSL сертификатов для mTLS gRPC
+
+set -e
+
+CERT_DIR="${1:-/etc/HellreigN/ssl}"
+DAYS_VALID=365
+
+echo "Generating CA and server certificates in ${CERT_DIR}..."
+
+# Создаём директорию
+mkdir -p "${CERT_DIR}"
+
+# Если сертификаты уже есть и не пустые - не перегенерируем
+if [ -s "${CERT_DIR}/ca.crt" ] && [ -s "${CERT_DIR}/server.crt" ] && [ -s "${CERT_DIR}/server.key" ]; then
+    echo "Certificates already exist, skipping generation."
+    exit 0
+fi
+
+# Если файлы существуют но пустые - удаляем их для перегенерации
+rm -f "${CERT_DIR}/ca.crt" "${CERT_DIR}/ca.key" "${CERT_DIR}/server.crt" "${CERT_DIR}/server.key" "${CERT_DIR}/server.csr"
+
+# Генерация CA
+echo "Generating CA..."
+openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/ca.key"
+openssl req -x509 -new -nodes -sha256 -days ${DAYS_VALID} \
+    -key "${CERT_DIR}/ca.key" \
+    -out "${CERT_DIR}/ca.crt" \
+    -subj "/CN=HellreigN Root CA"
+
+# Генерация серверного сертификата
+echo "Generating server certificate..."
+openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/server.key"
+openssl req -new -sha256 \
+    -key "${CERT_DIR}/server.key" \
+    -out "${CERT_DIR}/server.csr" \
+    -subj "/CN=${SERVER_CN:-localhost}"
+
+# Создаём конфиг для server SAN
+# Поддержка переменных окружения:
+#   SERVER_SAN_DNS - список DNS имен через запятую (например: localhost,backend,myserver.example.com)
+#   SERVER_SAN_IP - список IP адресов через запятую (например: 127.0.0.1,192.168.1.100)
+cat > "${CERT_DIR}/server.ext" <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+EOF
+
+# Добавляем DNS SAN
+dns_idx=1
+IFS=',' read -ra DNS_NAMES <<< "${SERVER_SAN_DNS:-localhost,backend}"
+for dns_name in "${DNS_NAMES[@]}"; do
+    dns_name=$(echo "$dns_name" | xargs)  # trim whitespace
+    if [ -n "$dns_name" ]; then
+        echo "DNS.${dns_idx} = ${dns_name}" >> "${CERT_DIR}/server.ext"
+        ((dns_idx++))
+    fi
+done
+
+# Добавляем wildcard для localhost если есть
+echo "DNS.${dns_idx} = *.localhost" >> "${CERT_DIR}/server.ext"
+((dns_idx++))
+
+# Добавляем IP SAN
+ip_idx=1
+IFS=',' read -ra IP_ADDRS <<< "${SERVER_SAN_IP:-127.0.0.1}"
+for ip_addr in "${IP_ADDRS[@]}"; do
+    ip_addr=$(echo "$ip_addr" | xargs)  # trim whitespace
+    if [ -n "$ip_addr" ]; then
+        echo "IP.${ip_idx} = ${ip_addr}" >> "${CERT_DIR}/server.ext"
+        ((ip_idx++))
+    fi
+done
+
+openssl x509 -req -sha256 -days ${DAYS_VALID} \
+    -in "${CERT_DIR}/server.csr" \
+    -CA "${CERT_DIR}/ca.crt" \
+    -CAkey "${CERT_DIR}/ca.key" \
+    -CAcreateserial \
+    -out "${CERT_DIR}/server.crt" \
+    -extfile "${CERT_DIR}/server.ext"
+
+# Очистка лишних файлов
+rm -f "${CERT_DIR}/server.ext"
+
+# Установка прав
+chmod 600 "${CERT_DIR}"/*.key
+chmod 644 "${CERT_DIR}"/*.crt
+
+echo "Certificates generated successfully!"
+echo "  CA:     ${CERT_DIR}/ca.crt"
+echo "  Server: ${CERT_DIR}/server.crt + ${CERT_DIR}/server.key"
+echo "  SAN DNS: ${SERVER_SAN_DNS:-localhost,backend}"
+echo "  SAN IP:  ${SERVER_SAN_IP:-127.0.0.1}"

frontend/.env.example

@@ -0,0 +1,3 @@
+# Backend API URL. По умолчанию "/api/v1" (через nginx proxy).
+# Для локальной разработки: "http://localhost:8080/api/v1"
+VITE_API_BASE_URL=/api/v1

frontend/dockerfile

@@ -0,0 +1,19 @@
+FROM node:25-alpine3.23 AS builder
+
+WORKDIR /app
+
+ARG VITE_API_BASE_URL=/api/v1
+ENV VITE_API_BASE_URL=${VITE_API_BASE_URL}
+
+COPY package.json yarn.lock ./
+
+RUN yarn install --frozen-lockfile
+COPY . .
+RUN yarn build
+FROM nginx:alpine
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]

frontend/nginx.conf

@@ -0,0 +1,30 @@
+
+server {
+    listen 80;
+    server_name localhost;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    location /api/ {
+        proxy_pass http://backend:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Gzip сжатие
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+}

frontend/src/shared/api/axios.instance.ts

@@ -16,7 +16,7 @@ class ApiClient {
 
   constructor() {
     this.axiosInstance = axios.create({
-      baseURL: "http://213.165.213.170:8080/api/v1",
+      baseURL: import.meta.env.VITE_API_BASE_URL || "/api/v1",
       timeout: 10000,
       headers: {
         "Content-Type": "application/json",

go.work

@@ -0,0 +1,7 @@
+go 1.26.1
+
+use (
+	./agent
+	./backend
+	./proto
+)

infra/agent/config.yml

@@ -0,0 +1,13 @@
+backend_url: http://backend:8080
+grpc_url: backend:9001
+label: test-agent-1
+registration_token: "58b1cd3857774f690e4534ec222af4ec08eaae8cd5577614365f2b19c78d03d6"
+cert_dir: /etc/hellreign-agent/certs
+services:
+  - name: system
+    type: journald
+  - name: nginx
+    type: docker
+  - name: sshd
+    type: journald
+    systemd_unit: sshd

infra/backend/config.yml

@@ -0,0 +1,11 @@
+database:
+  token_db: /var/lib/hellreign/tokens.db
+  clickhouse_host: clickhouse:9000
+  clickhouse_user: default
+  clickhouse_password: testpassword
+  clickhouse_database: hellreign
+admin:
+  admin_name: Admin
+  admin_last_name: User
+  admin_login: admin
+  admin_password: admin123

infra/clickhouse/init/01_create_logs_table.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+clickhouse-client --query "CREATE DATABASE IF NOT EXISTS hellreign;"
+
+clickhouse-client --query "
+CREATE TABLE IF NOT EXISTS hellreign.logs (
+    timestamp DateTime64(3) DEFAULT now(),
+    level LowCardinality(String),
+    service LowCardinality(String),
+    agent LowCardinality(String),
+    message String
+) ENGINE = MergeTree()
+ORDER BY (timestamp, level, service, agent)
+SETTINGS index_granularity = 8192;
+"

infra/docker-compose.yml

@@ -0,0 +1,92 @@
+services:
+  clickhouse:
+    image: clickhouse/clickhouse-server:24.8
+    container_name: hellreign-clickhouse
+    environment:
+      CLICKHOUSE_DB: hellreign
+      CLICKHOUSE_USER: default
+      CLICKHOUSE_PASSWORD: testpassword
+      CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
+    ports:
+      - "8123:8123"
+      - "9000:9000"
+    volumes:
+      - clickhouse_data:/var/lib/clickhouse
+      - ./clickhouse/init:/docker-entrypoint-initdb.d
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8123/ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
+      start_period: 30s
+    networks:
+      - hellreign
+
+  backend:
+    build:
+      context: ..
+      dockerfile: backend/dockerfile
+    container_name: hellreign-backend
+    environment:
+      CONFIG_FILE: /etc/hellreign/config.yml
+      GRAPH_YAML_PATH: /etc/hellreign/services.yaml
+      SSL_CERT_DIR: /var/lib/hellreign/ssl
+      SERVER_SAN_DNS: localhost,backend
+      SERVER_SAN_IP: 127.0.0.1
+    ports:
+      - "8080:8080"
+      - "9001:9001"
+    volumes:
+      - ./backend/config.yml:/etc/hellreign/config.yml:ro
+      - ./services.yaml:/etc/hellreign/services.yaml:ro
+      - backend_data:/var/lib/hellreign
+    depends_on:
+      clickhouse:
+        condition: service_healthy
+    networks:
+      - hellreign
+
+  frontend:
+    build:
+      context: ../frontend
+      dockerfile: dockerfile
+    container_name: hellreign-frontend
+    ports:
+      - "3000:80"
+    depends_on:
+      - backend
+    networks:
+      - hellreign
+
+  agent:
+    build:
+      context: ..
+      dockerfile: agent/dockerfile
+    container_name: hellreign-agent
+    environment:
+      CONFIG_FILE: /etc/hellreign-agent/config.yml
+      JOURNALD_LOGDIR: /var/log/journal
+      BUFFER_DB: /var/lib/hellreign-agent/agent_buffer.db
+    volumes:
+      - ./agent/config.yml:/etc/hellreign-agent/config.yml:ro
+      - agent_certs:/etc/hellreign-agent/certs
+      - agent_data:/var/lib/hellreign-agent
+      - /var/log/journal:/var/log/journal:ro
+    depends_on:
+      - backend
+    networks:
+      - hellreign
+
+volumes:
+  clickhouse_data:
+    driver: local
+  backend_data:
+    driver: local
+  agent_certs:
+    driver: local
+  agent_data:
+    driver: local
+
+networks:
+  hellreign:
+    driver: bridge

infra/services.yaml

@@ -0,0 +1,11 @@
+nodes:
+  test-agent-1:
+    services:
+      nginx:
+        depends_on:
+          - sshd
+      sshd:
+        depends_on: []
+      system:
+        depends_on:
+          - sshd

migrations/001-jobs-drop-default.sql

@@ -0,0 +1,15 @@
+CREATE TABLE [jobs_new_17f2f1dd010f] (
+   [id] INTEGER PRIMARY KEY,
+   [agent_id] TEXT NOT NULL,
+   [command] TEXT NOT NULL,
+   [stdin] TEXT,
+   [stdout] TEXT,
+   [stderr] TEXT,
+   [status] INTEGER,
+   [created_at] FLOAT DEFAULT CURRENT_TIMESTAMP,
+   [updated_at] FLOAT DEFAULT CURRENT_TIMESTAMP
+);
+INSERT INTO [jobs_new_17f2f1dd010f] ([rowid], [id], [agent_id], [command], [stdin], [stdout], [stderr], [status], [created_at], [updated_at])
+   SELECT [rowid], [id], [agent_id], [command], [stdin], [stdout], [stderr], [status], [created_at], [updated_at] FROM [jobs];
+DROP TABLE [jobs];
+ALTER TABLE [jobs_new_17f2f1dd010f] RENAME TO [jobs];

proto/do.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -exuo pipefail
+
+protogen() {
+	in=./hellreign.proto
+	protoc --go_out="." --go_opt=module="gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto" \
+		--go-grpc_out="." --go-grpc_opt=module="gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto" "$in"
+}
+
+"$@"

proto/go.mod

@@ -0,0 +1,16 @@
+module gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto
+
+go 1.25.0
+
+require (
+	google.golang.org/grpc v1.80.0
+	google.golang.org/protobuf v1.36.11
+)
+
+require (
+	go.opentelemetry.io/otel v1.41.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
+)

proto/go.sum

@@ -0,0 +1,38 @@
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 h1:sNrWoksmOyF5bvJUcnmbeAmQi8baNhqg5IWaI3llQqU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=

proto/hellreign.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package chat;
+
+option go_package="gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/proto";
+
+service Collector {
+	rpc Stream(stream CollectorRequest) returns (CollectorResponse);
+	rpc ReportServices(ServicesUpdate) returns (ServicesUpdateResp);
+	rpc ReportSystemMetrics(SystemMetrics) returns (SystemMetricsResp);
+}
+message ServicesUpdateResp {
+}
+message SystemMetricsResp {
+}
+message SystemMetrics {
+	double cpu_percent = 1;       // CPU usage percentage (0-100)
+	double memory_percent = 2;    // RAM usage percentage (0-100)
+	double disk_percent = 3;      // Disk usage percentage (0-100)
+	double network_rx_bytes = 4;  // Network received bytes per second
+	double network_tx_bytes = 5;  // Network transmitted bytes per second
+}
+message ServicesUpdate {
+	message ServiceUpdate {
+		string name = 1;
+		string status = 2;
+	}
+	repeated ServiceUpdate services = 1;
+}
+
+message CollectorRequest {
+	string message = 1;
+}
+
+message CollectorResponse {
+}
+
+service Commander {
+	rpc Stream(stream FinishedCommand) returns (stream Command);
+}
+
+message Command {
+	int64 id = 1;
+	repeated string command = 2;
+	optional string stdin = 3;
+}
+
+message FinishedCommand {
+	int64 id = 1;
+	int32 status = 2;
+	string stdout = 3;
+	string stderr = 4;
+}
+

proto/proto/hellreign.pb.go

@@ -0,0 +1,579 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v7.34.1
+// source: hellreign.proto
+
+package proto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type ServicesUpdateResp struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ServicesUpdateResp) Reset() {
+	*x = ServicesUpdateResp{}
+	mi := &file_hellreign_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ServicesUpdateResp) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServicesUpdateResp) ProtoMessage() {}
+
+func (x *ServicesUpdateResp) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServicesUpdateResp.ProtoReflect.Descriptor instead.
+func (*ServicesUpdateResp) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{0}
+}
+
+type SystemMetricsResp struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SystemMetricsResp) Reset() {
+	*x = SystemMetricsResp{}
+	mi := &file_hellreign_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SystemMetricsResp) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SystemMetricsResp) ProtoMessage() {}
+
+func (x *SystemMetricsResp) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SystemMetricsResp.ProtoReflect.Descriptor instead.
+func (*SystemMetricsResp) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{1}
+}
+
+type SystemMetrics struct {
+	state          protoimpl.MessageState `protogen:"open.v1"`
+	CpuPercent     float64                `protobuf:"fixed64,1,opt,name=cpu_percent,json=cpuPercent,proto3" json:"cpu_percent,omitempty"`               // CPU usage percentage (0-100)
+	MemoryPercent  float64                `protobuf:"fixed64,2,opt,name=memory_percent,json=memoryPercent,proto3" json:"memory_percent,omitempty"`      // RAM usage percentage (0-100)
+	DiskPercent    float64                `protobuf:"fixed64,3,opt,name=disk_percent,json=diskPercent,proto3" json:"disk_percent,omitempty"`            // Disk usage percentage (0-100)
+	NetworkRxBytes float64                `protobuf:"fixed64,4,opt,name=network_rx_bytes,json=networkRxBytes,proto3" json:"network_rx_bytes,omitempty"` // Network received bytes per second
+	NetworkTxBytes float64                `protobuf:"fixed64,5,opt,name=network_tx_bytes,json=networkTxBytes,proto3" json:"network_tx_bytes,omitempty"` // Network transmitted bytes per second
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
+}
+
+func (x *SystemMetrics) Reset() {
+	*x = SystemMetrics{}
+	mi := &file_hellreign_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SystemMetrics) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SystemMetrics) ProtoMessage() {}
+
+func (x *SystemMetrics) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SystemMetrics.ProtoReflect.Descriptor instead.
+func (*SystemMetrics) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *SystemMetrics) GetCpuPercent() float64 {
+	if x != nil {
+		return x.CpuPercent
+	}
+	return 0
+}
+
+func (x *SystemMetrics) GetMemoryPercent() float64 {
+	if x != nil {
+		return x.MemoryPercent
+	}
+	return 0
+}
+
+func (x *SystemMetrics) GetDiskPercent() float64 {
+	if x != nil {
+		return x.DiskPercent
+	}
+	return 0
+}
+
+func (x *SystemMetrics) GetNetworkRxBytes() float64 {
+	if x != nil {
+		return x.NetworkRxBytes
+	}
+	return 0
+}
+
+func (x *SystemMetrics) GetNetworkTxBytes() float64 {
+	if x != nil {
+		return x.NetworkTxBytes
+	}
+	return 0
+}
+
+type ServicesUpdate struct {
+	state         protoimpl.MessageState          `protogen:"open.v1"`
+	Services      []*ServicesUpdate_ServiceUpdate `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ServicesUpdate) Reset() {
+	*x = ServicesUpdate{}
+	mi := &file_hellreign_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ServicesUpdate) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServicesUpdate) ProtoMessage() {}
+
+func (x *ServicesUpdate) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServicesUpdate.ProtoReflect.Descriptor instead.
+func (*ServicesUpdate) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *ServicesUpdate) GetServices() []*ServicesUpdate_ServiceUpdate {
+	if x != nil {
+		return x.Services
+	}
+	return nil
+}
+
+type CollectorRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Message       string                 `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CollectorRequest) Reset() {
+	*x = CollectorRequest{}
+	mi := &file_hellreign_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CollectorRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CollectorRequest) ProtoMessage() {}
+
+func (x *CollectorRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CollectorRequest.ProtoReflect.Descriptor instead.
+func (*CollectorRequest) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *CollectorRequest) GetMessage() string {
+	if x != nil {
+		return x.Message
+	}
+	return ""
+}
+
+type CollectorResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CollectorResponse) Reset() {
+	*x = CollectorResponse{}
+	mi := &file_hellreign_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CollectorResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CollectorResponse) ProtoMessage() {}
+
+func (x *CollectorResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CollectorResponse.ProtoReflect.Descriptor instead.
+func (*CollectorResponse) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{5}
+}
+
+type Command struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Id            int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Command       []string               `protobuf:"bytes,2,rep,name=command,proto3" json:"command,omitempty"`
+	Stdin         *string                `protobuf:"bytes,3,opt,name=stdin,proto3,oneof" json:"stdin,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Command) Reset() {
+	*x = Command{}
+	mi := &file_hellreign_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Command) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Command) ProtoMessage() {}
+
+func (x *Command) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Command.ProtoReflect.Descriptor instead.
+func (*Command) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *Command) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *Command) GetCommand() []string {
+	if x != nil {
+		return x.Command
+	}
+	return nil
+}
+
+func (x *Command) GetStdin() string {
+	if x != nil && x.Stdin != nil {
+		return *x.Stdin
+	}
+	return ""
+}
+
+type FinishedCommand struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Id            int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Status        int32                  `protobuf:"varint,2,opt,name=status,proto3" json:"status,omitempty"`
+	Stdout        string                 `protobuf:"bytes,3,opt,name=stdout,proto3" json:"stdout,omitempty"`
+	Stderr        string                 `protobuf:"bytes,4,opt,name=stderr,proto3" json:"stderr,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *FinishedCommand) Reset() {
+	*x = FinishedCommand{}
+	mi := &file_hellreign_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *FinishedCommand) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FinishedCommand) ProtoMessage() {}
+
+func (x *FinishedCommand) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FinishedCommand.ProtoReflect.Descriptor instead.
+func (*FinishedCommand) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *FinishedCommand) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *FinishedCommand) GetStatus() int32 {
+	if x != nil {
+		return x.Status
+	}
+	return 0
+}
+
+func (x *FinishedCommand) GetStdout() string {
+	if x != nil {
+		return x.Stdout
+	}
+	return ""
+}
+
+func (x *FinishedCommand) GetStderr() string {
+	if x != nil {
+		return x.Stderr
+	}
+	return ""
+}
+
+type ServicesUpdate_ServiceUpdate struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Name          string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Status        string                 `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ServicesUpdate_ServiceUpdate) Reset() {
+	*x = ServicesUpdate_ServiceUpdate{}
+	mi := &file_hellreign_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ServicesUpdate_ServiceUpdate) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServicesUpdate_ServiceUpdate) ProtoMessage() {}
+
+func (x *ServicesUpdate_ServiceUpdate) ProtoReflect() protoreflect.Message {
+	mi := &file_hellreign_proto_msgTypes[8]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServicesUpdate_ServiceUpdate.ProtoReflect.Descriptor instead.
+func (*ServicesUpdate_ServiceUpdate) Descriptor() ([]byte, []int) {
+	return file_hellreign_proto_rawDescGZIP(), []int{3, 0}
+}
+
+func (x *ServicesUpdate_ServiceUpdate) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *ServicesUpdate_ServiceUpdate) GetStatus() string {
+	if x != nil {
+		return x.Status
+	}
+	return ""
+}
+
+var File_hellreign_proto protoreflect.FileDescriptor
+
+const file_hellreign_proto_rawDesc = "" +
+	"\n" +
+	"\x0fhellreign.proto\x12\x04chat\"\x14\n" +
+	"\x12ServicesUpdateResp\"\x13\n" +
+	"\x11SystemMetricsResp\"\xce\x01\n" +
+	"\rSystemMetrics\x12\x1f\n" +
+	"\vcpu_percent\x18\x01 \x01(\x01R\n" +
+	"cpuPercent\x12%\n" +
+	"\x0ememory_percent\x18\x02 \x01(\x01R\rmemoryPercent\x12!\n" +
+	"\fdisk_percent\x18\x03 \x01(\x01R\vdiskPercent\x12(\n" +
+	"\x10network_rx_bytes\x18\x04 \x01(\x01R\x0enetworkRxBytes\x12(\n" +
+	"\x10network_tx_bytes\x18\x05 \x01(\x01R\x0enetworkTxBytes\"\x8d\x01\n" +
+	"\x0eServicesUpdate\x12>\n" +
+	"\bservices\x18\x01 \x03(\v2\".chat.ServicesUpdate.ServiceUpdateR\bservices\x1a;\n" +
+	"\rServiceUpdate\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
+	"\x06status\x18\x02 \x01(\tR\x06status\",\n" +
+	"\x10CollectorRequest\x12\x18\n" +
+	"\amessage\x18\x01 \x01(\tR\amessage\"\x13\n" +
+	"\x11CollectorResponse\"X\n" +
+	"\aCommand\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\x03R\x02id\x12\x18\n" +
+	"\acommand\x18\x02 \x03(\tR\acommand\x12\x19\n" +
+	"\x05stdin\x18\x03 \x01(\tH\x00R\x05stdin\x88\x01\x01B\b\n" +
+	"\x06_stdin\"i\n" +
+	"\x0fFinishedCommand\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\x03R\x02id\x12\x16\n" +
+	"\x06status\x18\x02 \x01(\x05R\x06status\x12\x16\n" +
+	"\x06stdout\x18\x03 \x01(\tR\x06stdout\x12\x16\n" +
+	"\x06stderr\x18\x04 \x01(\tR\x06stderr2\xcf\x01\n" +
+	"\tCollector\x12;\n" +
+	"\x06Stream\x12\x16.chat.CollectorRequest\x1a\x17.chat.CollectorResponse(\x01\x12@\n" +
+	"\x0eReportServices\x12\x14.chat.ServicesUpdate\x1a\x18.chat.ServicesUpdateResp\x12C\n" +
+	"\x13ReportSystemMetrics\x12\x13.chat.SystemMetrics\x1a\x17.chat.SystemMetricsResp2?\n" +
+	"\tCommander\x122\n" +
+	"\x06Stream\x12\x15.chat.FinishedCommand\x1a\r.chat.Command(\x010\x01B0Z.gitea.d3m0k1d.ru/d3m0k1d/HellreigN/proto/protob\x06proto3"
+
+var (
+	file_hellreign_proto_rawDescOnce sync.Once
+	file_hellreign_proto_rawDescData []byte
+)
+
+func file_hellreign_proto_rawDescGZIP() []byte {
+	file_hellreign_proto_rawDescOnce.Do(func() {
+		file_hellreign_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_hellreign_proto_rawDesc), len(file_hellreign_proto_rawDesc)))
+	})
+	return file_hellreign_proto_rawDescData
+}
+
+var file_hellreign_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
+var file_hellreign_proto_goTypes = []any{
+	(*ServicesUpdateResp)(nil),           // 0: chat.ServicesUpdateResp
+	(*SystemMetricsResp)(nil),            // 1: chat.SystemMetricsResp
+	(*SystemMetrics)(nil),                // 2: chat.SystemMetrics
+	(*ServicesUpdate)(nil),               // 3: chat.ServicesUpdate
+	(*CollectorRequest)(nil),             // 4: chat.CollectorRequest
+	(*CollectorResponse)(nil),            // 5: chat.CollectorResponse
+	(*Command)(nil),                      // 6: chat.Command
+	(*FinishedCommand)(nil),              // 7: chat.FinishedCommand
+	(*ServicesUpdate_ServiceUpdate)(nil), // 8: chat.ServicesUpdate.ServiceUpdate
+}
+var file_hellreign_proto_depIdxs = []int32{
+	8, // 0: chat.ServicesUpdate.services:type_name -> chat.ServicesUpdate.ServiceUpdate
+	4, // 1: chat.Collector.Stream:input_type -> chat.CollectorRequest
+	3, // 2: chat.Collector.ReportServices:input_type -> chat.ServicesUpdate
+	2, // 3: chat.Collector.ReportSystemMetrics:input_type -> chat.SystemMetrics
+	7, // 4: chat.Commander.Stream:input_type -> chat.FinishedCommand
+	5, // 5: chat.Collector.Stream:output_type -> chat.CollectorResponse
+	0, // 6: chat.Collector.ReportServices:output_type -> chat.ServicesUpdateResp
+	1, // 7: chat.Collector.ReportSystemMetrics:output_type -> chat.SystemMetricsResp
+	6, // 8: chat.Commander.Stream:output_type -> chat.Command
+	5, // [5:9] is the sub-list for method output_type
+	1, // [1:5] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() { file_hellreign_proto_init() }
+func file_hellreign_proto_init() {
+	if File_hellreign_proto != nil {
+		return
+	}
+	file_hellreign_proto_msgTypes[6].OneofWrappers = []any{}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_hellreign_proto_rawDesc), len(file_hellreign_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   9,
+			NumExtensions: 0,
+			NumServices:   2,
+		},
+		GoTypes:           file_hellreign_proto_goTypes,
+		DependencyIndexes: file_hellreign_proto_depIdxs,
+		MessageInfos:      file_hellreign_proto_msgTypes,
+	}.Build()
+	File_hellreign_proto = out.File
+	file_hellreign_proto_goTypes = nil
+	file_hellreign_proto_depIdxs = nil
+}

proto/proto/hellreign_grpc.pb.go

@@ -0,0 +1,287 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.6.1
+// - protoc             v7.34.1
+// source: hellreign.proto
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	Collector_Stream_FullMethodName              = "/chat.Collector/Stream"
+	Collector_ReportServices_FullMethodName      = "/chat.Collector/ReportServices"
+	Collector_ReportSystemMetrics_FullMethodName = "/chat.Collector/ReportSystemMetrics"
+)
+
+// CollectorClient is the client API for Collector service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type CollectorClient interface {
+	Stream(ctx context.Context, opts ...grpc.CallOption) (grpc.ClientStreamingClient[CollectorRequest, CollectorResponse], error)
+	ReportServices(ctx context.Context, in *ServicesUpdate, opts ...grpc.CallOption) (*ServicesUpdateResp, error)
+	ReportSystemMetrics(ctx context.Context, in *SystemMetrics, opts ...grpc.CallOption) (*SystemMetricsResp, error)
+}
+
+type collectorClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewCollectorClient(cc grpc.ClientConnInterface) CollectorClient {
+	return &collectorClient{cc}
+}
+
+func (c *collectorClient) Stream(ctx context.Context, opts ...grpc.CallOption) (grpc.ClientStreamingClient[CollectorRequest, CollectorResponse], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &Collector_ServiceDesc.Streams[0], Collector_Stream_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[CollectorRequest, CollectorResponse]{ClientStream: stream}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Collector_StreamClient = grpc.ClientStreamingClient[CollectorRequest, CollectorResponse]
+
+func (c *collectorClient) ReportServices(ctx context.Context, in *ServicesUpdate, opts ...grpc.CallOption) (*ServicesUpdateResp, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ServicesUpdateResp)
+	err := c.cc.Invoke(ctx, Collector_ReportServices_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *collectorClient) ReportSystemMetrics(ctx context.Context, in *SystemMetrics, opts ...grpc.CallOption) (*SystemMetricsResp, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SystemMetricsResp)
+	err := c.cc.Invoke(ctx, Collector_ReportSystemMetrics_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// CollectorServer is the server API for Collector service.
+// All implementations must embed UnimplementedCollectorServer
+// for forward compatibility.
+type CollectorServer interface {
+	Stream(grpc.ClientStreamingServer[CollectorRequest, CollectorResponse]) error
+	ReportServices(context.Context, *ServicesUpdate) (*ServicesUpdateResp, error)
+	ReportSystemMetrics(context.Context, *SystemMetrics) (*SystemMetricsResp, error)
+	mustEmbedUnimplementedCollectorServer()
+}
+
+// UnimplementedCollectorServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedCollectorServer struct{}
+
+func (UnimplementedCollectorServer) Stream(grpc.ClientStreamingServer[CollectorRequest, CollectorResponse]) error {
+	return status.Error(codes.Unimplemented, "method Stream not implemented")
+}
+func (UnimplementedCollectorServer) ReportServices(context.Context, *ServicesUpdate) (*ServicesUpdateResp, error) {
+	return nil, status.Error(codes.Unimplemented, "method ReportServices not implemented")
+}
+func (UnimplementedCollectorServer) ReportSystemMetrics(context.Context, *SystemMetrics) (*SystemMetricsResp, error) {
+	return nil, status.Error(codes.Unimplemented, "method ReportSystemMetrics not implemented")
+}
+func (UnimplementedCollectorServer) mustEmbedUnimplementedCollectorServer() {}
+func (UnimplementedCollectorServer) testEmbeddedByValue()                   {}
+
+// UnsafeCollectorServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to CollectorServer will
+// result in compilation errors.
+type UnsafeCollectorServer interface {
+	mustEmbedUnimplementedCollectorServer()
+}
+
+func RegisterCollectorServer(s grpc.ServiceRegistrar, srv CollectorServer) {
+	// If the following call panics, it indicates UnimplementedCollectorServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&Collector_ServiceDesc, srv)
+}
+
+func _Collector_Stream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(CollectorServer).Stream(&grpc.GenericServerStream[CollectorRequest, CollectorResponse]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Collector_StreamServer = grpc.ClientStreamingServer[CollectorRequest, CollectorResponse]
+
+func _Collector_ReportServices_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ServicesUpdate)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CollectorServer).ReportServices(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Collector_ReportServices_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CollectorServer).ReportServices(ctx, req.(*ServicesUpdate))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Collector_ReportSystemMetrics_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SystemMetrics)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CollectorServer).ReportSystemMetrics(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Collector_ReportSystemMetrics_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CollectorServer).ReportSystemMetrics(ctx, req.(*SystemMetrics))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// Collector_ServiceDesc is the grpc.ServiceDesc for Collector service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Collector_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "chat.Collector",
+	HandlerType: (*CollectorServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ReportServices",
+			Handler:    _Collector_ReportServices_Handler,
+		},
+		{
+			MethodName: "ReportSystemMetrics",
+			Handler:    _Collector_ReportSystemMetrics_Handler,
+		},
+	},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "Stream",
+			Handler:       _Collector_Stream_Handler,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "hellreign.proto",
+}
+
+const (
+	Commander_Stream_FullMethodName = "/chat.Commander/Stream"
+)
+
+// CommanderClient is the client API for Commander service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type CommanderClient interface {
+	Stream(ctx context.Context, opts ...grpc.CallOption) (grpc.BidiStreamingClient[FinishedCommand, Command], error)
+}
+
+type commanderClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewCommanderClient(cc grpc.ClientConnInterface) CommanderClient {
+	return &commanderClient{cc}
+}
+
+func (c *commanderClient) Stream(ctx context.Context, opts ...grpc.CallOption) (grpc.BidiStreamingClient[FinishedCommand, Command], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &Commander_ServiceDesc.Streams[0], Commander_Stream_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[FinishedCommand, Command]{ClientStream: stream}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Commander_StreamClient = grpc.BidiStreamingClient[FinishedCommand, Command]
+
+// CommanderServer is the server API for Commander service.
+// All implementations must embed UnimplementedCommanderServer
+// for forward compatibility.
+type CommanderServer interface {
+	Stream(grpc.BidiStreamingServer[FinishedCommand, Command]) error
+	mustEmbedUnimplementedCommanderServer()
+}
+
+// UnimplementedCommanderServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedCommanderServer struct{}
+
+func (UnimplementedCommanderServer) Stream(grpc.BidiStreamingServer[FinishedCommand, Command]) error {
+	return status.Error(codes.Unimplemented, "method Stream not implemented")
+}
+func (UnimplementedCommanderServer) mustEmbedUnimplementedCommanderServer() {}
+func (UnimplementedCommanderServer) testEmbeddedByValue()                   {}
+
+// UnsafeCommanderServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to CommanderServer will
+// result in compilation errors.
+type UnsafeCommanderServer interface {
+	mustEmbedUnimplementedCommanderServer()
+}
+
+func RegisterCommanderServer(s grpc.ServiceRegistrar, srv CommanderServer) {
+	// If the following call panics, it indicates UnimplementedCommanderServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&Commander_ServiceDesc, srv)
+}
+
+func _Commander_Stream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(CommanderServer).Stream(&grpc.GenericServerStream[FinishedCommand, Command]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Commander_StreamServer = grpc.BidiStreamingServer[FinishedCommand, Command]
+
+// Commander_ServiceDesc is the grpc.ServiceDesc for Commander service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Commander_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "chat.Commander",
+	HandlerType: (*CommanderServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "Stream",
+			Handler:       _Commander_Stream_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "hellreign.proto",
+}